Kernel Exploitation

Name: Kernel Exploitation
Author: yaklang

yaklang/hack-skills

Load kernel heap exploitation reference when authorized testing or CTF work needs SLUB, cross-cache, and structure-specific Linux kernel attack patterns.

Overview

kernel-exploitation is an agent skill for the Ship phase that documents Linux SLUB heap and cross-cache kernel exploitation techniques for structured security research.

Install

npx skills add https://github.com/yaklang/hack-skills --skill kernel-exploitation

What is this skill?

SLUB allocator internals: slabs, caches, freelist, partial lists, and generic kmalloc size classes
Cross-cache attack methodology and object lifecycle for kernel heap grooming
Structure-focused paths: msg_msg, pipe_buffer, sk_buff, setxattr exploitation notes
Ties to companion KERNEL_MITIGATION_BYPASS and base SKILL.md for full exploitation model

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 0/3 security scanners passed (skills.sh audits).

What problem does it solve?

You are analyzing a kernel heap bug and need allocator-aware exploit strategy instead of generic userspace heap notes.

Who is it for?

Authorized pentesters, kernel security researchers, and CTF players exploiting Linux kmalloc-class bugs with agent assistance.

Skip if: Solo app builders shipping web or mobile products who are not doing authorized kernel security assessment.

When should I use this skill?

Load when exploiting kernel heap vulnerabilities per AI LOAD INSTRUCTION; pair with KERNEL_MITIGATION_BYPASS and base SKILL.md.

What do I get? / Deliverables

The agent applies SLUB, cross-cache, and structure-specific guidance aligned with the hack-skills kernel exploitation stack.

Exploit strategy aligned to SLUB and target kernel structures
Cross-cache and heap grooming steps for the vulnerability class

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Primary fit

Kernel exploitation knowledge applies when hardening or assessing systems before production—canonical shelf is Ship → security alongside other offensive playbooks. Security subphase covers vulnerability research and exploit technique depth, not day-to-day feature build.

How it compares

Deep kernel heap playbook—not a web AppSec checklist like clickjacking or a generic CVE scanner integration.

Common Questions / FAQ

Who is kernel-exploitation for?

Security researchers and advanced testers working on Linux kernel heap vulnerabilities under legal authorization.

When should I use kernel-exploitation?

During Ship → security when modeling or exploiting kmalloc/SLUB issues and you need cross-cache or msg_msg/pipe_buffer/sk_buff patterns.

Is kernel-exploitation safe to install?

It is offensive-security reference text only; review the Security Audits panel on this page and use only on systems you own or are permitted to test.

SKILL.md

READMESKILL.md - Kernel Exploitation

# Kernel Heap Techniques — SLUB, Cross-Cache, msg_msg, pipe_buffer, sk_buff

> **AI LOAD INSTRUCTION**: Load this when exploiting kernel heap vulnerabilities. Covers SLUB allocator internals, object lifecycle, cross-cache attack methodology, and exploitation of specific kernel structures (msg_msg, pipe_buffer, sk_buff, setxattr). Assumes [SKILL.md](./SKILL.md) is loaded for kernel exploitation model and [KERNEL_MITIGATION_BYPASS.md](./KERNEL_MITIGATION_BYPASS.md) for mitigation context.

---

## 1. SLUB ALLOCATOR OVERVIEW

Linux kernel uses SLUB (Unqueued Slab Allocator) for small kernel object allocation.

### Key Concepts

| Concept | Description |
|---|---|
| Slab | Contiguous pages holding objects of the same size |
| Cache | Named pool for specific object types (e.g., `kmalloc-64`, `task_struct`) |
| Freelist | Per-CPU linked list of free objects within a slab |
| Partial list | Per-node list of slabs with some free objects |
| Generic caches | `kmalloc-{32,64,96,128,192,256,512,...}` for generic allocations |

### Object Layout in Slab

```
┌─────────┬─────────┬─────────┬─────────┐
│ Object0 │ Object1 │ Object2 │ Object3 │  ← one slab page
└─────────┴─────────┴─────────┴─────────┘
  FP→Obj2   FP→Obj3   FP→NULL   (allocated)

FP = freelist pointer (stored at object start or random offset)
```

### Freelist Randomization (SLAB_FREELIST_RANDOM)

Object allocation order within a slab is randomized. Affects heap spray reliability.

### Freelist Hardening (SLAB_FREELIST_HARDENED)

```c
// Freelist pointer is XOR'd with a random value and the address
// Similar to glibc safe-linking
stored_fp = ptr ^ random_value ^ &stored_fp
```

---

## 2. SLAB OBJECT LIFECYCLE

```
kmalloc(size, GFP_KERNEL)
  → Check per-CPU freelist (fastest)
  → Check per-CPU partial list
  → Check per-node partial list
  → Allocate new slab pages

kfree(ptr)
  → Return to per-CPU freelist (if same CPU and slab)
  → Return to per-node partial list
  → Free slab pages (if all objects freed)
```

### Heap Spray Strategy

1. Identify target slab cache (based on object size)
2. Drain existing free objects (spray dummy allocations)
3. Trigger vulnerability (UAF/OOB on target object)
4. Spray replacement objects (same size → land in freed slot)

---

## 3. CROSS-CACHE ATTACK

**Exploit UAF across different slab caches by forcing page-level reuse.**

### Why Cross-Cache?

Many kernel objects have dedicated caches (e.g., `struct cred` in `cred_jar`, not `kmalloc-192`). Cannot spray `kmalloc-192` to replace a freed `cred` object. Cross-cache forces the slab pages to be returned to the page allocator and reallocated to a different cache.

### Methodology

```
1. Spray target objects to fill slabs        [Target slab: all allocated]
2. Free target objects (leave one page worth) [Target slab: one partial page]
3. Free ALL objects in that page              [Page returned to page allocator]
4. Spray attacker objects (different cache)   [Page reallocated to attacker cache]
5. UAF on target object now aliases attacker object on same physical page
```

### Page-Level UAF Steps

```c
// Phase 1: Fill target cache so new slabs are allocated
for (int i = 0; i < SPRAY_COUNT; i++)
    target_alloc();  // allocate target objects

// Phase 2: Create hole pattern (free specific objects to isolate one slab page)
// Free all objects in one specific slab page
for (int i = PAGE_START; i < PAGE_START + OBJS_PER_PAGE; i++)
    target_free(i);

// Phase 3: Victim object freed (UAF) — was on the now-freed page
trigger_uaf();

// Phase 4: Page is returned to buddy allocator
// Phase 5: Reallocate page into attacker's cache
for (int i = 0; i < SPRAY_COUNT; i++)
    attacker_alloc();  // e.g., msgsnd() for msg_msg
```

---

## 4. msg_msg EXPLOITATION

`struct msg_msg` is allocated via `msgsnd()` and freed via `msgrcv()`. Highly flexible size (48-byte header + arbitrary data).

### Structure Layout

```c
struct msg_msg {
    struct list_head m_list;  // 0x00: prev/next pointers
    long m_typ

What is this skill?

SLUB allocator internals: slabs, caches, freelist, partial lists, and generic kmalloc size classes

Cross-cache attack methodology and object lifecycle for kernel heap grooming

Structure-focused paths: msg_msg, pipe_buffer, sk_buff, setxattr exploitation notes

Ties to companion KERNEL_MITIGATION_BYPASS and base SKILL.md for full exploitation model

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 0/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

SKILL.md

READMESKILL.md - Kernel Exploitation

# Kernel Heap Techniques — SLUB, Cross-Cache, msg_msg, pipe_buffer, sk_buff

> **AI LOAD INSTRUCTION**: Load this when exploiting kernel heap vulnerabilities. Covers SLUB allocator internals, object lifecycle, cross-cache attack methodology, and exploitation of specific kernel structures (msg_msg, pipe_buffer, sk_buff, setxattr). Assumes [SKILL.md](./SKILL.md) is loaded for kernel exploitation model and [KERNEL_MITIGATION_BYPASS.md](./KERNEL_MITIGATION_BYPASS.md) for mitigation context.

---

## 1. SLUB ALLOCATOR OVERVIEW

Linux kernel uses SLUB (Unqueued Slab Allocator) for small kernel object allocation.

### Key Concepts

| Concept | Description |
|---|---|
| Slab | Contiguous pages holding objects of the same size |
| Cache | Named pool for specific object types (e.g., `kmalloc-64`, `task_struct`) |
| Freelist | Per-CPU linked list of free objects within a slab |
| Partial list | Per-node list of slabs with some free objects |
| Generic caches | `kmalloc-{32,64,96,128,192,256,512,...}` for generic allocations |

### Object Layout in Slab

```
┌─────────┬─────────┬─────────┬─────────┐
│ Object0 │ Object1 │ Object2 │ Object3 │  ← one slab page
└─────────┴─────────┴─────────┴─────────┘
  FP→Obj2   FP→Obj3   FP→NULL   (allocated)

FP = freelist pointer (stored at object start or random offset)
```

### Freelist Randomization (SLAB_FREELIST_RANDOM)

Object allocation order within a slab is randomized. Affects heap spray reliability.

### Freelist Hardening (SLAB_FREELIST_HARDENED)

```c
// Freelist pointer is XOR'd with a random value and the address
// Similar to glibc safe-linking
stored_fp = ptr ^ random_value ^ &stored_fp
```

---

## 2. SLAB OBJECT LIFECYCLE

```
kmalloc(size, GFP_KERNEL)
  → Check per-CPU freelist (fastest)
  → Check per-CPU partial list
  → Check per-node partial list
  → Allocate new slab pages

kfree(ptr)
  → Return to per-CPU freelist (if same CPU and slab)
  → Return to per-node partial list
  → Free slab pages (if all objects freed)
```

### Heap Spray Strategy

1. Identify target slab cache (based on object size)
2. Drain existing free objects (spray dummy allocations)
3. Trigger vulnerability (UAF/OOB on target object)
4. Spray replacement objects (same size → land in freed slot)

---

## 3. CROSS-CACHE ATTACK

**Exploit UAF across different slab caches by forcing page-level reuse.**

### Why Cross-Cache?

Many kernel objects have dedicated caches (e.g., `struct cred` in `cred_jar`, not `kmalloc-192`). Cannot spray `kmalloc-192` to replace a freed `cred` object. Cross-cache forces the slab pages to be returned to the page allocator and reallocated to a different cache.

### Methodology

```
1. Spray target objects to fill slabs        [Target slab: all allocated]
2. Free target objects (leave one page worth) [Target slab: one partial page]
3. Free ALL objects in that page              [Page returned to page allocator]
4. Spray attacker objects (different cache)   [Page reallocated to attacker cache]
5. UAF on target object now aliases attacker object on same physical page
```

### Page-Level UAF Steps

```c
// Phase 1: Fill target cache so new slabs are allocated
for (int i = 0; i < SPRAY_COUNT; i++)
    target_alloc();  // allocate target objects

// Phase 2: Create hole pattern (free specific objects to isolate one slab page)
// Free all objects in one specific slab page
for (int i = PAGE_START; i < PAGE_START + OBJS_PER_PAGE; i++)
    target_free(i);

// Phase 3: Victim object freed (UAF) — was on the now-freed page
trigger_uaf();

// Phase 4: Page is returned to buddy allocator
// Phase 5: Reallocate page into attacker's cache
for (int i = 0; i < SPRAY_COUNT; i++)
    attacker_alloc();  // e.g., msgsnd() for msg_msg
```

---

## 4. msg_msg EXPLOITATION

`struct msg_msg` is allocated via `msgsnd()` and freed via `msgrcv()`. Highly flexible size (48-byte header + arbitrary data).

### Structure Layout

```c
struct msg_msg {
    struct list_head m_list;  // 0x00: prev/next pointers
    long m_typ

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is kernel-exploitation for?

When should I use kernel-exploitation?

Is kernel-exploitation safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is kernel-exploitation for?

When should I use kernel-exploitation?

Is kernel-exploitation safe to install?

SKILL.md