Archive for the ‘Security’ Category

Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x

April 18, 2012 4 comments

“Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x” is the title of my last paper that has been published on phrack #68. You can read the paper here.

Many thanks to:
- blackb1rd (a phrack reviewer) who helped me in writing the paper.
- All the phrack staff for publishing the paper.
- emdel for … mmmh … Hi, emdel!

Any comments or suggestions would be (obviously) appreciated.

Syscall Hijacking: OpenBSD

November 26, 2011 13 comments

in this post I show you how to hijack the system calls in the latest OpenBSD kernel versions.
The way in which syscalls can be hijacked in OpenBSD kernel is very similar to that used in the Linux kernel 2.4 versions. The syscall table is exported and it is accessible by an external kernel module. So a syscall address can be overwritten by the address of an our function. Read more…

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x) #2

March 18, 2011 26 comments

Hi. In this brief post I’ll show you another way to get the syscall table address dinamically.
This post is only an expansion of this one. Read more…

Syscall Hijacking: Anti Fork-Bomb LKM (kernel 2.6.x)

February 10, 2011 Leave a comment

Hi. In this post I’ll show you how to implement a simple anti fork-bomb LKM.
There is already a kernel method to prevent the fork bomb: you can search online about this stuff.
Instead I’ll show you how prevent a fork bomb attack through a simple loadable kernel module, in order to better understand how a new process is created and how we can prevent its creation. Read more…

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x)

January 20, 2011 32 comments

Hi. In this post I’ll show you how to obtain dynamically the syscall table address. In the last posts (this and this) I wrote codes in which the syscall table address was hardcoded (as suggested by sj).
Now I’ll show you how to dinamically obtain it. Read more…

Syscall Hijacking: Simple Rootkit (kernel 2.6.x)

December 28, 2010 18 comments

Hi. In this post I’ll show you how to change the process credentials through kernel modules. In a such way you can make your own rootkit(s): i.e. when you performs a pre-established action, the module will give you a root access.
First of all we need to know where these credentials are kept: in the kernel versions < 2.6.29 we find all this informations in the “task_struct” structure. This structure is defined in “linux/sched.h”: Read more…

Syscall Hijacking: Kernel 2.6.* systems

December 3, 2010 34 comments

In this guide I will explain how to hijack the syscall in kernel 2.6.*: in particular how to bypass the kernel write protection and the “protected mode” bit of the CR0 CPUs register.
I don’t explain what is a syscall or syscall table: I assume you know what it is.
Read more…

Port-knocking Backdoor

October 21, 2010 3 comments

In this post I’ll explain to you how to make a *unix backdoor using a “port knocking” scheme. That is, if we’ll “knock” to some TCP ports that we have initially decided, our program will open a backdoor for us (but only for us :) ).
How does the “port knocking” scheme work? The attacker decides a particular sequence of packets that will be sent to a compromised server where the backdoor is running. When the backdoor program will receive this particular sequence then it will give to the attacker the server’s shell.
Read more…

Smashing the stack in 2010 (improved)

October 15, 2010 Leave a comment


in this brief post I will show you the improvements I have made on “Smashing the stack in 2010″. First of all I have improved the bibliography in order to help the readers to learn and delve into as well as to give the credits to others researchers for their works. Then I have rewritten the section “write an exploit” in my Windows part because of lack of clarity in the previous version, now I hope it is suitable to a newbie. Last but not least I have added a new part called “Real Scenario” in which we are going to analyze real exploits, in fact it is important – to gain a real and useful knowledge – to be able to analyze a real attack even it can be complex and sophisticated. In the report I have analyzed in detail  CVE-2010-0249 (Operation Aurora exploit) and CVE-2010-2883 (the Adobe cooltype sing table exploit), they are good examples of attacks through memory corruption vulnerabilities. I know that thare are a lot of analyses especially for CVE-2010-2883, but we know the paradigm “learning by doing” :) anyway if you want to read other good works I suggest you the following VUPEN (a great analysis!) and jduck (on Metasploit blog).

Smashing the stack in 2010 (improved) : download

Table of contents (of the new part):

IV Real Scenario 75
8 Attacks and memory corruption 75
9 Memory corruption in practice 76
10 Examples of real attacks 77
10.1 Theory: Heap Spraying . . . . . . . . . . . . . . . . . 77
10.2 CVE-2010-0249 – Internet Explorer 6, 2010 – Graziano.  . 78
10.3 CVE-2010-2883 – Adobe Acrobat Reader, 2010 – Graziano  . 84

As usual feel free to contact me to ask questions, to give a feedback, to point an error out to me or just to chat or you can find me on irc ( chan #hacklab or on freenode chan #corelan ) :)

Happy hacking!! (again :P )

Using SHA1() function

October 6, 2010 9 comments

Hi. I’ ll show you how to convert any string into a SHA1 hash using the openssl library.
To use this library you must include in your codes this:

#include <openssl/sha.h>

Moreover you have to compile the source with the “-lssl” flag.
The following code takes in input a string (argv[1]) and generates an hash string through the SHA1() function. The value of “SHA_DIGEST_LENGTH” is 20 bytes, that is the dimension of SHA1 output.
This function stores the value computed in “temp” variable.
Then in the for loop, I copy the value of “temp” into “buf”, according to the standard format of SHA1 strings.

#include <stdio.h>
#include <string.h>
#include <openssl/sha.h>

int main(int argn, char *argv[]) {

	int i = 0;
	unsigned char temp[SHA_DIGEST_LENGTH];
	char buf[SHA_DIGEST_LENGTH*2];

	if ( argn != 2 ) {
		printf("Usage: %s string\n", argv[0]);
		return -1;

	memset(buf, 0x0, SHA_DIGEST_LENGTH*2);
	memset(temp, 0x0, SHA_DIGEST_LENGTH);

	SHA1((unsigned char *)argv[1], strlen(argv[1]), temp);

	for (i=0; i < SHA_DIGEST_LENGTH; i++) {
		sprintf((char*)&(buf[i*2]), "%02x", temp[i]);

	printf("SHA1 of %s is %s\n", argv[1], buf);

	return 0;


We can compile and run it as follows:

$ gcc sha.c -lssl -o sha
$ ./sha asd
SHA1 of asd is f10e2821bbbea527ea02200352313bc059445190

If you want know something else of SHA1() function you can use the manpages:

man 3 sha1

Or look up in openssl website: link


Get every new post delivered to your Inbox.