copy_fail is a Rust-based proof-of-concept (PoC) exploit that leverages a vulnerability in the Linux kernel (using the AF_ALG socket family and splice() system calls) to overwrite read-only files in the page cache. Specifically, it targets the `su` binary to achieve privilege escalation.

## Features

- Page cache overwriting: overwrites the `su` binary in memory (page cache) without modifying the actual file on disk (unless memory is synced/dropped).
- Multi-architecture support: includes zlib-compressed payloads for `x86_64`, `x86`, and `aarch64`.
- Backup functionality: optionally backs up the original `su` binary before exploitation.
- Custom execution: allows specifying a custom command to execute as root via the overwritten `su`.
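A defender-side integrity check for the effect described above, added here as an example and not part of copy_fail: it hashes a file as served from the page cache, asks the kernel to evict the file's clean pages with `posix_fadvise(POSIX_FADV_DONTNEED)`, and hashes again, so a page-cache-only overwrite of `su` (disk bytes intact, tampered pages not dirty) shows up as a mismatch between the two hashes. The function and field names are my own, and the temporary file used by `demo_on_constructed_file` is constructed sample input.

```python
import hashlib
import os
import tempfile

def _sha256_fd(fd: int) -> str:
    """Hash the whole file behind fd via normal read(), i.e. as served from the page cache."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while chunk := os.read(fd, 1 << 16):
        digest.update(chunk)
    return digest.hexdigest()

def check_page_cache_integrity(path: str, expected_sha256: str = "") -> dict:
    """Hash path through the page cache, ask the kernel to evict its clean pages,
    then hash again. A page-cache-only overwrite leaves the on-disk bytes intact
    and the tampered pages non-dirty, so the re-read comes from disk and differs.
    Eviction is advisory (pages mapped by a running process stay resident), so a
    known-good hash, e.g. from the distro package, is also checked when given."""
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = _sha256_fd(fd)
        if hasattr(os, "posix_fadvise"):  # Linux; skipped elsewhere
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        reread = _sha256_fd(fd)
    finally:
        os.close(fd)
    return {
        "path": path,
        "cached_sha256": cached,
        "reread_sha256": reread,
        "consistent": cached == reread,
        "matches_expected": (cached == expected_sha256) if expected_sha256 else None,
    }

def demo_on_constructed_file() -> dict:
    """Run the check on a constructed, untampered temporary file (sample input)."""
    data = b"constructed sample binary content\n" * 2048
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return check_page_cache_integrity(path, hashlib.sha256(data).hexdigest())
    finally:
        os.unlink(path)

if __name__ == "__main__":
    import sys
    # Default target is the binary copy_fail overwrites; pass another path to check it.
    print(check_page_cache_integrity(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin/su"))
```

A "consistent" result is not proof of a clean cache when the binary is mapped by a live process, which is why the optional known-good hash is the stronger signal.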
## Requirements

- Rust toolchain (`cargo`, `rustc`)
- A vulnerable Linux kernel
## Build

Build the project using Cargo:

```sh
cargo build --release
```

## Usage

Run the compiled executable:

```sh
./target/release/copy_fail [OPTIONS]
```

Options:

- `-backup <path>`: Path to copy the `su` binary to before overwriting. This creates a backup of the original binary with its original permissions.
- `-exec <command>`: Command to run as root. A full path to the executable is required.
- `-h`, `--help`: Print the help menu.
## Examples

Run with the default payload:

```sh
./target/release/copy_fail
```

Run and back up the original `su` binary:

```sh
./target/release/copy_fail -backup /tmp/su_backup
```

Run and execute a custom command as root:

```sh
./target/release/copy_fail -exec /bin/bash
```

BECAUSE WHY NOT π

## Dependencies

- `libc`: for raw system calls and interacting with the Linux socket API (`AF_ALG`, `splice`, `sendmsg`, etc.).
- `flate2`: for decompressing the zlib-compressed shellcode payloads.
- `hex`: for decoding hex-encoded payloads.
This software is provided for educational and research purposes only. Do not use this tool on systems you do not own or have explicit permission to test. The authors are not responsible for any misuse or damage caused by this tool.