Linux kernel RxRPC page-cache write in DATA/RESPONSE packet handling

This repository is a Go-based local privilege escalation exploit named dirtyfrag-go. It is not part of a common exploitation framework and consists of 9 files, with the main logic spread across 6 Go source files: main.go orchestrates execution, esp.go implements the ESP/XFRM exploit path, rxrpc.go implements the AF_RXRPC/rxkad exploit path, alg.go provides AF_ALG helpers for kernel crypto operations, fcrypt.go ports the kernel fcrypt algorithm and brute-force helpers, and pty.go launches an interactive root shell through a PTY. The exploit targets two Linux kernel vulnerabilities identified in comments as CVE-2026-43284 and CVE-2026-43500. Its purpose is to gain root from an unprivileged local account by abusing kernel page-cache write primitives. The primary path in esp.go uses XFRM/ESP-in-UDP over loopback, installs many Security Associations through NETLINK_XFRM, and abuses in-place decryption triggered through vmsplice/splice to overwrite the first 192 bytes of /usr/bin/su with an embedded minimal x86_64 ELF payload. That payload performs privilege-changing syscalls and executes /bin/sh. The code re-execs itself into a child created with CLONE_NEWUSER|CLONE_NEWNET, brings up loopback, installs the SAs, performs repeated 4-byte writes, and verifies the patch by checking bytes at offset 0x78 in /usr/bin/su. The fallback path in rxrpc.go targets AF_RXRPC/rxkad. It constructs RxRPC headers and challenge packets, creates an rxrpc token with add_key into the process keyring, uses AF_ALG pcbc(fcrypt) helpers from alg.go to compute csum_iv and checksums, and leverages splice-based in-place decryption on file-backed pages. The goal is to patch /etc/passwd so the root entry becomes empty-password compatible. The repository includes a full userspace port of fcrypt in fcrypt.go plus parallel brute-force routines to discover suitable 8-byte session keys that decrypt chosen ciphertext blocks into desired plaintext fragments. The exploit performs three overlapping 8-byte writes with last-write-wins ordering to transform the root passwd entry. After either patch succeeds, pty.go opens /dev/ptmx, creates a slave PTY, runs su -, bridges terminal I/O, and automatically submits a blank password when prompted. main.go supports --force-esp, --force-rxrpc, and verbose mode, suppresses stderr by default, checks whether /usr/bin/su or /etc/passwd already appear patched, and either executes /bin/bash directly if already root or launches the exploit chain. Overall, this is a real operational local Linux kernel LPE exploit with embedded payloads and post-exploitation shell handling, not merely a detector or proof-of-concept stub.

This repository contains a standalone local privilege escalation exploit for Linux kernels, with two identical C source files (CVE-2026-43284.c and dirtyfrag.c) plus a README. The code is not part of a common exploitation framework. The main exploit logic is in the C files, which embed a compact x86_64 ELF payload and attempt to corrupt page-cache-backed contents of privileged executables using two kernel bug paths described as xfrm/ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). The exploit first checks whether it is already root and spawns /bin/bash if so. Otherwise it parses flags (--force-esp, --force-rxrpc, -v/--verbose), optionally suppresses stderr, and tries the ESP path first unless forced otherwise; if that does not patch the target, it falls back to the RxRPC path and retries. The visible code shows namespace setup via unshare(CLONE_NEWUSER|CLONE_NEWNET), writes to /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, and brings up the loopback interface. Constants indicate use of UDP encapsulated ESP on port 4500. The payload overwrites /usr/bin/su starting at offset 0 with a 192-byte ELF whose entry point performs setgid(0), setuid(0), setgroups(0,NULL), and execve(/bin/sh). After detecting that either target has been patched in page cache, the exploit launches an interactive root PTY session. Overall, the repository’s purpose is offensive proof-of-concept/operational exploitation of a local Linux kernel arbitrary page-cache write primitive to obtain a root shell by replacing a setuid binary in memory.

This repository is a compact local privilege escalation exploit for Linux named 'Dirty Frag'. It contains one substantive code file, exp.c, plus a README and .gitignore. The exploit is not part of a common exploitation framework; it is a standalone C proof-of-concept with operational payloading. Core purpose: chain two Linux kernel page-cache write vulnerabilities—CVE-2026-43284 (xfrm-ESP Page-Cache Write) and CVE-2026-43500 (RxRPC Page-Cache Write)—to gain root on vulnerable Linux systems. The code supports multiple paths: an xfrm-ESP-based path, an RxRPC-based path, and fallback logic that tries one then the other. Command-line flags shown in main include --force-esp, --force-rxrpc, and verbose options. Main exploit capability: overwrite the beginning of a privileged setuid executable in page cache with a hardcoded 192-byte x86_64 ELF payload. The default target path visible in the code is /usr/bin/su. The embedded ELF performs setgid(0), setuid(0), setgroups(0, NULL), and execve('/bin/sh', ...), yielding a root shell. The main routine then invokes a PTY-backed interactive shell helper (run_root_pty) if patching succeeded. There are also indicators that the code can target passwd as an alternate path, based on functions such as passwd_already_patched() and either_target_patched(). Exploit structure highlights from exp.c: - Embedded payload blob (shell_elf) containing a minimal root-shell ELF. - Namespace setup helper setup_userns_netns() that unshares CLONE_NEWUSER | CLONE_NEWNET, writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, and brings up the loopback interface lo. - Networking-related logic using AF_INET/UDP and Linux netlink/xfrm headers, consistent with xfrm-ESP exploitation. UDP port 4500 is explicitly defined for ESP-in-UDP encapsulation. - Main orchestration logic that selects exploit path(s), suppresses stderr unless verbose, retries RxRPC exploitation, checks whether target binaries were patched in page cache, and launches an interactive root shell on success. Repository structure: - .gitignore: trivial editor ignore. - README.md: vulnerability overview, affected versions, quick compile/run instructions, cleanup guidance, mitigation steps, and tested distributions. - exp.c: full standalone exploit implementation. Overall assessment: this is a real local Linux kernel LPE exploit, not a detector. It is operational because it includes a built-in privilege-escalation payload and post-exploitation shell handling, but it is not highly modular or framework-driven.

Repository contains a single substantive exploit source file, dirtyfrag_arm64.c, plus a README and license. This is a standalone C local privilege escalation exploit for arm64/aarch64 Linux, described as a port of the upstream dirtyfrag PoC targeting CVE-2026-43284 and CVE-2026-43500. The README explains that the original x86_64 exploit had two paths (ESP/xfrm and rxrpc/rxkad), but on arm64 only the ESP path is usable because the rxrpc path triggers a kernel oops via flush_dcache_page rather than yielding reliable exploitation. The exploit’s main capability is page-cache corruption of a privileged executable, specifically /usr/bin/su on arm64. It embeds a 212-byte minimal aarch64 ELF payload directly in the C source. That payload performs setgid(0), setuid(0), setgroups(0,NULL), and execve("/bin/sh", NULL, envp), effectively yielding a root shell. The main function supports flags such as --force-esp and --force-rxrpc, but README states --force-esp should be used on arm64 to avoid the rxrpc crash. After attempting corruption, the code checks whether a target was patched and, on success, invokes run_root_pty() to provide an interactive root shell. Structurally, the code includes namespace setup and network preparation logic. setup_userns_netns() calls unshare(CLONE_NEWUSER | CLONE_NEWNET), writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, then creates an AF_INET datagram socket and brings up the loopback interface lo. The presence of Linux netlink/rtnetlink and xfrm headers, UDP encapsulation constants, and ENC_PORT 4500 indicates the exploit uses IPsec/ESP-in-UDP mechanics as part of the corruption primitive. This makes the exploit both a local privilege escalation and one that leverages local networking/kernel network stack features. Fingerprintable observables include the hardcoded target path /usr/bin/su, payload execution path /bin/sh, direct exec of /bin/bash when already root, procfs namespace mapping files, loopback interface lo, and UDP port 4500 for ESP encapsulation. README also references /etc/passwd as the upstream fallback target on x86_64 and provides mitigation-related paths such as /etc/modprobe.d/dirtyfrag.conf. Overall, this is a real exploit rather than a detector. It is operational: it contains a working embedded payload and exploitation logic, but it is not part of a larger exploitation framework. Its purpose is to demonstrate and weaponize an arm64-specific port of Dirty Frag for authorized security research by obtaining root on vulnerable Linux systems where unprivileged user namespaces are enabled and the ESP path is available.

Repository contains a single substantial C exploit (CVE-2026-43284.c) plus a README. This is a real local Linux privilege-escalation exploit, not a scanner or proof-only stub. The code targets Linux kernel page-cache corruption primitives described in the README as Dirty Frag / Copy Fail 2, using two kernel attack paths: xfrm/ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). The exploit is operational: it embeds a ready-to-use 192-byte x86_64 ELF payload that sets UID/GID to 0 and execs /bin/sh, then attempts to overwrite a privileged target such as /usr/bin/su in page cache so execution yields root. Structurally, the exploit includes namespace setup helpers, procfs UID/GID mapping, loopback interface activation, netlink/xfrm-related code for the ESP path, alternate RxRPC exploitation logic, patch-state checks (e.g., whether su/passwd targets are already modified), stderr suppression/restore, argument rewriting, and PTY-based root shell handling. The main function selects the ESP path first by default, falls back to RxRPC if needed, or allows explicit selection with --force-esp / --force-rxrpc. If exploitation succeeds, it launches an interactive root shell. Fingerprintable artifacts are primarily local file and kernel-interface paths rather than remote infrastructure: /usr/bin/su, /bin/sh, /bin/bash, /proc/self/setgroups, /proc/self/uid_map, /proc/self/gid_map, the loopback interface lo, and UDP encapsulation port 4500 for the ESP vector. Overall purpose: deterministic local root escalation on vulnerable Linux systems by abusing kernel fragment/page-cache corruption to replace privileged executable contents with a minimal root-shell ELF.

This repository is a standalone C exploit toolkit named DIRTYFAIL that builds a single binary (`dirtyfail`) from multiple source modules. It is not just a detector: it contains real local privilege-escalation PoCs for three Linux kernel vulnerability families/variants: Copy Fail (CVE-2026-31431), Dirty Frag xfrm-ESP IPv4/IPv6 (CVE-2026-43284), and Dirty Frag RxRPC (CVE-2026-43500), plus a GCM-based xfrm variant and a page-cache backdoor mode. Repository structure: `src/dirtyfail.c` is the main CLI entry point and dispatches scan, exploit, cleanup, and AppArmor-bypass-assisted modes. `src/common.[ch]` provides shared helpers for logging, kernel/module checks, passwd parsing, cache eviction, and confirmation prompts. `src/copyfail.[ch]` implements the AF_ALG `authencesn(hmac(sha256),cbc(aes))` 4-byte arbitrary page-cache write primitive and uses it to flip the current user’s UID in `/etc/passwd` to `0000`, then invokes `su`. `src/copyfail_gcm.[ch]` implements a more granular 1-byte write primitive using xfrm-ESP with `rfc4106(gcm(aes))`, including AF_ALG keystream-byte computation and IV brute force; this primitive is also exposed to other modules. `src/dirtyfrag_esp.[ch]` and `src/dirtyfrag_esp6.[ch]` implement IPv4 and IPv6 xfrm-ESP exploit chains that register attacker-controlled SAs via NETLINK_XFRM, use loopback UDP encapsulation on port 4500, and splice `/etc/passwd` into the vulnerable in-place decrypt path. `src/dirtyfrag_rxrpc.[ch]` implements the RxRPC variant, including forged RxRPC/rxkad traffic and brute-forced fcrypt session keys to shape 8-byte overwrites that empty root’s password field in the page-cache copy of `/etc/passwd`. `src/fcrypt.[ch]` contains the rxkad/fcrypt implementation and brute-force harness used by the RxRPC exploit. `src/apparmor_bypass.[ch]` adds a multi-stage self-reexec bypass for Ubuntu AppArmor restrictions on unprivileged user namespaces by writing to `/proc/self/attr/exec` and switching into permissive profiles such as `crun` or `chrome`. `src/backdoor.[ch]` uses the GCM 1-byte primitive to rewrite a length-matched `nologin` passwd entry into `dirtyfail::0:0:<pad>:/:/bin/bash`, storing restoration state in `/var/tmp/.dirtyfail.state`. Main exploit capabilities: (1) safe-ish detection modes that probe prerequisites or use a temporary sentinel file rather than system files; (2) real page-cache-only overwrite of `/etc/passwd` to gain root; (3) optional spawning of `su`, `su -`, or `su - dirtyfail`; (4) temporary persistence via a page-cache backdoor user; and (5) cleanup via `POSIX_FADV_DONTNEED` and `/proc/sys/vm/drop_caches`. The exploit is operational rather than framework-integrated: payloads are hardcoded around local root escalation and page-cache manipulation, but the code is complete and modular.