leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
498bb36404294024544fc351da7bf102cfe9a4f9
SKELETONKEY/modules
T
History
leviathan 498bb36404 modules: port 5 detect-only modules to trigger+groom (Option B) 
Converts the 5 remaining detect-only network/fs LPE modules to fire
the actual kernel primitive on a vulnerable host, with honest
EXPLOIT_FAIL return values since none ship the per-kernel cred-overwrite
finisher.

  af_packet (CVE-2017-7308):     +444 LoC — TPACKET_V3 int-overflow
                                  + skb spray + best-effort cred race
  af_packet2 (CVE-2020-14386):   +446 LoC — tp_reserve underflow
                                  + sendmmsg skb spray
  cls_route4 (CVE-2022-2588):    +410 LoC — route4 dangling-filter UAF
                                  + msg_msg 1k spray + classify drive
  fuse_legacy (CVE-2022-0185):   +420 LoC — fsconfig 4k OOB write
                                  + msg_msg cross-cache groom
  nf_tables (CVE-2024-1086):     +613 LoC — hand-rolled nfnetlink batch
                                  builder + NFT_GOTO/DROP double-free
                                  + msg_msg groom skeleton

All five share:
  - userns+netns reach (unshare(CLONE_NEWUSER|CLONE_NEWNET))
  - Detect-refuse-on-patched re-call from exploit()
  - geteuid()==0 short-circuit
  - Honest EXPLOIT_FAIL with continuation roadmap comments
  - macOS dev-build stubs via #ifdef __linux__ where needed

Build verified clean on Debian 6.12.86 (kctf-mgr). All five refuse on
the patched kernel.
2026-05-16 21:22:17 -04:00
..
_stubs/fragnesia_TBD
Phase 3: EntryBleed module — working stage-1 kbase leak brick
2026-05-16 19:55:22 -04:00
af_packet2_cve_2020_14386
modules: port 5 detect-only modules to trigger+groom (Option B)
2026-05-16 21:22:17 -04:00
af_packet_cve_2017_7308
modules: port 5 detect-only modules to trigger+groom (Option B)
2026-05-16 21:22:17 -04:00
cgroup_release_agent_cve_2022_0492
Add cgroup_release_agent CVE-2022-0492 — FULL working exploit
2026-05-16 21:09:34 -04:00
cls_route4_cve_2022_2588
modules: port 5 detect-only modules to trigger+groom (Option B)
2026-05-16 21:22:17 -04:00
copy_fail_family
Phase 6 (partial): --mitigate bridged for copy_fail_family
2026-05-16 20:04:32 -04:00
dirty_cow_cve_2016_5195
Phase 7: Dirty COW (CVE-2016-5195) FULL module — old-systems coverage
2026-05-16 20:38:46 -04:00
dirty_pipe_cve_2022_0847
Phase 7: nf_tables CVE-2024-1086 + active probe for dirty_pipe
2026-05-16 20:19:11 -04:00
entrybleed_cve_2023_0458
entrybleed: active probe (--active runs reduced sweep + sanity-checks kbase)
2026-05-16 20:20:41 -04:00
fuse_legacy_cve_2022_0185
modules: port 5 detect-only modules to trigger+groom (Option B)
2026-05-16 21:22:17 -04:00
netfilter_xtcompat_cve_2021_22555
Phase 7: PTRACE_TRACEME (CVE-2019-13272) + xt_compat (CVE-2021-22555)
2026-05-16 20:47:24 -04:00
nf_tables_cve_2024_1086
modules: port 5 detect-only modules to trigger+groom (Option B)
2026-05-16 21:22:17 -04:00
overlayfs_cve_2021_3493
Phase 7: overlayfs CVE-2021-3493 — port FULL exploit (vsh-style)
2026-05-16 20:42:28 -04:00
overlayfs_setuid_cve_2023_0386
Add overlayfs_setuid CVE-2023-0386 — FULL working exploit
2026-05-16 21:11:37 -04:00
ptrace_traceme_cve_2019_13272
Phase 7: ptrace_traceme CVE-2019-13272 — port FULL jannh-style exploit
2026-05-16 20:57:44 -04:00
pwnkit_cve_2021_4034
Phase 7: Pwnkit FULL exploit (Qualys-style PoC) + DEFENDERS.md
2026-05-16 20:13:11 -04:00
stackrot_cve_2023_3269
Add stackrot (CVE-2023-3269) + af_packet2 (CVE-2020-14386) modules
2026-05-16 21:03:36 -04:00