ww9210 / Linux_kernel_exploits

Repo for FUZE project. I will also publish some Linux kernel LPE exploits for various real world kernel vulnerabilities here. the samples are uploaded for education purposes for red and blue teams.
MIT License
491 stars 112 forks source link

Linux_kernel_exploits

Some Linux kernel exploits for various real world kernel vulnerabilities here. More exploits are yet to come.

This repo contains the exploits developed during a research project, as well as the code of FUZE to facilitate exploit generation.

What is FUZE

FUZE is a framework to facilitate linux kernel exploitation, here is the baisc idea of how it works:

  1. Critical information extraction we need to understand both spatial and temporal metadata of this vulnerability
  2. under context kernel fuzzing to find sensitive operation over the vulnerable object, e.g. dereferencing a dangling pointer
  3. partial symbolic execution After finding the dereference site of the vulnerable object, we start execution right before the dereference site, set the value in vulnerable object which can be controlled by us as symbolic bytes.

Dependency

angr, qemu-system-x86_64, ROPGadget, pwntools, GDB, gef, capstone, KASAN, ftrace

Install

To install FUZE, run the following command

git clone https://github.com/ww9210/Linux_kernel_exploits
cd Linux_kernel_exploits
python setup.py install --user

Documentation

TODO here, currently you can browser the code under fuze/test

Publication

For more details about facilitating linux kernel exploits, please refer to our USENIX paper:

@inproceedings{wu18fuze,
  title={FUZE: Towards Facilitating Exploit Generation for Kernel Use-After-Free Vulnerabilities},
  author={Wu, Wei and Chen, Yueqi and Xu, Jun and Xing, Xinyu and Gong, Xiaorui and Zou, Wei},
  booktitle={27th USENIX Security Symposium (USENIX Security 18)},
  organization={USENIX Association}
}

If this repo is of help to your research, we really appreciate you for citing the above paper.