current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
stack overflow careers
Sign up ×
Stack Overflow is a community of 4.7 million programmers, just like you, helping each other. Join them; it only takes a minute:
up vote 1 down vote favorite
1

I have done buffer overflow exploits for user level processes in the past. However this does not seem to work good if I try to overflow the buffer of a vulnerable kernel module. Here's what I do:

There is a vulnerable kernel module which I can open as a file and read/write to it. The write operation is done without bounds checking. So I do a write operation and overflow the buffer and overwrite the return address as the address of an environment variable that has my shellcode. But something is going wrong. The kernel crashes and after rebooting I opened /var/log/messages and find that the eip is correctly pointing to the address I overwrote. But still it crashes saying "Unable to handle kernel null pointer dereference at virtual address" Any reason why this would happen? Why wouldn't the control be redirected to a overwritten return address?

Note: I ran this on redhat enterprise linux with exec-shield and ASLR turned off.

share|improve this question

closed as off topic by John3136, mschr, rene, carlosfigueira, vzwick Sep 26 '12 at 20:06

Questions on Stack Overflow are expected to relate to programming within the scope defined by the community. Consider editing the question or leaving comments for improvement if you believe the question can be reworded to fit within the scope. Read more about reopening questions here.If this question can be reworded to fit the rules in the help center, please edit the question.
    
Might be more appropriate on security.stackexchange.com – bstpierre Sep 26 '12 at 19:54
    
@bstpierre Was not aware of it.. Thanks! – Aswin Parthasarathy Oct 3 '12 at 8:48

1 Answer 1

up vote 2 down vote accepted

The kernel can't jump to user addresses without performing a kernel exit, since it is running in a privileged mode with a different configuration than userspace (e.g. different paging tables, CPU permission bits, etc.).

So, in order to get shellcode into the kernel, you'd have to pack the shellcode into the buffer written to the driver (and copied to the kernel), and somehow get the address of it. This is not so hard if you have access to the kernel map, but recently Linux distributions have begun locking access to such sensitive information to make it harder to exploit kernel bugs.

share|improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.