leviathan/CHARON
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

v1.1.0 — auto-discovery + --list-baits + ANSI Shadow banner

Browse Source 
* New --auto flag: walk /usr/bin, /usr/sbin, /usr/local/{bin,sbin},
  /usr/lib/openssh, /usr/libexec, /bin, /sbin; try every SUID/SGID
  regular file as a bait against the requested target. Skips
  known-interactive baits (su, sudo, newgrp, pkexec, mount, …).
  Per-bait budget capped (5 rounds × 2000 inner) + 60s wall clock,
  so a full scan finishes in ~10s even on systems where no bait
  opens the requested file.

* New --list-baits flag: enumerate built-in + discoverable bait
  candidates without firing the exploit. Useful for distro surveys.

* SIGKILL daemonic baits (ssh-agent etc.) instead of waiting
  forever in waitpid().

* Accept SGID-shadow baits, not just SUID-root — chage on
  Debian/Ubuntu is mode 2755 not 4755 and we kept skipping it.

* Banner upgraded to ANSI Shadow block letters with a Styx wave
  motif beneath the version line.

* Cleaner diagnostics: distinguish "primitive fires but no bait
  opens this file" from "kernel patched (no pidfd_getfd success)".

Tested on Debian 13 / kernel 6.12.88-kctf-poc:
- default run hits /etc/shadow in 1 fork (~160 tries, <1s)
- --auto on /etc/sudoers correctly times out in 11s with diagnostic
- --quiet pipes 35 lines of pure shadow to stdout
- --verbose shows per-hit + final stats
- --list-baits enumerates 26 candidates incl. /usr/bin/chage
This commit is contained in:
Kara Zajac
2026-05-15 23:33:59 -04:00
parent a0d7d0b75b
commit 95b37066df
3 changed files with 309 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+16 -1
View File
@@ -101,10 +101,25 @@ Output: a single ELF `./charon`.
./charon -q # no banner / progress, just shadow on stdout
./charon -v # show per-hit + final stats
./charon -r 5000 # more patience for slow systems
./charon -t /etc/ssh/ssh_host_ecdsa_key # different target (uses ssh-keysign lure)
./charon -t /etc/ssh/ssh_host_ecdsa_key # different target (uses ssh-keysign bait)
./charon -a # auto-discover SUID/SGID baits if built-ins miss
./charon -L # list candidate baits without trying any
./charon --help
```
### Auto-discovery
`--auto` walks `/usr/bin`, `/usr/sbin`, `/usr/local/{bin,sbin}`,
`/usr/lib/openssh`, `/usr/libexec`, `/bin`, `/sbin`, finds every
SUID/SGID regular file (excluding interactive baits like `su`,
`sudo`, `newgrp`, `pkexec`), and tries each as a bait against the
requested target. Per-bait budget is tight (5 rounds × 2000 inner)
so a full scan finishes in ~10 seconds even when nothing matches.
`--list-baits` is the read-only version — it enumerates the same
candidates without firing the exploit. Useful for surveying which
distros ship which baits.
### Exit codes
| Code | Meaning |