[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81906":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":12,"openIssues":13,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":14,"stars7d":15,"stars30d":15,"stars90d":13,"forks30d":13,"starsTrendScore":16,"compositeScore":17,"rankGlobal":8,"rankLanguage":8,"license":8,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":8,"pushedAt":8,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":13,"starSnapshotCount":13,"syncStatus":14,"lastSyncTime":25,"discoverSource":26},81906,"CVE-2026-31431","0xShe\u002FCVE-2026-31431","0xShe",null,"C",36,17,33,0,2,3,6,43.57,false,"main",true,[],"2026-06-12 04:01:36","Author: 0xShe\n\nLanguage\n\n- English: https:\u002F\u002Fgithub.com\u002F0xShe\u002FCVE-2026-31431\u002Fblob\u002Fmain\u002FREADME.md\n- Chinese: https:\u002F\u002Fgithub.com\u002F0xShe\u002FCVE-2026-31431\u002Fblob\u002Fmain\u002FREADME-CN.md\n\u003Cimg width=\"356\" height=\"129\" alt=\"1\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F8b69c9e6-42c9-4edd-a819-658a5a83532f\" \u002F>\n\nCVE-2026-31431 Kernel Privilege Escalation Tool Guide\n\n0x01 Quick Start\n\nSome target environments do not have Python installed, so this privilege\nescalation logic was rewritten in C.\n\n1. Compile\n\nRun the following command on your Linux machine or WSL (using -static is\nrecommended to avoid GLIBC version issues):\n\n    gcc -static exploit.c -o exploit\n\n2. 
Deploy and Execute\n\nUpload the generated binary to the target machine:\n\n    chmod +x exploit\n    .\u002Fexploit\n\nIf the exploit succeeds, the program will automatically execute su and\nspawn a root shell directly without requiring a password.\n\n------------------------------------------------------------------------\n\n0x02 Privilege Escalation Logic: How Does It Work?\n\nThis exploit abuses a logic flaw in the Linux kernel’s AF_ALG interface\n(Kernel Crypto API).\n\n1.  Create a Crypto Socket\n    The program creates an AEAD (Authenticated Encryption with\n    Associated Data) socket using socket(AF_ALG, ...).\n\n2.  Memory Injection (Splice)\n    By leveraging Linux’s splice system call, data from a file\n    descriptor (in this case \u002Fbin\u002Fsu) can be directly redirected into\n    the kernel crypto buffer.\n\n3.  Payload Overwrite\n    Using specific memory offsets, the exploit replaces part of\n    \u002Fbin\u002Fsu’s authentication logic with a privilege escalation payload\n    (a minimal ELF program that launches \u002Fbin\u002Fsh).\n\n4.  Trigger Privilege Escalation\n    After the kernel completes the series of crypto operations, the\n    in-memory su process has already been tampered with. When\n    system(\"su\") is finally executed, the system actually runs the\n    modified root shell payload instead.\n\n------------------------------------------------------------------------\n\n0x03 Troubleshooting Guide: Why Does It Still Ask for a Password?\n\nDuring debugging, if the program outputs Exploit finished but running su\nstill requires a password, the issue is usually caused by one of the\nfollowing details.\n\n1. The Critical MSG_MORE Flag\n\nThis is the most common failure point. 
The sendmsg call must include the\nMSG_MORE flag.\n\n-   Reason:\n    This flag tells the kernel that more data is coming and prevents the\n    crypto buffer from being finalized too early.\n\n-   Consequence:\n    Without this flag, the kernel immediately closes the current crypto\n    context. As a result, the subsequent splice injection cannot enter\n    the correct kernel buffer, making the overwrite impossible.\n\n2. Associated Data Length (Assoclen)\n\nThe kernel is extremely strict about alignment and length checks for\nAEAD associated data.\n\n-   Pitfall:\n    If ASSOCLEN in the C code is set to 4 bytes while the kernel expects\n    8 bytes (or vice versa), the kernel may either throw an invalid\n    argument error or silently skip the injection logic entirely.\n\n3. File Offset Reset\n\nDuring the loop that modifies \u002Fbin\u002Fsu, each splice operation must start\nreading from offset 0.\n\n-   Pitfall:\n    If off_su is not explicitly reset to 0, splice behaves similarly to\n    read() and continues advancing the file pointer. On the second\n    iteration, the injected data becomes misaligned, which may corrupt\n    su or break the exploit logic.\n\n4. Kernel Patches\n\nSome systems may already have silent security patches applied. This was\nconfirmed during testing on multiple machines — certain targets had\nalready received unofficial or backported fixes.\n\n------------------------------------------------------------------------\n\n0x04 Notes\n\n-   Kernel Version:\n    This vulnerability mainly affects early 5.x Linux kernels (such as\n    the initial release of Ubuntu 20.04). If the kernel has already been\n    patched, this method will no longer work.\n\n-   Path Differences:\n    Different Linux distributions may store su in different locations\n    (\u002Fbin\u002Fsu or \u002Fusr\u002Fbin\u002Fsu). 
The code attempts to detect the correct\n    path automatically, but if neither exists, manually verify it using\n    which su and modify the code accordingly.\n\n-   Disclaimer:\n    This article is intended strictly for technical research and\n    educational purposes. Do not use it for illegal activities. Users\n    are solely responsible for any legal consequences resulting from\n    misuse of the tool.\n","This project is a kernel privilege escalation tool targeting CVE-2026-31431; it exploits a logic flaw in the Linux kernel's AF_ALG interface to elevate privileges. Its core functions include creating a crypto socket, injecting data through the splice system call, overwriting part of the authentication logic of \u002Fbin\u002Fsu to run the privilege escalation payload, and finally triggering the escalation. Its technical characteristic is that it is written entirely in C, avoiding the Python dependency problem in target environments, and it provides detailed compilation and deployment instructions. It is suited to security testing scenarios that require kernel-level privilege escalation in environments without Python.","2026-06-11 04:07:10","CREATED_QUERY"]