Studying a kernel’s ROP gadgets is notoriously painful if you don’t do it every day and don’t have the perfect environment ready.
Opening up a compressed kernel is the first challenge. Linus's extraction script is heuristic, and you may need to be on a Linux host with all the right tools installed for it to work. When building this, I discovered that the EFI boot stub on x86 kernels makes the image a valid PE file, which initially confused my parser.
All of these problems are in the past. EnVisen can now parse compressed kernels and find and compare ROP gadgets in them.
For background, please refer to my series on EnVisen:
Let’s give this a whirl…
You'll notice there is one sample that's a vmlinux-3.10.0-693.17.1.el7.x86_64. As the name indicates, this is a straight-up uncompressed ELF binary containing the kernel. But that's too easy. I'll pick one of the vmlinuz-*
Before loading from the URL, we need to explicitly tell EnVisen to parse this as a compressed kernel image:
(As a side note, you can totally try NOT selecting vmlinuz and instead letting it auto-detect the format. I was surprised by what I found. At some point I want to rename vmlinuz to .exe and run it on a Windows box just to see my Linux kernel execute as a perfectly valid Windows executable.)
Anyway… once we load from the URL, we see:
One thing in particular that I'd like to call out is the little link to save the extracted vmlinux. You can now use EnVisen to extract ELF files out of compressed bootable kernels on any platform and any operating system, without needing the environment that Linus's script expects.
If you're a pentester or security researcher who wants to look at ROP gadget addresses and relative offsets, you might find EnVisen a useful tool in your toolbox.
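To make the extraction problem concrete, here is an added Python sketch (not EnVisen's code and not Linus's extract-vmlinux script) of what a compressed-kernel parser has to do: recognise the PE/COFF header the EFI stub puts at the front of an x86 bzImage, check the Linux boot-protocol signature, locate candidate compressed payloads by their magic bytes, and keep only the candidate that inflates to an ELF. The bzImage it operates on is constructed inline and is not a real kernel.

```python
import gzip
import lzma
import re
import struct
import zlib

# Compression magics that extract-vmlinux greps for, each paired with a stdlib
# decompressor that stops at the end of the first stream and ignores trailing bytes.
DECOMPRESSORS = {
    b"\x1f\x8b\x08": ("gzip", lambda b: zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(b)),
    b"\xfd7zXZ\x00": ("xz", lambda b: lzma.LZMADecompressor().decompress(b)),
}

def is_pe_image(data: bytes) -> bool:
    """PE/COFF header present (the EFI boot stub puts one at the front of a bzImage)."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 and data[:2] == b"MZ" else -1
    return pe_off > 0 and data[pe_off:pe_off + 4] == b"PE\x00\x00"

def is_bzimage(data: bytes) -> bool:
    """x86 Linux boot header: 0xAA55 boot flag at 0x1FE and 'HdrS' at 0x202."""
    return data[0x1FE:0x200] == b"\x55\xaa" and data[0x202:0x206] == b"HdrS"

def find_payloads(data: bytes):
    """Every (offset, magic) where a known compression magic occurs, lowest offset first."""
    return sorted((m.start(), m.group()) for magic in DECOMPRESSORS
                  for m in re.finditer(re.escape(magic), data))

def extract_vmlinux(data: bytes):
    """Inflate each candidate in turn; return (offset, kind, elf_bytes) for the first real ELF."""
    for off, magic in find_payloads(data):
        kind, inflate = DECOMPRESSORS[magic]
        try:
            blob = inflate(data[off:])
        except (zlib.error, lzma.LZMAError, EOFError, ValueError):
            continue  # the magic bytes were just data, not a stream: a false positive
        if blob[:4] == b"\x7fELF":
            return off, kind, blob
    return None

def build_sample_bzimage() -> bytes:
    """Constructed stand-in for a vmlinuz: PE stub, boot header, decoy magic, gzip'd fake ELF."""
    fake_elf = b"\x7fELF\x02\x01\x01" + bytes(57) + b"constructed kernel text\n"
    image = bytearray(0x400)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x100)  # e_lfanew points at the PE signature
    image[0x100:0x104] = b"PE\x00\x00"
    image[0x1FE:0x206] = b"\x55\xaa\x00\x00HdrS"  # boot flag, two header bytes, HdrS
    image += b"\x1f\x8b\x08\xffdecoy" + bytes(16)  # gzip magic with invalid flags: false positive
    image += gzip.compress(fake_elf) + b"trailing-initrd-or-padding"
    return bytes(image)
```

The decoy magic is there on purpose: a real bzImage can contain the gzip byte sequence by chance, which is exactly why a heuristic extractor has to try each hit and validate the result rather than trust the first match.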