From 8382a43db0c392a8b5a275c7436e70a52102f1ba Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 8 May 2026 17:21:29 +0200
Subject: [PATCH 1/2] Create expl_lnx_dirtyfrag.yar
---
 yara/expl_lnx_dirtyfrag.yar | 75 +++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100644 yara/expl_lnx_dirtyfrag.yar
diff --git a/yara/expl_lnx_dirtyfrag.yar b/yara/expl_lnx_dirtyfrag.yar
new file mode 100644
index 00000000..17fde833
--- /dev/null
+++ b/yara/expl_lnx_dirtyfrag.yar
@@ -0,0 +1,75 @@
+rule EXPL_HKTL_LNX_DirtyFragLPE_May26 {
+ meta:
+ description = "Detects dirtyfrag, a local privilege escalation exploit for Linux."
+ author = "Pezier Pierre-Henri (Nextron Systems)"
+ date = "2026-05-07"
+ score = 80
+ hash = "c35594d42f7a5d5d2895164147ee1bc62bb8e294c8468093b7d6fcaab0b174c8"
+ reference = "https://github.com/V4bel/dirtyfrag/tree/master"
+ strings:
+ // Indicators of exploitation attempts
+ $x1 = "gained CAP_NET_RAW within netn" ascii
+ $x2 = "DIRTYFRAG_VERBOSE" ascii
+
+ $s1 = { 15 7C 4A 7F B9 79 37 9E } // fc_splitmix64
+ $s2 = "/proc/self/setgroups" ascii fullword
+ $s3 = "pcbc(fcrypt)" ascii fullword
+ $s4 = { 17 bb c7 f3 3f 36 ba 71 8e 97 65 60 69 b6 f6 e6 }
+ condition:
+ filesize < 100KB
+ and uint32be(0) == 0x7f454c46
+ and (
+ 1 of ($x*)
+ or 3 of ($s*)
+ )
+}
+
+rule EXPL_HKTL_LNX_DirtyFragShellcode_May26 {
+ meta:
+ description = "Detects a shellcode observed in dirtyfrag, a local privilege escalation exploit for Linux."
+ reference = "https://github.com/V4bel/dirtyfrag/tree/master"
+ author = "Pezier Pierre-Henri (Nextron Systems)"
+ date = "2026-05-07"
+ score = 80
+ hash = "a02ea2ba8108a9b7a997faa8808cfc55bb69af54e69178fa5aa1785681cf0ced"
+ strings:
+ $op1 = {
+ 31 ff // xor edi, edi
+ 31 f6 // xor esi, esi
+ 31 c0 // xor eax, eax
+ b0 6a // mov al, 6Ah ; 'j'
+ 0f 05 // syscall; LINUX - sys_setgid
+ b0 69 // mov al, 69h ; 'i'
+ 0f 05 // syscall; LINUX - sys_setuid
+ b0 74 // mov al, 74h ; 't'
+ 0f 05 // syscall; LINUX - sys_setgroups
+ 6a 00 // push 0
+ 48 [6] // lea rax, aTermXterm; "TERM=xterm"
+ 50 // push rax
+ 48 89 e2 // mov rdx, rsp
+ 48 [6] // lea rdi, aBinSh; "/bin/sh"
+ 31 f6 // xor esi, esi
+ 6a 3b // push 3Bh ; ';'
+ 58 // pop rax
+ 0f 05 // syscall; LINUX - sys_execve
+ }
+ condition:
+ $op1
+}
+
+rule EXPL_LNX_DirtyFrag_ForensicArtefacts_May26 {
+ meta:
+ description = "Detects DirtyFrag exploit code POC usage in Linux environments"
+ author = "Florian Roth"
+ reference = "https://github.com/V4bel/dirtyfrag/tree/master"
+ date = "2026-05-08"
+ score = 75
+ strings:
+ $xa1 = "echo 3 > /proc/sys/vm/drop_caches" ascii
+ $xa2 = "/V4bel/dirtyfrag.git" ascii
+ $xa3 = "static const uint8_t shell_elf[PAYLOAD_LEN] = {" ascii
+ $xa4 = "/usr/bin/su page-cache patched (entry 0x%x = shellcode)" ascii
+ condition:
+ filesize < 800KB
+ and 1 of ($xa*)
+}
From cd323c8621927f9a7675b6925a3b620085586749 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 8 May 2026 17:25:48 +0200
Subject: [PATCH 2/2] Update expl_lnx_dirtyfrag.yar
---
 yara/expl_lnx_dirtyfrag.yar | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/yara/expl_lnx_dirtyfrag.yar b/yara/expl_lnx_dirtyfrag.yar
index 17fde833..eddf677a 100644
--- a/yara/expl_lnx_dirtyfrag.yar
+++ b/yara/expl_lnx_dirtyfrag.yar
@@ -65,10 +65,9 @@ rule EXPL_LNX_DirtyFrag_ForensicArtefacts_May26 {
 date = "2026-05-08"
 score = 75
 strings:
- $xa1 = "echo 3 > /proc/sys/vm/drop_caches" ascii
- $xa2 = "/V4bel/dirtyfrag.git" ascii
- $xa3 = "static const uint8_t shell_elf[PAYLOAD_LEN] = {" ascii
- $xa4 = "/usr/bin/su page-cache patched (entry 0x%x = shellcode)" ascii
+ $xa1 = "/V4bel/dirtyfrag.git" ascii
+ $xa2 = "static const uint8_t shell_elf[PAYLOAD_LEN] = {" ascii
+ $xa3 = "/usr/bin/su page-cache patched (entry 0x%x = shellcode)" ascii
 condition:
 filesize < 800KB
 and 1 of ($xa*)