https://github.com/idanbanani/linux-kernel-vr-exploitation
Linux & Android Kernel Vulnerability research and exploitation
- Host: GitHub
- URL: https://github.com/idanbanani/linux-kernel-vr-exploitation
- Owner: IdanBanani
- Created: 2023-09-28T15:15:35.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-12-12T17:53:34.000Z (over 1 year ago)
- Last Synced: 2025-03-22T09:43:34.454Z (about 1 month ago)
- Topics: exploitation, kernel-bypass, kernel-exploitation, kernel-security, linux, linux-kernel-hacking, lpe, privilege-escalation, privilege-escalation-exploits, pwn, vulnerability-research
- Homepage:
- Size: 17.1 MB
- Stars: 37
- Watchers: 1
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
To Be Continued
Linux & Android Kernel Vulnerability research and exploitation
# Environment setup
- Do not even bother using **WSL2** for Kernel dev/research: you will run into many problems quite fast and it's not worth the time to try and troubleshoot. Use a virtual machine instead.
- Relevant Hypervisors: VMware, Hyper-V, Xen
- VirtualBox seems to not support mitigations like SMEP
- VMware
  - Windows/Linux: VMware Workstation Pro (buy)
  - Mac: VMware Fusion
- ["Kernel hacking like it's 2020" - Russell Currey (LCA 2020)](https://www.youtube.com/watch?v=heib48KG-YQ)

# Linux kernel Exploitation tutorials & Practice Playgrounds
- [Andrey Konovalov xairy collection](https://github.com/xairy/linux-kernel-exploitation#practice) (**VERY** comprehensive - Use this!)
- [Lexfo Blog CVE-2017-11176: A step-by-step Linux Kernel exploitation (4 Parts)](https://blog.lexfo.fr/tag/kernel.html) - Nice introduction **Link to notes**
- [pr0cf5/kernel-exploit-practice](https://github.com/pr0cf5/kernel-exploit-practice/tree/master) - Playground with many labs
- [0x00Sec - Point of no C3 | Linux Kernel v4.13 Exploitation](https://0x00sec.org/t/point-of-no-c3-linux-kernel-exploitation-part-0/11585)
- [Low-level adventures - Learning Linux kernel exploitation - Part 1 - Laying the groundwork](https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/)
- [Low-level adventures - Learning Linux kernel exploitation - Part 2 - CVE-2022-0847](https://0x434b.dev/learning-linux-kernel-exploitation-part-2-cve-2022-0847/)
- [Linux Kernel PWN | 01 From Zero to One](https://blog.wohin.me/posts/linux-kernel-pwn-01/)
- [Learning Linux Kernel Exploitation by midas](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/)
- [Information docs index](https://low-level.readthedocs.io/en/latest/security/kernel/)

### CTF challenges
- [UIUCTF23 – Corny Kernel – Writeup (Beginners)](https://charlesit.blog/2023/07/28/uiuctf23-corny-kernel-writeup/)
- [3k CTF 2021 - Klibrary - Exploit linux kernel use after free with a race condition](https://ctftime.org/writeup/28528)
- (searchable writeups)
- [pwnable.tw - death_note]

## Theory
- [understanding v2.3 linux kernel vulnerabilities - Richard Carback (Umbc.edu)](https://redirect.cs.umbc.edu/courses/undergraduate/421/Spring12/02/slides/ULKV.pdf)
## Academic research papers
- [Hijacking the Linux Kernel - 2011](https://drops.dagstuhl.de/opus/volltexte/2011/3063/)
- [Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel - Moshe Kol, JSOF](https://0xkol.github.io/assets/files/Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf)

# Tracing the Kernel
- [Steven Rostedt - Learning the Linux Kernel with tracing](https://www.youtube.com/watch?v=JRyrhsx-L5Y)
# Kernel Bugs, vulnerabilities and exploitation techniques
- [I found ANOTHER BUG IN THE LINUX KERNEL! (SPARC)](https://www.youtube.com/watch?v=disnmelvG90)
- [A cache invalidation bug in Linux memory management - Jann Horn, Google Project Zero - CVE-2018-17182](https://googleprojectzero.blogspot.com/2018/09/)
- [CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-39793.html)
- [Linux Kernel universal heap spray](https://duasynt.com/blog/linux-kernel-heap-spray)
- [EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)](https://www.willsroot.io/2022/12/entrybleed.html)
- [Tickling ksmbd: fuzzing SMB in the Linux kernel](https://pwning.tech/ksmbd-syzkaller/)
- [Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)](https://pwning.tech/ksmbd/)
- [Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks](https://snyk.io/blog/kernel-privilege-escalation/)
- [A new method for container escape using file-based DirtyCred](https://starlabs.sg/blog/2023/07-a-new-method-for-container-escape-using-file-based-dirtycred/)

# Linux Kernel Exploitation cve PoC/writeups & guides
- [CVE-2021-22600 - USMA: Share Kernel Code with Me Yong Liu, Jun Yao, Xiaodong Wang 360 Vulnerability Research Institute](https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-YongLiu-USMA-Share-Kernel-Code.pdf)
- [ocastejon - linux-kernel-learning & exploitation techniques](https://github.com/ocastejon/linux-kernel-learning)
- [CVE-2022-27666: My file your memory - Erin Avllazagaj](https://albocoder.github.io/exploit/2023/03/13/KernelFileExploit.html)
  - [PoC](https://github.com/plummm/CVE-2022-27666)
- [nrb547 CVE-2021-32606: CAN ISOTP local privilege escalation](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md)
- [MWR Labs Whitepaper Kernel Driver mmap Handler Exploitation 2017-09-18 – Mateusz Fruba](https://labs.withsecure.com/content/dam/labs/docs/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf)
- [ww9210 FUZE project Repo](https://github.com/ww9210/Linux_kernel_exploits)
- [Immunity Blog - Writing a Linux Kernel Remote in 2022](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/)
- [CVE-2022-20186 GitHub Blog Corrupting memory without memory corruption - Arm Mali GPU kernel driver](https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/)
- [GitHub Blog - Rooting with root cause: finding a variant of a Project Zero bug - CVE-2022-46395](https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/)
- [PoCs by Google](https://github.com/google/security-research/tree/master/pocs/linux)
- [Pwning the all Google phone with a non-Google bug - CVE-2022-38181](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/)
- [Exploiting CVE-2021-3490 for Container Escapes](https://www.crowdstrike.com/blog/exploiting-cve-2021-3490-for-container-escapes/?utm_medium=soc&utm_source=lnkd&utm_term=spklr&utm_content=8671201906&utm_campaign=%5Bglobal%5D)
- [CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem (Alexander Popov)](https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html)
- [CyberArk - LPE for Razer Usb driver](https://www.cyberark.com/resources/threat-research-blog/colorful-vulnerabilities)

## Dirty COW Vulnerability
- [eshard Blog - Reversing DirtyC0W](https://eshard.com/posts/dirtyc0w-1)
- [Williams College- Dirty COW: CVE-2016-5095 A Privilege Escalation Vulnerability in the Linux Kernel- CSCI432, May 11 2022](https://www.cs.williams.edu/~cs432/osco/18-ye.pdf)
- [Dirty Cow Technical Explanation](https://www.youtube.com/watch?v=FKdZ0QEIga8)
- [Huge Dirty COW (CVE-2017–1000405) - The incomplete Dirty COW patch - Bindecy](https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0)
- [HugeDirtyCow POC - Bindecy](https://github.com/bindecy/HugeDirtyCowPOC)

## StackRot (2023)
- [Rezilion Blog - What You Need to Know About StackRot – CVE-2023-3269](https://www.rezilion.com/blog/what-you-need-to-know-about-stackrot-cve-2023-3269/)
- [lrh2000 - CVE-2023-3269: Linux kernel privilege escalation vulnerability - writeup & PoC](https://github.com/lrh2000/StackRot)
- [Openwall Mailing List - The patch for StackRot](https://www.openwall.com/lists/oss-security/2023/07/05/1)
- [Aegisbyte Blog - StackRot](https://www.aegisbyte.com/post/stackrot-cve-2023-3269-exploit-will-be-released-soon)

## DirtyPipe (CVE-2022-0847)
## Pwnkit (CVE-2021-4034)
## Udmabuf Driver Vulnerability
- [Blue Frost Security Blog](https://labs.bluefrostsecurity.de/blog/cve-2023-2008.html)
## Linux Kernel MMAP Vulnerabilities
- [Checkpoint Research - MMAP VULNERABILITIES – LINUX KERNEL - Eyal Itkin](https://research.checkpoint.com/2018/mmap-vulnerabilities-linux-kernel/#single-post)
- [De4dCr0w - Kernel-Driver-mmap-Handler-Exploitation](https://github.com/De4dCr0w/Kernel-Driver-mmap-Handler-Exploitation)
- [deshal3v (Omer Shalev) Blog - mmap handler exploitation](https://deshal3v.github.io/blog/kernel-research/mmap_exploitation)
- [Exploit-DB - Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem](https://www.exploit-db.com/exploits/46502)

# Talks from conferences (videos)
- [xairy.io Talks](https://xairy.io/talks/)
- [OffensiveCon23 - Alex Plaskett & Cedric Halbronn - Exploit Engineering – Attacking the Linux Kernel](https://www.youtube.com/watch?v=9wgHENj_YNk)
- [OffensiveCon23 - Moshe Kol - Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel](https://www.youtube.com/watch?v=E3CVDOlcHC4)
- [#HITB2022SIN E'rybody Gettin' TIPC: Demystifying Remote Linux Kernel Exploitation - Sam Page](https://www.youtube.com/watch?v=OmvGf-zVcbI)

# Major changes to source code
- [VMA 2.6 -> 2.7](https://lwn.net/Articles/182495/)
- [Replace any vm_next use with vma_find().](https://lore.kernel.org/lkml/[email protected]/)
- mm/vmacache.c
- [[PATCH 6.1 14/30] mm: introduce new lock_mm_and_find_vma() page fault helper](https://www.spinics.net/lists/stable/msg663179.html)

# Additional Out of context resources
- [Robert Love's Quora Answers](https://www.quora.com/profile/Robert-Love-1/answers)
# Source code structs & fields of interest
## VMA (Virtual memory areas) & Memory management
- [vm_area_struct](https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/include/linux/mm_types.h;l=490)
- [vm_area_struct #2](https://livegrep.com/search/linux?q=vm_area_struct&fold_case=auto&regex=false&context=true)
- mm/vmacache.c
- vm_mm mm_struct
- find_vma(), vmacache_update(), mm_struct , vmacache
- Exploiting `do_page_fault()`?
# The backyard/garage of the Linux kernel docs
- [https://www.kernel.org/doc/](https://www.kernel.org/doc/)
# Linux internals
- [sam4k - Linternals: Introduction](https://sam4k.com/linternals-introduction/)
- [Linux insides](https://0xax.gitbooks.io/linux-insides/content/)
- [The slab allocators of past, present, and future - Vlastimil Babka](https://www.youtube.com/watch?v=d1KfrAL7Htk)
- [Mentorship Session: Debugging Linux Memory Management Subsystem (The linux foundation)](https://www.youtube.com/watch?v=fwLoPtTCmnw)
- [Contained in this video playlist](https://www.youtube.com/watch?v=FdNIiQxwJuk&list=PLbzoR-pLrL6o8cdq_JLTwsLfe2_DhNsDf)
- [ECE-T480 - Spring 2021: Lecture 16 (the slab allocator)](https://www.youtube.com/watch?v=pFi-JKgoX-I)
- [The ARM32 Scheduling and Kernelspace Userspace Boundary](https://people.kernel.org/linusw/the-arm32-scheduling-and-kernelspace-userspace-boundary) - Linux internals - The ARM32 Scheduling and Kernelspace Userspace Boundary by Linus Walleij
- [The Linux Process Journey](https://www.linkedin.com/search/results/content/?keywords=shlomi%20boutnaru%20linux%20process%20journey&origin=FACETED_SEARCH&postedBy=%5B%22following%22%5D&sid=X%2C8&sortBy=%22date_posted%22) - Linux internals - The Linux Process Journey by Shlomi Boutnaru

# Virtual memory areas datastructures (VMA)
- [The Maple Tree, A Modern Data Structure for a Complex Problem](https://blogs.oracle.com/linux/post/the-maple-tree-a-modern-data-structure-for-a-complex-problem)
# Page Tables and Process Memory internals & exploits
- [Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel](https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html)
- [Hiding Process Memory via Anti-Forensic Techniques](https://www.youtube.com/watch?v=tMxCfxjtvnk)
- [Blackhat - Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache](https://www.youtube.com/watch?v=HZk2egYDXxg)

# Various open source tools
## Kernel Vulnerability Scanner tools
- [The-Z-Labs - linux-exploit-suggester - Linux privilege escalation auditing tool](https://github.com/The-Z-Labs/linux-exploit-suggester/tree/master)
# In Chromium
- [Chromium Issue](https://bugs.chromium.org/p/project-zero/issues/detail?id=2329)
# Android
- [GitHub Blog (Android Kernel Mitigations obstacle race)](https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/)
- linux/mm/memory.c
- [abi-monitor](https://source.android.com/docs/core/architecture/kernel/abi-monitor)

# blogs

# Mitigations
- [Summary of Linux Kernel Security Protections (2022)](https://www.slideshare.net/ShubhamDubey29/summary-of-linux-kernel-security-protections)
- [NCC Group - exploit_mitigations: linux_mitigations.md](https://github.com/nccgroup/exploit_mitigations/blob/main/linux_mitigations.md)