One of the most talked-about kernel vulnerabilities recently is a KASLR information leak: it defeats the kernel address space layout randomization mitigation by disclosing a randomized kernel address.
The Linux kernel has a feature, wchan (wait channel) in the proc filesystem, that indicates where a process is sleeping.
WCHAN: wait channel. The address of an event on which a particular process is waiting. The abbreviation appears in the output of the ps command with the -l option.
We can use /proc filesystem to read wchan value:
root@ubuntu:~# cat /proc/2401/wchan
This wchan value was returned to me as a function name, but what we need is the kernel virtual address. That address can be obtained from the 'stat' file:
root@ubuntu:~# cat /proc/2401/stat
2401 (epoll-example) S 2079 2401 1037 34816 2401 4202496 192 0 0 0 0 0 0 0 20 0 1 0 1599993 1826816 121 4294967295 134512640 134517128 3217578304 3217576436 3077821488 0 0 0 0 3223617913 0 0 17 0 0 0 0 0 0
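As an added example (not from the original post), the following Python check parses a /proc/<pid>/stat line like the one above, extracts field 35 (wchan) and reports whether the kernel discloses a raw kernel address there or only the 0/1 sleeping flag that kernels since 4.4 print in that field. The sample line is the one shown above; the 32-bit kernel base address and the verdict labels are assumptions of this example.

```python
"""Audit /proc/<pid>/stat for a raw wchan kernel address (a KASLR information leak)."""
import sys

WCHAN_FIELD = 35  # field number of wchan in /proc/<pid>/stat, see proc(5)

# Copied from the stat output above (32-bit kernel, the epoll-example process).
SAMPLE_STAT = ("2401 (epoll-example) S 2079 2401 1037 34816 2401 4202496 192 0 0 0 0 0 0 0 "
               "20 0 1 0 1599993 1826816 121 4294967295 134512640 134517128 3217578304 "
               "3217576436 3077821488 0 0 0 0 3223617913 0 0 17 0 0 0 0 0 0")


def stat_fields(line):
    """Return (pid, comm, fields[3:]) for one stat line.

    comm (field 2) may itself contain spaces and parentheses, so split at the
    LAST ')' and only tokenize what follows; field 3 (state) is then at index 0.
    """
    head, _, tail = line.rpartition(")")
    pid, _, comm = head.partition(" (")
    return int(pid), comm, tail.split()


def wchan_value(line):
    """Return field 35 (wchan) of a stat line as an integer."""
    return int(stat_fields(line)[2][WCHAN_FIELD - 3])


def classify_wchan(value, bits=32):
    """Kernels since 4.4 print only 0 (running) or 1 (sleeping) here; anything
    larger is the raw wait-channel address, which defeats KASLR."""
    if value in (0, 1):
        return "hardened"
    # Kernel addresses start at 0xC0000000 on 32-bit x86 and in the upper
    # canonical half (0xFFFF800000000000 and above) on x86-64 (assumed split).
    kernel_base = 0xC0000000 if bits == 32 else 0xFFFF800000000000
    return "kernel-address" if value >= kernel_base else "unexpected"


def audit(pid, bits=32):
    """Read the live stat file for pid and return (wchan, verdict)."""
    with open(f"/proc/{pid}/stat") as f:
        value = wchan_value(f.read())
    return value, classify_wchan(value, bits)


if __name__ == "__main__":
    # With a pid argument, audit a live process; otherwise use the sample line.
    if len(sys.argv) > 1:
        value, verdict = audit(int(sys.argv[1]), bits=64)
    else:
        value = wchan_value(SAMPLE_STAT)
        verdict = classify_wchan(value)
    print(f"wchan={value:#x} -> {verdict}")
```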
epoll is a Linux kernel system call, a scalable I/O event notification mechanism, first introduced in Linux kernel 2.5.44. It is meant to replace the older POSIX poll(2) system call, to achieve better performance in more demanding applications where the number of watched file descriptors is large (unlike the older system calls, which operate in O(n) time, epoll operates in O(1) time). epoll is similar to FreeBSD's kqueue, in that it operates on a configurable kernel object, exposed to user space as a file descriptor of its own.
The epoll_wait() system call waits for events on the epoll(7) instance referred to by the file descriptor epfd. The memory area pointed to by events will contain the events that will be available for the caller.
root@ubuntu:~# cat /proc/2463/stack