由于将 `route4_filter` 对象从链表中删除和释放时的检查条件不一致,导致该对象被释放后仍存于链表中,后面可以触发 **Double-Free**。需要 `User Namespaces` 才能触发。采用 DirtCred 方法进行提权。
【kernel exploit】CVE-2021-4154 错误释放任意file对象-DirtyCred利用
【bsauce读论文】 DirtyCred-内核凭证替换利用技术
【kernel exploit】CVE-2022-34918 nftable堆溢出漏洞利用(list_head任意写)
【kernel exploit】CVE-2022-1015 nftables 栈溢出漏洞分析与利用
【kernel exploit】CVE-2021-41073 内核类型混淆漏洞利用分析
syzlang语法编写案例学习 —— Looking for Remote Code Execution bugs in the Linux kernel
syzkaller 源码阅读笔记3(syz-fuzzer)
syzkaller 源码阅读笔记2(syz-manager)
syzkaller 源码阅读笔记1(syz-extract & syz-sysgen)
Linux kernel CVE exploit analysis report and relative debug environment. You don't need to compile Linux kernel and configure your environment anymore.
Anything about kernel security. CTF kernel pwn, kernel exploit, kernel fuzz and kernel defense paper, kernel debugging technique, kernel CVE debug.
There are some papers about fuzzing. I record them by Xmind. Welcome to contact to me.
Something about CTF and vulnerability environment, mainly about kernel exploit.
The best vulnerable driver to learn how to exploit kernel vulnerability.