Ben-Lichtman
commented
2 months ago The easy workaround to this is to filter by address ranges.
Is there an easy way to determine which pages are executable otherwise?
Open k4lizen opened 2 months ago
Ben-Lichtman
commented
2 months ago The easy workaround to this is to filter by address ranges.
Is there an easy way to determine which pages are executable otherwise?
k4lizen
commented
2 months ago pwntools may have something like that, I know it fetches some information about an elf by patching it to read /proc/self/maps and running it once. Not sure if that would work on the kernel though which is my usecase.
This may be interesting:
The easy workaround to this is to filter by address ranges.
But how do I know which address ranges are executable? By debugging the kernel? I haven't tried filtering by looking at the memory mappings but it sounds non-trivial
I was doing this challenge: https://2020.ctf.link/assets/files/kernel-rop-bf9c106d45917343.tar.xz and the gadget
0xffffffff8246dc83: push rax; ret;is returned for the extracted vmlinux. I used it in a ROP chain and got[ 2.990604] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)so the gadget is stored in a NX page. Without the gadget, the script works and there is no error.Its hard to tell which gadgets are in NX pages just by looking at the addresses, since there are hundereds / thousands of duplicates in the kernel image, there should be some way to filter them out.