Copy Fail

This is a compact standalone local privilege escalation repository for CVE-2026-46333. It is not a framework module. The repo contains 5 files: a Makefile, README, headers, a D-Bus marshaling/payload file (dbus.c/dbus.h), and the main exploit (ptrace_may_dream.c). The Makefile builds a single binary, ptrace_may_dream, from ptrace_may_dream.c and dbus.c and links pthread, crypt, and util libraries. The exploit targets a Linux kernel race in ptrace_may_access() when mm == NULL during pidfd_getfd(2). The core idea is to race pidfd_getfd() against the exit of a privileged short-lived process so that ptrace access checks are skipped, allowing an unprivileged user to duplicate an open file descriptor from that process. Here, the chosen victim is accounts-daemon. The exploit searches /proc for the accounts-daemon PID, uses busctl to trigger activity in AccountsService, and specifically abuses SetIconFile to cause a short-lived child process. Multiple racing threads repeatedly call pidfd_getfd() against a guessed FD slot (default 5, matching the README note for dbus-broker) until one thread steals the D-Bus socket FD. Once the FD is stolen, the exploit writes a handcrafted D-Bus payload directly to that socket. dbus.c constructs three concatenated method calls on org.freedesktop.Accounts.User for the current user's object path: SetShell("/bin/bash"), SetAccountType(admin), and SetPassword(hash, ""). The password is hardcoded in dbus.h as pwned123 and hashed with crypt() using SHA-512 salt $6$xpl01t$. After sending the payload, the main program waits for accounts-daemon to apply the changes, verifies success by checking /etc/group for wheel membership and /etc/passwd for /bin/bash, then attempts to launch a root-capable shell path. Capabilities are therefore: local process enumeration, race-based FD theft via pidfd_getfd, direct D-Bus wire-format message construction, privilege escalation through AccountsService account modification, and post-exploitation shell access. There are no external network callbacks or C2 endpoints; all observables are local filesystem paths, procfs paths, D-Bus service/interface/object names, and external busctl invocations.

Repository contains a complete local Linux privilege-escalation exploit set for CVE-2026-31431 ('CopyFail'), plus primitive-only PoCs and runtime tracing helpers. Structure is split into: proof-of-concept/ with Python and C demos that overwrite a harmless local file in page cache; exploit-scripts/ with full exploit implementations in Python, C, Perl, and x86_64 assembly; a BusyBox self-extracting dropper generator; and bpftrace-scripts/ for observing relevant kernel paths during exploitation. Core exploit logic is consistent across languages: open an AF_ALG AEAD socket bound to authencesn(hmac(sha256),cbc(aes)), configure key/authsize, queue attacker-controlled AAD where bytes 4..7 hold the desired 4-byte overwrite value, splice a file-backed region from the target executable into the AF_ALG operation socket so the last imported 4 bytes align with the destination-side scratch write, then call recv()/recvfrom() to trigger decrypt. Even though authentication fails, the vulnerable kernel path performs the 4-byte write first. Repeating this loop stages an entire attacker-controlled ELF into the page cache of the target executable, after which the exploit executes the target so the cached modified image runs. Default target is /usr/bin/su in all full exploit variants, making the intended outcome local privilege escalation. The Python exploit embeds a compressed payload blob and invokes su via os.system. The C exploit embeds raw ELF bytes and then execls /bin/su; comments indicate the payload can be replaced and the included bytes resemble a compact ELF with an exec('/bin/sh') style payload. The Perl and assembly variants require an external ELF payload file. The BusyBox script packages the assembly exploit and payload into a portable self-extracting runner for constrained environments. No remote C2 or network infrastructure is present; attack vector is strictly local and kernel-dependent. The bpftrace helpers are not exploit code themselves but aid analysis by tracing filemap_splice_read, splice_folio_into_pipe, af_alg_sendmsg, and crypto_authenc_esn_decrypt. Overall, this is a real, multi-language operational exploit repository rather than a detector or README-only artifact.

Single-file Python local privilege escalation exploit for CVE-2026-31431 ('Copy Fail'). The repository contains one executable script, exp_2026_31431.py, with all exploit logic embedded. The script targets Linux systems and abuses an AF_ALG AEAD/authencesn kernel crypto path to achieve a 4-byte write into the page cache of any readable file. It specifically chooses /etc/passwd because it is world-readable and consulted during account resolution and su/PAM flows. The exploit locates the current user's UID field in /etc/passwd, requires that the UID be exactly 4 digits, and overwrites those four bytes in the cached page with '0000'. It then verifies the modified cached contents by rereading /etc/passwd and checking pwd.getpwnam(). If run with --shell, it executes 'su <user>' so the user authenticates with their own password while the account is perceived as UID 0, yielding a root shell via setuid(0). Without --shell, it performs a dry run and then evicts the cached page using POSIX_FADV_DONTNEED to restore normal lookups. No network communication or remote C2 is present; this is a straightforward local LPE PoC/operational exploit with a hardcoded target file and privilege-escalation path.

This repository is a small Python-based local privilege escalation lab for CVE-2026-31431 ('Copy Fail') affecting the Linux kernel's algif_aead crypto path. It contains two substantive code files: a real PoC exploit (exploit_cve_2026_31431.py) and a separate safe detector (test_cve_2026_31431.py), plus documentation and a screenshots placeholder. The main exploit is a local-only Python script that abuses AF_ALG with the AEAD algorithm string 'authencesn(hmac(sha256),cbc(aes))' to trigger a 4-byte page-cache write primitive. Its core logic opens /etc/passwd read-only, ensures the page is cached, then uses socket.sendmsg control messages and os.splice into an AF_ALG socket to place attacker-controlled 4 bytes into the page cache at a chosen file offset. It locates the current user's UID field in /etc/passwd, requires that UID to be exactly four characters long, and overwrites it with '0000' in memory only. It then verifies the modified page-cache contents and checks pwd.getpwnam() to see whether libc now resolves the user as UID 0. If successful, it instructs the operator to run 'su <user>' with their own password, or automatically execs 'su' when invoked with --shell. The intended result is a root shell via setuid(0), while leaving the on-disk /etc/passwd unchanged. The detector script is not the exploit itself; it is a non-destructive local test harness. It creates a temporary sentinel file, primes its page cache, and attempts the same AF_ALG/splice corruption path against that user-owned file. It reports vulnerability if the marker bytes appear in the cached page or if other unexpected page-cache modifications occur. This script checks prerequisites such as /proc/crypto, AF_ALG availability, and whether the target algorithm can be instantiated. Repository structure is straightforward: README.md summarizes the vulnerability, lab findings, and mitigations; exploit_cve_2026_31431.py is the offensive PoC; test_cve_2026_31431.py is the defensive detector; screenshots/README.md is only a placeholder. There are no network callbacks, C2 endpoints, or remote targets. The exploit is a practical local PoC with a basic built-in execution path, so OPERATIONAL is the best maturity fit rather than mere POC.

Repository contains a small, focused local privilege escalation exploit set for the Linux kernel issue dubbed CopyFail (CVE-2026-31431). Structure is split into: (1) exploit-scripts/ with four exploit implementations in C, Python, Perl, and x86_64 assembly plus a BusyBox self-extracting dropper builder; (2) proof-of-concept/ with safer lab PoCs in C and Python that overwrite a controlled local file page-cache region instead of a privileged binary; and (3) bpftrace-scripts/ with tracing helpers for observing af_alg_sendmsg, crypto_authenc_esn_decrypt, filemap_splice_read, and splice_folio_into_pipe during exploitation. Core exploit capability: all exploit variants build the same primitive using AF_ALG AEAD sockets bound to authencesn(hmac(sha256),cbc(aes)). They place attacker-controlled bytes in AAD[4:8], set authsize/assoclen so the imported file bytes align with the destination-side scratch write, splice a file-backed region from the target executable into the AF_ALG operation socket, then call recv()/recvfrom() to trigger decrypt. Even though authentication is expected to fail, the code relies on the kernel reaching the scratch-write path first, yielding a controlled 4-byte overwrite into the target file's page cache. Repeating this loop stages an entire replacement ELF payload into the cached image of the target executable. Operational behavior by file: exploit.c is the clearest standalone implementation, embedding a compact ELF payload and patching /usr/bin/su in 4-byte increments before executing it. exploit.py performs the same logic with a zlib-compressed embedded payload and finally invokes su. exploit.pl and exploit.asm use an external payload.pwnkit.elf and then exec the target. mk_busybox_dropper.sh packages the assembly exploit and payload into a self-extracting shell script for constrained BusyBox environments. The proof-of-concept files are genuine exploit demonstrations rather than mere detectors: they create ./target.bin, mark a known offset with ORIG, trigger the primitive to change cached bytes to PWN!, and instruct the user to compare cached contents versus on-disk contents after dropping caches. The bpftrace scripts are auxiliary observability tools, not exploit logic. No remote C2 or external network infrastructure is present. The attack vector is purely local and kernel-facing via AF_ALG sockets and file/page-cache manipulation. The repository is a real exploit collection with working code and payload staging, not a fake or readme-only artifact.

Small standalone exploit repository with 3 files: GPL license, README, and a single Python entry point (passwd.py). The repository is a local privilege-abuse exploit, not a remote exploit and not part of a major framework. Its purpose is to change any local user's password without first obtaining a root shell by chaining two vulnerabilities: CVE-2026-46333 to steal a readable file descriptor for /etc/shadow from a transient /usr/bin/chage process, and CVE-2026-31431 (CopyFail) to convert that readable FD into a 4-byte arbitrary page-cache write primitive. passwd.py contains the full exploit flow. It loads libc and libcrypt via ctypes, implements get_shadow_fd() to repeatedly fork/exec chage -l root, opens a pidfd to the child, and brute-forces pidfd_getfd across candidate descriptors until one resolves via /proc/self/fd/* to /etc/shadow. It then reads/parses shadow entries, extracts the target user's existing hash and salt, prompts for a new password, hashes it with crypt(3) using the existing salt, and writes the replacement hash plus trailing field padding back into the cached /etc/shadow contents in 4-byte chunks. The write primitive is implemented with Linux AF_ALG crypto sockets using the authencesn(hmac(sha256),cbc(aes)) algorithm and splice-based manipulation described as CopyFail. The script includes cleanup/error handling for failed writes and warns that the modification is temporary because it affects page cache rather than durable on-disk state. Operationally, the exploit provides a practical local account takeover capability on vulnerable Linux systems: once the password hash is replaced, the attacker can authenticate as the chosen user with the known password. The README notes limitations: failure if the target entry is near the end of /etc/shadow, reuse of the old salt, and loss of the modified password after reboot or page-cache clearing. No C2, hardcoded IPs, or network callbacks are present; the notable fingerprintable artifacts are local file paths and the use of /usr/bin/chage, /etc/shadow, /proc/self/fd, /dev/null, and AF_ALG crypto sockets.

Repository contains a minimal Python local privilege-escalation exploit and a detailed French README. The code file, copy_fail_exp.py, is the sole executable component and implements a compact exploit for CVE-2026-31431 ('Copy Fail'), targeting the Linux kernel AF_ALG/authencesn AEAD path. It opens /usr/bin/su read-only, creates an AF_ALG socket (family 38, type 5) bound to authencesn(hmac(sha256),cbc(aes)), configures the socket with setsockopt, and uses os.splice through a pipe to feed file-backed pages into the vulnerable kernel path. A zlib-compressed payload blob is decompressed, then written in 4-byte chunks by repeated calls to function c(), which appears to induce controlled 4-byte corruption in the page cache of the target setuid binary. After patching all chunks, the script executes su, aiming to run the corrupted cached image and obtain root privileges. There are no network callbacks or remote C2 endpoints; this is a purely local exploit. The README provides vulnerability background, affected distributions, exploitation steps, IOCs, and mitigations, but the actual exploit logic is entirely in the Python script. Overall, this is a real, compact, operational local kernel LPE PoC with a hardcoded target path and embedded payload.

This repository is a compact local Linux privilege-escalation PoC for CVE-2026-31431. It contains only a README and a single C source file, copy_fail.c. The exploit is not framework-based. The code uses the Linux AF_ALG crypto socket interface with the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)) to obtain a controlled 4-byte page-cache write primitive. It prepares crafted ancillary data with ALG_SET_OP, ALG_SET_IV, and ALG_SET_AEAD_ASSOCLEN/ALG_SET_AEAD_AUTHSIZE, then uses sendmsg plus splice from a readable target file descriptor into the AF_ALG socket to corrupt page-cache contents despite recv returning an authentication failure. The exploit decompresses an embedded shellcode blob with zlib, backs up the original target bytes, writes the shellcode into the target binary 4 bytes at a time, forks, execs the modified setuid binary, waits for completion, and restores the original bytes afterward. The default target is /usr/bin/su, though the README shows /usr/bin/passwd as another example. The code also detects WSL by reading /proc/version and adjusts AF_ALG control constants accordingly. Overall, this is an operational local LPE PoC demonstrating transient page-cache corruption of setuid binaries to achieve root, with automatic cleanup/restoration.

This repository is a very small Metasploit exploit module package consisting of a README and a single Ruby module, copy_fail.rb. Because it is clearly a Metasploit module, the main exploit logic is concentrated in copy_fail.rb. The module is a post-exploitation local privilege escalation exploit targeting CVE-2026-31431, described as a Linux kernel AF_ALG/algif_aead page-cache overwrite flaw ('Copy Fail'). It is intended to be run after an attacker already has a shell or meterpreter session on a Linux host. The Ruby module defines a Metasploit Post module for Linux and supports shell and meterpreter sessions. It exposes two configurable options: TARGET_BINARY, defaulting to /usr/bin/su, and WRITABLE_DIR, defaulting to /tmp. In run(), it first exits if the session is already root, then checks for python3 on the target. If Python 3 is present, it dynamically writes an embedded Python helper script to WRITABLE_DIR/.cf_exp.py, executes it, and registers the file for cleanup. The embedded Python code is the actual exploitation payload. It opens the chosen setuid binary read-only, creates an AF_ALG socket using the AEAD type and algorithm string authencesn(sha256,aes), sets a key, accepts a connection, uses os.splice() to move file data into the AF_ALG socket path, then sends a crafted message intended to trigger a controlled 4-byte overwrite in page cache memory. Finally, it executes the target binary via os.system(). The overwrite value is hardcoded as 0x90909090, so this is not a generic payload framework but an operational exploit implementation with a fixed corruption primitive. Capabilities: local privilege escalation to root on vulnerable Linux kernels; staging and execution of a Python helper on the target; support for Metasploit cleanup; compatibility with existing shell or meterpreter sessions. There are no external C2 or network callback endpoints in the exploit logic. The only meaningful targetable observables are local file paths (/usr/bin/su, /usr/bin/sudo, /tmp/.cf_exp.py, /tmp) and the AF_ALG crypto socket binding string. Overall, this is a real exploit module rather than a detector or README-only repository.

Small standalone local privilege-escalation PoC for CVE-2026-31431. Repository contains only a README and one C source file, copy_fail.c. The code opens an AF_ALG socket for the AEAD algorithm authencesn(hmac(sha256),cbc(aes)), sets a key, and abuses a kernel page-cache write primitive to overwrite a readable target executable 4 bytes at a time. It auto-detects WSL versus mainline Linux by reading /proc/version and adjusts AF_ALG control-message constants accordingly. The exploit decompresses an embedded shellcode blob with zlib, backs up the original bytes from the target file, writes the shellcode into the target binary's page cache using sendmsg plus splice, forks, execs the modified setuid binary, waits for completion, and then restores the original bytes. Default target is /usr/bin/su, with README showing /usr/bin/passwd as another example. No network communication or remote C2 is present; this is a local kernel-to-root exploit PoC with an embedded payload and automatic cleanup/restore behavior.

This repository is a minimal local privilege-escalation exploit for CopyFail, identified in the README as CVE-2026-31431. It contains only two files: a short README and a single Python exploit script, copyfail.py. The script is self-contained and operational rather than a detector. The exploit targets Linux systems and abuses AF_ALG crypto sockets together with sendmsg/splice behavior to write a payload into /usr/bin/su in 4-byte chunks. It opens /usr/bin/su read-only, repeatedly creates socket family 38 (AF_ALG) sockets, binds them to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), applies several AF_ALG-related setsockopt calls, accepts a connection, and sends crafted ancillary data alongside payload fragments. It then uses os.pipe() and os.splice() with the su file descriptor and the accepted socket descriptor, suggesting a kernel-side copy/write primitive that corrupts or replaces the SUID binary contents. The embedded payload is a raw x86_64 ELF blob. The active payload is annotated as generated by msfvenom for linux/x64/exec with CMD="whoami" and PrependSetuid=True, indicating the author expects the overwritten SUID binary to execute a privileged command. A commented-out earlier payload would instead execute /bin/sh. After all chunks are written, the script runs /bin/su to trigger the modified binary and obtain elevated execution. There are no network, HTTP, or C2 endpoints. The only fingerprintable targets are local file paths and Linux kernel socket/algorithm identifiers. Overall, this is a compact local Linux privilege-escalation PoC/operational exploit that weaponizes a kernel bug to overwrite a SUID executable with attacker-controlled ELF content.

This repository is a self-contained research lab and proof-of-concept for CVE-2026-31431 (“Copy Fail”), a Linux kernel local privilege escalation vulnerability in the AF_ALG/algif_aead crypto path. The main exploit logic is in exploit/poc.py, a Python 3.10+ script that uses AF_ALG sockets and os.splice() to demonstrate a controlled 4-byte write into page cache. The PoC is intentionally safer than a full weaponized LPE: it creates and targets a local test file (/tmp/copyfail_target_binary) and overwrites the marker bytes 'SAFE' with 'PWND' at offset 0x100, then verifies the apparent corruption by rereading the file. The code binds an AF_ALG AEAD socket to the algorithm string authencesn(hmac(sha256),cbc(aes)), sets key/authsize, splices a page from the target file into the accepted AF_ALG socket, and triggers a decrypt operation intended to exercise the vulnerable authencesn scratch-write behavior. Exploit capability: the repository demonstrates the core primitive behind the vulnerability—controlled 4-byte page-cache corruption of a readable file without modifying the on-disk inode contents. The documentation explains how this primitive could be adapted to patch in-memory instructions in setuid binaries such as /usr/bin/sudo or /usr/bin/su for root escalation, and how shared-kernel container environments could enable host compromise/container escape. However, the included code itself does not implement a full privilege-escalation payload; it remains a PoC demonstration. Repository structure: README.md provides the high-level vulnerability description, exploitation chain, Docker lab instructions, and mitigation overview. docs/technical-analysis.md gives a detailed explanation of the vulnerable scatterlist/in-place optimization and why the write lands in page cache. docs/affected-kernels.md lists affected and patched kernel versions across major distributions. exploit/README.md documents expected PoC behavior. mitigation/check-vulnerable.sh is a detection/assessment script that checks kernel version heuristics, module state, modprobe blocking, and module availability. mitigation/disable-algif.conf is a sample modprobe rule to block algif_aead. docker/Dockerfile.vulnerable and docker/Dockerfile.patched build lab containers for vulnerable and mitigated scenarios, and scripts/setup-lab.sh automates building/running them. Notable operational details: exploitation is local, not remote; it depends on a vulnerable host kernel and availability of algif_aead/AF_ALG. The Docker environment is only a lab wrapper because containers share the host kernel. No external C2, callback, or hardcoded remote network infrastructure is present. The only meaningful exploitation interface is the local AF_ALG kernel socket family and local file targets.

This repository is a minimal local Linux privilege-escalation exploit for CVE-2026-31431 ('Copy Fail'). It contains only two files: a short README identifying the CVE and tested distributions, and a single Python exploit script, copy_fail_exp.py. The script is compact and intentionally obfuscated through short variable names, but its behavior is clear: it opens /usr/bin/su read-only, creates an AF_ALG crypto socket (family 38, type 5) bound to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), configures several socket options, and then uses sendmsg plus splice/pipe operations to abuse a kernel bug that permits attacker-controlled writes into the target file. A zlib-compressed payload blob is decompressed at runtime and written into /usr/bin/su in 4-byte chunks by repeatedly calling the exploit primitive. After patching/corrupting the SUID binary, the script runs su, presumably expecting the modified binary to yield root privileges. There are no network callbacks, C2 endpoints, or remote targets; the attack vector is strictly local. The exploit is operational rather than a mere proof of concept because it includes a concrete payload and an end-to-end privilege-escalation flow, but it is not part of a larger exploitation framework.

This repository is a compact local privilege escalation exploit for CVE-2026-31431 (“Copy Fail”). It contains only two files: a README describing the vulnerability, requirements, affected kernels, and usage; and a single executable Bash script, copyfail.sh, which implements the exploit workflow. The script is not merely a checker: it performs target discovery, payload preparation, runtime compilation of a C helper, and execution of the exploit to obtain root. The exploit targets vulnerable Linux kernels via the AF_ALG AEAD interface (algif_aead/authencesn). According to the README and script comments, the bug allows deterministic 4-byte writes into the page cache of any readable file by abusing splice/sendmsg interactions with AF_ALG. The practical goal is to corrupt a readable setuid-root executable in page cache only, then execute it to gain elevated privileges. This is a purely local attack vector; there are no remote C2 or network callbacks in the exploit itself. Repository structure and behavior: - README.md: documents the vulnerability, usage flags (-c compatibility check, -s scan setuid binaries, -t choose target), mitigation guidance, architecture support, and references. - copyfail.sh: main exploit entry point. It includes helper functions, architecture-based payload selection, target enumeration, compatibility checks, runtime payload decompression, generation of inline C source, compilation with gcc, and final execution of the compiled helper. Main exploit capabilities observed in copyfail.sh: - Detects supported architecture and selects an embedded compressed shellcode blob. - Checks prerequisites: Linux, non-root execution, gcc availability, AF_ALG socket availability, and presence of a setuid-root target. - Enumerates likely setuid-root binaries and can scan common filesystem roots for all such binaries. - Auto-selects a target from common privileged executables such as su, passwd, sudo, pkexec, mount, and others. - Uses python3 to decompress the embedded shellcode into a temporary payload file. - Generates and compiles a minimal C helper at runtime to perform kernel-facing operations unavailable directly in Bash, specifically AF_ALG socket interaction and likely splice/sendmsg-based corruption primitives. - Executes the compiled helper against the chosen target and payload, resulting in a root shell by default or a specified root command when using -e. The exploit is operational rather than a bare PoC because it includes a real payload, target selection logic, compatibility checks, and automated compilation/execution. However, it is not part of a larger exploitation framework and does not expose highly modular payload customization beyond the built-in shellcode and optional command execution mode.

This repository contains a single Python exploit, copyfail.py, implementing a local Linux privilege-escalation technique rather than a remote exploit. The script is heavily minimized/obfuscated but its flow is clear: it imports os, zlib, and socket; defines a helper to decode hex; defines function c() that creates an AF_ALG socket (family 38), binds it to the kernel crypto transform "aead" / "authencesn(hmac(sha256),cbc(aes))", sets several socket options at level 279 (ALG_* options), accepts an operation socket, and uses sendmsg plus os.splice() to combine attacker-controlled data with bytes sourced from an opened file descriptor. The main routine opens /usr/bin/su, decompresses an embedded payload blob, and iterates over that payload in 4-byte chunks, calling c() repeatedly with increasing offsets. After patching the target binary, it runs "su" via os.system(). The exploit’s main capability is overwriting/corrupting the local setuid su binary to achieve privilege escalation. There are no network, HTTP, DNS, or C2 endpoints; all activity is local to the host. Fingerprintable artifacts are the targeted file path /usr/bin/su and the Linux AF_ALG crypto interface using the authencesn(hmac(sha256),cbc(aes)) algorithm string. Repository structure is trivial: one standalone Python entry point with an embedded compressed payload and no auxiliary files. Overall, this is a real operational local exploit PoC that weaponizes a kernel/userspace interaction to modify a privileged executable and then invoke it for elevated access.

This repository is a standalone local privilege-escalation exploit for CVE-2026-31431 ('Copyfail') targeting vulnerable Linux x86-64 systems. It is not part of a common exploit framework. The repo contains 6 files: the main exploit source (cfail.cpp), a custom minimal syscall/header library (libMinIO.hpp), a makefile, a Python helper (printbin.py), README, and .gitignore. The core exploit logic is in cfail.cpp. It avoids libc and uses a custom inline-assembly syscall layer from libMinIO.hpp, making the resulting binary highly self-contained and statically oriented. The exploit creates an AF_ALG socket with type 'aead' and algorithm name 'authencesn(hmac(sha256),cbc(aes))', sets key/auth parameters, opens /usr/bin/su, and repeatedly uses accept(), sendmsg(), pipe(), splice(), and read() in a loop while feeding 4-byte chunks of an embedded ELF payload. The embedded payload is a tiny x86-64 ELF that ultimately executes /bin/sh. After the overwrite/copy sequence, the exploit directly execves /bin/sh with arguments '-c' and 'su'. Overall capability: local unprivileged-to-root escalation by corrupting or replacing the privileged /usr/bin/su path using the vulnerable kernel behavior. libMinIO.hpp provides the low-level primitives used by the exploit: wrappers for syscalls such as write, read, open, socket-related operations, sendmsg, pipe, splice, execve, and supporting AF_ALG/CMSG structures and macros. It is not a separate exploit, but an implementation detail enabling a libc-free build. The makefile builds the cfail binary, strips it, and then uses printbin.py to generate cfail.sh, a bootstrap script that reconstructs the binary using bash printf statements. This indicates an operational convenience feature for transferring/deploying the exploit where only text/script delivery is practical. printbin.py itself is not malicious beyond converting arbitrary binary bytes into shell-safe printf output. There are no network C2 endpoints, remote URLs, or external IPs/domains. The meaningful fingerprintable targets are local: /usr/bin/su, /bin/sh, and the AF_ALG crypto socket interface. The exploit is a real offensive local exploit, not a detector or README-only repository.

Repository contains a small Python exploit (exploit.py), a much larger commented C port (copyfail.c), and a README describing the vulnerability and usage. This is a real local privilege escalation exploit for CVE-2026-31431 ('Copy Fail'), targeting the Linux kernel AF_ALG AEAD crypto interface. The exploit is not a scanner or detector: it opens /usr/bin/su read-only, repeatedly creates an AF_ALG socket bound to authencesn(hmac(sha256),cbc(aes)), sets a crafted key and anomalous AEAD authsize, initiates a decrypt operation with sendmsg control messages, and uses splice to move bytes from the target file into the crypto socket. The intended effect is corruption/modification of the page cache for /usr/bin/su in 4-byte chunks using an embedded compressed payload. After all chunks are written, the exploit executes su, which then runs from the modified page cache and yields a root shell. The Python version is compact and serves as the original PoC; the C version is the main operational implementation, designed for static compilation and minimal environments. No external network C2 or remote URLs are used; the key observables are local file paths and the AF_ALG algorithm string. The README also notes container relevance because AF_ALG exposure inside containers may permit host-impacting escalation if the vulnerable kernel/module is present.

Small repository with one Python exploit and two README files (English and Spanish). The exploit is a standalone local privilege-escalation PoC/operational script for CVE-2026-31431, a Linux kernel authencesn/AF_ALG/splice page-cache corruption bug. The code creates an AF_ALG socket (family 38, type 5), binds it to the authencesn(hmac(sha256),cbc(aes)) AEAD template, sets socket options, and uses sendmsg plus splice to cause a 4-byte out-of-bounds write into page-cache-backed data from /usr/bin/su. A zlib-compressed hex blob is decompressed into a binary payload, then written into the target in 4-byte chunks via repeated calls to function c(). After corruption completes, the script runs su, intending to execute the modified cached setuid image and spawn a root shell. There are no network callbacks or remote endpoints; the exploit is purely local and targets the Linux kernel crypto subsystem and a local setuid binary.

Repository contains a single Python exploit script plus supporting documentation and a detached PGP signature. The main code is script_5.py, a local Linux privilege-escalation/page-cache corruption proof-of-concept targeting CVE-2026-31431 as described in the report. The script loads libc.so.6 with ctypes to call splice(), opens /usr/bin/su read-only, creates an AF_ALG crypto socket bound to the AEAD algorithm string 'authencesn(hmac(sha256),cbc(aes))', and uses crafted sendmsg ancillary data plus two splice operations (file->pipe and pipe->AF_ALG socket) to push attacker-controlled 4-byte chunks into the target file's page cache. A zlib-compressed payload blob is decompressed at runtime and iteratively injected across the cached image of /usr/bin/su. After injection, the script runs 'id' and 'su -c 'id'' to test whether the modified cached binary yields privilege escalation. The included report states the intended payload behavior is setuid(0) followed by execve('/bin/sh'), but the observed result in testing was corruption of su leading to 'Exec format error', which the author interprets as evidence of successful in-memory overwrite without on-disk modification. Overall, this is a real local exploit/validation script rather than a detector: it performs active memory corruption against a system binary and attempts to obtain elevated execution.

Small repository containing two Python proof-of-concept local privilege escalation exploits plus English and Turkish READMEs. The code targets CVE-2026-31431 ('Copy-Fail'), a Linux kernel AF_ALG/authenc/authencesn page-cache poisoning issue. Both scripts are nearly identical: they load libc.so.6 via ctypes, wrap libc.splice(), create an AF_ALG socket bound to the algorithm string 'authencesn(hmac(sha256),cbc(aes))', configure socket options, and use sendmsg plus splice through a pipe to corrupt cached pages of a setuid su binary. A compressed payload blob is decompressed and written in 4-byte chunks across the target file mapping. After poisoning, the script executes 'su' to trigger privilege escalation. The Ubuntu 18.04 variant targets /bin/su; the Ubuntu 22.04 variant targets /usr/bin/su. No remote C2, network scanning, or exfiltration is present; this is a purely local kernel/LPE PoC. The READMEs provide vulnerability background, tested kernel versions, mitigation guidance, and a simple detection procedure. Overall, the repository is a real operational PoC for local root escalation on specific unpatched Ubuntu/Linux kernel builds, not merely a detector or documentation-only repo.

This repository is a small standalone Python proof-of-concept for a claimed local privilege-escalation vulnerability, CVE-2026-31431 ('Copy Fail'). It contains two files: a README describing usage and context, and a single executable script, exploit.py, which implements detection, exploitation, and cleanup logic. The exploit is clearly local, not remote. Its core primitive is implemented in function c(), which creates an AF_ALG socket, binds to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), configures socket options, and combines sendmsg() with splice() on a readable file descriptor to induce an in-place 4-byte write into page-cache-backed file contents. The script wraps libc.splice via ctypes to access the syscall behavior needed for the primitive. The check_vulnerability() routine performs a practical test rather than a pure version check: it verifies /proc/crypto exists, confirms AF_ALG/authencesn can be bound, creates /dev/shm/.copyfail_test, attempts to overwrite its cached contents with 'PWND', and then rereads the file to determine whether the corruption is observable. This makes the default mode a detection-and-validation step. The exploit() routine targets /usr/bin/su specifically. It opens the file read-only, decompresses an embedded zlib-compressed shellcode blob, and writes it into the cached image of /usr/bin/su in 4-byte chunks starting at offset 0. After patching, it invokes os.system('su'), expecting the modified cached executable to run with altered behavior and yield root access. Because the payload is embedded and the target path is hardcoded, this is best characterized as OPERATIONAL rather than weaponized. The cleanup() routine attempts several restoration methods: posix_fadvise(..., DONTNEED) on /usr/bin/su, rereading the file to refresh cache state, rewriting original bytes back into the page cache using the same exploit primitive starting around offset 120, and optionally writing '3' to /proc/sys/vm/drop_caches to flush caches if privileges permit. This indicates the author intended the tool to support repeated testing in a lab setting. Overall, the repository structure is simple and purpose-built: one Python entry point with CLI modes (--exploit, --cleanup, default detection), no external framework, and no network C2 or remote endpoints. The most fingerprintable observables are the hardcoded target path /usr/bin/su, the temporary file /dev/shm/.copyfail_test, the cleanup interaction with /proc/sys/vm/drop_caches, and the AF_ALG algorithm string authencesn(hmac(sha256),cbc(aes)).

Small single-script Python exploit repository for CVE-2026-31431 ('Copy Fail'). The repo contains one executable PoC (poc.py), a README with usage and environment requirements, plus license and gitignore. The exploit is a local privilege escalation PoC, not a remote exploit and not part of a larger framework. The main script creates an AF_ALG socket using Linux crypto interface constants directly (socket family 38, type 5) and binds to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)). It configures the socket with setsockopt calls, accepts an operation socket, and uses sendmsg with ancillary data plus os.splice() and a pipe to move data between a file descriptor for /usr/bin/su and the AF_ALG socket. A hardcoded compressed blob is decompressed with zlib and fed into the helper function in 4-byte chunks. After the loop, the script runs 'su' via os.system(). Operationally, the PoC appears intended to exploit the vulnerable algif_aead/AF_ALG path to interfere with page cache data for the su binary, replacing or modifying cached contents in a way that enables privilege escalation. The payload is hardcoded rather than user-configurable, which fits OPERATIONAL maturity rather than WEAPONIZED. Notable observables are limited because this is a local exploit: /usr/bin/su is the primary target path in code, /bin/su is mentioned as an alternate path in documentation, and /proc/crypto is used for prerequisite checking. No external C2, IPs, or network services are contacted. The only network-like primitive is the local kernel AF_ALG socket interface, used as the exploitation mechanism rather than for remote communication.

This repository is a compact local privilege escalation proof-of-concept for CVE-2026-31431 ('Copy Fail'). It is not a framework module; the core logic is entirely contained in a single C++ source file, copygrail.cpp, with a simple Makefile for static compilation and a README describing usage and prerequisites. Structure: LICENSE contains MIT licensing terms; Makefile builds a static binary named copygrail with zlib; README.md documents the exploit as a single-file AF_ALG + splice() page-cache corruption PoC against Linux; copygrail.cpp implements the exploit. Main capability: the exploit decompresses an embedded zlib-compressed payload into memory, opens /usr/bin/su read-only, warms the file into cache with pread(), and repeatedly invokes a patch() routine to overwrite the page cache contents of the setuid binary in 4-byte chunks. After patching, it executes /usr/bin/su, intending to obtain a root shell. Technical behavior: patch() creates an AF_ALG socket using the AEAD algorithm string 'authencesn(hmac(sha256),cbc(aes))', configures key/authsize, sends crafted ancillary data with ALG_SET_OP, ALG_SET_IV, and ALG_SET_AEAD_ASSOCLEN, then uses splice() from the target file descriptor through a pipe into the AF_ALG socket. This is the core corruption primitive used to alter cached file contents without opening the file writable. The exploit is purely local and does not contact remote hosts. Notable observables: the only clear fingerprintable target path is /usr/bin/su. There are no URLs, IPs, domains, registry keys, or C2 endpoints. The exploit depends on Linux kernel crypto socket support and the presence of the target setuid binary. The embedded payload is opaque binary shellcode rather than source-level commands, so customization appears limited; that supports an OPERATIONAL maturity assessment rather than WEAPONIZED.

Small standalone local Linux kernel exploit repository with one real code file, exp.c, plus IDE metadata and a brief README. The README says it provides a C privilege-escalation version because official code was not provided. The exploit is not network-facing; it uses the Linux AF_ALG socket interface to bind an AEAD crypto transform named "authencesn(hmac(sha256),cbc(aes))", sets a zeroed 64-byte key with setsockopt(ALG_SET_KEY), accepts an operation socket, opens /usr/bin/su, inflates a hardcoded zlib-compressed hex blob into memory, writes the decompressed bytes to stdout, then closes descriptors and executes system("su"). Overall structure suggests a proof-of-concept local privilege-escalation exploit targeting a Linux kernel crypto subsystem bug, with a basic hardcoded post-exploitation step of spawning su. No remote C2, URLs, IPs, or network endpoints are present; the only fingerprintable targets are the local binary path /usr/bin/su and the kernel crypto interface/algorithm identifiers used to reach the vulnerable code path.

This repository is a small Linux local privilege escalation exploit set combining two kernel issues: Copy-Fail (CVE-2026-31431) and Dirty-frag (CVE-2026-43284). It contains three files: a README with build/run instructions and tested distributions, a compact Python proof-of-concept, and a much larger C exploit implementing more complete exploitation logic. The Python script is a concise local exploit for Copy-Fail. It opens /usr/bin/su read-only, creates an AF_ALG crypto socket bound to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), uses setsockopt/sendmsg/splice to drive kernel crypto scatterlist handling, and writes attacker-controlled bytes into the page cache of the read-only SUID binary in 4-byte chunks. After patching, it invokes su to execute the modified privileged binary. The C program is the main operational exploit. It embeds a 192-byte x86_64 ELF payload that becomes a root shell by calling setgid(0), setuid(0), setgroups(0,NULL), and execve(/bin/sh). It targets /usr/bin/su and appears to support multiple exploitation paths: a su-focused path and an rxrpc/dirty-frag path, with command-line switches --force-esp and --force-rxrpc. The visible code shows namespace setup via unshare(CLONE_NEWUSER|CLONE_NEWNET), writes to /proc/self/{setgroups,uid_map,gid_map}, loopback interface manipulation, and constants for UDP encapsulation/IPsec-related behavior including port 4500, indicating a network-kernel attack surface even though exploitation is local. The main function retries alternate paths until a target binary is patched, then spawns an interactive PTY-backed root shell. Overall, this is a real exploit repository rather than a detector. Its purpose is to obtain local root on vulnerable Linux systems by corrupting privileged executables through vulnerable kernel code paths reachable from userspace syscalls. The Python file is a compact PoC; the C file is the more featureful exploit with built-in payload and fallback logic.

This repository is a standalone C exploit toolkit named DIRTYFAIL that builds a single binary (`dirtyfail`) from multiple source modules. It is not just a detector: it contains real local privilege-escalation PoCs for three Linux kernel vulnerability families/variants: Copy Fail (CVE-2026-31431), Dirty Frag xfrm-ESP IPv4/IPv6 (CVE-2026-43284), and Dirty Frag RxRPC (CVE-2026-43500), plus a GCM-based xfrm variant and a page-cache backdoor mode. Repository structure: `src/dirtyfail.c` is the main CLI entry point and dispatches scan, exploit, cleanup, and AppArmor-bypass-assisted modes. `src/common.[ch]` provides shared helpers for logging, kernel/module checks, passwd parsing, cache eviction, and confirmation prompts. `src/copyfail.[ch]` implements the AF_ALG `authencesn(hmac(sha256),cbc(aes))` 4-byte arbitrary page-cache write primitive and uses it to flip the current user’s UID in `/etc/passwd` to `0000`, then invokes `su`. `src/copyfail_gcm.[ch]` implements a more granular 1-byte write primitive using xfrm-ESP with `rfc4106(gcm(aes))`, including AF_ALG keystream-byte computation and IV brute force; this primitive is also exposed to other modules. `src/dirtyfrag_esp.[ch]` and `src/dirtyfrag_esp6.[ch]` implement IPv4 and IPv6 xfrm-ESP exploit chains that register attacker-controlled SAs via NETLINK_XFRM, use loopback UDP encapsulation on port 4500, and splice `/etc/passwd` into the vulnerable in-place decrypt path. `src/dirtyfrag_rxrpc.[ch]` implements the RxRPC variant, including forged RxRPC/rxkad traffic and brute-forced fcrypt session keys to shape 8-byte overwrites that empty root’s password field in the page-cache copy of `/etc/passwd`. `src/fcrypt.[ch]` contains the rxkad/fcrypt implementation and brute-force harness used by the RxRPC exploit. `src/apparmor_bypass.[ch]` adds a multi-stage self-reexec bypass for Ubuntu AppArmor restrictions on unprivileged user namespaces by writing to `/proc/self/attr/exec` and switching into permissive profiles such as `crun` or `chrome`. `src/backdoor.[ch]` uses the GCM 1-byte primitive to rewrite a length-matched `nologin` passwd entry into `dirtyfail::0:0:<pad>:/:/bin/bash`, storing restoration state in `/var/tmp/.dirtyfail.state`. Main exploit capabilities: (1) safe-ish detection modes that probe prerequisites or use a temporary sentinel file rather than system files; (2) real page-cache-only overwrite of `/etc/passwd` to gain root; (3) optional spawning of `su`, `su -`, or `su - dirtyfail`; (4) temporary persistence via a page-cache backdoor user; and (5) cleanup via `POSIX_FADV_DONTNEED` and `/proc/sys/vm/drop_caches`. The exploit is operational rather than framework-integrated: payloads are hardcoded around local root escalation and page-cache manipulation, but the code is complete and modular.

This repository is a small standalone local Linux privilege-escalation PoC consisting of a README and one Python exploit script, cve-2026-31431-poc.py. It is not part of a larger exploitation framework. The README describes CVE-2026-31431 as a Linux kernel AF_ALG + splice() page-cache corruption issue and claims the exploit is functional and non-persistent because it only modifies RAM-backed page cache. The Python script is structured as an end-to-end exploit tool with user-facing console output, vulnerability checks, target selection, exploitation, shell spawning, and optional cleanup. The visible code shows a configuration section defining preferred local targets (/usr/bin/su, /bin/su, /usr/bin/pkexec, /usr/bin/sudo, /etc/passwd), embedded compressed payload blobs, AF_ALG-related constants, helper/printing routines, and a verification phase that inspects /proc/version, /proc/modules, and /proc/crypto and attempts to create an AF_ALG AEAD socket bound to authencesn(hmac(sha256),cbc(aes)). The README and remaining visible control flow indicate later phases search for suitable SUID targets, inject a payload into page cache using splice()-related behavior, execute the modified target to obtain a root shell, and optionally clean up. Main exploit capability: local privilege escalation to root on a vulnerable Linux kernel by abusing AF_ALG and splice() to overwrite page-cache contents of privileged files in memory. The exploit appears operational rather than a simple detector because it contains hardcoded payloads and post-exploitation logic. No external network infrastructure, C2, or remote endpoints are present; the attack vector is purely local and kernel-facing.

This repository is a small standalone Python-based local privilege escalation toolkit with two files: a README and a single executable script, rosnlr5_full.py. The script is the main entry point and implements an interactive terminal menu with three practical capability groups: privilege auditing, exploitation, and temporary mitigation. The core exploit logic is in run_exploit(). It creates AF_ALG sockets using Python's socket module, binds to the AEAD algorithm string 'authencesn(hmac(sha256),cbc(aes))', sets algorithm socket options, and uses sendmsg() plus os.splice() to feed crafted data derived from a hardcoded zlib-compressed payload. The payload is decompressed at runtime and injected in 4-byte chunks while reading from /usr/bin/su. After the injection loop completes, the script invokes 'su' to open what it expects to be a root shell. This is clearly a local attack path, not a remote exploit, and it targets Linux kernel behavior around AF_ALG / algif_aead as described by the claimed CVE-2026-31431. Beyond exploitation, the repository also serves as a mitigation helper. The README and visible code indicate functions for checking whether algif_aead is present/loaded, creating /etc/modprobe.d/disable-algif.conf with an 'install algif_aead /bin/false' rule, attempting to unload the module with rmmod, and removing the mitigation file later. There is also a privilege-audit feature that reports UID, username, groups, and whether the current user belongs to sudo or wheel. No external C2, remote URLs, or network targets are used by the exploit itself. The only network-like interface is the local kernel AF_ALG socket family. Overall, this is an operational standalone Linux LPE PoC with a hardcoded payload and built-in defensive utilities, rather than a scanner or detection-only script.

This repository contains a Python implementation of the CopyFail2 local privilege escalation exploit for CVE-2026-31431. It has 3 files total: a README and two Python exploit variants. The main purpose is to exploit a Linux kernel bug in the xfrm ESP-in-UDP splice path where MSG_SPLICE_PAGES can map pages into the receiver page cache without copy-on-write, enabling modification of read-only file-backed page cache contents. Repository structure: README.md documents the vulnerability, requirements, tested kernels, usage, and cleanup. exploit.py is the optimized implementation and appears to be the primary entry point; it reuses xfrm state, sockets, and pipes, brute-forces two consecutive bytes per round, and uses active polling for faster execution. exploit_raw.py is a slower reference implementation closer to the original C exploit, recreating state for each byte mutation. Exploit capability: both scripts are real local privilege escalation exploits, not scanners. They target the local host and abuse loopback ESP-in-UDP processing on UDP port 4500. The code uses ctypes to call libc and OpenSSL/libcrypto primitives, brute-forces AES-GCM/ECB-derived keystream bytes, sets up xfrm-related state, and uses splice() to move crafted data through a UDP socket so that bytes from /etc/passwd are altered in page cache. The intended end state is replacing an existing nologin/false passwd entry with a passwordless uid 0 account named 'sick', then invoking su to obtain a root shell. A cleanup mode restores the original passwd line using saved state from /var/tmp/.cf2.state. Targeting and prerequisites: the exploit is for Linux kernels 6.5 and newer, requires libcrypto and Python 3.8+, and needs CAP_NET_ADMIN or the ability to create user and network namespaces. The code includes logic to check for CAP_NET_ADMIN, unshare into new user/network namespaces, and inspect /proc/sys/kernel/unprivileged_userns_clone. The README also notes AppArmor-related workarounds and that success depends on PAM/nullok and a suitable passwd entry. Overall, this is an operational local kernel LPE exploit with a concrete privilege-escalation payload and cleanup support, rather than a proof-of-concept or detection-only script.

This repository contains a small standalone local Linux privilege-escalation project for CVE-2026-31431 (“Copy Fail”). It has three files: a README, a safe detector (`detect.py`), and an exploit (`exp.py`). Both Python scripts are ports intended to work on Python 3.7+ by replacing `os.splice()` with a ctypes wrapper around libc `splice(2)`. The exploit is local-only and does not target remote network services. Its core capability is abusing the Linux AF_ALG AEAD interface with the algorithm `authencesn(hmac(sha256),cbc(aes))` plus splice-based file-to-pipe-to-socket transfers to trigger an in-memory page-cache overwrite primitive. The detector uses the same primitive against a temporary user-owned sentinel file to determine whether the kernel is vulnerable without touching privileged system files. It checks prerequisites such as `/proc/crypto`, AF_ALG socket availability, and whether the target AEAD algorithm can be instantiated. The main exploit (`exp.py`) targets `/etc/passwd`. It locates the current user's UID field, requires that UID to be exactly 4 characters long, and uses a helper `write4()` to overwrite those 4 bytes in page cache with `0000`. After verifying the cached change, it instructs the operator to run `su <user>` and enter their own password, or does so automatically with `--shell`. Because the cached passwd entry now shows UID 0, `su` is expected to setuid(0) and provide a root shell. The script also includes cleanup guidance via `/proc/sys/vm/drop_caches` and a non-shell path that attempts to evict the passwd page from cache. Overall, this is a real exploit repository, not just a detector, though it also includes a dedicated safe detection script. The code is concise, purpose-built, and operational rather than framework-based: it contains a hardcoded exploitation method and post-exploitation path, but no modular payload system.