To Be Continued
Linux & Android Kernel Vulnerability research and exploitation
- Do not even bother using WSL2 for kernel dev/research: you will run into many problems quite fast, and it's not worth the time to try and troubleshoot them. Use a virtual machine instead.
- Relevant hypervisors: VMware, Hyper-V, Xen
- VirtualBox seems to not support mitigations like SMEP
- VMware
- Windows/Linux: VMware Workstation Pro (buy)
- Mac: VMware Fusion
- "Kernel hacking like it's 2020" - Russell Currey (LCA 2020)
- Andrey Konovalov xairy collection (VERY comprehensive - Use this!)
- Lexfo Blog CVE-2017-11176: A step-by-step Linux Kernel exploitation (4 Parts) - Nice introduction. Link to notes
- pr0cf5/kernel-exploit-practice - Playground with many labs
- Low-level adventures - Learning Linux kernel exploitation - Part 1 - Laying the groundwork
- Low-level adventures - Learning Linux kernel exploitation - Part 2 - CVE-2022-0847
- UIUCTF23 – Corny Kernel – Writeup (Beginners)
- 3k CTF 2021 - Klibrary - Exploit linux kernel use after free with a race condition
- https://ctftime.org/tasks/?tags=&hidden-tags=kernel
- https://t.me/ctftime_pyramid (searchable writeups)
- pwnable.tw - death_note
- Hijacking the Linux Kernel - 2011
- Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel - Moshe Kol, JSOF
- I found ANOTHER BUG IN THE LINUX KERNEL! (SPARC)
- A cache invalidation bug in Linux memory management - Jann Horn, Google Project Zero - CVE-2018-17182
- CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable
- Linux Kernel universal heap spray
- EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)
- Tickling ksmbd: fuzzing SMB in the Linux kernel
- Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)
- Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks
- A new method for container escape using file-based DirtyCred
- MWR Labs Whitepaper - Kernel Driver mmap Handler Exploitation - 2017-09-18 - Mateusz Fruba
- CVE-2022-20186 GitHub Blog - Corrupting memory without memory corruption - Arm Mali GPU kernel driver
- GitHub Blog - Rooting with root cause: finding a variant of a Project Zero bug - CVE-2022-46395
- Pwning the all Google phone with a non-Google bug - CVE-2022-38181
- CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem (Alexander Popov)
- eshard Blog - Reversing DirtyC0W
- Williams College - Dirty COW: CVE-2016-5095 A Privilege Escalation Vulnerability in the Linux Kernel - CSCI432, May 11 2022
- Dirty Cow Technical Explanation
- Huge Dirty COW (CVE-2017-1000405) - The incomplete Dirty COW patch - Bindecy
- HugeDirtyCow POC - Bindecy
- Rezilion Blog - What You Need to Know About StackRot – CVE-2023-3269
- lrh2000 - CVE-2023-3269: Linux kernel privilege escalation vulnerability - writeup & PoC
- Openwall Mailing List - The patch for StackRot
- Aegisbyte Blog - StackRot
- Checkpoint Research - MMAP VULNERABILITIES – LINUX KERNEL - Eyal Itkin
- De4dCr0w - Kernel-Driver-mmap-Handler-Exploitation
- deshal3v (Omer Shalev) Blog - mmap handler exploitation
- Exploit-DB - Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem
- xairy.io Talks
- OffensiveCon23 - Alex Plaskett & Cedric Halbronn - Exploit Engineering – Attacking the Linux Kernel
- OffensiveCon23 - Moshe Kol - Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel
- #HITB2022SIN E'rybody Gettin' TIPC: Demystifying Remote Linux Kernel Exploitation - Sam Page
- VMA 2.6 -> 2.7
- Replace any vm_next use with vma_find().
- mm/vmacache.c
- [PATCH 6.1 14/30] mm: introduce new lock_mm_and_find_vma() page fault helper
- vm_area_struct
- vm_area_struct #2
- mm/vmacache.c
- vm_mm mm_struct
- find_vma(), vmacache_update(), mm_struct, vmacache
- Exploiting do_page_fault()?
- The slab allocators of past, present, and future - Vlastimil Babka
- Mentorship Session: Debugging Linux Memory Management Subsystem (The Linux Foundation)
- The ARM32 Scheduling and Kernelspace Userspace Boundary - Linux internals - The ARM32 Scheduling and Kernelspace Userspace Boundary by Linus Walleij
- The Linux Process Journey - Linux internals - The Linux Process Journey by Shlomi Boutnaru
- Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel
- Hiding Process Memory via Anti-Forensic Techniques
- Blackhat - Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache
- GitHub Blog (Android Kernel Mitigations obstacle race)
- linux/mm/memory.c
- abi-monitor