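Linux Kernel Development (Linux内核设计与实现): Post-Reading Summary
Preface: I recently read this book. It covers the Linux 2.6 kernel from a kernel-development perspective and is easy to follow, so it is worth recording a summary. After finishing it, the next book I will read is Understanding the Linux Kernel (《深入理解Linux内核》). Summary contents: Linux Kernel Development summary (1): qemu kernel debugging environment...
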
pwnable.kr rootkit writeup
0x01 Analysis
rootkit is another challenge about kernel exploits after syscall.
After connecting to the host, I found that the kernel loads the rootkit module at boot.
[ 3.337631] rootkit: module license 'unspecified' taints kernel.
Then I used IDA to disassemble rootkit.ko.
The module disables write protection and replaces original syscalls such as sys_open with sys_open_hooked by writing to the syscall table (0xc15fa020). The sys_open_hooked syscall checks whether the filename string contains the substring flag.
If it does not, the original sys_open is called.
If it does, it returns an fd with a value of -1, and opening the file fails. Of course, other syscalls such as sys_symlink will fail as well.
/tmp # ln -s ../flag ./
[ 5234.521789] You will not see the flag...
ln: ./flag: Operation not permitted

pwnable.kr tiny_easy writeup
0x01 Check security
$ checksec tiny_easy
[*] '/home/ubuntu/pwn/tiny_easy/tiny_easy'
Arch: i386-32-littl...

pwnable.kr login writeup
0x01 Analyze
main():
int __cdecl main(int argc, const char **argv, const char **env...

pwnable.kr brainfuck writeup
0x01 Overview
int __cdecl do_brainfuck(char a1){ int result; // eax _BYTE *v2; // ebx result =...