A WIP cheat sheet for various Linux kernel heap exploitation techniques (and privilege escalations).
####################################################
# #
# Tired of bloated heap implementations? #
# __ #
# | | __ ____ _____ ______ #
# | |/ // __ \\__ \ \____ \ #
# | <\ ___/ / __ \| |_> > #
# use |__|_ \\___ >____ / __/ #
# \/ \/ \/|__| #
# #
####################################################
- the flag is in `/dev/sda`
- modify `./rootfs/init` to improve debugging
- the exploit is located inside the VM at `/pwn` (recommended: run it in a retry loop until it succeeds, `while ! /pwn; do true; done`)
This source code is provided for educational and ethical purposes only. The author(s) strictly prohibit any use of this code for unlawful, malicious, or unauthorized activities. By using this code, you agree to comply with all applicable laws and take full responsibility for any misuse.
The author(s) disclaim all liability for damages or legal consequences resulting from improper or illegal use of this code. Use responsibly and only in accordance with ethical guidelines and legal requirements.
File | Technique | Linux-Version | Applicable CTF Challenges |
---|---|---|---|
dirty_cred.c | DirtyCred: abuses heap memory reuse to swap unprivileged credentials for privileged ones | latest | Wall Rose |
dirty_pagetable.c | Dirty Pagetable: abuses page tables to get unrestricted AAR/AAW in kernel space (used here for kernel RCE) | latest | keasy |
dirty_pagetable_mp.c | Dirty Pagetable: abuses page tables to get unrestricted AAR/AAW in kernel space (modprobe variant) | latest | Faulty Kernel |
flag_corrupt.c | uses a UAF to corrupt /etc/passwd flags and escalate privileges | latest | Faulty Kernel |
File | Technique | Linux-Version | Applicable CTF Challenges |
---|---|---|---|
cross_cache.c | showcases a cross-cache attack that uses dangling pointers to target the heap of other slabs | latest | Wall Rose |
slubstick.c | SLUBStick: a more reliable way to trigger cross-cache reuse | latest | |
per_cpu_slabs.c | showcases how slabs are managed and reallocated on a per-CPU basis | latest | |
mmaped_files.c | uses mmaped files to create race windows around copy_from_user or copy_to_user | latest | |
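The per-CPU slab, cross-cache and SLUBStick examples above all depend on one thing the exploit process must get right first: staying on a single CPU. SLUB serves allocations from a per-CPU active slab (`kmem_cache_cpu`), and a free on the same CPU takes the fast path back onto that CPU's freelist, so a spray/free/reclaim sequence only lines up predictably if the thread never migrates. The following userspace helper is an added example for this page, not code from keap's sources; it assumes a Linux host with glibc's `sched_setaffinity`/`sched_getcpu` and uses `pipe()` purely as a cheap, always-available kernel allocation (each pipe makes the kernel kmalloc a `pipe_inode_info` and its `pipe_buffer` array). The function names (`first_allowed_cpu`, `pin_to_cpu`, `spray_pipes_pinned`, `run_pinned_spray`) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Lowest CPU in the calling process's current affinity mask, or -1.
 * Assumption: the process is allowed to run on at least one CPU. */
int first_allowed_cpu(void)
{
    cpu_set_t allowed;
    CPU_ZERO(&allowed);
    if (sched_getaffinity(0, sizeof(allowed), &allowed) != 0)
        return -1;
    for (int cpu = 0; cpu < CPU_SETSIZE; cpu++)
        if (CPU_ISSET(cpu, &allowed))
            return cpu;
    return -1;
}

/* Pin the calling thread to exactly one CPU so that every kernel
 * allocation and fast-path free it triggers goes through that CPU's
 * kmem_cache_cpu. Returns 0 on success, -1 on failure. */
int pin_to_cpu(int cpu)
{
    cpu_set_t one;
    CPU_ZERO(&one);
    CPU_SET(cpu, &one);
    if (sched_setaffinity(0, sizeof(one), &one) != 0)
        return -1;
    /* sched_setaffinity migrates the task before returning; verify. */
    return sched_getcpu() == cpu ? 0 : -1;
}

/* Create `count` pipes while pinned to `cpu` (a stand-in for a real
 * object spray). Returns the number of pipes created, or -1 if pinning
 * failed or the thread migrated mid-spray, which would invalidate any
 * reasoning about which per-CPU slab the objects came from. On -1 any
 * pipes already created are closed again. */
int spray_pipes_pinned(int cpu, int count, int fds[][2])
{
    if (pin_to_cpu(cpu) != 0)
        return -1;

    int made = 0;
    for (; made < count; made++)
        if (pipe(fds[made]) != 0)
            break;

    if (sched_getcpu() != cpu) {
        for (int i = 0; i < made; i++) {
            close(fds[i][0]);
            close(fds[i][1]);
        }
        return -1;
    }
    return made;
}

/* Release the pipes created by spray_pipes_pinned(). */
void close_pipes(int count, int fds[][2])
{
    for (int i = 0; i < count; i++) {
        close(fds[i][0]);
        close(fds[i][1]);
    }
}

/* Convenience wrapper: pick a CPU, spray `count` (at most 64) pipes on it
 * and release them again. Returns the number of pipes created, or -1. */
int run_pinned_spray(int count)
{
    int fds[64][2];
    if (count > 64)
        count = 64;
    int cpu = first_allowed_cpu();
    if (cpu < 0)
        return -1;
    int made = spray_pipes_pinned(cpu, count, fds);
    if (made > 0)
        close_pipes(made, fds);
    return made;
}

int main(void)
{
    int cpu = first_allowed_cpu();
    int made = run_pinned_spray(64);
    if (cpu < 0 || made < 0) {
        fprintf(stderr, "pinning/spray failed: %s\n", strerror(errno));
        return 1;
    }
    printf("pinned to CPU %d, sprayed %d pipes through its slabs\n", cpu, made);
    return 0;
}
```

In a real exploit the `pipe()` calls are replaced by whatever object the technique needs (the victim object, the spray object of the target cache, or the page-sized allocations used by cross-cache), but the pin-then-verify pattern stays the same: check `sched_getcpu()` after the spray, not only after `sched_setaffinity`, because a migration in between silently moves the rest of the sequence to a different `kmem_cache_cpu`.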
Replace `pwn.c` with the example you want to run (e.g. `./linux6.6.22/dirty_cred.c`), then run `./scripts/start-qemu.sh -b` to build the exploit and execute `/pwn` inside the VM.
- `scripts/start-qemu.sh [OPTIONS]`
  - `-b` build and compress rootfs if changed
  - `-d` build with `-DDEBUG`
  - `-g` run with GDB (KASLR still enabled)
  - `-k` disable KASLR
  - `-c` force compress rootfs
- `scripts/decompress.sh`: run this to extract `rootfs.cpio.gz` into `./rootfs`
- `scripts/compress.sh`: recompress `./rootfs` into `rootfs.cpio.gz` (i.e. after changes were made)
- `scripts/build.sh`: build the exploit (`pwn.c`) and add it to the root of the filesystem as `/pwn`

Only using `scripts/start-qemu.sh` should be sufficient in most cases.
Compile and modify the kernel using buildroot:
- download buildroot and extract it
- apply `buildroot/keap.patch` using `patch`: `patch -p1 -i buildroot/keap.patch -d ./PATH/TO/BUILDROOT`
- make changes using `make menuconfig` (e.g. changing the kernel version)
- compile keap and the kernel using `make` (might take a while)
- the final files (`rootfs.cpio.gz` and `bzImage`) are located inside the buildroot dir under `./output/images`