Yao Zi 2026-05-11 08:28:12 +08:00 committed by GitHub
commit 0906c4d8be
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 59 additions and 11 deletions

@ -451,7 +451,7 @@ The chain exploit proceeds as follows.
2. Check whether the first byte of the shellcode has been planted at the entry offset of /usr/bin/su.
On modification success → parent process performs forkpty + execve("/usr/bin/su") → root shell.
3. On modification failure (e.g. unshare(USER) returns -EPERM, or esp4.ko is not loaded, or SA registration fails):
3. On modification failure (e.g. unshare(USER) returns -EPERM, or neither esp4.ko nor esp6.ko is loaded, or SA registration fails):
Fall back to the RxRPC variant:
/etc/passwd line 1 K search → three splice triggers → passwd field empty
forkpty + execve("/usr/bin/su") → PAM nullok → root shell.
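Review bot: the new wording of step 3 ("neither esp4.ko nor esp6.ko is loaded") implies the exploit probes both ESP modules before giving up, but nothing in steps 2 or 3 of this hunk says which module is tried first or how its absence is detected (module listing versus a failed SA registration), so a reader cannot tell whether "neither loaded" is a separate precondition or just another way the SA registration step fails. Suggest one clarifying clause after the parenthetical, e.g. "the esp6 path is attempted only when the esp4 SA registration fails", or whatever the exploit actually does, so the fallback condition is unambiguous.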