# Linux kernel exploit development

Inspired by [Midas's series](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/) on Linux kernel exploit development, this series follows the same progression through the kernel's exploit mitigations, using [pwn.college's kernel](https://github.com/pwncollege/pwnkernel) as the target. All of my code and examples are [here](https://github.com/ChrisTheCoolHut/Linux_kernel_exploitation).

Topics include:

* [Setup](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/setup)
* [Interacting with kernel modules (ioctl, character devices)](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/interacting-with-kernel-modules)
* [Stack cookies](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/stack-cookies)
* [KASLR](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/kernel-address-space-layout-randomization-kalsr)
* [SMEP](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/supervisor-mode-execution-protection-smep)
* [SMAP](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/supervisor-mode-access-prevention-smap)
* [KPTI](https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/kernel-page-table-isolation-kpti)
* modprobe\_path
* cred\_struct (`struct cred`) overwriting

Protections TLDR:

**KASLR** - Randomizes the kernel's load address at boot, so every kernel address the exploit needs (ROP gadgets, `commit_creds`, `prepare_kernel_cred`, `modprobe_path`) has to be computed as `leaked_pointer - known_offset`. Requires a leak to exploit.

**SMEP** - The CPU faults if the kernel executes code from a userspace page (kind of like DEP/NX, but enforced at the kernel/user boundary). Jumping from kernel mode into shellcode mapped in your own process no longer works, so code execution has to come from ROP over the kernel's own text.

**SMAP** - The CPU faults if the kernel reads or writes a userspace page outside of the explicit `copy_from_user`/`copy_to_user` style accessors. Data as well as code now has to live in kernel memory, which makes stack pivots into a user-controlled buffer much harder.

**KPTI** - The kernel keeps separate page tables for user mode and kernel mode, with almost none of the kernel mapped while user code runs. After hijacking control flow you have to switch back to the user page tables (CR3) before returning to userspace, normally by returning through the kernel's own `swapgs_restore_regs_and_return_to_usermode` trampoline; a plain `iretq` lands on the first user instruction with the kernel's page tables still active and faults.
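Before picking a technique it helps to confirm which of these mitigations the target kernel actually has on. The probe below is an added example, not code from this series or from pwn.college; it reads the kernel's own reporting surfaces: the `flags` line of `/proc/cpuinfo` (the CPU features `smep`/`smap`, plus the `pti` flag the kernel sets when page-table isolation is active), `/proc/cmdline` (the `nokaslr`, `nopti`/`pti=off`, `nosmep`, `nosmap` switches) and the `_text` line of `/proc/kallsyms` (real addresses need root or `kptr_restrict=0`). The `SAMPLE_*` lines are constructed inputs so the program also runs off-target; the `0xffffffff81000000` base is the unrandomized x86-64 text address for the default `CONFIG_PHYSICAL_START`.

```c
/* Added example: user-space probe for KASLR/SMEP/SMAP/KPTI on an x86-64
 * target. Not part of the original series; SAMPLE_* inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { MIT_SMEP = 1, MIT_SMAP = 2, MIT_PTI = 4, MIT_KASLR = 8 };

/* Unrandomized x86-64 kernel text base (CONFIG_PHYSICAL_START=0x1000000). */
#define UNSLID_TEXT_BASE 0xffffffff81000000ULL

/* Constructed samples standing in for the real /proc files. */
#define SAMPLE_CPUINFO_FLAGS "flags\t\t: fpu vme de pse smep smap pti"
#define SAMPLE_CMDLINE       "console=ttyS0 nokaslr nopti quiet"
#define SAMPLE_KALLSYMS_TEXT "ffffffff9a200000 T _text"

/* Whole-word search so "pti" does not match "ptid" and "smap" does not
 * match a longer flag that merely starts with it. */
static int has_word(const char *line, const char *word)
{
    size_t wl = strlen(word);
    for (const char *p = line; (p = strstr(p, word)) != NULL; p += wl) {
        int at_start = p == line || strchr(" \t:", p[-1]) != NULL;
        int at_end   = p[wl] == '\0' || strchr(" \t\n", p[wl]) != NULL;
        if (at_start && at_end)
            return 1;
    }
    return 0;
}

/* Bitmask of mitigations advertised by a /proc/cpuinfo "flags" line.
 * "pti" is X86_FEATURE_PTI, set by the kernel only when KPTI is enabled. */
int cpuinfo_mitigations(const char *flags_line)
{
    int m = 0;
    if (has_word(flags_line, "smep")) m |= MIT_SMEP;
    if (has_word(flags_line, "smap")) m |= MIT_SMAP;
    if (has_word(flags_line, "pti"))  m |= MIT_PTI;
    return m;
}

/* Bitmask of mitigations the boot command line switches off. KASLR and KPTI
 * default to on, so only their "no" switches matter. nosmep/nosmap are only
 * honored by older x86 kernels; in a QEMU setup SMEP/SMAP presence is
 * really decided by the -cpu flags (+smep,+smap). */
int cmdline_disabled(const char *cmdline)
{
    int d = 0;
    if (has_word(cmdline, "nokaslr")) d |= MIT_KASLR;
    if (has_word(cmdline, "nopti") || has_word(cmdline, "pti=off")) d |= MIT_PTI;
    if (has_word(cmdline, "nosmep")) d |= MIT_SMEP;
    if (has_word(cmdline, "nosmap")) d |= MIT_SMAP;
    return d;
}

/* KASLR slide from a kallsyms "_text" line. Returns ~0ULL when the address
 * is hidden (kptr_restrict prints zeros) so "no slide" and "could not read"
 * are distinguishable. */
unsigned long long kaslr_slide(const char *kallsyms_text_line)
{
    unsigned long long addr = strtoull(kallsyms_text_line, NULL, 16);
    if (addr < UNSLID_TEXT_BASE)
        return ~0ULL;
    return addr - UNSLID_TEXT_BASE;
}

/* Copy the first line of `path` containing `word` as a whole word into buf. */
static int first_line_with(const char *path, const char *word, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    while (fgets(buf, n, f)) {
        if (has_word(buf, word)) {
            fclose(f);
            return 1;
        }
    }
    fclose(f);
    return 0;
}

static void report(const char *name, int on) { printf("%-6s %s\n", name, on ? "on" : "off"); }

int main(void)
{
    char flags[4096], cmdline[1024], text[256];
    /* Fall back to the constructed samples when /proc is unreadable. */
    if (!first_line_with("/proc/cpuinfo", "flags", flags, sizeof flags))
        strcpy(flags, SAMPLE_CPUINFO_FLAGS);
    FILE *f = fopen("/proc/cmdline", "r");
    if (!f || !fgets(cmdline, sizeof cmdline, f))
        strcpy(cmdline, SAMPLE_CMDLINE);
    if (f) fclose(f);
    if (!first_line_with("/proc/kallsyms", "_text", text, sizeof text))
        strcpy(text, SAMPLE_KALLSYMS_TEXT);

    int cpu = cpuinfo_mitigations(flags), off = cmdline_disabled(cmdline);
    unsigned long long slide = kaslr_slide(text);
    report("SMEP", (cpu & MIT_SMEP) && !(off & MIT_SMEP));
    report("SMAP", (cpu & MIT_SMAP) && !(off & MIT_SMAP));
    report("KPTI", (cpu & MIT_PTI) && !(off & MIT_PTI));
    if (slide == ~0ULL)
        printf("KASLR  unknown (kallsyms hidden; %s)\n",
               off & MIT_KASLR ? "nokaslr on cmdline" : "run as root");
    else
        printf("KASLR  %s (slide 0x%llx)\n", slide ? "on" : "off", slide);
    return 0;
}
```

Run it inside the VM as root to see real values; `kaslr_slide` is the same subtraction an exploit does with a leaked pointer, just against `_text` instead of a gadget. Remember that SMEP and SMAP are CPU features, so on the QEMU target their presence is set by `-cpu ...,+smep,+smap`, not by the kernel command line.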
