leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

Phase 7: ptrace_traceme CVE-2019-13272 — port FULL jannh-style exploit

Browse Source 
Convert ptrace_traceme from 🔵🟢. Real working PoC following Jann
Horn's Project Zero issue #1903 technique.

Mechanism:
  1. fork() — child becomes our traced target via PTRACE_TRACEME
  2. child sleeps 500ms (lets parent execve start)
  3. parent execve's setuid binary (pkexec / su / passwd / sudo —
     auto-selected via find_setuid_target())
  4. Kernel elevates parent's creds to root but the stale
     ptrace_link from step 1 isn't invalidated (the bug)
  5. child PTRACE_ATTACH's to the now-privileged parent
  6. child PTRACE_POKETEXT's x86_64 shellcode at parent's RIP
  7. child PTRACE_DETACH — parent runs shellcode:
     setuid(0); setgid(0); execve('/bin/sh', ...) → root shell

Implementation notes:
- x86_64-only (shellcode is arch-specific). ARM/other arch returns
  IAMROOT_PRECOND_FAIL gracefully.
- Shellcode is the canonical 33-byte setuid(0)+execve('/bin/sh')
  inline asm sequence.
- Setuid binary selection: pkexec preferred (almost universal),
  then su/sudo/passwd as fallbacks. Refuses if none available.
- Auto-refuses on patched kernels (re-runs detect() at start).
- No cleanup applies — exploit replaces our process image on success.

Verified on Debian 6.12.86 (patched):
  iamroot --exploit ptrace_traceme --i-know
  → detect() says patched → refuses cleanly. Correct.

CVES.md: ptrace_traceme 🔵🟢.

5 detect-only modules remain (cls_route4, nf_tables, netfilter_xtcompat,
af_packet, fuse_legacy). Each is 200-400 line msg_msg/sk_buff
cross-cache groom — substantial individual commits. Next push or
strategic pivot per session priorities.
This commit is contained in:
KaraZajac
2026-05-16 20:57:44 -04:00
parent b6dd1e0482
commit 541aac6993
2 changed files with 189 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CVES.md
+1 -1
View File
@@ -31,7 +31,7 @@ Status legend:
| CVE-2021-3493 | Ubuntu overlayfs userns file-capability injection | LPE (host root via file caps in userns-mounted overlayfs) | Ubuntu USN-4915-1 (Apr 2021) | `overlayfs` | 🔵 | Detect-only. **Ubuntu-specific** (vanilla upstream didn't enable userns-overlayfs-mount until 5.11). Detect: parses /etc/os-release for ID=ubuntu, checks unprivileged_userns_clone sysctl, AND with `--active` actually attempts the userns+overlayfs mount as a fork-isolated probe. Reports OK on non-Ubuntu, PRECOND_FAIL if userns locked down. Ships auditd rules covering mount(overlay) + setxattr(security.capability). |
| CVE-2022-2588 | net/sched cls_route4 handle-zero dead UAF | LPE (kernel UAF in cls_route4 filter remove) | mainline 5.20 / 5.19.7 (Aug 2022) | `cls_route4` | 🔵 | Detect-only. Branch-backport thresholds: 5.4.213 / 5.10.143 / 5.15.69 / 5.18.18 / 5.19.7. Bug exists since 2.6.39 — very wide surface. Detect also probes user_ns+net_ns clone availability; locked-down hosts report PRECOND_FAIL. Full exploit (kylebot-style: tc filter add+rm + spray + cred overwrite) follows. |
| CVE-2016-5195 | Dirty COW — COW race via /proc/self/mem + madvise | LPE (page-cache write into root-owned files) | mainline 4.9 (Oct 2016) | `dirty_cow` | 🟢 | Full detect + exploit + cleanup. **Old-systems coverage** — affects RHEL 6/7 (3.10 baseline), Ubuntu 14.04 (3.13), Ubuntu 16.04 (4.4), embedded boxes, IoT. Phil-Oester-style two-thread race: writer thread via `/proc/self/mem` vs madvise(MADV_DONTNEED) thread. Targets /etc/passwd UID flip + `su`. Ships auditd watch on /proc/self/mem + sigma rule for non-root mem-open. Pthread-linked. |
| CVE-2019-13272 | PTRACE_TRACEME → setuid execve → cred escalation | LPE (kernel ptrace race; no exotic preconditions) | mainline 5.1.17 (Jun 2019) | `ptrace_traceme` | 🔵 | Detect-only. Branch backports: 4.4.182 / 4.9.182 / 4.14.131 / 4.19.58 / 5.0.20 / 5.1.17 / mainline 5.2. **Famous because works on default-config systems** — no user_ns required. jannh's PGZ disclosure, June 2019. Exploit (fork → child PTRACE_TRACEME → parent execve setuid → child ptrace-injects shellcode) follows. |
| CVE-2019-13272 | PTRACE_TRACEME → setuid execve → cred escalation | LPE (kernel ptrace race; no exotic preconditions) | mainline 5.1.17 (Jun 2019) | `ptrace_traceme` | 🟢 | Full detect + exploit. Branch backports: 4.4.182 / 4.9.182 / 4.14.131 / 4.19.58 / 5.0.20 / 5.1.17. jannh-style: fork → child `PTRACE_TRACEME` → child sleep+attach → parent `execve` setuid bin (pkexec/su/passwd auto-selected) → child wins stale-ptrace_link → POKETEXT x86_64 shellcode → root sh. x86_64-only; ARM/other return PRECOND_FAIL cleanly. |
| CVE-2021-22555 | iptables xt_compat heap-OOB → cross-cache UAF | LPE (kernel R/W via 4-byte heap OOB write + msg_msg/sk_buff groom) | mainline 5.12 / 5.11.10 (Apr 2021) | `netfilter_xtcompat` | 🔵 | Detect-only. Branch backports: 5.11.10 / 5.10.27 / 5.4.110 / 4.19.185 / 4.14.230 / 4.9.266 / 4.4.266. **Bug existed since 2.6.19 (2006) — 15 years of latent vulnerability**. Andy Nguyen's PGZ disclosure. Needs CAP_NET_ADMIN via user_ns. Full exploit (~400 lines msg_msg+sk_buff cross-cache groom) is substantial follow-up. |
| CVE-2017-7308 | AF_PACKET TPACKET_V3 integer overflow → heap write-where | LPE (CAP_NET_RAW via userns) | mainline 4.11 / 4.10.6 (Mar 2017) | `af_packet` | 🔵 | Detect-only. Andrey Konovalov's research-era classic. Branch backports: 4.10.6 / 4.9.18 (RHEL 7-ish era) / 4.4.57 / 3.18.49. Needs user_ns for CAP_NET_RAW. Full exploit follows. |
| CVE-2022-0185 | legacy_parse_param fsconfig heap OOB → container-escape | LPE (cross-cache UAF → cred overwrite from rootless container) | mainline 5.16.2 (Jan 2022) | `fuse_legacy` | 🔵 | Detect-only. **Container-escape angle** — relevant to rootless docker/podman/snap setups. Branch backports: 5.16.2 / 5.15.14 / 5.10.91 / 5.4.171. Needs user_ns + mount_ns. William Liu / Crusaders-of-Rust PoC reference. |