Phase 7: Pwnkit FULL exploit (Qualys-style PoC) + DEFENDERS.md
Pwnkit: 🔵 → 🟢
- Implements the canonical Qualys-style PoC end-to-end:
  1. Locate setuid pkexec
  2. mkdtemp working directory under /tmp
  3. Detect target's gcc/cc (fail-soft if absent)
  4. Write payload.c (gconv constructor: unsetenv hostile vars, setuid(0), execle /bin/sh -p with clean PATH)
  5. gcc -shared -fPIC payload.c -o pwnkit/PWNKIT.so
  6. Write gconv-modules cache pointing UTF-8// → PWNKIT//
  7. execve(pkexec, NULL_argv, envp{GCONV_PATH=workdir/pwnkit, PATH=GCONV_PATH=., CHARSET=PWNKIT, SHELL=pwnkit})
     → argc=0 triggers argv-overflow-into-envp; pkexec re-execs with PATH set to our tmpdir; libc's iconv loads PWNKIT.so as root; constructor pops /bin/sh with uid=0.
- Cleanup: removes /tmp/iamroot-pwnkit-* workdirs.
- Auto-refuses on patched hosts (re-runs detect() first).
- GCC -Wformat-truncation warnings fixed by sizing path buffers generously (1024/2048 bytes — way more than needed in practice).

Verified end-to-end on kctf-mgr (polkit 126 = patched): iamroot --exploit pwnkit --i-know → detect() says fixed → refuses cleanly. Correct behavior. Vulnerable-kernel validation is Phase 4 CI matrix work.

docs/DEFENDERS.md — blue-team deployment guide:
- TL;DR: scan, deploy rules, mitigate, watch
- Operations cheat sheet (--list, --scan, --detect-rules, --mitigate)
- Audit-key table mapping rule keys to modules to caught behavior
- Fleet-scanning recipe (ssh + jq aggregation)
- Known false-positive shapes per rule with tuning hints

CVES.md: pwnkit row updated 🔵 → 🟢.
ROADMAP.md: Phase 7 Pwnkit checkbox marked complete.
+7
-5
@@ -138,11 +138,13 @@ primitive** that other modules can chain. Bundled because:
Backfill of historical and recent LPEs as time allows:
- [ ] **CVE-2021-3493** — overlayfs nested-userns LPE
- [x] **CVE-2021-4034** — Pwnkit (pkexec env handling): 🔵 detect-only
landed. Version parser handles both formats: "0.X.Y" (older
polkit) and bare "121"/"126" (modern). Reports VULNERABLE if
pkexec is setuid AND version < 121. First userspace LPE in the
corpus. Full Qualys-PoC exploit is the next Phase 7 commit.
- [x] **CVE-2021-4034** — Pwnkit (pkexec env handling): 🟢 FULL detect
+ exploit + cleanup. Detect handles legacy ("0.105") and modern
("126") version strings. Exploit: canonical Qualys-style — writes
payload.c, compiles via target's gcc, builds gconv-modules cache,
execve(pkexec, NULL_argv, crafted_envp). Auto-refuses on patched
kernels. Cleanup removes /tmp/iamroot-pwnkit-* workdirs.
Falls back gracefully on hosts without cc.
- [ ] **CVE-2022-2588** — net/sched route4 dead UAF
- [ ] **CVE-2023-2008** — vmwgfx OOB write
- [ ] **CVE-2024-1086** — netfilter nf_tables UAF
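Review bot: the new entry says "Auto-refuses on patched kernels", but the check it describes two lines earlier is a polkit version check on a setuid pkexec, not a kernel check (the removed entry itself called this the "First userspace LPE in the corpus"), so it should read "patched hosts", which is also what the commit message says. While on that line: the removed entry recorded the actual predicate ("Reports VULNERABLE if pkexec is setuid AND version < 121"), whereas the replacement only says detect handles both version-string formats, so the threshold is no longer documented in the roadmap. Suggest keeping it, e.g. "Reports VULNERABLE if pkexec is setuid AND version < 121; the exploit refuses to run otherwise."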