charon: initial release — CVE-2026-46333 PoC
CHARON ferries file descriptors out of dying SUID/SGID processes through the __ptrace_may_access mm==NULL window in do_exit(), disclosed by Qualys 2026-05-15 (CVE-2026-46333). Default behavior: dump /etc/shadow to stdout, banner + progress on stderr. --quiet for pure-pipe output, --verbose for stats. Built-in lures cover Debian/Ubuntu (chage SGID-shadow), RHEL family (chage SUID-root), and ssh-keysign. Patched-kernel detection distinguishes "primitive fires but lure didn't open target" from "pidfd_getfd never succeeded → fix is in place". Pre-built 46KB musl-static binary included as charon-static.
@@ -0,0 +1,22 @@
|
||||
PROG := charon
|
||||
CC ?= cc
|
||||
CFLAGS ?= -O2 -Wall -Wextra -Wno-unused-parameter
|
||||
|
||||
all: $(PROG)
|
||||
|
||||
$(PROG): charon.c
|
||||
$(CC) $(CFLAGS) -o $@ $<
|
||||
|
||||
# 38KB static binary — preferred for distribution.
|
||||
# Needs musl-tools on Debian/Ubuntu: sudo apt-get install musl-tools
|
||||
static: charon.c
|
||||
musl-gcc -static -Os -s -o $(PROG) $<
|
||||
|
||||
# glibc-static fallback (~700KB) if musl-tools unavailable
|
||||
static-glibc: charon.c
|
||||
$(CC) -static -Os -s -o $(PROG) $<
|
||||
|
||||
clean:
|
||||
rm -f $(PROG)
|
||||
|
||||
.PHONY: all static static-glibc clean
|
||||
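Review bot: The `static` and `static-glibc` targets both write to `$(PROG)`, the same file the default `all` target builds, so a static build silently overwrites the dynamic one and nothing in the tree shows which kind of binary `charon` is. The commit message names the shipped binary charon-static and gives its size as 46KB, but the comment above `static` says 38KB and no target here produces a file called charon-static, so the committed binary cannot be tied back to this Makefile or rebuilt and compared by someone auditing it. Suggest giving the static targets their own output name (for example `-o $(PROG)-static`) and correcting the size comment. The static recipes also drop `$(CFLAGS)`, so `-Wall -Wextra` never applies to the build the comment calls preferred for distribution, and `static` hardcodes `musl-gcc` with no way to override it.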