Linux kernel legacy_parse_param heap overflow local privilege escalation
CVE-2022-0185 is a Linux kernel local privilege escalation vulnerability in the Filesystem Context subsystem. The flaw is in legacy_parse_param(), which handles mount parameter parsing for filesystems that do not support the newer Filesystem Context API and therefore fall back to legacy handling. Because of an integer underflow in the parameter length validation, the intended bounds check can be bypassed, which then leads to a heap-based buffer overflow. A local attacker can reach the vulnerable path by opening or mounting a filesystem that uses the legacy parsing path and supplying crafted parameters. On systems with unprivileged user namespaces enabled, this can be exploited by an unprivileged local user; otherwise exploitation requires namespaced CAP_SYS_ADMIN privileges.
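As an added illustration (this is a model written for this page, not kernel code or code from any of the repositories below), the following C program reproduces the shape of the length check that legacy_parse_param() applies to its one-page accumulated option string next to the corrected form, and shows why a buffer that has grown to exactly 4095 bytes makes the next check wrap and accept an oversized parameter. The helper names, the size-only bookkeeping and the 4096-byte PAGE_SIZE are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>

#undef PAGE_SIZE
#define PAGE_SIZE 4096UL  /* the one-page buffer legacy_parse_param() appends into */

/* Vulnerable check (returns true to reject): once size exceeds PAGE_SIZE - 2
 * the unsigned subtraction wraps to a huge value, so no len is "too large". */
static bool too_large_vulnerable(size_t size, size_t len)
{
    return len > PAGE_SIZE - 2 - size;
}

/* Corrected check: add instead of subtract, so the comparison cannot wrap. */
static bool too_large_fixed(size_t size, size_t len)
{
    return size + len + 2 > PAGE_SIZE;
}

/* Model of appending ",key=value" to a buffer already holding *size bytes.
 * Returns 0 if the check rejects it, 1 if accepted; *overflow is set when the
 * accepted write (comma, key, '=', value, NUL) would run past the page. */
static int append_param(size_t *size, const char *key, size_t vlen,
                        bool (*too_large)(size_t, size_t), bool *overflow)
{
    size_t len  = strlen(key) + 1 + vlen;             /* key '=' value, no comma */
    size_t need = *size + (*size ? 1 : 0) + len + 1;  /* ',' + len + NUL */

    *overflow = false;
    if (too_large(*size, len))
        return 0;
    if (need > PAGE_SIZE)
        *overflow = true;   /* the real code would memcpy past the page here */
    else
        *size += (*size ? 1 : 0) + len;
    return 1;
}

/* Same sequence under either check: a short option, one sized so the buffer
 * lands on exactly 4095 bytes (the check ignores the joining comma), then one
 * more. Returns 1 if that last option was accepted even though it overflows. */
static int scenario(bool (*too_large)(size_t, size_t))
{
    size_t size = 0;
    bool overflow;
    append_param(&size, "a", 8, too_large, &overflow);                        /* size 10 */
    append_param(&size, "b", PAGE_SIZE - 2 - size - 2, too_large, &overflow); /* size 4095 */
    append_param(&size, "c", 64, too_large, &overflow);
    return overflow ? 1 : 0;
}
```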
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a single C file (exploit.c) implementing a local Linux kernel privilege-escalation exploit using the new mount API syscalls fsopen(430) and fsconfig(431). The exploit performs extensive kernel heap grooming using System V message queues (0x400 + 0x400 queues), pipes (0x100), and multiple UNIX socketpairs to spray SKBs. It appears to trigger a kernel memory corruption/UAF condition in filesystem context handling, then leverages message-queue structures (kernel_msg/msg_segment) for out-of-bounds/UAF manipulation and heap address leakage (tracks uaf_msg_address, heap_base_address, corrupted/leak queue IDs/types). In the final stage, it escalates privileges by overwriting an on-disk privileged target binary (/usr/bin/mount) with an embedded attacker-controlled x86_64 ELF payload (root_shellcode). The process model is: child process sets up namespaces/CPU affinity and runs two exploitation phases (phase 1: memory corruption; phase 2: privilege escalation) with retry loops; upon success it signals the parent via a pipe. The parent then executes /usr/bin/mount via execl(), which—after being overwritten—runs the embedded payload and spawns a root shell (execve("/bin///sh")). No network C2 or remote endpoints are present; all actions are local kernel exploitation and file overwrite/execution.
Repository purpose: proof-of-concept exploitation of CVE-2022-0185 (Linux kernel fs_context legacy_parse_param integer underflow leading to kmalloc-4k heap overflow) to achieve local privilege escalation, plus a separate kCTF-focused container escape variant. Structure (17 files):
- README.md: describes the CVE, affected kernels (5.1–5.15), and the two exploit variants.
- Makefile: builds two static, non-PIE binaries (targets: kctf and fuse). Links util.c; the fuse build also links fakefuse.c and a bundled static libfuse (libfuse3.a implied).
- exploit_fuse.c (~7.6KB): Ubuntu-oriented LPE. Flow:
  1) unshare_setup(): creates a new user+mount namespace and writes /proc/self/{setgroups,uid_map,gid_map} to become uid 0 inside the namespace.
  2) modprobe_init(): creates /tmp/root (invalid executable content) and /tmp/w (script that runs chmod u+s /bin/bash), chmod 0777.
  3) Starts a FUSE filesystem mounted at ./evil (fakefuse.c ops). The FUSE read handler blocks on a pipe to precisely time a race.
  4) do_leak(): triggers the fsopen("ext4") + repeated fsconfig(FSCONFIG_SET_STRING) pattern to reach the vulnerable 4095-byte boundary and overflow. Uses SysV message queue spraying (msg_msg objects) and MSG_COPY reads to obtain an out-of-bounds read and leak a kernel pointer; do_check_leak() derives the kernel base using a hardcoded offset (single_start).
  5) do_win(): uses a FUSE-backed mmap at fixed addresses (0x1337000/0x1338000) and a racing thread (arb_write) to convert the heap overflow into an arbitrary write primitive by corrupting msg_msg linkage. It targets modprobe_path-8.
  6) modprobe_hax(): execve(/tmp/root) triggers modprobe, which runs /tmp/w, making /bin/bash SUID; then execve(/bin/bash, ["-p"]).
- fakefuse.c/.h: minimal FUSE FS exposing file "evil" under mountpoint "evil". evil_read() returns a 0x1000 buffer whose tail contains the string modprobe_win ("/tmp/w"), and synchronizes with the racing thread via fuse_pipes.
- util.c/.h: shared helpers for SysV IPC message queues (msgget/msgsnd/msgrcv), hex dumping, syscall wrappers for fsopen/fsconfig, and global paths (/tmp/w, /tmp/root) and argv for bash -p.
- exploit_kctf.c (~17.5KB, partially truncated in provided content): kCTF/GKE-oriented exploit variant. It pins CPU affinity, performs extensive heap spraying with SysV message queues, leaks the KASLR base (do_kaslr_leak) and additional heap addresses (do_heap_leaks), then attempts exploitation via a hardcoded kernel ROP chain (gadgets/symbols: stack pivot, commit_creds, prepare_kernel_cred, switch_task_namespaces, kpti_trampoline, pop rdi/rsi, etc.). Intended outcome is privilege escalation/container escape; reliability is noted as ~50% in the README.
Notable observables / targets:
- Uses fsopen("ext4") and fsconfig() syscalls to reach the vulnerable legacy_parse_param path.
- Heavy use of SysV IPC message queues (IPC_PRIVATE) for heap feng shui and MSG_COPY for leak primitives.
- FUSE mountpoint and file: ./evil and ./evil/evil.
- Modprobe hijack artifacts: /tmp/root (trigger) and /tmp/w (helper script), and SUID modification of /bin/bash.
Overall: This is real exploit code (not just detection). It is local-only (no network C2/endpoints), and provides working privilege escalation via modprobe_path overwrite (fuse variant) and a more complex ROP-based kCTF escape (kctf variant).
Repository purpose: educational research + PoC exploit for CVE-2022-0185 (Linux kernel fscontext heap overflow in legacy_parse_param() reachable via fsopen()/fsconfig()). Structure:
- README.md: high-level vulnerability explanation, affected versions, references, lab guidance, and mitigation notes.
- exploit.c: full local privilege escalation exploit implementation.
- LICENSE/.gitignore: standard.
Exploit capabilities (exploit.c):
- Uses fsopen(2)/fsconfig(2) (hardcoded syscall numbers 430/431) to reach the vulnerable filesystem context parameter parsing and trigger a heap overflow.
- Performs kernel heap grooming/spraying using multiple primitives:
  - Large numbers of SysV message queues (MSG_QUEUE_COUNT_1/2) with crafted message sizes (0x400/0x1400) and structures resembling the kernel msg_msg layout.
  - Multiple UNIX socketpairs and skb spraying constants (SKB_DATA_COUNT) to influence heap layout.
  - Pipes (PIPE_COUNT) for additional allocation patterns.
- Multi-phase exploitation flow:
  - Phase 1: attempts memory corruption and retries until successful.
  - Phase 2: attempts privilege escalation and retries until successful.
- Post-exploitation behavior:
  - Contains embedded x86_64 ELF shellcode bytes (root_shellcode[]).
  - Targets /usr/bin/mount as the execution/privilege trigger; the parent process execs /usr/bin/mount after the child signals success via a pipe.
  - Includes a verification read of /usr/bin/mount checking for marker 0x56565656 at an offset, suggesting the exploit overwrites/patches the target binary or its in-memory representation as part of the escalation chain.
No network C2 or remote endpoints are present; the attack vector is strictly local kernel exploitation.
This repository contains two operational exploits for CVE-2022-0185, a Linux kernel vulnerability in the filesystem layer. The structure includes two main exploit files: 'exploit_fuse.c' (targets Ubuntu with kernel 5.7+ using FUSE and SYSVIPC for arbitrary kernel write) and 'exploit_kctf.c' (targets Google Kubernetes Engine with kernel 5.10.68+ using a kernel ROP chain for root code execution). Supporting files include a minimal FUSE implementation ('fakefuse.c', 'fakefuse.h'), utility functions ('util.c', 'util.h'), and a bundled libfuse header set. The FUSE exploit achieves privilege escalation by making /bin/bash SUID via modprobe_path manipulation and a crafted shell script. The kctf exploit achieves root in the root namespace via a kernel ROP chain. Both exploits require local code execution and specific kernel versions/configurations. The repository is well-structured for research and demonstration purposes, with clear separation between the two exploit strategies and comprehensive supporting code.
This repository provides a proof-of-concept (PoC) exploit for CVE-2022-0185, a vulnerability in the Linux kernel's fsconfig syscall that can lead to a kernel crash (denial of service). The main exploit is implemented in 'crash.c', a C program that opens an ext4 filesystem context using the fsopen syscall and then repeatedly calls fsconfig with crafted arguments to trigger the vulnerability. The repository includes a Dockerfile to build a container image that runs the exploit as an unprivileged user (UID 65534), and a Kubernetes pod manifest ('pod.yaml') for easy deployment in Kubernetes environments. The README provides usage instructions for both Docker and Kubernetes. The exploit is a local DoS PoC and does not provide privilege escalation or remote code execution. The main fingerprintable endpoints are the use of the 'ext4' filesystem type in the exploit and the published Docker image. The repository is structured for ease of testing in containerized environments.
This repository contains a full exploit for CVE-2022-0185, a heap overflow vulnerability in the Linux kernel's fsconfig syscall (affecting versions 5.1-rc1 to 5.16.2). The exploit is implemented in C and is designed to be run locally on a vulnerable system, including within containers. The main exploit logic is in 'qemuANDexp/exp/cve-2022-0185.c', which orchestrates a complex heap manipulation using System V message queues, sockets, and pipes to achieve arbitrary kernel memory write. The exploit ultimately overwrites a SUID binary (such as /usr/bin/mount) with a custom shell payload (embedded in util.c), resulting in a root shell when the binary is executed. The repository includes scripts and instructions for setting up a QEMU-based test environment, as well as detailed technical documentation in the README. The code is operational and provides a working local privilege escalation and container escape exploit for the specified Linux kernel versions.
This repository contains a local privilege escalation exploit for CVE-2022-0185, a heap-based buffer overflow in the Linux kernel's fs/fsconfig.c. The exploit is implemented in a single C file ('exploit.c'), which leverages a pipe-primitive to avoid the need for KASLR, SMAP, SMEP, or KPTI bypasses. The exploit works by manipulating kernel heap structures via message queues, sockets, and pipes to achieve an out-of-bounds write, ultimately allowing the attacker to overwrite '/usr/bin/mount' with a statically linked SUID shell binary. The Makefile provides a simple build process for the exploit. The README describes the exploit's approach and references the pipe-primitive technique. The exploit is operational and, if successful, grants root privileges by replacing '/usr/bin/mount' with a SUID shell. The only fingerprintable endpoint is the file path '/usr/bin/mount', which is the target of the overwrite. The exploit is intended for use on vulnerable Linux systems and requires local access.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An integer underflow vulnerability in Linux kernel legacy_parse_param() during mount parameter parsing for legacy filesystems, leading to a length check bypass and ultimately a heap overflow.
Referenced as a historically exploited N-day by CL-STA-1015/UNC5174; no additional details provided in the content.
Referenced only as a historically exploited N-day by UNC5174/CL-STA-1015; no additional vulnerability details provided in this content.
Unknown (mentioned only as a historically exploited N-day by UNC5174/CL-STA-1015; no vulnerability details provided).