541aac6993
Convert ptrace_traceme from 🔵 → 🟢.

Real working PoC following Jann Horn's Project Zero issue #1903 technique.

Mechanism:

1. fork() — child becomes our traced target via PTRACE_TRACEME
2. child sleeps 500ms (lets parent execve start)
3. parent execve's setuid binary (pkexec / su / passwd / sudo — auto-selected via find_setuid_target())
4. Kernel elevates parent's creds to root but the stale ptrace_link from step 1 isn't invalidated (the bug)
5. child PTRACE_ATTACH's to the now-privileged parent
6. child PTRACE_POKETEXT's x86_64 shellcode at parent's RIP
7. child PTRACE_DETACH — parent runs shellcode: setuid(0); setgid(0); execve('/bin/sh', ...) → root shell

Implementation notes:

- x86_64-only (shellcode is arch-specific). ARM/other arch returns IAMROOT_PRECOND_FAIL gracefully.
- Shellcode is the canonical 33-byte setuid(0)+execve('/bin/sh') inline asm sequence.
- Setuid binary selection: pkexec preferred (almost universal), then su/sudo/passwd as fallbacks. Refuses if none available.
- Auto-refuses on patched kernels (re-runs detect() at start).
- No cleanup applies — exploit replaces our process image on success.

Verified on Debian 6.12.86 (patched): iamroot --exploit ptrace_traceme --i-know → detect() says patched → refuses cleanly. Correct.

CVES.md: ptrace_traceme 🔵 → 🟢.

5 detect-only modules remain (cls_route4, nf_tables, netfilter_xtcompat, af_packet, fuse_legacy). Each is 200-400 line msg_msg/sk_buff cross-cache groom — substantial individual commits. Next push or strategic pivot per session priorities.