Linux Kernel Netfilter Heap Out-of-Bounds Write Privilege Escalation
CVE-2021-22555 is a local Linux kernel vulnerability in the Netfilter subsystem, specifically in net/netfilter/x_tables.c, caused by a heap out-of-bounds write. The flaw affects Linux kernels since v2.6.19-rc1. The available sources describe the bug as a heap overflow / heap out-of-bounds write in Netfilter whose exploitation can corrupt heap memory; one cited case study states that the vulnerable condition occurs when memset initializes memory with a size larger than the target object, so that zero bytes are written out of bounds. Successful exploitation can be used to corrupt adjacent kernel heap objects and obtain local privilege escalation.
Exploits
Repository contains a single C exploit (exploit.c) plus a short README. The code is a local Linux kernel privilege-escalation exploit targeting CVE-2021-22555 (netfilter/iptables heap out-of-bounds write). It is tailored for specific kernel builds via compile-time constants (notably Ubuntu 5.8.0-48-generic; an alternate CentOS 5.4.89 profile is present but disabled). High-level exploit flow (as evidenced by constants, structures, and the visible tail of the code):
- Uses SysV message queues (msg_msg/msg_msgseg) for heap shaping and to create controlled fake objects.
- Uses AF_UNIX socket buffer (skbuff) spraying (NUM_SOCKETS/NUM_SKBUFFS) to place attacker-controlled data in the kernel heap.
- Uses many pipes (NUM_PIPEFDS) and targets pipe_buffer objects; it forges/overwrites pipe_buffer->ops to point to a fake pipe_buf_operations table.
- The fake ops->release is set to a kernel gadget (per-kernel-version gadget addresses) to gain control flow, then a kernel ROP chain is built (build_krop()) to call prepare_kernel_cred(0) and commit_creds() (addresses hardcoded per kernel profile), resulting in root.
- After gaining root, it verifies by opening /etc/shadow, then attempts container escape by calling setns() on /proc/1/ns/mnt, /proc/1/ns/pid, and /proc/1/ns/net, cleans up message queues/sockets, and finally execve()s /bin/bash -i.
No C2 or remote network endpoints are used by the exploit itself; it is a purely local LPE with post-exploitation namespace switching. The only network-relevant observable is the README's ISO download URL for setting up a test environment.
Repository contains a working local Linux kernel exploit for CVE-2021-22555 (netfilter/x_tables OOB write) adapted from Google security-research PoC. The main file (exploit.c) is a multi-stage LPE: (1) sets up a namespace sandbox, sockets, and SysV message queues; (2) triggers the x_tables OOB write and uses message-queue heap grooming to corrupt and locate a target message; (3) performs SMAP bypass and leaks kernel heap pointers; (4) bypasses KASLR by leaking a pipe_buffer/anon_pipe_buf_ops pointer and computes kernel base; (5) achieves kernel code execution by forging pipe_buffer ops and pivoting into a kernel ROP chain that calls prepare_kernel_cred/commit_creds to become root; then it attempts to escape a container by setns() into /proc/1 namespaces and finally spawns /bin/sh. Hardcoded gadget and symbol offsets (e.g., commit_creds, prepare_kernel_cred, anon_pipe_buf_ops, and multiple ROP gadgets) indicate it is tuned to a specific kernel build/config (example shown: Linux 5.11.14 with kaslr enabled). Supporting scripts: start.sh launches a QEMU VM with SMEP/SMAP enabled and KASLR ("kaslr" kernel arg) plus a GDB stub (-s). gdb_kernel.sh attaches GDB to localhost:1234 and sets breakpoints at key gadget addresses for debugging the exploit.
This repository contains a local privilege escalation exploit for CVE-2021-22555, targeting the Linux kernel (tested on versions 4.15 and 5.8). The exploit leverages a pipe-primitive technique to achieve kernel memory corruption, allowing it to overwrite the /usr/bin/mount binary with a SUID shell payload. The exploit is implemented in a single C file (exploit.c), which contains all the logic for namespace setup, memory spraying, exploitation, and payload delivery. The payload is an embedded ELF binary that, once written to /usr/bin/mount, can be executed to obtain a root shell. The README provides a brief overview and compilation instructions. The exploit requires local access to the target system and does not require KASLR, SMAP, SMEP, or KPTI bypasses due to the use of the pipe-primitive. No network endpoints are involved; the only fingerprintable endpoint is the file path /usr/bin/mount, which is overwritten during exploitation.
This repository contains a local privilege escalation exploit for CVE-2021-22555, a heap out-of-bounds write vulnerability in the Linux kernel's net/netfilter/x_tables.c. The exploit is implemented in C (cve_2021_22555.c) and is designed to be compiled and run on a vulnerable Linux system. The README provides compilation and usage instructions, as well as tested kernel versions (Ubuntu 5.8.0-48-generic and COS 5.4.89+). The exploit works by manipulating kernel memory via message queues, sockets, and pipe buffers to achieve arbitrary code execution in the kernel, bypassing SMAP and KASLR protections. Upon success, it checks for root privileges by accessing /etc/shadow, attempts to escape container namespaces by joining /proc/1/ns/*, and finally spawns a root shell (/bin/bash -i). The exploit is operational and provides a working local root shell on affected systems. No network endpoints are involved; all actions are performed locally on the target system.
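Three of the summaries above end with the same post-root sequence: setns() into /proc/1's namespaces, then an interactive shell. The detector below, an added example and not code from any of these repositories, correlates that sequence in constructed auditd-style records; the x86_64 syscall numbers (308 for setns, 59 for execve) and the nsenter allowlist are assumptions for the example.

```python
import re

# x86_64 syscall numbers for the two calls the exploit summaries describe
SYSCALL_SETNS, SYSCALL_EXECVE = "308", "59"
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}
ALLOWLIST_EXE = {"/usr/bin/nsenter"}  # assumed: tooling allowed to enter namespaces

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_record(line):
    """Split an auditd-style record into a field dict plus its event serial."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["serial"] = m.group(1) if m else None
    return rec

def detect_ns_escape(lines):
    """Return (pid, auid, exe, shell) for each process that calls setns()
    successfully and later execve()s a shell: the post-root sequence the
    CVE-2021-22555 exploits use. Container tooling produces the same shape,
    so hits are triage leads, not proof of compromise."""
    entered_ns = {}      # pid -> SYSCALL record of the setns call
    exec_by_serial = {}  # event serial -> SYSCALL record of an execve call
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("success") == "yes":
            if rec.get("syscall") == SYSCALL_SETNS and rec.get("exe") not in ALLOWLIST_EXE:
                entered_ns[rec["pid"]] = rec
            elif rec.get("syscall") == SYSCALL_EXECVE:
                exec_by_serial[rec["serial"]] = rec  # EXECVE record with argv follows
        elif rec.get("type") == "EXECVE":
            sc = exec_by_serial.pop(rec["serial"], None)
            if sc and sc["pid"] in entered_ns and rec.get("a0") in SHELLS:
                ns = entered_ns.pop(sc["pid"])
                findings.append((sc["pid"], ns.get("auid"), ns.get("exe"), rec["a0"]))
    return findings

# Constructed sample records (not a real capture), in auditd's key=value layout
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1626000000.100:501): arch=c000003e syscall=308 success=yes exit=0 a0=4 ppid=2001 pid=2042 auid=1000 uid=0 euid=0 comm="exploit" exe="/tmp/exploit" key="ns_change"',
    'type=SYSCALL msg=audit(1626000000.200:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2042 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=EXECVE msg=audit(1626000000.200:502): argc=2 a0="/bin/bash" a1="-i"',
    'type=SYSCALL msg=audit(1626000000.300:503): arch=c000003e syscall=308 success=yes exit=0 a0=3 ppid=3000 pid=3100 auid=1001 uid=0 euid=0 comm="nsenter" exe="/usr/bin/nsenter" key="ns_change"',
    'type=SYSCALL msg=audit(1626000000.400:504): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3100 auid=1001 uid=0 euid=0 comm="sh" exe="/usr/bin/dash" key="exec"',
    'type=EXECVE msg=audit(1626000000.400:504): argc=1 a0="/bin/sh"',
]
```

Running detect_ns_escape(SAMPLE_AUDIT) flags only pid 2042 (auid 1000 ran /tmp/exploit, then /bin/bash); the allowlisted nsenter session is ignored.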
Recent activity
A heap overflow vulnerability in the Linux Netfilter kernel subsystem.
A heap out-of-bounds write vulnerability in the Linux Netfilter kernel subsystem.
A Linux vulnerability listed as exploited by FishMonger (aka Earth Lusca).
A Linux kernel heap out-of-bounds write (zeroing beyond object bounds via memset) used as a case study; exploitation can pivot from a limited overwrite into a use-after-free by corrupting message-queue object pointers (e.g., msg_msg next pointer) to achieve leaks and control-flow hijack, and is discussed in the context of AUTOSLAB’s mitigation impact.