Kernel exploiting

Exploitation in this environment is a little special because, first of all is the kernel, so failure means all the system is fucked up, second you have all the particular subsystems (think about memory allocation for example) and mitigations designed specifically for it.

Kernel stack overflows (basics)
Kernel exploitation for dummies
Writing kernel exploits
Linux Kernel Exploitation slides from Modern Binary Exploitation
PAWNYABLE
repo with a bunch of proof-of-concept exploits for the Linux kernel
repo with some writeup about kernel exploitation tecnique and exploit
Presentation about stackjacking disclosure of kernel stack data (probably fixed by now)
Practical SMEP/SMAP bypass techniques on Linux
SMEP: What is It, and How to Beat It on Linux
Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric
Linux Kernel ROP - Ropping your way to part 1 and part 2
Hacking the PS4, part 3 kernel exploitation
Kernel-mode exploits primer
Smashing The Kernel Stack For Fun And Profit Phrack 60::6
Attacking the Core: Kernel Exploitation Notes Phrack 64::6
Stairway to Successful Kernel Exploitation
Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)
Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112
CVE-2016-0728
MMap Vulnerabilities also PDF
out-of-tree {module, exploit} development tool: is for automating some routine actions for creating development environments for debugging kernel modules and exploits, generating reliability statistics for exploits, and also provides the ability to easily integrate into CI (Continuous Integration).
collection of verified Linux kernel exploits
Tailoring CVE-2019-2215 to Achieve Root
CVE-2017-11176: A step-by-step Linux Kernel exploitation
- part 1/4
- part 2/4
- part 3/4
- part 4/4
pr0cf5/kernel-exploit-practice repository for kernel exploit practice
milabs/lkrg-bypass LKRG bypass methods
a13xp0p0v/linux-kernel-defence-map
Linux Kernel Teaching This is a collection of lectures and labs Linux kernel topics. The lectures focus on theoretical and Linux kernel exploration.
The Plight of TTY in the Linux Kernel
Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel
Learning Linux Kernel Exploitation
- Part 1
- Part 2
- Part 3
Writing a Linux Kernel Remote in 2022
Learning Linux kernel exploitation - Part 2 Continuing to walk down Linux Kernel exploitation lane. This time around with an unanticipated topic: DirtyPipe as it actually nicely fits the series as an example.
The Android kernel mitigations obstacle race CVE-2022-22057, a use-after-free in the Qualcomm gpu kernel driver
DirtyCred: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe
Exploiting CVE-2022-42703 - Bringing back the stack attack
StackRot
CVE-2022-29582 An io_uring vulnerability
Escaping the Google kCTF Container with a Data-Only Exploit

Mitigations

Kernel stack cookies
Address space layout randomization (KASLR)
Supervisor mode access prevention (SMAP): all the userland pages in the page table are set not executable when the system is in kernel mode
Kernel page table isolation (KPTI): user-space and kernel-space table are completely separated when in user-mode

Links

KASLR

bcoles/kasld A collection of various techniques to bypass KASLR and retrieve the Linux kernel base virtual address on x86 / x86_64 architectures as an unprivileged user.

Fuzzing

Fuzzing the Linux kernel (x86) entry code, part 1, part 2, part 3
Looking for Remote Code Execution bugs in the Linux kernel This article covers my experience with fuzzing the Linux kernel externally over the network. I’ll explain how I extended a kernel fuzzer called syzkaller for this purpose and show off the found bugs.