leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

review pass: fidelity + credits + count consistency for ported modules

Browse Source 
Three-agent rigorous review of the dirtydecrypt + fragnesia ports plus
repo-wide doc consistency, followed by a full Linux build verification.

dirtydecrypt (NOTICE + detection rules):
- NOTICE.md: removed an unsupported "Zellic co-founder" detail and a
  fabricated disclosure-date narrative; tightened phrasing of the
  Zellic + V12 credit; noted that upstream poc.c carries no
  author/license header of its own.
- Embedded auditd + sigma rules and detect/sigma.yml broadened to
  cover every binary in dd_targets[] (added /usr/bin/mount,
  /usr/bin/passwd, /usr/bin/chsh) and added the b32 splice rule, so
  the embedded ruleset matches the on-disk reference and the carrier
  list the exploit actually targets.
- Exploit primitive verified byte-for-byte against the V12 PoC
  (tiny_elf[] identical, all rxgk/XDR/fire/pagecache_write logic
  token-identical). docker gcc:latest compile of the Linux path:
  COMPILE_OK, zero warnings.

fragnesia: review found no defects. Exploit primitive byte-identical
to the V12 PoC (shell_elf[] 192 bytes identical, AF_ALG GCM keystream
table + userns/netns/XFRM + receiver/sender/run_trigger_pair all
faithful). The deliberate omissions (ANSI TUI, CLI arg parsing) drop
nothing exploit-critical. docker gcc:latest compile: COMPILE_OK; full
project build links into a working skeletonkey ELF and --list shows
the module registered correctly.

Repo docs (README.md / CVES.md / ROADMAP.md):
- Chose to keep "28 verified" as the headline; the two ported
  modules are represented as a separate clearly-labelled tier
  ("ported-but-unverified") that is explicitly excluded from the
  28-module verified counts. README + CVES.md + ROADMAP.md now tell
  one consistent story.
- Filled a pre-existing documentation gap: sudo_samedit, sequoia,
  sudoedit_editor, vmwgfx were registered + built but absent from
  CVES.md's inventory + operations tables. Added rows synthesized
  from each module's .cve / .summary / .kernel_range fields.
- ROADMAP Phase 8 "7 🟡 PRIMITIVE modules" → "14"; added a "Landed
  since v0.1.0" group; moved vmwgfx out of the stale carry-overs.

docs site (docs/index.html):
- Stat box "28 / total modules" → "28 / verified modules" (the 14+14
  breakdown now sums to the headline consistently).
- Terminal example "scanning 28 modules" → "scanning 30 modules"
  (was factually wrong — the binary literally prints module_count()
  which is 30).
- Status line: updated to mention the 2 ported-but-unverified
  modules and mirror the README phrasing.
- docs/LAUNCH.md left as a dated v0.5.0 launch snapshot.

Build verification: `docker run gcc:latest make clean && make` —
links into a 30-module skeletonkey ELF on Linux. macOS dev box still
hits the pre-existing dirty_pipe header gap; unchanged.

.gitignore: added /skeletonkey to exclude the top-level build
artifact (the existing modules/*/skeletonkey only covered per-module
binaries; the root one was getting picked up by `git add -A`).
This commit is contained in:
KaraZajac
2026-05-22 18:41:37 -04:00
parent a8c8d5ef1f
commit ac557b67d0
8 changed files with 90 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+23 -10
View File
@@ -2,11 +2,12 @@
[![Latest release](https://img.shields.io/github/v/release/KaraZajac/SKELETONKEY?label=release)](https://github.com/KaraZajac/SKELETONKEY/releases/latest)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
[![Modules](https://img.shields.io/badge/modules-28-brightgreen.svg)](CVES.md)
[![Modules](https://img.shields.io/badge/modules-28%20verified%20%2B%202%20ported-brightgreen.svg)](CVES.md)
[![Platform: Linux](https://img.shields.io/badge/platform-linux-lightgrey.svg)](#)
> **One curated binary. 28 Linux LPE exploits, 2016 → 2026. Detection
> rules in the box. One command picks the safest one and runs it.**
> **One curated binary. 28 verified Linux LPE exploits, 2016 → 2026
> (+2 ported-but-unverified). Detection rules in the box. One command
> picks the safest one and runs it.**
```bash
curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
@@ -42,12 +43,15 @@ for every CVE in the bundle — same project for red and blue teams.
## Corpus at a glance
**28 modules** spanning the 2016 → 2026 LPE timeline:
**28 verified modules** spanning the 2016 → 2026 LPE timeline, plus
**2 ported-but-unverified** modules (`dirtydecrypt`, `fragnesia`
see note below):
| Tier | Count | What it means |
|---|---|---|
| 🟢 Full chain | **14** | Lands root (or its canonical capability) end-to-end. No per-kernel offsets needed. |
| 🟡 Primitive | **14** | Fires the kernel primitive + grooms the slab + records a witness. Default returns `EXPLOIT_FAIL` honestly. Pass `--full-chain` to engage the shared `modprobe_path` finisher (needs offsets — see [`docs/OFFSETS.md`](docs/OFFSETS.md)). |
| ⚪ Ported, unverified | **2** | `dirtydecrypt` + `fragnesia`, ported from public V12 PoCs. Built and registered, but **not yet validated on a vulnerable kernel**`detect()` is precondition-only and `--auto` will not fire them blind. Excluded from the 28-module verified counts above. |
**🟢 Modules that land root on a vulnerable host:**
copy_fail family ×5 · dirty_pipe · dirty_cow · pwnkit · overlayfs
@@ -60,6 +64,12 @@ af_packet · af_packet2 · af_unix_gc · cls_route4 · fuse_legacy ·
nf_tables · nft_set_uaf · nft_fwd_dup · nft_payload ·
netfilter_xtcompat · stackrot · sudo_samedit · sequoia · vmwgfx
**⚪ Ported-but-unverified (not in the counts above):**
dirtydecrypt (CVE-2026-31635) · fragnesia (CVE-2026-46300) — ported
from public V12 PoCs, **not yet VM-validated**. Self-contained
page-cache writes (no `--full-chain` finisher); `detect()` is
precondition-only because the CVE fix commits are not yet pinned.
See [`CVES.md`](CVES.md) for per-module CVE, kernel range, and
detection status.
@@ -97,7 +107,7 @@ uid=1000(kara) gid=1000(kara) groups=1000(kara)
$ skeletonkey --auto --i-know
[*] auto: host=demo kernel=5.15.0-56-generic arch=x86_64
[*] auto: scanning 28 modules for vulnerabilities...
[*] auto: scanning 30 modules for vulnerabilities...
[+] auto: dirty_pipe VULNERABLE (safety rank 90)
[+] auto: cgroup_release_agent VULNERABLE (safety rank 98)
[+] auto: pwnkit VULNERABLE (safety rank 100)
@@ -162,11 +172,14 @@ also compile (modules with Linux-only headers stub out gracefully).
## Status
**v0.5.0 cut 2026-05-17.** 28 modules. All build clean on Debian 13
(kernel 6.12) and refuse cleanly on patched hosts. Empirical
end-to-end validation on a vulnerable-kernel VM matrix is the next
roadmap item; until then, the corpus is best understood as
"compiles + detects + structurally correct + honest on failure."
**v0.5.0 cut 2026-05-17.** 28 verified modules, plus 2
ported-but-unverified (`dirtydecrypt`, `fragnesia`) added since the
cut. All 30 build clean on Debian 13 (kernel 6.12) and refuse cleanly
on patched hosts. Empirical end-to-end validation on a
vulnerable-kernel VM matrix is the next roadmap item; until then, the
corpus is best understood as "compiles + detects + structurally
correct + honest on failure" — and the two ported modules have not
been run against a vulnerable kernel at all.
See [`ROADMAP.md`](ROADMAP.md) for the next planned modules and
infrastructure work.