[Maran]

As I understand it the whole idea of this exploit is getting sudo access from a normal user.

Exploiting from root to root doesn't make a lot of sense. If the values are not retrievable as normal user this exploit can't be used.. Right?

[geofft]

The file /proc/kallsyms contains the addresses of various kernel functions: it's useful when you've already exploited a vulnerability in the kernel, and you want to do something useful with it, e.g. escalate your userspace process to root. In theory, since you're running code in kernelspace, you can do whatever; in practice it's much easier to start with known functions that can manipulate the data structures for you.

Think of it like the manual of a nuclear missile launcher. Obviously they don't want to give that out to everyone. But if you can break into the room with the launcher's control panel, you've still caused a major security breach even if you have no idea what to do next. Having the manual just makes your job easier, but the attack was that you broke in in the first place; they can't count on you being unable to figure out how to work the panel.

Also, if you're running a binary kernel (for instance, a kernel built by your Linux distro), the addresses in kallsyms are going to be constant for everyone running that distro. Hiding kallsyms for non-root users is primarily useful for people who build custom kernels.

Production-level malware often also has code that doesn't depend on having access to kallsyms and is more advanced (e.g., starting from the system call interrupt vector and disassembling it and seeing what addresses are jumped to). Using kallsyms is good for keeping a simple proof-of-concept exploit readable.

[javanix]

The /proc/kallsyms values are identical across identical kernel compilations.

Suppose you have a vulnerable CentOS 7 system that you want to exploit - you could get the proper addresses from your own CentOS 7 VM running the same kernel, apply those to a modified exploit compilation, and run that compilation on your target host.

[benmmurphy]

Latest versions of Linux have Kernel ASLR for text but I think lots of distributions have it disabled because they set CONFIG_HIBERNATION: https://www.kernel.org/doc/Documentation/kernel-parameters.t...

Also, it is not bullet proof because apparently there are lots of info leaks in linux and I think linux also does not reboot after a panic (http://www.cyberciti.biz/tips/reboot-linux-box-after-a-kerne...) so if the entropy for KASLR is small enough you can retry very aggressively. Though in this particular instance if you have to wait 30 minutes between each try that would kill brute forcing.