Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Exploiting mmap() with MAP_SHARED and PROT_WRITE to get root on SerenityOS - 388

Andreas Kling, posted 5 years ago
  • The mmap syscall is used to load a file's code into memory before it is executed. When a binary is mapped with MAP_SHARED (which is common, so that the memory can be shared between processes), the mapped memory can be writable once loaded.
  • So, by opening the mmap'd file as writable, we can edit the memory across processes. Using this, we can edit the root shell process in order to escalate to root. Modifying an arbitrary process in place is a powerful primitive.
  • To exploit this, the author wrote some assembly, mmap'd a region of a running process, then overwrote the code in that process. Once the injected code is triggered, it creates a setuid root shell, which pops a root shell.
  • The actual trick for making this consistent was interesting. The author found a line of code that only ran when the process received a signal. This allowed the write to happen first and the code to execute afterwards, removing the need to win a race condition.
  • The bug stems from the fact that the permissions of an existing file mapping are never verified. If the kernel had validated the mapping permissions (writable, readable, executable, etc.), this would not have been possible. So, the fix is to verify these mapping permissions in the mmap syscall.
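The permission check described in the last bullet, as an added user-space C model of what an mmap() handler should verify before creating a file-backed mapping. This is not SerenityOS kernel code; the struct, flag values and function name are constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for the real flag values so the model is self-contained. */
enum { PROT_READ = 1, PROT_WRITE = 2, PROT_EXEC = 4 };
enum { MAP_SHARED = 1, MAP_PRIVATE = 2 };
enum { O_RDONLY = 0, O_WRONLY = 1, O_RDWR = 2 };

/* Hypothetical open file description: how the caller's fd was opened. */
struct open_file {
    int access_mode;   /* O_RDONLY, O_WRONLY or O_RDWR */
};

static int opened_for_reading(const struct open_file *f)
{
    return f->access_mode == O_RDONLY || f->access_mode == O_RDWR;
}

static int opened_for_writing(const struct open_file *f)
{
    return f->access_mode == O_WRONLY || f->access_mode == O_RDWR;
}

/* Returns 0 if the requested mapping may be created, else a negative errno.
 * Rule: a MAP_SHARED mapping with PROT_WRITE writes through to the file and
 * to every other process mapping it, so it is only allowed when the fd was
 * opened for writing. A MAP_PRIVATE writable mapping is copy-on-write and
 * never reaches the file, so read access on the fd is enough for it. */
int validate_file_mapping(const struct open_file *f, int prot, int flags)
{
    int is_shared = (flags & MAP_SHARED) != 0;
    int is_private = (flags & MAP_PRIVATE) != 0;
    if (is_shared == is_private)          /* exactly one of the two is required */
        return -EINVAL;
    if (!opened_for_reading(f))           /* any file mapping reads the file */
        return -EACCES;
    if ((prot & PROT_WRITE) && is_shared && !opened_for_writing(f))
        return -EACCES;                   /* the check whose absence enables the bug */
    return 0;
}

int main(void)
{
    struct open_file ro = { O_RDONLY }, rw = { O_RDWR };
    printf("read-only fd, MAP_SHARED|PROT_WRITE : %d\n",
           validate_file_mapping(&ro, PROT_READ | PROT_WRITE, MAP_SHARED));
    printf("read-write fd, MAP_SHARED|PROT_WRITE: %d\n",
           validate_file_mapping(&rw, PROT_READ | PROT_WRITE, MAP_SHARED));
    return 0;
}
```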