leviathan
5d48a7b0b5
Two additions on top of v0.7.0:
1. skeletonkey-arm64-static is now published alongside the existing
x86_64-static binary. Built native-arm64 in Alpine via GitHub's
ubuntu-24.04-arm runner pool (free for public repos as of 2024).
install.sh auto-picks it based on 'uname -m'; SKELETONKEY_DYNAMIC=1
fetches the dynamic build instead. Works on Raspberry Pi 4+, Apple
Silicon Linux VMs, AWS Graviton, Oracle Ampere, Hetzner ARM, etc.
.github/workflows/release.yml refactor: the previous single
build-static-x86_64 job becomes a build-static matrix with two
entries (x86_64-static on ubuntu-latest, arm64-static on
ubuntu-24.04-arm). Both share the same Alpine container + build
recipe.
2. .arch_support field on struct skeletonkey_module — honest per-module
labeling of which architectures the exploit() body has been verified
on. Three categories:
'any' (4 modules): pwnkit, sudo_samedit, sudoedit_editor,
pack2theroot. Purely userspace; arch-independent.
'x86_64' (1 module): entrybleed. KPTI prefetchnta side-channel;
x86-only by physics. Already source-gated (returns
PRECOND_FAIL on non-x86_64).
'x86_64+unverified-arm64' (26 modules): kernel exploitation
code. The bug class is generic but the exploit primitives
(msg_msg sprays, finisher chain, struct offsets) haven't been
confirmed on arm64. detect() still works (just reads ctx->host);
only the --exploit path is in question.
--list now has an ARCH column (any / x64 / x64?) and the footer
prints 'N arch-independent (any)'.
--module-info prints 'arch support: <value>'.
--scan --json adds 'arch_support' to each module record.
This is the honest 'arm64 works for detection on every module +
exploitation on 4 of them today; the rest await empirical arm64
sweep' framing — not pretending the kernel exploits already work
there, but not blocking the arm64 binary on that either. arm64
users get the full triage workflow + a handful of userspace exploits
out of the box, plus a clear roadmap for the rest.
Future work to promote modules from 'x86_64+unverified-arm64' to
'any': add an arm64 Vagrant box (generic/debian12-arm64 etc.) to
tools/verify-vm/ and run a verification sweep on Apple Silicon /
ARM Linux hardware.
137 lines
4.9 KiB
Bash
Executable File
137 lines
4.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# SKELETONKEY one-shot installer.
|
|
#
|
|
# Usage:
|
|
# curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh
|
|
#
|
|
# Or with explicit version:
|
|
# SKELETONKEY_VERSION=v0.1.0 curl ... | sh
|
|
#
|
|
# Or install to a different prefix:
|
|
# SKELETONKEY_PREFIX=$HOME/.local/bin curl ... | sh
|
|
#
|
|
# Environment:
|
|
# SKELETONKEY_VERSION release tag (default: latest)
|
|
# SKELETONKEY_PREFIX install dir (default: /usr/local/bin if writable, else error)
|
|
# SKELETONKEY_REPO override repo (default: KaraZajac/SKELETONKEY)
|
|
#
|
|
# Exit codes:
|
|
# 0 — installed successfully
|
|
# 1 — error (unsupported arch, download failure, permission denied)
|
|
|
|
# POSIX-friendly: -eu is universal, pipefail only on shells that
|
|
# support it (bash, ksh, dash >= 0.5.12). Without pipefail the
|
|
# installer still exits on the first hard error since every curl/
|
|
# tar/install step is checked explicitly.
|
|
set -eu
|
|
(set -o pipefail) 2>/dev/null && set -o pipefail || true
|
|
|
|
REPO="${SKELETONKEY_REPO:-KaraZajac/SKELETONKEY}"
|
|
VERSION="${SKELETONKEY_VERSION:-latest}"
|
|
PREFIX="${SKELETONKEY_PREFIX:-/usr/local/bin}"
|
|
|
|
log() { printf '[\033[1;36m*\033[0m] %s\n' "$*" >&2; }
|
|
ok() { printf '[\033[1;32m+\033[0m] %s\n' "$*" >&2; }
|
|
fail() { printf '[\033[1;31m-\033[0m] %s\n' "$*" >&2; exit 1; }
|
|
|
|
# Detect architecture. Default to the musl-static binary on both
|
|
# x86_64 and arm64 — works on every libc (glibc 2.x of any version,
|
|
# musl, uclibc); costs ~800 KB extra vs dynamic but eliminates the
|
|
# GLIBC_2.NN portability ceiling that bites on Debian-stable, older
|
|
# RHEL hosts, and Alpine. Set SKELETONKEY_DYNAMIC=1 to fetch the
|
|
# smaller dynamic build (needs glibc >= 2.38 for x86_64 — Ubuntu
|
|
# 24.04 / Debian 13 / RHEL 10).
|
|
arch=$(uname -m)
|
|
case "$arch" in
|
|
x86_64|amd64)
|
|
if [ "${SKELETONKEY_DYNAMIC:-0}" = "1" ]; then
|
|
target=x86_64
|
|
else
|
|
target=x86_64-static
|
|
fi
|
|
;;
|
|
aarch64|arm64)
|
|
if [ "${SKELETONKEY_DYNAMIC:-0}" = "1" ]; then
|
|
target=arm64
|
|
else
|
|
target=arm64-static
|
|
fi
|
|
;;
|
|
*) fail "Unsupported architecture: $arch (only x86_64 and arm64 currently)" ;;
|
|
esac
|
|
log "detected arch: $target"
|
|
|
|
# Resolve version → download URL
|
|
if [ "$VERSION" = "latest" ]; then
|
|
url="https://github.com/${REPO}/releases/latest/download/skeletonkey-${target}"
|
|
sha_url="https://github.com/${REPO}/releases/latest/download/skeletonkey-${target}.sha256"
|
|
else
|
|
url="https://github.com/${REPO}/releases/download/${VERSION}/skeletonkey-${target}"
|
|
sha_url="https://github.com/${REPO}/releases/download/${VERSION}/skeletonkey-${target}.sha256"
|
|
fi
|
|
log "downloading from: $url"
|
|
|
|
# Need curl. wget fallback would be nice but skipping for simplicity.
|
|
if ! command -v curl >/dev/null 2>&1; then
|
|
fail "curl is required (apt install curl / dnf install curl)"
|
|
fi
|
|
|
|
tmp=$(mktemp -d)
|
|
trap 'rm -rf "$tmp"' EXIT
|
|
|
|
if ! curl -fsSLo "$tmp/skeletonkey" "$url"; then
|
|
fail "download failed. Check the version exists at https://github.com/${REPO}/releases"
|
|
fi
|
|
|
|
# Verify checksum if available
|
|
if curl -fsSLo "$tmp/skeletonkey.sha256" "$sha_url" 2>/dev/null; then
|
|
# The .sha256 file has the binary's original name; normalize for our local copy
|
|
expected=$(awk '{print $1}' "$tmp/skeletonkey.sha256")
|
|
if command -v sha256sum >/dev/null 2>&1; then
|
|
actual=$(sha256sum "$tmp/skeletonkey" | awk '{print $1}')
|
|
elif command -v shasum >/dev/null 2>&1; then
|
|
actual=$(shasum -a 256 "$tmp/skeletonkey" | awk '{print $1}')
|
|
else
|
|
actual=""
|
|
log "no sha256sum/shasum available — skipping checksum verification"
|
|
fi
|
|
if [ -n "$actual" ]; then
|
|
if [ "$actual" = "$expected" ]; then
|
|
ok "checksum verified"
|
|
else
|
|
fail "checksum mismatch (expected $expected, got $actual)"
|
|
fi
|
|
fi
|
|
else
|
|
log "no checksum file at $sha_url — skipping verification"
|
|
fi
|
|
|
|
chmod +x "$tmp/skeletonkey"
|
|
|
|
# Install. Try $PREFIX directly; if not writable, sudo.
|
|
target_path="$PREFIX/skeletonkey"
|
|
if [ -w "$PREFIX" ] || [ "$(id -u)" -eq 0 ]; then
|
|
mv "$tmp/skeletonkey" "$target_path"
|
|
elif command -v sudo >/dev/null 2>&1; then
|
|
log "$PREFIX needs sudo; you may be prompted for password"
|
|
sudo mv "$tmp/skeletonkey" "$target_path"
|
|
else
|
|
fail "$PREFIX not writable and sudo not available. Try SKELETONKEY_PREFIX=\$HOME/.local/bin"
|
|
fi
|
|
|
|
ok "installed: $target_path"
|
|
"$target_path" --version
|
|
|
|
cat >&2 <<EOF
|
|
|
|
[\033[1;33m!\033[0m] AUTHORIZED TESTING ONLY — see https://github.com/${REPO}/blob/main/docs/ETHICS.md
|
|
|
|
Quickstart:
|
|
sudo skeletonkey --scan # what's this box vulnerable to?
|
|
sudo skeletonkey --audit # broader system hygiene
|
|
sudo skeletonkey --detect-rules --format=auditd \\
|
|
| sudo tee /etc/audit/rules.d/99-skeletonkey.rules # deploy detection rules
|
|
|
|
See \`skeletonkey --help\` for all commands.
|
|
EOF
|