Compromising Linux Virtual Machines
with Debugging Mechanisms
Russell Sanford
xort@blacksecurity.org
October 2016
What are we going to be covering?
• Some kernel hacking!
• Injecting API calls into running 64-bit kernels
• All 3.x/4.x kernels (64-bit)
• Tool release automating the attack: bl4ck_vmpop.py !!!
Why?
• Bypass disk encryption schemes
• Get to the underlying OS & code to audit!
• Nobody has talked about abusing VMware’s debugging features?
Previous work has only been done on infecting paused VM memory stored on disk (SLOW!!!)
Tools Involved
• IDA Pro 64bit
• VMware Workstation >= 5.0 or VMware Player >= 3.0
• Binwalk
The Old Way – Manual Exploitation
• Compiling another kernel of the same version
• Comparing function calls & string usage against the kernel with symbols
• Slowly locating and labelling the functions needed
• Manually hooking function calls and injecting substituted commands into the target
VMware GDB Stubs
• VMware Workstation >= 5.0
• VMware Player >= 3.0
• Fusion
• Allow R/W/X of memory, ability to single step, etc. at kernel level
• Can be done to a booted machine (must be temporarily paused)
• When attaching to VMware we land in default_idle()
The Plan… Automating Exploitation
1) Extract the kernel for IDA with binwalk
2) Decompile the kernel in IDA
3) Enable debugging in the VMware VMX file
4) Attach the IDA database to VMware’s gdbserver port (8864)
5) Locate the kernel API using unique byte sequences *
   A) _vmalloc()
   B) call_usermodehelper_setup()
   C) call_usermodehelper_exec()
   D) call_usermodehelper_fns()
6) Back up the current state of the processor (back up registers)
7) Call _vmalloc() to allocate working space for passing argv[] (program arguments)
8) Populate the memory area with argv[] information
9) Call call_usermodehelper_setup() to initialize the subprocess_info structure *
10) Pass the subprocess_info structure to call_usermodehelper_exec() *
11) Restore the backed-up registers and return control to the CPU
* In some 3.x versions call_usermodehelper_fns() is used in place of _setup() + _exec()
Kernel API Involved
_vmalloc(unsigned __int64 size,
gfp_t gfp_mask,
pgprot_t prot )
call_usermodehelper_setup(char *path,
char **argv,
char **envp,
gfp_t gfp_mask,
int (*init)(subprocess_info *, cred *),
void (*cleanup)(subprocess_info *),
void *data )
call_usermodehelper_fns(char *path,
char **argv,
char **envp,
int wait,
int (*init)(subprocess_info *, cred *),
void (*cleanup)(subprocess_info *),
void *data )
call_usermodehelper_exec(subprocess_info *sub_info,
int wait )
1) Allocating Memory
_vmalloc()
2) Launching a Command In Userland
call_usermodehelper_setup()
call_usermodehelper_exec()
OR
call_usermodehelper_fns()
call_usermodehelper_setup & _exec Example
#include <linux/kmod.h>   /* call_usermodehelper_setup(), call_usermodehelper_exec(), UMH_* flags */
#include <linux/gfp.h>    /* GFP_KERNEL */

struct subprocess_info *info;
char userprog[] = "/bin/bash";
/* argv and envp are NULL-terminated arrays of C strings */
char *argv[] = { userprog, "-c", "/bin/bash < /dev/ttyS0 > /dev/ttyS0 2> /dev/ttyS0", NULL };
char *envp[] = { NULL };
/* gfp_mask selects the allocator flags used for the subprocess_info structure */
info = call_usermodehelper_setup(userprog, argv, envp, GFP_KERNEL, NULL, NULL, NULL);
if (!info)
    return -ENOMEM;
/* UMH_WAIT_EXEC waits for the exec to complete; UMH_KILLABLE lets a signal abort the wait */
call_usermodehelper_exec(info, UMH_WAIT_EXEC | UMH_KILLABLE);
Step #1 Extracting the kernel with binwalk for IDA
binwalk -e my_kernel.bin
cd _my_kernel.bin
file * | grep ELF
A directory named “_my_kernel.bin” will be created.
Change into the directory of extracted files.
Use the ‘file’ and ‘grep’ commands to locate the extracted kernel.
Step #3 Enable debugging in VMware VMX file
• Virtual machines can be paused and restarted in debug mode (gdbserver)!
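As an added example (not from the talk or bl4ck_vmpop.py), a check that audits a .vmx configuration for the guest GDB stub the talk attaches to; the debugStub.* key names are VMware Workstation/Fusion options rather than text from the slides, and the sample .vmx fragments are constructed.

```python
"""Audit a VMware .vmx configuration for an enabled guest GDB stub."""
import re

# VMware Workstation/Fusion options that expose the guest to a GDB client.
# Key names are VMware's (not from the slides); the 64-bit stub defaults to
# port 8864, the port the talk attaches IDA to. VMX keys are
# case-insensitive, so lookups are done on lower-cased names.
LISTEN_KEYS = ("debugStub.listen.guest32", "debugStub.listen.guest64")
DEFAULT_PORTS = {"debugStub.listen.guest32": 8832, "debugStub.listen.guest64": 8864}

_LINE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict keyed by lower-cased name."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def _is_true(cfg, key):
    return cfg.get(key.lower(), "false").lower() == "true"


def audit_debug_stub(text):
    """Return findings for a .vmx; an empty list means no GDB stub is enabled."""
    cfg = parse_vmx(text)
    findings = []
    for key in LISTEN_KEYS:
        if not _is_true(cfg, key):
            continue
        arch = key.rsplit(".", 1)[1]                      # guest32 / guest64
        port = cfg.get(f"debugstub.port.{arch}", str(DEFAULT_PORTS[key]))
        scope = "remote hosts" if _is_true(cfg, key + ".remote") else "localhost only"
        findings.append(f"{key} enabled: GDB stub on port {port} ({scope})")
    if _is_true(cfg, "debugStub.hideBreakpoints"):
        findings.append("debugStub.hideBreakpoints enabled: debugger breakpoints hidden from the guest")
    return findings


# Constructed sample .vmx fragments (not from a real VM).
CLEAN_VMX = '.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "lab-vm"\n'
DEBUG_VMX = CLEAN_VMX + 'debugStub.listen.guest64 = "TRUE"\ndebugStub.port.guest64 = "8864"\n'

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_VMX), ("debug", DEBUG_VMX)):
        print(name, audit_debug_stub(text) or ["no GDB stub enabled"])
```

A VM whose .vmx reports a finding here can be attached to exactly as Step #4 describes, so the check belongs in any inventory scan of VM configuration files.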
Step #2 Decompile the Kernel in IDA
1) Open the 64-bit ELF file with IDA Pro and click “OK” to begin analysis
2) Wait for analysis to complete: the analysis indicator at the bottom right should say ‘idle’
Step #4 Attach IDA database to VMware’s gdbserver
• Select Debugger->Select Debugger from the drop-down menu and select ‘Remote GDB debugger’
• Select Debugger->Process Options and verify port 8864 is selected
• Select Debugger->Attach To Process to connect to VMware’s gdbserver
• Select Debugger->Debugger Options from the drop-down menu
• Click ‘Set Specific Options’ in the Debugger Setup window
• Click ‘Memory Map’ in the GDB Configuration window
• Right-click in the ‘Manual Memory Regions’ window and select ‘Insert’
• The default End Address is 0xFF00000000000000; change this value to 0xFFFFFFFFFFFFF000 (the default region stops short of the kernel’s high addresses)
Step #5 Locate kernel API using unique byte sequences
Formula:
• When the ‘Search Key’ is encountered in memory, analyze the next X bytes (predetermined range)
• Check the byte range for patterns known to exist uniquely in the function we are looking for
• Check the byte range to make sure patterns that must not be present are absent from the range
• Find the beginning of the function
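The four-step search formula above, implemented as an added example over a raw byte image (this is not the talk’s bl4ck_vmpop.py code): the search key, the required and forbidden patterns, the 24-byte window and the nop/int3 padding heuristic used to walk back to the function start are all constructed for the demo, not real kernel signatures.

```python
"""Signature-based locator for a function in a raw memory image."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """The slide's formula: search key, window X, patterns that must and must not appear."""
    name: str
    key: bytes
    window: int
    must_have: tuple
    must_not_have: tuple


# Inter-function padding bytes on x86-64 (nop, int3). A heuristic for the demo:
# the function start is taken to be the first byte after a run of padding.
PADDING = {0x90, 0xCC}


def find_function_start(image, offset, max_back=512):
    """Walk backwards from offset until the previous byte is padding."""
    pos = offset
    while pos > 0 and offset - pos < max_back:
        if image[pos - 1] in PADDING:
            return pos
        pos -= 1
    return None


def locate(image, sig):
    """Return candidate function-start offsets whose window matches sig."""
    hits = []
    start = 0
    while True:
        idx = image.find(sig.key, start)          # step 1: search key hit
        if idx < 0:
            break
        start = idx + 1
        rng = image[idx:idx + sig.window]          # analyze the next X bytes
        if (all(p in rng for p in sig.must_have)          # step 2: required patterns
                and not any(p in rng for p in sig.must_not_have)):  # step 3: forbidden
            fn = find_function_start(image, idx)   # step 4: beginning of function
            if fn is not None and fn not in hits:
                hits.append(fn)
    return hits


# Constructed image: two fake functions that both contain the key; only the
# second also contains the required pattern and lacks the forbidden one.
PROLOGUE = b"\x55\x48\x89\xe5"                          # push rbp; mov rbp, rsp
KEY = b"\x48\xc7\xc7\x20\x00\x00\x00"                   # mov rdi, 0x20
GOOD = b"\x48\xb8\x63\x01\x00\x00\x00\x00\x00\x80"      # mov rax, 0x8000000000000163
BAD = b"\x0f\x0b"                                       # ud2
PAD = b"\x90" * 8
FUNC_A = PROLOGUE + b"\x31\xc0" + KEY + BAD + b"\x5d\xc3"
FUNC_B = PROLOGUE + b"\x31\xc0" + KEY + GOOD + b"\x5d\xc3"
IMAGE = PAD + FUNC_A + PAD + FUNC_B + PAD
EXPECTED_START = len(PAD) + len(FUNC_A) + len(PAD)

SIG = Signature("demo_fn", KEY, 24, (GOOD,), (BAD,))

if __name__ == "__main__":
    print(locate(IMAGE, SIG))   # expected: [EXPECTED_START]
```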
Step #6 Back up current state of processor
• Back up the current state of the processor (back up registers)
• Easy to do with IDA
• Back up registers with IDA Pro’s GetRegValue() function
Step #7 Allocating working space with _vmalloc()
• vmalloc() > kmalloc() for our needs
• Provides larger, physically non-contiguous memory allocations
_vmalloc(unsigned __int64 size, gfp_t gfp_mask, pgprot_t prot)
_vmalloc(0x1000, 0x20, 0x8000000000000163)
Step #8 Populate memory area with argv[] info
• Top area is set aside to hold Qword (8-byte) pointers to strings (the argv array)
• Ends with a NULL (0x0) Qword to terminate the array
• Bottom area will hold the actual string data
• Strings are C strings (NULL-byte terminated)
Step #9 Call call_usermodehelper_setup() to initialize subprocess_info struct
call_usermodehelper_setup() returns a pointer to an initialized subprocess_info structure.
envp, *init, *cleanup, and *data can be NULL.
call_usermodehelper_setup(char *path, char **argv, char **envp, gfp_t gfp_mask,
int (*init)(subprocess_info *, cred *), void (*cleanup)(subprocess_info *), void *data)
Step #10 Pass subprocess_info structure to call_usermodehelper_exec()
• Pass the subprocess_info structure to call_usermodehelper_exec()
• Call with wait = 0
• Executes the command in userland
call_usermodehelper_exec(subprocess_info *sub_info, int wait)
Step #11 Restore processor’s saved state
• Restore the saved state of the processor (backed-up registers)
• Easy to do with IDA
• Restore registers with IDA Pro’s SetRegValue() function
Current Payloads
• Serial Bind Shell
• Add SUID 0 (root) User
• Add User
• TCP Connect Back
• Run a command as Root
Pwnage with bl4ck_vmpop.py (idapython)
Serial Bind Shell Leveraged from a Linux Virtual Machine
What's Next?
MIPS
ARM
Standalone program independent of IDA Pro
Automated hardware hacking tool?
Thanks!
