leviathan
52e8c99022
- core/module.h: struct iamroot_module + iamroot_result_t
- core/registry.{h,c}: flat-array module registry with find-by-name
- modules/copy_fail_family/iamroot_modules.{h,c}: bridge layer
exposing 5 modules (copy_fail, copy_fail_gcm, dirty_frag_esp,
dirty_frag_esp6, dirty_frag_rxrpc) wired to the absorbed DIRTYFAIL
detect/exploit functions; df_result_t/iamroot_result_t share numeric
values intentionally for zero-cost translation
- iamroot.c: top-level CLI dispatcher with --scan / --list / --exploit /
--mitigate / --cleanup, JSON output, --i-know gate
- Restored modules/copy_fail_family/src/ structure (DIRTYFAIL Makefile
expects it; the initial flat copy broke that contract)
- Top-level Makefile builds one binary; filters out DIRTYFAIL's
original dirtyfail.c main so it doesn't conflict with iamroot.c
Verified end-to-end on kctf-mgr (Linux): clean compile, 5 modules
register, --scan --json output ingest-ready, exit codes propagate.
35 lines
1.3 KiB
C
35 lines
1.3 KiB
C
/*
|
|
* DIRTYFAIL — dirtyfrag_rxrpc.h
|
|
*
|
|
* RxRPC variant of Dirty Frag (CVE-2026-43500).
|
|
*/
|
|
|
|
#ifndef DIRTYFAIL_DIRTYFRAG_RXRPC_H
|
|
#define DIRTYFAIL_DIRTYFRAG_RXRPC_H
|
|
|
|
#include "common.h"
|
|
|
|
/* Precondition probe: kernel + rxrpc.ko + AF_RXRPC openable. */
|
|
df_result_t dirtyfrag_rxrpc_detect(void);
|
|
|
|
/* Real PoC: brute-force three rxkad session keys K_A, K_B, K_C such
|
|
* that pcbc(fcrypt)-decrypting /etc/passwd line 1 at offsets 4/6/8
|
|
* with last-write-wins produces "root::0:0:GGGGGG:/root:/bin/bash".
|
|
* Then enter a fresh user/net namespace, run the three forged-handshake
|
|
* splice triggers, and (if do_shell) execve `su -` to drop a root shell
|
|
* via PAM `pam_unix nullok`. */
|
|
df_result_t dirtyfrag_rxrpc_exploit(bool do_shell);
|
|
df_result_t dirtyfrag_rxrpc_exploit_inner(void);
|
|
|
|
/* Active probe: fires ONE rxkad handshake-forgery trigger against a
|
|
* /tmp sentinel (never /etc/passwd). The trigger writes ~8 bytes of
|
|
* pcbc(fcrypt)-decrypted ciphertext into the sentinel page; we don't
|
|
* need to predict what landed — any byte change confirms the kernel
|
|
* STORE happened. Skips fcrypt brute force entirely (a random 8-byte
|
|
* key is fine for a structural probe). Returns DF_VULNERABLE if the
|
|
* sentinel changed, DF_OK if intact, DF_PRECOND_FAIL on AA-block. */
|
|
df_result_t dirtyfrag_rxrpc_active_probe(void);
|
|
df_result_t dirtyfrag_rxrpc_active_probe_inner(void);
|
|
|
|
#endif
|