From a8a80a51853387c1d3ad0fa15295f042fcc83485 Mon Sep 17 00:00:00 2001 From: Andrey Konovalov Date: Fri, 13 Dec 2019 14:05:54 +0100 Subject: Update README.md --- README.md | 120 ++++++++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 77 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index a6f5cce..161a92d 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,8 @@ Pull requests are welcome. ## Exploitation techniques +[2019, Linux Security Summit EU: "Exploiting Race Conditions Using the Scheduler" by Jann Horn](https://static.sched.com/hosted_files/lsseu2019/04/LSSEU2019%20-%20Exploiting%20race%20conditions%20on%20Linux.pdf) [slides] [[video](https://www.youtube.com/watch?v=MIJL5wLUtKE)] + [2019: "Kepler: Facilitating Control-flow Hijacking Primitive Evaluation for Linux Kernel Vulnerabilities"](https://www.usenix.org/sites/default/files/conference/protected-files/sec19_slides_wu-wei.pdf) [slides] [[video](https://www.youtube.com/watch?v=4b_GbFs5XZI)] [[paper](https://www.usenix.org/system/files/sec19-wu-wei.pdf)] [2019: "Leak kernel pointer by exploiting uninitialized uses in Linux kernel" by Jinbum Park](https://jinb-park.github.io/leak-kptr.html) [slides] @@ -27,6 +29,8 @@ Pull requests are welcome. [2018: "linux kernel pwn notes"](https://www.cnblogs.com/hac425/p/9416886.html) [article] +[2018: "Use of timer_list structure in linux kernel exploit"](https://xz.aliyun.com/t/3455) [article] + [2017: "KERNELFAULT: Pwning Linux using Hardware Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.youtube.com/watch?v=nqF_IjXg_uM) [video] [2017: "Escalating Privileges in Linux using Fault Injection" by Niek Timmers and Cristofaro Mune](https://www.riscure.com/uploads/2017/10/escalating-privileges-in-linux-using-fi-presentation-fdtc-2017.pdf) [slides] 
@@ -112,6 +116,8 @@ Pull requests are welcome. ### Information leak +[2019: "CVE-2018-3639 / CVE-2019-7308—Analysis of Spectre Attacking Linux Kernel ebpf"](https://xz.aliyun.com/t/4230) [article, CVE-2018-3639, CVE-2019-7308] + [2019: "From IP ID to Device ID and KASLR Bypass (Extended Version)"](https://arxiv.org/pdf/1906.10478.pdf) [paper] [2018: "Kernel Memory disclosure & CANVAS Part 1 - Spectre: tips & tricks"](https://www.immunityinc.com/downloads/Kernel-Memory-Disclosure-and-Canvas_Part_1.pdf) [article, Spectre] @@ -135,6 +141,16 @@ Pull requests are welcome. ### LPE +[2019: "Bad Binder: Android In-The-Wild Exploit" by Maddie Stone](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html) [article, CVE-2019-2215] + +[2019: "Analyzing Android's CVE-2019-2215 (/dev/binder UAF)"](https://dayzerosec.com/posts/analyzing-androids-cve-2019-2215-dev-binder-uaf/) [article, CVE-2019-2215] + +[2019: "Stream Cut: Android Kernel Exploitation with Binder Use-After-Free (CVE-2019-2215)"](https://www.youtube.com/watch?v=yrLXvmzUQME) [video, CVE-2019-2215] + +[2019: "CVE-2019-2215 - Android kernel binder vulnerability analysis"](https://xz.aliyun.com/t/6853) [article, CVE-2019-2215] + +[2019, Linux Security Summit EU: "Deep Analysis of Exploitable Linux Kernel Vulnerabilities" by Tong Lin and Luhai Chen](https://www.youtube.com/watch?v=MYEAGmP_id4) [video, CVE-2017-16995, CVE-2017-10661] + [2019: "Tailoring CVE-2019-2215 to Achieve Root" by Grant Hernandez](https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/) [article, CVE-2019-2215] [2019: "Android: Use-After-Free in Binder driver"](https://bugs.chromium.org/p/project-zero/issues/detail?id=1942) [announcement, CVE 2019-2215] 
@@ -149,6 +165,8 @@ Pull requests are welcome. [2019: "Taking a page from the kernel's book: A TLB issue in mremap()" by Jann Horn](https://googleprojectzero.blogspot.com/2019/01/taking-page-from-kernels-book-tlb-issue.html) [article, CVE-2018-18281] +[2019: "CVE-2018-18281 - Analysis of TLB Vulnerabilities in Linux Kernel"](https://xz.aliyun.com/t/4005) [article] + [2018: "CVE-2017-11176: A step-by-step Linux Kernel exploitation](https://blog.lexfo.fr/) [article, CVE-2017-11176] [2018: "A cache invalidation bug in Linux memory management" by Jann Horn](https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html) [article, CVE-2018-17182] @@ -171,7 +189,7 @@ Pull requests are welcome. [2017: "Adapting the POC for CVE-2017-1000112 to Other Kernels"](https://ricklarabee.blogspot.de/2017/12/adapting-poc-for-cve-2017-1000112-to.html) [article, CVE-2017-1000112] -[2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen](https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel) [slides, CVE-2017-0403, CVE-2016-6787] +[2017: "The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel" by Di Shen](https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel) [slides, CVE-2017-0403, CVE-2016-6787] [[video](https://www.youtube.com/watch?v=U2qvK1hJ6zg)] [2017: "Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox!" by Chris Salls](https://salls.github.io/Linux-Kernel-CVE-2017-5123/) [article, CVE-2017-5123] 
@@ -235,6 +253,10 @@ Pull requests are welcome. [2016, HITB Ams: "Perf: From Profiling To Kernel Exploiting" by Wish Wu](https://www.youtube.com/watch?v=37v14rMtALs) [video, CVE-2016-0819] +[2016: "QUADROOTER: NEW VULNERABILITIES AFFECTING OVER 900 MILLION ANDROID DEVICES"](https://www.blackhat.com/docs/eu-16/materials/eu-16-Donenfeld-Stumping-The-Mobile-Chipset-wp.pdf) [article, CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340] + +[2016, DEF CON: "STUMPING THE MOBILE CHIPSET: New 0days from down under" by Adam Donenfeld](https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEF%20CON%2024%20-%20Adam-Donenfeld-Stumping-The-Mobile-Chipset.pdf) [slides, CVE-2016-2503, CVE-2106-2504, CVE-2016-2059, CVE-2016-5340] + [2015: "Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)" by Gal Beniamini](https://bits-please.blogspot.de/2015/08/android-linux-kernel-privilege.html) [article, CVE-2014-4322] [2015: "Exploiting "BadIRET" vulnerability" by Rafal Wojtczuk](https://web.archive.org/web/20171118232027/https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/) [article, CVE-2014-9322] 
@@ -325,8 +347,12 @@ Pull requests are welcome. ### Other +[2019: "CVE-2019-2000 - Android kernel binder vulnerability analysis"](https://xz.aliyun.com/t/4494) [article, CVE-2019-2000] + [2019: "Linux: virtual address 0 is mappable via privileged write() to /proc/\*/mem"](https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2) [article, CVE-2019-9213] +[2019: "CVE-2019-9213 - Analysis of Linux Kernel User Space 0 Virtual Address Mapping Vulnerability"](https://cert.360.cn/report/detail?id=58e8387ec4c79693354d4797871536ea) [article, CVE-2019-9213] + [2017: "initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection"](https://alephsecurity.com/2017/05/23/nexus6-initroot/#anecdote-a-linux-kernel-out-of-bounds-write-cve-2017-1000363) [article, CVE-2017-1000363] [2016: "Motorola Android Bootloader Kernel Cmdline Injection Secure Boot Bypass"](https://alephsecurity.com/vulns/aleph-2017011) [article, CVE-2016-10277] @@ -336,6 +362,8 @@ Pull requests are welcome. ## Protection bypass techniques +[2019, POC: "KNOX Kernel Mitigation Bypasses" by Dong-Hoon You](http://powerofcommunity.net/poc2019/x82.pdf) [slides] + [2016: "Linux Kernel x86-64 bypass SMEP - KASLR - kptr_restric"](https://web.archive.org/web/20171029060939/http://www.blackbunny.io/linux-kernel-x86-64-bypass-smep-kaslr-kptr_restric/) [article] [2016, KIWICON: "Practical SMEP bypass techniques on Linux" by Vitaly Nikolenko](https://cyseclabs.com/slides/smep_bypass.pdf) [slides] 
@@ -369,7 +397,9 @@ Pull requests are welcome. ## Defensive -[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2019/07/17/security-things-in-linux-v5-2/) [articles] +[2019, Linux Security Summit EU: "A New Proposal for Protecting Kernel Data Memory" by Igor Stoppa](https://www.youtube.com/watch?v=nPH2sQAD6RY) [video] + +[2019: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/) [articles] [2019: "Control-Flow Integrity for the Linux kernel: A Security Evaluation" by Federico Manuel Bento](http://www.alunos.dcc.fc.up.pt/~up201407890/Thesis.pdf) [thesis] @@ -469,7 +499,7 @@ Marek Majkowski](https://blog.cloudflare.com/a-gentle-introduction-to-linux-kern [2018: "Writing the worlds worst Android fuzzer, and then improving it" by Brandon Falk](https://gamozolabs.github.io/fuzzing/2018/10/18/terrible_android_fuzzer.html) [article] -2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities" [[slides](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities.pdf)] [[whitepaper](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities-wp.pdf)] +[2018: "From Thousands of Hours to a Couple of Minutes: Towards Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities"](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities.pdf) [slides] [[whitepaper](http://i.blackhat.com/us-18/Thu-August-9/us-18-Wu-Towards-Automating-Exploit-Generation-For-Arbitrary-Types-of-Kernel-Vulnerabilities-wp.pdf)] [2018: "MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation"](http://www.cs.columbia.edu/~suman/docs/moonshine.pdf) [paper] 
@@ -617,10 +647,47 @@ https://github.com/grant-h/qu1ckr00t https://github.com/kangtastic/cve-2019-2215 +https://github.com/QuestEscape/exploit + + +## Tools + +https://github.com/jonoberheide/ksymhunter + +https://github.com/jonoberheide/kstructhunter + +https://github.com/ngalongc/AutoLocalPrivilegeEscalation + +https://github.com/PenturaLabs/Linux_Exploit_Suggester + +https://github.com/jondonas/linux-exploit-suggester-2 + +https://github.com/mzet-/linux-exploit-suggester + +https://github.com/spencerdodd/kernelpop -## Practice +https://github.com/vnik5287/kaslr_tsx_bypass + +http://www.openwall.com/lkrg/ -### CTF tasks +https://github.com/IAIK/meltdown + +https://github.com/nforest/droidimg + +https://github.com/a13xp0p0v/kconfig-hardened-check + +https://github.com/PaoloMonti42/salt + +https://github.com/jollheef/out-of-tree + +https://github.com/nforest/droidimg + +https://github.com/elfmaster/kdress + +https://github.com/mephi42/ida-kallsyms/ + + +## CTF tasks CSAW CTF 2010: [writeup](https://jon.oberheide.org/blog/2010/11/02/csaw-ctf-kernel-exploitation-challenge/), [source](https://jon.oberheide.org/files/csaw.c), [source and exploit](https://github.com/0x3f97/pwn/tree/master/kernel/csaw-ctf-2010-kernel-exploitation-challenge) @@ -668,7 +735,7 @@ Insomni'hack teaser 2019 (1118daysober): [writeup 1](https://ctftime.org/writeup Security Fest 2019 (brainfuck64): [writeup](https://kileak.github.io/ctf/2019/secfest-brainfuck64/) -TokyoWesterns CTF 2019 (gnote): [writeup](https://rpis.ec/blog/tokyowesterns-2019-gnote/) +TokyoWesterns CTF 2019 (gnote): [writeup](https://rpis.ec/blog/tokyowesterns-2019-gnote/), video [part 1](https://www.youtube.com/watch?v=n7osrud3PMI), [part 2](https://www.youtube.com/watch?v=i8gZ85VC2Mw) Balsn CTF 2019 (KrazyNote): [exploit](https://github.com/Mem2019/Mem2019.github.io/blob/master/codes/krazynote.c) 
@@ -677,43 +744,6 @@ HITCON CTF Quals 2019 (PoE): [source and exploit](https://github.com/david942j/c r2con CTF 2019: [source, exploit and writeup](https://github.com/esanfelix/r2con2019-ctf-kernel) -## Tools - -https://github.com/jonoberheide/ksymhunter - -https://github.com/jonoberheide/kstructhunter - -https://github.com/ngalongc/AutoLocalPrivilegeEscalation - -https://github.com/PenturaLabs/Linux_Exploit_Suggester - -https://github.com/jondonas/linux-exploit-suggester-2 - -https://github.com/mzet-/linux-exploit-suggester - -https://github.com/spencerdodd/kernelpop - -https://github.com/vnik5287/kaslr_tsx_bypass - -http://www.openwall.com/lkrg/ - -https://github.com/IAIK/meltdown - -https://github.com/nforest/droidimg - -https://github.com/a13xp0p0v/kconfig-hardened-check - -https://github.com/PaoloMonti42/salt - -https://github.com/jollheef/out-of-tree - -https://github.com/nforest/droidimg - -https://github.com/elfmaster/kdress - -https://github.com/mephi42/ida-kallsyms/ - - ### Misc https://github.com/Fuzion24/AndroidKernelExploitationPlayground @@ -755,3 +785,7 @@ https://github.com/a13xp0p0v/kernel-hack-drill https://github.com/vnik5287/kernel_rop https://github.com/R3x/How2Kernel + +https://www.twitch.tv/dayzerosec/videos?filter=all&sort=time + +https://github.com/pr0cf5/kernel-exploit-practice -- cgit v1.3
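Review bot: in hunk `@@ -135,6 +141,16 @@` (the CVE-2019-2215 block under `### LPE`), the unchanged Project Zero context line that follows the five new entries still reads `[announcement, CVE 2019-2215]` with no hyphen in the CVE id, unlike every added line above it, which uses `CVE-2019-2215`; since the block is being touched anyway, fix it to `[announcement, CVE-2019-2215]` so a search by id finds all six Binder entries.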
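Review bot: in hunk `@@ -149,6 +165,8 @@`, the added xz.aliyun.com entry "CVE-2018-18281 - Analysis of TLB Vulnerabilities in Linux Kernel" is tagged only `[article]`, while the Jann Horn entry directly above it for the same bug carries `[article, CVE-2018-18281]` and the other LPE entries that name a CVE in the title also repeat it in the tag; change it to `[article, CVE-2018-18281]` for consistency.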
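Review bot: in hunk `@@ -235,6 +253,10 @@`, both added QuadRooter entries (the Black Hat EU whitepaper and the DEF CON 24 slides) tag the second CVE as `CVE-2106-2504`, whose year does not match its three siblings `CVE-2016-2503`, `CVE-2016-2059` and `CVE-2016-5340`; this should read `CVE-2016-2504` in both lines.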
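Review bot: in hunk `@@ -617,10 +647,47 @@`, the relocated `## Tools` list carries `https://github.com/nforest/droidimg` twice (once after the IAIK meltdown entry and again after jollheef/out-of-tree); moving the list is the right moment to drop the second copy rather than carry the duplicate over from the old location.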
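Review bot: in hunk `@@ -677,43 +744,6 @@`, with `## Practice` deleted in the preceding hunk and `### CTF tasks` promoted to `## CTF tasks`, the `### Misc` heading kept as context here now nests under `## CTF tasks`, so the practice repositories that follow it (AndroidKernelExploitationPlayground, kernel-hack-drill, How2Kernel, and the newly added pr0cf5/kernel-exploit-practice) render as a sub-section of CTF tasks; promote it to `## Misc` in this hunk, or keep a `## Practice` parent for both.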