Dirty Frag: RxRPC page-cache write in Linux kernel

This repository is a standalone Go local privilege escalation exploit named `dirtyfrag-go`. It targets two Linux kernel vulnerabilities, CVE-2026-43284 and CVE-2026-43500, and is clearly intended for host LPE/container escape scenarios rather than remote exploitation. Repository structure: `main.go` is the orchestrator and primary entry point. `esp.go` implements the ESP/XFRM exploitation path, `rxrpc.go` implements the RxRPC/rxkad fallback path, `alg.go` provides AF_ALG helpers for kernel crypto operations, `fcrypt.go` contains a userspace port of the kernel fcrypt algorithm plus brute-force helpers, and `pty.go` handles post-exploitation interaction by spawning `su -` inside a PTY. `go.mod`/`go.sum` define a minimal Go module using `golang.org/x/sys`. `README.md` describes build/run steps and lists affected Linux distributions. Main exploit capabilities: the primary ESP/XFRM path (`suLPE` / `RunESPWorker`) re-execs itself in new user and network namespaces, brings up loopback, installs many crafted XFRM Security Associations, and uses a vmsplice+splice chain to trigger in-place ESP decryption against page-cache-backed file data. The intended effect is to overwrite the first 192 bytes of `/usr/bin/su` in page cache with an embedded minimal x86_64 ELF payload. That payload performs setuid/setgid-style privilege setup and executes `/bin/sh`. After patching, the exploit verifies marker bytes in `/usr/bin/su` and then launches `su -` through a PTY. The fallback RxRPC path targets `/etc/passwd`. It constructs attacker-controlled RxRPC v1 tokens, adds them to the process keyring, sets up AF_RXRPC sockets, computes rxkad checksum material using AF_ALG `pcbc(fcrypt)`, and brute-forces suitable 8-byte session keys offline using the userspace fcrypt implementation. It then performs multiple overlapping 8-byte in-place decrypt/write triggers so the root passwd entry becomes effectively `root::0:0:...:/root:/bin/bash`, enabling empty-password root login. The code explicitly checks for the patched prefix `root::0:0`. Post-exploitation behavior: `pty.go` opens `/dev/ptmx`, allocates a slave PTY, starts `su -`, bridges the user terminal to the PTY, and automatically sends a newline when it detects a password prompt, supporting both the patched-`su` and patched-`passwd` cases. Notable endpoints/targets are all local: `/usr/bin/su`, `/etc/passwd`, `/bin/bash`, `/dev/ptmx`, `/dev/pts/*`, `/proc/self/exe`, loopback interface `lo`, loopback IP `127.0.0.1`, and UDP port `4500` for ESP-in-UDP encapsulation. There are no external C2 or internet URLs. Overall, this is a real, operational local Linux kernel exploit chain with embedded payloads and automated privilege-escalation workflow.

Repository contains a small local Linux privilege-escalation toolkit for the so-called Dirty Frag exploit chain. Structure is simple: README.md documents lab validation steps and impact; dirty_frag_detect.py is a standalone detector that checks kernel version, patch/backport status, module availability/blacklisting, socket primitive availability, and mitigations; exp.c is the actual exploit PoC. The exploit is not framework-based. Main capability: exp.c performs local privilege escalation from an unprivileged user to root on vulnerable Linux kernels by abusing page-cache write/corruption primitives associated with CVE-2026-43284 (IPsec ESP path) and CVE-2026-43500 (RxRPC path). It contains logic for both exploit paths, supports forcing either path via command-line flags, and attempts multiple runs for the RxRPC path if needed. The code sets up user and network namespaces, manipulates loopback state, uses kernel networking interfaces including XFRM/netlink and RxRPC-related primitives, and targets a privileged executable for page-cache corruption. Payload behavior is explicit and high risk: exp.c embeds a minimal 192-byte x86_64 ELF payload and targets TARGET_PATH '/usr/bin/su'. The payload overwrites the beginning of the SUID binary in page cache, then when executed it calls setgid(0), setuid(0), setgroups(0,NULL), and execve('/bin/sh', ...) to provide a root shell. The main function then launches an interactive PTY-backed root shell if patching succeeded. This makes the repository a real exploit, not merely a detector, though it remains closer to an operational PoC than a generalized weaponized framework. Fingerprintable artifacts are mostly local file paths and kernel interfaces rather than remote C2/network infrastructure. Notable endpoints include /usr/bin/su, /bin/sh, /bin/bash, /proc/self/{setgroups,uid_map,gid_map}, /proc/modules, /sys/module/{esp4,esp6,rxrpc}, modprobe configuration directories, mitigation file /etc/modprobe.d/dirtyfrag.conf, and UDP port 4500 used for ESP-in-UDP handling. The README references 127.0.0.1 as the lab target and includes upstream GitHub URLs for the detector and exploit sources. Overall purpose: validate and exploit a local kernel LPE condition in a controlled lab environment, first by determining whether the host is likely exploitable and then by obtaining root through page-cache corruption of a privileged binary.

This repository is a standalone Go local privilege escalation exploit named `dirtyfrag-go`. It is not part of a larger exploit framework. The codebase contains 10 files, primarily Go source files implementing two Linux kernel exploit paths plus support code. Repository structure: `main.go` is the orchestrator and entry point. It checks whether the process is already root, parses `--force-esp`, `--force-rxrpc`, and verbose flags, tries the ESP/XFRM path first, falls back to the RxRPC path if needed, and launches a root PTY on success. `esp.go` implements the CVE-2026-43284 path: it re-execs itself into a new user and network namespace, brings up loopback, installs many XFRM Security Associations over `NETLINK_XFRM`, and uses a `vmsplice`/`splice` chain into an ESP-in-UDP socket on port 4500 to cause in-place decryption into the page cache of `/usr/bin/su`. The embedded payload is a 192-byte x86_64 ELF that yields a root shell. `rxrpc.go` implements the CVE-2026-43500 path: it crafts RxRPC/rxkad traffic over `AF_RXRPC`, installs attacker-controlled rxrpc keys into the process keyring, and performs three overlapping 8-byte page-cache writes against `/etc/passwd` so the root entry becomes effectively `root::0:0...`, enabling empty-password `su -`. `alg.go` provides AF_ALG helpers for kernel `pcbc(fcrypt)` operations used to compute rxkad-related values. `fcrypt.go` ports the kernel fcrypt implementation and includes a parallel brute-force routine to find session keys that decrypt to desired byte patterns. `pty.go` creates a PTY, runs `su -`, bridges terminal I/O, and auto-sends a blank password when prompted. Main exploit capabilities: (1) local kernel exploitation without disk writes by modifying only page-cache-backed file contents; (2) namespace-isolated execution to avoid requiring host `CAP_NET_ADMIN`; (3) two independent exploitation paths for resilience; (4) automatic privilege escalation to an interactive root shell. The exploit is operational rather than a simple PoC because it contains complete trigger logic, embedded payloading, fallback behavior, verification checks, and post-exploitation shell handling. Fingerprintable targets and artifacts are mostly local rather than remote: `/usr/bin/su`, `/etc/passwd`, `/dev/ptmx`, `/dev/pts/*`, `/proc/self/exe`, `/bin/bash`, `/dev/null`, loopback `127.0.0.1`, UDP port 4500, `AF_ALG`, `AF_RXRPC`, and `NETLINK_XFRM`. No external C2 or internet-hosted endpoints are present; the exploit is self-contained and uses kernel interfaces and local sockets only.

This repository is a Go-based local privilege escalation exploit named dirtyfrag-go. It is not part of a common exploitation framework and consists of 9 files, with the main logic spread across 6 Go source files: main.go orchestrates execution, esp.go implements the ESP/XFRM exploit path, rxrpc.go implements the AF_RXRPC/rxkad exploit path, alg.go provides AF_ALG helpers for kernel crypto operations, fcrypt.go ports the kernel fcrypt algorithm and brute-force helpers, and pty.go launches an interactive root shell through a PTY. The exploit targets two Linux kernel vulnerabilities identified in comments as CVE-2026-43284 and CVE-2026-43500. Its purpose is to gain root from an unprivileged local account by abusing kernel page-cache write primitives. The primary path in esp.go uses XFRM/ESP-in-UDP over loopback, installs many Security Associations through NETLINK_XFRM, and abuses in-place decryption triggered through vmsplice/splice to overwrite the first 192 bytes of /usr/bin/su with an embedded minimal x86_64 ELF payload. That payload performs privilege-changing syscalls and executes /bin/sh. The code re-execs itself into a child created with CLONE_NEWUSER|CLONE_NEWNET, brings up loopback, installs the SAs, performs repeated 4-byte writes, and verifies the patch by checking bytes at offset 0x78 in /usr/bin/su. The fallback path in rxrpc.go targets AF_RXRPC/rxkad. It constructs RxRPC headers and challenge packets, creates an rxrpc token with add_key into the process keyring, uses AF_ALG pcbc(fcrypt) helpers from alg.go to compute csum_iv and checksums, and leverages splice-based in-place decryption on file-backed pages. The goal is to patch /etc/passwd so the root entry becomes empty-password compatible. The repository includes a full userspace port of fcrypt in fcrypt.go plus parallel brute-force routines to discover suitable 8-byte session keys that decrypt chosen ciphertext blocks into desired plaintext fragments. The exploit performs three overlapping 8-byte writes with last-write-wins ordering to transform the root passwd entry. After either patch succeeds, pty.go opens /dev/ptmx, creates a slave PTY, runs su -, bridges terminal I/O, and automatically submits a blank password when prompted. main.go supports --force-esp, --force-rxrpc, and verbose mode, suppresses stderr by default, checks whether /usr/bin/su or /etc/passwd already appear patched, and either executes /bin/bash directly if already root or launches the exploit chain. Overall, this is a real operational local Linux kernel LPE exploit with embedded payloads and post-exploitation shell handling, not merely a detector or proof-of-concept stub.

This repository contains a standalone local privilege escalation exploit for Linux kernels, with two identical C source files (CVE-2026-43284.c and dirtyfrag.c) plus a README. The code is not part of a common exploitation framework. The main exploit logic is in the C files, which embed a compact x86_64 ELF payload and attempt to corrupt page-cache-backed contents of privileged executables using two kernel bug paths described as xfrm/ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). The exploit first checks whether it is already root and spawns /bin/bash if so. Otherwise it parses flags (--force-esp, --force-rxrpc, -v/--verbose), optionally suppresses stderr, and tries the ESP path first unless forced otherwise; if that does not patch the target, it falls back to the RxRPC path and retries. The visible code shows namespace setup via unshare(CLONE_NEWUSER|CLONE_NEWNET), writes to /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, and brings up the loopback interface. Constants indicate use of UDP encapsulated ESP on port 4500. The payload overwrites /usr/bin/su starting at offset 0 with a 192-byte ELF whose entry point performs setgid(0), setuid(0), setgroups(0,NULL), and execve(/bin/sh). After detecting that either target has been patched in page cache, the exploit launches an interactive root PTY session. Overall, the repository’s purpose is offensive proof-of-concept/operational exploitation of a local Linux kernel arbitrary page-cache write primitive to obtain a root shell by replacing a setuid binary in memory.

This repository is a compact local privilege escalation exploit for Linux named 'Dirty Frag'. It contains one substantive code file, exp.c, plus a README and .gitignore. The exploit is not part of a common exploitation framework; it is a standalone C proof-of-concept with operational payloading. Core purpose: chain two Linux kernel page-cache write vulnerabilities—CVE-2026-43284 (xfrm-ESP Page-Cache Write) and CVE-2026-43500 (RxRPC Page-Cache Write)—to gain root on vulnerable Linux systems. The code supports multiple paths: an xfrm-ESP-based path, an RxRPC-based path, and fallback logic that tries one then the other. Command-line flags shown in main include --force-esp, --force-rxrpc, and verbose options. Main exploit capability: overwrite the beginning of a privileged setuid executable in page cache with a hardcoded 192-byte x86_64 ELF payload. The default target path visible in the code is /usr/bin/su. The embedded ELF performs setgid(0), setuid(0), setgroups(0, NULL), and execve('/bin/sh', ...), yielding a root shell. The main routine then invokes a PTY-backed interactive shell helper (run_root_pty) if patching succeeded. There are also indicators that the code can target passwd as an alternate path, based on functions such as passwd_already_patched() and either_target_patched(). Exploit structure highlights from exp.c: - Embedded payload blob (shell_elf) containing a minimal root-shell ELF. - Namespace setup helper setup_userns_netns() that unshares CLONE_NEWUSER | CLONE_NEWNET, writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, and brings up the loopback interface lo. - Networking-related logic using AF_INET/UDP and Linux netlink/xfrm headers, consistent with xfrm-ESP exploitation. UDP port 4500 is explicitly defined for ESP-in-UDP encapsulation. - Main orchestration logic that selects exploit path(s), suppresses stderr unless verbose, retries RxRPC exploitation, checks whether target binaries were patched in page cache, and launches an interactive root shell on success. Repository structure: - .gitignore: trivial editor ignore. - README.md: vulnerability overview, affected versions, quick compile/run instructions, cleanup guidance, mitigation steps, and tested distributions. - exp.c: full standalone exploit implementation. Overall assessment: this is a real local Linux kernel LPE exploit, not a detector. It is operational because it includes a built-in privilege-escalation payload and post-exploitation shell handling, but it is not highly modular or framework-driven.

Repository contains a single substantive exploit source file, dirtyfrag_arm64.c, plus a README and license. This is a standalone C local privilege escalation exploit for arm64/aarch64 Linux, described as a port of the upstream dirtyfrag PoC targeting CVE-2026-43284 and CVE-2026-43500. The README explains that the original x86_64 exploit had two paths (ESP/xfrm and rxrpc/rxkad), but on arm64 only the ESP path is usable because the rxrpc path triggers a kernel oops via flush_dcache_page rather than yielding reliable exploitation. The exploit’s main capability is page-cache corruption of a privileged executable, specifically /usr/bin/su on arm64. It embeds a 212-byte minimal aarch64 ELF payload directly in the C source. That payload performs setgid(0), setuid(0), setgroups(0,NULL), and execve("/bin/sh", NULL, envp), effectively yielding a root shell. The main function supports flags such as --force-esp and --force-rxrpc, but README states --force-esp should be used on arm64 to avoid the rxrpc crash. After attempting corruption, the code checks whether a target was patched and, on success, invokes run_root_pty() to provide an interactive root shell. Structurally, the code includes namespace setup and network preparation logic. setup_userns_netns() calls unshare(CLONE_NEWUSER | CLONE_NEWNET), writes /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map, then creates an AF_INET datagram socket and brings up the loopback interface lo. The presence of Linux netlink/rtnetlink and xfrm headers, UDP encapsulation constants, and ENC_PORT 4500 indicates the exploit uses IPsec/ESP-in-UDP mechanics as part of the corruption primitive. This makes the exploit both a local privilege escalation and one that leverages local networking/kernel network stack features. Fingerprintable observables include the hardcoded target path /usr/bin/su, payload execution path /bin/sh, direct exec of /bin/bash when already root, procfs namespace mapping files, loopback interface lo, and UDP port 4500 for ESP encapsulation. README also references /etc/passwd as the upstream fallback target on x86_64 and provides mitigation-related paths such as /etc/modprobe.d/dirtyfrag.conf. Overall, this is a real exploit rather than a detector. It is operational: it contains a working embedded payload and exploitation logic, but it is not part of a larger exploitation framework. Its purpose is to demonstrate and weaponize an arm64-specific port of Dirty Frag for authorized security research by obtaining root on vulnerable Linux systems where unprivileged user namespaces are enabled and the ESP path is available.

Repository contains a single substantial C exploit (CVE-2026-43284.c) plus a README. This is a real local Linux privilege-escalation exploit, not a scanner or proof-only stub. The code targets Linux kernel page-cache corruption primitives described in the README as Dirty Frag / Copy Fail 2, using two kernel attack paths: xfrm/ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500). The exploit is operational: it embeds a ready-to-use 192-byte x86_64 ELF payload that sets UID/GID to 0 and execs /bin/sh, then attempts to overwrite a privileged target such as /usr/bin/su in page cache so execution yields root. Structurally, the exploit includes namespace setup helpers, procfs UID/GID mapping, loopback interface activation, netlink/xfrm-related code for the ESP path, alternate RxRPC exploitation logic, patch-state checks (e.g., whether su/passwd targets are already modified), stderr suppression/restore, argument rewriting, and PTY-based root shell handling. The main function selects the ESP path first by default, falls back to RxRPC if needed, or allows explicit selection with --force-esp / --force-rxrpc. If exploitation succeeds, it launches an interactive root shell. Fingerprintable artifacts are primarily local file and kernel-interface paths rather than remote infrastructure: /usr/bin/su, /bin/sh, /bin/bash, /proc/self/setgroups, /proc/self/uid_map, /proc/self/gid_map, the loopback interface lo, and UDP encapsulation port 4500 for the ESP vector. Overall purpose: deterministic local root escalation on vulnerable Linux systems by abusing kernel fragment/page-cache corruption to replace privileged executable contents with a minimal root-shell ELF.

This repository is a standalone C exploit toolkit named DIRTYFAIL that builds a single binary (`dirtyfail`) from multiple source modules. It is not just a detector: it contains real local privilege-escalation PoCs for three Linux kernel vulnerability families/variants: Copy Fail (CVE-2026-31431), Dirty Frag xfrm-ESP IPv4/IPv6 (CVE-2026-43284), and Dirty Frag RxRPC (CVE-2026-43500), plus a GCM-based xfrm variant and a page-cache backdoor mode. Repository structure: `src/dirtyfail.c` is the main CLI entry point and dispatches scan, exploit, cleanup, and AppArmor-bypass-assisted modes. `src/common.[ch]` provides shared helpers for logging, kernel/module checks, passwd parsing, cache eviction, and confirmation prompts. `src/copyfail.[ch]` implements the AF_ALG `authencesn(hmac(sha256),cbc(aes))` 4-byte arbitrary page-cache write primitive and uses it to flip the current user’s UID in `/etc/passwd` to `0000`, then invokes `su`. `src/copyfail_gcm.[ch]` implements a more granular 1-byte write primitive using xfrm-ESP with `rfc4106(gcm(aes))`, including AF_ALG keystream-byte computation and IV brute force; this primitive is also exposed to other modules. `src/dirtyfrag_esp.[ch]` and `src/dirtyfrag_esp6.[ch]` implement IPv4 and IPv6 xfrm-ESP exploit chains that register attacker-controlled SAs via NETLINK_XFRM, use loopback UDP encapsulation on port 4500, and splice `/etc/passwd` into the vulnerable in-place decrypt path. `src/dirtyfrag_rxrpc.[ch]` implements the RxRPC variant, including forged RxRPC/rxkad traffic and brute-forced fcrypt session keys to shape 8-byte overwrites that empty root’s password field in the page-cache copy of `/etc/passwd`. `src/fcrypt.[ch]` contains the rxkad/fcrypt implementation and brute-force harness used by the RxRPC exploit. `src/apparmor_bypass.[ch]` adds a multi-stage self-reexec bypass for Ubuntu AppArmor restrictions on unprivileged user namespaces by writing to `/proc/self/attr/exec` and switching into permissive profiles such as `crun` or `chrome`. `src/backdoor.[ch]` uses the GCM 1-byte primitive to rewrite a length-matched `nologin` passwd entry into `dirtyfail::0:0:<pad>:/:/bin/bash`, storing restoration state in `/var/tmp/.dirtyfail.state`. Main exploit capabilities: (1) safe-ish detection modes that probe prerequisites or use a temporary sentinel file rather than system files; (2) real page-cache-only overwrite of `/etc/passwd` to gain root; (3) optional spawning of `su`, `su -`, or `su - dirtyfail`; (4) temporary persistence via a page-cache backdoor user; and (5) cleanup via `POSIX_FADV_DONTNEED` and `/proc/sys/vm/drop_caches`. The exploit is operational rather than framework-integrated: payloads are hardcoded around local root escalation and page-cache manipulation, but the code is complete and modular.