
Add kernel-pwning initialization #293

Closed
4 of 6 tasks
rockrid3r opened this issue Aug 12, 2023 · 4 comments · May be fixed by #296

Comments

@rockrid3r

rockrid3r commented Aug 12, 2023

Currently it only supports userland-pwning chals. Kernel-pwning also needs such a bootstrap.

  • Add CLI parameter "-ker" to switch to kernel-pwn initialization
  • Autodetection of bzImage file
  • Extract vmlinux from bzImage, +tests
  • "Unstrip" vmlinux like vmlinux-to-elf did, +tests
  • Add templates for compress.sh/decompress.sh to work with cpio-compressed initramfs. Example here: https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/
  • It is important for users to have vmlinux-to-elf and extract-vmlinux. Post-cargo installation script vs provide instructions in README.md.

Probably can add dependency on vmlinux-to-elf repo?
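The "extract vmlinux from bzImage" item above, written out as an added example. This is not pwninit's code and not the kernel's scripts/extract-vmlinux or vmlinux-to-elf; it only reproduces the same idea in Python: scan the image for the magic bytes of each compressor, try to inflate from every hit, and keep the first result that begins with an ELF header. The function names, the decoy/padding layout and the synthetic image built by build_fake_bzimage are assumptions made for this example; only compressors available in the Python standard library (gzip, xz, bzip2) are tried, so a kernel built with lz4, lzo or zstd would need an extra module.

```python
"""Find and inflate the vmlinux ELF embedded in a bzImage.

Same idea as the kernel's scripts/extract-vmlinux: grep the image for the
magic bytes of each compressor, try to decompress from every hit, and keep
the first result that starts with an ELF header.  Only the compressors in
the Python standard library are tried (gzip, xz, bzip2); a kernel built with
lz4, lzo or zstd needs an extra module.  (Added example, not project code.)
"""
import bz2
import gzip
import lzma
import zlib

ELF_MAGIC = b"\x7fELF"


def _gunzip(buf: bytes) -> bytes:
    # wbits=31 (16 + MAX_WBITS) expects a gzip header; bytes after the
    # end of the stream land in unused_data instead of raising.
    return zlib.decompressobj(wbits=31).decompress(buf)


def _unxz(buf: bytes) -> bytes:
    return lzma.LZMADecompressor(format=lzma.FORMAT_XZ).decompress(buf)


def _bunzip2(buf: bytes) -> bytes:
    return bz2.BZ2Decompressor().decompress(buf)


# (magic, name, decompressor): the magics each compressor's stream starts with
COMPRESSORS = [
    (b"\x1f\x8b\x08", "gzip", _gunzip),
    (b"\xfd7zXZ\x00", "xz", _unxz),
    (b"BZh", "bzip2", _bunzip2),
]


def find_candidates(image: bytes):
    """Return (offset, name, decompressor) for every magic hit, lowest offset first."""
    hits = []
    for magic, name, fn in COMPRESSORS:
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name, fn))
            pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h[0])


def extract_vmlinux(image: bytes):
    """Return (compressor, offset, elf_bytes) for the first hit that inflates to an ELF, else None."""
    for off, name, fn in find_candidates(image):
        try:
            out = fn(image[off:])
        except (zlib.error, lzma.LZMAError, OSError, EOFError, ValueError):
            continue  # false-positive magic or truncated stream: try the next hit
        if out.startswith(ELF_MAGIC):
            return name, off, out
    return None


def build_fake_bzimage(payload: bytes, compressor: str = "gzip") -> bytes:
    """Constructed test input (assumption for this example), not a real kernel image.

    The layout mimics what the scan has to cope with: a stand-in for the
    setup/decompressor stub, a decoy gzip magic whose reserved header flag
    bits are set (zlib rejects it), the real compressed payload, then padding.
    """
    compress = {
        "gzip": gzip.compress,
        "xz": lambda b: lzma.compress(b, format=lzma.FORMAT_XZ),
        "bzip2": bz2.compress,
    }[compressor]
    setup_stub = b"\x00" * 0x300
    decoy = b"\x1f\x8b\x08\xe0" + b"\x00" * 12
    return setup_stub + decoy + compress(payload) + b"\xcc" * 64


if __name__ == "__main__":
    import sys

    image = open(sys.argv[1], "rb").read()
    hit = extract_vmlinux(image)
    if hit is None:
        sys.exit("no ELF found behind any compressor magic")
    name, off, elf = hit
    print(f"{name} stream at 0x{off:x}, vmlinux is {len(elf)} bytes")
    open(sys.argv[1] + ".vmlinux", "wb").write(elf)
```

Run it as `python3 extract.py bzImage` to get `bzImage.vmlinux`. What comes out is the kernel as linked, with no symbol table, which is why the next item in the list still needs the "unstrip" step that vmlinux-to-elf performs.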

@k4mp3t
Contributor

k4mp3t commented Aug 12, 2023

I am interested in looking into that; however, I myself am just getting started with exploring kernel pwn and therefore don't exactly know what a common setup looks like.

Your list of tasks is a good orientation, but could you maybe point me to, e.g., a challenge writeup that explains the steps you are looking to automate? If there is none, that's totally fine!

@ReeyaDono

Hello, I recently started exploring kernel pwn as well, and I recommend this article here. It explains some basic environment setup and some popular Linux kernel mitigations and their corresponding exploit techniques.

https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/

@rockrid3r
Author

rockrid3r commented Aug 13, 2023

@ReeyaDono nice link. Also we can add the auto-generation (or just a template?) of compress.sh/decompress.sh files from the provided blogpost. They are useful when working with a cpio-compressed initramfs (i.e. almost always). Adding this to the to-do.

@rockrid3r
Author

@k4mp3t noted that all of this turned out not to be a useful feature. vmlinux-to-elf already implements the extract-vmlinux logic, so pwninit would just become a wrapper of vmlinux-to-elf, which does not sound reasonable.

Closing.
