leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
106 Commits 1 Branch 20 Tags
4af82b82d94badaa492e84c0045956538131a34f
Commit Graph

106 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
leviathan cee368d5a4 Phase 5: --detect-rules export with dedup 
- core/module.h: struct iamroot_module gains detect_{auditd,sigma,yara,falco}
  fields. NULL = module doesn't ship a rule for that format.
  Embedded as C string literals in each module's iamroot_modules.c so
  the binary is self-contained (no data-dir install needed).
- iamroot.c: --detect-rules [--format=<f>] command. Walks module
  registry, deduplicates by pointer (family-shared rules emit once,
  siblings get a 'see family rules above' marker), writes to stdout
  for redirect into /etc/audit/rules.d/ or SIEM ingestion.
- Embedded rules for:
  - copy_fail_family (shared across 5 modules): auditd watches on
    passwd/shadow/sudoers/su + AF_ALG socket creation + xfrm setsockopt;
    Sigma rule covers the file-modification footprint.
  - dirty_pipe: auditd watches on same files + splice() syscalls;
    Sigma rule for non-root file modification.
  - entrybleed: Sigma INFORMATIONAL note (side-channel — no syscall
    trace; reliable detection needs perf-counter EDR).

Verified end-to-end on kctf-mgr:
  iamroot --detect-rules --format=auditd → 2 / 7 rules emit (deduped)
  iamroot --detect-rules --format=sigma  → 2 / 7 rules emit
 2026-05-16 19:58:26 -04:00
leviathan f03efbff13 Phase 3: EntryBleed module — working stage-1 kbase leak brick 
- modules/entrybleed_cve_2023_0458/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end
    + prefetchnta + KASLR-slot timing sweep) wired into the standard
    iamroot_module interface. x86_64 only; ARM/other gracefully
    return IAMROOT_PRECOND_FAIL.
  - detect(): reads /sys/.../vulnerabilities/meltdown to decide
    KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK.
  - exploit(): sweeps the 16MiB KASLR range, prints leaked kbase
    (and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout.
  - entrybleed_leak_kbase_lib(off) declared as a public library
    helper so future LPE chains needing a stage-1 leak can just
    #include the module's header and call it.
  - entry_SYSCALL_64 slot offset overridable via
    IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x).

- __always_inline fallback added since glibc/Linux-kernel macro
  isn't universal; module now builds clean under macOS clangd lint
  and on musl.

- iamroot.c registers entrybleed alongside the other families;
  Makefile gains it as a separate object set.

Verified end-to-end on kctf-mgr (Debian 6.12.86):
  iamroot --exploit entrybleed --i-know
  → [+] entrybleed: leaked kbase = 0xffffffff8d800000

This is the FIRST WORKING-EXPLOIT module in IAMROOT (5
copy_fail_family modules wrap existing code from DIRTYFAIL;
dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick
that future chains can compose.
 2026-05-16 19:55:22 -04:00
leviathan 1552a3bfcb Phase 2 (partial): Dirty Pipe DETECT-ONLY module + core/kernel_range 
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
  Every future module needs 'is the host kernel in the affected
  range?'; centralized here. Models stable-branch backports
  (e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
  VULNERABLE while a 5.15.50 host reports OK.

- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
  - iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
    parses /proc/version and compares against the four known patched
    branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
    IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
    hints in human-readable scan mode.
  - exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
    implemented' message; landing the actual exploit needs Phase 1.5
    extraction of passwd/su helpers into core/.
  - detect/auditd.rules: splice() syscall + passwd/shadow file watches
  - detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers

- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
  the copy_fail_family registration.

- Makefile gains the dirty_pipe family as a separate object set.

Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
 2026-05-16 19:51:47 -04:00
leviathan 19b9162b1d ROADMAP: mark Phase 1 done; CVES: use new short module names 2026-05-16 19:32:52 -04:00
leviathan 52e8c99022 Phase 1: module interface + registry + top-level dispatcher 
- core/module.h: struct iamroot_module + iamroot_result_t
- core/registry.{h,c}: flat-array module registry with find-by-name
- modules/copy_fail_family/iamroot_modules.{h,c}: bridge layer
  exposing 5 modules (copy_fail, copy_fail_gcm, dirty_frag_esp,
  dirty_frag_esp6, dirty_frag_rxrpc) wired to the absorbed DIRTYFAIL
  detect/exploit functions; df_result_t/iamroot_result_t share numeric
  values intentionally for zero-cost translation
- iamroot.c: top-level CLI dispatcher with --scan / --list / --exploit /
  --mitigate / --cleanup, JSON output, --i-know gate
- Restored modules/copy_fail_family/src/ structure (DIRTYFAIL Makefile
  expects it; the initial flat copy broke that contract)
- Top-level Makefile builds one binary; filters out DIRTYFAIL's
  original dirtyfail.c main so it doesn't conflict with iamroot.c

Verified end-to-end on kctf-mgr (Linux): clean compile, 5 modules
register, --scan --json output ingest-ready, exit codes propagate.
 2026-05-16 19:32:11 -04:00
leviathan cf30b249de Initial skeleton: README, CVE inventory, roadmap, ARCH, ethics + copy_fail_family module absorbed from DIRTYFAIL 2026-05-16 19:26:24 -04:00