JimmyPughtron/CVE-2026-31431-Copy-Fail---Minified-LPE-PoC

GitHub: JimmyPughtron/CVE-2026-31431-Copy-Fail---Minified-LPE-PoC

Stars: 0 | Forks: 0

# CVE-2026-31431-CopyFail---Minified-LPE-PoC

## ⚠️ Disclaimer

For Educational and Authorized Security Testing Purposes Only. This Proof-of-Concept (PoC) was synthesized for authorized Red Team emulation and vulnerability auditing. The authors and contributors assume no liability for the misuse of this code. Do not use this exploit against systems you do not own or do not have explicit, written permission to test.

## 📝 Overview

CVE-2026-31431 (colloquially known as "Copy Fail") is a Local Privilege Escalation (LPE) vulnerability in the Linux kernel's userspace crypto interface (AF_ALG sockets). By combining an AF_ALG socket with the `splice()` system call, an unprivileged user can force the kernel to write arbitrary bytes directly into the in-memory page cache of a read-only file. The on-disk file is never modified; the corrupted page simply stands in for the real contents for every process that reads the file, until the page is evicted.

This implementation is highly minified (18 lines), which makes it practical for Red Team operations where the operator has a restricted shell, no file-upload capability, and must type the exploit by hand into an interactive `python3` session.

## ⚙️ Exploit Strategy

Instead of injecting ELF shellcode into a setuid binary (which often crashes because of padding and header constraints), this script targets `/etc/passwd`:

1. It locates the byte offset of the running user's UID field in the file.
2. It uses the AF_ALG socket to zero-copy `splice()` a payload of `0000` over the existing UID. The payload is exactly the length of a 4-digit UID such as `1000`; for a UID of any other length an in-place write of `0000` would clobber one of the surrounding `:` separators, so check the field length first.
3. The modification lands in RAM (the page cache), not on disk, so the on-disk bytes and the inode metadata (size, mtime, ctime) are unchanged. File Integrity Monitoring that keys on metadata, or that only re-reads the file after the page has been evicted, will not notice. A tool that hashes the file contents while the corrupted page is cached does see the change, because ordinary reads are served from the page cache.
4. Running `su` to your own account then resolves the user to UID 0 from the corrupted cache, validates your normal password against the unchanged `/etc/shadow` entry, and drops a root shell.

## 🚀 Pre-Requisites

The vulnerable crypto modules must be loaded in the kernel for this exploit to function:

```
sudo modprobe algif_aead authencesn
```

On a stock kernel an AF_ALG `bind()` normally triggers module autoloading through the `algif-*` and `crypto-*` module aliases, so an unprivileged user usually does not need this step; it is listed for lab hosts where module autoloading is restricted or the modules are blacklisted (if you can already run `sudo modprobe`, you hold the privilege the exploit is meant to obtain). Confirm with `lsmod | grep -E 'algif_aead|authencesn'`.

## 🎯 Execution & Verification

1. Run the script.
2. The script pauses and prompts for a password: `Password:`
3. Enter your current user's password.
4. The prompt changes to `#`. Verify with `id` (`uid=0(root)`).

Note: If the script completes but you encounter an "Authentication Failure", a Name Service Cache Daemon (`nscd`, or `sssd` on hosts that serve local users through it) may still be caching your old UID, since `su` looks the account up through NSS. Run `nscd -i passwd` (for nscd) or `sss_cache -u <user>` (for sssd) if available, or retry once the cached entry has expired.

## 🧹 Cleanup / Remediation

This exploit only alters the system's volatile memory. To revert the system to its secure state and restore the proper UID mapping without rebooting, evict the corrupted page from the cache:

```
# Must be executed as root
echo 3 > /proc/sys/vm/drop_caches
```

`echo 1` (page cache only) is sufficient; `3` additionally drops dentries and inodes. The next read of `/etc/passwd` is served from disk again; confirm with `grep '^<user>:' /etc/passwd`. Two caveats: `drop_caches` only evicts pages that are clean and not mapped into any process, and any tool that rewrites `/etc/passwd` while the corrupted page is cached (`usermod`, `vipw`, `useradd`, a configuration-management run) reads the corrupted content and writes it to disk permanently. Check the on-disk copy after cleanup rather than assuming nothing persisted.
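Two of the steps above are worth seeing as working code rather than prose: locating the UID field and sizing the payload (Exploit Strategy, steps 1 and 2), and checking after cleanup whether the cached view of `/etc/passwd` still differs from the on-disk copy (Cleanup / Remediation). The following Python is an added example written for this page; it is not the PoC, it never opens an AF_ALG socket or calls `splice()`, and the names `find_uid_field`, `plan_uid_overwrite`, `read_direct`, `diff_offsets` and `page_cache_mismatch` are this example's own. It assumes Linux, a 4096-byte page size, and, for the direct-I/O check, a filesystem that honours `O_DIRECT` (ext4 and xfs do; tmpfs rejects it with EINVAL, and ext4 mounted `data=journal` silently falls back to buffered reads, which makes the check blind there). The sample passwd content is constructed, not copied from any host.

```python
"""Added example for the README above (not the PoC):
 - where in /etc/passwd a 4-byte UID overwrite must land, and whether it fits;
 - whether the page-cache view of a file differs from the on-disk bytes.
Assumptions: Linux, PAGE_SIZE == 4096, O_DIRECT honoured by the filesystem."""
import errno
import mmap
import os

PAGE_SIZE = 4096          # assumption: x86-64 / 4K-page arm64
DIRECT_CHUNK = 1 << 20    # 1 MiB read unit, a multiple of any sector size

# Constructed sample passwd(5) content, not copied from a real system.
SAMPLE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    b"alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    b"bob:x:999:999:Bob:/home/bob:/bin/sh\n"
)


def find_uid_field(passwd, username):
    """(byte offset, length) of the UID field (3rd ':'-field) on *username*'s line."""
    off = 0
    for line in passwd.split(b"\n"):
        f = line.split(b":")
        if len(f) >= 3 and f[0] == username.encode():
            # name ':' password-placeholder ':' precede the UID
            return off + len(f[0]) + 1 + len(f[1]) + 1, len(f[2])
        off += len(line) + 1            # account for the newline split() removed
    raise KeyError(username)


def plan_uid_overwrite(passwd, username, payload=b"0000"):
    """Check that *payload* can replace the UID field in place and report the
    target in page-cache terms. The README's b"0000" only fits a 4-digit UID."""
    off, length = find_uid_field(passwd, username)
    if len(payload) != length:
        raise ValueError(f"UID field is {length} bytes, payload is {len(payload)}: "
                         "an in-place write would clobber a ':' separator")
    if off // PAGE_SIZE != (off + length - 1) // PAGE_SIZE:
        raise ValueError("target straddles a page boundary; a single page-cache "
                         "page cannot hold the whole write")
    patched = passwd[:off] + payload + passwd[off + length:]
    start = patched.rfind(b"\n", 0, off) + 1
    end = patched.find(b"\n", off)
    line = patched[start:end if end != -1 else len(patched)]
    return {"offset": off, "page": off // PAGE_SIZE, "page_offset": off % PAGE_SIZE,
            "new_uid": int(line.split(b":")[2]), "line": line.decode()}


def read_direct(path):
    """Read *path* with O_DIRECT, i.e. from the block device rather than the
    page cache. Returns None where the platform/filesystem refuses O_DIRECT."""
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    unsupported = (errno.EINVAL, errno.ENOTSUP, errno.EOPNOTSUPP)
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError as e:
        if e.errno in unsupported:
            return None
        raise
    buf = mmap.mmap(-1, DIRECT_CHUNK)     # anonymous mapping: page aligned
    try:
        size = os.fstat(fd).st_size
        chunks, pos = [], 0
        while pos < size:                 # offset, buffer and length all aligned
            n = os.preadv(fd, [buf], pos)
            if n <= 0:
                break
            chunks.append(buf[:n])
            pos += n
        return b"".join(chunks)[:size]
    except OSError as e:
        if e.errno in unsupported:
            return None
        raise
    finally:
        buf.close()
        os.close(fd)


def diff_offsets(cached, on_disk):
    """Byte offsets at which the cached and on-disk views disagree."""
    n = min(len(cached), len(on_disk))
    diffs = [i for i in range(n) if cached[i] != on_disk[i]]
    if len(cached) != len(on_disk):
        diffs.append(n)
    return diffs


def page_cache_mismatch(path):
    """None if O_DIRECT is unavailable here, else the offsets where a plain
    read() (page cache) and a direct read (disk) differ; [] means consistent."""
    with open(path, "rb") as f:
        cached = f.read()
    on_disk = read_direct(path)
    return None if on_disk is None else diff_offsets(cached, on_disk)


if __name__ == "__main__":
    import pwd
    me = pwd.getpwuid(os.getuid()).pw_name
    with open("/etc/passwd", "rb") as f:
        print(plan_uid_overwrite(f.read(), me))
    print("cache vs disk:", page_cache_mismatch("/etc/passwd"))
```

A plain `read()` is served from the page cache while an `O_DIRECT` read goes to the device, so on an affected host `page_cache_mismatch("/etc/passwd")` returns the offset of the overwritten UID before `drop_caches` and an empty list after it; a second run from a cold cache that still shows a difference means something rewrote the file and the corruption was persisted.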