Kernel ROP Generator

Description

Tools for generating ROP chains on Linux Kernel images.

angrop_rop_generator.py works by patching the binary (using rop_instruction_patcher.py) to replace the various thunks and runtime patches. These thunks are replaced with nops or invalid instructions to avoid them being identified as possible gadgets. Calls to __x86_return_thunk are replaced with ret so that angrop/rp++ can find gadgets correctly

Usage

1. Generate ROP chain with angrop_rop_generator.py

   • python angrop_rop_generator.py <vmlinux path> <vmlinuz path>

   • <vmlinux image> needs to include symbols

   • outputs the generated ROP chain

Testing

To test the generated ROP chain, we patch the following syscalls

• Patch __sys_shutdown to copy ROP chain from user to kernel memory

• Patch __x64_sys_reboot to jump to the ROP chain

• Run python kernel_syscall_patcher.py  <vmlinux path>

• This outputs <vmlinux>.syscall_patched

Copy the generated ROP chain into rop_test_trigger.c

• Compile gcc -static -o rop_test_trigger rop_test_trigger.c

• cp rop_test_trigger <image_runner path>/rootfs/

• Run the patched vmlinux in QEMU ./run_vmlinuz.sh <vmlinux>.syscall_patched sh

• Inside QEMU run ./rop_test_trigger