In this seventh part of our Exploit 101 series, we will introduce Kernel Exploitation, focusing on how attackers exploit vulnerabilities in the Linux kernel to achieve privilege escalation and system control.
What is Kernel Exploitation?
Kernel exploitation involves exploiting vulnerabilities in the operating system kernel, allowing an attacker to:
- Escalate privileges (gain root access from a low-privileged user)
- Bypass security restrictions
- Execute arbitrary code in kernel mode
- Achieve persistence (backdoors, rootkits)
Common Kernel Vulnerabilities
- Null Pointer Dereference – Accessing NULL memory in kernel space.
- Use-After-Free (UAF) – Reusing deallocated memory.
- Race Conditions – Exploiting concurrency flaws.
- Stack-Based Buffer Overflow – Overwriting kernel function pointers.
- Integer Overflow – Manipulating memory allocation sizes.
Setting Up a Kernel Exploitation Lab
1. Install a Vulnerable Kernel
To practice, use an older Linux kernel with known vulnerabilities.
Ubuntu with Kernel 4.15 (Vulnerable to CVE-2017-16995)
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15/linux-image-4.15.0.deb
sudo dpkg -i linux-image-4.15.0.deb
sudo reboot
2. Debugging Kernel Exploits
- QEMU + GDB for Kernel Debugging
qemu-system-x86_64 -kernel bzImage -append "root=/dev/sda" -s -S
Attach GDB:
gdb -ex "target remote :1234"
Exploit 1: Null Pointer Dereference
Vulnerable Kernel Code (CVE-2017-11176)
struct my_struct {
int *ptr;
};
static struct my_struct *data;
void kernel_vuln(void) {
if (data->ptr) {
*(data->ptr) = 0xdeadbeef;
}
}
This code does not check if data is NULL, leading to a NULL dereference.
Exploiting It
- Trigger the vulnerability:
echo "Exploit Trigger" > /proc/vuln - If the kernel crashes, modify execution flow using
mmap(). - Map user-controlled memory at NULL (bypassing protections):
mmap(0, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS, -1, 0); *(int *)0 = 0xdeadbeef; // Control execution
Exploit 2: Use-After-Free (CVE-2021-22555)
Vulnerable Code
struct user_struct *obj = kmalloc(sizeof(struct user_struct), GFP_KERNEL);
kfree(obj);
printk("User data: %s\n", obj->name); // Accessing freed memory!
Exploiting It
- Spray the heap using
kmalloc()to allocate a controlled structure. - Overwrite function pointers in
obj->nameto execute shellcode. - Trigger execution with the crafted object.
Kernel Exploitation Mitigations
Modern kernels implement security mechanisms like:
- KASLR (Kernel Address Space Layout Randomization) – Makes addresses unpredictable.
- SMEP (Supervisor Mode Execution Prevention) – Blocks userland execution.
- KPTI (Kernel Page Table Isolation) – Mitigates Meltdown attacks.
Bypassing Protections
- Leak Kernel Addresses – Use
procfs,dmesg, or memory leaks. - ROP (Return-Oriented Programming) – Chain kernel gadgets to execute payloads.
- Disable SMEP – Use ROP to modify control registers.
Conclusion
Kernel exploitation is an advanced technique requiring deep knowledge of memory management, privilege escalation, and bypassing modern mitigations. In the next part, we will cover Kernel Rootkits and Persistence Techniques.
Stay tuned for Exploit 101: Part 8 – Kernel Rootkits and Persistence!

0 comments:
Post a Comment