From f01824fc22e3e6debeff495194c44cdf791669f0 Mon Sep 17 00:00:00 2001 From: Yao Zi Date: Fri, 8 May 2026 02:42:18 +0000 Subject: [PATCH] Update write-up to mention that esp6.ko will be exploited in PoC Signed-off-by: Yao Zi --- assets/write-up.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/write-up.md b/assets/write-up.md index dfd6c23..555dcea 100644 --- a/assets/write-up.md +++ b/assets/write-up.md @@ -446,7 +446,7 @@ The chain exploit proceeds as follows. 2. Check whether the first byte of the shellcode has been planted at the entry offset of /usr/bin/su. On modification success → parent process performs forkpty + execve("/usr/bin/su") → root shell. -3. On modification failure (e.g. unshare(USER) returns -EPERM, or esp4.ko is not loaded, or SA registration fails): +3. On modification failure (e.g. unshare(USER) returns -EPERM, or neither esp4.ko nor esp6.ko is loaded, or SA registration fails): Fall back to the RxRPC variant: /etc/passwd line 1 K search → three splice triggers → passwd field empty forkpty + execve("/usr/bin/su") → PAM nullok → root shell.
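Review bot: the changed step 3 line now names both esp4.ko and esp6.ko in the failure condition, but nothing in the hunk's context says how the primary path chooses between them (try esp4 first and fall back to esp6, or whichever is loaded), so the write-up is now inconsistent with itself unless the earlier step that does the SA registration was updated in the same way. Suggest stating the selection order in that step, e.g. "SA registration against esp4.ko, or esp6.ko if only that is loaded", and checking that any other mention of "esp4.ko" in write-up.md still matches; as submitted, only this one line of the document changes (1 insertion, 1 deletion per the diffstat).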