Local Root Exploits

So-called local root exploits often exist especially for older operating systems, which exploit vulnerabilities in the kernel when expanding privileges, such as a buffer overflow or a race condition. As an example, we might have encountered the kernel “3.19.0-15-generic“ while collecting information and would then search the internet for known exploits of this kernel version. The Offensive Security’s Exploit Database Archive (https://www.exploit-db.com/) is one method that is well suited for this purpose. By conducting the following Google search, we will get several hits or exploits, which we could use against this kernel:

site:exploit-db.com 3.19 local root exploit

In general, the source code of exploits is almost always in the high-level C language and must “only“ be compiled into an executable programme by us. It is possible that the target system for the build process does not have all the necessary libraries, which then requires us to statically “build“ the local root exploit on our attacker machine. Static linking integrates the required files into the executable programme, allowing us to achieve increased portability. For example, we can accomplish this with the following gcc command:

gcc -static ${source file} -o ${executable}

When compiling on our attacker machine, we still have to consider the system architecture of our target system. If our target system is based on an x86 processor (32-bit architecture) and our own system is based on the 64-bit architecture, we must conduct cross-compiling:

gcc -march=i386 ${source file} -o ${executable}