Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x

April 18, 2012

“Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x” is the title of my most recent paper, which has been published in Phrack #68. You can read the paper here.

Many thanks to:
– blackb1rd (a Phrack reviewer), who helped me write the paper.
– All the Phrack staff for publishing the paper.
– emdel for … mmmh … Hi, emdel!

Any comments or suggestions would be (obviously) appreciated.

Syscall Hijacking: OpenBSD

November 26, 2011

In this post I show you how to hijack the system calls in the latest OpenBSD kernel versions.
The way in which syscalls can be hijacked in the OpenBSD kernel is very similar to the one used in Linux 2.4 kernels. The syscall table is exported and accessible from an external kernel module, so a syscall entry can be overwritten with the address of our own function. Read more…

How to install NetBSD on VirtualBox on Linux

May 9, 2011

Hi. In this post I show you a workaround that allows you to install (and run) NetBSD on VirtualBox on Linux.
If you have tried to install NetBSD on VirtualBox, the installation probably failed with an error like this:

acpiacad0: AC adapter online.
uvm_fault(0xc09e6a40, 0, 2) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 2 eip c0100d69 cs 8 eflags 10246 cr2 0 ilevel 0
kernel: supervisor trap page fault, code=0
Stopped in pid 0.15 (system) at netbsd:spllower+0x29:  addl %eax,0(%eax)

The following workaround allows you to install and run NetBSD on VirtualBox. If the name of the NetBSD virtual machine is “NetBSD”, you have to run this command in your shell:

$ vboxsdl --norawr0 --startvm NetBSD

That’s all!
Bye bye.

Enabling SSL on Red Hat’s JBoss Enterprise Application Platform 5.1

April 12, 2011

Hi folks,

I’m writing this little note as an “errata corrige” to the HTTPS Configuration chapter of the Red Hat JBoss EAP Installation Guide. If you follow the steps indicated there, you will end up with a non-working Tomcat instance: that’s because they miss a step that is well explained in the Tomcat 6 SSL How-To:

In short, Tomcat can use two SSL engines:

  • the JSSE implementation provided as part of the Java runtime (since 1.4)
  • the APR implementation, which uses the OpenSSL engine by default

The Red Hat guide shows you how to use the Java keytool, which works with the JSSE implementation, but the default Tomcat configuration in JBoss EAP 5.1 uses the APR implementation. That means that if you want to use keytool and a keystore, as I suggest, you have to change this line in <server-profile>/deploy/jbossweb.sar/server.xml

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

with this line

<Listener className="org.apache.coyote.http11.Http11NioProtocol" SSLEngine="on" />

to obtain a non-blocking SSL listener, or with

<Listener className="org.apache.coyote.http11.Http11Protocol" SSLEngine="on" />

to obtain a blocking SSL listener.

After that you can follow the rest of the Red Hat guide without problems.

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x) #2

March 18, 2011

Hi. In this brief post I’ll show you another way to get the syscall table address dynamically.
This post is only an expansion of this one. Read more…

Syscall Hijacking: Anti Fork-Bomb LKM (kernel 2.6.x)

February 10, 2011

Hi. In this post I’ll show you how to implement a simple anti fork-bomb LKM.
There is already a kernel mechanism to prevent fork bombs: you can search online for it.
Instead, I’ll show you how to prevent a fork bomb attack through a simple loadable kernel module, in order to better understand how a new process is created and how we can prevent its creation. Read more…

Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x)

January 20, 2011

Hi. In this post I’ll show you how to dynamically obtain the syscall table address. In the last posts (this and this) I wrote code in which the syscall table address was hardcoded (as suggested by sj).
Now I’ll show you how to obtain it dynamically. Read more…