This course delves into the exploitation of a Use-After-Free vulnerability in the xt_qtaguid kernel module on Android devices. By analyzing past vulnerabilities and exploring the reported CVE-2021-0399 vulnerability, learners will gain insights into rooting techniques, memory manipulation, and kernel control flow integrity. The teaching method involves discussing historical vulnerabilities, practical exploitation steps, and on-device protection mechanisms. This course is intended for security researchers, Android developers, and individuals interested in kernel-level security and exploitation techniques.
The Art of Exploiting UAF by Ret2bpf in Android Kernel
Overview
Syllabus
Intro
xt_qtaguld - Introduction
xt_qtagulud Open Device
CVE-2017-13273
eventfd leaks kernel heap address
Step 1 - Double Free on kmalloc-128
KASLR Leak
Rooting (possible primitives)
Step 3 - Rooting (controlling seq_operations)
Step 3 - Rooting (overwriting addr_limit?)
Step 3 - Rooting (the ultimate ROP)
Step 3 - Rooting (root shell)
Summarization for Exploiting CVE-2021-0399
CONFIG_SLAB_FREELIST HARDENED
KFENCE
Kernel Control Flow Integrity
CONFIG_DEBUG_LIST
On-Device Protection
Backend Infrastructure
Behavioural Detection
Summary
Taught by
Black Hat
Related Courses
-
Breaking Android Kernel Isolation and Rooting with ARM MMU Features
-
Exploiting UAF by Ret2bpf in Android Kernel
-
Android Universal Root - Exploiting Mobile GPU - Command Queue Drivers
-
Universal Android Rooting Is Back
-
Ret2page - The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache
-
Taking Kernel Hardening to the Next Level
