leviathan
95b37066df
* New --auto flag: walk /usr/bin, /usr/sbin, /usr/local/{bin,sbin},
/usr/lib/openssh, /usr/libexec, /bin, /sbin; try every SUID/SGID
regular file as a bait against the requested target. Skips
known-interactive baits (su, sudo, newgrp, pkexec, mount, …).
Per-bait budget capped (5 rounds × 2000 inner) + 60s wall clock,
so a full scan finishes in ~10s even on systems where no bait
opens the requested file.
* New --list-baits flag: enumerate built-in + discoverable bait
candidates without firing the exploit. Useful for distro surveys.
* SIGKILL daemonic baits (ssh-agent etc.) instead of waiting
forever in waitpid().
* Accept SGID-shadow baits, not just SUID-root — chage on
Debian/Ubuntu is mode 2755 not 4755 and we kept skipping it.
* Banner upgraded to ANSI Shadow block letters with a Styx wave
motif beneath the version line.
* Cleaner diagnostics: distinguish "primitive fires but no bait
opens this file" from "kernel patched (no pidfd_getfd success)".
Tested on Debian 13 / kernel 6.12.88-kctf-poc:
- default run hits /etc/shadow in 1 fork (~160 tries, <1s)
- --auto on /etc/sudoers correctly times out in 11s with diagnostic
- --quiet pipes 35 lines of pure shadow to stdout
- --verbose shows per-hit + final stats
- --list-baits enumerates 26 candidates incl. /usr/bin/chage
62 KiB
Executable File
62 KiB
Executable File