Share
## https://sploitus.com/exploit?id=7CD0E212-4B9C-53BC-ABEE-28D11C7D9167
# CVE-2026-31431

## WARNING

These PoCs are **runtime-destructive**.

They overwrite the live **page-cache view** of privileged targets such as:

- `su`
- PAM configuration files
- any file passed into `patch` mode

This is usually not a normal persistent on-disk edit, but it **does change runtime behavior** and can affect authentication / privilege flow immediately.

This repository does **not** provide a fully non-destructive **root** mode.

---

## Files

- `copyfail_raw_su_root.c`
- `copyfail_portable_lpe.c`

Both are **Linux-only**.

---

## Default behavior

For `copyfail_portable_lpe.c`, running:

```bash
./copyfail_portable_lpe
```

uses **`auto-revert` by default**.

That means it will try the **recoverable workflow first**:

1. patch the target
2. gain root
3. attempt to revert the patched target
4. then hand off to a root shell

If recoverable mode fails, the program prints fallback mode hints.

---

## copyfail_raw_su_root.c

Minimal raw variant:

- directly patches `su`
- immediately executes the target `su`
- minimal logic

### Architecture

- **x86_64 Linux only**

### Build

```bash
gcc -O2 -s copyfail_raw_su_root.c -o copyfail_raw_su_root
```

### Run

```bash
./copyfail_raw_su_root
```

---

## copyfail_portable_lpe.c

General variant with multiple modes.

### Modes

#### auto

Explicit non-reverting mode:

```bash
./copyfail_portable_lpe auto
```

#### auto-revert

Recoverable-first mode:

```bash
./copyfail_portable_lpe
./copyfail_portable_lpe auto-revert
```

#### helper

Drop a SUID bash helper without revert:

```bash
./copyfail_portable_lpe helper ./.rootsh
```

#### helper-revert

Drop a helper, then attempt to restore patched targets:

```bash
./copyfail_portable_lpe helper-revert ./.rootsh
```

#### patch

Same-length string replacement on a chosen file:

```bash
./copyfail_portable_lpe patch   
```

#### raw-su-elf

Raw `su` patch path:

```bash
./copyfail_portable_lpe raw-su-elf
```

### Recoverable logic

`auto-revert` and `helper-revert` are still **destructive during exploitation**.

They are only "recoverable" in the sense that they:

1. patch the live runtime target
2. use the patched state to obtain root
3. attempt to restore the patched target before handing off control

So this is **destructive-then-revert**, not truly non-destructive.

### Architecture

- `auto` / `auto-revert` / `helper` / `helper-revert` / `patch`: Linux-oriented, less tightly coupled to CPU architecture when compiled on-target
- `raw-su-elf`: **x86_64 Linux only**

### Build

```bash
gcc -O2 -s copyfail_portable_lpe.c -o copyfail_portable_lpe
```