Dirty Frag: Linux kernel xfrm ESP shared skb fragment in-place decrypt

This repository is a compact standalone local privilege escalation exploit for CVE-2026-43284 ('Dirty Frag'). It is not a framework module; the core logic is entirely in src/exp.c, with a simple Makefile and GitHub Actions workflow used to build static binaries for multiple Linux architectures. Repository structure: README.md describes the exploit and links to the original source; Makefile builds a static binary named 'exploit'; .github/workflows/build.yml cross-compiles and publishes release artifacts for x86_64, i386, aarch64, armv7, riscv64, ppc64le, and s390x; src/exp.c contains the exploit implementation. Exploit purpose and behavior: the code performs local privilege escalation on vulnerable Linux kernels. It creates new user and network namespaces, writes /proc/self/{setgroups,uid_map,gid_map}, and brings up the loopback interface. The exploit contains two exploitation paths selectable by flags: '--force-esp' and '--force-rxrpc'. The default flow tries the ESP-based path first (suggesting abuse of IPsec/ESP-in-UDP handling on UDP port 4500), then falls back to an RxRPC-based path if needed. The code retries the RxRPC path multiple times until the target appears patched. Payload and post-exploitation: the exploit embeds a 192-byte x86_64 ELF payload ('shell_elf') and is configured to overwrite a privileged executable, notably /usr/bin/su, from offset 0. The replacement ELF calls setgid(0), setuid(0), setgroups(0,NULL), and execve('/bin/sh', NULL, envp) with TERM=xterm. After successful corruption/overwrite, the program invokes a PTY helper to run the patched privileged binary and provide an interactive root shell. If already root, main simply execs /bin/bash. Notable characteristics: this is real exploit code, not just a detector. It includes an operational payload, retry logic, namespace setup, and interactive shell handling. The embedded payload is architecture-specific (x86_64), while the repository’s CI builds static binaries for many architectures, indicating the exploit wrapper is portable but the hardcoded overwrite payload shown in the analyzed source is specifically x86_64.

This repository is a standalone Go local privilege escalation exploit named `dirtyfrag-go`. It targets two Linux kernel vulnerabilities, CVE-2026-43284 and CVE-2026-43500, and is clearly intended for host LPE/container escape scenarios rather than remote exploitation. Repository structure: `main.go` is the orchestrator and primary entry point. `esp.go` implements the ESP/XFRM exploitation path, `rxrpc.go` implements the RxRPC/rxkad fallback path, `alg.go` provides AF_ALG helpers for kernel crypto operations, `fcrypt.go` contains a userspace port of the kernel fcrypt algorithm plus brute-force helpers, and `pty.go` handles post-exploitation interaction by spawning `su -` inside a PTY. `go.mod`/`go.sum` define a minimal Go module using `golang.org/x/sys`. `README.md` describes build/run steps and lists affected Linux distributions. Main exploit capabilities: the primary ESP/XFRM path (`suLPE` / `RunESPWorker`) re-execs itself in new user and network namespaces, brings up loopback, installs many crafted XFRM Security Associations, and uses a vmsplice+splice chain to trigger in-place ESP decryption against page-cache-backed file data. The intended effect is to overwrite the first 192 bytes of `/usr/bin/su` in page cache with an embedded minimal x86_64 ELF payload. That payload performs setuid/setgid-style privilege setup and executes `/bin/sh`. After patching, the exploit verifies marker bytes in `/usr/bin/su` and then launches `su -` through a PTY. The fallback RxRPC path targets `/etc/passwd`. It constructs attacker-controlled RxRPC v1 tokens, adds them to the process keyring, sets up AF_RXRPC sockets, computes rxkad checksum material using AF_ALG `pcbc(fcrypt)`, and brute-forces suitable 8-byte session keys offline using the userspace fcrypt implementation. It then performs multiple overlapping 8-byte in-place decrypt/write triggers so the root passwd entry becomes effectively `root::0:0:...:/root:/bin/bash`, enabling empty-password root login. The code explicitly checks for the patched prefix `root::0:0`. Post-exploitation behavior: `pty.go` opens `/dev/ptmx`, allocates a slave PTY, starts `su -`, bridges the user terminal to the PTY, and automatically sends a newline when it detects a password prompt, supporting both the patched-`su` and patched-`passwd` cases. Notable endpoints/targets are all local: `/usr/bin/su`, `/etc/passwd`, `/bin/bash`, `/dev/ptmx`, `/dev/pts/*`, `/proc/self/exe`, loopback interface `lo`, loopback IP `127.0.0.1`, and UDP port `4500` for ESP-in-UDP encapsulation. There are no external C2 or internet URLs. Overall, this is a real, operational local Linux kernel exploit chain with embedded payloads and automated privilege-escalation workflow.

Repository contains a small local Linux privilege-escalation toolkit for the so-called Dirty Frag exploit chain. Structure is simple: README.md documents lab validation steps and impact; dirty_frag_detect.py is a standalone detector that checks kernel version, patch/backport status, module availability/blacklisting, socket primitive availability, and mitigations; exp.c is the actual exploit PoC. The exploit is not framework-based. Main capability: exp.c performs local privilege escalation from an unprivileged user to root on vulnerable Linux kernels by abusing page-cache write/corruption primitives associated with CVE-2026-43284 (IPsec ESP path) and CVE-2026-43500 (RxRPC path). It contains logic for both exploit paths, supports forcing either path via command-line flags, and attempts multiple runs for the RxRPC path if needed. The code sets up user and network namespaces, manipulates loopback state, uses kernel networking interfaces including XFRM/netlink and RxRPC-related primitives, and targets a privileged executable for page-cache corruption. Payload behavior is explicit and high risk: exp.c embeds a minimal 192-byte x86_64 ELF payload and targets TARGET_PATH '/usr/bin/su'. The payload overwrites the beginning of the SUID binary in page cache, then when executed it calls setgid(0), setuid(0), setgroups(0,NULL), and execve('/bin/sh', ...) to provide a root shell. The main function then launches an interactive PTY-backed root shell if patching succeeded. This makes the repository a real exploit, not merely a detector, though it remains closer to an operational PoC than a generalized weaponized framework. Fingerprintable artifacts are mostly local file paths and kernel interfaces rather than remote C2/network infrastructure. Notable endpoints include /usr/bin/su, /bin/sh, /bin/bash, /proc/self/{setgroups,uid_map,gid_map}, /proc/modules, /sys/module/{esp4,esp6,rxrpc}, modprobe configuration directories, mitigation file /etc/modprobe.d/dirtyfrag.conf, and UDP port 4500 used for ESP-in-UDP handling. The README references 127.0.0.1 as the lab target and includes upstream GitHub URLs for the detector and exploit sources. Overall purpose: validate and exploit a local kernel LPE condition in a controlled lab environment, first by determining whether the host is likely exploitable and then by obtaining root through page-cache corruption of a privileged binary.

This repository is a compact local privilege escalation proof-of-concept for CVE-2026-43284. It contains one substantive code file, sley-dirtyfrag.c, plus a README. The exploit is not part of a larger framework. The C program targets Linux x86_64 systems and abuses the kernel XFRM/ESP over UDP encapsulation path to obtain a 4-byte page-cache write primitive per iteration. It uses unshare(CLONE_NEWUSER | CLONE_NEWNET) to create user and network namespaces as an unprivileged user, registers multiple XFRM security associations, and drives the vulnerable path via splice operations into a UDP socket configured for ESP-in-UDP on port 4500. Across 48 iterations, it writes a 192-byte embedded ELF payload into the page cache of a readable setuid binary, defaulting to /usr/bin/su. The payload then executes setuid(0), setgid(0), and /bin/sh to provide a root shell. The exploit includes operational features beyond a minimal PoC: kernel configuration preflight checks, setuid binary discovery, target validation, backup of the original first 192 bytes, corruption/verification stages, PTY-backed root shell spawning, and restoration logic that attempts to drop or invalidate page cache so the clean on-disk binary is reloaded. The code and README indicate it was tested on WSL2 Ubuntu 24.04.1 LTS with kernel 6.6.87.2-microsoft-standard-WSL2, and also references Ubuntu 24.04 and Fedora 44 vulnerable builds. Fingerprintable artifacts include the default target path /usr/bin/su, optional alternate target /usr/bin/passwd, kernel config sources under /boot, /lib/modules, and /proc/config.gz, and the recovery control file /proc/sys/vm/drop_caches. The primary trigger endpoint is UDP port 4500, used for ESP-in-UDP encapsulation. Overall, this is a real exploit PoC with a built-in payload and root-shell outcome, making it more than a detector but still short of a generalized weaponized framework.

This repository is a standalone Go local privilege escalation exploit named `dirtyfrag-go`. It is not part of a larger exploit framework. The codebase contains 10 files, primarily Go source files implementing two Linux kernel exploit paths plus support code. Repository structure: `main.go` is the orchestrator and entry point. It checks whether the process is already root, parses `--force-esp`, `--force-rxrpc`, and verbose flags, tries the ESP/XFRM path first, falls back to the RxRPC path if needed, and launches a root PTY on success. `esp.go` implements the CVE-2026-43284 path: it re-execs itself into a new user and network namespace, brings up loopback, installs many XFRM Security Associations over `NETLINK_XFRM`, and uses a `vmsplice`/`splice` chain into an ESP-in-UDP socket on port 4500 to cause in-place decryption into the page cache of `/usr/bin/su`. The embedded payload is a 192-byte x86_64 ELF that yields a root shell. `rxrpc.go` implements the CVE-2026-43500 path: it crafts RxRPC/rxkad traffic over `AF_RXRPC`, installs attacker-controlled rxrpc keys into the process keyring, and performs three overlapping 8-byte page-cache writes against `/etc/passwd` so the root entry becomes effectively `root::0:0...`, enabling empty-password `su -`. `alg.go` provides AF_ALG helpers for kernel `pcbc(fcrypt)` operations used to compute rxkad-related values. `fcrypt.go` ports the kernel fcrypt implementation and includes a parallel brute-force routine to find session keys that decrypt to desired byte patterns. `pty.go` creates a PTY, runs `su -`, bridges terminal I/O, and auto-sends a blank password when prompted. Main exploit capabilities: (1) local kernel exploitation without disk writes by modifying only page-cache-backed file contents; (2) namespace-isolated execution to avoid requiring host `CAP_NET_ADMIN`; (3) two independent exploitation paths for resilience; (4) automatic privilege escalation to an interactive root shell. The exploit is operational rather than a simple PoC because it contains complete trigger logic, embedded payloading, fallback behavior, verification checks, and post-exploitation shell handling. Fingerprintable targets and artifacts are mostly local rather than remote: `/usr/bin/su`, `/etc/passwd`, `/dev/ptmx`, `/dev/pts/*`, `/proc/self/exe`, `/bin/bash`, `/dev/null`, loopback `127.0.0.1`, UDP port 4500, `AF_ALG`, `AF_RXRPC`, and `NETLINK_XFRM`. No external C2 or internet-hosted endpoints are present; the exploit is self-contained and uses kernel interfaces and local sockets only.

This repository is a small standalone Rust local privilege-escalation exploit project named 'dirtyfrag'. It contains one substantive code file, src/main.rs, plus Cargo metadata and build configuration. The code is Linux-only and uses raw syscalls, libc bindings, Linux namespaces, netlink/XFRM structures, splice/vmsplice primitives, and interface ioctls to trigger a kernel-side page-cache corruption condition. The exploit is not a scanner or detector: it performs active exploitation. Its apparent goal is to overwrite the cached contents of /usr/bin/su with an embedded 192-byte ELF payload. That payload contains a minimal x86_64 executable that ultimately execs /bin/sh. After the corruption stage, the parent process verifies the first bytes at the target entry offset and reports success, then instructs the operator to run /usr/bin/su to trigger the implanted payload. Repository structure is minimal: Cargo.toml and Cargo.lock define a Rust binary depending only on libc; .cargo/config.toml sets Linux gcc linkers for musl and gnu x86_64 targets; readme.md is non-technical and does not document the exploit. The main.rs file defines many Linux/XFRM data structures and constants, including AF_NETLINK, NETLINK_XFRM, UDP encapsulation settings, namespace flags, ioctl constants, and the target path /usr/bin/su. The visible execution flow forks a child for the corruption stage, waits for completion, verifies the modified bytes, and then announces successful patching. Overall, this is an operational local Linux kernel exploit implementation with a hardcoded post-exploitation payload, targeting page-cache corruption of /usr/bin/su to obtain shell execution.

This repository is a Go-based local privilege escalation exploit named dirtyfrag-go. It is not part of a common exploitation framework and consists of 9 files, with the main logic spread across 6 Go source files: main.go orchestrates execution, esp.go implements the ESP/XFRM exploit path, rxrpc.go implements the AF_RXRPC/rxkad exploit path, alg.go provides AF_ALG helpers for kernel crypto operations, fcrypt.go ports the kernel fcrypt algorithm and brute-force helpers, and pty.go launches an interactive root shell through a PTY. The exploit targets two Linux kernel vulnerabilities identified in comments as CVE-2026-43284 and CVE-2026-43500. Its purpose is to gain root from an unprivileged local account by abusing kernel page-cache write primitives. The primary path in esp.go uses XFRM/ESP-in-UDP over loopback, installs many Security Associations through NETLINK_XFRM, and abuses in-place decryption triggered through vmsplice/splice to overwrite the first 192 bytes of /usr/bin/su with an embedded minimal x86_64 ELF payload. That payload performs privilege-changing syscalls and executes /bin/sh. The code re-execs itself into a child created with CLONE_NEWUSER|CLONE_NEWNET, brings up loopback, installs the SAs, performs repeated 4-byte writes, and verifies the patch by checking bytes at offset 0x78 in /usr/bin/su. The fallback path in rxrpc.go targets AF_RXRPC/rxkad. It constructs RxRPC headers and challenge packets, creates an rxrpc token with add_key into the process keyring, uses AF_ALG pcbc(fcrypt) helpers from alg.go to compute csum_iv and checksums, and leverages splice-based in-place decryption on file-backed pages. The goal is to patch /etc/passwd so the root entry becomes empty-password compatible. The repository includes a full userspace port of fcrypt in fcrypt.go plus parallel brute-force routines to discover suitable 8-byte session keys that decrypt chosen ciphertext blocks into desired plaintext fragments. The exploit performs three overlapping 8-byte writes with last-write-wins ordering to transform the root passwd entry. After either patch succeeds, pty.go opens /dev/ptmx, creates a slave PTY, runs su -, bridges terminal I/O, and automatically submits a blank password when prompted. main.go supports --force-esp, --force-rxrpc, and verbose mode, suppresses stderr by default, checks whether /usr/bin/su or /etc/passwd already appear patched, and either executes /bin/bash directly if already root or launches the exploit chain. Overall, this is a real operational local Linux kernel LPE exploit with embedded payloads and post-exploitation shell handling, not merely a detector or proof-of-concept stub.

Small standalone local privilege-escalation repository centered on a single C program, dirtyfrag.c, plus a minimal Makefile and README. The README describes exploitation of CVE-2026-43284 in Linux XFRM/ESP page-cache handling using a 4-byte write primitive repeated across 64 iterations. The exploit is not a scanner or detector; it is operational exploit code with an embedded payload. Repository structure: README.md documents prerequisites, tested environments, exploitation method, and restoration guidance; Makefile builds the binary; dirtyfrag.c contains all exploit logic and the hardcoded payload. No external framework is used. Core exploit flow: the program defaults to targeting /usr/bin/su, verifies it is setuid and readable, saves the original bytes, then forks. In the child, it creates new user and network namespaces, writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, brings up loopback, and uses NETLINK_XFRM to register multiple ESP security associations bound to 127.0.0.1 with ESN enabled. Per the README and visible code, the exploit then uses UDP encapsulated ESP on port 4500 and splice-based file-to-pipe-to-socket operations so a page-cache page from the target file is pulled into an ESP scatter-gather path where kernel processing writes attacker-controlled 4-byte values from seq_hi into the cached file page. Repeating this across many SAs patches the target binary with the embedded ELF payload. Payload/capability: the embedded shell_elf is a minimal x86_64 ELF whose entry point performs setgid(0), setuid(0), and execve(/bin/sh) with TERM=xterm. After corruption succeeds, the parent verifies modified bytes at the expected entry offset, executes the now-corrupted setuid binary via forkpty to provide an interactive root shell, proxies terminal I/O, and finally attempts to restore the original bytes from backup when the shell exits. Notable endpoints and observables are entirely local: /usr/bin/su, /bin/sh, procfs namespace mapping files, loopback address 127.0.0.1, UDP port 4500, and NETLINK_XFRM. Overall, this is a concise but complete Linux LPE proof-of-concept with a built-in hardcoded root-shell payload and cleanup logic.

This repository contains a standalone local privilege escalation exploit for Linux kernels, with two identical C source files (CVE-2026-43284.c and dirtyfrag.c) plus a README. The code is not part of a common exploitation framework. The main exploit logic is in the C files, which embed a compact x86_64 ELF payload and attempt to corrupt page-cache-backed contents of privileged executables using two kernel bug paths described as xfrm/ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). The exploit first checks whether it is already root and spawns /bin/bash if so. Otherwise it parses flags (--force-esp, --force-rxrpc, -v/--verbose), optionally suppresses stderr, and tries the ESP path first unless forced otherwise; if that does not patch the target, it falls back to the RxRPC path and retries. The visible code shows namespace setup via unshare(CLONE_NEWUSER|CLONE_NEWNET), writes to /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, and brings up the loopback interface. Constants indicate use of UDP encapsulated ESP on port 4500. The payload overwrites /usr/bin/su starting at offset 0 with a 192-byte ELF whose entry point performs setgid(0), setuid(0), setgroups(0,NULL), and execve(/bin/sh). After detecting that either target has been patched in page cache, the exploit launches an interactive root PTY session. Overall, the repository’s purpose is offensive proof-of-concept/operational exploitation of a local Linux kernel arbitrary page-cache write primitive to obtain a root shell by replacing a setuid binary in memory.

This repository is a compact local privilege escalation exploit for Linux named 'Dirty Frag'. It contains one substantive code file, exp.c, plus a README and .gitignore. The exploit is not part of a common exploitation framework; it is a standalone C proof-of-concept with operational payloading. Core purpose: chain two Linux kernel page-cache write vulnerabilities—CVE-2026-43284 (xfrm-ESP Page-Cache Write) and CVE-2026-43500 (RxRPC Page-Cache Write)—to gain root on vulnerable Linux systems. The code supports multiple paths: an xfrm-ESP-based path, an RxRPC-based path, and fallback logic that tries one then the other. Command-line flags shown in main include --force-esp, --force-rxrpc, and verbose options. Main exploit capability: overwrite the beginning of a privileged setuid executable in page cache with a hardcoded 192-byte x86_64 ELF payload. The default target path visible in the code is /usr/bin/su. The embedded ELF performs setgid(0), setuid(0), setgroups(0, NULL), and execve('/bin/sh', ...), yielding a root shell. The main routine then invokes a PTY-backed interactive shell helper (run_root_pty) if patching succeeded. There are also indicators that the code can target passwd as an alternate path, based on functions such as passwd_already_patched() and either_target_patched(). Exploit structure highlights from exp.c: - Embedded payload blob (shell_elf) containing a minimal root-shell ELF. - Namespace setup helper setup_userns_netns() that unshares CLONE_NEWUSER | CLONE_NEWNET, writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, and brings up the loopback interface lo. - Networking-related logic using AF_INET/UDP and Linux netlink/xfrm headers, consistent with xfrm-ESP exploitation. UDP port 4500 is explicitly defined for ESP-in-UDP encapsulation. - Main orchestration logic that selects exploit path(s), suppresses stderr unless verbose, retries RxRPC exploitation, checks whether target binaries were patched in page cache, and launches an interactive root shell on success. Repository structure: - .gitignore: trivial editor ignore. - README.md: vulnerability overview, affected versions, quick compile/run instructions, cleanup guidance, mitigation steps, and tested distributions. - exp.c: full standalone exploit implementation. Overall assessment: this is a real local Linux kernel LPE exploit, not a detector. It is operational because it includes a built-in privilege-escalation payload and post-exploitation shell handling, but it is not highly modular or framework-driven.

Repository is a small local Linux privilege-escalation exploit repo with 2 files: a README and one C++ proof-of-concept at poc/dirtyfrag.cpp. Despite README language framing it as research, the C++ file is a functional exploit, not just documentation. The exploit targets CVE-2026-43284 ('Dirty Frag') in the Linux kernel XFRM ESP receive path. Code structure: main() checks if already root and spawns /bin/bash if so; otherwise it calls corrupt_su(), verifies the patch with verify_patch(), and executes /usr/bin/su -. setup_userns_netns() creates new user and network namespaces, writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, then brings up the loopback interface. add_xfrm_sa() opens a NETLINK_XFRM socket and installs many ESP transport-mode Security Associations for 127.0.0.1->127.0.0.1 with UDP encapsulation on port 4500, AES-CBC encryption, HMAC-SHA256 auth, and attacker-controlled ESN replay state. do_one_write() creates local UDP sockets on 127.0.0.1:4500, enables UDP_ENCAP_ESPINUDP, uses vmsplice/splice with SPLICE_F_MOVE to move file-backed data from /usr/bin/su into the packet path, and triggers the vulnerable receive-side in-place write. corrupt_su() iterates over the embedded 192-byte ELF payload in 4-byte chunks, encoding each chunk into seq_hi of a separate SA and then triggering one write per chunk at successive offsets into /usr/bin/su. Main exploit capability: page-cache corruption of a read-only executable file from an unprivileged context, specifically replacing the cached in-memory image of /usr/bin/su with a tiny x86_64 ELF payload. The exploit does not modify the on-disk file directly; it relies on later execution using the corrupted cached page contents. The embedded payload is intended to yield a root shell. Because the payload is hardcoded and the exploit is a standalone PoC rather than a reusable framework module, maturity is best classified as OPERATIONAL. Notable observables include loopback IP 127.0.0.1, UDP port 4500, NETLINK_XFRM usage, namespace mapping writes under /proc/self/*, and target executable paths /usr/bin/su, /bin/bash, and /bin/sh.

Repository contains a single substantive exploit source file, dirtyfrag_arm64.c, plus a README and license. This is a standalone C local privilege escalation exploit for arm64/aarch64 Linux, described as a port of the upstream dirtyfrag PoC targeting CVE-2026-43284 and CVE-2026-43500. The README explains that the original x86_64 exploit had two paths (ESP/xfrm and rxrpc/rxkad), but on arm64 only the ESP path is usable because the rxrpc path triggers a kernel oops via flush_dcache_page rather than yielding reliable exploitation. The exploit’s main capability is page-cache corruption of a privileged executable, specifically /usr/bin/su on arm64. It embeds a 212-byte minimal aarch64 ELF payload directly in the C source. That payload performs setgid(0), setuid(0), setgroups(0,NULL), and execve("/bin/sh", NULL, envp), effectively yielding a root shell. The main function supports flags such as --force-esp and --force-rxrpc, but README states --force-esp should be used on arm64 to avoid the rxrpc crash. After attempting corruption, the code checks whether a target was patched and, on success, invokes run_root_pty() to provide an interactive root shell. Structurally, the code includes namespace setup and network preparation logic. setup_userns_netns() calls unshare(CLONE_NEWUSER | CLONE_NEWNET), writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, then creates an AF_INET datagram socket and brings up the loopback interface lo. The presence of Linux netlink/rtnetlink and xfrm headers, UDP encapsulation constants, and ENC_PORT 4500 indicates the exploit uses IPsec/ESP-in-UDP mechanics as part of the corruption primitive. This makes the exploit both a local privilege escalation and one that leverages local networking/kernel network stack features. Fingerprintable observables include the hardcoded target path /usr/bin/su, payload execution path /bin/sh, direct exec of /bin/bash when already root, procfs namespace mapping files, loopback interface lo, and UDP port 4500 for ESP encapsulation. README also references /etc/passwd as the upstream fallback target on x86_64 and provides mitigation-related paths such as /etc/modprobe.d/dirtyfrag.conf. Overall, this is a real exploit rather than a detector. It is operational: it contains a working embedded payload and exploitation logic, but it is not part of a larger exploitation framework. Its purpose is to demonstrate and weaponize an arm64-specific port of Dirty Frag for authorized security research by obtaining root on vulnerable Linux systems where unprivileged user namespaces are enabled and the ESP path is available.

Repository contains a single substantial C exploit (CVE-2026-43284.c) plus a README. This is a real local Linux privilege-escalation exploit, not a scanner or proof-only stub. The code targets Linux kernel page-cache corruption primitives described in the README as Dirty Frag / Copy Fail 2, using two kernel attack paths: xfrm/ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). The exploit is operational: it embeds a ready-to-use 192-byte x86_64 ELF payload that sets UID/GID to 0 and execs /bin/sh, then attempts to overwrite a privileged target such as /usr/bin/su in page cache so execution yields root. Structurally, the exploit includes namespace setup helpers, procfs UID/GID mapping, loopback interface activation, netlink/xfrm-related code for the ESP path, alternate RxRPC exploitation logic, patch-state checks (e.g., whether su/passwd targets are already modified), stderr suppression/restore, argument rewriting, and PTY-based root shell handling. The main function selects the ESP path first by default, falls back to RxRPC if needed, or allows explicit selection with --force-esp / --force-rxrpc. If exploitation succeeds, it launches an interactive root shell. Fingerprintable artifacts are primarily local file and kernel-interface paths rather than remote infrastructure: /usr/bin/su, /bin/sh, /bin/bash, /proc/self/setgroups, /proc/self/uid_map, /proc/self/gid_map, the loopback interface lo, and UDP encapsulation port 4500 for the ESP vector. Overall purpose: deterministic local root escalation on vulnerable Linux systems by abusing kernel fragment/page-cache corruption to replace privileged executable contents with a minimal root-shell ELF.

This repository is a small Linux local privilege escalation exploit set combining two kernel issues: Copy-Fail (CVE-2026-31431) and Dirty-frag (CVE-2026-43284). It contains three files: a README with build/run instructions and tested distributions, a compact Python proof-of-concept, and a much larger C exploit implementing more complete exploitation logic. The Python script is a concise local exploit for Copy-Fail. It opens /usr/bin/su read-only, creates an AF_ALG crypto socket bound to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), uses setsockopt/sendmsg/splice to drive kernel crypto scatterlist handling, and writes attacker-controlled bytes into the page cache of the read-only SUID binary in 4-byte chunks. After patching, it invokes su to execute the modified privileged binary. The C program is the main operational exploit. It embeds a 192-byte x86_64 ELF payload that becomes a root shell by calling setgid(0), setuid(0), setgroups(0,NULL), and execve(/bin/sh). It targets /usr/bin/su and appears to support multiple exploitation paths: a su-focused path and an rxrpc/dirty-frag path, with command-line switches --force-esp and --force-rxrpc. The visible code shows namespace setup via unshare(CLONE_NEWUSER|CLONE_NEWNET), writes to /proc/self/{setgroups,uid_map,gid_map}, loopback interface manipulation, and constants for UDP encapsulation/IPsec-related behavior including port 4500, indicating a network-kernel attack surface even though exploitation is local. The main function retries alternate paths until a target binary is patched, then spawns an interactive PTY-backed root shell. Overall, this is a real exploit repository rather than a detector. Its purpose is to obtain local root on vulnerable Linux systems by corrupting privileged executables through vulnerable kernel code paths reachable from userspace syscalls. The Python file is a compact PoC; the C file is the more featureful exploit with built-in payload and fallback logic.

This repository is a standalone C exploit toolkit named DIRTYFAIL that builds a single binary (`dirtyfail`) from multiple source modules. It is not just a detector: it contains real local privilege-escalation PoCs for three Linux kernel vulnerability families/variants: Copy Fail (CVE-2026-31431), Dirty Frag xfrm-ESP IPv4/IPv6 (CVE-2026-43284), and Dirty Frag RxRPC (CVE-2026-43500), plus a GCM-based xfrm variant and a page-cache backdoor mode. Repository structure: `src/dirtyfail.c` is the main CLI entry point and dispatches scan, exploit, cleanup, and AppArmor-bypass-assisted modes. `src/common.[ch]` provides shared helpers for logging, kernel/module checks, passwd parsing, cache eviction, and confirmation prompts. `src/copyfail.[ch]` implements the AF_ALG `authencesn(hmac(sha256),cbc(aes))` 4-byte arbitrary page-cache write primitive and uses it to flip the current user’s UID in `/etc/passwd` to `0000`, then invokes `su`. `src/copyfail_gcm.[ch]` implements a more granular 1-byte write primitive using xfrm-ESP with `rfc4106(gcm(aes))`, including AF_ALG keystream-byte computation and IV brute force; this primitive is also exposed to other modules. `src/dirtyfrag_esp.[ch]` and `src/dirtyfrag_esp6.[ch]` implement IPv4 and IPv6 xfrm-ESP exploit chains that register attacker-controlled SAs via NETLINK_XFRM, use loopback UDP encapsulation on port 4500, and splice `/etc/passwd` into the vulnerable in-place decrypt path. `src/dirtyfrag_rxrpc.[ch]` implements the RxRPC variant, including forged RxRPC/rxkad traffic and brute-forced fcrypt session keys to shape 8-byte overwrites that empty root’s password field in the page-cache copy of `/etc/passwd`. `src/fcrypt.[ch]` contains the rxkad/fcrypt implementation and brute-force harness used by the RxRPC exploit. `src/apparmor_bypass.[ch]` adds a multi-stage self-reexec bypass for Ubuntu AppArmor restrictions on unprivileged user namespaces by writing to `/proc/self/attr/exec` and switching into permissive profiles such as `crun` or `chrome`. `src/backdoor.[ch]` uses the GCM 1-byte primitive to rewrite a length-matched `nologin` passwd entry into `dirtyfail::0:0:<pad>:/:/bin/bash`, storing restoration state in `/var/tmp/.dirtyfail.state`. Main exploit capabilities: (1) safe-ish detection modes that probe prerequisites or use a temporary sentinel file rather than system files; (2) real page-cache-only overwrite of `/etc/passwd` to gain root; (3) optional spawning of `su`, `su -`, or `su - dirtyfail`; (4) temporary persistence via a page-cache backdoor user; and (5) cleanup via `POSIX_FADV_DONTNEED` and `/proc/sys/vm/drop_caches`. The exploit is operational rather than framework-integrated: payloads are hardcoded around local root escalation and page-cache manipulation, but the code is complete and modular.

This repository is a real exploit PoC for CVE-2026-43284 ('Dirty Frag') adapted to a Kubernetes/EKS container-escape scenario. The main exploit is exploit/dirtyfrag.c, a static C program that unshares into new user and network namespaces, configures UID/GID mappings via /proc/self/*, brings up loopback, registers crafted xfrm Security Associations over NETLINK_XFRM, and uses ESP-in-UDP traffic to 127.0.0.1:4500 together with splice/vmsplice mechanics to corrupt page-cache contents of read-only binaries. Its default targets are /usr/sbin/ipset, /usr/sbin/xtables-legacy-multi, /usr/sbin/xtables-nft-multi, and /usr/sbin/nft—binaries likely present in shared image layers used by privileged Kubernetes components such as kube-proxy. The exploit does not directly spawn a shell. Instead, it embeds a second-stage static ELF payload generated from payload/payload-eks.c. That payload is written into the page cache of the target binaries so that when a privileged DaemonSet later executes one of them, the payload runs with elevated privileges. The included payload is a validation payload: it mounts likely EKS host root devices (/dev/nvme0n1p1, /dev/nvme0n1p2, /dev/xvda1) using xfs/ext4 and writes '[*] success' to /mnt/root/res, which corresponds to /root/res on the host. Repository structure supports building and demonstrating the PoC in EKS. The Makefile builds the nolibc-based payload, converts it into an embedded header with xxd, and statically links the exploit. Dockerfile.eks packages the exploit into an image based on an EKS distro iptables image to maximize shared-layer overlap. deploy/poc-eks.yaml deploys the PoC as an ostensibly unprivileged pod. scripts/setup-eks.sh copies the project to a node, builds the binaries, pulls the base image, and builds the container image with nerdctl in the k8s.io namespace. scripts/run-poc.sh deploys the pod and checks /root/res on the node for success. scripts/cleanup.sh removes the deployment, deletes the marker, drops page cache, and restarts kube-proxy to restore clean binaries. Most remaining files under payload/nolibc/ are vendored minimal libc headers used to build a tiny static payload without glibc. They are support code, not separate exploit logic. Overall, the repository’s purpose is to demonstrate that an unprivileged Kubernetes pod can leverage a vulnerable Linux kernel plus shared image layers to achieve node-level code execution via a privileged workload, specifically validated on Amazon EKS.