This video demonstrates a kernel privilege escalation exploit on Ubuntu 16.04 that uses a custom FUSE filesystem to control allocation timing, corrupts a list head pointer to achieve arbitrary write, and overflows a 32-bit reference counter (requiring approximately 4 billion increments) to escalate privileges by corrupting the modprobe_path kernel variable, with the exploit taking around 20 minutes to complete.
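The unlink primitive the summary and the talk describe is small enough to model in user space. The following C program is an added example, not code from the talk or from the exploit: it reimplements the kernel's `struct list_head` and the unhardened `list_del_init()` unlink as a 4.4-era kernel without CONFIG_DEBUG_LIST compiles it, places a fake `modprobe_path` in memory so that the corrupted entry's `next->prev` write lands on it, and puts beside it a hardened unlink modeled on the `__list_del_entry_valid()` check that CONFIG_DEBUG_LIST adds in later kernels. The names `kmem`, `attacker_page` and the `demo_*` functions are assumptions made for this example; `list_del_init`, `modprobe_path` and CONFIG_DEBUG_LIST are the real kernel names. The example also makes the primitive's constraint visible: because the second write dereferences `prev`, the value that lands in `modprobe_path` must itself be a mapped, writable address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the kernel's struct list_head (include/linux/list.h). */
struct list_head {
    struct list_head *next, *prev;
};

/* Unhardened unlink as compiled into a 4.4-era kernel without CONFIG_DEBUG_LIST:
 * two writes, both addressed purely by the fields of the entry being removed. */
static void __list_del(struct list_head *prev, struct list_head *next)
{
    next->prev = prev;   /* write 1: *(next + 8) = prev */
    prev->next = next;   /* write 2: *(prev + 0) = next */
}

static void list_del_init_unhardened(struct list_head *entry)
{
    __list_del(entry->prev, entry->next);
    entry->next = entry;
    entry->prev = entry;
}

/* Hardened variant modeled on __list_del_entry_valid() under CONFIG_DEBUG_LIST:
 * refuse unless both neighbours actually point back at the entry.
 * Returns 1 if unlinked, 0 if the list was found corrupted (kernel would WARN). */
static int list_del_init_hardened(struct list_head *entry)
{
    struct list_head *prev = entry->prev, *next = entry->next;
    if (prev->next != entry || next->prev != entry)
        return 0;
    __list_del(prev, next);
    entry->next = entry;
    entry->prev = entry;
    return 1;
}

/* Stand-in for kernel .data (assumed layout for this example): 8 bytes of padding
 * followed by modprobe_path, so that ((struct list_head *)&kmem)->prev sits exactly
 * on top of modprobe_path. The union only makes the type punning legal C. */
union kdata {
    struct list_head as_list;
    struct {
        uint64_t pad;
        char modprobe_path[256];
    } g;
};
static union kdata kmem = { .g = { 0, "/sbin/modprobe" } };

/* Attacker-controlled writable memory (assumed). Write 2 dereferences `prev`, so
 * whatever value we want in modprobe_path must also be a mapped, writable address. */
static struct list_head attacker_page;

static void reset_state(struct list_head *victim)
{
    memset(&attacker_page, 0, sizeof attacker_page);
    strcpy(kmem.g.modprobe_path, "/sbin/modprobe");
    /* The victim is the freed-then-refilled chunk: both pointers are ours. */
    victim->prev = &attacker_page;   /* this pointer value gets written over modprobe_path */
    victim->next = &kmem.as_list;    /* &kmem.as_list.prev == kmem.g.modprobe_path */
}

/* Returns 1 if the unhardened unlink wrote `prev` over the first 8 bytes of
 * modprobe_path and `next` into the attacker page: two controlled writes. */
int demo_unhardened_unlink(void)
{
    struct list_head victim;
    reset_state(&victim);
    struct list_head *prev = victim.prev, *next = victim.next;

    list_del_init_unhardened(&victim);

    return memcmp(kmem.g.modprobe_path, &prev, sizeof prev) == 0
        && attacker_page.next == next
        && victim.next == &victim && victim.prev == &victim;
}

/* Returns 1 if the hardened unlink rejects the same corrupted entry and
 * leaves modprobe_path untouched. */
int demo_hardened_unlink_rejects(void)
{
    struct list_head victim;
    reset_state(&victim);
    int unlinked = list_del_init_hardened(&victim);
    return unlinked == 0 && strcmp(kmem.g.modprobe_path, "/sbin/modprobe") == 0;
}

/* Returns 1 if the hardened unlink still works on a genuinely linked entry. */
int demo_hardened_unlink_accepts_valid(void)
{
    struct list_head head = { &head, &head };
    struct list_head entry;
    /* list_add(&entry, &head) */
    entry.next = head.next;
    entry.prev = &head;
    head.next->prev = &entry;
    head.next = &entry;
    return list_del_init_hardened(&entry) == 1
        && head.next == &head && head.prev == &head
        && entry.next == &entry && entry.prev == &entry;
}

int main(void)
{
    printf("unhardened unlink overwrote modprobe_path: %d\n", demo_unhardened_unlink());
    printf("hardened unlink rejected corrupted entry: %d\n", demo_hardened_unlink_rejects());
    printf("hardened unlink accepted valid entry: %d\n", demo_hardened_unlink_accepts_valid());
    return 0;
}
```

Compile with `cc -Wall unlink_demo.c && ./a.out`. On a kernel built with CONFIG_DEBUG_LIST the corrupted entry is caught before either write happens, which is why a refilled chunk with fully controlled `prev`/`next` is a clean write primitive on the 4.4 target but not on a hardened kernel.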
4 Billion Syscalls Later: Live Kernel Privesc on Ubuntu - Pt 2
So our target chunk is located anywhere in kmalloc-128 and up. It's really nice because we can control the size and the contents of the allocation fully. But we do need a custom FUSE file system that acts kind of like a blocking mechanism, because when the setxattr syscall happens, the allocation and the free happen in the same syscall path, which is not great for us, right? We want that allocation to remain, and FUSE acts like a blocking mechanism for it. So once we refill that chunk, we need to corrupt the list_head field in the target structs, because that can actually give us arbitrary write, and that's exactly what happens when we delete the flow again with a call to list_del_init, since we can fully control the prev and next pointer as it's part of the chunk. At an instruction level you can kind of visualize it: we control rcx and rdx fully. With this arbitrary write primitive we can ultimately corrupt a global kernel variable called modprobe_path. This is again another very popular technique you'll see a lot with arbitrary write exploits, data-only exploits, and corrupting this path variable with something you control allows it to execute with elevated privileges whenever, like, a bad binary format is run. Of course, we've got to talk about the info leak, because we don't know where modprobe_path is. On the GA kernel, funny enough, there is no KASLR.
They have decided not to enable that for those kernels. However, our exploit will still try to accommodate for KASLR.
It turned out that for our bug it is kind of hard to use it to leak out anything. So ultimately I opted to kind of cheat a little bit. We're on an older distro, so I opted to use an n-day, a really trivial kind of bug, because we can just leak that address from a file we can read easily, and it's really old as well. One blocker I do want to talk about, though, is that this can take a really long time, because overflowing a 32-bit refcount does require that number of increments.
That's 4 billion with some extra right there. I've been trying to work this exploit to make it hit within the time frame, but the best runs right now are all plateauing at around 20 minutes.
>> For those of you in the audience, this is harrowing to do as a researcher if you've never done this.
>> Rooting for you, Exodus.
>> I think this is really safe. So, we should be able to run it again if it failed.
>> This is why live demos are awesome. And I understand as a presenter why you want video to make sure you can show what you've done, but this is where the real test is.
Speaking of that, because this is not running, I have video.
>> Hey.
>> Hey.
>> See, that's being prepared.
>> And first, we're going to have to add the patch in, like, that turns the into a short. Um, and then we did what we just did earlier, and see, the same exploit.
No slide spray.
And yeah, there we're there.