## https://sploitus.com/exploit?id=F95820C5-70F5-58B0-A461-C5EE73431203
# eBPF Kernel Exploit Scanner
This repository contains a simplified eBPF kernel exploit scanner.
The program may be run using the eBPF backend only or for better visualisation also using the ncurses TUI frontend.
## About
The program detects common memory vulnerability and privilege escalation exploit patterns.
For more information, consult the included documentation.
## Usage
### Installation Requirements
eBPF requires specific kernel settings, libraries and tools to work. The kernel of the ADSS VMs is "eBPF-ready":
```bash
cat /boot/config-$(uname -r) | grep -i bpf
CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
# BPF subsystem
...
```
However, the following userland tools and libraries need to be installed for eBPF development:
```bash
sudo apt install -y clang llvm libbpf-dev bpftool linux-headers-$(uname -r)
```
Next, generate the header file vmlinux.h.
```bash
/usr/sbin/bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
```
The 'vmlinux.h' header file must reside in the 'module' folder for the program to work.
### Installation
For either program components, use the provided Makefiles to compile them. All dependencies should be included automatically when running 'make'.
### Running the Program
Having done so, run both the 'loader' and 'main' file with sudo permissions. It is recommended to load the eBPF modules first, before running the 'main' file, since they are responsible for actually log the data.. However execution should work either way, since the data is saved into maps, accessible in both user and kernel space.
---
# Troubleshooting
## `bpf_obj_get()`: no file found
Make sure to first run the loader before the user space program.
## maps contain only zeros or gibberish data
Maps are persistent over program instances. Hence it might be possible that user and kernel space reference different map states.
To ensure a clean program run, execute the following commands.
```bash
sudo bpftool map show
sudo rm /sys/fs/bpf/proc_stats_map
sudo rm /sys/fs/bpf/pid_record_map
```
The nuclear way is to just reboot the whole machine...