{
  "id": 13539192,
  "url": "https://github.com/bcoles/kernel-exploits",
  "last_synced_at": "2025-04-12T18:43:32.408Z",
  "repository": {
    "id": 37405609,
    "uuid": "132224945",
    "full_name": "bcoles/kernel-exploits",
    "owner": "bcoles",
    "description": "Various kernel exploits",
    "archived": false,
    "fork": false,
    "pushed_at": "2024-03-14T13:37:20.000Z",
    "size": 170,
    "stargazers_count": 774,
    "open_issues_count": 0,
    "forks_count": 237,
    "subscribers_count": 29,
    "default_branch": "master",
    "last_synced_at": "2025-04-03T20:12:46.574Z",
    "etag": null,
    "topics": ["exploit", "kernel", "kernel-exploits", "linux", "linux-kernel", "local-root"],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "C",
    "has_issues": false,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": null,
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/bcoles.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": null,
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null
      }
    },
    "created_at": "2018-05-05T07:25:57.000Z",
    "updated_at": "2025-04-01T05:54:34.000Z",
    "dependencies_parsed_at": "2024-08-01T09:22:36.123Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/bcoles/kernel-exploits",
    "commit_stats": null,
    "previous_names": [],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Fkernel-exploits",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Fkernel-exploits/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Fkernel-exploits/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bcoles%2Fkernel-exploits/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bcoles",
    "download_url": "https://codeload.github.com/bcoles/kernel-exploits/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 248617138,
      "owners_count": 21134190,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["exploit", "kernel", "kernel-exploits", "linux", "linux-kernel", "local-root"],
  "created_at": "2024-08-01T09:01:21.501Z",
  "updated_at": "2025-04-12T18:43:32.367Z",
  "avatar_url": "https://github.com/bcoles.png",
  "language": "C",
  "readme": "# Kernel Exploits\n\nVarious kernel exploits\n\n## CVE-2021-22555\n\nLinux local root exploit.\n\nUpdated version of theflow's [exploit](https://github.com/google/security-research/blob/master/pocs/linux/cve-2021-22555/exploit.c) for [CVE-2021-22555](https://nvd.nist.gov/vuln/detail/CVE-2021-22555).\n\n\u003e A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space.\n\n\n## CVE-2019-13272\n\nLinux local root exploit.\n\nUpdated version of Jann Horn's [exploit](https://bugs.chromium.org/p/project-zero/issues/detail?id=1903) for [CVE-2019-13272](https://nvd.nist.gov/vuln/detail/CVE-2019-13272).\n\n\u003e In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.\n\n\n## CVE-2018-18955\n\nLinux local root exploit.\n\nWrapper for Jann Horn's [exploit](https://bugs.chromium.org/p/project-zero/issues/detail?id=1712) for [CVE-2018-18955](https://nvd.nist.gov/vuln/detail/CVE-2018-18955).\n\n\u003e In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.\n\n\n## CVE-2018-5333\n\nLinux local root exploit.\n\nUpdated version of wbowling's [exploit](https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4) for [CVE-2018-5333](https://nvd.nist.gov/vuln/detail/CVE-2018-5333).\n\n\u003e In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference.\n\n\n## CVE-2017-1000112\n\nLinux local root exploit.\n\nUpdated version of xairy's [exploit](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112) for [CVE-2017-1000112](https://nvd.nist.gov/vuln/detail/CVE-2017-1000112).\n\n\u003e Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb-\u003elen becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev-\u003elen - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\") on Oct 18 2005.\n\n\n## CVE-2017-7308\n\nLinux local root exploit.\n\nUpdated version of xairy's [exploit](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-7308) for [CVE-2017-7308](https://nvd.nist.gov/vuln/detail/CVE-2017-7308).\n\n\u003e The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.\n\n\n## CVE-2016-9793\n\nLinux local root exploit.\n\nUpdated version of xairy's [exploit](https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793) for [CVE-2016-9793](https://nvd.nist.gov/vuln/detail/CVE-2016-9793).\n\n\u003e The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.\n\n\n## CVE-2016-8655\n\nLinux local root exploit.\n\nUpdated version of rebel's [exploit](https://packetstormsecurity.com/files/140063/Linux-Kernel-4.4.0-AF_PACKET-Race-Condition-Privilege-Escalation.html) for [CVE-2016-8655](https://nvd.nist.gov/vuln/detail/CVE-2016-8655).\n\n\u003e Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.\n",
  "funding_links": [],
  "categories": ["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing"],
  "sub_categories": ["\u003ca id=\"41ae40ed61ab2b61f2971fea3ec26e7c\"\u003e\u003c/a\u003e漏洞利用"],
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbcoles%2Fkernel-exploits",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fbcoles%2Fkernel-exploits",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbcoles%2Fkernel-exploits/lists"
}