├── .gitignore
├── README.md
├── Rhydon1337-tools.md
├── more_stuff.md
├── off-topic
│   └── dot_files.txt
├── pdfs_talks_etc
│   ├── AndroidSecurityResearchIntro-JonathanLevin.pdf
│   ├── android_sec-TOC-JonathanLevin.pdf
│   ├── hijacking the linux kernel 2011 paper.pdf
│   └── offensivecon2023-exploit-engineering-linux-kernel.pdf
├── resources
│   ├── Linux Kernel Resources - eLinux.org.pdf
│   ├── The_linux_process_journey-Shlomi_Boutnaru.pdf
│   ├── kernel_basics_2.6.md
│   └── v2.6_virtual memory manager
│       ├── thesis.pdf
│       └── understanding the 2_6 linux kernel virtual memory manager.pdf
├── syllabus-subjects
│   ├── LFD440_ Linux Kernel Debugging and Security.pdf
│   ├── The PSCG Embedded Linux Course - 2023.pdf
│   ├── sylabus- Attacking the Linux Kernel - HITBSecConf2023 - Phuket.pdf
│   └── syllabus-kernel_exploitation.pdf
├── videos.md
└── xnu_vs_android_kernel.md

/.gitignore:
--------------------------------------------------------------------------------
# Prerequisites
*.d

# Object files
*.o
*.ko
*.obj
*.elf

# Linker output
*.ilk
*.map
*.exp

# Precompiled Headers
*.gch
*.pch

# Libraries
*.lib
*.a
*.la
*.lo

# Shared objects (inc. Windows DLLs)
*.dll
*.so
*.so.*
*.dylib

# Executables
*.exe
*.out
*.app
*.i*86
*.x86_64
*.hex

# Debug files
*.dSYM/
*.su
*.idb
*.pdb

# Kernel Module Compile Results
*.mod*
*.cmd
.tmp_versions/
modules.order
Module.symvers
Mkfile.old
dkms.conf
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
To Be Continued

Linux & Android Kernel Vulnerability research and exploitation

# Environment setup

- Do not even bother using **WSL2** for kernel dev/research: you will run into many problems quickly and it is not worth the time to troubleshoot them. Use a virtual machine instead.
- Relevant hypervisors: VMware, Hyper-V, Xen
  - VirtualBox does not seem to support mitigations like SMEP
  - VMware
    - Windows/Linux: VMware Workstation Pro (paid)
    - Mac: VMware Fusion
- ["Kernel hacking like it's 2020" - Russell Currey (LCA 2020)](https://www.youtube.com/watch?v=heib48KG-YQ)

# Linux kernel Exploitation tutorials & Practice Playgrounds

- [Andrey Konovalov xairy collection](https://github.com/xairy/linux-kernel-exploitation#practice) (**VERY** comprehensive - Use this!)
- [Lexfo Blog CVE-2017-11176: A step-by-step Linux Kernel exploitation (4 Parts)](https://blog.lexfo.fr/tag/kernel.html) - Nice introduction **Link to notes**
- [pr0cf5/kernel-exploit-practice](https://github.com/pr0cf5/kernel-exploit-practice/tree/master) - Playground with many labs
- [0x00Sec - Point of no C3 | Linux Kernel v4.13 Exploitation](https://0x00sec.org/t/point-of-no-c3-linux-kernel-exploitation-part-0/11585)
- [Low-level adventures - Learning Linux kernel exploitation - Part 1 - Laying the groundwork](https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/)
- [Low-level adventures - Learning Linux kernel exploitation - Part 2 - CVE-2022-0847](https://0x434b.dev/learning-linux-kernel-exploitation-part-2-cve-2022-0847/)
- [Linux Kernel PWN | 01 From Zero to One](https://blog.wohin.me/posts/linux-kernel-pwn-01/)
- [Learning Linux Kernel Exploitation by midas](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/)
- [Information docs index](https://low-level.readthedocs.io/en/latest/security/kernel/)

### CTF challenges

- [UIUCTF23 – Corny Kernel – Writeup (Beginners)](https://charlesit.blog/2023/07/28/uiuctf23-corny-kernel-writeup/)
- [3k CTF 2021 - Klibrary - Exploit linux kernel use after free with a race condition](https://ctftime.org/writeup/28528)
- (searchable writeups)
- [pwnable.tw - death_note]

## Theory

- [understanding v2.3 linux kernel vulnerabilities - Richard Carback (Umbc.edu)](https://redirect.cs.umbc.edu/courses/undergraduate/421/Spring12/02/slides/ULKV.pdf)

## Academic research papers

- [Hijacking the Linux Kernel - 2011](https://drops.dagstuhl.de/opus/volltexte/2011/3063/)
- [Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel - Moshe Kol, JSOF](https://0xkol.github.io/assets/files/Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf)

# Tracing the Kernel

- [Steven Rostedt - Learning the Linux Kernel with tracing](https://www.youtube.com/watch?v=JRyrhsx-L5Y)

# Kernel Bugs, vulnerabilities and exploitation techniques

- [I found ANOTHER BUG IN THE LINUX KERNEL! (SPARC)](https://www.youtube.com/watch?v=disnmelvG90)
- [A cache invalidation bug in Linux memory management - Jann Horn, Google Project Zero - CVE-2018-17182](https://googleprojectzero.blogspot.com/2018/09/)
- [CVE-2022-22706 / CVE-2021-39793: Mali GPU driver makes read-only imported pages host-writable](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-39793.html)
- [Linux Kernel universal heap spray](https://duasynt.com/blog/linux-kernel-heap-spray)
- [EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)](https://www.willsroot.io/2022/12/entrybleed.html)
- [Tickling ksmbd: fuzzing SMB in the Linux kernel](https://pwning.tech/ksmbd-syzkaller/)
- [Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)](https://pwning.tech/ksmbd/)
- [Kernel privilege escalation: how Kubernetes container isolation impacts privilege escalation attacks](https://snyk.io/blog/kernel-privilege-escalation/)
- [A new method for container escape using file-based DirtyCred](https://starlabs.sg/blog/2023/07-a-new-method-for-container-escape-using-file-based-dirtycred/)

# Linux Kernel Exploitation CVE PoC/writeups & guides

- [CVE-2021-22600 - USMA: Share Kernel Code with Me - Yong Liu, Jun Yao, Xiaodong Wang, 360 Vulnerability Research Institute](https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-YongLiu-USMA-Share-Kernel-Code.pdf)
- [ocastejon - linux-kernel-learning & exploitation techniques](https://github.com/ocastejon/linux-kernel-learning)
- [CVE-2022-27666: My file your memory - Erin Avllazagaj](https://albocoder.github.io/exploit/2023/03/13/KernelFileExploit.html)
  - [PoC](https://github.com/plummm/CVE-2022-27666)
- [nrb547 CVE-2021-32606: CAN ISOTP local privilege escalation](https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md)
- [MWR Labs Whitepaper Kernel Driver mmap Handler Exploitation 2017-09-18 – Mateusz Fruba](https://labs.withsecure.com/content/dam/labs/docs/mwri-mmap-exploitation-whitepaper-2017-09-18.pdf)
- [ww9210 FUZE project Repo](https://github.com/ww9210/Linux_kernel_exploits)
- [Immunity Blog - Writing a Linux Kernel Remote in 2022](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/)
- [CVE-2022-20186 GitHub Blog Corrupting memory without memory corruption - Arm Mali GPU kernel driver](https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/)
- [GitHub Blog - Rooting with root cause: finding a variant of a Project Zero bug - CVE-2022-46395](https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/)
- [PoCs by Google](https://github.com/google/security-research/tree/master/pocs/linux)
- [Pwning the all Google phone with a non-Google bug - CVE-2022-38181](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/)
- [Exploiting CVE-2021-3490 for Container Escapes](https://www.crowdstrike.com/blog/exploiting-cve-2021-3490-for-container-escapes/?utm_medium=soc&utm_source=lnkd&utm_term=spklr&utm_content=8671201906&utm_campaign=%5Bglobal%5D)
- [CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem (Alexander Popov)](https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html)
- [CyberArk - LPE for Razer USB driver](https://www.cyberark.com/resources/threat-research-blog/colorful-vulnerabilities)

## Dirty COW Vulnerability

- [eshard Blog - Reversing DirtyC0W](https://eshard.com/posts/dirtyc0w-1)
- [Williams College - Dirty COW: CVE-2016-5095 A Privilege Escalation Vulnerability in the Linux Kernel - CSCI432, May 11 2022](https://www.cs.williams.edu/~cs432/osco/18-ye.pdf)
- [Dirty Cow Technical Explanation](https://www.youtube.com/watch?v=FKdZ0QEIga8)
- [Huge Dirty COW (CVE-2017-1000405) - The incomplete Dirty COW patch - Bindecy](https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0)
- [HugeDirtyCow POC - Bindecy](https://github.com/bindecy/HugeDirtyCowPOC)

## StackRot (2023)

- [Rezilion Blog - What You Need to Know About StackRot – CVE-2023-3269](https://www.rezilion.com/blog/what-you-need-to-know-about-stackrot-cve-2023-3269/)
- [lrh2000 - CVE-2023-3269: Linux kernel privilege escalation vulnerability - writeup & PoC](https://github.com/lrh2000/StackRot)
- [Openwall Mailing List - The patch for StackRot](https://www.openwall.com/lists/oss-security/2023/07/05/1)
- [Aegisbyte Blog - StackRot](https://www.aegisbyte.com/post/stackrot-cve-2023-3269-exploit-will-be-released-soon)

## DirtyPipe (CVE-2022-0847)

## Pwnkit (CVE-2021-4034)

## Udmabuf Driver Vulnerability

- [Blue Frost Security Blog](https://labs.bluefrostsecurity.de/blog/cve-2023-2008.html)

## Linux Kernel MMAP Vulnerabilities

- [Checkpoint Research - MMAP VULNERABILITIES – LINUX KERNEL - Eyal Itkin](https://research.checkpoint.com/2018/mmap-vulnerabilities-linux-kernel/#single-post)
- [De4dCr0w - Kernel-Driver-mmap-Handler-Exploitation](https://github.com/De4dCr0w/Kernel-Driver-mmap-Handler-Exploitation)
- [deshal3v (Omer Shalev) Blog - mmap handler exploitation](https://deshal3v.github.io/blog/kernel-research/mmap_exploitation)
- [Exploit-DB - Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem](https://www.exploit-db.com/exploits/46502)

# Talks from conferences (videos)

- [xairy.io Talks](https://xairy.io/talks/)
- [OffensiveCon23 - Alex Plaskett & Cedric Halbronn - Exploit Engineering – Attacking the Linux Kernel](https://www.youtube.com/watch?v=9wgHENj_YNk)
- [OffensiveCon23 - Moshe Kol - Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel](https://www.youtube.com/watch?v=E3CVDOlcHC4)
- [#HITB2022SIN E'rybody Gettin' TIPC: Demystifying Remote Linux Kernel Exploitation - Sam Page](https://www.youtube.com/watch?v=OmvGf-zVcbI)

# Major changes to source code

- [VMA 2.6 -> 2.7](https://lwn.net/Articles/182495/)
- [Replace any vm_next use with vma_find().](https://lore.kernel.org/lkml/20220426150616.3937571-69-Liam.Howlett@oracle.com/)
- [mm/vmacache.c]
- [[PATCH 6.1 14/30] mm: introduce new lock_mm_and_find_vma() page fault helper](https://www.spinics.net/lists/stable/msg663179.html)

# Additional Out of context resources

- [Robert Love's Quora Answers](https://www.quora.com/profile/Robert-Love-1/answers)

# Source code structs & fields of interest

## VMA (Virtual memory areas) & Memory management

- [vm_area_struct](https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/include/linux/mm_types.h;l=490)
- [vm_area_struct #2](https://livegrep.com/search/linux?q=vm_area_struct&fold_case=auto&regex=false&context=true)
- mm/vmacache.c
- vm_mm mm_struct
- find_vma(), vmacache_update(), mm_struct, vmacache
- Exploiting `do_page_fault()`?
# The backyard/garage of the Linux kernel docs

[https://www.kernel.org/doc/](https://www.kernel.org/doc/)

# Linux internals

- [sam4k - Linternals: Introduction](https://sam4k.com/linternals-introduction/)
- [Linux insides](https://0xax.gitbooks.io/linux-insides/content/)
- [The slab allocators of past, present, and future - Vlastimil Babka](https://www.youtube.com/watch?v=d1KfrAL7Htk)
- [Mentorship Session: Debugging Linux Memory Management Subsystem (The Linux Foundation)](https://www.youtube.com/watch?v=fwLoPtTCmnw)
  - [Contained in this video playlist](https://www.youtube.com/watch?v=FdNIiQxwJuk&list=PLbzoR-pLrL6o8cdq_JLTwsLfe2_DhNsDf)
- [ECE-T480 - Spring 2021: Lecture 16 (the slab allocator)](https://www.youtube.com/watch?v=pFi-JKgoX-I)
- [The ARM32 Scheduling and Kernelspace Userspace Boundary](https://people.kernel.org/linusw/the-arm32-scheduling-and-kernelspace-userspace-boundary) - Linux internals - The ARM32 Scheduling and Kernelspace Userspace Boundary by Linus Walleij
- [The Linux Process Journey](https://www.linkedin.com/search/results/content/?keywords=shlomi%20boutnaru%20linux%20process%20journey&origin=FACETED_SEARCH&postedBy=%5B%22following%22%5D&sid=X%2C8&sortBy=%22date_posted%22) - Linux internals - The Linux Process Journey by Shlomi Boutnaru

# Virtual memory areas datastructures (VMA)

- [The Maple Tree, A Modern Data Structure for a Complex Problem](https://blogs.oracle.com/linux/post/the-maple-tree-a-modern-data-structure-for-a-complex-problem)

# Page Tables and Process Memory internals & exploits

- [Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel](https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html)
- [Hiding Process Memory via Anti-Forensic Techniques](https://www.youtube.com/watch?v=tMxCfxjtvnk)
- [Blackhat - Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache](https://www.youtube.com/watch?v=HZk2egYDXxg)

# Various open source tools

## Kernel Vulnerability Scanner tools

- [The-Z-Labs - linux-exploit-suggester - Linux privilege escalation auditing tool](https://github.com/The-Z-Labs/linux-exploit-suggester/tree/master)

# In Chromium

- [Chromium Issue](https://bugs.chromium.org/p/project-zero/issues/detail?id=2329)

# Android

- [GitHub Blog (Android Kernel Mitigations obstacle race)](https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/)
- linux/mm/memory.c
- [abi-monitor](https://source.android.com/docs/core/architecture/kernel/abi-monitor)

# Blogs

# Mitigations

- [Summary of Linux Kernel Security Protections (2022)](https://www.slideshare.net/ShubhamDubey29/summary-of-linux-kernel-security-protections)
- https://github.com/nccgroup/exploit_mitigations/blob/main/linux_mitigations.md
--------------------------------------------------------------------------------
/Rhydon1337-tools.md:
--------------------------------------------------------------------------------
### Linux Kernel Development Repositories by Rhydon1337

- [linux-kernel-development](https://github.com/Rhydon1337/linux-kernel-development)
- [linux-kernel-debugging](https://github.com/Rhydon1337/linux-kernel-debugging)
- [linux-kernel-patch-guard](https://github.com/Rhydon1337/linux-kernel-patch-guard)
- [linux-kernel-pci-enumerator](https://github.com/Rhydon1337/linux-kernel-pci-enumerator)
- [linux-kernel-shadow-ssh](https://github.com/Rhydon1337/linux-kernel-shadow-ssh)
- [linux-kernel-filesystem-filter](https://github.com/Rhydon1337/linux-kernel-filesystem-filter)
- [linux-kernel-process-hider](https://github.com/Rhydon1337/linux-kernel-process-hider)
- [linux-kernel-ata-sniffer](https://github.com/Rhydon1337/linux-kernel-ata-sniffer)
--------------------------------------------------------------------------------
/more_stuff.md:
--------------------------------------------------------------------------------
### Linux Memory Management and Case Studies

- [lame Memory Management in Linux Operating System | Linux Case Study](https://www.youtube.com/watch?v=ZFw6u11rOfo)
- [P1kachu - Blog](https://blog.lse.epita.fr/authors/P1kachu.html)

### Kernel Exploits and Security Reports

- [Learnings from kCTF VRPs 42 - Linux](https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html)
- [ARM Summer School (2023) - OCW Course](https://ocw.cs.pub.ro/courses/ass)

### General Security and Vulnerability Reports

- [CVE-2023-4039 Mitigation](https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html)
- [Meta Quest 2: Defense Through Offense](https://engineering.fb.com/2023/09/12/security/meta-quest-2-defense-through-offense/)
- [The Ups and Downs of 0-Days: Year in Review](https://security.googleblog.com/2023/07/the-ups-and-downs-of-0-days-year-in.html)
--------------------------------------------------------------------------------
/off-topic/dot_files.txt:
--------------------------------------------------------------------------------
https://github.com/tamirzb/trouble.nvim
https://github.com/tamirzb/dotfiles
--------------------------------------------------------------------------------
/pdfs_talks_etc/AndroidSecurityResearchIntro-JonathanLevin.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/pdfs_talks_etc/AndroidSecurityResearchIntro-JonathanLevin.pdf
--------------------------------------------------------------------------------
/pdfs_talks_etc/android_sec-TOC-JonathanLevin.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/pdfs_talks_etc/android_sec-TOC-JonathanLevin.pdf
--------------------------------------------------------------------------------
/pdfs_talks_etc/hijacking the linux kernel 2011 paper.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/pdfs_talks_etc/hijacking the linux kernel 2011 paper.pdf
--------------------------------------------------------------------------------
/pdfs_talks_etc/offensivecon2023-exploit-engineering-linux-kernel.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/pdfs_talks_etc/offensivecon2023-exploit-engineering-linux-kernel.pdf
--------------------------------------------------------------------------------
/resources/Linux Kernel Resources - eLinux.org.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/resources/Linux Kernel Resources - eLinux.org.pdf
--------------------------------------------------------------------------------
/resources/The_linux_process_journey-Shlomi_Boutnaru.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/resources/The_linux_process_journey-Shlomi_Boutnaru.pdf
--------------------------------------------------------------------------------
/resources/kernel_basics_2.6.md:
--------------------------------------------------------------------------------
https://web.archive.org/web/20220317082000/https://manybutfinite.com/post/anatomy-of-a-program-in-memory/
https://web.archive.org/web/20220125205711/http://lxr.linux.no/linux+v2.6.28.1/fs/proc/task_mmu.c#L201
https://web.archive.org/web/20220317203017/https://manybutfinite.com/post/getting-physical-with-memory/
https://web.archive.org/web/20220401074856/https://manybutfinite.com/category/internals
--------------------------------------------------------------------------------
/resources/v2.6_virtual memory manager/thesis.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/resources/v2.6_virtual memory manager/thesis.pdf
--------------------------------------------------------------------------------
/resources/v2.6_virtual memory manager/understanding the 2_6 linux kernel virtual memory manager.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/resources/v2.6_virtual memory manager/understanding the 2_6 linux kernel virtual memory manager.pdf
--------------------------------------------------------------------------------
/syllabus-subjects/LFD440_ Linux Kernel Debugging and Security.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/syllabus-subjects/LFD440_ Linux Kernel Debugging and Security.pdf
--------------------------------------------------------------------------------
/syllabus-subjects/The PSCG Embedded Linux Course - 2023.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/syllabus-subjects/The PSCG Embedded Linux Course - 2023.pdf
--------------------------------------------------------------------------------
/syllabus-subjects/sylabus- Attacking the Linux Kernel - HITBSecConf2023 - Phuket.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/syllabus-subjects/sylabus- Attacking the Linux Kernel - HITBSecConf2023 - Phuket.pdf
--------------------------------------------------------------------------------
/syllabus-subjects/syllabus-kernel_exploitation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IdanBanani/Linux-Kernel-VR-Exploitation/19c4d4704f4e801e4904b1642b47e8516da9e4a6/syllabus-subjects/syllabus-kernel_exploitation.pdf
--------------------------------------------------------------------------------
/videos.md:
--------------------------------------------------------------------------------
### Kernel Exploitation

- [LiveOverflow hxp-CTF-2020-w Kernel Root Exploit via a ptrace() and execve() Race Condition](https://www.youtube.com/watch?v=qUh507Na9nk)
- [Kernel Exploitation RpiSec 2021](https://www.youtube.com/watch?v=HtdriW7KVNE)
- [MSRC BHEurope2022 - Exploring a New Class of Kernel Exploit Primitive - MMIO - Blind arbitrary read](https://www.youtube.com/watch?v=uqWiZXMh8TI)
- [pwn.college - Kernel Security](https://www.youtube.com/watch?v=j0I2AakUAxk&list=PL-ymxv0nOtqowTpJEW4XTiGQYx6iwa6og)
- [Temple Of PWN 13 - Kernel Exploitation](https://www.youtube.com/watch?v=dZgvLbuJiQ4)
- [Intro to Kernel Exploitation (Lame...)](https://www.youtube.com/watch?v=xHHmoEsJc58)
- [Dirty Pipe - CVE-2022-0847 - Linux Privilege Escalation - Hackersploit](https://www.youtube.com/watch?v=af0PGYaqIWA)
- [Gamozolabs - Rust lang - Reading kernel page tables with our Android exploit](https://www.youtube.com/watch?v=NJjpkzuc1k4)
- [Alexander Popov - CVE-2017-2636 Race For Root: The Analysis Of The Linux Kernel Race Condition Exploit (SHA2017)](https://www.youtube.com/watch?v=g7Qm0NpPAz4)
- [Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux Kernel](https://www.youtube.com/watch?v=EMcjHfceX44)
- [Linux kernel addr_limit bug / exploitation](https://www.youtube.com/watch?v=UFakJa3t8Ls)
- [BlackHat2022 - From Finding New Type of Logical Flaw at Linux Kernel To Developing New Heap Exploitation Technique](https://www.youtube.com/watch?v=C3ta-uUthfA)
- [Elevating The TrustZone To Achieve A Powerful Android Kernel Exploit | Tamir Zahavi Nullcon Goa 2022](https://www.youtube.com/watch?v=WXqff23dT5I)
- [(Academic) 390R 18. Linux Kernel Exploitation](https://www.youtube.com/watch?v=dZm581pe5fQ)
- [Stream Cut: Android Kernel Exploitation with Binder Use-After-Free (CVE-2019-2215)](https://www.youtube.com/watch?v=yrLXvmzUQME)

### Red Team Tactics

- [TheCyberMentor - Linux Privilege Escalation for Beginners](https://www.youtube.com/watch?v=ZTnwg3qCdVM)
- [(Academic) USENIX Security '22 - Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability](https://www.youtube.com/watch?v=aQNjdzUvPmo)
- [Linux Red Team Privilege Escalation Techniques - Kernel Exploits & SUDO Permissions](https://www.youtube.com/watch?v=w2rElXYV2Fs)
- [another red team PE - Kioptrix Level 2](https://www.youtube.com/watch?v=-XJL3L1Nl14)
- [HackaDemic Walkthrough | Vulnhub | Local Privilege Escalation | Linux Kernel Exploit](https://www.youtube.com/watch?v=Iegm19TX6T4)
- [Linux Privilege Escalation Part 2: Kernel Exploitation](https://www.youtube.com/watch?v=jWncA1P2yUU)
- [(Indian) Stapler Walkthrough | Vulnhub | Linux Kernel Exploitation | Fdput Bpf Privilege Escalation](https://www.youtube.com/watch?v=gH2DeQUhmto)

### Windows

- [ROP is DEAD! Kernel Driver Binary Exploitation](https://www.youtube.com/watch?v=mALEQkLegaE)

### iOS

- [BlackHat 2011 - iOS Kernel Exploitation](https://www.youtube.com/watch?v=fQHkA_s3d2o)
--------------------------------------------------------------------------------
/xnu_vs_android_kernel.md:
--------------------------------------------------------------------------------
| iOS (XNU) Kernel Function | Android (Linux) Kernel Function | Description |
|---------------------------|---------------------------------|-------------|
| task_for_pid | find_task_by_vpid | Find a task_struct by its process ID |
| vfs_getattr | vfs_stat | Get file attributes (stat) |
| vfs_read | vfs_read_file | Read data from a file |
| vfs_write | vfs_write_file | Write data to a file |
| kern_return_t | int or void | Return type for various kernel functions |
| mach_msg | ipc_send or ipc_receive | Inter-process communication using messages |
| thread_create | kthread_create | Create a new thread |
| vm_map | mm_struct | Data structure representing a virtual memory map |
| kern_execve | do_execve | Execute a new program |
| kern_fork | do_fork | Create a new process (fork) |
| kern_exit | do_exit | Terminate a process (exit) |
| kern_wait4 | do_wait | Wait for a child process to exit |
| thread_terminate | do_exit | Terminate a thread |
| thread_suspend | send_sig | Suspend a thread |
| thread_resume | send_sig | Resume a suspended thread |
| vm_allocate | vm_mmap | Allocate virtual memory |
| vm_deallocate | vm_munmap | Deallocate virtual memory |
| mach_vm_protect | mprotect | Change memory protection |
| task_suspend | send_sig | Suspend a task (process) |
| task_resume | send_sig | Resume a suspended task (process) |
| vfs_lookup | d_find_alias or lookup_dentry | Lookup a file or directory in the filesystem |

| iOS (XNU) Kernel Struct | Android (Linux) Kernel Struct | Description |
|-------------------------|-------------------------------|-------------|
| `task_struct` | `task_struct` | Represents a process or task |
| `thread` | `task_struct` | Represents a thread within a process |
| `vm_map` | `mm_struct` | Represents a virtual memory map |
| `vm_object` | `vm_area_struct` | Represents a virtual memory object |
| `vm_page` | `page` | Represents a page of virtual memory |
| `file` | `file` | Represents an open file descriptor |
| `dentry` | `dentry` | Represents a directory entry in the filesystem |
| `inode` | `inode` | Represents an inode in the filesystem |
| `file_operations` | `file_operations` | Defines file operation functions |
| `super_block` | `super_block` | Represents a filesystem superblock |
| `address_space` | `address_space` | Manages the address space of a process |
| `mmu_gather` | `mmu_gather` | Used for TLB (Translation Lookaside Buffer) operations |

**Scheduling Policies and Priorities:**

| iOS (XNU) Scheduler | Android (Linux) Scheduler | Description |
|---------------------|---------------------------|-------------|
| Priority-Based (Mach) | Completely Fair Scheduler (CFS) | Introduced in iOS (XNU) 2.5 (early versions used a different scheduler) |
| Real-Time and Fair Schedulers (Mach) | Round Robin Scheduler | Real-time scheduler (Fixed priority) and fair scheduler for background tasks in iOS |
| Priority Ranges (Mach) | Nice Values | Priority values typically range from -20 to +20 in Android |

**IPC Mechanisms:**

| iOS (XNU) IPC Mechanisms | Android (Linux) IPC Mechanisms | Description |
|--------------------------|--------------------------------|-------------|
| Mach Messages | Inter-Process Communication (IPC) | Mach IPC is part of the XNU kernel, while Android uses Binder IPC |
| Port Rights (Mach) | Binder IPC | Binder IPC framework introduced in Android 1.0 |
| XPC (XNU) | Socket IPC | XPC introduced in iOS 7 (Grand Central Dispatch, GCD) |

**File Systems:**

| iOS (XNU) File Systems | Android (Linux) File Systems | Description |
|------------------------|------------------------------|-------------|
| HFS+ (Historically) | Ext4 (Historically) | Default file systems in older versions |
| APFS (Current) | F2FS (Some Devices) | APFS introduced in iOS 10, F2FS used on some Android devices |
| File System APIs | VFS (Virtual File System) | Abstraction layers for file operations |

**Memory Management:**

| iOS (XNU) Memory Management | Android (Linux) Memory Management | Description |
|-----------------------------|-----------------------------------|-------------|
| Mach Virtual Memory System | Page Cache and Slab Allocator | Mach VM system in iOS (XNU), Page Cache and Slab Allocator in Linux |
| ARC (Automatic Reference Counting) | Garbage Collection (Java) | iOS memory management for Objective-C/Swift, Java GC for Android |

**Power Management:**

| iOS (XNU) Power Management | Android (Linux) Power Management | Description |
|----------------------------|----------------------------------|-------------|
| Advanced Power Management (APM) | Advanced Power Management (APM) | Power-saving strategies and APIs for devices |
| Energy Impact Measurement | Battery Stats Framework | Introduced in iOS 9, Battery Stats in Android |

**Device Drivers:**

| iOS (XNU) Device Drivers | Android (Linux) Device Drivers | Description |
|--------------------------|--------------------------------|-------------|
| Proprietary and Open-Source Drivers | Kernel and Vendor-Specific Drivers | iOS uses proprietary drivers for Apple devices, Android uses a combination of open-source and vendor-specific drivers |
| IOKit Framework (XNU) | Hardware Abstraction Layer (HAL) | Abstraction layers for device interaction |

**Security Models:**

| iOS (XNU) Security Model | Android (Linux) Security Model | Description |
|--------------------------|--------------------------------|-------------|
| App Sandbox (App Store) | SELinux (Security-Enhanced Linux) | App sandboxing enforced in iOS, SELinux introduced in Android 4.3 (Jelly Bean) |
| Code Signing (App Store) | Android Permissions System | Code signing required for iOS apps, Permissions system for Android apps |
--------------------------------------------------------------------------------