brant-ruan / exploit_bypass_kaslr_smap_smep_ret2dir.c
Created February 4, 2023 07:58
ret2dir | Pawnyable LK01-2
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/mman.h>
brant-ruan / rds_amd64_ret2dir.c
Created February 3, 2023 15:50
ret2dir | CVE-2010-3904 | by Dan Rosenberg and Vasileios P. Kemerlis
/*
* Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
* CVE-2010-3904
* by Dan Rosenberg <drosenberg@vsecurity.com>
*
* Copyright 2010 Virtual Security Research, LLC
*
* The handling functions for sending and receiving RDS messages
* use unchecked __copy_*_user_inatomic functions without any
* access checks on user-provided pointers. As a result, by
brant-ruan / perf-events_amd64_ret2usr.c
Created February 3, 2023 15:20
ret2usr | CVE-2013-2094 | by sorbo
/*
* CVE-2013-2094 exploit x86_64 Linux < 3.8.9
* by sorbo (sorbo@darkircop.org) June 2013
*
* Based on sd's exploit. Supports more targets.
*
*/
#define _GNU_SOURCE
#include <string.h>
brant-ruan / perf-events_amd64_ret2dir.c
Last active February 3, 2023 15:16
ret2dir | CVE-2013-2094 | by Vasileios P. Kemerlis
/*
* Linux kernel exploit (privilege escalation)
* CVE-2013-2094 (PERF_EVENTS)
* Vasileios P. Kemerlis <vpk@cs.columbia.edu>
*
* Based on the exploits of `sd', `sorbo', and `spender';
* uses the `ret2dir' technique for bypassing:
* - SMEP+SMAP (Intel)
* - KERNEXEC/UDEREF (PaX)
*
brant-ruan / bpf_example_maps.c
Created January 14, 2023 08:46
Pawnyable LK06
#include "bpf_insn.h"
#include <linux/bpf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
brant-ruan / bpf_example_filter.c
Last active January 14, 2023 08:46
Pawnyable LK06
#include <linux/bpf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
// https://pawnyable.cafe/linux-kernel/LK06/distfiles/bpf_insn.h
#include "bpf_insn.h"
brant-ruan / fuse_example.c
Last active January 13, 2023 10:11
Pawnyable LK04
// gcc fuse.c -o test -D_FILE_OFFSET_BITS=64 -static -pthread -lfuse -ldl
#define FUSE_USE_VERSION 29
#include <errno.h>
#include <fuse.h>
#include <stdio.h>
#include <string.h>
void fatal(const char *msg) {
perror(msg);
exit(1);
brant-ruan / exploit_race_fuse.c
Last active January 13, 2023 09:53
Pawnyable LK04
// gcc exploit.c -o exploit -D_FILE_OFFSET_BITS=64 -static -pthread -lfuse -ldl
#define _GNU_SOURCE
#define FUSE_USE_VERSION 29
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <fuse.h>
#include <linux/fuse.h>
#include <pthread.h>
#include <stdio.h>
brant-ruan / exploit_race_uffd.c
Last active January 13, 2023 08:59
Pawnyable LK04
#define _GNU_SOURCE
#include <assert.h>
#include <fcntl.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
brant-ruan / leak_kbase_and_heap.c
Last active January 13, 2023 09:00
Pawnyable LK04
#define _GNU_SOURCE
#include <assert.h>
#include <fcntl.h>
#include <linux/userfaultfd.h>
#include <poll.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>