Merged
31 commits
0787ba9
feat(mod): introduce out-of-bounds write primitive for drill_item
d1sgr4c3 Mar 27, 2026
b785a16
feat(oobw): out-of-bounds write exploit built
d1sgr4c3 Dec 9, 2025
d917d88
feat(oobw): repair modprobe_path
d1sgr4c3 Jan 15, 2026
b43b51c
update(README.md): update README.md according to new oobw exploit
d1sgr4c3 Dec 9, 2025
325c510
Style fixes
a13xp0p0v Jan 19, 2026
d1a3242
review(oobw): order variables properly
d1sgr4c3 Feb 15, 2026
4823625
review(oobw): improve README.md
d1sgr4c3 Feb 15, 2026
c59b32d
review(oobw): simplify the code
d1sgr4c3 Feb 16, 2026
1ceb1e1
review(oobw): simplify the attack
d1sgr4c3 Feb 16, 2026
9dcec23
fix(oobw): overwrite checking, missing \n
d1sgr4c3 Feb 16, 2026
1052448
fix(oobw): defines style
d1sgr4c3 Feb 16, 2026
24bf0df
review(oobw): spray partial -> drill -> spray on top
d1sgr4c3 Feb 26, 2026
4c9712d
style(oobw): remove some unnecessary whitespaces
d1sgr4c3 Mar 27, 2026
626ed93
Improve the description of drill_oob_w_pipe_buffer.c
a13xp0p0v Mar 29, 2026
ca21c7a
Restore modprobe_path in drill_uaf_w_pud.c
a13xp0p0v Mar 29, 2026
d959232
Minimize the diff between drill_oob_w_pipe_buffer.c and drill_uaf_w_p…
a13xp0p0v Apr 1, 2026
4e0d161
Drop the CONFIG_CRYPTO_USER_API requirement
a13xp0p0v Mar 31, 2026
a8de3bc
Simplify working with pipes in drill_uaf_w_pipe_buffer.c
a13xp0p0v Mar 29, 2026
86f063d
Free the resources in the reverse order (good practice)
a13xp0p0v Apr 1, 2026
9a7f469
Avoid hitting /proc/sys/fs/pipe-user-pages-soft limit, which is 16384
a13xp0p0v Apr 1, 2026
272b2c0
Fix wrong VIRTUAL_TO_PAGE macro
a13xp0p0v Apr 1, 2026
38fb2c1
Use a proper act() helper preparing the arguments and checking the re…
a13xp0p0v Apr 1, 2026
9c1ee01
Seriously rethink the number of pipes that we need for spraying
a13xp0p0v Apr 1, 2026
7e1b00f
Significantly improve working with the corrupted pipe_buffer
a13xp0p0v Apr 2, 2026
86a0a0f
Improve the output
a13xp0p0v Apr 2, 2026
28c5996
Check that the modprobe_path is restored by the privesc script
a13xp0p0v Apr 3, 2026
7832b52
Don't close the corrupted pipe to avoid freeing the page pointing to …
a13xp0p0v Apr 3, 2026
69b4ff1
Finish the increase_fd_limit() implementation
a13xp0p0v Apr 3, 2026
e7f5828
Improve the output in drill_oob_w_pipe_buffer.c
a13xp0p0v Apr 3, 2026
075cfdd
Improve README
a13xp0p0v Apr 6, 2026
d1f973d
Add clang-format fixes
a13xp0p0v Apr 8, 2026
2 changes: 2 additions & 0 deletions Makefile
@@ -14,6 +14,7 @@ all:
gcc drill_uaf_w_pipe_buffer.c -Wall -static -o drill_uaf_w_pipe_buffer
gcc drill_uaf_w_pte.c -Wall -static -o drill_uaf_w_pte -lrt -lpthread
gcc drill_uaf_w_pud.c -Wall -static -o drill_uaf_w_pud -lrt -lpthread
gcc drill_oob_w_pipe_buffer.c -Wall -static -o drill_oob_w_pipe_buffer
make -C $(KPATH) M=$(PWD) modules

clean:
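Review bot: the new gcc line for drill_oob_w_pipe_buffer.c follows the drill_uaf_w_pipe_buffer.c pattern (no -lrt -lpthread), which is fine as long as the exploit uses neither pthreads nor POSIX shared memory; the pte/pud exploits two lines above do need those libraries, so please confirm the new file does not. Since every new exploit currently requires editing both the `all` and `clean` targets by hand, a single list of exploit names used by both targets (for example a `BINS` variable with a pattern rule) would keep the two in sync.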
@@ -26,3 +27,4 @@ clean:
rm drill_uaf_w_pipe_buffer
rm drill_uaf_w_pte
rm drill_uaf_w_pud
rm drill_oob_w_pipe_buffer
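Review bot: `rm drill_oob_w_pipe_buffer` matches the surrounding lines, but a bare `rm` makes `make clean` abort as soon as one binary is missing (for instance after a partial or failed build), so the remaining targets are never cleaned; `rm -f drill_oob_w_pipe_buffer` (ideally applied to the existing lines too) avoids that.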
1 change: 1 addition & 0 deletions README.md
@@ -17,6 +17,7 @@ __Contents:__
| __drill_uaf_w_pipe_buffer.c__ | a basic a UAF exploit that writes into a freed `drill_item_t`; it performs a cross-cache attack and overwrites `pipe_buffer.flags` to implement the Dirty Pipe technique and gain LPE |
| __drill_uaf_w_pte.c__ | a basic UAF exploit that writes to a freed `drill_item_t`; it performs a cross-allocator attack and overwrites a page table entry (PTE) to implement the Dirty Pagetable technique and gain LPE on `x86_64` |
| __drill_uaf_w_pud.c__ | an improved version of `drill_uaf_w_pte.c` that overwrites an entry in Page Directory Pointer Table (PDPT), which is called Page Upper Directory (PUD) in the Linux kernel; that allows to implement the Dirty Pagetable attack via huge pages |
| __drill_oob_w_pipe_buffer.c__ | a basic out-of-bounds write (OOBW) exploit that corrupts the `pipe_buffer.page` pointer to perform arbitrary address read/write (AARW) of kernel memory via a pipe and gain LPE. |

N.B. Only basic exploit techniques here.

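Review bot: the new table row ends with a period ("... and gain LPE.") while the neighbouring rows do not; drop it for consistency. While touching this table, the drill_uaf_w_pipe_buffer.c row two lines above reads "a basic a UAF exploit", which is worth fixing in the same change.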
5 changes: 0 additions & 5 deletions drill_mod.c
@@ -89,11 +89,6 @@ static int drill_act_exec(long act, char *arg1_str, char *arg2_str, char *arg3_s
return -EINVAL;
}

if (offset > DRILL_ITEM_SIZE - sizeof(struct drill_item_t) - sizeof(val)) {
pr_err("drill: save_val: oob offset %ld\n", offset);
return -EINVAL;
}

data_addr = (unsigned long *)(drill.items[n]->data + offset);
pr_notice("drill: save val 0x%lx to item %lu (0x%lx) at data offset %ld (0x%lx)\n",
val, n, (unsigned long)drill.items[n], offset, (unsigned long)data_addr);
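Review bot: removing the offset check is what turns save_val into the out-of-bounds write primitive named in the commit message, but nothing left in the code marks the omission as deliberate, so a future contributor could re-add the check and silently break drill_oob_w_pipe_buffer.c. Suggest a short comment at the removed location, e.g. `/* No offset check on purpose: this is the intentional OOB write bug used by drill_oob_w_pipe_buffer.c */`. Note that the pr_notice just below still prints the offset and data_addr, so a write past DRILL_ITEM_SIZE remains visible in the kernel log, which is useful when testing the module and when explaining how such a bug shows up during detection.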