gfelber/how2keap

how2keap

A WIP cheat sheet for various Linux kernel heap exploitation techniques (and privilege escalations).

####################################################
#                                                  #
#    Tired of bloated heap implementations?        #
#          __                                      #
#         |  | __ ____ _____  ______               #
#         |  |/ // __ \\__  \ \____ \              #
#         |    <\  ___/ / __ \|  |_> >             #
#    use  |__|_ \\___  >____  /   __/              #
#              \/    \/     \/|__|                 #
#                                                  #
####################################################

flag is in /flag or /dev/sda

the exploit is located inside the vm at /pwn (recommended: rerun it until it succeeds with while ! /pwn; do true; done)

Disclaimer

This source code is provided for educational and ethical purposes only. The author(s) strictly prohibit any use of this code for unlawful, malicious, or unauthorized activities. By using this code, you agree to comply with all applicable laws and take full responsibility for any misuse.

The author(s) disclaim all liability for damages or legal consequences resulting from improper or illegal use of this code. Use responsibly and only in accordance with ethical guidelines and legal requirements.

Techniques

Privilege Escalation

| File | Technique | Linux-Version | Jail Escape | Applicable CTF Challenges |
|---|---|---|---|---|
| mad_cow.c | corrupt file struct and abuse COW to inject code into another process | latest | ~ [1] | Baby VMA |
| dirty_cred.c | DirtyCred abuses the heap memory reuse mechanism to get privileged, using MadCOW to achieve privilege escalation | latest | ~ [2] | Wall Rose |
| jit_spray.c | cBPF JIT Spray sprays attacker controlled ring0 shellcode | latest | X | |
| dirty_pagetable.c | Dirty Pagetable abuse pagetables to get unprotected AAR/AAW in kernel space (kernel RCE) | latest | X | keasy |

Gadgets

| File | Technique | Linux-Version | Applicable CTF Challenges |
|---|---|---|---|
| cross_cache.c | showcasing a cross-cache attack that allows using dangling ptrs to target the heap of other slabs | latest | Wall Rose |
| per_cpu_slabs.c | showcasing how slabs are managed and reallocated on a per-cpu basis | latest | |
| mmaped_files.c | using mmaped files to create race windows with copy_from_user or copy_to_user | latest | |
| entrybleed.c | EntryBleed exploits prefetch timing to leak KASLR | latest | |
| slubstick.c | SLUBStick, a more reliable way to trigger cross-cache | latest | |
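A defender's counterpart to the two tables above, added here as an example that is not part of how2keap: a POSIX shell audit that reports which build-time Kconfig options and run-time sysctls relevant to these technique families (KASLR leaks, slab reuse / cross-cache, BPF JIT spray) are enabled for a given kernel. The option and sysctl names are real mainline Linux ones; the pairing of each option with a technique is this example's own assumption (the page itself lists no mitigations), and the two audit functions and the proc-root parameter are this example's, not the project's.

```shell
#!/bin/sh
# Added example (not part of how2keap): read-only audit of kernel hardening
# options that raise the cost of the technique families listed above.
# The option -> technique pairing is this example's assumption; the option and
# sysctl names themselves are mainline Linux ones.

# Build-time Kconfig options.  Format: OPTION|why it matters
KCONFIG_CHECKS='CONFIG_RANDOMIZE_BASE|KASLR; the baseline EntryBleed tries to leak
CONFIG_PAGE_TABLE_ISOLATION|KPTI; EntryBleed times prefetch across the isolated mapping
CONFIG_SLAB_FREELIST_RANDOM|randomised freelist order; complicates cross-cache / DirtyCred reuse
CONFIG_SLAB_FREELIST_HARDENED|obfuscated freelist pointers; complicates freelist corruption
CONFIG_RANDOM_KMALLOC_CACHES|several kmalloc caches per size; complicates cross-cache reuse
CONFIG_INIT_ON_FREE_DEFAULT_ON|zero memory on free; limits stale data after cross-cache
CONFIG_BPF_UNPRIV_DEFAULT_OFF|unprivileged eBPF off by default; shrinks the JIT spray surface'

# Run-time sysctls, read below a proc root so the check can also run against a
# constructed tree.  Format: path under /proc|minimum acceptable value|why it matters
SYSCTL_CHECKS='sys/net/core/bpf_jit_harden|2|constant blinding for every JITed program (cBPF JIT spray)
sys/kernel/unprivileged_bpf_disabled|1|no unprivileged eBPF syscalls (JIT spray surface)'

# kconfig_audit FILE: one report line per option; returns the number not set to y.
kconfig_audit() {
    missing=0
    while IFS='|' read -r opt why; do
        if grep -qxF "$opt=y" "$1"; then
            printf 'OK       %s\n' "$opt"
        else
            printf 'MISSING  %s  (%s)\n' "$opt" "$why"
            missing=$((missing + 1))
        fi
    done <<EOF
$KCONFIG_CHECKS
EOF
    printf 'missing=%d\n' "$missing"
    return "$missing"
}

# sysctl_audit PROC_ROOT: same report for sysctls; returns the number below minimum.
sysctl_audit() {
    root=${1:-/proc}
    weak=0
    while IFS='|' read -r path want why; do
        have=-1                                  # unreadable or non-numeric counts as weak
        [ -r "$root/$path" ] && have=$(cat "$root/$path")
        case "$have" in *[!0-9-]*|'') have=-1 ;; esac
        if [ "$have" -ge "$want" ]; then
            printf 'OK       %s=%s\n' "$path" "$have"
        else
            printf 'WEAK     %s=%s  want >=%s  (%s)\n' "$path" "$have" "$want" "$why"
            weak=$((weak + 1))
        fi
    done <<EOF
$SYSCTL_CHECKS
EOF
    printf 'weak=%d\n' "$weak"
    return "$weak"
}

# Run directly with a config path, e.g. /boot/config-$(uname -r) or the
# buildroot output .config; with no argument only the functions are defined,
# so the file can be sourced.  Exit status is the total number of findings.
if [ $# -gt 0 ]; then
    kconfig_audit "$1"; k=$?
    sysctl_audit /proc; s=$?
    exit $((k + s))
fi
```

Point it at the `.config` that buildroot produces for the keap kernel to see which of these defences the lab kernel actually ships with; a `MISSING`/`WEAK` line is a hint that the corresponding example in the tables will be easier to reproduce there than on a hardened distribution kernel.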

run examples

just replace pwn.c with the example you want to run (e.g. ./linux6.6.22/dirty_cred.c)

then run ./scripts/start-qemu.sh -b to build and execute /pwn inside the vm

helper scripts:

  • scripts/start-qemu.sh [OPTIONS]
    -b build and compress rootfs if changed
    -d build with -DDEBUG
    -p run /pwn on startup
    -g run with GDB (kaslr still enabled)
    -k disable kaslr
    -c force compress rootfs
    -l set loglevel to 9
    -r run as root
    -n run with nsjail
    -v run with kvm (host cpu)

  • scripts/gdbinit
    This file can be used to specify gdb commands to be executed on startup.

buildroot

compile and modify kernel using buildroot

  1. download buildroot and extract it
  2. apply keap.patch and config.patch (from the buildroot/ directory of this repo) using patch:
     patch -p1 -i buildroot/keap.patch -d ./PATH/TO/BUILDROOT
     make -C ./PATH/TO/BUILDROOT qemu_x86_64_defconfig
     patch buildroot/.config ./PATH/TO/BUILDROOT/config.patch
  3. make changes using make menuconfig (e.g. changing the kernel version)
  4. compile keap and the kernel using make (might take a while)
  5. you will be prompted about additional packages, the default is fine
  6. the final files (rootfs.cpio.gz and bzImage) are located inside the buildroot dir in ./output/images

helpful links

Footnotes

  1. Jail escape possible if a binary or library is accessible read-only in the jail and used by an outside process

  2. Jail escape only possible through MadCOW style escape
