Share
## https://sploitus.com/exploit?id=3A3572A6-D06E-5ED6-A03A-AFD82C98F2FD
# Angband - Kernel Exploit Framework

**A staged, modular framework for Linux kernel exploit development and PoC automation.**

## Setup & Quick Start

**1. Install System Dependencies**
```bash
sudo apt-get update
sudo apt-get install -y qemu-system-x86 cloud-image-utils telnet
```

**2. Setup Python Environment**
```bash
python3 -m venv venv
source venv/bin/activate
pip install -e .
```

**3. Initialize and Run**
```bash
angband init CVE-2023-1234
angband generate
```

## Features
- **Clear stage separation**: Grooming, Trigger, Leak, Primitive, Escalation, Cleanup
- **Automation**: `angband new ` generates YAML configs + C skeletons
- **Vulnerable test module**: `module/vuln_drill/` (build & load for safe testing)
- **Modern mitigations aware**: CFI, CET, PAC, KASLR, SMEP/SMAP
- **Focus**: Reliability through grooming. Prefers data-only attacks (DirtyCred, page table).

## Workflow

```text
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”    angband init     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ CVE / Bug       โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚ exploit.yaml  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                                                โ”‚
                               angband generate โ”‚
                                                โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”       GCC           โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ exploit binary  โ”‚โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค exploit.c     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚
         โ”‚ run_and_verify.sh (via SSH & 9p)
         โ–ผ
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘                 QEMU Test Environment                 โ•‘
โ•‘                                                       โ•‘
โ•‘  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”         โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ•‘
โ•‘  โ”‚ vuln_drill.koโ”‚โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค Executes against OS    โ”‚  โ•‘
โ•‘  โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜         โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜  โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
         โ”‚
         โ”‚ extracts results
         โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ exploit_run.log โ”‚
โ”‚ dmesg_tail.log  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## Current Status
- **Core engine** and grooming stage implemented.
- **Armory (C Primitives)**: Initial library for `msg_msg`, `pipe_buffer`, and `dirty_cred` primitives ready.
- **Vulnerable kernel module**: `module/vuln_drill/` ready (supports UAF/OOB for testing all stages).
- **CLI + venv** setup complete.

### Primitives in the Armory:
- `msg_msg.c`: Spraying and allocation helpers.
- `pipe_buffer.c`: Pipe-based heap allocation and spraying.
- `dirty_cred.c`: Credential spraying via user namespaces.

Build & load the test module:
```bash
cd module/vuln_drill
make
sudo insmod vuln_drill.ko
```

## Manual Verification in QEMU

If you encounter networking issues or SSH connection resets with `run_and_verify.sh`, you can test manually by logging into the VM:

1. Connect to QEMU via SSH:
   ```bash
   ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i .ssh_key -p 2222 ubuntu@localhost
   ```
2. Navigate to the 9p mount where the framework is shared:
   ```bash
   cd /mnt/angband
   ```
3. Run the generated exploit:
   ```bash
   ./exploit
   ```
4. Check the kernel logs for faults:
   ```bash
   dmesg | tail -n 50
   ```

See `exploit.yaml` for example configuration.

**Next**: Expand primitives (pipe_buffer, dirty_cred), QEMU harness for Ubuntu 26.04, full PoC generator.