Dirty Frag: Linux kernel xfrm ESP shared skb fragment in-place decrypt page-cache write

This repository is a Go-based local privilege escalation exploit named dirtyfrag-go. It is not part of a common exploitation framework and consists of 9 files, with the main logic spread across 6 Go source files: main.go orchestrates execution, esp.go implements the ESP/XFRM exploit path, rxrpc.go implements the AF_RXRPC/rxkad exploit path, alg.go provides AF_ALG helpers for kernel crypto operations, fcrypt.go ports the kernel fcrypt algorithm and brute-force helpers, and pty.go launches an interactive root shell through a PTY. The exploit targets two Linux kernel vulnerabilities identified in comments as CVE-2026-43284 and CVE-2026-43500. Its purpose is to gain root from an unprivileged local account by abusing kernel page-cache write primitives. The primary path in esp.go uses XFRM/ESP-in-UDP over loopback, installs many Security Associations through NETLINK_XFRM, and abuses in-place decryption triggered through vmsplice/splice to overwrite the first 192 bytes of /usr/bin/su with an embedded minimal x86_64 ELF payload. That payload performs privilege-changing syscalls and executes /bin/sh. The code re-execs itself into a child created with CLONE_NEWUSER|CLONE_NEWNET, brings up loopback, installs the SAs, performs repeated 4-byte writes, and verifies the patch by checking bytes at offset 0x78 in /usr/bin/su. The fallback path in rxrpc.go targets AF_RXRPC/rxkad. It constructs RxRPC headers and challenge packets, creates an rxrpc token with add_key into the process keyring, uses AF_ALG pcbc(fcrypt) helpers from alg.go to compute csum_iv and checksums, and leverages splice-based in-place decryption on file-backed pages. The goal is to patch /etc/passwd so the root entry becomes empty-password compatible. The repository includes a full userspace port of fcrypt in fcrypt.go plus parallel brute-force routines to discover suitable 8-byte session keys that decrypt chosen ciphertext blocks into desired plaintext fragments. The exploit performs three overlapping 8-byte writes with last-write-wins ordering to transform the root passwd entry. After either patch succeeds, pty.go opens /dev/ptmx, creates a slave PTY, runs su -, bridges terminal I/O, and automatically submits a blank password when prompted. main.go supports --force-esp, --force-rxrpc, and verbose mode, suppresses stderr by default, checks whether /usr/bin/su or /etc/passwd already appear patched, and either executes /bin/bash directly if already root or launches the exploit chain. Overall, this is a real operational local Linux kernel LPE exploit with embedded payloads and post-exploitation shell handling, not merely a detector or proof-of-concept stub.

Small standalone local privilege-escalation repository centered on a single C program, dirtyfrag.c, plus a minimal Makefile and README. The README describes exploitation of CVE-2026-43284 in Linux XFRM/ESP page-cache handling using a 4-byte write primitive repeated across 64 iterations. The exploit is not a scanner or detector; it is operational exploit code with an embedded payload. Repository structure: README.md documents prerequisites, tested environments, exploitation method, and restoration guidance; Makefile builds the binary; dirtyfrag.c contains all exploit logic and the hardcoded payload. No external framework is used. Core exploit flow: the program defaults to targeting /usr/bin/su, verifies it is setuid and readable, saves the original bytes, then forks. In the child, it creates new user and network namespaces, writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, brings up loopback, and uses NETLINK_XFRM to register multiple ESP security associations bound to 127.0.0.1 with ESN enabled. Per the README and visible code, the exploit then uses UDP encapsulated ESP on port 4500 and splice-based file-to-pipe-to-socket operations so a page-cache page from the target file is pulled into an ESP scatter-gather path where kernel processing writes attacker-controlled 4-byte values from seq_hi into the cached file page. Repeating this across many SAs patches the target binary with the embedded ELF payload. Payload/capability: the embedded shell_elf is a minimal x86_64 ELF whose entry point performs setgid(0), setuid(0), and execve(/bin/sh) with TERM=xterm. After corruption succeeds, the parent verifies modified bytes at the expected entry offset, executes the now-corrupted setuid binary via forkpty to provide an interactive root shell, proxies terminal I/O, and finally attempts to restore the original bytes from backup when the shell exits. Notable endpoints and observables are entirely local: /usr/bin/su, /bin/sh, procfs namespace mapping files, loopback address 127.0.0.1, UDP port 4500, and NETLINK_XFRM. Overall, this is a concise but complete Linux LPE proof-of-concept with a built-in hardcoded root-shell payload and cleanup logic.

This repository contains a standalone local privilege escalation exploit for Linux kernels, with two identical C source files (CVE-2026-43284.c and dirtyfrag.c) plus a README. The code is not part of a common exploitation framework. The main exploit logic is in the C files, which embed a compact x86_64 ELF payload and attempt to corrupt page-cache-backed contents of privileged executables using two kernel bug paths described as xfrm/ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). The exploit first checks whether it is already root and spawns /bin/bash if so. Otherwise it parses flags (--force-esp, --force-rxrpc, -v/--verbose), optionally suppresses stderr, and tries the ESP path first unless forced otherwise; if that does not patch the target, it falls back to the RxRPC path and retries. The visible code shows namespace setup via unshare(CLONE_NEWUSER|CLONE_NEWNET), writes to /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, and brings up the loopback interface. Constants indicate use of UDP encapsulated ESP on port 4500. The payload overwrites /usr/bin/su starting at offset 0 with a 192-byte ELF whose entry point performs setgid(0), setuid(0), setgroups(0,NULL), and execve(/bin/sh). After detecting that either target has been patched in page cache, the exploit launches an interactive root PTY session. Overall, the repository’s purpose is offensive proof-of-concept/operational exploitation of a local Linux kernel arbitrary page-cache write primitive to obtain a root shell by replacing a setuid binary in memory.

This repository is a compact local privilege escalation exploit for Linux named 'Dirty Frag'. It contains one substantive code file, exp.c, plus a README and .gitignore. The exploit is not part of a common exploitation framework; it is a standalone C proof-of-concept with operational payloading. Core purpose: chain two Linux kernel page-cache write vulnerabilities—CVE-2026-43284 (xfrm-ESP Page-Cache Write) and CVE-2026-43500 (RxRPC Page-Cache Write)—to gain root on vulnerable Linux systems. The code supports multiple paths: an xfrm-ESP-based path, an RxRPC-based path, and fallback logic that tries one then the other. Command-line flags shown in main include --force-esp, --force-rxrpc, and verbose options. Main exploit capability: overwrite the beginning of a privileged setuid executable in page cache with a hardcoded 192-byte x86_64 ELF payload. The default target path visible in the code is /usr/bin/su. The embedded ELF performs setgid(0), setuid(0), setgroups(0, NULL), and execve('/bin/sh', ...), yielding a root shell. The main routine then invokes a PTY-backed interactive shell helper (run_root_pty) if patching succeeded. There are also indicators that the code can target passwd as an alternate path, based on functions such as passwd_already_patched() and either_target_patched(). Exploit structure highlights from exp.c: - Embedded payload blob (shell_elf) containing a minimal root-shell ELF. - Namespace setup helper setup_userns_netns() that unshares CLONE_NEWUSER | CLONE_NEWNET, writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, and brings up the loopback interface lo. - Networking-related logic using AF_INET/UDP and Linux netlink/xfrm headers, consistent with xfrm-ESP exploitation. UDP port 4500 is explicitly defined for ESP-in-UDP encapsulation. - Main orchestration logic that selects exploit path(s), suppresses stderr unless verbose, retries RxRPC exploitation, checks whether target binaries were patched in page cache, and launches an interactive root shell on success. Repository structure: - .gitignore: trivial editor ignore. - README.md: vulnerability overview, affected versions, quick compile/run instructions, cleanup guidance, mitigation steps, and tested distributions. - exp.c: full standalone exploit implementation. Overall assessment: this is a real local Linux kernel LPE exploit, not a detector. It is operational because it includes a built-in privilege-escalation payload and post-exploitation shell handling, but it is not highly modular or framework-driven.

Repository is a small local Linux privilege-escalation exploit repo with 2 files: a README and one C++ proof-of-concept at poc/dirtyfrag.cpp. Despite README language framing it as research, the C++ file is a functional exploit, not just documentation. The exploit targets CVE-2026-43284 ('Dirty Frag') in the Linux kernel XFRM ESP receive path. Code structure: main() checks if already root and spawns /bin/bash if so; otherwise it calls corrupt_su(), verifies the patch with verify_patch(), and executes /usr/bin/su -. setup_userns_netns() creates new user and network namespaces, writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, then brings up the loopback interface. add_xfrm_sa() opens a NETLINK_XFRM socket and installs many ESP transport-mode Security Associations for 127.0.0.1->127.0.0.1 with UDP encapsulation on port 4500, AES-CBC encryption, HMAC-SHA256 auth, and attacker-controlled ESN replay state. do_one_write() creates local UDP sockets on 127.0.0.1:4500, enables UDP_ENCAP_ESPINUDP, uses vmsplice/splice with SPLICE_F_MOVE to move file-backed data from /usr/bin/su into the packet path, and triggers the vulnerable receive-side in-place write. corrupt_su() iterates over the embedded 192-byte ELF payload in 4-byte chunks, encoding each chunk into seq_hi of a separate SA and then triggering one write per chunk at successive offsets into /usr/bin/su. Main exploit capability: page-cache corruption of a read-only executable file from an unprivileged context, specifically replacing the cached in-memory image of /usr/bin/su with a tiny x86_64 ELF payload. The exploit does not modify the on-disk file directly; it relies on later execution using the corrupted cached page contents. The embedded payload is intended to yield a root shell. Because the payload is hardcoded and the exploit is a standalone PoC rather than a reusable framework module, maturity is best classified as OPERATIONAL. Notable observables include loopback IP 127.0.0.1, UDP port 4500, NETLINK_XFRM usage, namespace mapping writes under /proc/self/*, and target executable paths /usr/bin/su, /bin/bash, and /bin/sh.

Repository contains a single substantive exploit source file, dirtyfrag_arm64.c, plus a README and license. This is a standalone C local privilege escalation exploit for arm64/aarch64 Linux, described as a port of the upstream dirtyfrag PoC targeting CVE-2026-43284 and CVE-2026-43500. The README explains that the original x86_64 exploit had two paths (ESP/xfrm and rxrpc/rxkad), but on arm64 only the ESP path is usable because the rxrpc path triggers a kernel oops via flush_dcache_page rather than yielding reliable exploitation. The exploit’s main capability is page-cache corruption of a privileged executable, specifically /usr/bin/su on arm64. It embeds a 212-byte minimal aarch64 ELF payload directly in the C source. That payload performs setgid(0), setuid(0), setgroups(0,NULL), and execve("/bin/sh", NULL, envp), effectively yielding a root shell. The main function supports flags such as --force-esp and --force-rxrpc, but README states --force-esp should be used on arm64 to avoid the rxrpc crash. After attempting corruption, the code checks whether a target was patched and, on success, invokes run_root_pty() to provide an interactive root shell. Structurally, the code includes namespace setup and network preparation logic. setup_userns_netns() calls unshare(CLONE_NEWUSER | CLONE_NEWNET), writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, then creates an AF_INET datagram socket and brings up the loopback interface lo. The presence of Linux netlink/rtnetlink and xfrm headers, UDP encapsulation constants, and ENC_PORT 4500 indicates the exploit uses IPsec/ESP-in-UDP mechanics as part of the corruption primitive. This makes the exploit both a local privilege escalation and one that leverages local networking/kernel network stack features. Fingerprintable observables include the hardcoded target path /usr/bin/su, payload execution path /bin/sh, direct exec of /bin/bash when already root, procfs namespace mapping files, loopback interface lo, and UDP port 4500 for ESP encapsulation. README also references /etc/passwd as the upstream fallback target on x86_64 and provides mitigation-related paths such as /etc/modprobe.d/dirtyfrag.conf. Overall, this is a real exploit rather than a detector. It is operational: it contains a working embedded payload and exploitation logic, but it is not part of a larger exploitation framework. Its purpose is to demonstrate and weaponize an arm64-specific port of Dirty Frag for authorized security research by obtaining root on vulnerable Linux systems where unprivileged user namespaces are enabled and the ESP path is available.

Repository contains a single substantial C exploit (CVE-2026-43284.c) plus a README. This is a real local Linux privilege-escalation exploit, not a scanner or proof-only stub. The code targets Linux kernel page-cache corruption primitives described in the README as Dirty Frag / Copy Fail 2, using two kernel attack paths: xfrm/ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). The exploit is operational: it embeds a ready-to-use 192-byte x86_64 ELF payload that sets UID/GID to 0 and execs /bin/sh, then attempts to overwrite a privileged target such as /usr/bin/su in page cache so execution yields root. Structurally, the exploit includes namespace setup helpers, procfs UID/GID mapping, loopback interface activation, netlink/xfrm-related code for the ESP path, alternate RxRPC exploitation logic, patch-state checks (e.g., whether su/passwd targets are already modified), stderr suppression/restore, argument rewriting, and PTY-based root shell handling. The main function selects the ESP path first by default, falls back to RxRPC if needed, or allows explicit selection with --force-esp / --force-rxrpc. If exploitation succeeds, it launches an interactive root shell. Fingerprintable artifacts are primarily local file and kernel-interface paths rather than remote infrastructure: /usr/bin/su, /bin/sh, /bin/bash, /proc/self/setgroups, /proc/self/uid_map, /proc/self/gid_map, the loopback interface lo, and UDP encapsulation port 4500 for the ESP vector. Overall purpose: deterministic local root escalation on vulnerable Linux systems by abusing kernel fragment/page-cache corruption to replace privileged executable contents with a minimal root-shell ELF.

This repository is a small Linux local privilege escalation exploit set combining two kernel issues: Copy-Fail (CVE-2026-31431) and Dirty-frag (CVE-2026-43284). It contains three files: a README with build/run instructions and tested distributions, a compact Python proof-of-concept, and a much larger C exploit implementing more complete exploitation logic. The Python script is a concise local exploit for Copy-Fail. It opens /usr/bin/su read-only, creates an AF_ALG crypto socket bound to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), uses setsockopt/sendmsg/splice to drive kernel crypto scatterlist handling, and writes attacker-controlled bytes into the page cache of the read-only SUID binary in 4-byte chunks. After patching, it invokes su to execute the modified privileged binary. The C program is the main operational exploit. It embeds a 192-byte x86_64 ELF payload that becomes a root shell by calling setgid(0), setuid(0), setgroups(0,NULL), and execve(/bin/sh). It targets /usr/bin/su and appears to support multiple exploitation paths: a su-focused path and an rxrpc/dirty-frag path, with command-line switches --force-esp and --force-rxrpc. The visible code shows namespace setup via unshare(CLONE_NEWUSER|CLONE_NEWNET), writes to /proc/self/{setgroups,uid_map,gid_map}, loopback interface manipulation, and constants for UDP encapsulation/IPsec-related behavior including port 4500, indicating a network-kernel attack surface even though exploitation is local. The main function retries alternate paths until a target binary is patched, then spawns an interactive PTY-backed root shell. Overall, this is a real exploit repository rather than a detector. Its purpose is to obtain local root on vulnerable Linux systems by corrupting privileged executables through vulnerable kernel code paths reachable from userspace syscalls. The Python file is a compact PoC; the C file is the more featureful exploit with built-in payload and fallback logic.

This repository is a standalone C exploit toolkit named DIRTYFAIL that builds a single binary (`dirtyfail`) from multiple source modules. It is not just a detector: it contains real local privilege-escalation PoCs for three Linux kernel vulnerability families/variants: Copy Fail (CVE-2026-31431), Dirty Frag xfrm-ESP IPv4/IPv6 (CVE-2026-43284), and Dirty Frag RxRPC (CVE-2026-43500), plus a GCM-based xfrm variant and a page-cache backdoor mode. Repository structure: `src/dirtyfail.c` is the main CLI entry point and dispatches scan, exploit, cleanup, and AppArmor-bypass-assisted modes. `src/common.[ch]` provides shared helpers for logging, kernel/module checks, passwd parsing, cache eviction, and confirmation prompts. `src/copyfail.[ch]` implements the AF_ALG `authencesn(hmac(sha256),cbc(aes))` 4-byte arbitrary page-cache write primitive and uses it to flip the current user’s UID in `/etc/passwd` to `0000`, then invokes `su`. `src/copyfail_gcm.[ch]` implements a more granular 1-byte write primitive using xfrm-ESP with `rfc4106(gcm(aes))`, including AF_ALG keystream-byte computation and IV brute force; this primitive is also exposed to other modules. `src/dirtyfrag_esp.[ch]` and `src/dirtyfrag_esp6.[ch]` implement IPv4 and IPv6 xfrm-ESP exploit chains that register attacker-controlled SAs via NETLINK_XFRM, use loopback UDP encapsulation on port 4500, and splice `/etc/passwd` into the vulnerable in-place decrypt path. `src/dirtyfrag_rxrpc.[ch]` implements the RxRPC variant, including forged RxRPC/rxkad traffic and brute-forced fcrypt session keys to shape 8-byte overwrites that empty root’s password field in the page-cache copy of `/etc/passwd`. `src/fcrypt.[ch]` contains the rxkad/fcrypt implementation and brute-force harness used by the RxRPC exploit. `src/apparmor_bypass.[ch]` adds a multi-stage self-reexec bypass for Ubuntu AppArmor restrictions on unprivileged user namespaces by writing to `/proc/self/attr/exec` and switching into permissive profiles such as `crun` or `chrome`. `src/backdoor.[ch]` uses the GCM 1-byte primitive to rewrite a length-matched `nologin` passwd entry into `dirtyfail::0:0:<pad>:/:/bin/bash`, storing restoration state in `/var/tmp/.dirtyfail.state`. Main exploit capabilities: (1) safe-ish detection modes that probe prerequisites or use a temporary sentinel file rather than system files; (2) real page-cache-only overwrite of `/etc/passwd` to gain root; (3) optional spawning of `su`, `su -`, or `su - dirtyfail`; (4) temporary persistence via a page-cache backdoor user; and (5) cleanup via `POSIX_FADV_DONTNEED` and `/proc/sys/vm/drop_caches`. The exploit is operational rather than framework-integrated: payloads are hardcoded around local root escalation and page-cache manipulation, but the code is complete and modular.

This repository is a real exploit PoC for CVE-2026-43284 ('Dirty Frag') adapted to a Kubernetes/EKS container-escape scenario. The main exploit is exploit/dirtyfrag.c, a static C program that unshares into new user and network namespaces, configures UID/GID mappings via /proc/self/*, brings up loopback, registers crafted xfrm Security Associations over NETLINK_XFRM, and uses ESP-in-UDP traffic to 127.0.0.1:4500 together with splice/vmsplice mechanics to corrupt page-cache contents of read-only binaries. Its default targets are /usr/sbin/ipset, /usr/sbin/xtables-legacy-multi, /usr/sbin/xtables-nft-multi, and /usr/sbin/nft—binaries likely present in shared image layers used by privileged Kubernetes components such as kube-proxy. The exploit does not directly spawn a shell. Instead, it embeds a second-stage static ELF payload generated from payload/payload-eks.c. That payload is written into the page cache of the target binaries so that when a privileged DaemonSet later executes one of them, the payload runs with elevated privileges. The included payload is a validation payload: it mounts likely EKS host root devices (/dev/nvme0n1p1, /dev/nvme0n1p2, /dev/xvda1) using xfs/ext4 and writes '[*] success' to /mnt/root/res, which corresponds to /root/res on the host. Repository structure supports building and demonstrating the PoC in EKS. The Makefile builds the nolibc-based payload, converts it into an embedded header with xxd, and statically links the exploit. Dockerfile.eks packages the exploit into an image based on an EKS distro iptables image to maximize shared-layer overlap. deploy/poc-eks.yaml deploys the PoC as an ostensibly unprivileged pod. scripts/setup-eks.sh copies the project to a node, builds the binaries, pulls the base image, and builds the container image with nerdctl in the k8s.io namespace. scripts/run-poc.sh deploys the pod and checks /root/res on the node for success. scripts/cleanup.sh removes the deployment, deletes the marker, drops page cache, and restarts kube-proxy to restore clean binaries. Most remaining files under payload/nolibc/ are vendored minimal libc headers used to build a tiny static payload without glibc. They are support code, not separate exploit logic. Overall, the repository’s purpose is to demonstrate that an unprivileged Kubernetes pod can leverage a vulnerable Linux kernel plus shared image layers to achieve node-level code execution via a privileged workload, specifically validated on Amazon EKS.