Copy Fail
CVE-2026-31431 ("Copy Fail") is a Linux kernel local privilege escalation vulnerability in the AF_ALG crypto socket interface, specifically the algif_aead path. The flaw was introduced by a 2017 in-place AEAD optimization (commit 72548b093ee3) that caused source and destination scatterlists to alias during algif_aead processing. When a readable file is spliced into an AF_ALG AEAD operation, file-backed page-cache pages can become part of the writable crypto destination path. With the authencesn AEAD algorithm, kernel crypto processing performs a controlled 4-byte scratch write into that destination buffer, allowing an attacker to overwrite 4 bytes at an attacker-influenced offset in the page cache of a readable file, including setuid-root binaries such as /usr/bin/su. The overwrite affects only the in-memory page-cache representation, not the on-disk file, which makes the attack hard to detect with disk-based integrity checks. Upstream remediation reverted the in-place behavior and returned algif_aead to out-of-place operation, separating source and destination handling.
Exploits
28 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (335 hidden).
This repository is a small but fully functional Linux post-exploitation/cryptojacking toolkit rather than a simple PoC. It contains 6 files: a README, two top-level bash scripts (setup.sh and killservice.sh), and a kernel subdirectory with a Makefile, a DKMS installer script, and a C-based kernel module rootkit. The README also references additional binaries not included in the provided file list: getroot (the local privilege-escalation exploit for CVE-2026-31431), xrandom (renamed XMRig miner), and a packaged archive.

Primary structure and purpose:
- setup.sh is the main orchestrator and likely entry point. It decides whether it already has root privileges; if not, it attempts to use a bundled getroot helper to execute commands as root. In root mode it installs the miner to /opt/kernel-kd/xrandom, creates and enables a persistent systemd service at /etc/systemd/system/kernel-kd.service, runs kernel/install.sh to deploy the rootkit, then executes killservice.sh. In non-root mode it falls back to userland persistence by copying the miner into ~/.xrandom, creating a launcher script, and adding cron entries for @reboot and every minute.
- kernel/install.sh installs the disguised kernel module intel_uncore_freq_aux using DKMS when available, or direct compilation otherwise. It establishes persistence through /etc/modules-load.d, /etc/modprobe.d, udev rules, and initramfs-related configuration files across multiple Linux distributions. It then loads the module live with modprobe/insmod.
- kernel/stealth.c is the stealth component. It masquerades as an Intel uncore frequency driver but behaves like a rootkit: it hides module presence, filters process/file names matching hardcoded strings such as xrandom and masscan, creates a sysfs control interface under /sys/kernel/intel_uncore_freq, and tampers with procfs output to falsify CPU and memory usage so monitoring tools show lower utilization.
- killservice.sh is a post-install hardening and competitor-eviction script. It checks whether common exposed services are listening publicly and, if so, stops/disables/masks them, blocks their ports with iptables/ip6tables/nftables, and chmods associated binaries to 000. It also kills and removes known miner/XMRig artifacts and related systemd units.

Exploit capability assessment:
- Initial access is described in the README as abuse of an exposed Docker Engine API on TCP 2375 to launch a privileged container with host mounts and chroot into the host.
- Local privilege escalation is delegated to the referenced getroot binary targeting CVE-2026-31431 on vulnerable Linux kernels. Although the binary itself is not present in the provided files, setup.sh clearly expects and invokes it.
- Persistence is implemented both as root (systemd service plus kernel module autoload) and as userland (cron plus launcher script).
- Stealth is substantial due to the kernel module's hiding and procfs falsification.
- Monetization is cryptomining via the renamed xrandom/XMRig payload.

Overall, this is a real operational malware toolkit with exploit-assisted privilege escalation, persistence, stealth, and environment hardening, not merely a detector or documentation-only repository.
This repository is a real local privilege-escalation exploit implementation for CVE-2026-31431 ('Copy Fail'), plus a safer vulnerability checker and a minimal embedded payload. The repo structure is straightforward: the actual exploit logic lives in src/, while the large nolibc/ tree is a bundled tiny libc/syscall layer used to build small static cross-architecture binaries. The Makefile builds four artifacts: payload, exploit, exploit-passwd, and vulnerable. CI workflows compile static binaries for multiple architectures and libc modes. Core exploit capability: src/utils.c implements the shared primitive patch_chunk(), which uses Linux AF_ALG crypto sockets with the authencesn(hmac(sha256),cbc(aes)) AEAD template, sendmsg(), pipe(), and splice() to corrupt page-cache-backed file contents without modifying the on-disk inode. This is the heart of the Copy Fail technique. Main exploit path: src/exploit.c embeds a static ELF payload produced from src/payload.c and writes it into the page cache of a target file, defaulting to /usr/bin/su. After overwriting the cached image in 4-byte chunks, it executes su. Because the inode remains setuid-root while execution pulls mutated bytes from page cache, the payload runs with elevated privileges. The payload itself is simple and operational: setgid(0), setuid(0), then execve(/bin/sh). Alternate exploit path: src/exploit-passwd.c targets /etc/passwd instead of a setuid binary. It finds the current user's UID field, overwrites the cached UID digits with zeroes, and then runs su <user>. If authentication succeeds, su consults the corrupted cached passwd entry and yields a root shell. This variant is intended for environments where direct mutation of setuid binaries is harder but /etc/passwd remains readable. Detection/checker: src/vulnerable.c is not the main exploit but a legitimate non-destructive checker. It creates a local file named testfile, attempts the same page-cache mutation primitive against it, and checks whether the cached contents changed to 'vulnerable'. It exits 100 if vulnerable, 0 if not, 2 if AF_ALG support/template availability prevents determination. Notable endpoints/targets are entirely local: /usr/bin/su, /etc/passwd, /bin/sh, /proc/sys/vm/drop_caches, and the AF_ALG algorithm name authencesn(hmac(sha256),cbc(aes)). There are no C2, network beacons, or remote targets. This is a local Linux kernel LPE PoC with an included operational root-shell payload, not a framework module or a mere detector.
Single-file Python local privilege-escalation exploit. The script monkey-patches os.splice via ctypes to call libc splice directly, then uses Linux AF_ALG crypto sockets with the algorithm string `authencesn(hmac(sha256),cbc(aes))` to trigger a kernel-side vulnerability. It opens `/usr/bin/su`, decompresses an embedded binary blob, and writes it into the target file in 4-byte chunks through a crafted sendmsg/splice sequence. After the overwrite completes, it executes `su`, indicating the intended outcome is root/elevated access via a trojaned or attacker-controlled replacement su binary. There are no network indicators such as remote URLs or IPs; the exploit is purely local and Linux-specific. Repository structure is minimal: one Python entry-point file (`exploit.py`) containing all exploit logic, embedded payload data, and final execution step.
This repository contains a compact Go local privilege escalation exploit for CVE-2026-31431, plus a short README listing build instructions and claimed affected Linux distributions. The main file, CVE-2026-31431.go, is a standalone exploit with no external dependencies beyond Go's syscall/unsafe packages. The exploit logic is implemented in two functions: main() and exploit(). The exploit() function builds the kernel corruption primitive by creating an AF_ALG socket (family 38, SOCK_SEQPACKET), binding it to the AEAD crypto interface with algorithm string authencesn(hmac(sha256),cbc(aes)), setting key/auth parameters via setsockopt, accepting an operation socket, crafting control messages for sendmsg, and then using splice twice to move data between the target file descriptor, a pipe, and the AF_ALG socket. This sequence is intended to trigger page-cache corruption. A read drains the socket/pipe state, and the sockets are closed. The main() function opens /usr/bin/su read-only, defines an embedded minimal x86_64 ELF payload as raw bytes, and iteratively calls exploit() in 4-byte chunks to overwrite the page cache for /usr/bin/su. The embedded ELF contains code that performs setuid(0) and then execve("/bin/sh"). After patching, the program executes /usr/bin/su, expecting the setuid-root binary to run the attacker-controlled cached payload and return a root shell. There are no network callbacks, C2 addresses, or remote targets in the code. All activity is local to the host kernel and filesystem. The only concrete filesystem targets are /usr/bin/su and /bin/sh. The README describes the exploit as 'local privilege escalation / container escape' and lists many Linux distributions and versions as affected. Overall, this is an operational local Linux kernel exploit that weaponizes a kernel memory/page-cache corruption bug to hijack a privileged executable and obtain root.
Repository contains a small local Linux privilege/behavior-manipulation proof of concept centered on page-cache corruption/patching via AF_ALG sockets. There are 4 files total: two exploit implementations in C (exploit.c and a shorter exploit-simple.c), one benign demonstration target (test.c), and a short README with build/run instructions. The main exploit logic creates an AF_ALG socket, binds to the AEAD algorithm string 'authencesn(hmac(sha256),cbc(aes))', sets a dummy key, accepts an operation socket, opens a target file, aligns to the page boundary, sends 8 bytes of AAD, splices file data into the crypto socket, then performs a 4-byte pwrite at a user-chosen offset. The code comments claim this abuses a kernel bug to dirty/modify page cache so the running file behavior changes without changing the file on disk. The exploit is entirely local: no remote networking, C2, or external URLs/domains are present. The intended use is patching executable code, with examples showing how to locate a conditional jump using objdump and replace bytes to invert logic in the sample test program so it prints 'Access Granted' instead of 'Access Denied'. exploit.c is the fuller version with error handling, usage guidance, and explanatory comments; exploit-simple.c is a condensed variant of the same technique; test.c is only a toy binary used to demonstrate the patch effect.
This repository is a very small local privilege-escalation PoC consisting of one Python exploit script and a README. The main file, CVE-2026-31431.py, prints a banner, defines a small hex-decoding helper, and implements a core exploitation routine that creates an AF_ALG socket, binds it to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), sets crafted socket options at SOL_ALG (numeric 279), accepts the operation socket, and uses sendmsg() ancillary data together with splice() to move attacker-controlled bytes into a target file descriptor. The script opens /usr/bin/su read-only, decompresses a hardcoded zlib blob into a payload, and iterates over that payload in 4-byte chunks, invoking the exploitation primitive repeatedly to corrupt/overwrite the su binary. After the overwrite loop, it executes su via os.system("su"). The exploit is clearly local-only: there are no network callbacks, remote URLs, or C2 endpoints. Its notable fingerprintable targets are the local file path /usr/bin/su and the Linux AF_ALG crypto interface identifiers used to trigger the bug. The README describes the issue as a copy-on-write/length-confusion flaw in the Linux kernel AF_ALG authencesn AEAD implementation and states that the PoC demonstrates arbitrary file corruption leading to root privilege escalation. Overall, this is an operational PoC with a built-in hardcoded payload rather than a detection script or framework module.
Repository contains a small standalone local privilege escalation exploit for CVE-2026-31431 ('Copy Fail') targeting the Linux kernel algif_aead AF_ALG interface. There are two Python exploit variants: one for x86_64 (CVE-2026-31431-x64.py) and one for Ubuntu 24.04 aarch64 (ubuntu24.04-aarch64.py), plus a README describing affected distributions and reproduction notes. Both scripts are nearly identical: they create an AF_ALG AEAD socket, bind it to the algorithm string 'authencesn(hmac(sha256),cbc(aes))', configure it with setsockopt/sendmsg control messages, and abuse splice/pipe interactions against an open handle to /usr/bin/su. A zlib-compressed embedded blob is decompressed and written in 4-byte chunks through repeated calls to helper function c(), suggesting architecture-specific replacement bytes for su. After the overwrite/corruption step, the script executes 'su' to obtain elevated privileges. No network communication, C2, or remote target endpoints are present; this is a purely local kernel LPE exploit. The code is concise and operational rather than framework-based, with hardcoded payload bytes and target path.
This repository is a compact Python local privilege escalation PoC for CVE-2026-31431 ('Copy Fail'). It contains one executable script, copy_fail_exp.py, plus a README and .gitignore. The exploit is not part of a larger framework. The Python script uses only standard-library modules (os, zlib, socket, ctypes). It creates an AF_ALG socket bound to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), configures it with setsockopt, and uses ctypes to call the libc splice() syscall. The core routine repeatedly targets offsets in /usr/bin/su, sending crafted data through the AF_ALG socket and splicing file data through a pipe into the accepted socket. A zlib-compressed blob embedded in the script is decompressed and applied in 4-byte chunks, indicating the exploit patches the page cache contents of /usr/bin/su rather than editing the file conventionally. After patching, the script executes su to obtain elevated privileges. Repository structure is minimal and purpose-built: README.md explains the vulnerability, prerequisites, and intended outcome; copy_fail_exp.py is the sole exploit implementation and likely entry point. There are no network C2 endpoints, remote targets, or exfiltration logic. The exploit capability is strictly local: privilege escalation on a vulnerable Linux kernel with access to a readable privileged binary such as /usr/bin/su. The code appears operational rather than a mere detection script because it contains a full exploitation path and a concrete post-exploitation action (launching su for a root shell).
This repository is a minimal local privilege escalation exploit for CVE-2026-31431 ('Copy Fail'). It contains two files: a short Python exploit (exp.py) and a README describing usage and tested environment. The exploit is not network-facing and does not contact remote infrastructure; it is a local kernel exploit that abuses the Linux AF_ALG crypto socket interface together with splice/sendmsg behavior to corrupt file contents despite opening /etc/passwd read-only. The script defines a helper to decode hex, then a core function c(f,t,c) that creates an AF_ALG socket, binds to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), sets socket options at level 279 (ALG_SET_* style options), accepts an operation socket, sends crafted ancillary data, and uses os.splice to move data between the passwd file descriptor, a pipe, and the accepted socket. In a loop, it writes 4-byte chunks from a zlib-compressed blob into successive offsets of /etc/passwd. The README explains that the decompressed blob contains the string 'root::0:0:', replacing the normal 'root:x:0:0:' prefix so root no longer requires a password. After patching, the script runs 'su', which should yield a root shell. Overall, this is a compact, functional LPE proof-of-concept with a hardcoded payload, making it operational rather than merely demonstrative.
This repository is a minimal local privilege escalation PoC for CVE-2026-31431 ('Copy Fail'). It contains one Python exploit script and a README. The script is heavily minified but functional: it determines the current username, reads /etc/passwd, locates the current user's passwd entry and specifically the UID field offset, opens /etc/passwd read-only, primes the file descriptor with a read, then creates an AF_ALG socket (family 38) bound to the AEAD transform 'authencesn(hmac(sha256),cbc(aes))'. It configures the crypto socket, accepts an operation socket, and uses sendmsg with crafted ancillary data plus splice() through a pipe to inject the bytes '0000' at the UID offset in the page cache view of /etc/passwd. After the in-memory overwrite, it calls 'su <username>'; because account lookup now sees UID 0 for that user, entering the user's normal password can yield a root shell. The exploit is local-only, targets Linux kernel AF_ALG behavior, and does not include remote networking or C2. Repository structure is simple: CopyFail_mini.py is the sole exploit entry point, while README.md explains the vulnerability, prerequisites, execution flow, and cleanup guidance. The exploit's main capability is volatile page-cache corruption of a read-only file to achieve root privilege escalation without persisting changes to disk.
This repository is a compact C implementation of a local Linux privilege-escalation exploit and detector for CVE-2026-31431 ('Copy Fail'). It is not part of a larger exploit framework. The project builds two binaries via the Makefile: bin/copy-fail-test for safe-ish vulnerability detection using a temporary sentinel file, and bin/copy-fail-exploit for actual exploitation. Repository structure: include/copy_fail.h defines constants, AF_ALG parameters, algorithm name, and function prototypes. include/su_payload_zlib.h contains a small zlib-compressed embedded payload. src/alg.c implements the core primitive: creating AF_ALG AEAD sockets, binding to authencesn(hmac(sha256),cbc(aes)), configuring control messages, and using splice() to trigger the vulnerable path that causes 4-byte writes into page cache. It exposes cf_theori_write4_fd() for arbitrary 4-byte chunk writes into the first 512 bytes of a target file's cached page and cf_trigger_sentinel() for detector use. src/util.c performs environmental prechecks, including AF_ALG availability, /proc/crypto presence, algorithm bindability, and simple LD_PRELOAD/ld.so.preload checks for AF_ALG-blocking shims. src/test_main.c creates a temporary file under /tmp, fills it with sentinel content, triggers the bug, rereads the page, and reports vulnerability based on marker insertion or byte differences. src/exploit_main.c is the main exploit entry point: it decompresses the embedded payload, opens /usr/bin/su read-only, warms the first page into cache, writes the payload into the cached image in 4-byte increments using cf_theori_write4_fd(), and finally execs /usr/bin/su. Main exploit capability: local privilege escalation on vulnerable Linux systems by corrupting the page cache of /usr/bin/su without modifying on-disk contents. The exploit relies on the AF_ALG AEAD + splice bug path and uses a hardcoded embedded payload, making it operational rather than merely demonstrative. No network communication, C2, or remote endpoints are present; the attack surface is entirely local kernel functionality and local filesystem targets.
This is a compact standalone local privilege escalation repository for CVE-2026-46333. It is not a framework module. The repo contains 5 files: a Makefile, README, headers, a D-Bus marshaling/payload file (dbus.c/dbus.h), and the main exploit (ptrace_may_dream.c). The Makefile builds a single binary, ptrace_may_dream, from ptrace_may_dream.c and dbus.c and links pthread, crypt, and util libraries. The exploit targets a Linux kernel race in ptrace_may_access() when mm == NULL during pidfd_getfd(2). The core idea is to race pidfd_getfd() against the exit of a privileged short-lived process so that ptrace access checks are skipped, allowing an unprivileged user to duplicate an open file descriptor from that process. Here, the chosen victim is accounts-daemon. The exploit searches /proc for the accounts-daemon PID, uses busctl to trigger activity in AccountsService, and specifically abuses SetIconFile to cause a short-lived child process. Multiple racing threads repeatedly call pidfd_getfd() against a guessed FD slot (default 5, matching the README note for dbus-broker) until one thread steals the D-Bus socket FD. Once the FD is stolen, the exploit writes a handcrafted D-Bus payload directly to that socket. dbus.c constructs three concatenated method calls on org.freedesktop.Accounts.User for the current user's object path: SetShell("/bin/bash"), SetAccountType(admin), and SetPassword(hash, ""). The password is hardcoded in dbus.h as pwned123 and hashed with crypt() using SHA-512 salt $6$xpl01t$. After sending the payload, the main program waits for accounts-daemon to apply the changes, verifies success by checking /etc/group for wheel membership and /etc/passwd for /bin/bash, then attempts to launch a root-capable shell path. Capabilities are therefore: local process enumeration, race-based FD theft via pidfd_getfd, direct D-Bus wire-format message construction, privilege escalation through AccountsService account modification, and post-exploitation shell access. There are no external network callbacks or C2 endpoints; all observables are local filesystem paths, procfs paths, D-Bus service/interface/object names, and external busctl invocations.
Repository contains a complete local Linux privilege-escalation exploit set for CVE-2026-31431 ('CopyFail'), plus primitive-only PoCs and runtime tracing helpers. Structure is split into: proof-of-concept/ with Python and C demos that overwrite a harmless local file in page cache; exploit-scripts/ with full exploit implementations in Python, C, Perl, and x86_64 assembly; a BusyBox self-extracting dropper generator; and bpftrace-scripts/ for observing relevant kernel paths during exploitation. Core exploit logic is consistent across languages: open an AF_ALG AEAD socket bound to authencesn(hmac(sha256),cbc(aes)), configure key/authsize, queue attacker-controlled AAD where bytes 4..7 hold the desired 4-byte overwrite value, splice a file-backed region from the target executable into the AF_ALG operation socket so the last imported 4 bytes align with the destination-side scratch write, then call recv()/recvfrom() to trigger decrypt. Even though authentication fails, the vulnerable kernel path performs the 4-byte write first. Repeating this loop stages an entire attacker-controlled ELF into the page cache of the target executable, after which the exploit executes the target so the cached modified image runs. Default target is /usr/bin/su in all full exploit variants, making the intended outcome local privilege escalation. The Python exploit embeds a compressed payload blob and invokes su via os.system. The C exploit embeds raw ELF bytes and then execls /bin/su; comments indicate the payload can be replaced and the included bytes resemble a compact ELF with an exec('/bin/sh') style payload. The Perl and assembly variants require an external ELF payload file. The BusyBox script packages the assembly exploit and payload into a portable self-extracting runner for constrained environments. No remote C2 or network infrastructure is present; attack vector is strictly local and kernel-dependent. The bpftrace helpers are not exploit code themselves but aid analysis by tracing filemap_splice_read, splice_folio_into_pipe, af_alg_sendmsg, and crypto_authenc_esn_decrypt. Overall, this is a real, multi-language operational exploit repository rather than a detector or README-only artifact.
Single-file Python local privilege escalation exploit for CVE-2026-31431 ('Copy Fail'). The repository contains one executable script, exp_2026_31431.py, with all exploit logic embedded. The script targets Linux systems and abuses an AF_ALG AEAD/authencesn kernel crypto path to achieve a 4-byte write into the page cache of any readable file. It specifically chooses /etc/passwd because it is world-readable and consulted during account resolution and su/PAM flows. The exploit locates the current user's UID field in /etc/passwd, requires that the UID be exactly 4 digits, and overwrites those four bytes in the cached page with '0000'. It then verifies the modified cached contents by rereading /etc/passwd and checking pwd.getpwnam(). If run with --shell, it executes 'su <user>' so the user authenticates with their own password while the account is perceived as UID 0, yielding a root shell via setuid(0). Without --shell, it performs a dry run and then evicts the cached page using POSIX_FADV_DONTNEED to restore normal lookups. No network communication or remote C2 is present; this is a straightforward local LPE PoC/operational exploit with a hardcoded target file and privilege-escalation path.
This repository is a small Python-based local privilege escalation lab for CVE-2026-31431 ('Copy Fail') affecting the Linux kernel's algif_aead crypto path. It contains two substantive code files: a real PoC exploit (exploit_cve_2026_31431.py) and a separate safe detector (test_cve_2026_31431.py), plus documentation and a screenshots placeholder. The main exploit is a local-only Python script that abuses AF_ALG with the AEAD algorithm string 'authencesn(hmac(sha256),cbc(aes))' to trigger a 4-byte page-cache write primitive. Its core logic opens /etc/passwd read-only, ensures the page is cached, then uses socket.sendmsg control messages and os.splice into an AF_ALG socket to place attacker-controlled 4 bytes into the page cache at a chosen file offset. It locates the current user's UID field in /etc/passwd, requires that UID to be exactly four characters long, and overwrites it with '0000' in memory only. It then verifies the modified page-cache contents and checks pwd.getpwnam() to see whether libc now resolves the user as UID 0. If successful, it instructs the operator to run 'su <user>' with their own password, or automatically execs 'su' when invoked with --shell. The intended result is a root shell via setuid(0), while leaving the on-disk /etc/passwd unchanged. The detector script is not the exploit itself; it is a non-destructive local test harness. It creates a temporary sentinel file, primes its page cache, and attempts the same AF_ALG/splice corruption path against that user-owned file. It reports vulnerability if the marker bytes appear in the cached page or if other unexpected page-cache modifications occur. This script checks prerequisites such as /proc/crypto, AF_ALG availability, and whether the target algorithm can be instantiated. Repository structure is straightforward: README.md summarizes the vulnerability, lab findings, and mitigations; exploit_cve_2026_31431.py is the offensive PoC; test_cve_2026_31431.py is the defensive detector; screenshots/README.md is only a placeholder. There are no network callbacks, C2 endpoints, or remote targets. The exploit is a practical local PoC with a basic built-in execution path, so OPERATIONAL is the best maturity fit rather than mere POC.
Repository contains a small, focused local privilege escalation exploit set for the Linux kernel issue dubbed CopyFail (CVE-2026-31431). Structure is split into: (1) exploit-scripts/ with four exploit implementations in C, Python, Perl, and x86_64 assembly plus a BusyBox self-extracting dropper builder; (2) proof-of-concept/ with safer lab PoCs in C and Python that overwrite a controlled local file page-cache region instead of a privileged binary; and (3) bpftrace-scripts/ with tracing helpers for observing af_alg_sendmsg, crypto_authenc_esn_decrypt, filemap_splice_read, and splice_folio_into_pipe during exploitation. Core exploit capability: all exploit variants build the same primitive using AF_ALG AEAD sockets bound to authencesn(hmac(sha256),cbc(aes)). They place attacker-controlled bytes in AAD[4:8], set authsize/assoclen so the imported file bytes align with the destination-side scratch write, splice a file-backed region from the target executable into the AF_ALG operation socket, then call recv()/recvfrom() to trigger decrypt. Even though authentication is expected to fail, the code relies on the kernel reaching the scratch-write path first, yielding a controlled 4-byte overwrite into the target file's page cache. Repeating this loop stages an entire replacement ELF payload into the cached image of the target executable. Operational behavior by file: exploit.c is the clearest standalone implementation, embedding a compact ELF payload and patching /usr/bin/su in 4-byte increments before executing it. exploit.py performs the same logic with a zlib-compressed embedded payload and finally invokes su. exploit.pl and exploit.asm use an external payload.pwnkit.elf and then exec the target. mk_busybox_dropper.sh packages the assembly exploit and payload into a self-extracting shell script for constrained BusyBox environments. The proof-of-concept files are genuine exploit demonstrations rather than mere detectors: they create ./target.bin, mark a known offset with ORIG, trigger the primitive to change cached bytes to PWN!, and instruct the user to compare cached contents versus on-disk contents after dropping caches. The bpftrace scripts are auxiliary observability tools, not exploit logic. No remote C2 or external network infrastructure is present. The attack vector is purely local and kernel-facing via AF_ALG sockets and file/page-cache manipulation. The repository is a real exploit collection with working code and payload staging, not a fake or readme-only artifact.
Small standalone exploit repository with 3 files: GPL license, README, and a single Python entry point (passwd.py). The repository is a local privilege-abuse exploit, not a remote exploit and not part of a major framework. Its purpose is to change any local user's password without first obtaining a root shell by chaining two vulnerabilities: CVE-2026-46333 to steal a readable file descriptor for /etc/shadow from a transient /usr/bin/chage process, and CVE-2026-31431 (CopyFail) to convert that readable FD into a 4-byte arbitrary page-cache write primitive. passwd.py contains the full exploit flow. It loads libc and libcrypt via ctypes, implements get_shadow_fd() to repeatedly fork/exec chage -l root, opens a pidfd to the child, and brute-forces pidfd_getfd across candidate descriptors until one resolves via /proc/self/fd/* to /etc/shadow. It then reads/parses shadow entries, extracts the target user's existing hash and salt, prompts for a new password, hashes it with crypt(3) using the existing salt, and writes the replacement hash plus trailing field padding back into the cached /etc/shadow contents in 4-byte chunks. The write primitive is implemented with Linux AF_ALG crypto sockets using the authencesn(hmac(sha256),cbc(aes)) algorithm and splice-based manipulation described as CopyFail. The script includes cleanup/error handling for failed writes and warns that the modification is temporary because it affects page cache rather than durable on-disk state. Operationally, the exploit provides a practical local account takeover capability on vulnerable Linux systems: once the password hash is replaced, the attacker can authenticate as the chosen user with the known password. The README notes limitations: failure if the target entry is near the end of /etc/shadow, reuse of the old salt, and loss of the modified password after reboot or page-cache clearing. No C2, hardcoded IPs, or network callbacks are present; the notable fingerprintable artifacts are local file paths and the use of /usr/bin/chage, /etc/shadow, /proc/self/fd, /dev/null, and AF_ALG crypto sockets.
Repository contains a minimal Python local privilege-escalation exploit and a detailed French README. The code file, copy_fail_exp.py, is the sole executable component and implements a compact exploit for CVE-2026-31431 ('Copy Fail'), targeting the Linux kernel AF_ALG/authencesn AEAD path. It opens /usr/bin/su read-only, creates an AF_ALG socket (family 38, type 5) bound to authencesn(hmac(sha256),cbc(aes)), configures the socket with setsockopt, and uses os.splice through a pipe to feed file-backed pages into the vulnerable kernel path. A zlib-compressed payload blob is decompressed, then written in 4-byte chunks by repeated calls to function c(), which appears to induce controlled 4-byte corruption in the page cache of the target setuid binary. After patching all chunks, the script executes su, aiming to run the corrupted cached image and obtain root privileges. There are no network callbacks or remote C2 endpoints; this is a purely local exploit. The README provides vulnerability background, affected distributions, exploitation steps, IOCs, and mitigations, but the actual exploit logic is entirely in the Python script. Overall, this is a real, compact, operational local kernel LPE PoC with a hardcoded target path and embedded payload.
This repository is a compact local Linux privilege-escalation PoC for CVE-2026-31431. It contains only a README and a single C source file, copy_fail.c. The exploit is not framework-based. The code uses the Linux AF_ALG crypto socket interface with the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)) to obtain a controlled 4-byte page-cache write primitive. It prepares crafted ancillary data with ALG_SET_OP, ALG_SET_IV, and ALG_SET_AEAD_ASSOCLEN/ALG_SET_AEAD_AUTHSIZE, then uses sendmsg plus splice from a readable target file descriptor into the AF_ALG socket to corrupt page-cache contents despite recv returning an authentication failure. The exploit decompresses an embedded shellcode blob with zlib, backs up the original target bytes, writes the shellcode into the target binary 4 bytes at a time, forks, execs the modified setuid binary, waits for completion, and restores the original bytes afterward. The default target is /usr/bin/su, though the README shows /usr/bin/passwd as another example. The code also detects WSL by reading /proc/version and adjusts AF_ALG control constants accordingly. Overall, this is an operational local LPE PoC demonstrating transient page-cache corruption of setuid binaries to achieve root, with automatic cleanup/restoration.
This repository is a very small Metasploit exploit module package consisting of a README and a single Ruby module, copy_fail.rb. Because it is clearly a Metasploit module, the main exploit logic is concentrated in copy_fail.rb. The module is a post-exploitation local privilege escalation exploit targeting CVE-2026-31431, described as a Linux kernel AF_ALG/algif_aead page-cache overwrite flaw ('Copy Fail'). It is intended to be run after an attacker already has a shell or meterpreter session on a Linux host. The Ruby module defines a Metasploit Post module for Linux and supports shell and meterpreter sessions. It exposes two configurable options: TARGET_BINARY, defaulting to /usr/bin/su, and WRITABLE_DIR, defaulting to /tmp. In run(), it first exits if the session is already root, then checks for python3 on the target. If Python 3 is present, it dynamically writes an embedded Python helper script to WRITABLE_DIR/.cf_exp.py, executes it, and registers the file for cleanup. The embedded Python code is the actual exploitation payload. It opens the chosen setuid binary read-only, creates an AF_ALG socket using the AEAD type and algorithm string authencesn(sha256,aes), sets a key, accepts a connection, uses os.splice() to move file data into the AF_ALG socket path, then sends a crafted message intended to trigger a controlled 4-byte overwrite in page cache memory. Finally, it executes the target binary via os.system(). The overwrite value is hardcoded as 0x90909090, so this is not a generic payload framework but an operational exploit implementation with a fixed corruption primitive. Capabilities: local privilege escalation to root on vulnerable Linux kernels; staging and execution of a Python helper on the target; support for Metasploit cleanup; compatibility with existing shell or meterpreter sessions. There are no external C2 or network callback endpoints in the exploit logic. 
The only meaningful targetable observables are local file paths (/usr/bin/su, /usr/bin/sudo, /tmp/.cf_exp.py, /tmp) and the AF_ALG crypto socket binding string. Overall, this is a real exploit module rather than a detector or README-only repository.
Small standalone local privilege-escalation PoC for CVE-2026-31431. Repository contains only a README and one C source file, copy_fail.c. The code opens an AF_ALG socket for the AEAD algorithm authencesn(hmac(sha256),cbc(aes)), sets a key, and abuses a kernel page-cache write primitive to overwrite a readable target executable 4 bytes at a time. It auto-detects WSL versus mainline Linux by reading /proc/version and adjusts AF_ALG control-message constants accordingly. The exploit decompresses an embedded shellcode blob with zlib, backs up the original bytes from the target file, writes the shellcode into the target binary's page cache using sendmsg plus splice, forks, execs the modified setuid binary, waits for completion, and then restores the original bytes. Default target is /usr/bin/su, with README showing /usr/bin/passwd as another example. No network communication or remote C2 is present; this is a local kernel-to-root exploit PoC with an embedded payload and automatic cleanup/restore behavior.
This repository is a minimal local privilege-escalation exploit for CopyFail, identified in the README as CVE-2026-31431. It contains only two files: a short README and a single Python exploit script, copyfail.py. The script is self-contained and operational rather than a detector. The exploit targets Linux systems and abuses AF_ALG crypto sockets together with sendmsg/splice behavior to write a payload into /usr/bin/su in 4-byte chunks. It opens /usr/bin/su read-only, repeatedly creates socket family 38 (AF_ALG) sockets, binds them to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), applies several AF_ALG-related setsockopt calls, accepts a connection, and sends crafted ancillary data alongside payload fragments. It then uses os.pipe() and os.splice() with the su file descriptor and the accepted socket descriptor, suggesting a kernel-side copy/write primitive that corrupts or replaces the SUID binary contents. The embedded payload is a raw x86_64 ELF blob. The active payload is annotated as generated by msfvenom for linux/x64/exec with CMD="whoami" and PrependSetuid=True, indicating the author expects the overwritten SUID binary to execute a privileged command. A commented-out earlier payload would instead execute /bin/sh. After all chunks are written, the script runs /bin/su to trigger the modified binary and obtain elevated execution. There are no network, HTTP, or C2 endpoints. The only fingerprintable targets are local file paths and Linux kernel socket/algorithm identifiers. Overall, this is a compact local Linux privilege-escalation PoC/operational exploit that weaponizes a kernel bug to overwrite a SUID executable with attacker-controlled ELF content.
This repository is a self-contained research lab and proof-of-concept for CVE-2026-31431 (“Copy Fail”), a Linux kernel local privilege escalation vulnerability in the AF_ALG/algif_aead crypto path. The main exploit logic is in exploit/poc.py, a Python 3.10+ script that uses AF_ALG sockets and os.splice() to demonstrate a controlled 4-byte write into page cache. The PoC is intentionally safer than a full weaponized LPE: it creates and targets a local test file (/tmp/copyfail_target_binary) and overwrites the marker bytes 'SAFE' with 'PWND' at offset 0x100, then verifies the apparent corruption by rereading the file. The code binds an AF_ALG AEAD socket to the algorithm string authencesn(hmac(sha256),cbc(aes)), sets key/authsize, splices a page from the target file into the accepted AF_ALG socket, and triggers a decrypt operation intended to exercise the vulnerable authencesn scratch-write behavior. Exploit capability: the repository demonstrates the core primitive behind the vulnerability—controlled 4-byte page-cache corruption of a readable file without modifying the on-disk inode contents. The documentation explains how this primitive could be adapted to patch in-memory instructions in setuid binaries such as /usr/bin/sudo or /usr/bin/su for root escalation, and how shared-kernel container environments could enable host compromise/container escape. However, the included code itself does not implement a full privilege-escalation payload; it remains a PoC demonstration. Repository structure: README.md provides the high-level vulnerability description, exploitation chain, Docker lab instructions, and mitigation overview. docs/technical-analysis.md gives a detailed explanation of the vulnerable scatterlist/in-place optimization and why the write lands in page cache. docs/affected-kernels.md lists affected and patched kernel versions across major distributions. exploit/README.md documents expected PoC behavior. 
mitigation/check-vulnerable.sh is a detection/assessment script that checks kernel version heuristics, module state, modprobe blocking, and module availability. mitigation/disable-algif.conf is a sample modprobe rule to block algif_aead. docker/Dockerfile.vulnerable and docker/Dockerfile.patched build lab containers for vulnerable and mitigated scenarios, and scripts/setup-lab.sh automates building/running them. Notable operational details: exploitation is local, not remote; it depends on a vulnerable host kernel and availability of algif_aead/AF_ALG. The Docker environment is only a lab wrapper because containers share the host kernel. No external C2, callback, or hardcoded remote network infrastructure is present. The only meaningful exploitation interface is the local AF_ALG kernel socket family and local file targets.
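A minimal version of such an assessment, added here as an example and not the repository's check-vulnerable.sh, distinguishes the states that matter for this module: already loaded, built into the kernel, blocked by an install rule, only blacklisted, or freely loadable. The distinction between the last three matters because a plain blacklist line only disables a module's aliases; the kernel's request_module() call made when a process binds an AF_ALG socket loads algif_aead by name, so only an install rule pointing at /bin/false (or /bin/true) reliably stops it. The file paths and the recommended rule text are assumptions based on standard modprobe.d semantics, not taken from the repository.

```python
"""Assess whether algif_aead is reachable on this host, as a stop-gap check
before the kernel is patched.

Added example; this is not the mitigation/check-vulnerable.sh script from
the lab repository above.  It classifies the host into one of five states:
  loaded          module is in /proc/modules; modprobe.d is moot, rmmod it
  builtin         compiled into the kernel; cannot be blocked via modprobe.d
  blocked         an 'install algif_aead /bin/false' (or /bin/true) rule exists
  blacklist-only  only a 'blacklist' line exists, which does not stop the
                  kernel's request_module() on AF_ALG bind
  loadable        nothing prevents autoloading
"""
import glob
import os

MODULE = "algif_aead"
MODPROBE_DIRS = ("/etc/modprobe.d", "/run/modprobe.d",
                 "/usr/lib/modprobe.d", "/lib/modprobe.d")
# Assumed recommended rule; the content of the lab's disable-algif.conf is
# not shown on this page.
RECOMMENDED_CONF = "install algif_aead /bin/false\nblacklist algif_aead\n"
NOOP_COMMANDS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}


def _norm(name):
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.replace("-", "_")


def parse_proc_modules(text):
    """Map module name -> refcount from /proc/modules-formatted text."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2].isdigit():
            mods[parts[0]] = int(parts[2])
    return mods


def is_builtin(builtin_text, module=MODULE):
    """True if modules.builtin lists the module (e.g. kernel/crypto/algif_aead.ko)."""
    for line in builtin_text.splitlines():
        base = os.path.basename(line.strip())
        if base.endswith(".ko") and _norm(base[:-3]) == module:
            return True
    return False


def modprobe_state(conf_text, module=MODULE):
    """Classify modprobe.d directives for the module:
    'install-blocked', 'blacklist-only' or 'none'."""
    blacklisted = False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments
        if len(parts) >= 3 and parts[0] == "install" and _norm(parts[1]) == module:
            if " ".join(parts[2:]) in NOOP_COMMANDS:
                return "install-blocked"
        elif len(parts) == 2 and parts[0] == "blacklist" and _norm(parts[1]) == module:
            blacklisted = True
    return "blacklist-only" if blacklisted else "none"


def assess(proc_modules_text, builtin_text, conf_text, module=MODULE):
    """Combine the three inputs into one of the five states documented above."""
    if module in parse_proc_modules(proc_modules_text):
        return "loaded"
    if is_builtin(builtin_text, module):
        return "builtin"
    state = modprobe_state(conf_text, module)
    return {"install-blocked": "blocked",
            "blacklist-only": "blacklist-only"}.get(state, "loadable")


def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def assess_host():
    """Run assess() against the live host files.  Must run on the host, not
    inside a container: containers share the host kernel and its module state."""
    release = os.uname().release
    conf = "".join(_read(p) for d in MODPROBE_DIRS
                   for p in sorted(glob.glob(d + "/*.conf")))
    return assess(_read("/proc/modules"),
                  _read(f"/lib/modules/{release}/modules.builtin"),
                  conf)


if __name__ == "__main__":
    state = assess_host()
    print(f"{MODULE}: {state}")
    if state in ("loadable", "blacklist-only"):
        print("Add to /etc/modprobe.d/disable-algif.conf:\n" + RECOMMENDED_CONF, end="")
```

If the result is loaded, the rule still belongs in modprobe.d but only takes effect after rmmod algif_aead (which fails while an AF_ALG AEAD socket holds a reference) or a reboot; if it is builtin, only the kernel patch helps. Either way, run the check on the host rather than in a container, since a modprobe.d rule written inside a container changes nothing about the shared kernel.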
This repository is a minimal local Linux privilege-escalation exploit for CVE-2026-31431 ('Copy Fail'). It contains only two files: a short README identifying the CVE and tested distributions, and a single Python exploit script, copy_fail_exp.py. The script is compact and intentionally obfuscated through short variable names, but its behavior is clear: it opens /usr/bin/su read-only, creates an AF_ALG crypto socket (family 38, type 5) bound to the AEAD algorithm string authencesn(hmac(sha256),cbc(aes)), configures several socket options, and then uses sendmsg plus splice/pipe operations to abuse a kernel bug that permits attacker-controlled writes into the target file. A zlib-compressed payload blob is decompressed at runtime and written into /usr/bin/su in 4-byte chunks by repeatedly calling the exploit primitive. After patching/corrupting the SUID binary, the script runs su, presumably expecting the modified binary to yield root privileges. There are no network callbacks, C2 endpoints, or remote targets; the attack vector is strictly local. The exploit is operational rather than a mere proof of concept because it includes a concrete payload and an end-to-end privilege-escalation flow, but it is not part of a larger exploitation framework.
This repository is a compact local privilege escalation exploit for CVE-2026-31431 (“Copy Fail”). It contains only two files: a README describing the vulnerability, requirements, affected kernels, and usage; and a single executable Bash script, copyfail.sh, which implements the exploit workflow. The script is not merely a checker: it performs target discovery, payload preparation, runtime compilation of a C helper, and execution of the exploit to obtain root. The exploit targets vulnerable Linux kernels via the AF_ALG AEAD interface (algif_aead/authencesn). According to the README and script comments, the bug allows deterministic 4-byte writes into the page cache of any readable file by abusing splice/sendmsg interactions with AF_ALG. The practical goal is to corrupt a readable setuid-root executable in page cache only, then execute it to gain elevated privileges. This is a purely local attack vector; there are no remote C2 or network callbacks in the exploit itself.
Repository structure and behavior:
- README.md: documents the vulnerability, usage flags (-c compatibility check, -s scan setuid binaries, -t choose target), mitigation guidance, architecture support, and references.
- copyfail.sh: main exploit entry point. It includes helper functions, architecture-based payload selection, target enumeration, compatibility checks, runtime payload decompression, generation of inline C source, compilation with gcc, and final execution of the compiled helper.
Main exploit capabilities observed in copyfail.sh:
- Detects supported architecture and selects an embedded compressed shellcode blob.
- Checks prerequisites: Linux, non-root execution, gcc availability, AF_ALG socket availability, and presence of a setuid-root target.
- Enumerates likely setuid-root binaries and can scan common filesystem roots for all such binaries.
- Auto-selects a target from common privileged executables such as su, passwd, sudo, pkexec, mount, and others.
- Uses python3 to decompress the embedded shellcode into a temporary payload file.
- Generates and compiles a minimal C helper at runtime to perform kernel-facing operations unavailable directly in Bash, specifically AF_ALG socket interaction and likely splice/sendmsg-based corruption primitives.
- Executes the compiled helper against the chosen target and payload, resulting in a root shell by default or a specified root command when using -e.
The exploit is operational rather than a bare PoC because it includes a real payload, target selection logic, compatibility checks, and automated compilation/execution. However, it is not part of a larger exploitation framework and does not expose highly modular payload customization beyond the built-in shellcode and optional command execution mode.
This repository contains a single Python exploit, copyfail.py, implementing a local Linux privilege-escalation technique rather than a remote exploit. The script is heavily minimized/obfuscated but its flow is clear: it imports os, zlib, and socket; defines a helper to decode hex; defines function c() that creates an AF_ALG socket (family 38), binds it to the kernel crypto transform "aead" / "authencesn(hmac(sha256),cbc(aes))", sets several socket options at level 279 (ALG_* options), accepts an operation socket, and uses sendmsg plus os.splice() to combine attacker-controlled data with bytes sourced from an opened file descriptor. The main routine opens /usr/bin/su, decompresses an embedded payload blob, and iterates over that payload in 4-byte chunks, calling c() repeatedly with increasing offsets. After patching the target binary, it runs "su" via os.system(). The exploit’s main capability is overwriting/corrupting the local setuid su binary to achieve privilege escalation. There are no network, HTTP, DNS, or C2 endpoints; all activity is local to the host. Fingerprintable artifacts are the targeted file path /usr/bin/su and the Linux AF_ALG crypto interface using the authencesn(hmac(sha256),cbc(aes)) algorithm string. Repository structure is trivial: one standalone Python entry point with an embedded compressed payload and no auxiliary files. Overall, this is a real operational local exploit PoC that weaponizes a kernel/userspace interaction to modify a privileged executable and then invoke it for elevated access.
This repository is a standalone local privilege-escalation exploit for CVE-2026-31431 ('Copyfail') targeting vulnerable Linux x86-64 systems. It is not part of a common exploit framework. The repo contains 6 files: the main exploit source (cfail.cpp), a custom minimal syscall/header library (libMinIO.hpp), a makefile, a Python helper (printbin.py), README, and .gitignore. The core exploit logic is in cfail.cpp. It avoids libc and uses a custom inline-assembly syscall layer from libMinIO.hpp, making the resulting binary highly self-contained and statically oriented. The exploit creates an AF_ALG socket with type 'aead' and algorithm name 'authencesn(hmac(sha256),cbc(aes))', sets key/auth parameters, opens /usr/bin/su, and repeatedly uses accept(), sendmsg(), pipe(), splice(), and read() in a loop while feeding 4-byte chunks of an embedded ELF payload. The embedded payload is a tiny x86-64 ELF that ultimately executes /bin/sh. After the overwrite/copy sequence, the exploit directly execves /bin/sh with arguments '-c' and 'su'. Overall capability: local unprivileged-to-root escalation by corrupting or replacing the privileged /usr/bin/su path using the vulnerable kernel behavior. libMinIO.hpp provides the low-level primitives used by the exploit: wrappers for syscalls such as write, read, open, socket-related operations, sendmsg, pipe, splice, execve, and supporting AF_ALG/CMSG structures and macros. It is not a separate exploit, but an implementation detail enabling a libc-free build. The makefile builds the cfail binary, strips it, and then uses printbin.py to generate cfail.sh, a bootstrap script that reconstructs the binary using bash printf statements. This indicates an operational convenience feature for transferring/deploying the exploit where only text/script delivery is practical. printbin.py itself is not malicious beyond converting arbitrary binary bytes into shell-safe printf output. There are no network C2 endpoints, remote URLs, or external IPs/domains. 
The meaningful fingerprintable targets are local: /usr/bin/su, /bin/sh, and the AF_ALG crypto socket interface. The exploit is a real offensive local exploit, not a detector or README-only repository.
Repository contains a small Python exploit (exploit.py), a much larger commented C port (copyfail.c), and a README describing the vulnerability and usage. This is a real local privilege escalation exploit for CVE-2026-31431 ('Copy Fail'), targeting the Linux kernel AF_ALG AEAD crypto interface. The exploit is not a scanner or detector: it opens /usr/bin/su read-only, repeatedly creates an AF_ALG socket bound to authencesn(hmac(sha256),cbc(aes)), sets a crafted key and anomalous AEAD authsize, initiates a decrypt operation with sendmsg control messages, and uses splice to move bytes from the target file into the crypto socket. The intended effect is corruption/modification of the page cache for /usr/bin/su in 4-byte chunks using an embedded compressed payload. After all chunks are written, the exploit executes su, which then runs from the modified page cache and yields a root shell. The Python version is compact and serves as the original PoC; the C version is the main operational implementation, designed for static compilation and minimal environments. No external network C2 or remote URLs are used; the key observables are local file paths and the AF_ALG algorithm string. The README also notes container relevance because AF_ALG exposure inside containers may permit host-impacting escalation if the vulnerable kernel/module is present.
Recent activity
A Linux kernel privilege escalation vulnerability in the same DirtyFrag-related family, exploiting the algif_aead module for a four-byte page-cache write.
A Linux kernel local privilege escalation vulnerability in the algif_aead module / AF_ALG socket interface caused by an in-place AEAD optimization that enables page cache corruption and deterministic root escalation from an unprivileged local account.
A Linux kernel local privilege escalation vulnerability that allows a low-privileged attacker to gain root access.