2024 공부할꺼

technique

---

1. all in one
   1. https://arttnba3.cn/2021/03/03/PWN-0X00-LINUX-KERNEL-PWN-PART-I/#%E7%AC%94%E8%80%85%E8%87%AA%E7%94%A8%E6%A8%A1%E6%9D%BF
2. race condition
   1. FUSE for exploitation : https://exploiter.dev/blog/2022/FUSE-exploit.html  
   2. mmap for exploitation : no link
3. dirty series
   1. dirty cred
      1. https://i.blackhat.com/USA-22/Thursday/US-22-Lin-Cautious-A-New-Exploitation-Method.pdf
      2. https://zplin.me/papers/DirtyCred.pdf
      3. https://www.youtube.com/watch?v=KEStazCf8vc
      4. https://github.com/Markakd/DirtyCred
      5. https://starlabs.sg/blog/2023/07-a-new-method-for-container-escape-using-file-based-dirtycred/
      6. https://blog.wohin.me/posts/linux-kernel-pwn-06/
   2. dirty pagetable
      1. https://uz56764.tistory.com/116?category=1037366
      2. https://ptr-yudai.hatenablog.com/entry/2023/12/08/093606
      3. https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html
4.  cross cache technique
   1.  
   2. Cross Cache Attack技术细节分析 (veritas501.github.io)
5. kaslr bypass
   1. https://www.willsroot.io/2022/12/entrybleed.html
6. data only exploitation
   1. https://h0mbre.github.io/kCTF_Data_Only_Exploit/
7. null byte dereferences
   1. https://buff.ly/3ZOekyI
8. ds
9.  
10. FG-kalsr bypass
    1. https://www.cnblogs.com/hetianlab/p/17540071.html
11. fuzzing
    1. 🔍 Looking for Remote Code Execution bugs in the Linux kernel | Andrey Konovalov (xairy.io)

---

CVE's

• name space (VFS)
  • https://www.synacktiv.com/sites/default/files/2023-11/ubuntu_shiftfs.pdf
• io_uring
  • Put an io_uring on it - Exploiting the Linux Kernel - chompie at the bits
  • https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a
  • io_uring - new code, new bugs, and a new exploit technique
  • https://qyn.app/posts/CVE-2023-3389/
  • https://www.ctfiot.com/69111.html 
•  netlink
  • https://starlabs.sg/blog/2023/06-breaking-the-code-exploiting-and-examining-cve-2023-1829-in-cls_tcindex-classifier-vulnerability/
  • https://labs.bluefrostsecurity.de/revisiting-cve-2017-11176
• esp4
  • https://etenal.me/archives/1825
• netfilter 
  • https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/
  • https://www.youtube.com/watch?v=9wgHENj_YNk
  • https://www.synacktiv.com/publications/old-bug-shallow-bug-exploiting-ubuntu-at-pwn2own-vancouver-2023
  • https://makelinux.github.io/kernel/map/
  • https://seclists.org/oss-sec/2023/q1/20
  • https://t.co/edPmvOirK1
  • https://research.nccgroup.com/2023/05/23/offensivecon-2023-exploit-engineering-attacking-the-linux-kernel/
  • https://kaist-hacking.github.io/pubs/2023/kim:kernel-ctf-slides.pdf
• etc
  
  • https://labs.bluefrostsecurity.de/blog/cve-2023-2008.html : driver vuln
  • https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html : walk through
  • https://github.com/bsauce/kernel-exploit-factory : tun of exploit PoC and description
  • https://github.com/V4bel/CVE-2022-41218 : driver vuln v4bel
  • https://github.com/google/security-research : google kctf
  • https://github.com/google/security-research/tree/master/pocs/linux/kernelctf
  • https://blog.immunityinc.com/
  • https://github.com/Snoopy-Sec/Localroot-ALL-CVE/tree/master/2023/CVE-2023-3269 

---

CTF challenge

• https://t.co/BFPyEvAnOU
• https://willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html 

 

debugging

• https://sam4k.com/patching-instrumenting-debugging-linux-kernel-modules/
• https://blog.k3170makan.com/2020/11/linux-kernel-exploitation-0x0-debugging.html
• https://blogs.oracle.com/linux/post/live-kernel-debugging-1
• https://bootlin.com/doc/training/debugging/debugging-labs.tar.xz
• https://bootlin.com/doc/training/debugging/debugging-labs.pdf
• https://bootlin.com/doc/training/debugging/debugging-slides.pdf

 

---

other resource

• https://www.kernel.org/doc/html/latest : 커널 docs
• https://buff.ly/3uuQzRc : netfilter basic
• https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-1 : slub internal
• https://research.nccgroup.com/2023/02/06/rustproofing-linux-part-1-4-leaking-addresses/ : techenique (leak, race)
• https://0xkol.github.io/assets/files/OffensiveCon23_Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf : android kenrel exploit
• https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/ : kernel CTF basic
• https://www.interruptlabs.co.uk/articles/pipe-buffer : aar/aaw technique
• https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/ : other android exploitation
• https://writeup.md/post/linux-kernel-pwn-abc-1/ : some background knowledge
• https://blog.csdn.net/Breeze_CAT?type=blog : cve analysis & etc about kernel explotiation
• https://www.youtube.com/watch?v=aq0TLYXGQCA&list=PLOEpetqiDZSrfM_HYPe9l6RC782Ttul2H : network driver (netfilter)
• https://github.com/bsauce/kernel-security-learning : github kernel explkoit reference
• https://read.seas.harvard.edu/cs161/2020/schedule/ : harvard education about linux kernel and system programming 
• https://students.mimuw.edu.pl/ZSO/Wyklady/06_memory2/BuddySlabAllocator.pdf : slab allocator
• https://argp.github.io/2012/01/03/linux-kernel-heap-exploitation/ : kernel heap exploit perspective
• https://events.static.linuxfound.org/images/stories/pdf/klf2012_kim.pdf : how does slub work from korean mantainer
• https://ruffell.nz/programming/writeups/2019/02/15/looking-at-kmalloc-and-the-slub-memory-allocator.html : analysis kmalloc code
• https://makelinux.github.io/kernel/map/ : kernel map
• https://github.com/bsauce/kernel-security-learning : bsauce kernel exploitation walk through
• https://ywhkkx.github.io/ : kernel 1day analysis
• https://github.com/smallkirby/kernelpwn/blob/master/structs.md : structure used for attack