gfelber / how2keap

A WIP cheat sheet for various Linux kernel heap exploitation techniques (and privilege escalations).

how2keap

####################################################
#                                                  #
#    Tired of bloated heap implementations?        #
#          __                                      #
#         |  | __ ____ _____  ______               #
#         |  |/ // __ \\__  \ \____ \              #
#         |    <\  ___/ / __ \|  |_> >             #
#    use  |__|_ \\___  >____  /   __/              #
#              \/    \/     \/|__|                 #
#                                                  #
####################################################

The flag is in /dev/sda.

Modify ./rootfs/init to improve debugging.

The exploit is located inside the VM at /pwn (recommended: run it with `while ! /pwn; do test; done`, which keeps retrying until /pwn exits successfully).

Techniques

Privilege Escalation

| File | Technique | Linux version | Applicable CTF challenges |
|---|---|---|---|
| dirty_cred.c | DirtyCred: abuses the heap memory reuse mechanism to get privileged | latest | Wall Rose |
| dirty_pagetable.c | Dirty Pagetable: abuses page tables to get unprotected AAR/AAW in kernel space (kernel RCE) | latest | keasy |
| dirty_pagetable_mp.c | Dirty Pagetable: abuses page tables to get unprotected AAR/AAW in kernel space (modprobe) | latest | Faulty Kernel |
| flag_corrupt.c | uses a UAF to corrupt /etc/passwd flags and get privileged | latest | Faulty Kernel |

Gadgets

| File | Technique | Linux version | Applicable CTF challenges |
|---|---|---|---|
| cross_cache.c | showcases a cross-cache attack that lets dangling pointers target the heap of other slabs | latest | Wall Rose |
| per_cpu_slabs.c | showcases how slabs are managed and reallocated on a per-CPU basis | latest | |
| mmaped_files.c | uses mmapped files to create race windows with copy_from_user or copy_to_user | latest | |

run examples

Just replace pwn.c with the example you want to run (e.g. ./linux6.6.22/dirty_cred.c).

helper scripts:

  • scripts/start-qemu.sh [OPTIONS]
    start the QEMU VM
    -b build and compress rootfs if changed
    -d build with -DDEBUG
    -g run with GDB (KASLR still enabled)
    -k disable KASLR
    -c force compress rootfs

  • scripts/decompress.sh
    run this to extract rootfs.cpio.gz into ./rootfs

  • scripts/compress.sh
    recompress ./rootfs into rootfs.cpio.gz (i.e. after changes were made)

  • scripts/build.sh
    build the exploit (pwn.c) and add it to the root of the filesystem as /pwn

buildroot

Download and extract buildroot, then apply buildroot/keap.patch using patch:

patch -p1 -i buildroot/keap.patch -d ./PATH/TO/BUILDROOT

Now you can make changes using make menuconfig (e.g. changing the kernel version) and recompile keap using make (this might take a while). The final files (rootfs.cpio.gz and bzImage) are located inside the buildroot dir under ./output/images.

helpful links

About

License: GNU General Public License v3.0
