README

This is a knowledge base about all things kernel debugging. By curating various sources, the framework development as well as debugging kernel panics should become a lot easier.

Tools of interest

• drgn - Programmable debugger
• HadesDbg- The Linux x86/x86-64 last chance debugging tool
• Systemtap
  • Does not seem to work out of the box within a container setup
  • As it behaves similarly to what we may can do with eBPF it might be fun to write some PoC tooling with redbpf
• casr - Collect crash reports, triage, and estimate severity.
• crash - Linux kernel crash utility

General information on kernel debugging

• Ubuntu Debugging
• FreeBSD - Chapter 10. Kernel Debugging

Learning collection

Repositories of interest

• Linux Kernel Teaching
• Linux Kernel Learning
• Linux Kernel Hacking
• Pawnyable - Exploitation challenges

Technical blog posts touching basics

• Linux Kernel universal heap spray
• A collection of structures that can be used in kernel exploits
• Linux kernel heap feng shui in 2022
• Looking at kmalloc() and the SLUB Memory Allocator
• The Slab Allocator in the Linux kernel
• The Linux kernel memory allocators from an exploitation perspective

Write-Ups

Section to dump good write-ups that either feature an actual exploit, a new technique, or general vulnerability discovery.

Vulnerability discovery

• Ruffling the penguin! How to fuzz the Linux kernel

Public exploits

• The exploit recon 'msg_msg' and its mitigation in VED
• [CVE-2022-101(5|6)] How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables
• [CVE-2022-32250] SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables
• [CVE-2022-2586] N-day exploit for CVE-2022-2586: Linux kernel nft_object UAF
• [CVE-2022-1786] A Journey To The Dawn
• Writing a Linux Kernel Remote in 2022
• CVE-2021-22555: Turning \x00\x00 into 10000$
• A deep root in Linux's filesystem layer (CVE-2021-33909)
• Exploiting CVE-2021-43267
• Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel
  • Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG
• Put an io_uring on it: Exploiting the Linux Kernel
• Kernel Pwning with eBPF: a Love Story
• [CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver
• Anatomy of an Exploit: RCE with CVE-2020-1350 SIGRed
• [CVE-2019-15666] Ubuntu / CentOS / RHEL Linux Kernel 4.4 - 4.18 privilege escalation
• CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 1/4)

Interesting CTF exploits

• [CVE-2022-0185] Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers
  • [CVE-2022-0185] Linux kernel slab out-of-bounds write: exploit and writeup
• [corCTF 2022] CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel
• [corCTF 2021] Wall Of Perdition: Utilizing msg_msg Objects For Arbitrary Read And Arbitrary Write In The Linux Kernel
• [corCTF 2021] Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel