leviathan
541aac6993
Phase 7: ptrace_traceme CVE-2019-13272 — port FULL jannh-style exploit
Convert ptrace_traceme from 🔵 → 🟢. Real working PoC following Jann
Horn's Project Zero issue #1903 technique.
Mechanism:
1. fork() — child becomes our traced target via PTRACE_TRACEME
2. child sleeps 500ms (lets parent execve start)
3. parent execve()s a setuid binary (pkexec / su / passwd / sudo —
auto-selected via find_setuid_target())
4. Kernel elevates parent's creds to root but the stale
ptrace_link from step 1 isn't invalidated (the bug)
5. child PTRACE_ATTACH's to the now-privileged parent
6. child PTRACE_POKETEXT's x86_64 shellcode at parent's RIP
7. child PTRACE_DETACH — parent runs shellcode:
setuid(0); setgid(0); execve('/bin/sh', ...) → root shell
Implementation notes:
- x86_64-only (shellcode is arch-specific). ARM/other arches return
IAMROOT_PRECOND_FAIL gracefully.
- Shellcode is the canonical 33-byte setuid(0)+execve('/bin/sh')
inline asm sequence.
- Setuid binary selection: pkexec preferred (almost universal),
then su/sudo/passwd as fallbacks. Refuses if none available.
- Auto-refuses on patched kernels (re-runs detect() at start).
- No cleanup applies — exploit replaces our process image on success.
Verified on Debian 6.12.86 (patched):
iamroot --exploit ptrace_traceme --i-know
→ detect() says patched → refuses cleanly. Correct.
CVES.md: ptrace_traceme 🔵 → 🟢.
5 detect-only modules remain (cls_route4, nf_tables, netfilter_xtcompat,
af_packet, fuse_legacy). Each is 200-400 line msg_msg/sk_buff
cross-cache groom — substantial individual commits. Next push or
strategic pivot per session priorities.
2026-05-16 20:57:44 -04:00

leviathan
102b117d4e
Phase 7: PTRACE_TRACEME (CVE-2019-13272) + xt_compat (CVE-2021-22555)
Two famous 2017-2020-era LPEs to broaden 'THE tool for folks'
coverage. Both detect-only initially; exploit ports as follow-ups.
ptrace_traceme (CVE-2019-13272 — jannh @ Google P0, Jun 2019):
- Famous because it works on default-config systems with no user_ns
required — locked-down environments were still vulnerable.
- kernel_range thresholds: 4.4.182 / 4.9.182 / 4.14.131 / 4.19.58 /
5.0.20 / 5.1.17 / mainline 5.2+
- Exploit shape (deferred): fork → child PTRACE_TRACEME → parent
execve setuid binary → child ptrace-injects shellcode → root.
- Auditd: flag PTRACE_TRACEME (request 0) — false positives via
gdb/strace; tune by exclusion.
netfilter_xtcompat (CVE-2021-22555 — Andy Nguyen @ Google P0):
- Bug existed since 2.6.19 (2006) — 15 years of latent vuln. Famous
for that age + default-config reachability via unprivileged_userns.
- kernel_range thresholds: 4.4.266 / 4.9.266 / 4.14.230 / 4.19.185
/ 5.4.110 / 5.10.27 / 5.11.10 / mainline 5.12+
- detect() probes user_ns+net_ns clone; locked-down → PRECOND_FAIL.
- Exploit shape (deferred): heap massage via msg_msg + sk_buff
cross-cache groom → kernel R/W → cred or modprobe_path overwrite. ~400
lines port from Andy's public exploit.c.
- Auditd: unshare + iptables-style setsockopt + msgsnd — combined,
the canonical exploit footprint.
Both wired into iamroot.c, core/registry.h, Makefile. CVES.md rows
added with detailed status.
Coverage by year now:
2016: dirty_cow 🟢
2019: ptrace_traceme 🔵
2021: pwnkit, overlayfs, netfilter_xtcompat 🟢/🟢/🔵
2022: dirty_pipe, cls_route4 🟢/🔵
2023: entrybleed 🟢
2024: nf_tables 🔵
2026: copy_fail family (×5) 🟢
Module count: 14. Build clean (no warnings).
2026-05-16 20:47:24 -04:00
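A version-threshold check of the kind the kernel_range thresholds in this commit imply, for both ptrace_traceme and netfilter_xtcompat, as an added example that is not iamroot's own code: it takes a `uname -r` string and reports whether it sits below the listed fix for its stable series. The struct and function names are assumptions, and the tables hold only the versions quoted in the commit message.

```c
#include <stdio.h>

/* Fix thresholds as quoted in the commit message. A kernel in one of the
 * listed stable series is fixed at or above that patch level; any other
 * series is compared against the mainline fix version. Names here are
 * assumptions, not iamroot's kernel_range API. */
struct fix_threshold { int major, minor, patch; };

static const struct fix_threshold ptrace_traceme_fixes[] = {
    {4, 4, 182}, {4, 9, 182}, {4, 14, 131}, {4, 19, 58},
    {5, 0, 20}, {5, 1, 17}, {0, 0, 0} /* sentinel */
};
static const struct fix_threshold ptrace_traceme_mainline = {5, 2, 0};

static const struct fix_threshold xt_compat_fixes[] = {
    {4, 4, 266}, {4, 9, 266}, {4, 14, 230}, {4, 19, 185},
    {5, 4, 110}, {5, 10, 27}, {5, 11, 10}, {0, 0, 0} /* sentinel */
};
static const struct fix_threshold xt_compat_mainline = {5, 12, 0};

/* Parse a "5.10.27-amd64"-style release string; the vendor suffix after
 * the numeric part is ignored. Returns 0 if no major.minor is found. */
static int parse_release(const char *rel, int *maj, int *min, int *pat)
{
    *pat = 0;
    return sscanf(rel, "%d.%d.%d", maj, min, pat) >= 2;
}

/* 1 = version is below the fix for its series, 0 = at/above the fix,
 * -1 = unparseable. Distro kernels backport fixes without bumping the
 * version, so 1 is a hint to run the real detect() probe, not proof. */
static int version_below_fix(const char *rel,
                             const struct fix_threshold *fixes,
                             const struct fix_threshold *mainline)
{
    int maj, min, pat;
    if (!parse_release(rel, &maj, &min, &pat))
        return -1;
    for (const struct fix_threshold *f = fixes; f->major; f++)
        if (f->major == maj && f->minor == min)
            return pat < f->patch;           /* listed stable series */
    if (maj != mainline->major)
        return maj < mainline->major;        /* older/newer major line */
    return min < mainline->minor;            /* same major, unlisted minor */
}
```
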