Update README.md

author: Andrey Konovalov 2019-12-13 14:05:54 +0100
committer: GitHub 2019-12-13 14:05:54 +0100
commit: a8a80a51853387c1d3ad0fa15295f042fcc83485 (patch)
tree: 688e933e5ad12a286e1e00049d7415eea2de8d80 /README.md
parent: 6780f3f1394eb1b2fa47e9cdc19b2016e00c4379 (diff)
1 files changed, 77 insertions, 43 deletions
diff --git a/README.md b/README.md
index a6f5cce..161a92d 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@ Pull requests are welcome.
 ## Exploitation techniques
+[2019, Linux Security Summit EU: "Exploiting Race Conditions Using the Scheduler" by Jann Horn](https://static.sched.com/hosted_files/lsseu2019/04/LSSEU2019%20-%20Exploiting%20race%20conditions%20on%20Linux.pdf) [slides] [[video](https://www.youtube.com/watch?v=MIJL5wLUtKE)]
 [2019: "Kepler: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities"](https://www.usenix.org/sites/default/files/conference/protected-files/sec19_slides_wu-wei.pdf) [slides] [[video](https://www.youtube.com/watch?v=4b_GbFs5XZI)] [[paper](https://www.usenix.org/system/files/sec19-wu-wei.pdf)]
 [2019: "Leak kernel pointer by exploiting uninitialized uses in Linux kernel" by Jinbum Park](https://jinb-park.github.io/leak-kptr.html) [slides]
@@ -27,6 +29,8 @@ Pull requests are welcome.
 [2018: "linux kernel pwn notes"](https://www.cnblogs.com/hac425/p/9416886.html) [article]
+[2018: "Use of timer_list structure in linux kernel exploit"](https://xz.aliyun.com/t/3455) [article]
 [2017: "KERNELFAULT: Pwning Linux using Hardware Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.youtube.com/watch?v=nqF_IjXg_uM) [video]
 [2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.riscure.com/uploads/2017/10/escalating-privileges-in-linux-using-fi-presentation-fdtc-2017.pdf) [slides]
@@ -112,6 +116,8 @@ Pull requests are welcome.
 ### Information leak
+[2019: "CVE-2018-3639 / CVE-2019-7308—Analysis of Spectre Attacking Linux Kernel ebpf"](https://xz.aliyun.com/t/4230) [article, CVE-2018-3639, CVE-2019-7308]
 [2019: "From IP ID to Device ID and KASLR Bypass (Extended Version)"](https://arxiv.org/pdf/1906.10478.pdf) [paper]
 [2018: "Kernel Memory disclosure & CANVAS Part 1 - Spectre: tips & tricks"](https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_1.pdf) [article, Spectre]
@@ -135,6 +141,16 @@ Pull requests are welcome.
 ### LPE
+[2019: "Bad Binder: Android In-The-Wild Exploit" by Maddie Stone](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html) [article, CVE-2019-2215]
+[2019: "Analyzing Android's CVE-2019-2215 (/dev/binder UAF)"](https://dayzerosec.com/posts/analyzing-androids-cve-2019-2215-dev-binder-uaf/) [article, CVE-2019-2215]
+[2019: "Stream Cut: Android Kernel Exploitation with Binder Use-After-Free (CVE-2019-2215)"](https://www.youtube.com/watch?v=yrLXvmzUQME) [video, CVE-2019-2215]
+[2019: "CVE-2019-2215 - Android kernel binder vulnerability analysis"](https://xz.aliyun.com/t/6853) [article, CVE-2019-2215]
+[2019, Linux Security Summit EU: "Deep Analysis of Exploitable Linux Kernel Vulnerabilities" by Tong Lin and Luhai Chen](https://www.youtube.com/watch?v=MYEAGmP_id4) [video, CVE-2017-16995, CVE-2017-10661]
 [2019: "Tailoring CVE-2019-2215 to Achieve Root" by Grant Hernandez](https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/) [article, CVE-2019-2215]
 [2019: "Android: Use-After-Free in Binder driver"](https://bugs.chromium.org/p/project-zero/issues/detail?id=1942) [announcement, CVE 2019-2215]
@@ -149,6 +165,8 @@ Pull requests are welcome.
 [2019: "Taking a page from the kernel's book: A TLB issue in mremap()" by Jann Horn](https://googleprojectzero.blogspot.com/2019/01/taking-page-from-kernels-book-tlb-issue.html) [article, CVE-2018-18281]
+[2019: "CVE-2018-18281 - Analysis of TLB Vulnerabilities in Linux Kernel"](https://xz.aliyun.com/t/4005) [article]
 [2018: "CVE-2017-11176: A step-by-step Linux Kernel exploitation](https://blog.lexfo.fr/) [article, CVE-2017-11176]
 [2018: "A cache invalidation bug in Linux memory management" by Jann Horn](https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html) [article, CVE-2018-17182]
@@ -171,7 +189,7 @@ Pull requests are welcome.
 [2017: "Adapting the POC for CVE-2017-1000112 to Other Kernels"](https://ricklarabee.blogspot.de/2017/12/adapting-poc-for-cve-2017-1000112-to.html) [article, CVE-2017-1000112]
-[2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen](https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel) [slides, CVE-2017-0403, CVE-2016-6787]
+[2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen](https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel) [slides, CVE-2017-0403, CVE-2016-6787] [[video](https://www.youtube.com/watch?v=U2qvK1hJ6zg)]
 [2017: "Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!" by Chris Salls](https://salls.github.io/Linux-Kernel-CVE-2017-5123/) [article, CVE-2017-5123]
@@ -235,6 +253,10 @@ Pull requests are welcome.
 [2016, HITB Ams: "Perf: From Profiling To Kernel Exploiting" by Wish Wu](https://www.youtube.com/watch?v=37v14rMtALs) [video, CVE-2016-0819]
+[2016: "QUADROOTER: NEW VULNERABILITIES AFFECTING OVER 900 MILLION ANDROID DEVICES"](https://www.blackhat.com/docs/eu-16/materials/eu-16-Donenfeld-Stumping-The-Mobile-Chipset-wp.pdf) [article, CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340]
+[2016, DEF CON: "STUMPING THE MOBILE CHIPSET: New 0days from down under" by Adam Donenfeld](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Adam-Donenfeld-Stumping-The-Mobile-Chipset.pdf) [slides, CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340]
 [2015: "Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)" by Gal Beniamini](https://bits-please.blogspot.de/2015/08/android-linux-kernel-privilege.html) [article, CVE-2014-4322]
 [2015: "Exploiting "BadIRET" vulnerability" by Rafal Wojtczuk](https://web.archive.org/web/20171118232027/https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/) [article, CVE-2014-9322]
@@ -325,8 +347,12 @@ Pull requests are welcome.
 ### Other
+[2019: "CVE-2019-2000 - Android kernel binder vulnerability analysis"](https://xz.aliyun.com/t/4494) [article, CVE-2019-2000]
 [2019: "Linux: virtual address 0 is mappable via privileged write() to /proc/\*/mem"](https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2) [article, CVE-2019-9213]
+[2019: "CVE-2019-9213 - Analysis of Linux Kernel User Space 0 Virtual Address Mapping Vulnerability"](https://cert.360.cn/report/detail?id=58e8387ec4c79693354d4797871536ea) [article, CVE-2019-9213]
 [2017: "initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection"](https://alephsecurity.com/2017/05/23/nexus6-initroot/#anecdote-a-linux-kernel-out-of-bounds-write-cve-2017-1000363) [article, CVE-2017-1000363]
 [2016: "Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass"](https://alephsecurity.com/vulns/aleph-2017011) [article, CVE-2016-10277]
@@ -336,6 +362,8 @@ Pull requests are welcome.
 ## Protection bypass techniques
+[2019, POC: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You](http://powerofcommunity.net/poc2019/x82.pdf) [slides]
 [2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"](https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/) [article]
 [2016, KIWICON: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko](https://cyseclabs.com/slides/smep_bypass.pdf) [slides]
@@ -369,7 +397,9 @@ Pull requests are welcome.
 ## Defensive
-[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2019/07/17/security-things-in-linux-v5-2/) [articles]
+[2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video]
+[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/) [articles]
 [2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis]
@@ -469,7 +499,7 @@ Marek Majkowski](https://blog.cloudflare.com/a-gentle-introduction-to-linux-kern
 [2018: "Writing the worlds worst Android fuzzer, and then improving it" by Brandon Falk](https://gamozolabs.github.io/fuzzing/2018/10/18/terrible_android_fuzzer.html) [article]
-2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities" [[slides](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities.pdf)] [[whitepaper](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities-wp.pdf)]
+[2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities"](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities.pdf) [slides] [[whitepaper](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities-wp.pdf)]
 [2018: "MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation"](http://www.cs.columbia.edu/~suman/docs/moonshine.pdf) [paper]
@@ -617,10 +647,47 @@ https://github.com/grant-h/qu1ckr00t
 https://github.com/kangtastic/cve-2019-2215
+https://github.com/QuestEscape/exploit
+## Tools
+https://github.com/jonoberheide/ksymhunter
+https://github.com/jonoberheide/kstructhunter
+https://github.com/ngalongc/AutoLocalPrivilegeEscalation
+https://github.com/PenturaLabs/Linux_Exploit_Suggester
+https://github.com/jondonas/linux-exploit-suggester-2
+https://github.com/mzet-/linux-exploit-suggester
+https://github.com/spencerdodd/kernelpop
-## Practice
+https://github.com/vnik5287/kaslr_tsx_bypass
+http://www.openwall.com/lkrg/
-### CTF tasks
+https://github.com/IAIK/meltdown
+https://github.com/nforest/droidimg
+https://github.com/a13xp0p0v/kconfig-hardened-check
+https://github.com/PaoloMonti42/salt
+https://github.com/jollheef/out-of-tree
+https://github.com/nforest/droidimg
+https://github.com/elfmaster/kdress
+https://github.com/mephi42/ida-kallsyms/
+## CTF tasks
 CSAW CTF 2010: [writeup](https://jon.oberheide.org/blog/2010/11/02/csaw-ctf-kernel-exploitation-challenge/), [source](https://jon.oberheide.org/files/csaw.c), [source and exploit](https://github.com/0x3f97/pwn/tree/master/kernel/csaw-ctf-2010-kernel-exploitation-challenge)
@@ -668,7 +735,7 @@ Insomni'hack teaser 2019 (1118daysober): [writeup 1](https://ctftime.org/writeup
 Security Fest 2019 (brainfuck64): [writeup](https://kileak.github.io/ctf/2019/secfest-brainfuck64/)
-TokyoWesterns CTF 2019 (gnote): [writeup](https://rpis.ec/blog/tokyowesterns-2019-gnote/)
+TokyoWesterns CTF 2019 (gnote): [writeup](https://rpis.ec/blog/tokyowesterns-2019-gnote/), video [part 1](https://www.youtube.com/watch?v=n7osrud3PMI), [part 2](https://www.youtube.com/watch?v=i8gZ85VC2Mw)
 Balsn CTF 2019 (KrazyNote): [exploit](https://github.com/Mem2019/Mem2019.github.io/blob/master/codes/krazynote.c)
@@ -677,43 +744,6 @@ HITCON CTF Quals 2019 (PoE): [source and exploit](https://github.com/david942j/c
 r2con CTF 2019: [source, exploit and writeup](https://github.com/esanfelix/r2con2019-ctf-kernel)
-## Tools
-https://github.com/jonoberheide/ksymhunter
-https://github.com/jonoberheide/kstructhunter
-https://github.com/ngalongc/AutoLocalPrivilegeEscalation
-https://github.com/PenturaLabs/Linux_Exploit_Suggester
-https://github.com/jondonas/linux-exploit-suggester-2
-https://github.com/mzet-/linux-exploit-suggester
-https://github.com/spencerdodd/kernelpop
-https://github.com/vnik5287/kaslr_tsx_bypass
-http://www.openwall.com/lkrg/
-https://github.com/IAIK/meltdown
-https://github.com/nforest/droidimg
-https://github.com/a13xp0p0v/kconfig-hardened-check
-https://github.com/PaoloMonti42/salt
-https://github.com/jollheef/out-of-tree
-https://github.com/nforest/droidimg
-https://github.com/elfmaster/kdress
-https://github.com/mephi42/ida-kallsyms/
 ### Misc
 https://github.com/Fuzion24/AndroidKernelExploitationPlayground
@@ -755,3 +785,7 @@ https://github.com/a13xp0p0v/kernel-hack-drill
 https://github.com/vnik5287/kernel_rop
 https://github.com/R3x/How2Kernel
+https://www.twitch.tv/dayzerosec/videos?filter=all&sort=time
+https://github.com/pr0cf5/kernel-exploit-practice
author	Andrey Konovalov	2019-12-13 14:05:54 +0100
committer	GitHub	2019-12-13 14:05:54 +0100
commit	a8a80a51853387c1d3ad0fa15295f042fcc83485 (patch)
tree	688e933e5ad12a286e1e00049d7415eea2de8d80 /README.md
parent	6780f3f1394eb1b2fa47e9cdc19b2016e00c4379 (diff)