This module exploits DirtyFrag, a local privilege escalation vulnerability chain in the Linux kernel that can corrupt cached pages of privileged files through kernel networking components. The trigger binary supports two exploitation paths. The ESP path temporarily corrupts the page-cache contents of "/usr/bin/su" with a small ELF launcher that executes a caller-supplied custom ELF as root. The rxrpc/rxkad path temporarily corrupts the page-cache contents of "/etc/passwd" to allow passwordless root authentication through "su" and then executes the supplied custom ELF.

Before running either path, the trigger binary creates a temporary full backup of the target file it may corrupt. The ESP path restores "/usr/bin/su" from its backup after the patched "su" process is launched. The rxrpc/rxkad path restores "/etc/passwd" from its backup and removes that backup before handing execution to the custom ELF.

The module uploads the DirtyFrag trigger binary and a generated Core Impact agent ELF with random names to the temporary directory given in the TMP_DIR parameter; if the parameter is not set, "/tmp" is used. The exploit is executed as the uploaded trigger binary with the uploaded agent path as its custom ELF argument. Once the attack is complete, a new Core Impact agent is deployed on the target system with root user privileges. After the new agent connects, the module attempts to drop filesystem caches with the "sysctl" command and removes the uploaded trigger and agent binaries.
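A defender-side integrity probe that follows from the mechanism described above, added here and not part of the Core Impact module or the trigger binary: both paths alter the page-cache copy of "/usr/bin/su" or "/etc/passwd" while the on-disk blocks stay intact, so a buffered read and an O_DIRECT read of the same file disagree until caches are dropped. It assumes GNU or busybox dd and sha256sum are available; the file list and the result labels are this example's own choices.

```sh
#!/bin/sh
# Added detection check (not the module's code). Compares the page-cache view
# of a file (ordinary read) with its on-disk content (O_DIRECT read). A page
# cache corrupted in the way the module description explains yields different
# hashes; once caches are dropped (the module runs "sysctl" for that) the two
# views agree again, so run this while the system is live or on a schedule.

# Hash a file through the page cache (ordinary buffered read).
cached_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Hash the same file bypassing the page cache via O_DIRECT. Prints nothing
# when the filesystem refuses direct I/O (e.g. tmpfs), so the caller can
# distinguish "identical" from "could not verify".
direct_hash() {
    tmp=$(mktemp) || return 1
    if dd if="$1" of="$tmp" iflag=direct bs=4096 2>/dev/null; then
        sha256sum "$tmp" | cut -d' ' -f1
    fi
    rm -f "$tmp"
}

# Compare both views of one file.
# Prints exactly one of: unreadable, unverifiable, ok, MISMATCH.
check_file() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return; }
    c=$(cached_hash "$f")
    d=$(direct_hash "$f")
    if [ -z "$d" ]; then
        echo unverifiable
    elif [ "$c" = "$d" ]; then
        echo ok
    else
        echo MISMATCH
    fi
}

# The two files the module description names as page-cache corruption targets.
for f in /usr/bin/su /etc/passwd; do
    printf '%s\t%s\n' "$(check_file "$f")" "$f"
done
```

A MISMATCH on either file is a strong signal that the page cache no longer reflects the file on disk; an "unverifiable" result only means the filesystem does not support direct I/O and the check must be done another way (for example by comparing against package-manager checksums).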