Kernel Root Exploit via a ptrace() and execve() Race Condition
Let's have a look at a recent kernel local privilege escalation exploit!
Exploit Source: https://hxp.io/blog/79/hxp-CTF-2020-wisdom2/
Kernel Developer Walkthrough: https://www.youtube.com/watch?v=LORxdO1XUjY
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code: https://www.youtube.com/watch?v=fLS99zJDHOc
How Do Linux Kernel Drivers Work? https://www.youtube.com/watch?v=juGNPLdjLH4
👕 T-Shirt Series: https://www.youtube.com/playlist?list=PLhixgUqwRTjwy6HCzLfwNzdrSrcrLOM4d
00:00 - Introduction
00:15 - Exploit PoC
00:39 - main()
00:52 - prepare_shellcode()
02:39 - mmap() shared memory to signal "ready" state
03:07 - fork() into [child] and [parent]
03:44 - [parent] wait for the child
04:00 - [child] unveil() loop
05:03 - [parent] ptrace ATTACH and POKE child
05:58 - [child] execve("passwd")
06:38 - [parent] PEEK entrypoint of child in loop
07:34 - [parent] child entrypoint changes!
07:49 - Exploit Walkthrough
09:20 - Root Shell via Shellcode
10:10 - Vulnerability Summary
10:37 - Which UNIX-like Kernel is this?
12:44 - The importance for Security Research
13:59 - Next Video and Resources
14:22 - Patreon and YT Members
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveOverflow · LiveOverflow · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
![[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F](https://i.ytimg.com/vi/2GVi8_9u5TY/mqdefault.jpg)
57
58
59
60
LiveOverflow - Trailer
LiveOverflow
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
Writing a simple Program in C
LiveOverflow
Writing a simple Program in Python - bin 0x03
LiveOverflow
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
A simple Format String exploit example - bin 0x11
LiveOverflow
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
The Heap: Once upon a free() - bin 0x17
LiveOverflow
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
TCP Protocol introduction - bin 0x1A
LiveOverflow
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
Linux signals and core dumps - bin 0x1C
LiveOverflow
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
How to learn hacking? ft. Rubber Ducky
LiveOverflow
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow
More on: Security Basics
View skill →
Related AI Lessons
⚡
⚡
⚡
⚡
HDFC AMC Just Confirmed a Cybersecurity Incident.
Medium · Cybersecurity
BEFORE YOU TOUCH THE TARGET: A PASSIVE AND ACTIVE RECON WALK-THROUGH FOR CYBERSECURITY…
Medium · Cybersecurity
Virtual Keyboard Login with PingOne Advanced Identity Cloud
Medium · Cybersecurity
Why Businesses Quietly Accept Technology Friction as “Normal”
Medium · Cybersecurity
Chapters (19)
Introduction
0:15
Exploit PoC
0:39
main()
0:52
prepare_shellcode()
2:39
mmap() shared memory to signal "ready" state
3:07
fork() into [child] and [parent]
3:44
[parent] wait for the child
4:00
[child] unveil() loop
5:03
[parent] ptrace ATTACH and POKE child
5:58
[child] execve("passwd")
6:38
[parent] PEEK entrypoint of child in loop
7:34
[parent] child entrypoint changes!
7:49
Exploit Walkthrough
9:20
Root Shell via Shellcode
10:10
Vulnerability Summary
10:37
Which UNIX-like Kernel is this?
12:44
The importance for Security Research
13:59
Next Video and Resources
14:22
Patreon and YT Members
🎓
Tutor Explanation
DeepCamp AI