
Implement DirtyFrag and DirtyPipe exploit modules #132

Merged: brightio merged 1 commit into brightio:main from halilkirazkaya:halilkirazkaya-patch-1 on Jun 4, 2026

@halilkirazkaya (Contributor)

Overview

This PR adds two new Privilege Escalation modules to Penelope's module system, following the same upload pattern as existing modules (e.g., ligolo, traitor, ghostpack).


New Modules

dirtyfrag — Universal Linux LPE

  • CVE-2026-43284: xfrm-ESP Page-Cache Write
  • CVE-2026-43500: RxRPC Page-Cache Write
  • Source: https://github.com/v4bel/dirtyfrag
  • Downloads the full repository as a dirtyfrag/ folder on the target.
  • Deterministic logic bug — no race condition required, no kernel panic on failure. Chains two page-cache write primitives to cover each other's blind spots (e.g., Ubuntu with AppArmor + systems without rxrpc.ko), achieving reliable root on virtually all major Linux distributions (Ubuntu, RHEL, Fedora, openSUSE, CentOS Stream, AlmaLinux, etc.).

dirtypipe — Linux Pipe Privilege Escalation


Usage

(Penelope)─(Session [1])> run dirtyfrag
(Penelope)─(Session [1])> run dirtypipe

After upload, compile on the target with:

# DirtyFrag
cd tmp/dirtyfrag && gcc -O0 -Wall -o exp exp.c -lutil && ./exp

# DirtyPipe
cd tmp/dirtypipe && gcc exploit-1.c -o exploit-1 && ./exploit-1

Testing

Both modules were tested against the TryHackMe — Dirty Pipe room, which provides a vulnerable Linux environment ideal for verifying CVE-2022-0847. Notably, the same machine is also susceptible to the DirtyFrag vulnerability chain, making it a convenient single target for testing both modules end-to-end.


Added modules for DirtyFrag and DirtyPipe privilege escalation exploits, including upload functionality and error handling for Unix environments.
@brightio brightio merged commit 2181a9e into brightio:main Jun 4, 2026
@brightio (Owner) commented Jun 4, 2026

Good job @halilkirazkaya!

@brightio (Owner) commented Jun 8, 2026

@halilkirazkaya regarding https://github.com/v4bel/dirtyfrag I will modify the module to upload only the .c file. Is there any problem with that?

@halilkirazkaya (Contributor, Author)

> @halilkirazkaya regarding https://github.com/v4bel/dirtyfrag I will modify the module to upload only the .c file. Is there any problem with that?

No, there is no problem with that; it might even be better.
