{"id":18386075,"url":"https://github.com/idanbanani/linux-kernel-vr-exploitation","last_synced_at":"2025-04-07T00:32:46.064Z","repository":{"id":197023009,"uuid":"697836262","full_name":"IdanBanani/Linux-Kernel-VR-Exploitation","owner":"IdanBanani","description":"Linux \u0026 Android Kernel Vulnerability research and exploitation","archived":false,"fork":false,"pushed_at":"2023-12-12T17:53:34.000Z","size":17951,"stargazers_count":37,"open_issues_count":0,"forks_count":5,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-22T09:43:34.454Z","etag":null,"topics":["exploitation","kernel-bypass","kernel-exploitation","kernel-security","linux","linux-kernel-hacking","lpe","privilege-escalation","privilege-escalation-exploits","pwn","vulnerability-research"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/IdanBanani.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-09-28T15:15:35.000Z","updated_at":"2025-02-28T09:10:48.000Z","dependencies_parsed_at":null,"dependency_job_id":"d36feb23-0486-4983-b8ce-8ef3db5bac8d","html_url":"https://github.com/IdanBanani/Linux-Kernel-VR-Exploitation","commit_stats":null,"previous_names":["idanbanani/linux-kernel-vr-exploitation"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IdanBanani%2FLinux-Kernel-VR-Exploitation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IdanBanani%2FLinux-Kernel-VR-Exploitation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/IdanBanani%2FLinux-Kernel-VR-Exploitation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/IdanBanani%2FLinux-Kernel-VR-Exploitation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/IdanBanani","download_url":"https://codeload.github.com/IdanBanani/Linux-Kernel-VR-Exploitation/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247574088,"owners_count":20960495,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploitation","kernel-bypass","kernel-exploitation","kernel-security","linux","linux-kernel-hacking","lpe","privilege-escalation","privilege-escalation-exploits","pwn","vulnerability-research"],"created_at":"2024-11-06T01:20:17.570Z","updated_at":"2025-04-07T00:32:44.012Z","avatar_url":"https://github.com/IdanBanani.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"To Be Continued\n\nLinux \u0026 Android Kernel Vulnerability research and exploitation\n\n# Environment setup\n\n- Do not even bother using **WSL2** for kernel dev/research: you will run into many problems quite fast, and it is not worth the time to troubleshoot them. Use a virtual machine instead.\n- Relevant hypervisors: VMware, Hyper-V, Xen\n  - VirtualBox does not seem to support mitigations like SMEP\n  - VMware\n    - Windows/Linux: VMware Workstation Pro (paid license)\n    - Mac: VMware Fusion\n- [\"Kernel hacking like it's 2020\" - Russell Currey (LCA 2020)](https://www.youtube.com/watch?v=heib48KG-YQ)\n\n
# Linux kernel exploitation tutorials \u0026 practice playgrounds\n\n- [Andrey Konovalov xairy collection](https://github.com/xairy/linux-kernel-exploitation#practice) (**VERY** comprehensive - Use this!)\n- [Lexfo Blog CVE-2017-11176: A step-by-step Linux Kernel exploitation (4 Parts)](https://blog.lexfo.fr/tag/kernel.html) - Nice introduction. **Link to notes**\n- [pr0cf5/kernel-exploit-practice](https://github.com/pr0cf5/kernel-exploit-practice/tree/master) - Playground with many labs\n- [0x00Sec - Point of no C3 | Linux Kernel v4.13 Exploitation](https://0x00sec.org/t/point-of-no-c3-linux-kernel-exploitation-part-0/11585)\n- [Low-level adventures - Learning Linux kernel exploitation - Part 1 - Laying the groundwork](https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/)\n- [Low-level adventures - Learning Linux kernel exploitation - Part 2 - CVE-2022-0847](https://0x434b.dev/learning-linux-kernel-exploitation-part-2-cve-2022-0847/)\n- [Linux Kernel PWN | 01 From Zero to One](https://blog.wohin.me/posts/linux-kernel-pwn-01/)\n- [Learning Linux Kernel Exploitation by midas](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/)\n- \u003chttps://github.com/ocastejon/linux-kernel-learning\u003e\n- [Information docs index](https://low-level.readthedocs.io/en/latest/security/kernel/)\n\n## CTF challenges\n\n- [UIUCTF23 – Corny Kernel – Writeup (Beginners)](https://charlesit.blog/2023/07/28/uiuctf23-corny-kernel-writeup/)\n- [3k CTF 2021 - Klibrary - Exploit linux kernel use after free with a race condition](https://ctftime.org/writeup/28528)\n- \u003chttps://ctftime.org/tasks/?tags=\u0026hidden-tags=kernel\u003e\n  - \u003chttps://t.me/ctftime_pyramid\u003e (searchable writeups)\n- [pwnable.tw - death_note]\n\n## Theory\n\n- [understanding v2.3 linux kernel vulnerabilities - Richard Carback (UMBC)](https://redirect.cs.umbc.edu/courses/undergraduate/421/Spring12/02/slides/ULKV.pdf)\n\n## Academic research papers\n\n- [Hijacking the Linux Kernel - 2011](https://drops.dagstuhl.de/opus/volltexte/2011/3063/)\n- [Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel - Moshe Kol, JSOF](https://0xkol.github.io/assets/files/Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf)\n\n
# Tracing the Kernel\n\n- [Steven Rostedt - Learning the Linux Kernel with tracing](https://www.youtube.com/watch?v=JRyrhsx-L5Y)\n\n# Kernel Bugs, vulnerabilities and exploitation techniques\n\n- [I found ANOTHER BUG IN THE LINUX KERNEL! (SPARC)](https://www.youtube.com/watch?v=disnmelvG90)\n- [A cache invalidation bug in Linux memory management - Jann Horn, Google Project Zero - CVE-2018-17182](https://googleprojectzero.blogspot.com/2018/09/)\n- [CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-39793.html)\n- [Linux Kernel universal heap spray](https://duasynt.com/blog/linux-kernel-heap-spray)\n- [EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)](https://www.willsroot.io/2022/12/entrybleed.html)\n- [Tickling ksmbd: fuzzing SMB in the Linux kernel](https://pwning.tech/ksmbd-syzkaller/)\n- [Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)](https://pwning.tech/ksmbd/)\n- [Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks](https://snyk.io/blog/kernel-privilege-escalation/)\n- [A new method for container escape using file-based DirtyCred](https://starlabs.sg/blog/2023/07-a-new-method-for-container-escape-using-file-based-dirtycred/)\n\n
# Linux Kernel Exploitation CVE PoCs/writeups \u0026 guides\n\n- [CVE-2021-22600 - USMA: Share Kernel Code with Me - Yong Liu, Jun Yao, Xiaodong Wang (360 Vulnerability Research Institute)](https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-YongLiu-USMA-Share-Kernel-Code.pdf)\n- [ocastejon - linux-kernel-learning \u0026 exploitation techniques](https://github.com/ocastejon/linux-kernel-learning)\n- [CVE-2022-27666: My file your memory - Erin Avllazagaj](https://albocoder.github.io/exploit/2023/03/13/KernelFileExploit.html)\n  - [PoC](https://github.com/plummm/CVE-2022-27666)\n- [nrb547 CVE-2021-32606: CAN ISOTP local privilege escalation](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md)\n- [MWR Labs Whitepaper Kernel Driver mmap Handler Exploitation 2017-09-18 – Mateusz Fruba](https://labs.withsecure.com/content/dam/labs/docs/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf)\n- [ww9210 FUZE project Repo](https://github.com/ww9210/Linux_kernel_exploits)\n- [Immunity Blog - Writing a Linux Kernel Remote in 2022](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/)\n- [CVE-2022-20186 - GitHub Blog - Corrupting memory without memory corruption - Arm Mali GPU kernel driver](https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/)\n- [GitHub Blog - Rooting with root cause: finding a variant of a Project Zero bug - CVE-2022-46395](https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/)\n- [PoCs by Google](https://github.com/google/security-research/tree/master/pocs/linux)\n- [Pwning the all Google phone with a non-Google bug - CVE-2022-38181](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/)\n- [Exploiting CVE-2021-3490 for Container Escapes](https://www.crowdstrike.com/blog/exploiting-cve-2021-3490-for-container-escapes/?utm_medium=soc\u0026utm_source=lnkd\u0026utm_term=spklr\u0026utm_content=8671201906\u0026utm_campaign=%5Bglobal%5D)\n- [CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem (Alexander Popov)](https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html)\n- [CyberArk - LPE for Razer USB driver](https://www.cyberark.com/resources/threat-research-blog/colorful-vulnerabilities)\n\n
## Dirty COW Vulnerability\n\n- [eshard Blog - Reversing DirtyC0W](https://eshard.com/posts/dirtyc0w-1)\n- [Williams College - Dirty COW: CVE-2016-5095, A Privilege Escalation Vulnerability in the Linux Kernel - CSCI 432, May 11 2022](https://www.cs.williams.edu/~cs432/osco/18-ye.pdf)\n- [Dirty Cow Technical Explanation](https://www.youtube.com/watch?v=FKdZ0QEIga8)\n- [Huge Dirty COW (CVE-2017-1000405) - The incomplete Dirty COW patch - Bindecy](https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0)\n- [HugeDirtyCow POC - Bindecy](https://github.com/bindecy/HugeDirtyCowPOC)\n\n## StackRot (2023)\n\n- [Rezilion Blog - What You Need to Know About StackRot – CVE-2023-3269](https://www.rezilion.com/blog/what-you-need-to-know-about-stackrot-cve-2023-3269/)\n- [lrh2000 - CVE-2023-3269: Linux kernel privilege escalation vulnerability - writeup \u0026 PoC](https://github.com/lrh2000/StackRot)\n- [Openwall Mailing List - The patch for StackRot](https://www.openwall.com/lists/oss-security/2023/07/05/1)\n- [Aegisbyte Blog - StackRot](https://www.aegisbyte.com/post/stackrot-cve-2023-3269-exploit-will-be-released-soon)\n\n## DirtyPipe (CVE-2022-0847)\n\n## Pwnkit (CVE-2021-4034)\n\n## Udmabuf Driver Vulnerability\n\n- [Blue Frost Security Blog - CVE-2023-2008](https://labs.bluefrostsecurity.de/blog/cve-2023-2008.html)\n\n## Linux Kernel MMAP Vulnerabilities\n\n- [Checkpoint Research - MMAP VULNERABILITIES – LINUX KERNEL - Eyal Itkin](https://research.checkpoint.com/2018/mmap-vulnerabilities-linux-kernel/#single-post)\n- [De4dCr0w - Kernel-Driver-mmap-Handler-Exploitation](https://github.com/De4dCr0w/Kernel-Driver-mmap-Handler-Exploitation)\n- [deshal3v (Omer Shalev) Blog - mmap handler exploitation](https://deshal3v.github.io/blog/kernel-research/mmap_exploitation)\n- [Exploit-DB - Linux \u003c 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem](https://www.exploit-db.com/exploits/46502)\n\n
# Talks from conferences (videos)\n\n- [xairy.io Talks](https://xairy.io/talks/)\n- [OffensiveCon23 - Alex Plaskett \u0026 Cedric Halbronn - Exploit Engineering – Attacking the Linux Kernel](https://www.youtube.com/watch?v=9wgHENj_YNk)\n- [OffensiveCon23 - Moshe Kol - Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel](https://www.youtube.com/watch?v=E3CVDOlcHC4)\n- [#HITB2022SIN E'rybody Gettin' TIPC: Demystifying Remote Linux Kernel Exploitation - Sam Page](https://www.youtube.com/watch?v=OmvGf-zVcbI)\n\n# Major changes to source code\n\n- [VMA 2.6 -\u003e 2.7](https://lwn.net/Articles/182495/)\n- [Replace any vm_next use with vma_find().](https://lore.kernel.org/lkml/20220426150616.3937571-69-Liam.Howlett@oracle.com/)\n- [mm/vmacache.c]\n- [[PATCH 6.1 14/30] mm: introduce new lock_mm_and_find_vma() page fault helper](https://www.spinics.net/lists/stable/msg663179.html)\n\n# Additional out-of-context resources\n\n- [Robert Love's Quora Answers](https://www.quora.com/profile/Robert-Love-1/answers)\n\n# Source code structs \u0026 fields of interest\n\n## VMA (Virtual memory areas) \u0026 Memory management\n\n- [vm_area_struct](https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/include/linux/mm_types.h;l=490)\n- [vm_area_struct #2](https://livegrep.com/search/linux?q=vm_area_struct\u0026fold_case=auto\u0026regex=false\u0026context=true)\n- mm/vmacache.c\n  - `vm_mm`, `mm_struct`\n  - `find_vma()`, `vmacache_update()`, `mm_struct`, `vmacache`\n- Exploiting `do_page_fault()`?\n\n# The backyard/garage of the Linux kernel docs\n\n[https://www.kernel.org/doc/](https://www.kernel.org/doc/)\n\n
# Linux internals\n\n- [sam4k - Linternals: Introduction](https://sam4k.com/linternals-introduction/)\n- [Linux insides](https://0xax.gitbooks.io/linux-insides/content/)\n- [The slab allocators of past, present, and future - Vlastimil Babka](https://www.youtube.com/watch?v=d1KfrAL7Htk)\n- [Mentorship Session: Debugging Linux Memory Management Subsystem (The Linux Foundation)](https://www.youtube.com/watch?v=fwLoPtTCmnw)\n  - [Contained in this video playlist](https://www.youtube.com/watch?v=FdNIiQxwJuk\u0026list=PLbzoR-pLrL6o8cdq_JLTwsLfe2_DhNsDf)\n- [ECE-T480 - Spring 2021: Lecture 16 (the slab allocator)](https://www.youtube.com/watch?v=pFi-JKgoX-I)\n- [The ARM32 Scheduling and Kernelspace Userspace Boundary](https://people.kernel.org/linusw/the-arm32-scheduling-and-kernelspace-userspace-boundary) - Linus Walleij\n- [The Linux Process Journey](https://www.linkedin.com/search/results/content/?keywords=shlomi%20boutnaru%20linux%20process%20journey\u0026origin=FACETED_SEARCH\u0026postedBy=%5B%22following%22%5D\u0026sid=X%2C8\u0026sortBy=%22date_posted%22) - Shlomi Boutnaru\n\n# Virtual memory areas data structures (VMA)\n\n- [The Maple Tree, A Modern Data Structure for a Complex Problem](https://blogs.oracle.com/linux/post/the-maple-tree-a-modern-data-structure-for-a-complex-problem)\n\n# Page Tables and Process Memory internals \u0026 exploits\n\n- [Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel](https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html)\n- [Hiding Process Memory via Anti-Forensic Techniques](https://www.youtube.com/watch?v=tMxCfxjtvnk)\n- [Blackhat - Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache](https://www.youtube.com/watch?v=HZk2egYDXxg)\n\n# Various open source tools\n\n## Kernel Vulnerability Scanner tools\n\n- [The-Z-Labs - linux-exploit-suggester - Linux privilege escalation auditing tool](https://github.com/The-Z-Labs/linux-exploit-suggester/tree/master)\n\n# In Chromium\n\n- [Project Zero issue 2329 on the Chromium bug tracker](https://bugs.chromium.org/p/project-zero/issues/detail?id=2329)\n\n
# Android\n\n- [GitHub Blog - The Android kernel mitigations obstacle race](https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/)\n- linux/mm/memory.c\n- [abi-monitor](https://source.android.com/docs/core/architecture/kernel/abi-monitor)\n\n# Blogs\n\n- \u003chttps://hackmd.io/@ptr-yudai\u003e\n- \u003chttps://xairy.io/\u003e\n- \u003chttps://google.github.io/security-research/\u003e\n\n# Mitigations\n\n- [Summary of Linux Kernel Security Protections (2022)](https://www.slideshare.net/ShubhamDubey29/summary-of-linux-kernel-security-protections)\n- \u003chttps://github.com/nccgroup/exploit_mitigations/blob/main/linux_mitigations.md\u003e","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fidanbanani%2Flinux-kernel-vr-exploitation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fidanbanani%2Flinux-kernel-vr-exploitation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fidanbanani%2Flinux-kernel-vr-exploitation/lists"}