3 Commits

Author	SHA1	Message	Date
leviathan	9593d90385	rename: IAMROOT → SKELETONKEY across the entire project ... Breaking change. Tool name, binary name, function/type names, constant names, env vars, header guards, file paths, and GitHub repo URL all rebrand IAMROOT → SKELETONKEY. Changes: - All "IAMROOT" → "SKELETONKEY" (constants, env vars, enum values, docs, comments) - All "iamroot" → "skeletonkey" (functions, types, paths, CLI) - iamroot.c → skeletonkey.c - modules/*/iamroot_modules.{c,h} → modules/*/skeletonkey_modules.{c,h} - tools/iamroot-fleet-scan.sh → tools/skeletonkey-fleet-scan.sh - Binary "iamroot" → "skeletonkey" - GitHub URL KaraZajac/IAMROOT → KaraZajac/SKELETONKEY - .gitignore now expects build output named "skeletonkey" - /tmp/iamroot-* tmpfiles → /tmp/skeletonkey-* - Env vars IAMROOT_MODPROBE_PATH etc. → SKELETONKEY_* New ASCII skeleton-key banner (horizontal key icon + ANSI Shadow SKELETONKEY block letters) replaces the IAMROOT banner in skeletonkey.c and README.md. VERSION: 0.3.1 → 0.4.0 (breaking). Build clean on Debian 6.12.86. `skeletonkey --version` → 0.4.0. All 24 modules still register; no functional code changes — pure rename + banner refresh.	2026-05-16 22:43:49 -04:00
leviathan	9d88b475c1	v0.3.1: --dump-offsets tool + NOTICE.md per module ... The README has been claiming "each module credits the original CVE reporter and PoC author in its NOTICE.md" since v0.1.0, but only copy_fail_family actually shipped one. Fixed. modules/<name>/NOTICE.md (×19 new + 1 existing): per-module research credit covering CVE ID, discoverer, original advisory URL where public, upstream fix commit, IAMROOT's role. iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets via the existing core/offsets.c four-source chain (env → /proc/kallsyms → /boot/System.map → embedded table), then emits a ready-to-paste C struct entry for kernel_table[]. Run once as root on a target kernel build; upstream via PR. Eliminates fabricating offsets — every shipped entry traces back to a `iamroot --dump-offsets` invocation on a real kernel. docs/OFFSETS.md: documents the --dump-offsets workflow. CVES.md: notes the NOTICE.md convention + offset dump tool. iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.	2026-05-16 22:33:43 -04:00
leviathan	4e9741ef1f	Add overlayfs_setuid CVE-2023-0386 — FULL working exploit ... Distro-agnostic overlayfs LPE — complements Ubuntu-specific CVE-2021-3493. Same overlayfs family. The bug: overlayfs copy_up preserves setuid bits even when the unprivileged user triggering copy-up wouldn't normally have CAP_FSETID. Exploit: 1. unshare(USER|NS), uid_map self → root in userns 2. Find a setuid binary on host (/usr/bin/su, sudo, passwd auto-pick) 3. mount overlayfs with the binary's dirname as lower 4. chown(merged/<binary>, 0, 0) — triggers copy-up; THE BUG: setuid bit persists in upper-layer copy despite our unprivileged context 5. Open + truncate + replace upper-layer content with our payload (a compiled C binary that setresuid(0,0,0) + execle /bin/sh -p) 6. exec upper-layer binary — runs as root via persistent setuid bit - kernel_range: 5.11 ≤ K < 6.3, backports 5.15.110 / 6.1.27 / 6.2.13 - Detect refuses on patched / missing setuid carrier / userns denied - Cleanup: rm -rf /tmp/iamroot-ovlsu-* - Auditd: mount(overlay) + chown/fchown chain — shared with CVE-2021-3493 module via the family-level 'iamroot-overlayfs' key - Compiles payload via target's gcc/cc (fallback dynamic if no -static) Verified on Debian 6.12.86 (patched): detect reports OK; exploit refuses cleanly. Module count = 20. Coverage by year now (only 2018 gap remaining): 2016: dirty_cow 🟢 2017: af_packet 🔵 2019: ptrace_traceme 🟢 2020: af_packet2 🔵 2021: pwnkit, overlayfs, netfilter_xtcompat 🟢/🟢/🔵 2022: dirty_pipe, cls_route4, fuse_legacy, cgroup_release_agent 🟢/🔵/🔵/🟢 2023: entrybleed, stackrot, overlayfs_setuid 🟢/🔵/🟢 2024: nf_tables 🔵 2026: copy_fail family (×5) 🟢🟢🟢🟢🟢 16 of 20 modules have FULL working exploits (🟢).	2026-05-16 21:11:37 -04:00