Skip to content

Introduction

For binary exploitation under Linux, we categorize that as follow:

  • Userland Pwn: Our targets are programs running in the user space, including general user applications, shared libraries, etc.
  • Kernel Pwn: Our targets are code running in the kernel space, including the kernel itself and kernel-mode drivers.

The categorization is determined by how we exploit the target, and the runtime state of CPU.

Note that most of executables under Linux are in the format of ELF, so you may need to take a brief understanding of that.

Userland Pwn

When executing userland programs, the CPU is usually running under a low-privilege state with limited access to hardwares.

The entry point to interact with such userland programs as well as the entry point of our attack on such targets is usually their corresponding interactivable parts for users, which can be in different formats and the methods of interaction are also different according to specific programs. For example, a CGI program can be exploited by dynamically requesting its web interfaces, while a PDF reader can be exploited by opening a static well-constructed file.

To exploit userland applications, we will firstly need to determine how we should interact with our targets. For attacking targets with remotely accessible interfaces, we usually need to write programs like python scripts to do the exploitation. For attacking targets without remotely accessible interfaces, we usually need to construct a special input for the attack, which will usually need to be read and executed by the victim user, i.e., one-click attack.

Our general goal is to archive the remote code execution. In some cases vuneralibies in userland programs will also be used to archive the denial-of-service attack.

Kernel Pwn

When executing kernel code, the CPU is usually running under a high-privilege state wirh full access to hardwares.

The entry point to interact with kernel code as well as the entry point of our attack on such code is usually the system calls, which are ABIs exported by kernel and should be triggerred by specific machine instructions like syscall in AMD64. Most of vulnerabilities in kernel code can be exploited by local programs, while some of the could also be attacked remotely.

To exploit kernel code, we usually need to write a userland program to interact with kernel. For some vulnerabilities in kernel-side network services, it may also be applicable to be exploited remotely by interacting with corresponding network interfaces within programs like python scripts.

Our goal is to cause needed affects in the kernel. Generally our goal is to archive the arbitrary read & write or arbitrary code execution in the kernel, which are usually used for local privilege escalation, or remote code execution. In some cases vulnerabilities in kernel code will also be used to archive the denial-of-service attack.