A Guide to Kernel Exploitation: Attacking the Core by Perla Enrico & Oldani Massimiliano

Author:Perla, Enrico & Oldani, Massimiliano [Perla, Enrico]
Language: eng
Format: mobi, epub, pdf
ISBN: 9781597494861
Publisher: Elsevier Science
Published: 2010-10-27T22:00:00+00:00

It is also possible to query the state of all the kernel extensions mapped into the kernel as an unprivileged user, as well as their load address, size, and other useful information. You can do this either by using the kextstat command-line utility that dumps each kernel extension in a readable format (as shown in the following code), or by using the Mach kmod_get_info() API to programmatically query the same information.

Index Refs Address Size Wired Name (Version) <Linked Against>

12 19 0x0 0x0 0x0 com.apple.kernel.6.0 (7.9.9)

13 1 0x0 0x0 0x0 com.apple.kernel.bsd (7.9.9)

14 1 0x0 0x0 0x0 com.apple.kernel.iokit (7.9.9)

15 1 0x0 0x0 0x0 com.apple.kernel.libkern (7.9.9)

16 1 0x0 0x0 0x0 com.apple.kernel.mach (7.9.9)

17 18 0x5ce000 0x11000 0x10000 com.apple.iokit.IOPCIFamily (2.6) <7 6 5

The Mach interface to query this information is pretty straightforward and can be useful for automating the process inside an exploit. It is just a matter of calling the kmod_get_info() function and passing in the address of a kmod_info struct pointer. This pointer is then updated to a freshly allocated list of kmods on the system. Here is a snippet of code that prints output similar to the kextstat program. As usual, the code in its entirety is available online at www.attackingthecore.com.

int

main (int ac, char **av)

{

mach_port_t task;

kmod_info_t *kmods;

unsigned int nokexts;

task = mach_host_self();

if ((kmod_get_info (task, (void *) &kmods, &nokexts) != KERN_SUCCESS)){

printf("error: could not retrieve list of kexts.\n");

return 1;

}

for (; kmods; kmods = (kmods->next) ? (kmods + 1): NULL)

printf ("- Name: %s, Version: %s, Load Address: 0x%08x Size: 0x%x\n", kmods->name, kmods->version, kmods->address, kmods- >size);

return 0;

}

IOKit

When writing device drivers on Mac OS X, developers generally utilize an API known as IOKit. An object-oriented framework, IOKit implements a limited version of C++ derived from Embedded C++. The implementation of this is in the libkern/ directory of the XNU source tree. This implementation of C++ has runtime-type information, multiple inheritance, templating, and exception handling removed.

Note

Since other C++ components are implemented, this means from a vulnerability hunter's perspective that C++-specific vulnerabilities are now possible in kernel space. Therefore, when auditing an IOKit kernel extension, you must keep an eye out for mismatched new and delete calls, such as creating a single object and then using delete[] on it, for example. Also, since GCC is used to compile these kernel extensions, new[] will actually wrap when allocating large numbers of objects.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.