Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days
ID: a35196bb-3047-52b6-b987-9e1a3ff58258
STIX ID: report--a35196bb-3047-52b6-b987-9e1a3ff58258
Feed Name: Will's Root
This write-up documents an authenticated kernel remote code execution exploit against ksmbd on Linux 6.1.45: the author chains a controlled SLUB overflow (CVE-2023-52440) with an authenticated extended-attribute leak (CVE-2023-4130) to obtain kernel heap and KASLR leaks, perform arbitrary free/reclaim, overwrite a ksmbd object to hijack control flow, and build a ROP chain that calls call_usermodehelper to spawn a reverse shell. The exploit requires credentials or write access to an SMB share, is reported as highly reliable in the author’s lab (single-core preferred), and is noted as less impactful in practice because ksmbd is not commonly deployed in production.
