Tue 02 October 2018

In the last article, the arbitrary call primitive is used to gain arbitrary code execution in ring-0 while bypassing SMEP. It covers an extensive study of page fault exception trace, how to find gadgets in kernel image, designing a ROP-chain to finally call the payload. In the end, it shows how to repair the kernel and gain root privileges. The core concept section focuses on the thread_info structure, virtual memory layout and netlink's hash tables.