milliways-infosec/dirtyfrag
5
0
Fork 0
mirror of https://github.com/V4bel/dirtyfrag.git synced 2026-05-16 10:50:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update write-up to mention that esp6.ko will be exploited in PoC

Browse source 
Signed-off-by: Yao Zi <me@ziyao.cc>
This commit is contained in:
Yao Zi 2026-05-08 02:42:18 +00:00
parent 191fe97b00
commit f01824fc22
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
assets/write-up.md
View file

@ -446,7 +446,7 @@ The chain exploit proceeds as follows.
2. Check whether the first byte of the shellcode has been planted at the entry offset of /usr/bin/su. 2. Check whether the first byte of the shellcode has been planted at the entry offset of /usr/bin/su.
On modification success → parent process performs forkpty + execve("/usr/bin/su") → root shell. On modification success → parent process performs forkpty + execve("/usr/bin/su") → root shell.
3. On modification failure (e.g. unshare(USER) returns -EPERM, or esp4.ko is not loaded, or SA registration fails): 3. On modification failure (e.g. unshare(USER) returns -EPERM, or neither esp4.ko nor esp6.ko is loaded, or SA registration fails):
Fall back to the RxRPC variant: Fall back to the RxRPC variant:
/etc/passwd line 1 K search → three splice triggers → passwd field empty /etc/passwd line 1 K search → three splice triggers → passwd field empty
forkpty + execve("/usr/bin/su") → PAM nullok → root shell. forkpty + execve("/usr/bin/su") → PAM nullok → root shell.