CSAW CTF 2013 Kernel Exploitation Challenge

[Nytro]

CSAW CTF 2013 Kernel Exploitation Challenge

Table of Contents

• Introduction
  
• Understanding the Code
  
• Tracing the Vulnerable Code Path
  
• Leveraging the Vulnerability
  
• Circumventing Additional Obstacles
  
• Achieving Local Privilege Escalation
  
• Exploit
  
• Proof of Concept
  
• Bonus Points
  

Introduction

CSAW CTF 2013 was last weekend, and this year I was lucky enough to be named a judge for the competition. I decided to bring back the Linux kernel exploitation tradition of previous years and submitted the challenge “Brad Oberberg.” Four of the 15 teams successfully solved the challenge.

Each team was presented with unprivileged access to a live VM running 32-bit Ubuntu 12.04.3 LTS. The vulnerable kernel module csaw.ko was loaded on each system, and successful exploitation would allow for local privilege escalation and subsequent reading of the flag. Source code to the kernel module was provided to each team, and may be viewed below (or downloaded here).

Sursa: CSAW CTF 2013 Kernel Exploitation Challenge | Michael Coppola's Blog

E cu rezolvari.

[Hertz]

Il rezolvai si eu B|

[florinul]

l-a incercat cineva?

[Nytro]

l-a incercat cineva?

Da, merge pe toate versiunile de kernel. Am incercat pe CentOS, RedHat si Arch si pe 32 si pe 64 de biti. Adica merge pe toate, de aia ii zice "CTF". Iei root pe orice.

[l3tmeb3]

Il incerc pe masina virtual insa cand ii dau "gcc -o solution.c solution", imi apar urmatoarele :

z3d@ubuntu:~$ g++ -o solution.c solution

g++: error: solution: No such file or directory

g++: fatal error: no input files

compilation terminated.

z3d@ubuntu:~$

Any ideea ?

[Nytro]

Asta e gen:

http://google.ro wget

Dai comanda:

g++ --help

Si vezi ce inseamna "-o" ala.

PS: L-am pus din greseala in aceasta categorie, dar acum vedem si noi cine reuseste sa "rooteze" ceva

[l3tmeb3]

ok, 10x

ps : multi "nepriceputi" ca sa nu zic pr... , care fac pe desteptii .

Edited December 2, 2013 by l3tmeb3

[zin0]

care are bunavointa sa il posteze gata facut pt 32 si 64,

[aelius]

Cred ca nu toti au inteles cum functioneaza. Csaw este un modul kernel care odata incarcat permite escaladarea privilegiilor. csaw.ko (the fucking kernel module) nu exista default pe linux, el este un "sukit" si face exact ce am spus: permite escaladarea privilegiilor cu ajutorul acelui exploit (adica poti oricand sa obtii drepturi de super user, atata timp cat modulul este incarcat in kernel)

// sidenote:

- modul kernel = LKM (loadable kernel module)

- incarcare / inserare (modprobe/insmod)

- vizualizare module kernel incarcate (lsmod)

Hai ca nu e greu, pe cuvant. NU ne mai invadati cu cerinte, chestia este un proof of concept, nu este destinata celor care dau cu scanul si fac psybnc-uri pe servere sparte.

// offtopic:

@l3tmeb3: cc brain.c -o brain ; de aici:

-o <file>                Place the output into <file>

Edited November 28, 2013 by aelius

[florinul]

))))))))))))))))))))))

[florinul]

am incercat si nu merge