Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to confirm R0 register when bypass PXN #14

Open
GeneBlue opened this issue Jul 18, 2016 · 4 comments
Open

How to confirm R0 register when bypass PXN #14

GeneBlue opened this issue Jul 18, 2016 · 4 comments

Comments

@GeneBlue
Copy link

Hello fi01:
Thanks for providing this POC code,it helps me a lot.As a beginner,I am researching a method to bypass PXN recently.However,something are confusing me.When we attempt to bypass PXN,we need use R0 or R1 to build a ROP chain.So,how to confirm R0 or R1? inet_release() func in kernel source,arg is sock.setup_getroot() func in POC code,arg is sk. If sk equals sock? This poc cann't running in an emulator,so i cann't debug kernel to prove these. Could you help me please?
@GeneBlue
Copy link
Author

I have solve this problem.

@r4nd0mus3r
Copy link

How did you solve this?

@GeneBlue
Copy link
Author

@r4nd0mus3r debug goldfish kernel and research panic info in nexus

@r4nd0mus3r
Copy link

@GeneBlue every time I try to debug the goldfish kernel the code gets stuck into an infinite loop while trying to control sk. How did you bypass that? I tried after a while overwriting the socks table with new vulnerable sockets and then trying again but still same issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@GeneBlue @r4nd0mus3r