top | item 10934488


javanix | 10 years ago

The /proc/kallsyms values are identical across identical kernel compilations.

Suppose you have a vulnerable CentOS 7 system that you want to exploit - you could get the proper addresses from your own CentOS 7 VM running the same kernel, apply those to a modified exploit compilation, and run that compilation on your target host.


benmmurphy | 10 years ago

Latest versions of Linux have Kernel ASLR for text but I think lots of distributions have it disabled because they set CONFIG_HIBERNATION: https://www.kernel.org/doc/Documentation/kernel-parameters.t...

Also, it is not bulletproof because apparently there are lots of info leaks in Linux, and I think Linux also does not reboot after a panic (http://www.cyberciti.biz/tips/reboot-linux-box-after-a-kerne...), so if the entropy for KASLR is small enough you can retry very aggressively. Though in this particular instance, if you have to wait 30 minutes between each try, that would kill brute forcing.
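The two comments above raise two questions a defender would want to answer about a host: does `/proc/kallsyms` hand out real addresses to whoever reads it, and is KASLR actually built in and active (with the `CONFIG_HIBERNATION` caveat benmmurphy mentions)? The following audit script is an added example, not code from either commenter or from any project; it assumes the `kernel.kptr_restrict` sysctl, `CONFIG_RANDOMIZE_BASE`, the `nokaslr`/`kaslr` command-line parameters and `/boot/config-$(uname -r)` as documented in the mainline kernel tree, and the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two properties discussed above.
#   1. Does /proc/kallsyms show real addresses, or zeros? (kernel.kptr_restrict)
#   2. Is KASLR compiled in and not disabled, and does the hibernation caveat apply?
# Every check takes plain text as input so it can be exercised on constructed samples.

# Return 0 if the kallsyms text contains at least one non-zero address,
# i.e. the kernel layout is readable by whoever produced this text.
kallsyms_exposed() {
    printf '%s\n' "$1" | awk 'NF && $1 !~ /^0+$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Fingerprint of the address column only. Taken after two boots, an unchanged
# value means the base was not randomized (the thread's point that identical
# builds land at identical addresses).
kallsyms_fingerprint() {
    printf '%s\n' "$1" | awk '{ print $1 }' | cksum | awk '{ print $1 }'
}

# Interpret kernel.kptr_restrict (Documentation/sysctl/kernel.txt):
#   0 = shown to everyone, 1 = hidden from unprivileged users, 2 = hidden from all.
kptr_restrict_verdict() {
    case "$1" in
        0) echo "exposed-to-all" ;;
        1) echo "hidden-from-unprivileged" ;;
        2) echo "hidden-from-all" ;;
        *) echo "unknown" ;;
    esac
}

# Return 0 if KASLR is compiled in (CONFIG_RANDOMIZE_BASE=y) and not switched
# off with nokaslr. $1 = kernel config text, $2 = /proc/cmdline text.
kaslr_enabled() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_RANDOMIZE_BASE=y' || return 1
    case " $2 " in *" nokaslr "*) return 1 ;; esac
    return 0
}

# Return 0 when the caveat from the thread applies: KASLR built in,
# CONFIG_HIBERNATION=y, and no explicit "kaslr" on the command line. Kernels of
# that era (roughly 3.14 to 4.7) left KASLR off by default in this combination.
hibernation_caveat() {
    kaslr_enabled "$1" "$2" || return 1
    printf '%s\n' "$1" | grep -qx 'CONFIG_HIBERNATION=y' || return 1
    case " $2 " in *" kaslr "*) return 1 ;; esac
    return 0
}

# Live audit of the current host; each step is skipped where its file is unavailable.
audit_host() {
    [ -r /proc/kallsyms ] || { echo "kallsyms: not readable, nothing to audit"; return 0; }
    sample=$(head -n 50 /proc/kallsyms)
    if kallsyms_exposed "$sample"; then
        echo "kallsyms: real addresses visible to this user"
    else
        echo "kallsyms: addresses masked (zeros)"
    fi
    echo "kallsyms fingerprint (compare across reboots): $(kallsyms_fingerprint "$sample")"
    [ -r /proc/sys/kernel/kptr_restrict ] &&
        echo "kptr_restrict: $(kptr_restrict_verdict "$(cat /proc/sys/kernel/kptr_restrict)")"
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ] && [ -r /proc/cmdline ]; then
        if kaslr_enabled "$(cat "$cfg")" "$(cat /proc/cmdline)"; then
            echo "KASLR: built in and not disabled by nokaslr"
            hibernation_caveat "$(cat "$cfg")" "$(cat /proc/cmdline)" &&
                echo "warning: CONFIG_HIBERNATION=y without explicit kaslr (see thread)"
        else
            echo "KASLR: not built in, or disabled on the command line"
        fi
    fi
    return 0
}

audit_host
```

Run it once as an unprivileged user and once as root: the first tells you what a local attacker without privileges sees, the second what an info leak or a privilege escalation would make available. The fingerprint is only meaningful when compared across reboots of the same kernel; on the CentOS 7 case from the first comment, an unchanged value is exactly the "identical addresses" property being described.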