{"id":13534831,"url":"https://github.com/spencerdodd/kernelpop","last_synced_at":"2026-01-21T19:15:30.796Z","repository":{"id":53830322,"uuid":"107932322","full_name":"spencerdodd/kernelpop","owner":"spencerdodd","description":"kernel privilege escalation enumeration and exploitation framework","archived":false,"fork":false,"pushed_at":"2018-08-02T22:40:52.000Z","size":9179,"stargazers_count":687,"open_issues_count":8,"forks_count":130,"subscribers_count":46,"default_branch":"master","last_synced_at":"2024-11-02T22:32:52.921Z","etag":null,"topics":["enumeration","exploits","kernel","security","tools","vulnerabilities"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spencerdodd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-10-23T04:32:26.000Z","updated_at":"2024-09-27T13:54:40.000Z","dependencies_parsed_at":"2022-08-21T20:20:35.850Z","dependency_job_id":null,"html_url":"https://github.com/spencerdodd/kernelpop","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spencerdodd%2Fkernelpop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spencerdodd%2Fkernelpop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spencerdodd%2Fkernelpop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spencerdodd%2Fkernelpop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spencerdodd","download_url":"https://codeload.github.com/spencerdodd/kernelpop
/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246734975,"owners_count":20825211,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["enumeration","exploits","kernel","security","tools","vulnerabilities"],"created_at":"2024-08-01T08:00:43.491Z","updated_at":"2026-01-21T19:15:30.788Z","avatar_url":"https://github.com/spencerdodd.png","language":"Python","readme":"# kernelpop\n\nkernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation \non the following operating systems:\n\n- [x] Linux\n\n- [x] Mac\n\nIt is designed to be `python` version-agnostic, meaning that it should work with both `python2` and `python3` \n\n* please let me know if you find that it doesn't\n\n---\n\n### example of enumeration to root (Linux)\n\n![got-root](img/final.gif)\n\n---\n\n### ways to use\n\n* run from project source\n\n```\n$ git clone https://github.com/spencerdodd/kernelpop\n$ cd kernelpop\n$ python kernelpop.py || python3 kernelpop.py\n```\n\n* build binary\n\n```\n$ git clone https://github.com/spencerdodd/kernelpop\n$ cd kernelpop\n$ ./create_executable.sh\n$ ./kernelpop\n```\n\n* steps to build binary without script\n\n1. install `pyinstaller` (steps vary per build system)\n2. `$ pyinstaller kernelpop.py --onefile`\n3. 
`$ cp dist/kernelpop .`\n\nboth of the binary build steps should create a binary `kernelpop` in the project root.\n\n---\n\n### enumeration output\n\n```\nuser@debian:~/Desktop/kernelpop$ python3 kernelpop.py\n\n##########################\n#  welcome to kernelpop  #\n#                        #\n# let's pop some kernels #\n##########################\n\n[*] grabbing distro version and release from underlying OS (linuxdebian7)\n[*] grabbing kernel version from 'uname -a'\n[+] kernel (Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2 i686 GNU/Linux) identified as:\n[base]\n\ttype:\t\t\tlinux\n\tdistro:\t\t\tlinuxdebian7\n\tversion:\t\t3.2.0-4\n\tarchitecture:\t\ti686\n[specific]\n\ttype:\t\t\tlinux\n\tdistro:\t\t\tlinuxdebian7\n\tversion:\t\t3.2.41-2\n\tarchitecture:\t\ti686\n[*] matching kernel to known exploits\n[+] discovered 11 possible exploits !\n\t[[ distro kernel matched exploit available ]]\n\t\tCVE20165195_32\tDirty COW race condition root priv esc for 32 bit\n\t[[ distro kernel version vulnerable ]]\n\t\tCVE20144699\tExploitable race condition in linux before 3.15.4\n\t\tCVE20143153\t`futex_requeue` vulnerability before 3.14.6 allows for priv esc\n\t\tCVE20162384\tDouble free vulnerability in the `snd_usbmidi_create` (requires physical proximity)\n\t\tCVE20140196\t`n_tty_write` vuln before 3.14.4 allows priv esc to root\n\t\tCVE20132094_semtex\tperf_swevent_init Local root exploit (32 bit)\n\t\tCVE20176074\t`dccp_rcv_state_process` in net/dccp/input.c mishandles structs and can lead to local root\n\t\tCVE20132094_32\tperf_swevent_init Local root exploit (32 bit)\n\t[[ base linux kernel vulnerable ]]\n\t\tCVE20144014\t`chmod` restriction bypass allows users to get root before 3.14.8\n\t\tCVE20177308\t`packet_set_ring` in net/packet/af_packet.c can gain privileges via crafted system calls.\n\t\tCVE20171000112\tip_ufo_append_data() memory corruption flaw can be exploited to gain root privileges.\n```\n\nIn the output, there are a few categories. 
This is what each means\n\n**[[ distro kernel matched exploit available ]]**\n\n* there is a distro version specific matched kernel exploit in the project that you can use to exploit the kernel.\nHigh likelihood of successful exploitation.\n\n**[[ distro kernel version vulnerable ]]**\n\n* the distro kernel version is vulnerable to the vulnerability listed, but was not explicitly stated as tested in the\nPoC exploit in the project. Exploitation without modification of the exploit may work, but has a lower likelihood of\nsuccess.\n\n**[[ base linux kernel vulnerable ]]**\n\n* it is unknown if the distro kernel version is vulnerable to the vulnerability, but the base linux kernel is in the\nvulnerable range for the exploit. Exploitation without modification of the exploit is either unlikely or unknown,\nbut may still work.\n\n---\n\n### requirements\n\n* `python2` or `python3`\n\n* `pyinstaller` (if you want to build a binary)\n\n---\n\n# usage\n\n```\nrun modes:\n\t(default)\t        python3 kernelpop.py\n\t(exploit-mode)\t        python3 kernelpop.py -e {exploit name}\n\t\t(dump-source)   python3 kernelpop.py -e {exploit name} -d\n\t(uname-mode)            python3 kernelpop.py -u {uname -a output}\n\t(interactive-mode)      python3 kernelpop.py -i # LEGACY option (same as uname-mode)\nother:\n\t(playground path)       -p {new path}\n\t(json output file)      --digest json\n```\n\n### default mode (passive)\n\nThe `default` mode processes information about the host kernel and compares it to the known kernel exploits available\nto the program. It then outputs a list of potentially useful vulnerabilities and attached exploits.\n\n### exploit mode (active)\n\n```\n-e {exploit name}\n```\n\nThe `exploit` mode dynamically compiles and runs the exploit source code with stdio interactions inside the program.\nIt can catch interrupts from short-stopped attempts as well. 
Use the name of the exploit that comes up in the\ninitial `kernelpop` enumeration run in `default` mode.\n\n* **dump-source (option) `-d`**\n\n\t* This is a modifier for `exploit` mode. It dumps the source files for the given exploit to their respective\n\tfiles in `PLAYGROUND_PATH` (default `/tmp`). This is useful for modifying exploit source on a box or working\n\twith exploits that require manual interaction or hard-coding of values. It is especially useful when running\n\tfrom a binary, because you won't have access to the project source code (i.e. exploit source).\n\n### uname mode (passive)\n\n```\n-u {uname -a output}\n```\n\nThis option allows you to pass the output of a `uname -a` command to the program inline, which makes it usable for\nintegration into automated scripts or for any other foreseeable reason. Replacement for `interactive mode`.\n\n### interactive mode (passive) [LEGACY - required for Mac by `uname` output]\n\n```\n-i {uname -a output}\n```\n\nThe `interactive` mode allows you to perform enumeration with just the output of a `uname -a` command,\nwhich makes it useful as a host-side only enumeration tool. This is run by starting `kernelpop` with the `-i` flag\nand then passing the output of `uname -a` when requested. This is a legacy feature, replaced by `uname mode`, but it remains\nsupported as `-u` does not support Mac enumeration.\n\n### `PLAYGROUND` path\n\n```\n-p {new PLAYGROUND_PATH dir}\n```\n\nThe `-p` option sets the value of the global variable `PLAYGROUND_PATH`. This is the location where all exploit source\nfiles are written to, and exploits compiled to. This is set, by default, to `/tmp`. However, you can set it to any\ndirectory with this modifier in case you do not have write access in `/tmp`.\n\n### digestible output\n\n```\n--digest json\n```\n\nThis option allows you to dump the results of a kernelpop run to a digestible json file for later processing. 
So\nfar, I have just implemented the `json` dump, but I will work on an XML version if it is requested.\n\n### To Do\n\n- [ ] add more exploits! (src/to_add if anyone wants to get cracking on a few of these, be my guest!)\n\n- [ ] include patch levels in vulnerable window comparisons\n\n- [ ] add a way to override detected settings in case of incorrect parsing or adversarial settings\n\n### Process for adding kernel vulnerability windows: [ should write a scraper ]\n\n* google: CVE-XXXX-XXXX \"ubuntu\"\n\n\t* click the canonical link (https://people.canonical.com/~ubuntu-security/cve/2016/CVE-XXXX-XXXX.html)\n\n\t\t* click all linked advisories at usn.ubuntu.com and parse info\n\n\t\t* grab patch versions for filling in vulnerability windows per version\n\n* google: CVE-XXXX-XXXX \"debian\"\n\n\t* security-tracker.debian.org link (https://security-tracker.debian.org/tracker/CVE-XXXX-XXXX)\n\n\t\t* pull information from the bottom of the page that relates to the patched versions for the specific cve\n\n* google: CVE-XXXX-XXXX \"mitre\"\n\n\t* links to other distros to pull info from\n\n---\n\n### currently supported CVEs:\n\n* `CVE-2017-1000379`\n\n* `CVE-2017-1000373`\n\n* `CVE-2017-1000372`\n\n* `CVE-2017-1000371`\n\n* `CVE-2017-1000370`\n\n* `CVE-2017-1000367`\n\n* `CVE-2017-1000112`\n\n* `CVE-2017-7308`\n\n* `CVE-2017-6074`\n\n* `CVE-2017-5123`\n\n* `CVE-2016-5195`\n\n* `CVE-2016-2384`\n\n* `CVE-2016-0728`\n\n* `CVE-2015-1328`\n\n* `CVE-2014-4699`\n\n* `CVE-2014-4014`\n\n* `CVE-2014-3153`\n\n* `CVE-2014-0196`\n\n* `CVE-2014-0038`\n\n* `CVE-2013-2094`\n\n* `CVE-2010-4347`\n\n* `CVE-2010-2959`\n\n* `CVE-2009-1185`\n\n---\n\n### exploit sources\n\n`https://github.com/SecWiki/linux-kernel-exploits`\n\n`http://exploit-db.com/`\n\n`https://github.com/lucyoa/kernel-exploits`\n\n`https://github.com/SecWiki/windows-kernel-exploits`\n\n### historical distro sources\n\nDebian\n\n* [debian 
releases](http://cdimage.debian.org/cdimage/archive/)\n\n","funding_links":[],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing","Uncategorized","Linux"],"sub_categories":["\u003ca id=\"41ae40ed61ab2b61f2971fea3ec26e7c\"\u003e\u003c/a\u003e漏洞利用","Uncategorized","Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspencerdodd%2Fkernelpop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspencerdodd%2Fkernelpop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspencerdodd%2Fkernelpop/lists"}