Hi all,

I'd like to build a C application that I can then exploit to get some confidential information from the kernel memory.

The issue is that I don't really understand where to start... I've found that the use of copy_to_user() without appropriate checks on the return value could lead to this sort of issue, but I don't understand how it can be then exploitable. If you could give me some pointers so I can progress, it would be great.

Edit: What I'd like to have is a kind of exploit like this: http://inj3ct0r.com/exploits/7837, where X bytes of kernel memory are finally dumped.

The fact is I don't want any SCTP socket or anything, but "only" the easiest way to recreate this dump of confidential information.

To make a parallel with a buffer overflow, I'd like to create the file vuln.c, which would be using the gets() function, and then build the special string that will do the job... In the case of disclosure, I think that it will be another C file.

I hope this makes sense...

Best.

A: 

Assuming you're not after kernel internals, take a look at this question.

Matt Joiner
+1  A: 

The reality is that there are a number of ways to proceed depending on what sort of exploit you are trying to learn.

  1. Do you want to inject code through a buffer overflow and change of return pointer?
  2. Is there already a call to copy_to_user that you want to exploit using an off-by-one error?
  3. Do you want to use return oriented programming instead of code injection?
  4. Many others, some of which are listed here
torak
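To make the second option concrete, here is an added example (not from the question, the answers, or the linked exploit) of the bug class behind most copy_to_user infoleaks: the handler checks the return value of copy_to_user but never clamps the caller-supplied length, so a request for more bytes than the reply holds dumps whatever sits next to it in kernel memory. Everything kernel-side is modelled in user space so it can be compiled and run: `kmem` is a constructed stand-in for kernel memory, `fake_copy_to_user` mimics the real function's contract (it returns the number of bytes that could not be copied, 0 on success), and `vuln_handler`/`fixed_handler` are hypothetical getsockopt-style handlers, not code from any real driver. The fixed variant shows the one-line clamp that closes the hole.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

/* Constructed model of kernel memory: a handler's reply buffer followed by
 * unrelated sensitive data (e.g. key material left there by an earlier
 * request). This adjacency is what an infoleak exploit relies on. */
#define REPLY_MAX 16
static unsigned char kmem[64];
static const char secret[] = "TOPSECRET-KEY-0123456789abcdef";

static void setup_kernel_memory(void)
{
    memset(kmem, 0, sizeof kmem);
    memcpy(kmem + REPLY_MAX, secret, sizeof secret);   /* stale data past the reply */
}

/* Stand-in for the kernel's copy_to_user(): copies n bytes to the user buffer
 * and returns the number of bytes that could NOT be copied (0 on success).
 * The real one fails on unmapped user pages; it does not know how many bytes
 * the caller actually produced, so checking its return value alone cannot
 * catch an over-read. */
static unsigned long fake_copy_to_user(void *to, const void *from, unsigned long n)
{
    memcpy(to, from, n);
    return 0;
}

/* Vulnerable handler (hypothetical): produces REPLY_MAX bytes of reply but
 * copies the caller-supplied length unclamped, so a large user_len reads past
 * the reply into whatever follows it in kmem. */
static int vuln_handler(void *user_buf, unsigned long user_len)
{
    memset(kmem, 0x41, REPLY_MAX);                    /* the legitimate reply ("AAAA...") */
    if (fake_copy_to_user(user_buf, kmem, user_len))  /* return value is checked... */
        return -EFAULT;                               /* ...but the length never was */
    return 0;
}

/* Fixed handler: never copy more than the data actually produced. */
static int fixed_handler(void *user_buf, unsigned long user_len)
{
    unsigned long n = user_len < REPLY_MAX ? user_len : REPLY_MAX;
    memset(kmem, 0x41, REPLY_MAX);
    if (fake_copy_to_user(user_buf, kmem, n))
        return -EFAULT;
    return (int)n;
}

/* Exploit side: request more than the reply holds and check whether the
 * bytes past the reply are the secret. Returns 1 if leaked, 0 if not,
 * -1 on handler error. */
static int leak_contains_secret(int (*handler)(void *, unsigned long))
{
    unsigned char user_buf[sizeof kmem];
    setup_kernel_memory();
    memset(user_buf, 0, sizeof user_buf);
    if (handler(user_buf, sizeof user_buf) < 0)
        return -1;
    return memcmp(user_buf + REPLY_MAX, secret, sizeof secret) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leak_contains_secret(vuln_handler));
    printf("fixed handler leaks secret:      %d\n", leak_contains_secret(fixed_handler));
    return 0;
}
```

Two things carry over to real kernel code: the length (or offset) handed to copy_to_user must be bounded by what the handler actually filled, and any struct copied out must be fully initialised, because compiler padding and unwritten fields carry stale kernel bytes just as the over-read above does. A check on copy_to_user's return value guards against a bad user pointer, not against either of these.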
A: 

Thanks for your replies :)

I've edited my previous post with more details, hope it will help...

Toopiboum