Is there a readable version of the exploit readily available by any chance? Gotta admit that I failed binary-zip-interpretation-with-naked-eye class twice
Go version came in handy https://github.com/badsectorlabs/copyfail-go especially for systems without the very latest python (os.slice)
Slightly more readable Python version at https://gist.github.com/grenkoca/b82281a4706e936072979acf54b...
The binary "zip" isn't the exploit, it's the shellcode. The exploit is the rest, which changes the code of a SUID executable (su).
I have a C translation here that should be pretty readable https://github.com/tgies/copy-fail-c
The call to zlib basically overwrites a minimal ELF into a portion of the `su` binary, which execve's /bin/sh.
To be specific, the zlib'd binary basically does this (except that it directly uses Linux syscalls to do so rather than C wrappers):