PinTheft: Linux kernel RDS zerocopy double-free local privilege escalation
CVE-2026-43494 is a vulnerability in the Linux kernel RDS networking subsystem (net/rds) in the zerocopy send path. In rds_message_zcopy_from_user(), if iov_iter_get_pages2() fails while pinning user pages, the error path releases already pinned pages with put_page() and clears rm->data.op_mmp_znotifier, but fails to reset rm->data.op_nents. As a result, rm->data.op_nents can remain incorrectly non-zero after the failed zerocopy setup. Later, when rds_message_purge() is invoked from rds_sendmsg(), the cleanup loop iterates over the stale op_nents count and frees the same pages again, creating a double-free condition. Public reporting refers to this issue as PinTheft and describes exploitation of the RDS zerocopy double-free/refcount bug in combination with io_uring fixed buffers to obtain a page-cache overwrite primitive and local privilege escalation.
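To make the failure sequence above concrete, here is a small C model of the pattern, added for this page; it is not the kernel's net/rds code and not code from any of the repositories listed below. The names op_nents, op_mmp_znotifier, get_page and put_page follow the description; the page pool, the refcount bookkeeping, the fail_at knob and the fixed switch are a constructed simulation so the two outcomes can be run side by side.

```c
/* Model of the stale-op_nents failure in the RDS zerocopy error path.
 * Added illustration, not kernel code: pages, refcounts and the fail_at
 * knob are constructed so the sequence can be run and checked offline. */
#include <errno.h>
#include <stdio.h>

#define NPAGES 3

/* Refcount 1 = held only by the user mapping; 0 = freed. */
struct page { int refcount; };

/* Mirrors rm->data: the pinned page list, the count purge will walk, and the notifier. */
struct data_op {
    struct page *pages[NPAGES];
    int op_nents;
    int op_mmp_znotifier;
};

static void get_page(struct page *p) { p->refcount++; }

/* Returns 1 if this put dropped the page to zero (freed it), 0 otherwise.
 * A put on an already-freed page is the double-free case and also counts. */
static int put_page(struct page *p)
{
    if (p->refcount <= 0)
        return 1;
    return --p->refcount == 0;
}

/* Model of rds_message_zcopy_from_user(): pin one page per iov entry; the
 * pin of entry `fail_at` fails (iov_iter_get_pages2() returning an error).
 * `fixed` selects whether the error path resets op_nents. */
static int zcopy_from_user(struct data_op *op, struct page *pool, int fail_at, int fixed)
{
    op->op_nents = 0;
    op->op_mmp_znotifier = 1;
    for (int i = 0; i < NPAGES; i++) {
        if (i == fail_at) {
            /* Error path: drop the pins taken so far and clear the notifier. */
            for (int j = 0; j < op->op_nents; j++)
                put_page(op->pages[j]);
            op->op_mmp_znotifier = 0;
            if (fixed)
                op->op_nents = 0;   /* the reset the vulnerable code omits */
            return -EFAULT;
        }
        get_page(&pool[i]);
        op->pages[i] = &pool[i];
        op->op_nents++;
    }
    return 0;
}

/* Model of rds_message_purge(): release whatever op_nents says is still pinned. */
static int purge(struct data_op *op)
{
    int freed = 0;
    for (int i = 0; i < op->op_nents; i++)
        freed += put_page(op->pages[i]);
    op->op_nents = 0;
    return freed;
}

/* Run one failing send; returns how many pages were dropped to zero
 * while the user mapping still held them (0 is the correct outcome). */
int stolen_refs_after_failed_send(int fixed)
{
    struct page pool[NPAGES] = { {1}, {1}, {1} };
    struct data_op op = { {0}, 0, 0 };
    int rc = zcopy_from_user(&op, pool, 2, fixed);   /* pin 2 pages, fail on the 3rd */
    if (rc != -EFAULT)
        return -1;
    return purge(&op);
}

int main(void)
{
    printf("vulnerable: %d page(s) freed out from under the mapping\n",
           stolen_refs_after_failed_send(0));
    printf("fixed:      %d page(s) freed out from under the mapping\n",
           stolen_refs_after_failed_send(1));
    return 0;
}
```

In the vulnerable run the error path and the purge each put the same two pages once, so every failing send costs the mapping one reference per pinned page; that is the per-send reference drain the exploit summaries below describe. With op_nents reset to zero the purge has nothing to walk and the refcounts are untouched.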
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a compact single-file local privilege escalation PoC for CVE-2026-43494 ('PinTheft'). It is not part of a larger exploit framework. The repository contains only three files: .gitignore, README.md, and the main exploit source sley.c. The README documents the vulnerability, prerequisites, build instructions, and expected outcome; the exploit logic resides in sley.c. The exploit targets the Linux kernel's RDS zerocopy path and chains it with io_uring fixed-buffer registration. Its core capability is to steal page pin references via repeated failing RDS zerocopy sends, free a previously pinned anonymous page, reclaim that page into the page cache of a chosen SUID-root executable, and then use stale io_uring fixed-buffer state to overwrite the first page of that executable with an embedded x86_64 ELF stub. Finally, it execs the chosen SUID binary to obtain a root shell. Operational flow visible in the code and README: (1) reconnaissance to find a usable SUID target from a hardcoded candidate list; (2) mmap of one anonymous page; (3) io_uring setup and fixed-buffer registration; (4) cloning of the buffer table into a second ring using IORING_REGISTER_CLONE_BUFFERS; (5) spawning a helper process to keep the cloned ring alive; (6) issuing 1024 RDS zerocopy operations across a loopback TCP port range beginning at 20000 to drain the GUP pin bias; (7) munmap of the page to create a reclaim window; (8) opening and execing the SUID target after page-cache overwrite. The payload is embedded directly in the source as a 129-byte ELF blob containing '/bin/sh'. This makes the exploit more than a bare PoC: it includes a concrete post-exploitation payload and an automated handoff to the SUID target, so OPERATIONAL is the best maturity fit. There is no evidence it is a detector or fake exploit. Fingerprintable observables include the hardcoded SUID target paths, the embedded /bin/sh string, and the local loopback RDS activity over ports 20000-21023. 
The README also highlights environmental dependencies such as kernel.io_uring_disabled, /proc/sys/kernel/io_uring_disabled, and /boot/config-$(uname -r).
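The exploits listed here all state the same two preconditions: RDS with its loopback TCP transport available, and io_uring usable by an unprivileged process. Below is a small C host check, added for this page and not taken from any of the repositories, that reads the files the README points at. The CONFIG_ symbol names (CONFIG_RDS, CONFIG_RDS_TCP, CONFIG_IO_URING), the EXPOSURE_* levels and the sample config text in the test are this page's assumptions; the meaning of the io_uring_disabled values is the documented kernel sysctl behaviour.

```c
/* Exposure check for the preconditions the exploits above depend on:
 * RDS (and its TCP transport) built or modular, and io_uring usable by
 * unprivileged processes. Added illustration; the parsing helpers take
 * text so they can run on constructed samples as well as the live files. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

enum exposure { EXPOSURE_NONE = 0, EXPOSURE_PARTIAL = 1, EXPOSURE_FULL = 2 };

/* Value of /proc/sys/kernel/io_uring_disabled (kernel 6.6 and later):
 * 0 = any process may use io_uring, 1 = only CAP_SYS_ADMIN or members of
 * io_uring_group, 2 = disabled. Returns -1 when the text is absent or
 * unparsable (older kernels without the sysctl: no restriction). */
int parse_io_uring_disabled(const char *text)
{
    char *end;
    long v;
    if (!text)
        return -1;
    v = strtol(text, &end, 10);
    if (end == text || v < 0 || v > 2)
        return -1;
    return (int)v;
}

/* Look up key in kernel .config text: 'y' or 'm' when set, 'n' when unset
 * ("# CONFIG_X is not set") or missing. Matches whole symbols only, so
 * CONFIG_RDS does not match CONFIG_RDS_TCP. */
char config_value(const char *config, const char *key)
{
    size_t klen = strlen(key);
    const char *p = config;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == klen + 2 && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            char c = p[klen + 1];
            return (c == 'y' || c == 'm') ? c : 'n';
        }
        p = eol ? eol + 1 : NULL;
    }
    return 'n';
}

/* FULL when RDS, RDS_TCP and unprivileged io_uring are all available;
 * PARTIAL when only one side of the chain is; NONE otherwise. Does not
 * read modprobe.d, so an "install rds /bin/false" blacklist still counts
 * RDS as available here (assumption: treat that as the conservative answer). */
int exposure_level(const char *config, const char *io_uring_text)
{
    int rds = config_value(config, "CONFIG_RDS") != 'n';
    int rds_tcp = config_value(config, "CONFIG_RDS_TCP") != 'n';
    int iou_built = config_value(config, "CONFIG_IO_URING") != 'n';
    int iou_unpriv = iou_built && parse_io_uring_disabled(io_uring_text) <= 0;
    if (rds && rds_tcp && iou_unpriv)
        return EXPOSURE_FULL;
    if (rds || iou_unpriv)
        return EXPOSURE_PARTIAL;
    return EXPOSURE_NONE;
}

/* Read a whole small file into a malloc'd string; NULL if unreadable. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    char *buf = NULL;
    size_t cap = 0, len = 0, n;
    if (!f)
        return NULL;
    do {
        cap = cap ? cap * 2 : 4096;
        buf = realloc(buf, cap);
        n = fread(buf + len, 1, cap - len - 1, f);
        len += n;
    } while (n > 0 && len == cap - 1);
    buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    struct utsname u;
    char path[256];
    static const char *names[] = { "none", "partial", "full" };
    uname(&u);
    snprintf(path, sizeof path, "/boot/config-%s", u.release);
    char *config = slurp(path);
    char *iou = slurp("/proc/sys/kernel/io_uring_disabled");
    if (!config) {
        fprintf(stderr, "cannot read %s\n", path);
        return 1;
    }
    printf("RDS=%c RDS_TCP=%c IO_URING=%c io_uring_disabled=%d -> exposure: %s\n",
           config_value(config, "CONFIG_RDS"), config_value(config, "CONFIG_RDS_TCP"),
           config_value(config, "CONFIG_IO_URING"), parse_io_uring_disabled(iou),
           names[exposure_level(config, iou)]);
    free(config);
    free(iou);
    return 0;
}
```

Two caveats when reading the result. CONFIG_RDS=m with the module not currently loaded is still exposed: an unprivileged socket(AF_RDS) call autoloads the module unless it is blacklisted in modprobe.d, which is the usual stop-gap when patching is not immediate. And io_uring_disabled=1 blocks the unprivileged path these PoCs use, but not a caller that already has CAP_SYS_ADMIN or is in io_uring_group.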
This repository is a compact single-file local privilege escalation PoC named SLEY for CVE-2026-43494 (PinTheft). The repo contains only three files: .gitignore, README.md, and the main exploit source sley.c. The README explains the vulnerability, prerequisites, build steps, and expected outcome; the exploit logic resides in sley.c. The exploit is not a scanner or detector. It is an actual local exploit that chains a Linux kernel RDS zerocopy reference-count bug with io_uring fixed-buffer registration/cloning to create a stale pinned-page condition. The intended flow is: map an anonymous page, register it as an io_uring fixed buffer, clone the buffer table into a second ring, repeatedly trigger failing RDS zerocopy sends to steal/drop page references, unmap the page so it can be reclaimed, reopen a readable SUID-root binary so its page cache reuses the freed page, overwrite that cached first page with an embedded ELF stub, and finally exec the SUID binary to obtain a root shell. Notable capabilities visible from the code and README include CPU pinning/recon, discovery of candidate SUID binaries, io_uring ring setup and buffer registration, cloned ring state persistence via a helper process, repeated RDS activity over loopback using a fixed port range beginning at 20000, and execution handoff to the chosen SUID target. The payload is embedded directly in the binary as a 129-byte x86_64 ELF blob containing '/bin/sh', indicating a hardcoded shell-spawning post-exploitation stage rather than a customizable framework payload. Fingerprintable artifacts include the candidate SUID paths (/usr/bin/su, /bin/su, /usr/bin/mount, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/newgrp, /usr/bin/umount, /usr/bin/pkexec), the shell path /bin/sh, and loopback TCP/RDS activity against 127.0.0.1 on ports 20000 through 21023. 
Operationally, the exploit requires a vulnerable Linux environment with RDS and io_uring enabled and is best characterized as an operational PoC rather than a weaponized framework module.
Small repository containing a standalone Linux local privilege escalation exploit written entirely in x86-64 NASM assembly. Structure is minimal: a Makefile to build the binary, a README describing usage, and a single large assembly source file (pintheft.asm) implementing the exploit logic. The exploit is not a framework module; it is a self-contained operational PoC. The README says it is a rewrite of a prior Go implementation and that it 'drops a root shell.' The assembly comments describe the exploit chain in detail: pin to CPU 0, locate a SUID target, back it up, map a page with guard space, register io_uring buffers with a +1024 bias, clone the buffer registration, fork a daemon, steal 1024 refs via RDS zero-copy, evict page cache with fadvise(DONTNEED), drain per-CPU page lists, unmap, pread, issue io_uring READ_FIXED, verify corruption, and finally execute via PTY.

Core capabilities observed from the code and comments:
- Local kernel exploitation using AF_RDS and io_uring primitives.
- Refcount manipulation / dangling buffer abuse to obtain a page-cache overwrite primitive.
- Discovery and backup of a SUID executable target.
- Replacement of the target with an embedded minimal ELF payload.
- Payload behavior is explicit: setuid(0) followed by execve('/bin/sh').
- Interactive shell handling via PTY-related ioctls.
- Cleanup/operational usability features such as logging and printing a restore command for the overwritten SUID binary.

Notable technical indicators include direct use of Linux syscalls for socket, bind, sendmsg, setsockopt, fadvise64, sched_setaffinity, memfd_create, and io_uring operations; constants for AF_RDS, SO_ZEROCOPY, SOL_RDS, IORING_REGISTER_BUFFERS, IORING_REGISTER_CLONE, and IORING_OP_READ_FIXED; and a hardcoded PORT_BASE of 20000. No external network infrastructure, remote C2, or hardcoded IP/domain endpoints are present.
The exploit is purely local and targets the host kernel and local filesystem/SUID binaries rather than remote services. Overall, this repository's purpose is to provide a compact, low-level assembly implementation of a Linux kernel LPE exploit chain culminating in a root shell.
This repository is a compact single-file local privilege escalation PoC named SLEY for CVE-2026-43494 (PinTheft). The repo contains only a README, .gitignore, and one C source file, sley.c, which is the full exploit implementation and UI. It is not part of a larger exploit framework. The exploit targets the Linux kernel locally and chains an RDS zerocopy reference-count bug with io_uring fixed-buffer handling. The intended flow is: allocate and register an anonymous page as an io_uring fixed buffer, clone buffer metadata to a second ring, trigger many failing RDS zerocopy sends to drain/steal FOLL_PIN references, unmap/free the page, reclaim it into the page cache of a chosen SUID-root binary, then use stale io_uring buffer state to overwrite that cached page with a tiny embedded x86_64 ELF stub. Finally, the exploit execs the modified SUID binary to obtain a root shell. Main capabilities observed: CPU affinity pinning for exploit stability, discovery of common SUID-root binaries, backup of the chosen target before overwrite, repeated exploitation attempts (MAX_RETRIES=5), creation/destruction of io_uring instances including clone-buffer usage, use of RDS sockets over localhost with a base port of 20000, page-cache overwrite of a SUID executable, and execution handoff to the overwritten target. The payload is operational rather than just demonstrative because it includes a real embedded shell-spawning ELF stub and attempts to deliver root access automatically. Fingerprintable artifacts include hardcoded SUID target paths (/usr/bin/su, /bin/su, /usr/bin/mount, /usr/bin/passwd, /usr/bin/chsh, /usr/bin/newgrp, /usr/bin/umount, /usr/bin/pkexec), the shell path /bin/sh inside the payload, a temporary backup naming pattern under /tmp/.backup_%s_%d, and localhost RDS/TCP usage with port base 20000. The README also documents dependency on /proc/sys/kernel/io_uring_disabled and kernel configuration/features such as RDS and io_uring. 
Overall, this is a real exploit PoC for a Linux kernel LPE, not a detection script. It is designed for vulnerable x86_64 Linux systems with RDS and io_uring enabled, and its end goal is root shell execution via SUID page-cache corruption.
This repository is a standalone Go local privilege escalation exploit named pintheft-go. It is not a framework module. The code implements an exploit chain against a Linux kernel bug in the RDS zerocopy send path, combined with io_uring fixed-buffer behavior, to achieve page-cache overwrite of a SUID-root executable and spawn a root shell. Repository structure: main.go is the entry point and orchestrates exploitation followed by launching an interactive PTY-backed shell. lpe.go contains most of the exploit logic: target discovery, backup creation, PFN/page-cache helpers, CPU pinning, payload preparation, retry logic, and the overall LPE workflow. rds.go contains the RDS socket primitive that repeatedly triggers the vulnerable sendmsg zerocopy path on loopback using AF_RDS, ancillary zcopy control messages, and a two-page iovec where the second page is intended to fault. iouring.go implements raw io_uring syscalls and ring management, including REGISTER_BUFFERS, CLONE_BUFFERS, and READ_FIXED submission/completion handling. pty.go provides post-exploitation interaction by opening /dev/ptmx, creating a slave PTY, and executing the chosen SUID target interactively. Main exploit capability: the exploit steals page references one at a time via repeated failing RDS zerocopy sendmsg calls, after first inflating the page refcount using io_uring fixed-buffer registration. It then frees the user page in a controlled way, attempts to reclaim it as page cache for a readable SUID binary, and uses io_uring READ_FIXED with a dangling bvec/page pointer to overwrite the reclaimed page cache with an embedded x86_64 ELF payload. The payload is a minimal setuid(0)+execve("/bin/sh") style ELF. After verifying the overwrite by rereading the target file, the exploit executes the SUID target through a PTY to obtain a root shell. 
Notable operational details: the exploit pins execution to CPU 0 to influence page allocator behavior, keeps a cloned io_uring buffer mapping alive in a forked child to avoid unpinning on ring close, backs up the target binary to /tmp/.backup_pintheft_<pid>, and retries exploitation multiple times. The README explicitly notes that the on-disk binary is not modified; only the page cache is overwritten, and it provides a restoration command using the backup copy. Overall, this is a real, weaponized local kernel LPE PoC with a built-in payload and interactive post-exploitation component, targeting vulnerable Linux systems with RDS and io_uring enabled.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Linux kernel local privilege escalation vulnerability in the RDS networking subsystem that can be used to overwrite page-cached privileged binaries via stale pointer misuse.
A Linux kernel local privilege escalation vulnerability in the RDS zerocopy send path caused by a double-free / refcount handling bug, enabling page-cache overwrite via io_uring fixed buffers and escalation to root.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.