leviathan
9593d90385
rename: IAMROOT → SKELETONKEY across the entire project
Breaking change. Tool name, binary name, function/type names,
constant names, env vars, header guards, file paths, and GitHub
repo URL all rebrand IAMROOT → SKELETONKEY.
Changes:
- All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum
values, docs, comments)
- All "iamroot" → "skeletonkey" (functions, types, paths, CLI)
- iamroot.c → skeletonkey.c
- modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h}
- tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh
- Binary "iamroot" → "skeletonkey"
- GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY
- .gitignore now expects build output named "skeletonkey"
- /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-*
- Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_*
New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow
SKELETONKEY block letters) replaces the IAMROOT banner in
skeletonkey.c and README.md.
VERSION: 0.3.1 → 0.4.0 (breaking).
Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0.
All 24 modules still register; no functional code changes — pure
rename + banner refresh.
2026-05-16 22:43:49 -04:00

leviathan
f1bd896ca8
Phase 7: Pwnkit FULL exploit (Qualys-style PoC) + DEFENDERS.md
Pwnkit: 🔵 → 🟢
- Implements the canonical Qualys-style PoC end-to-end:
  1. Locate setuid pkexec
  2. mkdtemp working directory under /tmp
  3. Detect target's gcc/cc (fail-soft if absent)
  4. Write payload.c (gconv constructor: unsetenv hostile vars,
     setuid(0), execle /bin/sh -p with clean PATH)
  5. gcc -shared -fPIC payload.c -o pwnkit/PWNKIT.so
  6. Write gconv-modules cache pointing UTF-8// → PWNKIT//
  7. execve(pkexec, NULL_argv, envp{GCONV_PATH=workdir/pwnkit,
     PATH=GCONV_PATH=., CHARSET=PWNKIT, SHELL=pwnkit})
     → argc=0 triggers argv-overflow-into-envp; pkexec re-execs
     with PATH set to our tmpdir; libc's iconv loads PWNKIT.so
     as root; constructor pops /bin/sh with uid=0.
- Cleanup: removes /tmp/iamroot-pwnkit-* workdirs.
- Auto-refuses on patched hosts (re-runs detect() first).
- GCC -Wformat-truncation warnings fixed by sizing path buffers
generously (1024/2048 bytes — way more than needed in practice).
Verified end-to-end on kctf-mgr (polkit 126 = patched):
iamroot --exploit pwnkit --i-know
→ detect() says fixed → refuses cleanly. Correct behavior.
Vulnerable-kernel validation is Phase 4 CI matrix work.
docs/DEFENDERS.md — blue-team deployment guide:
- TL;DR: scan, deploy rules, mitigate, watch
- Operations cheat sheet (--list, --scan, --detect-rules, --mitigate)
- Audit-key table mapping rule keys to modules to caught behavior
- Fleet-scanning recipe (ssh + jq aggregation)
- Known false-positive shapes per rule with tuning hints
CVES.md: pwnkit row updated 🔵 → 🟢.
ROADMAP.md: Phase 7 Pwnkit checkbox marked complete.
2026-05-16 20:13:11 -04:00