SKELETONKEY

Files

T

leviathan 6eab6d3f70 Add cgroup_release_agent CVE-2022-0492 — FULL working exploit

Universal container-escape LPE. Doesn't need msg_msg cross-cache groom,
no arch-specific shellcode, no version-specific offsets — bug is
structural (priv check in wrong namespace).

Mechanism:
  1. unshare(CLONE_NEWUSER | CLONE_NEWNS) → become 'root' in userns
  2. write uid_map/gid_map (deny setgroups first)
  3. mount cgroup v1 (rdma controller; memory fallback)
  4. mkdir /<mnt>/iamroot subgroup
  5. write payload-path → release_agent (in mount root)
  6. write '1' → notify_on_release (in subgroup)
  7. write our pid → cgroup.procs (in subgroup)
  8. exit → cgroup empties → kernel exec's payload as INIT-ns uid=0
  9. Payload drops /tmp/iamroot-cgroup-sh with setuid root
  10. Parent polls for the setuid-shell appearance + exec's it -p

- kernel_range: K < 5.17 mainline, backports across 4.9 / 4.14 / 4.19 /
  5.4 / 5.10 / 5.15 / 5.16 LTS branches.
- Detect probes user_ns+mount_ns clone via fork-isolated child.
- Cleanup removes /tmp/iamroot-cgroup-* + umount the workspace.
- Auditd: flag unshare + mount(cgroup) + /sys/fs/cgroup writes from
  non-root. Sigma rule for unshare+cgroup-mount chain.

Path buffers oversized to silence GCC -Wformat-truncation noise
(cgdir 384, ra_path 384, nor_path/cgproc_path 512).

Verified on Debian 6.12.86 (patched): detect reports OK; exploit
refuses cleanly. Module count = 19.

2026-05-16 21:09:34 -04:00

_stubs/fragnesia_TBD

Phase 3: EntryBleed module — working stage-1 kbase leak brick

2026-05-16 19:55:22 -04:00

af_packet2_cve_2020_14386

Add stackrot (CVE-2023-3269) + af_packet2 (CVE-2020-14386) modules

2026-05-16 21:03:36 -04:00

af_packet_cve_2017_7308

Phase 7: af_packet (CVE-2017-7308) + FUSE legacy (CVE-2022-0185)

2026-05-16 20:49:58 -04:00

cgroup_release_agent_cve_2022_0492

Add cgroup_release_agent CVE-2022-0492 — FULL working exploit