• Linux Kernel: Weaponizing an AAW & Heap Ovf (Blunder Driver Challenge)

    This post walks through exploiting a Linux kernel driver by chaining a Heap Overflow bug with a ‘sandboxed’ Arbitrary Address Write (AAW) to overwrite core_pattern, giving Local Privilege Escalation with most kernel mitigations enabled.

  • Linux Remote Process Injection: (Injecting into a Firefox Browser Process)

    This post covers Remote Process Injection on Linux, a defense evasion technique that is well known from the Windows malware world. The aim is to write an injector that places and executes code inside a separate, already-running process; for this post the chosen victim process is Firefox.

  • Linux Malware: Defense Evasion Techniques

    This post covers several detection evasion techniques that can be applied to custom agents running on a compromised Linux host. A malware author needs good OPSEC, ensuring that the agent remains stealthy and leaves little to no IOCs; this is on top of using secure and stealthy Red Team infrastructure.

  • Linux Kernel: Introduction to Kernel Stack Overflows

    In the Linux kernel (ring 0) every thread also has a kernel stack, which holds the local variables and saved return addresses of the kernel functions it executes, including the handlers implemented by device drivers in Loadable Kernel Modules (LKMs). Like its user-space counterpart, this stack is vulnerable to stack overflow attacks that aim at overwriting the return address saved on it; this post covers exploiting such vulnerabilities.
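    As an added illustration (not code from the post above), the following user-space C model shows the two halves of what the post describes: a driver-style handler that copies a user-controlled length into a fixed-size stack buffer (the bug), the one-line bound check that fixes it, and a helper that builds the classic overwrite payload, filler up to the saved return address followed by the 8-byte target written little-endian for x86-64. copy_from_user() is stood in for by memcpy so the code runs offline, and the padding length of 72 and the target value are assumed values for illustration; a real target needs its own offset, and a real kernel exploit must additionally deal with the stack canary, KASLR and SMEP/SMAP, which this example does not cover.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a user-space model of a driver write/ioctl handler.
 * This is not kernel code; memcpy stands in for copy_from_user(). */

#define KBUF_SIZE 64

/* The bug: the handler trusts the user-supplied length and copies it into a
 * fixed-size stack buffer. A len > KBUF_SIZE writes past kbuf into whatever
 * follows it on the stack (canary if present, saved frame pointer, saved
 * return address). Deliberately unsafe: never call it with len > KBUF_SIZE. */
int vulnerable_handler(const uint8_t *user_buf, size_t len)
{
    uint8_t kbuf[KBUF_SIZE];
    memcpy(kbuf, user_buf, len);          /* no bound check */
    return (int)kbuf[0];
}

/* The fix: reject any length the buffer cannot hold before copying. */
int hardened_handler(const uint8_t *user_buf, size_t len)
{
    uint8_t kbuf[KBUF_SIZE];
    if (len > sizeof(kbuf))
        return -EINVAL;
    memcpy(kbuf, user_buf, len);
    return (int)kbuf[0];
}

/* Builds the overwrite payload: pad_to_ret bytes of filler that reach the
 * saved return address, then the 8-byte target in little-endian order.
 * pad_to_ret depends on the target (buffer size + saved rbp + any compiler
 * padding) and must be measured per binary; it is a parameter here.
 * Returns the payload length, or 0 if out cannot hold it. */
size_t build_overflow_payload(size_t pad_to_ret, uint64_t target,
                              uint8_t *out, size_t outlen)
{
    size_t total = pad_to_ret + sizeof(target);
    if (outlen < total)
        return 0;
    memset(out, 0x41, pad_to_ret);
    for (size_t i = 0; i < sizeof(target); i++)
        out[pad_to_ret + i] = (uint8_t)(target >> (8 * i));
    return total;
}

int main(void)
{
    uint8_t payload[256];
    /* Assumed values: 64-byte buffer + 8-byte saved rbp = 72 bytes to the
     * return address; the target is a placeholder, not a real address. */
    size_t n = build_overflow_payload(72, 0x4141414142424242ULL,
                                      payload, sizeof(payload));

    printf("payload length: %zu bytes\n", n);
    printf("hardened handler, len=%zu: %d\n", n,
           hardened_handler(payload, n));       /* rejected with -EINVAL */
    printf("hardened handler, len=32: %d\n",
           hardened_handler(payload, 32));      /* accepted, returns 0x41 */
    /* vulnerable_handler(payload, n) would overwrite the saved return
     * address with the target; it is not called here on purpose. */
    return 0;
}
```

    The hardened handler returns -EINVAL for the 80-byte payload that the vulnerable one would happily copy; in a real module the same check belongs before copy_from_user(), whose own return value must also be checked (-EFAULT on failure).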

  • Linux: Local Process Injection

    Process Injection is a defense evasion technique often employed by malware: it executes arbitrary code in the address space of a separate live process, which grants access to that process's memory, system resources and possibly its network resources.

  • Sig-Return Oriented Programming Attack (SROP)

    This post covers another binary exploitation technique, Sigreturn-Oriented Programming (SROP), which is closely related to return-oriented programming (ROP). To understand how it works, we first need to understand Linux signals.

  • Pwnkit: Linux Privilege Escalation (CVE-2021-4034)

    This was a Linux Privilege Escalation vulnerability in polkit's pkexec that affected almost every Linux distribution running the vulnerable version(s). This post covers the root cause analysis (RCA) of the vulnerability and how it was weaponized for a Local Privilege Escalation attack.