Kernel exploiting
Exploitation in this environment is a little special: first, the target is the kernel itself, so a failure takes down the whole system instead of a single process; second, the kernel has its own subsystems (think of memory allocation, for example) and mitigations designed specifically for it.
- Kernel stack overflows (basics)
- Kernel exploitation for dummies
- Writing kernel exploits
- Linux Kernel Exploitation slides from Modern Binary Exploitation
- PAWNYABLE
- repo with a bunch of proof-of-concept exploits for the Linux kernel
- repo with some writeups about kernel exploitation techniques and exploits
- Presentation about stackjacking disclosure of kernel stack data (probably fixed by now)
- Practical SMEP/SMAP bypass techniques on Linux
- SMEP: What is It, and How to Beat It on Linux
- Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restrict
- Linux Kernel ROP - Ropping your way to part 1 and part 2
- Hacking the PS4, part 3 kernel exploitation
- Kernel-mode exploits primer
- Smashing The Kernel Stack For Fun And Profit Phrack 60::6
- Attacking the Core: Kernel Exploitation Notes Phrack 64::6
- Stairway to Successful Kernel Exploitation
- Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)
- Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112
- CVE-2016-0728
- MMap Vulnerabilities also PDF
- out-of-tree {module, exploit} development tool: automates some routine actions for creating development environments for debugging kernel modules and exploits, generates reliability statistics for exploits, and can easily be integrated into CI (Continuous Integration).
- collection of verified Linux kernel exploits
- Tailoring CVE-2019-2215 to Achieve Root
- CVE-2017-11176: A step-by-step Linux Kernel exploitation
- pr0cf5/kernel-exploit-practice repository for kernel exploit practice
- milabs/lkrg-bypass LKRG bypass methods
- a13xp0p0v/linux-kernel-defence-map
- Linux Kernel Teaching: a collection of lectures and labs on Linux kernel topics. The lectures focus on theory and on exploring the Linux kernel.
- The Plight of TTY in the Linux Kernel
- Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel
- Learning Linux Kernel Exploitation
- Writing a Linux Kernel Remote in 2022
- Learning Linux kernel exploitation - Part 2 Continuing to walk down Linux Kernel exploitation lane. This time around with an unanticipated topic: DirtyPipe as it actually nicely fits the series as an example.
- The Android kernel mitigations obstacle race CVE-2022-22057, a use-after-free in the Qualcomm gpu kernel driver
- DirtyCred: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe
- Exploiting CVE-2022-42703 - Bringing back the stack attack
- StackRot
- CVE-2022-29582 An io_uring vulnerability
- Escaping the Google kCTF Container with a Data-Only Exploit
Mitigations
- Kernel stack cookies (CONFIG_STACKPROTECTOR): a canary placed on the kernel stack and checked before a function returns
- Kernel address space layout randomization (KASLR): the kernel base address is randomized at boot
- Supervisor mode execution prevention (SMEP): the CPU refuses to execute code from user-accessible pages while in kernel mode, so a hijacked kernel control flow cannot simply jump to shellcode mapped in userland
- Supervisor mode access prevention (SMAP): the CPU refuses to read or write user-accessible pages while in kernel mode, except where the kernel explicitly allows it (stac/clac around copy_from_user() and friends)
- Kernel page table isolation (KPTI): user space and kernel space use separate page tables; while in user mode only a minimal set of kernel pages (the entry/exit trampolines) stays mapped
Links
- The State of Kernel Self Protection
- Control Flow Integrity (CFI) in the Linux kernel
- Put an io_uring on it: Exploiting the Linux Kernel
KASLR
- bcoles/kasld A collection of various techniques to bypass KASLR and retrieve the Linux kernel base virtual address on x86 / x86_64 architectures as an unprivileged user.
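Whatever technique leaks a kernel pointer, the next step is the same: subtract the symbol's offset, check that the result is something KASLR could actually have produced, and rebase the other addresses the exploit needs. The following is an added example (not code from the page or from kasld) of that step for x86-64. Assumptions, labelled in the code: the symbol offsets come from a vmlinux or System.map of the exact same build, and the constants are the arch/x86 defaults (kernel text mapped in the 1 GiB window above __START_KERNEL_map, randomized in CONFIG_PHYSICAL_ALIGN = 2 MiB steps). The leaked pointer and offsets in main() are constructed, not real.

```c
/* Added example: kernel base recovery from a leaked x86-64 kernel pointer.
 * Not from the original page; constants are arch/x86 defaults. */
#include <stdint.h>
#include <stdio.h>

#define KERNEL_MAP_START 0xffffffff80000000ULL  /* __START_KERNEL_map */
#define KERNEL_MAP_END   0xffffffffc0000000ULL  /* + KERNEL_IMAGE_SIZE (1 GiB) */
#define DEFAULT_BASE     0xffffffff81000000ULL  /* unrandomized _text */
#define KASLR_ALIGN      0x200000ULL            /* CONFIG_PHYSICAL_ALIGN, 2 MiB */

/* leaked: a kernel text pointer from a leak (a function pointer read out of
 * an object, dmesg, /proc/kallsyms with kptr_restrict=0, ...).
 * symbol_offset: that symbol's offset from _text in the unrandomized image.
 * Returns the base, or 0 if the result cannot be a KASLR'd base. */
uint64_t kernel_base_from_leak(uint64_t leaked, uint64_t symbol_offset)
{
    if (leaked < symbol_offset)
        return 0;
    uint64_t base = leaked - symbol_offset;
    if (base < KERNEL_MAP_START || base >= KERNEL_MAP_END)
        return 0;               /* not in the kernel text window: wrong leak or offset */
    if (base % KASLR_ALIGN)
        return 0;               /* KASLR only picks 2 MiB aligned bases */
    return base;
}

/* Slide relative to the default base; 0 if base is below it. */
uint64_t kaslr_slide(uint64_t base)
{
    return base >= DEFAULT_BASE ? base - DEFAULT_BASE : 0;
}

/* Rebase any other symbol once the base is known. */
uint64_t rebase(uint64_t base, uint64_t symbol_offset)
{
    return base + symbol_offset;
}

int main(void)
{
    /* Constructed sample: a leaked pointer and hypothetical System.map
     * offsets for two symbols an escalation typically needs. */
    uint64_t leaked = 0xffffffffa3c8a1d0ULL;
    uint64_t off_commit_creds = 0x8a1d0ULL;         /* hypothetical */
    uint64_t off_prepare_kernel_cred = 0x8a470ULL;  /* hypothetical */

    uint64_t base = kernel_base_from_leak(leaked, off_commit_creds);
    if (!base) {
        puts("leak does not yield a plausible kernel base");
        return 1;
    }
    printf("kernel base         = 0x%llx (slide 0x%llx)\n",
           (unsigned long long)base, (unsigned long long)kaslr_slide(base));
    printf("prepare_kernel_cred = 0x%llx\n",
           (unsigned long long)rebase(base, off_prepare_kernel_cred));
    return 0;
}
```

The alignment and window checks are what distinguish a genuine text pointer from a heap or stack pointer that happens to look kernel-ish; a leak that fails them is the wrong kind of pointer or the wrong build's offsets, and using it anyway is how an exploit turns into a panic.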
Fuzzing
- Fuzzing the Linux kernel (x86) entry code, part 1, part 2, part 3
- Looking for Remote Code Execution bugs in the Linux kernel This article covers my experience with fuzzing the Linux kernel externally over the network. I’ll explain how I extended a kernel fuzzer called syzkaller for this purpose and show off the found bugs.
Heap
- Linux Kernel universal heap spray
- An Analysis of Linux Kernel Heap Hardening
- SLAB quarantine
- Exploiting Linux kernel heap off-by-one
- Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability
- Linux kernel heap feng shui in 2022
- CVE-2022-1786 | A Journey To The Dawn
iOS
- One Byte to rule them all
- Writing an iOS Kernel Exploit from Scratch
- An iOS zero-click radio proximity exploit odyssey
Papers
- KEPLER: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities
- ret2dir: Rethinking Kernel Isolation
- KOOBE: Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
- A Systematic Study of Elastic Objects in Kernel Exploitation
- Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Dirty Cred
This exploitation method swaps an unprivileged kernel credential object (struct cred, or the struct file a write goes through) for a privileged one: the vulnerability is used to free the unprivileged object, and a privileged one is then allocated into the same slot, so the exploit never needs to hijack control flow or know kernel addresses.