Share
## https://sploitus.com/exploit?id=90672A09-E1DF-5E56-87CD-C9FF912D14B7
# copy-fail

**CVE-2026-31431 (Copy Fail)** – a C language PoC, logic-aligned [theori-io/copy-fail-CVE-2026-31431](https://github.com/theori-io/copy-fail-CVE-2026-31431). This is an original Python exploit. **Only intended for authorized security research and experimental environments. Use it only on authorized systems.**

## **Principle Overview**

In Linux’s `AF_ALG`, the `authencesn(hmac(sha256), cbc(aes))` function, under `splice` + AEAD pathways, can write 4 bytes from the AAD into the target file’s page cache (disk content remains unchanged). The behavior of this exploit in this repository is consistent with the original:

1. Write 4 bytes of `/usr/bin/su` into the page cache, which is then decompressed as a tiny ELF by zlib.
2. Execute `su`; the tampered page cache loads a fake `su`, typically allowing access to the root shell without a password.

## **Directory Structure**

```
copy-fail/
β”‚    β”œβ”€β”€ include/
β”‚       β”œβ”€β”€ copy_fail.h
β”‚       └── su_payload_zlib.h
β”‚
β”‚    β”œβ”€β”€ src/
β”‚       β”œβ”€β”€ alg.c           # AF_ALG / splice primitives
β”‚       β”œβ”€β”€ util.c          # Pre-checking
β”‚       β”œβ”€β”€ test_main.c     # Vulnerability detection
β”‚       └── exploit_main.c  # Privilege escalation
β”‚
β”‚    β”œβ”€β”€ Makefile
β”‚       └── README.md
β”‚
```
## **Dependencies**

**Ubuntu / Debian:**

```bash
sudo apt install build-essential zlib1g-dev
```

## **Compilation**

```bash
cd copy-fail
make
```

**Output Files:**

| Output File | Description |
|------------|-------------|
| `bin/copy-fail-test` | Vulnerability detection (temporary sentinel file, does not modify system files) |
| `bin/copy-fail-exploit` | Privilege escalation (modifies `/usr/bin/su` page cache to execute `exec su`) |

### **Static Compilation (on older versions of glibc)**

After compiling on higher versions of the system, if `GLIBC_2.34` / `GLIBC_2.38 not found` is reported, perform the following on the **compiling machine**:

```bash
make static
```

Copy `bin/copy-fail-test` and `bin/copy-fail-exploit` to the target machine for execution. You can also execute `make` on the **target machine** (dynamic linking, smaller size).

## **Usage**

### **Detection**

```bash
./bin/copy-fail-test
echo $?
```

| Exit Code | Meaning |
|------------|-------------|
| 0 | No vulnerability detected / Conditions not met |
| 2 | Vulnerability detected |
| 1 | Error occurred during testing |

### **Privilege Escalation**

```bash
./bin/copy-fail-exploit
id
```

No output means the design is correct; success leads to access to the root shell. If failed, `echo $?` will usually return `1`.

## **Prerequisites**

- The kernel must support creating `AF_ALG` sockets.
- The `authencesn(hmac(sha256), cbc(aes))` algorithm must be able to be bound.
- Access to `/usr/bin/su` is required.
- `splice` must be able to write to the AF_ALG socket.

If the detector reports β€œcannot be instantiated (No such file or directory)”, perform the following commands:

```bash
grep -r algif_aead /etc/modprobe.d/
sudo modprobe algif_aead
grep authencesn /proc/crypto
```

Some distributions disable `algif_aead` through modprobe (e.g., Ubuntu USN mitigation). You need to disable it on a root-controlled experiment machine before testing again.

## **Cleanup**

After the privilege escalation test (in the root shell), you can clear the corrupted page cache:

```bash
echo 3 > /proc/sys/vm/drop_caches
```

Or restart the virtual machine.

## **References**

- [CVE-2026-31431](https://copy.fail/)
- [theori-io/copy-fail-CVE-2026-31431](https://github.com/theori-io/copy-fail-CVE-2026-31431)