Initial skeleton: README, CVE inventory, roadmap, ARCH, ethics + copy_fail_family module absorbed from DIRTYFAIL
This commit is contained in:
@@ -0,0 +1,33 @@
|
||||
/*
|
||||
* DIRTYFAIL — copyfail.h
|
||||
*
|
||||
* Public surface for the Copy Fail (CVE-2026-31431) module.
|
||||
*/
|
||||
|
||||
#ifndef DIRTYFAIL_COPYFAIL_H
|
||||
#define DIRTYFAIL_COPYFAIL_H
|
||||
|
||||
#include "common.h"
|
||||
|
||||
/* Run all preflight checks and the sentinel-file primitive probe.
|
||||
* Never modifies system files. */
|
||||
df_result_t copyfail_detect(void);
|
||||
|
||||
/* Real PoC: flip the running user's 4-digit UID in /etc/passwd page
|
||||
* cache to "0000" and (optionally) execve `su <user>` to drop a root
|
||||
* shell. `do_shell` controls whether to invoke su; if false, the patch
|
||||
* is reverted via POSIX_FADV_DONTNEED before returning so the system
|
||||
* does not stay in a broken state. */
|
||||
df_result_t copyfail_exploit(bool do_shell);
|
||||
|
||||
/* Low-level building block: write 4 bytes into the page cache of
|
||||
* `target_path` at `target_off`. Caller must have read access to
|
||||
* the file. Same primitive that copyfail_exploit uses internally;
|
||||
* exposed for exploit_su.c to chain ~12 calls into a 48-byte
|
||||
* shellcode plant against /usr/bin/su. Returns true if the AF_ALG
|
||||
* sequence completed; caller MUST verify via re-read. */
|
||||
bool cf_4byte_write(const char *target_path,
|
||||
off_t target_off,
|
||||
const unsigned char four_bytes[4]);
|
||||
|
||||
#endif
|
||||
Reference in New Issue
Block a user