bluedragonsecurity/sheaf_uaf

UAF Exploitation in Sheaves Era - The Exploitation pOc Artifacts

by: Antonius (w1sdom / sw0rdm4n / ev1lut10n) - www.bluedragonsec.com

This repository collects use after free exploitation pOc code specific to the new SLUB sheaves architecture in the Linux kernel 7 series on x86_64. The sheaves architecture changes the concept of modern SLUB exploitation: a freed object is no longer handed straight back to the slab freelist. Instead, it is parked in a per-cpu sheaf, and surplus sheaves are buffered in a per-node structure called the barn.

pOc Collections for Linux Kernel 7.0 Slub Sheaves Exploitation Series

cross_cache_blindcred

Cross cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using blind cred overwrite for LPE. No information leak is used to bypass KASLR.

cross_cache_hijack1

Cross cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using function pointer hijack for LPE. A UAF read for information leak & a UAF write for LPE.

cross_cache_hijack2_no_sheaf

Cross cache UAF exploitation pOc for linux kernel 7.0 when the object's cache has no sheaves, using function pointer hijack for LPE. A UAF read for information leak & a UAF write for LPE.

cross_cache_modprobe

Cross cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using modprobe for LPE. A UAF read for information leak & a UAF write for LPE.

cross_cache_read_leak_xattr

Cross cache UAF read information leak pOc using simple_xattr. No LPE, just info leak.

cross_cache_socket

Cross cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using modprobe for LPE, with communication via socket. A UAF read for information leak & a UAF write for LPE.

same_cache_blindcred

Same cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using blind cred overwrite for LPE. No information leak is used to bypass KASLR.

same_cache_hijack

Same cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using function pointer hijack for LPE. A UAF read for information leak & a UAF write for LPE.

same_cache_leak2lpe

Same cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using modprobe for LPE. Converting a single UAF write into information leak & LPE.

same_cache_modprobe

Same cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using modprobe for LPE. A UAF read for information leak & a UAF write for LPE.

same_cache_read_leak_seq_file

Same cache UAF read information leak pOc using seq_file. No LPE, just info leak.

same_cache_ret2buddy

Returning to the buddy allocator is actually not needed for same cache UAF reclaim, but I keep this directory since it was my first attempt at returning to buddy in linux kernel 7.0 slub sheaves. LPE using function pointer hijack. A UAF read for information leak & a UAF write for LPE.

same_cache_socket

Same cache UAF exploitation pOc for linux kernel 7.0 slub sheaves using modprobe for LPE, with communication via socket. A UAF read for information leak & a UAF write for LPE.

same_cache_write_leak_user_key

Same cache UAF write information leak pOc using user_key_payload. No LPE, just info leak. Converts a UAF write into an information leak.

same_cache_write_leak_xattr

Same cache UAF write information leak pOc using simple_xattr. No LPE, just info leak. Converts a UAF write into an information leak.

About

use after free pOc for slub sheaves linux 7.0 - same cache & cross cache - antonius - bluedragonsec.com
