SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	498bb36404	modules: port 5 detect-only modules to trigger+groom (Option B) Converts the 5 remaining detect-only network/fs LPE modules to fire the actual kernel primitive on a vulnerable host, with honest EXPLOIT_FAIL return values since none ship the per-kernel cred-overwrite finisher. af_packet (CVE-2017-7308): +444 LoC — TPACKET_V3 int-overflow + skb spray + best-effort cred race af_packet2 (CVE-2020-14386): +446 LoC — tp_reserve underflow + sendmmsg skb spray cls_route4 (CVE-2022-2588): +410 LoC — route4 dangling-filter UAF + msg_msg 1k spray + classify drive fuse_legacy (CVE-2022-0185): +420 LoC — fsconfig 4k OOB write + msg_msg cross-cache groom nf_tables (CVE-2024-1086): +613 LoC — hand-rolled nfnetlink batch builder + NFT_GOTO/DROP double-free + msg_msg groom skeleton All five share: - userns+netns reach (unshare(CLONE_NEWUSER\|CLONE_NEWNET)) - Detect-refuse-on-patched re-call from exploit() - geteuid()==0 short-circuit - Honest EXPLOIT_FAIL with continuation roadmap comments - macOS dev-build stubs via #ifdef __linux__ where needed Build verified clean on Debian 6.12.86 (kctf-mgr). All five refuse on the patched kernel.	2026-05-16 21:22:17 -04:00
leviathan	3ad1446489	Add cls_route4 CVE-2022-2588 module (detect-only) 11th module. net/sched cls_route4 handle-zero dead UAF — discovered by kylebot Aug 2022, fixed mainline 5.20 (commit 9efd23297cca). Bug existed since 2.6.39 → very wide attack surface. - modules/cls_route4_cve_2022_2588/iamroot_modules.{c,h}: - kernel_range thresholds: 5.4.213 / 5.10.143 / 5.15.69 / 5.18.18 / 5.19.7 / mainline 5.20+ - can_unshare_userns() probes user_ns+net_ns clone availability (the exploit's CAP_NET_ADMIN-in-userns gate) - cls_route4_module_available() checks /proc/modules - Reports VULNERABLE if kernel in range AND user_ns allowed; PRECOND_FAIL if user_ns denied; OK if patched. - Exploit stub returns IAMROOT_PRECOND_FAIL with reference to kylebot's public PoC. - Auditd rule: tc-style sendto syscalls (rough; legit traffic shaping will trip — tune by user). iamroot.c + Makefile + core/registry.h wired. CVES.md row added. Verified on kctf-mgr (6.12.86): module reports OK, total module count = 11.	2026-05-16 20:33:14 -04:00

Author

SHA1

Message

Date

leviathan

498bb36404

modules: port 5 detect-only modules to trigger+groom (Option B)

Converts the 5 remaining detect-only network/fs LPE modules to fire
the actual kernel primitive on a vulnerable host, with honest
EXPLOIT_FAIL return values since none ship the per-kernel cred-overwrite
finisher.

  af_packet (CVE-2017-7308):     +444 LoC — TPACKET_V3 int-overflow
                                  + skb spray + best-effort cred race
  af_packet2 (CVE-2020-14386):   +446 LoC — tp_reserve underflow
                                  + sendmmsg skb spray
  cls_route4 (CVE-2022-2588):    +410 LoC — route4 dangling-filter UAF
                                  + msg_msg 1k spray + classify drive
  fuse_legacy (CVE-2022-0185):   +420 LoC — fsconfig 4k OOB write
                                  + msg_msg cross-cache groom
  nf_tables (CVE-2024-1086):     +613 LoC — hand-rolled nfnetlink batch
                                  builder + NFT_GOTO/DROP double-free
                                  + msg_msg groom skeleton

All five share:
  - userns+netns reach (unshare(CLONE_NEWUSER|CLONE_NEWNET))
  - Detect-refuse-on-patched re-call from exploit()
  - geteuid()==0 short-circuit
  - Honest EXPLOIT_FAIL with continuation roadmap comments
  - macOS dev-build stubs via #ifdef __linux__ where needed

Build verified clean on Debian 6.12.86 (kctf-mgr). All five refuse on
the patched kernel.

2026-05-16 21:22:17 -04:00

leviathan

3ad1446489

Add cls_route4 CVE-2022-2588 module (detect-only)

11th module. net/sched cls_route4 handle-zero dead UAF — discovered
by kylebot Aug 2022, fixed mainline 5.20 (commit 9efd23297cca).
Bug existed since 2.6.39 → very wide attack surface.

- modules/cls_route4_cve_2022_2588/iamroot_modules.{c,h}:
  - kernel_range thresholds: 5.4.213 / 5.10.143 / 5.15.69 / 5.18.18 /
    5.19.7 / mainline 5.20+
  - can_unshare_userns() probes user_ns+net_ns clone availability
    (the exploit's CAP_NET_ADMIN-in-userns gate)
  - cls_route4_module_available() checks /proc/modules
  - Reports VULNERABLE if kernel in range AND user_ns allowed;
    PRECOND_FAIL if user_ns denied; OK if patched.
  - Exploit stub returns IAMROOT_PRECOND_FAIL with reference to
    kylebot's public PoC.
  - Auditd rule: tc-style sendto syscalls (rough; legit traffic
    shaping will trip — tune by user).

iamroot.c + Makefile + core/registry.h wired. CVES.md row added.

Verified on kctf-mgr (6.12.86): module reports OK, total module
count = 11.

2026-05-16 20:33:14 -04:00

2 Commits