####################################################
# #
# Tired of bloated heap implementations? #
# __ #
# | | __ ____ _____ ______ #
# | |/ // __ \\__ \ \____ \ #
# | <\ ___/ / __ \| |_> > #
# use |__|_ \\___ >____ / __/ #
# \/ \/ \/|__| #
# #
####################################################
The flag is in /dev/sda.
Modify ./rootfs/init to improve debugging.
The exploit is located inside the VM at /pwn (recommended: run it as while ! /pwn; do test; done so that it is retried until it succeeds).
File | Technique | Linux-Version | Applicable CTF Challenges |
---|---|---|---|
dirty_cred.c | DirtyCred abuses the heap memory reuse mechanism to gain privileges | latest | Wall Rose |
dirty_pagetable.c | Dirty Pagetable abuses page tables to get unprotected arbitrary read/write (AAR/AAW) in kernel space (kernel RCE) | latest | keasy |
dirty_pagetable_mp.c | Dirty Pagetable abuses page tables to get unprotected arbitrary read/write (AAR/AAW) in kernel space (modprobe) | latest | Faulty Kernel |
flag_corrupt.c | uses a UAF to corrupt /etc/passwd flags and gain privileges | latest | Faulty Kernel |
File | Technique | Linux-Version | Applicable CTF Challenges |
---|---|---|---|
cross_cache.c | showcases a cross-cache attack that lets dangling pointers target the heap of other slab caches | latest | |
per_cpu_slabs.c | showcases how slabs are managed and reallocated on a per-CPU basis | latest | |
mmaped_files.c | uses mmaped files to create race windows with copy_from_user or copy_to_user | latest | |
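The mmaped_files.c entry above relies on one property of copy_from_user/copy_to_user: the kernel walks the user buffer page by page, so a fault in a page that userspace controls stops the copy exactly at that page boundary (a slow or blocking fault on that page is what turns the stop into a race window). The program below is an added example written for this README, not keap's mmaped_files.c: it maps a throwaway two-page temp file, makes the second page unreadable with mprotect(PROT_NONE), and shows that write() copies exactly one page before the kernel's copy faults. It assumes Linux and a writable /tmp; the file names and the function name are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/*
 * Set up a two-page, file-backed buffer (a throwaway temp file created
 * only for this demo) and make its second page unreadable. A write()
 * from that buffer makes the kernel copy page by page: the first page
 * copies, the second faults, and the syscall reports the bytes copied
 * up to the boundary userspace chose.
 *
 * Returns the byte count write() reports (expected: one page on Linux),
 * -1 on setup failure, -2 if write() failed outright.
 */
long copy_from_user_boundary_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;

    /* hypothetical scratch files, names are this example's own */
    char src_path[] = "/tmp/keap_demo_src_XXXXXX";
    char dst_path[] = "/tmp/keap_demo_dst_XXXXXX";
    int src = mkstemp(src_path);
    int dst = mkstemp(dst_path);
    if (src < 0 || dst < 0)
        return -1;
    unlink(src_path);               /* keep the fds, drop the names */
    unlink(dst_path);

    if (ftruncate(src, 2 * page) < 0)
        return -1;

    /* the buffer handed to the kernel is backed by the mmaped file */
    char *buf = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE, MAP_SHARED, src, 0);
    if (buf == MAP_FAILED)
        return -1;
    memset(buf, 'A', 2 * page);     /* both pages resident and readable now */

    /* userspace decides where the kernel's copy will fault: page 2 */
    if (mprotect(buf + page, page, PROT_NONE) < 0)
        return -1;

    /* copy_from_user stops at the unreadable page; the partial count comes back */
    ssize_t n = write(dst, buf, 2 * page);
    int saved_errno = errno;

    munmap(buf, 2 * page);
    close(src);
    close(dst);

    if (n < 0) {
        fprintf(stderr, "write: %s\n", strerror(saved_errno));
        return -2;
    }
    return (long)n;
}

int main(void)
{
    long page = sysconf(_SC_PAGESIZE);
    long n = copy_from_user_boundary_demo();
    printf("page size %ld, write() copied %ld bytes before faulting\n", page, n);
    return n == page ? 0 : 1;
}
```

Compile with gcc and run inside the VM or on any Linux host; the exploits in this repo replace the PROT_NONE page with a page whose fault is slow to resolve, so the kernel is stuck in the middle of the copy while the other half of the race runs.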
To run one of the examples, replace pwn.c with it (e.g. ./linux6.6.22/dirty_cred.c).
- scripts/start-qemu.sh [OPTIONS]
  start the qemu VM
  -b  build and compress rootfs if changed
  -d  build with -DDEBUG
  -g  run with GDB (kaslr still enabled)
  -k  disable kaslr
  -c  force compress rootfs
- scripts/decompress.sh
  extract rootfs.cpio.gz into ./rootfs
- scripts/compress.sh
  recompress ./rootfs into rootfs.cpio.gz (e.g. after changes were made)
- scripts/build.sh
  build the exploit (pwn.c) and add it to the root of the filesystem as /pwn
Download and extract buildroot, then apply buildroot/keap.patch using patch:
patch -p1 -i buildroot/keap.patch -d ./PATH/TO/BUILDROOT
Now you can make changes using make menuconfig (e.g. changing the kernel version) and recompile keap using make (this might take a while).
The final files (rootfs.cpio.gz and bzImage) are located inside the buildroot dir under ./output/images.