GitHub: lukasmaar/kernelsnitch
# KernelSnitch + Cross-Cache Reuse Lab Workspace
This repository contains a local kernel exploitation lab setup with two execution environments:
- Buildroot VM (`vm-start.sh`)
- kernelCTF-style VM (`kernelctf-start.sh`)
It also includes exploit PoCs, a loadable kernel module, and helper scripts to prepare matching kernels for VM and native runs.
## Repository Layout
- `exploits/` user-space proof-of-concept exploits and helper binaries - see [`exploits/README.md`](exploits/README.md)
- `module/` loadable kernel module (`lkm.ko`) - see [`module/README.md`](module/README.md)
- `buildroot-env/` Buildroot image build inputs/scripts - see [`buildroot-env/README.md`](buildroot-env/README.md)
- `linux-env/` local Linux source download + prepare script - see [`linux-env/README.md`](linux-env/README.md)
- `kernelctf-env/` kernelCTF download/prepare/rootfs patch scripts - see [`kernelctf-env/README.md`](kernelctf-env/README.md)
- `vmshare/` host-shared directory mounted inside guests
## Common Workflows
### 1) Buildroot VM workflow
Prepare local VM assets:
```sh
make prepare-vm
```
Build exploits + module and start VM:
```sh
make run-vm
```
### 2) kernelCTF VM workflow
Download releases, prepare per-release kernel trees, and patch rootfs:
```sh
make prepare-kernelctf
```
Build exploits + module for a selected profile and start kernelCTF VM:
```sh
make MODULE_PROFILE_KERNELCTF=kernelctf-6.12 run-kernelctf
```
Supported kernelCTF profiles are defined in `kernelctf-env/releases.map`.
## Native Execution Profiles
Use this when running directly on host/device kernels (not in the VM images).
| Target | Kernel family | Exploit binary | Module profile |
|---|---|---|---|
| Ubuntu | 6.5.0-14-generic | `*.x86.elf` | `ubuntu-old` |
| Ubuntu | 6.8.0-101-generic | `*.x86.elf` | `ubuntu` |
| Fedora | 6.18.13-200.fc43.x86_64 | `*.x86.elf` | `fedora` |
| Raspberry Pi | 6.12.47+rpt-rpi-v8 | `*.arm.elf` | `rasp` |
| Android | 6.1.145-android14 | `*.arm.elf` | no dedicated native profile (see note below) |
Android note:
- Exploit binaries are supported (`make -C exploits arm` + `adb push`).
- A native Android module profile is not defined in `module/Makefile`, but can be used directly.
### Native Build Commands
Exploits:
```sh
make -C exploits x86
make -C exploits arm
```
Module examples:
```sh
make -C module PROFILE=ubuntu-old all   # Ubuntu 6.5
make -C module PROFILE=ubuntu all       # Ubuntu 6.8
make -C module PROFILE=fedora all       # Fedora 6.18
make -C module PROFILE=rasp all         # Raspberry 6.12
make -C module insert
make -C module remove
```
## Build-only Targets
```sh
make build-exploits
make build-module
make build-module-vm
make build-module-kernelctf MODULE_PROFILE_KERNELCTF=kernelctf-6.12
```
## Requirements
- `make`, `gcc`, `git`, `curl`, `awk`
- `qemu-system-x86_64` (for VM runs)
- `aarch64-linux-gnu-gcc` (optional, for ARM exploit builds)
- `debugfs` + `fdisk` (for `kernelctf-env/patch-rootfs.sh`)
- kernel headers/source for module builds
- `adb` (optional, for Android/ARM deploy via `make -C exploits push`)
## Demos
Fedora v6.18 - Successful `msg_msg` reclaim:
[run-fedora.webm](https://github.com/user-attachments/assets/c1a9a998-12b7-43db-b5fd-eaeb983e9d8b)
KernelCTF v6.12 - Successful `msg_msg` reclaim:
[run-kernelctf.webm](https://github.com/user-attachments/assets/147cfd10-a841-4306-939d-97a639d49bc5)
KernelCTF v6.12 - Successful `pipe_buffer` reclaim:
[run-kernelctf-pipe.webm](https://github.com/user-attachments/assets/62c747db-e1b8-42ce-9a6c-4e4c4090d8cf)
Android `untrusted_app` - Successful `pipe_buffer` reclaim. Here, the second terminal is used for validating the leaked `pipe_buffer` address, showing the correct slab owner `kmalloc-cg-1k`:
[run-app.webm](https://github.com/user-attachments/assets/bf7adb74-05b0-426a-9645-e98651a60e32)