Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/yuawn/linux-kernel-exploitation
Linux kernel module implementation & exploitation (pwn) labs.
https://github.com/yuawn/linux-kernel-exploitation
ctf kernel kernel-exploitation linux linux-kernel privilege-escalation pwn pwnable security
Last synced: 24 days ago
JSON representation
Linux kernel module implementation & exploitation (pwn) labs.
- Host: GitHub
- URL: https://github.com/yuawn/linux-kernel-exploitation
- Owner: yuawn
- Created: 2020-12-17T05:33:31.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2022-01-26T06:25:04.000Z (almost 3 years ago)
- Last Synced: 2024-11-30T18:14:48.585Z (25 days ago)
- Topics: ctf, kernel, kernel-exploitation, linux, linux-kernel, privilege-escalation, pwn, pwnable, security
- Language: C
- Homepage: https://speakerdeck.com/yuawn/kernel-exploitation
- Size: 16.4 MB
- Stars: 185
- Watchers: 4
- Forks: 20
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Linux Kernel Exploitation
Linux kernel exploitation lab.
Slide: [speakerdeck.com/yuawn/kernel-exploitation](https://speakerdeck.com/yuawn/kernel-exploitation)## Linux kernel exploitation techniques
- ret2user
- status switch
- modify cr4 register
- bypass smep
- bypass smap
- kpti
- fix cr3 register
- swapgs_restore_regs_and_return_to_usermode()
- kernel information leak
- useful kernel structure for UAF
- modprobe_path
- userfaultfd
- race condition
- setxattr
- setxattr + userfaultfd
- msg_msg
- signal handler## Prepare files needed to compile kernel module
```sh
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.10.1.tar.xz
tar Jxvf linux-5.10.1.tar.xz
cp .config linux-5.10.1
cd linux-5.10.1
make menuconfig # load .config
make modules_prepare
```## Compile linux kernel
```sh
sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.10.1.tar.xz
tar Jxvf linux-5.10.1.tar.xz
cp .config linux-5.10.1
cd linux-5.10.1
make menuconfig # load .config
make -j $(nproc)
```## busybox
```sh
wget https://busybox.net/downloads/busybox-1.32.0.tar.bz2
tar jxvf busybox-1.32.0.tar.bz2
cd busybox-1.32.0
mkdir build
export BUSYBOX_BUILD=$(pwd)/build
make O=$BUSYBOX_BUILD defconfig
make O=$BUSYBOX_BUILD menuconfig # Settings -> Build Options: enable Build static binary (no shared libs)
cd $BUSYBOX_BUILD
make -j 4
make install -j 4
```## initramfs
```sh
mkdir rootfs
cd rootfs
mkdir -pv {bin,sbin,etc,proc,dev,tmp,sys,usr/{bin,sbin}}
cp -r $BUSYBOX_BUILD/_install/* .
vim init # Create init file
```
- Some files
- /etc/passwd
- /home/user
- /flag