cyber-joker/copy-fail-python
copyfail_su.py

Python port of badsectorlabs/copyfail-go (CVE-2026-31431). Linux only; requires Python 3.10+ (os.splice).

How it gets root (important)

This tool does not use the /etc/passwd page-cache trick.

  • It overwrites the page cache of the setuid su binary with embedded shellcode (the same payloads as the Go main.go), then executes su.
  • Elevation comes from the kernel executing the corrupted cached image of su as a setuid-root program (the real inode still carries root ownership and the setuid bit), not from making getpwnam() believe your UID is 0 via a patched /etc/passwd.

Other public Python PoCs for the same CVE may patch /etc/passwd in the page cache and then tell you to run su <user>. That is a different target file and a different follow-up step from what this script does.

Usage

Authorized testing only — use only on hosts you own or are explicitly permitted to assess.

```sh
chmod +x copyfail_su.py

# Interactive-style flow (same idea as copyfail-go without --exec)
./copyfail_su.py --backup /tmp/su.bak

# Run another program elevated (passes the path as argv to su; uses the exec-argv1 payload)
./copyfail_su.py --backup /tmp/su.bak --exec /full/path/to/binary
```

After a successful run, restore the real su from the copy written by --backup, then verify it as described in the recovery section below.

Recovery without --backup

The PoC corrupts the page cache of /usr/bin/su, i.e. the in-memory copy of the file that the kernel serves to every reader and to exec. Do not assume the on-disk file is still trustworthy until you have verified it or reinstalled it.

  1. Reinstall the package that owns /usr/bin/su (find it first, then reinstall it by the name the tool reports):

    • RPM family: rpm -qf /usr/bin/su reports the owning package, then sudo dnf reinstall <package>. Do not assume a fixed name such as shadow-utils; on current Fedora/RHEL-style systems su usually belongs to util-linux or util-linux-core.
    • Debian/Ubuntu: dpkg -S /usr/bin/su then sudo apt install --reinstall <package>.
  2. Verify: sudo rpm -V <package> reports unexpected changes to /usr/bin/su (a "5" in the digest column), or debsums <package> on Debian-style systems. Both tools read the file through the page cache, so they detect the in-memory corruption only while the corrupted pages are still cached.

  3. Optional: reboot after the reinstall. The reinstall replaces the file (a new inode), and a reboot guarantees that no corrupted pages from the old one survive anywhere in memory.

  4. If you cannot reinstall as root: recovery boot, Live USB, or replace /usr/bin/su from a known-good image of the same distro, version and architecture; ensure ownership root:root and mode 4755 (-rwsr-xr-x).
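The following script is an added example for this page; it is not part of copy-fail-python or copyfail-go. It automates the checks behind the recovery steps above: it compares the page-cache view of su (what exec and rpm -V/debsums see) with the on-disk blocks read via O_DIRECT, reports owner/group/mode, and looks up the owning package. Assumptions not taken from the README: GNU or BusyBox stat and dd, sha256sum, dd's iflag=direct, and a filesystem that supports O_DIRECT for the file (tmpfs does not; the script reports "unknown" rather than a false "same" in that case). The file name su_check.sh and all function names are the example's own.

```sh
#!/bin/sh
# su_check.sh: post-exploitation sanity checks for a setuid binary whose
# page cache may have been overwritten. Added example, not project code.
# Assumes: GNU/BusyBox stat and dd, sha256sum, O_DIRECT support on the fs.

# sha256 of the file as every normal reader and exec() see it: via the page cache.
cached_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# sha256 of the on-disk blocks, read with O_DIRECT so the page cache is bypassed.
# Returns 1 and prints nothing when direct I/O is unsupported (dd fails, e.g. on tmpfs).
ondisk_sha256() {
    tmp=$(mktemp) || return 1
    if ! dd if="$1" of="$tmp" iflag=direct bs=1M 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    sha256sum "$tmp" | cut -d' ' -f1
    rm -f "$tmp"
}

# Prints "same" when cache and disk agree, "DIFFERENT" when the cached image
# no longer matches the disk, "unknown" when the disk view cannot be obtained.
page_cache_verdict() {
    c=$(cached_sha256 "$1") || return 1
    d=$(ondisk_sha256 "$1") || { echo unknown; return 0; }
    if [ "$c" = "$d" ]; then echo same; else echo DIFFERENT; fi
}

# Owner uid, gid and octal mode as "uid:gid:mode"; a healthy su is 0:0:4755.
file_ugm() {
    stat -c '%u:%g:%a' "$1"
}

# 0 if the file is root:root with mode 4755 (-rwsr-xr-x), 1 otherwise.
su_perms_ok() {
    [ "$(file_ugm "$1")" = "0:0:4755" ]
}

# Parse one "dpkg -S" line such as "util-linux: /usr/bin/su" into "util-linux".
# Kept separate from the dpkg call so it can be exercised without dpkg installed.
parse_dpkg_S() {
    pkg=$(printf '%s\n' "$1" | sed -n 's/^\([^:]*\): .*$/\1/p' | head -n 1)
    [ -n "$pkg" ] && printf '%s\n' "$pkg"
}

# Package owning a path: dpkg -S on Debian-style systems, rpm -qf on RPM ones.
owner_package() {
    if command -v dpkg >/dev/null 2>&1; then
        parse_dpkg_S "$(dpkg -S "$1" 2>/dev/null)"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf --queryformat '%{NAME}\n' "$1"
    else
        return 1
    fi
}

# Usage: ./su_check.sh [path]   (default: /usr/bin/su)
main() {
    f=${1:-/usr/bin/su}
    echo "package:       $(owner_package "$f" || echo '(unknown)')"
    echo "owner/mode:    $(file_ugm "$f")  (want 0:0:4755)"
    echo "cache vs disk: $(page_cache_verdict "$f")"
}

# Run main only when invoked as a script, so the functions can also be sourced.
case "$0" in *su_check.sh) main "$@" ;; esac
```

Read the output as a pair: "DIFFERENT" means the corrupted pages are still in memory while the disk copy differs from them; "same" together with a clean rpm -V or debsums means both views match the package database. "same" on its own is not a clean bill of health: if the corrupted pages have already been evicted, the page cache is refilled from disk and the two views agree again, which is why the reinstall in step 1 is still the recommended path.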
