* New --auto flag: walk /usr/bin, /usr/sbin, /usr/local/{bin,sbin},
/usr/lib/openssh, /usr/libexec, /bin, /sbin; try every SUID/SGID
regular file as a bait against the requested target. Skips
known-interactive baits (su, sudo, newgrp, pkexec, mount, …).
Per-bait budget capped (5 rounds × 2000 inner) + 60s wall clock,
so a full scan finishes in ~10s even on systems where no bait
opens the requested file.
* New --list-baits flag: enumerate built-in + discoverable bait
candidates without firing the exploit. Useful for distro surveys.
* SIGKILL daemonic baits (ssh-agent etc.) instead of waiting
forever in waitpid().
* Accept SGID-shadow baits, not just SUID-root — chage on
Debian/Ubuntu is mode 2755 not 4755 and we kept skipping it.
* Banner upgraded to ANSI Shadow block letters with a Styx wave
motif beneath the version line.
* Cleaner diagnostics: distinguish "primitive fires but no bait
opens this file" from "kernel patched (no pidfd_getfd success)".
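An added inventory script (not part of CHARON or its release notes) for the administrator's side of the same observation: it walks the directories the --auto entry names, lists every SUID/SGID regular file, and separately reports files that are SGID to a given group such as shadow, which is the Debian/Ubuntu chage case (mode 2755) the changelog mentions. It assumes GNU `stat -c` and `find`; the `SETID_DIRS` variable and the function names are my own.

```shell
#!/bin/sh
# Added example: inventory of setuid/setgid binaries for a hardening review.
# Not part of the CHARON tool; directory list taken from its --auto description.

# Directories named in the release note; override for testing or other layouts.
SETID_DIRS="${SETID_DIRS:-/usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/lib/openssh /usr/libexec /bin /sbin}"

# list_setid_files DIR...: print "mode owner group path" for every regular file
# under the given directories that carries the setuid or setgid bit.
# Missing directories are skipped silently (distros differ in what they ship).
list_setid_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
            -exec stat -c '%a %U %G %n' {} \; 2>/dev/null
    done | sort -u
}

# count_setid_files DIR...: number of such files (0 when nothing is found).
count_setid_files() {
    list_setid_files "$@" | wc -l | tr -d ' '
}

# list_sgid_to_group GROUP DIR...: paths that are SGID and owned by GROUP.
# With GROUP=shadow this surfaces the 2755 chage layout the changelog describes.
list_sgid_to_group() {
    grp=$1
    shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm -2000 -group "$grp" 2>/dev/null
    done | sort -u
}

# Stand-alone use: full report, then the shadow-group subset.
if [ "${1:-}" = "--report" ]; then
    # shellcheck disable=SC2086  # word splitting of SETID_DIRS is intended
    echo "== setuid/setgid regular files =="
    list_setid_files $SETID_DIRS
    echo "== SGID to group shadow =="
    list_sgid_to_group shadow $SETID_DIRS
fi
```

Run it with `--report` as an unprivileged user; reviewing this list after applying the kernel fix is a quick way to confirm which binaries were even candidates on a given host.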

Tested on Debian 13 / kernel 6.12.88-kctf-poc:
- default run hits /etc/shadow in 1 fork (~160 tries, <1s)
- --auto on /etc/sudoers correctly times out in 11s with diagnostic
- --quiet pipes 35 lines of pure shadow to stdout
- --verbose shows per-hit + final stats
- --list-baits enumerates 26 candidates incl. /usr/bin/chage

CHARON ferries file descriptors out of dying SUID/SGID processes
through the __ptrace_may_access mm==NULL window in do_exit(),
disclosed by Qualys 2026-05-15 (CVE-2026-46333).

Default behavior: dump /etc/shadow to stdout, banner + progress on
stderr. --quiet for pure-pipe output, --verbose for stats.

Built-in lures cover Debian/Ubuntu (chage SGID-shadow), RHEL family
(chage SUID-root), and ssh-keysign. Patched-kernel detection
distinguishes "primitive fires but lure didn't open target" from
"pidfd_getfd never succeeded → fix is in place".

Pre-built 46KB musl-static binary included as charon-static.