From 7fbabb745dfa50ec02bcd7c4a28367b69bbcdea1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 30 Apr 2026 22:07:55 +0200
Subject: [PATCH 1/2] Update expl_copy_fail_cve_2026_31431.yar
---
 yara/expl_copy_fail_cve_2026_31431.yar | 33 ++++++++++++++++----------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/yara/expl_copy_fail_cve_2026_31431.yar b/yara/expl_copy_fail_cve_2026_31431.yar
index 2354f901..42b449fa 100644
--- a/yara/expl_copy_fail_cve_2026_31431.yar
+++ b/yara/expl_copy_fail_cve_2026_31431.yar
@@ -3,25 +3,32 @@ rule EXPL_LNX_Copy_Fail_Artefacts_CVE_2026_31431_Apr26 {
 description = "Detects forensic artifacts related to public Copy Fail (CVE-2026-31431) exploit PoCs, including known tiny ELF shell payloads, Python exploit code fragments, AF_ALG/authencesn/splice usage patterns, public PoC URLs, and other indicators observed in online proof-of-concept material."
 author = "Florian Roth"
 reference = "https://copy.fail"
- reference_1 = "https://github.com/tgies/copy-fail-c"
- reference_2 = "https://github.com/theori-io/copy-fail-CVE-2026-31431"
- reference_3 = "https://hackerspace.pl/~q3k/alpine.py"
- reference_4 = "https://github.com/badsectorlabs/copyfail-go"
+ reference_2 = "https://github.com/tgies/copy-fail-c"
+ reference_3 = "https://github.com/theori-io/copy-fail-CVE-2026-31431"
+ reference_4 = "https://hackerspace.pl/~q3k/alpine.py"
+ reference_5 = "https://github.com/badsectorlabs/copyfail-go"
 date = "2026-04-30"
 score = 75
 strings:
 // Network indicators (e.g. in bash history, logs, etc.)
- $xs1 = "curl https://copy.fail/exp" ascii
+ $xn1 = "curl https://copy.fail/exp" ascii
 
 // Code fragments from public PoCs
- $x1 = "| python3 && su"
- $x2 = "g.open(\"/usr/bin/su\",0);i=0;"
- $x3 = "[-] page-cache mutation failed"
- $x4 = "[+] /etc/passwd page cache mutated"
- $x5 = "bind(AF_ALG: authencesn(hmac(sha256),cbc(aes)))"
+ $xs1 = "| python3 && su"
+ $xs2 = "g.open(\"/usr/bin/su\",0);i=0;"
+ $xs3 = "[-] page-cache mutation failed"
+ $xs4 = "[+] /etc/passwd page cache mutated"
+ $xs5 = "bind(AF_ALG: authencesn(hmac(sha256),cbc(aes)))"
+ $xs6 = "/tmp/.cve_test"
 
- $s1 = "0800010000000010" ascii
- $s2 = "authencesn(hmac(sha256),cbc(aes))" ascii
+ // Indicator Combo
+ $sa1 = "authencesn(hmac(sha256),cbc(aes))" ascii
+
+ $sb1 = { 08 00 01 00 00 00 00 10 }
+ $sb2 = "0800010000000010" ascii
+
+ // Base64 encoded payloads
+ $xe1 = "authencesn(hmac(sha256),cbc(aes))" base64
 
 // Tiny x86-64 ELF shell payload: setuid(0) -> execve("/bin/sh") -> exit(0)
 $xc1 = { 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 02 00 3e 00 01 00 00 00 78 00 40 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 38 00 01 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 9e 00 00 00 00 00 00 00 9e 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 31 c0 31 ff b0 69 0f 05 48 8d 3d 0f 00 00 00 31 f6 6a 3b 58 99 0f 05 31 ff 6a 3c 58 0f 05 2f 62 69 6e 2f 73 68 00 00 00 }
@@ -44,5 +51,5 @@ rule EXPL_LNX_Copy_Fail_Artefacts_CVE_2026_31431_Apr26 {
 $xge6 = { 78 9c ab 77 f5 71 63 62 64 64 80 01 26 86 ed 0c 20 5e 05 83 03 98 ef c0 80 09 1c 18 2c 18 60 3a 40 34 2b 9a 2c 32 bd 04 ca 5b 02 97 87 e9 6c b8 e4 21 d4 70 09 c8 bb f2 80 db e1 27 23 90 cf 04 c4 2b a4 21 62 20 f9 15 dc 10 36 00 d7 2b 15 09 }
 condition:
 1 of ($x*)
- or all of ($s*)
+ or ($sa1 and 1 of ($sb*))
 }
From 682f9b011abd6af6c2adf3270d4bfad7d28bb21f Mon Sep 17 00:00:00 2001
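Review bot: `$xe1` is the base64 form of exactly the string `$sa1` carries in plaintext, yet because of its `$x` prefix it fires on its own through `1 of ($x*)` in the condition hunk, while the plaintext form needs `$sb1`/`$sb2` corroboration; if the encoding is what raises confidence, say so next to it, e.g. `// base64-encoded form fires alone; plaintext $sa1 needs $sb* corroboration`. `$xs6 = "/tmp/.cve_test"` is a short, fairly generic path and is now also a standalone `$x` string at score 75; it may be worth parking it in the combo group or noting which PoC it was taken from. A minor point of style: the meta block now runs `reference`, `reference_2`, … with no `reference_1`, which reads like an off-by-one in the renumbering. The rule's remaining strings (`$xge*` and others) lie between the two hunks, outside this view.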
From: Florian Roth
Date: Thu, 30 Apr 2026 22:09:31 +0200
Subject: [PATCH 2/2] Update expl_copy_fail_cve_2026_31431.yar
---
 yara/expl_copy_fail_cve_2026_31431.yar | 1 +
 1 file changed, 1 insertion(+)
diff --git a/yara/expl_copy_fail_cve_2026_31431.yar b/yara/expl_copy_fail_cve_2026_31431.yar
index 42b449fa..4c1cb062 100644
--- a/yara/expl_copy_fail_cve_2026_31431.yar
+++ b/yara/expl_copy_fail_cve_2026_31431.yar
@@ -7,6 +7,7 @@ rule EXPL_LNX_Copy_Fail_Artefacts_CVE_2026_31431_Apr26 {
 reference_3 = "https://github.com/theori-io/copy-fail-CVE-2026-31431"
 reference_4 = "https://hackerspace.pl/~q3k/alpine.py"
 reference_5 = "https://github.com/badsectorlabs/copyfail-go"
+ reference_6 = "https://github.com/iss4cf0ng/CVE-2026-31431-Linux-Copy-Fail"
 date = "2026-04-30"
 score = 75
 strings: