DirtyClone
CVE-2026-43503 ("DirtyClone") is a Linux kernel local privilege escalation vulnerability in the networking stack's sk_buff fragment-transfer logic. Several helpers, notably __pskb_copy_fclone() and skb_shift(), failed to propagate the SKBFL_SHARED_FRAG marker in skb_shinfo()->flags when moving fragment descriptors between skbs; similar omissions were identified in skb_gro_receive(), skb_gro_receive_list(), tcp_clone_payload(), and skb_segment(). As a result, a destination skb can hold references to externally owned or page-cache-backed pages while skb_has_shared_frag() reports false for it.

That state mismatch matters because in-place packet writers rely on skb_has_shared_frag() to decide whether shared pages must first be copied via skb_cow_data() before the payload is modified. The documented exploitation path duplicates packets into ESP input handling (for example via nft dup to a local address, nf_dup_ipv4(), or xt_TEE), so that authencesn ESN processing performs stray writes into page-cache-backed memory.

Public reporting describes the outcome as corruption of file-backed memory through cloned network packets, including in-memory modification of privileged binaries without altering the on-disk file. Because the on-disk file is untouched, the modification lives only in the page cache and is gone once those pages are evicted; until then, anything that reads the file through the page cache, including the loader that executes the binary, sees the modified bytes.
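The following userland model, added for this page and not taken from the kernel or from any of the exploits listed below, shows why a missing flag propagation turns into a write outside the skb's own memory. It mimics the three pieces named above with toy structures: a shared-page marker in the skb's flags, a fragment-transfer routine in a buggy and a fixed variant, and an in-place writer that decides whether to copy shared pages (what skb_cow_data() does for ESP) purely from skb_has_shared_frag(). The flag value, struct layouts, page size and page contents are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userland model of the skb fragment-ownership flag. In the kernel this bit
 * lives in skb_shinfo(skb)->flags and is set when frags point at pages the
 * skb does not own (user pages from zerocopy sends, page-cache pages from
 * splice/sendfile). Everything below is an illustration, not kernel code;
 * the bit position and sizes are assumed. */
#define SKBFL_SHARED_FRAG (1u << 1)
#define MAX_FRAGS 4
#define PAGE_BYTES 64

struct page {
    uint8_t data[PAGE_BYTES];
    bool shared;              /* true: page cache / user memory, not ours to write */
};

struct frag { struct page *page; size_t len; };

struct skb {
    unsigned int flags;       /* stands in for skb_shinfo(skb)->flags */
    int nr_frags;
    struct frag frags[MAX_FRAGS];
};

static bool skb_has_shared_frag(const struct skb *s)
{
    return (s->flags & SKBFL_SHARED_FRAG) != 0;
}

/* The originating path marks the skb when it attaches a page it does not own. */
static void skb_attach_page(struct skb *s, struct page *pg, size_t len)
{
    s->frags[s->nr_frags++] = (struct frag){ pg, len };
    if (pg->shared)
        s->flags |= SKBFL_SHARED_FRAG;
}

/* Buggy transfer, the pattern the CVE describes: the descriptors move to dst
 * but the ownership bit stays behind on src. */
static void transfer_frags_buggy(struct skb *dst, struct skb *src)
{
    for (int i = 0; i < src->nr_frags; i++)
        dst->frags[dst->nr_frags++] = src->frags[i];
    src->nr_frags = 0;
}

/* Fixed transfer: the bit travels with the descriptors. */
static void transfer_frags_fixed(struct skb *dst, struct skb *src)
{
    transfer_frags_buggy(dst, src);
    dst->flags |= src->flags & SKBFL_SHARED_FRAG;
}

/* In-place writer modelled on ESP input: copy shared pages into private ones
 * (the job skb_cow_data() does) only if the skb admits to having any, then
 * write the "decrypted" bytes back into the fragments. */
static void inplace_write(struct skb *s, uint8_t byte, struct page *priv)
{
    if (skb_has_shared_frag(s)) {
        for (int i = 0; i < s->nr_frags; i++) {
            memcpy(priv[i].data, s->frags[i].page->data, s->frags[i].len);
            priv[i].shared = false;
            s->frags[i].page = &priv[i];
        }
        s->flags &= ~SKBFL_SHARED_FRAG;
    }
    for (int i = 0; i < s->nr_frags; i++)
        memset(s->frags[i].page->data, byte, s->frags[i].len);
}

/* Hand a constructed "page-cache" page to a source skb, move its frags to a
 * destination skb with the chosen transfer routine, then run the in-place
 * writer on the destination. Returns true if the shared page was modified,
 * i.e. a stray write landed in memory the skb did not own. */
static bool shared_page_corrupted(bool use_fixed_transfer)
{
    struct page cache_page = { .shared = true };
    struct page priv[MAX_FRAGS] = { 0 };
    struct skb src = { 0 }, dst = { 0 };

    memset(cache_page.data, 'A', PAGE_BYTES);       /* constructed file content */
    skb_attach_page(&src, &cache_page, PAGE_BYTES);

    if (use_fixed_transfer)
        transfer_frags_fixed(&dst, &src);
    else
        transfer_frags_buggy(&dst, &src);

    inplace_write(&dst, 'X', priv);
    return cache_page.data[0] == 'X';
}

int main(void)
{
    printf("buggy transfer: shared page corrupted = %d\n", shared_page_corrupted(false));
    printf("fixed transfer: shared page corrupted = %d\n", shared_page_corrupted(true));
    return 0;
}
```

With the buggy transfer the destination skb is a clean-looking buffer over someone else's page, the writer skips the copy and the page-cache page takes the write; with the fixed transfer the same writer copies first and the page is left alone. The in-kernel checks are the same shape: the only thing standing between the ESP decryptor and a file-backed page is the flag carried in skb_shinfo()->flags.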
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small standalone local privilege escalation exploit PoC for CVE-2026-43503 ('DirtyClone'). It contains two files: a README describing the vulnerability and affected Linux kernel versions, and a single Python exploit script, dirtyclone.py, which is the main entry point. The exploit is intended for local execution on Linux, not remote exploitation.

Its overall flow is: create a new user and network namespace, map the current user to UID/GID 0 inside the namespace, configure loopback networking, prepare XFRM/IPsec-related state, and then trigger the kernel memory corruption associated with cloned sk_buff fragment handling. The script uses the resulting write primitive against a privileged binary to hijack execution and gain root.

Notable capabilities visible in the code include:

- Namespace setup via unshare() using CLONE_NEWUSER and CLONE_NEWNET.
- Writes to /proc/self/setgroups, /proc/self/uid_map, and /proc/self/gid_map to establish namespace privileges.
- Loopback configuration using the ip command and assignment of 10.99.0.2/24 to lo.
- Use of AF_ALG and XFRM/IPsec-related constants, suggesting the exploit abuses kernel crypto/IPsec plumbing as part of heap shaping or trigger logic.
- A hardcoded target SUID binary (/usr/bin/su) and offset constant, implying a file overwrite or code-stomping stage against a privileged executable.
- Embedded x86_64 shellcode that calls setgid(0), setuid(0), and execve('/bin/sh').
- Fallback/interactive root shell behavior via /bin/bash when already privileged.

The repository is more than a detector: it contains operational exploit logic and a real payload. Based on the visible code, it is best classified as an OPERATIONAL PoC rather than a framework-integrated or highly modular weaponized exploit. The script includes environment checks, troubleshooting guidance, and local system manipulation consistent with a practical LPE exploit.
Repository contains a single C proof-of-concept exploit and a README describing the vulnerability. The exploit targets CVE-2026-43503 ('DirtyClone'), a Linux kernel local privilege escalation bug in networking/SKB fragment handling. The code is a standalone local exploit, not part of a framework.

Structure: README.md provides vulnerability background, impact, and fixed kernel versions. CVE-2026-43503.c is the operational exploit entry point. It creates new user and network namespaces, writes /proc/self/{setgroups,uid_map,gid_map}, and brings up the loopback interface. It then interacts with the kernel XFRM/IPsec subsystem over NETLINK_XFRM, creating many security associations whose SPI/sequence-related values are derived from an embedded 192-byte ELF payload. The exploit uses a page-cache corruption/write primitive against /usr/bin/su, writing the payload in 4-byte chunks. After the corruption stage, it verifies expected bytes at a fixed entry offset and, on success, executes /usr/bin/su -c /bin/sh to obtain a root shell.

Main capability: local privilege escalation to root by modifying the page cache of a root-owned executable (/usr/bin/su) and then invoking it. The payload is embedded and hardcoded rather than user-configurable, so the exploit is best classified as OPERATIONAL rather than weaponized. No external C2 or remote network infrastructure is present; all networking activity is local to the host, primarily loopback and kernel netlink/XFRM interactions.
This repository is a compact two-file local privilege escalation PoC for CVE-2026-43503 (DirtyClone). The main code is in CVE-2026-43503.py, with README.md providing a short vulnerability description, usage example, and prerequisites. The exploit is not part of a larger framework.

The Python script targets a Linux kernel flaw involving cloned sk_buff handling during ESP-in-UDP processing. It creates new user and network namespaces with unshare(), configures loopback XFRM/IPsec state and policy using ip xfrm, and installs an iptables TEE rule to clone outbound UDP/4500 traffic toward 127.0.0.2. It then opens /etc/passwd read-only, derives crafted IVs using AES decryption with a static 16-byte key, and sends specially formed ESP-in-UDP packets over 127.0.0.1:4500 so that in-place decryption corrupts file-backed page-cache memory. The intended corruption replaces the beginning of /etc/passwd in cache with a new root-level account entry. The hardcoded payload injects account 'firefart' with password 'pwned' and a preset SHA-512 hash, preserving the original root line and appending a second UID 0 entry.

After the overwrite attempt, the script checks whether the account is visible through the system password database, runs 'su' with the known password to execute 'id', and if successful offers an interactive root shell via /bin/bash on a PTY.

Capabilities include: local kernel exploitation, namespace setup, XFRM/IPsec and iptables manipulation, page-cache-only modification of /etc/passwd, creation of a usable UID 0 account, privilege verification, and interactive root shell access. There are no external internet endpoints; all network activity is local loopback traffic using 127.0.0.1/127.0.0.2 and UDP port 4500.
Affected products & vendors
Recent activity
28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.