A WIP cheat sheet for various Linux kernel heap exploitation techniques (and privilege escalations).
```
####################################################
#                                                  #
#      Tired of bloated heap implementations?      #
#                        __                        #
#      | | __ ____ _____ ______                    #
#      | |/ // __ \\__ \ \____ \                   #
#      | <\ ___/ / __ \| |_> >                     #
#  use |__|_ \\___ >____ / __/                     #
#           \/     \/    \/|__|                    #
#                                                  #
####################################################
```
- the flag is in /dev/sda
- modify ./rootfs/init to improve debugging
- the exploit is located inside the VM at /pwn (recommended: run it with `while ! /pwn; do true; done`, which reruns it until it exits successfully)
| File | Technique | Linux version | Applicable CTF challenges |
|---|---|---|---|
| dirty_cred.c | DirtyCred: abuses the heap memory reuse mechanism to gain privileges | latest | Wall Rose |
| dirty_pagetable.c | Dirty Pagetable: abuses page tables to get unprotected AAR/AAW in kernel space (kernel RCE) | latest | keasy |
| dirty_pagetable_mp.c | Dirty Pagetable: abuses page tables to get unprotected AAR/AAW in kernel space (modprobe) | latest | Faulty Kernel |
| flag_corrupt.c | uses a UAF to corrupt /etc/passwd flags and gain privileges | latest | Faulty Kernel |
| File | Technique | Linux version | Applicable CTF challenges |
|---|---|---|---|
| cross_cache.c | showcases a cross-cache attack that allows using dangling pointers to target the heap of other slabs | latest | Wall Rose |
| slubstick.c | SLUBStick: a more reliable way to trigger cross-cache | latest | |
| per_cpu_slabs.c | showcases how slabs are managed and reallocated on a per-CPU basis | latest | |
| mmaped_files.c | uses mmapped files to create race windows with copy_from_user or copy_to_user | latest | |
Just replace pwn.c with the example you want to run (e.g. ./linux6.6.22/dirty_cred.c), then run `./scripts/start-qemu.sh -b` to build and execute /pwn inside the VM.
- `scripts/start-qemu.sh [OPTIONS]`
  - `-b` build and compress rootfs if changed
  - `-d` build with -DDEBUG
  - `-g` run with GDB (KASLR still enabled)
  - `-k` disable KASLR
  - `-c` force compress rootfs
- `scripts/decompress.sh`: run this to extract rootfs.cpio.gz into ./rootfs
- `scripts/compress.sh`: recompress ./rootfs into rootfs.cpio.gz (e.g. after changes were made)
- `scripts/build.sh`: build the exploit (pwn.c) and add it to the root of the filesystem as /pwn

Using only `scripts/start-qemu.sh` should be sufficient in most cases.
Compile and modify the kernel using buildroot:
- download buildroot and extract it
- apply keap.patch to buildroot using `patch`: `patch -p1 -i buildroot/keap.patch -d ./PATH/TO/BUILDROOT`
- make changes (e.g. changing the kernel version) using `make menuconfig`
- compile keap and the kernel using `make` (might take a while)
- the final files (rootfs.cpio.gz and bzImage) are located inside the buildroot dir under ./output/images