SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	9d88b475c1	v0.3.1: --dump-offsets tool + NOTICE.md per module release / build (arm64) (push) Waiting to run Details release / build (x86_64) (push) Waiting to run Details release / release (push) Blocked by required conditions Details The README has been claiming "each module credits the original CVE reporter and PoC author in its NOTICE.md" since v0.1.0, but only copy_fail_family actually shipped one. Fixed. modules/<name>/NOTICE.md (×19 new + 1 existing): per-module research credit covering CVE ID, discoverer, original advisory URL where public, upstream fix commit, IAMROOT's role. iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets via the existing core/offsets.c four-source chain (env → /proc/kallsyms → /boot/System.map → embedded table), then emits a ready-to-paste C struct entry for kernel_table[]. Run once as root on a target kernel build; upstream via PR. Eliminates fabricating offsets — every shipped entry traces back to a `iamroot --dump-offsets` invocation on a real kernel. docs/OFFSETS.md: documents the --dump-offsets workflow. CVES.md: notes the NOTICE.md convention + offset dump tool. iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.	2026-05-16 22:33:43 -04:00
leviathan	cb39cc5119	Phase 7: Dirty COW (CVE-2016-5195) FULL module — old-systems coverage The iconic 2016 LPE. Fills the 10-year coverage gap (now spanning 2016 → 2026): RHEL 6/7, Ubuntu 14.04, Ubuntu 16.04, embedded boxes, IoT — many still in production with kernels predating the 4.9 fix. - modules/dirty_cow_cve_2016_5195/iamroot_modules.{c,h}: - kernel_range: backport thresholds for 2.6 / 3.2 / 3.10 / 3.12 / 3.16 / 3.18 / 4.4 / 4.7 / 4.8 / mainline 4.9 - dirty_cow_write(): Phil-Oester-style two-thread race - mmap /etc/passwd MAP_PRIVATE (writes go COW) - writer thread: pwrite to /proc/self/mem at COW page offset - madviser thread: madvise(MADV_DONTNEED) to drop COW copy - poll-read /etc/passwd via separate fd to check if payload landed - 3-second timeout (race usually wins in ms on vulnerable kernels) - dirty_cow_exploit(): getpwuid → find_passwd_uid_field → race → execlp(su) - dirty_cow_cleanup(): POSIX_FADV_DONTNEED + drop_caches - Auditd rule: /proc/self/mem writes + madvise MADV_DONTNEED - Sigma rule: non-root /proc/self/mem open → high - Makefile: -lpthread added to LDFLAGS for the binary link. - iamroot.c + core/registry.h wired. - CVES.md row added with detailed status; legend updated. Verified end-to-end on kctf-mgr (6.12.86 — patched): iamroot --scan → 'dirty_cow: kernel is patched' (OK) iamroot --exploit dirty_cow --i-know → 'detect() says not vulnerable; refusing' Module count = 12.	2026-05-16 20:38:46 -04:00

Author

SHA1

Message

Date

leviathan

9d88b475c1

v0.3.1: --dump-offsets tool + NOTICE.md per module

release / build (arm64) (push) Waiting to run

Details

release / build (x86_64) (push) Waiting to run

Details

release / release (push) Blocked by required conditions

Details

The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.

  modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
    research credit covering CVE ID, discoverer, original advisory
    URL where public, upstream fix commit, IAMROOT's role.

  iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
    via the existing core/offsets.c four-source chain (env →
    /proc/kallsyms → /boot/System.map → embedded table), then emits
    a ready-to-paste C struct entry for kernel_table[]. Run once
    as root on a target kernel build; upstream via PR. Eliminates
    fabricating offsets — every shipped entry traces back to a
    `iamroot --dump-offsets` invocation on a real kernel.

  docs/OFFSETS.md: documents the --dump-offsets workflow.
  CVES.md: notes the NOTICE.md convention + offset dump tool.

  iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.

2026-05-16 22:33:43 -04:00

leviathan

cb39cc5119

Phase 7: Dirty COW (CVE-2016-5195) FULL module — old-systems coverage

The iconic 2016 LPE. Fills the 10-year coverage gap (now spanning
2016 → 2026): RHEL 6/7, Ubuntu 14.04, Ubuntu 16.04, embedded boxes,
IoT — many still in production with kernels predating the 4.9 fix.

- modules/dirty_cow_cve_2016_5195/iamroot_modules.{c,h}:
  - kernel_range: backport thresholds for 2.6 / 3.2 / 3.10 / 3.12 /
    3.16 / 3.18 / 4.4 / 4.7 / 4.8 / mainline 4.9
  - dirty_cow_write(): Phil-Oester-style two-thread race
    - mmap /etc/passwd MAP_PRIVATE (writes go COW)
    - writer thread: pwrite to /proc/self/mem at COW page offset
    - madviser thread: madvise(MADV_DONTNEED) to drop COW copy
    - poll-read /etc/passwd via separate fd to check if payload landed
    - 3-second timeout (race usually wins in ms on vulnerable kernels)
  - dirty_cow_exploit(): getpwuid → find_passwd_uid_field → race
    → execlp(su)
  - dirty_cow_cleanup(): POSIX_FADV_DONTNEED + drop_caches
  - Auditd rule: /proc/self/mem writes + madvise MADV_DONTNEED
  - Sigma rule: non-root /proc/self/mem open → high
- Makefile: -lpthread added to LDFLAGS for the binary link.
- iamroot.c + core/registry.h wired.
- CVES.md row added with detailed status; legend updated.

Verified end-to-end on kctf-mgr (6.12.86 — patched):
  iamroot --scan       → 'dirty_cow: kernel is patched' (OK)
  iamroot --exploit dirty_cow --i-know
                       → 'detect() says not vulnerable; refusing'
Module count = 12.

2026-05-16 20:38:46 -04:00

2 Commits