/linux-kernel-exploitation

A bunch of links related to Linux kernel exploitation

Linux Kernel Exploitation

Some exploitation methods and techniques are outdated and don't work anymore on newer kernels.

Pull requests are welcome.

Books

2012: "A Guide to Kernel Exploitation: Attacking the Core" by Enrico Perla and Massimiliano Oldani

Exploitation techniques

2017: "Linux kernel addr_limit bug / exploitation" by Vitaly Nikolenko [video]

2017: "The Stack Clash" by Qualys Research Team [article]

2017: "New Reliable Android Kernel Root Exploitation Techniques" [slides]

2017: "Unleashing Use-Before-Initialization Vulnerabilities in the Linux Kernel Using Targeted Stack Spraying" [whitepaper]

2016: "Linux Kernel ROP - Ropping your way to # (Part 1)" by Vitaly Nikolenko [article]

2016: "Linux Kernel ROP - Ropping your way to # (Part 2)" by Vitaly Nikolenko [article]

2016, Ruxcon: "Exploiting COF Vulnerabilities in the Linux kernel" by Vitaly Nikolenko [slides]

2016: "Using userfaultfd" by Lizzie Dixon [article]

2016, DEF CON 24: "Direct Memory Attack the Kernel" by Ulf Frisk [video]

2016, MOSEC 2016: "Talk is cheap, show me the code" by Keen Lab [slides]

2015: "Kernel Data Attack is a Realistic Security Threat" [whitepaper]

2015: "From Collision To Exploitation: Unleashing Use-After-Free Vulnerabilities in Linux Kernel" [whitepaper]

2015: "Linux Kernel Exploitation" by Patrick Biernat [slides]

2014: "Writing kernel exploits" by Keegan McAllister [slides]

2013: "Kernel stack overflows (basics)" by Essa Alkuwari [article]

2013, Black Hat USA: "Hacking like in the Movies: Visualizing Page Tables for Local Exploitation"

2013: "Exploiting linux kernel heap corruptions" by Mohamed Channam [article]

2012: "Understanding Linux Kernel Vulnerabilities" by Richard Carback [slides]

2012: "A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator" by Dan Rosenberg [whitepaper]

2012: "Attacking hardened Linux systems with kernel JIT spraying" by Keegan McAllister [article]

2012: "The Linux kernel memory allocators from an exploitation perspective" by Patroklos Argyroudis [article]

2011: "Stackjacking Your Way to grsec/PaX Bypass" by Jon Oberheide [article]

2010: "Much ado about NULL: Exploiting a kernel NULL dereference" [article]

2010: "Exploiting Stack Overflows in the Linux Kernel" by Jon Oberheide [article]

2010, SOURCE Boston: "Linux Kernel Exploitation: Earning Its Pwnie a Vuln at a Time" by Jon Oberheide [slides]

2009, CanSecWest: "There's a party at ring0, and you're invited" by Tavis Ormandy and Julien Tinnes [slides]

2007: "Kernel-mode exploits primer" by Sylvester Keil and Clemens Kolbitsch [whitepaper]

2007, Phrack: "Attacking the Core : Kernel Exploiting Notes" [article]

2007: "The story of exploiting kmalloc() overflows" [article]

2005, CancSecWest: "Large memory management vulnerabilities" by Gael Delalleau [slides]

2005: "The story of exploiting kmalloc() overflows" [article]

Writeups

Information leak

2017: "Linux kernel 2.6.0 to 4.12-rc4 infoleak due to a data race in ALSA timer" by Alexander Potapenko [announcement, CVE-2017-1000380]

2017: "The Infoleak that (Mostly) Wasn't" by Brad Spengler [article, CVE-2017-7616]

2016: "Exploiting a Linux Kernel Infoleak to bypass Linux kASLR" [article]

2010: "Linux Kernel pktcdvd Memory Disclosure" by Jon Oberheide [article, CVE-2010-3437]

2009: "Linux Kernel x86-64 Register Leak" by Jon Oberheide [article, CVE-2009-2910]

2009: "Linux Kernel getname() Stack Memory Disclosures" by Jon Oberheide [article, CVE-2009-3001]

LPE

2017: "Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit" by Alexander Popov [video, CVE-2017-2636]

2017: "Dirty COW and why lying is bad even if you are the Linux kernel" [article, CVE-2016-5195]

2017: "NDAY-2017-0103: Arbitrary kernel write in sys_oabi_epoll_wait" by Zuk Avraham [article, CVE-2016-3857]

2017: "NDAY-2017-0106: Elevation of Privilege in NVIDIA nvhost-vic driver" by Zuk Avraham [article, CVE-2016-2434]

2017: "PWN2OWN 2017 Linux kernel privilege escalation analysis" [article, CVE-2017-7184]

2017: "Exploiting the Linux kernel via packet sockets" by Andrey Konovalov [article, CVE-2017-7308]

2017: "NDAY-2017-0105: Elevation of Privilege Vulnerability in MSM Thermal Drive" by Zuk Avraham [article, CVE-2016-2411]

2017: "NDAY-2017-0102: Elevation of Privilege Vulnerability in NVIDIA Video Driver" by Zuk Avraham [article, CVE-2016-2435]

2017: "CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP" by Alexander Popov [article, CVE-2017-2636]

2017: "CVE-2017-2636: local privilege escalation flaw in n_hdlc" by Alexander Popov [announcement, CVE-2017-2636]

2017: "CVE-2017-6074: DCCP double-free vulnerability (local root)" by Andrey Konovalov [announcement, CVE-2017-6074]

2016: "CVE-2016-8655 Linux af_packet.c race condition (local root)" by Philip Pettersson [announcement, CVE-2016-8655]

2016, Black Hat: "Rooting Every Android From Extension To Exploitation" by Di Shen and James Fang [slides, CVE-2015-0570, CVE-2016-0820, CVE-2016-2475, CVE-2016-8453]

2016: "Talk is Cheap, Show Me the Code" by James Fang, Di Shen and Wen Niu [slides, CVE-2015-1805]

2016: "CVE-2016-3873: Arbitrary Kernel Write in Nexus 9" by Sagi Kedmi [article, CVE-2016-3873]

2016, Project Zero: "Exploiting Recursion in the Linux Kernel" by Jann Horn [article, CVE-2016-1583]

2016: "ANALYSIS AND EXPLOITATION OF A LINUX KERNEL VULNERABILITY (CVE-2016-0728)" By Perception Point Research Team [article, CVE-2016-0728]

2016: "CVE20160728 Exploit Code Explained" by Shilong Zhao [article, CVE-2016-0728]

2016: "CVE-2016-0728 vs Android" by Collin Mulliner [article, CVE-2016-0728]

2016: "Notes about CVE-2016-7117" by Lizzie Dixon [article, CVE-2016-7117]

2016: "CVE-2016-2384: exploiting a double-free in the usb-midi linux kernel driver" by Andrey Konovalov [article, CVE-2016-2384]

2016: "CVE-2016-6187: Exploiting Linux kernel heap off-by-one" by Vitaly Nikolenko [article, CVE-2016-6187]

2016: "CVE-2014-2851 group_info UAF Exploitation" by Vitaly Nikolenko [article, CVE-2014-2851]

2016, HITB Ams: "Perf: From Profiling To Kernel Exploiting" by Wish Wu [slides, CVE-2016-0819]

2016, HITB Ams: "Perf: From Profiling To Kernel Exploiting" by Wish Wu [video, CVE-2016-0819]

2015: "Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)" by Gal Beniamini [article, CVE-2014-4322]

2015: "Exploiting "BadIRET" vulnerability" by Rafal Wojtczuk [article, CVE-2014-9322]

2015: "Follow-up on Exploiting "BadIRET" vulnerability (CVE-2014-9322)" by Adam Zabrocki [article, CVE-2014-9322]

2015, Black Hat: "Ah! Universal Android Rooting Is Back" by Wen Xu [whitepaper, CVE-2015-3636]

2015, Black Hat: "Ah! Universal Android Rooting Is Back" by Wen Xu [slides, CVE-2015-3636]

2015, Black Hat: "Ah! Universal Android Rooting Is Back" by Wen Xu [video, CVE-2015-3636]

2015: "When is something overflowing" by Keen Team [slides]

2015, Project Zero: "Exploiting the DRAM rowhammer bug to gain kernel privileges" by Mark Seaborn and Thomas Dullien [article, rowhammer]

2014: "Exploiting CVE-2014-0196 a walk-through of the Linux pty race condition PoC" by Samuel Gross [article, CVE-2014-0196]

2014: "CVE-2014-4943 - PPPoL2TP DoS Analysis" by Vitaly Nikolenko [article, CVE-2014-4943]

2014: "CVE-2014-4014: Linux Kernel Local Privilege Escalation "exploitation"" by Vitaly Nikolenko [article, CVE-2014-4014]

2014: "CVE-2014-4699: Linux Kernel ptrace/sysret vulnerability analysis" by Vitaly Nikolenko [article, CVE-2014-4699]

2014: "How to exploit the x32 recvmmsg() kernel vulnerability CVE 2014-0038" by Samuel Gross [article, CVE-2014-0038]

2014: "Exploiting the Futex Bug and uncovering Towelroot" [article, CVE-2014-3153]

2014: "CVE-2014-3153 Exploit" by Joel Eriksson [article, CVE-2014-3153]

2013: "Privilege Escalation Kernel Exploit" by Julius Plenz [article, CVE-2013-1763]

2013: "A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094)" by Joe Damato [article, CVE-2013-2094]

2012: "Linux Local Privilege Escalation via SUID /proc/pid/mem Write" by Jason Donenfeld [article, CVE-2012-0056]

2011, DEF CON 19: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook [slides, CVE-2010-2963]

2011, DEF CON 19: "Kernel Exploitation Via Uninitialized Stack" by Kees Cook [video, CVE-2010-2963]

2010: "CVE-2010-2963 v4l compat exploit" by Kees Cook [article, CVE-2010-2963]

2010: "Exploiting large memory management vulnerabilities in Xorg server running on Linux" by Rafal Wojtczuk [article, CVE-2010-2240]

2010: "Some Notes on CVE-2010-3081 Exploitability" [article, CVE-2010-3081]

2010: "CVE-2010-4258: Turning Denial-of-service Into Privilege Escalation" by Nelson Elhage [article, CVE-2010-4258]

2010: "CVE-2007-4573: The Anatomy of a Kernel Exploit" by Nelson Elhage [article, CVE-2007-4573]

2010: "Linux Kernel CAN SLUB Overflow" by Jon Oberheide [article, CVE-2010-2959]

2010: "af_can linux kernel overflow" by Ben Hawkes [article, CVE-2010-2959]

2010: "linux compat vulns (part 1)" by Ben Hawkes [article, CVE-2010-3081]

2010: "linux compat vulns (part 2)" by Ben Hawkes [article, CVE-2010-3301]

2010: "CVE-2010-4258: Turning denial-of-service into privilege escalation" by Nelson Elhage [article, CVE-2010-4258]

2009: "Linux NULL pointer dereference due to incorrect proto_ops initializations (CVE-2009-2692)" [article, CVE-2009-2692]

2009: "Even when one byte matters" [article, CVE-2009-1046]

2009: "CVE-2008-0009/CVE-2008-0010: Linux kernel vmsplice(2) Privilege Escalation" [article, CVE-2008-0009, CVE-2008-0010]

2008: "vmsplice(): the making of a local root exploit" by Jonathan Corbet [article, CVE-2008-0600]

2004: "Linux kernel do_mremap VMA limit local privilege escalation vulnerability" [article, CVE-2004-0077]

RCE

2016: "CVE Publication: CVE 2016-8633" by Eyal Itkin [article, CVE-2016-8633]

2011, DEF CON 19: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011" [slides, CVE-2011-1493]

2011, DEF CON 19: "Owned Over Amateur Radio: Remote Kernel Exploitation in 2011" [video, CVE-2011-1493]

2009: "When a "potential D.o.S." means a one-shot remote kernel exploit: the SCTP story" [article, CVE-2009-0065]

Protection bypass techniques

2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric" [article]

2016, KIWICON: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko [slides]

2016: "Micro architecture attacks on KASLR" by Anders Fogh" [article]

2016: "Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR" by Dmitry Evtyushkin, Dmitry Ponomarev and Nael Abu-Ghazaleh [slides]

2016, CCS: "Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR" by Daniel Gruss, Clementine Maurice, Anders Fogh, Moritz Lipp and Stefan Mangard [video]

2016, Black Hat USA: "Using Undocumented CPU Behavior to See Into Kernel Mode and Break KASLR in the Process" [video]

2016, Black Hat USA: "Breaking KASLR with Intel TSX" Yeongjin Jang, Sangho Lee and Taesoo Kim [slides]

2016, Black Hat USA: "Breaking KASLR with Intel TSX" Yeongjin Jang, Sangho Lee and Taesoo Kim [video]

2016: "Breaking KASLR with micro architecture" by Anders Fogh [article]

2015: "Effectively bypassing kptr_restrict on Android" by Gal Beniamini [article]

2014, Black Hat Europe: "ret2dir: Deconstructing Kernel Isolation" by Vasileios P. Kemerlis, Michalis Polychronakis, Angelos D. Keromytis [whitepaper]

2014, Black Hat Europe: "ret2dir: Deconstructing Kernel Isolation" by Vasileios Kemerlis [video]

2013: "A Linux Memory Trick" by Dan Rosenberg [article]

2011: "SMEP: What is It, and How to Beat It on Linux" by Dan Rosenberg [article]

2009: "Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)" [article]

Defensive

2017: "PT-Rand: Practical Mitigation of Data-only Attacks against Page Tables" [whitepaper]

2017: "KASLR is Dead: Long Live KASLR" [whitepaper]

2017: "Honey, I shrunk the attack surface – Adventures in Android security hardening" by Nick Kralevich [video]

2017: "Fine Grained Control-Flow Integrity for The Linux Kernel" by Sandro Rigo, Michalis Polychronakis, Vasileios Kemerlis [slides]

2016: "Emerging Defense in Android Kernel" by James Fang [article]

2016: "Randomizing the Linux kernel heap freelists" by Thomas Garnier [article]

2015: "Protecting Commodity Operating Systems through Strong Kernel Isolation" by Vasileios Kemerlis [whitepaper]

2013: "KASLR: An Exercise in Cargo Cult Security" by Brad Spengler [article]

2012: "How do I mitigate against NULL pointer dereference vulnerabilities?" by RedHat [article]

2009, Phrack: "Linux Kernel Heap Tampering Detection" by Larry Highsmith [article]

Fuzzing & detectors

2016, Linux Plumbers: "Syzkaller, Future Developement" by Dmitry Vyukov [slides]

2016: "Coverage-guided kernel fuzzing with syzkaller" [article]

2016: "Filesystem Fuzzing with American Fuzzy Lop" by Vegard Nossum and Quentin Casasnovas [slides]

2016, ToorCon: "Project Triforce: AFL + QEMU + kernel = CVEs! (or) How to use AFL to fuzz arbitrary VMs" [slides]

2015, LinuxCon North America: "KernelAddressSanitizer (KASan): a fast memory error detector for the Linux kernel" by Andrey Konovalov [slides]

2015, DEF CON 23: "Introduction to USB and Fuzzing" by Matt DuHarte [video]

2015, Black Hat: "Don't Trust Your USB! How to Find Bugs in USB Device Drivers" by Sergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke [video]

2010: "Automatic Bug-finding Techniques for Linux Kernel" by Jiri Slaby [whitepaper]

Fuzzers

https://github.com/kernelslacker/trinity

https://github.com/google/syzkaller

https://github.com/schumilo/vUSBf

http://web.eece.maine.edu/~vweaver/projects/perf_events/fuzzer/

https://github.com/nccgroup/TriforceLinuxSyscallFuzzer

https://github.com/oracle/kernel-fuzzing

https://github.com/rgbkrk/iknowthis

Exploits

https://www.exploit-db.com/search/?action=search&description=linux+kernel

https://github.com/offensive-security/exploit-database/tree/master/platforms/linux/local

https://bugs.chromium.org/p/project-zero/issues/list?can=1&q=linux+kernel&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=ids

http://vulnfactory.org/exploits/

https://www.kernel-exploits.com/

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

https://github.com/ScottyBauer/Android_Kernel_CVE_POCs

https://github.com/f47h3r/hackingteam_exploits

https://github.com/xairy/kernel-exploits

https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack

https://github.com/SecWiki/linux-kernel-exploits

https://grsecurity.net/~spender/exploits/

Practice

CTF tasks

CSAW CTF 2010: writeup, source

CSAW CTF 2011: writeup, source

CSAW CTF 2013: writeup, source and exploit

CSAW CTF 2014: source and exploit

CSAW CTF 2015: writeup 1, writeup 2, source and exploit

Insomni’hack finals 2015: writeup, source and exploit

rwth2011 CTF (ps3game): writeup

PlaidCTF 2013 (Servr): writeup, source

0ctf2016: writeup, exploit

0ctf2017: source and exploit

Misc

https://github.com/Fuzion24/AndroidKernelExploitationPlayground

https://github.com/ReverseLab/kernel-pwn-challenge

https://github.com/NoviceLive/research-rootkit

https://github.com/djrbliss/libplayground

pwnable.kr tasks (syscall, rootkit, softmmu, towelroot, kcrc, exynos)

RPISEC kernel labs

Tools

https://github.com/jonoberheide/ksymhunter

https://github.com/jonoberheide/kstructhunter

https://github.com/ngalongc/AutoLocalPrivilegeEscalation

https://github.com/PenturaLabs/Linux_Exploit_Suggester

https://github.com/jondonas/linux-exploit-suggester-2

https://github.com/mzet-/linux-exploit-suggester

Unsorted

https://github.com/mncoppola/Linux-Kernel-CTF

https://crowell.github.io/blog/2014/11/24/hosting-a-local-kernel-ctf-challenge/

https://github.com/ukanth/afwall/wiki/Kernel-security