Hey Everyone,
Welcome to part 2 of this series. I strongly recommend reading part 1 first if you haven't already, since the information in part 1 is essential for understanding this post.
Understanding how your target works is key to finding vulnerabilities. I usually spend more time understanding how my target and the technologies it uses work than on the actual hacking; this is true for all types of targets, and binaries are no exception.
While I was “wasting” some CPU cycles with my original fuzz harness, I decided to dig deeper into the message format used by the kernel. netconsd stands for “The Netconsole Daemon”, and according to its description it parses kernel messages, so I started searching Google for “netconsole message format”.
I found this document which explains the message format.
netconsole=[+][src-port]@[src-ip]/[<dev>],[tgt-port]@<tgt-ip>/[tgt-macaddr]
where
  +            if present, enable extended console support
  src-port     source for UDP packets (defaults to 6665)
  src-ip       source IP to use (interface address)
  dev          network interface (eth0)
  tgt-port     port for logging agent (6666)
  tgt-ip       IP address for logging…
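The string above is the netconsole= kernel parameter, i.e. how the sending kernel is told where to deliver its messages. To make the grammar concrete, here is an added example (not kernel or netconsd code) of a small C parser for that option string. It assumes, following the kernel's own parsing strategy, that the '@', '/' and ',' separators are always present and only the values between them may be omitted; the port defaults come from the documentation quoted above, the sample option string is constructed for the example, and the struct and function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not kernel or netconsd code: a parser for the documented
 * netconsole= option grammar
 *   [+][src-port]@[src-ip]/[<dev>],[tgt-port]@<tgt-ip>/[tgt-macaddr]
 * Assumption: '@', '/' and ',' are structural separators that must be
 * present even when the value before or after them is omitted. */

struct netconsole_opts {
    int  extended;      /* leading '+' present */
    int  src_port;      /* defaults to 6665 per the documentation */
    char src_ip[48];    /* empty string when omitted */
    char dev[16];       /* empty string when omitted */
    int  tgt_port;      /* defaults to 6666 per the documentation */
    char tgt_ip[48];    /* the one mandatory value */
    char tgt_mac[18];   /* empty string when omitted */
};

/* Copy [b, e) into a fixed buffer with NUL termination; -1 if it does not fit. */
static int take(char *dst, size_t cap, const char *b, const char *e)
{
    size_t n = (size_t)(e - b);
    if (n >= cap)
        return -1;
    memcpy(dst, b, n);
    dst[n] = '\0';
    return 0;
}

/* Parse a decimal UDP port from [b, e); -1 on junk or out-of-range values. */
static int take_port(const char *b, const char *e, int *out)
{
    char buf[8];
    char *end;
    long v;
    if (take(buf, sizeof buf, b, e))
        return -1;
    v = strtol(buf, &end, 10);
    if (*buf == '\0' || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *out = (int)v;
    return 0;
}

/* Returns 0 on success, -1 if the string does not match the grammar. */
int parse_netconsole(const char *s, struct netconsole_opts *o)
{
    const char *at, *slash, *comma;

    memset(o, 0, sizeof *o);
    o->src_port = 6665;
    o->tgt_port = 6666;

    if (*s == '+') {
        o->extended = 1;
        s++;
    }

    /* source half: [src-port]@[src-ip]/[dev] */
    if (!(at = strchr(s, '@')))
        return -1;
    if (at != s && take_port(s, at, &o->src_port))
        return -1;
    if (!(slash = strchr(at + 1, '/')))
        return -1;
    if (take(o->src_ip, sizeof o->src_ip, at + 1, slash))
        return -1;
    if (!(comma = strchr(slash + 1, ',')))
        return -1;
    if (take(o->dev, sizeof o->dev, slash + 1, comma))
        return -1;

    /* target half: [tgt-port]@<tgt-ip>/[tgt-macaddr] */
    s = comma + 1;
    if (!(at = strchr(s, '@')))
        return -1;
    if (at != s && take_port(s, at, &o->tgt_port))
        return -1;
    if (!(slash = strchr(at + 1, '/')))
        return -1;
    if (slash == at + 1)              /* empty target IP is a hard error */
        return -1;
    if (take(o->tgt_ip, sizeof o->tgt_ip, at + 1, slash))
        return -1;
    if (take(o->tgt_mac, sizeof o->tgt_mac, slash + 1, slash + 1 + strlen(slash + 1)))
        return -1;
    return 0;
}

int main(void)
{
    struct netconsole_opts o;
    /* constructed sample option string matching the documented grammar */
    const char *opt = "+4444@10.0.0.1/eth1,9353@10.0.0.2/12:34:56:78:9a:bc";
    if (parse_netconsole(opt, &o) == 0)
        printf("extended=%d %s:%d via %s -> %s:%d mac=%s\n", o.extended,
               o.src_ip, o.src_port, o.dev, o.tgt_ip, o.tgt_port, o.tgt_mac);
    return 0;
}
```

Note how little of the string is actually mandatory: "@/,@10.0.0.2/" is a complete option, with both ports falling back to the documented defaults and the interface, source address and MAC left empty. That distinction between structural separators and optional values is exactly the kind of detail worth pinning down before building a grammar-aware fuzzer.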