Phase 7: Pwnkit FULL exploit (Qualys-style PoC) + DEFENDERS.md
Pwnkit: 🔵 → 🟢
- Implements the canonical Qualys-style PoC end-to-end:
1. Locate setuid pkexec
2. mkdtemp working directory under /tmp
3. Detect target's gcc/cc (fail-soft if absent)
4. Write payload.c (gconv constructor: unsetenv hostile vars,
setuid(0), execle /bin/sh -p with clean PATH)
5. gcc -shared -fPIC payload.c -o pwnkit/PWNKIT.so
6. Write gconv-modules cache pointing UTF-8// → PWNKIT//
7. execve(pkexec, NULL_argv, envp{GCONV_PATH=workdir/pwnkit,
PATH=GCONV_PATH=., CHARSET=PWNKIT, SHELL=pwnkit})
→ argc=0 triggers argv-overflow-into-envp; pkexec re-execs
with PATH set to our tmpdir; libc's iconv loads PWNKIT.so
as root; constructor pops /bin/sh with uid=0.
- Cleanup: removes /tmp/iamroot-pwnkit-* workdirs.
- Auto-refuses on patched hosts (re-runs detect() first).
- GCC -Wformat-truncation warnings fixed by sizing path buffers
generously (1024/2048 bytes — way more than needed in practice).
Verified end-to-end on kctf-mgr (polkit 126 = patched):
iamroot --exploit pwnkit --i-know
→ detect() says fixed → refuses cleanly. Correct behavior.
Vulnerable-kernel validation is Phase 4 CI matrix work.
docs/DEFENDERS.md — blue-team deployment guide:
- TL;DR: scan, deploy rules, mitigate, watch
- Operations cheat sheet (--list, --scan, --detect-rules, --mitigate)
- Audit-key table mapping rule keys to modules to caught behavior
- Fleet-scanning recipe (ssh + jq aggregation)
- Known false-positive shapes per rule with tuning hints
CVES.md: pwnkit row updated 🔵 → 🟢.
ROADMAP.md: Phase 7 Pwnkit checkbox marked complete.
leviathan
f1bd896ca8