leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
dce158e33ac8c6aec2a6c3d7d706303725d0bd9c
SKELETONKEY/README.md
T
leviathan dce158e33a release: v0.1.0 — 20-module corpus, 13 root-pop + 7 primitive 
iamroot.c: bump IAMROOT_VERSION from 0.1.0-phase1 → 0.1.0
  README.md: replace "bootstrap phase" status with v0.1.0 corpus
             breakdown (13🟢 / 7🟡 across 2016→2026 timeline)
  CVES.md:   redefine 🟡 to mean "primitive fires + groom + witness,
             stops short of cred-overwrite chain — refuses to claim
             root unless empirically demonstrated"; flip 7 entries
             from 🔵🟡; add the two missing 🟢 entries
             (cgroup_release_agent, overlayfs_setuid); extend the
             operations matrix from 7 → 20 rows.
  ROADMAP.md: mark all Phase-7 items landed; add Phase 8 covering
              full-chain promotions (nf_tables / xtcompat / af_packet
              prioritized — each has a public reference exploit;
              IAMROOT's no-fabricated-offsets rule means each needs
              an env-var offset table or System.map auto-resolve).

Build clean on Debian 6.12.86; iamroot --version reports 0.1.0.
2026-05-16 21:40:51 -04:00

133 lines
5.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IAMROOT
> A curated, actively-maintained corpus of Linux kernel LPE exploits —
> bundled with their detection signatures, patch status, and version
> ranges. Run it on a system you own (or are authorized to test) and
> it tells you which historical and recent CVEs that system is still
> vulnerable to, and — with explicit confirmation — gets you root.
```
██╗ █████╗ ███╗ ███╗██████╗ ██████╗ ██████╗ ████████╗
██║██╔══██╗████╗ ████║██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝
██║███████║██╔████╔██║██████╔╝██║ ██║██║ ██║ ██║
██║██╔══██║██║╚██╔╝██║██╔══██╗██║ ██║██║ ██║ ██║
██║██║ ██║██║ ╚═╝ ██║██║ ██║╚██████╔╝╚██████╔╝ ██║
╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
```
> ⚠️ **Authorized testing only.** IAMROOT is a research and red-team
> tool. By using it you assert you have explicit authorization to test
> the target system. See [`docs/ETHICS.md`](docs/ETHICS.md).
## Quickstart
```bash
# One-shot install (x86_64 / arm64; checksum-verified)
curl -sSL https://github.com/KaraZajac/IAMROOT/releases/latest/download/install.sh | sh
# What's this box vulnerable to?
sudo iamroot --scan
# Broader system hygiene (setuid binaries, world-writable, capabilities, sudo)
sudo iamroot --audit
# Deploy detection rules across every bundled module
sudo iamroot --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-iamroot.rules
# Fleet scan (any-sized host list via SSH; aggregated JSON for SIEM)
./tools/iamroot-fleet-scan.sh --binary iamroot --ssh-key ~/.ssh/id_rsa hosts.txt
```
`iamroot --help` lists every command. See [`CVES.md`](CVES.md) for the
curated CVE inventory and [`docs/DEFENDERS.md`](docs/DEFENDERS.md) for
the blue-team deployment guide.
## What this is
Most Linux LPE references are dead repos, broken PoCs, or single-CVE
deep-dives. **IAMROOT is a living corpus**: each CVE that lands here
is empirically verified to work on the kernels it claims to target,
CI-tested across a distro matrix, and ships with the detection
signatures defenders need to spot it in their environment.
The same binary covers offense and defense:
- `iamroot --scan` — fingerprint the host, report which bundled CVEs
apply, and which are blocked by patches/config/LSM
- `iamroot --exploit <CVE>` — run the named exploit (with `--i-know`
authorization gate)
- `iamroot --detect-rules` — dump auditd / sigma / yara rules for
every bundled CVE so blue teams can drop them into their tooling
- `iamroot --mitigate` — apply temporary mitigations for CVEs the
host is vulnerable to (sysctl knobs, module blacklists, etc.)
## Status
**Active — v0.1.0 cut 2026-05-16.** Corpus covers **20 modules**
across the 2016 → 2026 LPE timeline:
- 🟢 **13 modules land root** end-to-end on a vulnerable host
(copy_fail family ×5, dirty_pipe, entrybleed leak, pwnkit,
overlayfs CVE-2021-3493, dirty_cow, ptrace_traceme,
cgroup_release_agent, overlayfs_setuid CVE-2023-0386).
- 🟡 **7 modules fire the kernel primitive** (trigger + slab groom +
empirical witness) but stop short of the full cred-overwrite /
R/W chain — they return `EXPLOIT_FAIL` honestly rather than
fabricate per-kernel offsets. Useful as vuln-verification probes.
(af_packet, af_packet2, cls_route4, fuse_legacy, nf_tables,
netfilter_xtcompat, stackrot.)
- Detection rules ship inline (auditd / sigma / yara / falco) and
are exported via `iamroot --detect-rules --format=…`.
See [`CVES.md`](CVES.md) for the per-CVE inventory + patch status.
See [`ROADMAP.md`](ROADMAP.md) for the next planned modules.
## Why this exists
The Linux kernel privilege-escalation space is fragmented:
- **`linux-exploit-suggester` / `linpeas`**: suggest applicable
exploits, don't run them
- **`auto-root-exploit` / `kernelpop`**: bundle exploits, but largely
stale, no CI, no defensive signatures
- **Per-CVE single-PoC repos**: usually one author, often abandoned
within months of release, often only one distro
IAMROOT's bet is that there's room for a single curated bundle that
(1) actively maintains a small set of high-quality exploits across a
multi-distro matrix, and (2) ships detection rules alongside each
exploit so the same project serves both red and blue teams.
## Architecture
Each CVE (or tightly-related family) is a **module** under `modules/`.
Modules export a standard interface: `detect()`, `exploit()`,
`mitigate()`, `cleanup()`, plus metadata describing affected kernel
ranges, distro coverage, and CI test matrix.
Shared infrastructure (AppArmor bypass, su-exploitation primitives,
fingerprinting, common utilities) lives in `core/`.
See [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) for the
module-loader design and how to add a new CVE.
## Build & run
```bash
make # build all modules
sudo ./iamroot --scan # what's this box vulnerable to?
sudo ./iamroot --scan --json # machine-readable output for CI/SOC pipelines
sudo ./iamroot --detect-rules --format=sigma > rules.yml
sudo ./iamroot --exploit copy_fail --i-know # actually run an exploit
```
## Acknowledgments
Each module credits the original CVE reporter and PoC author in its
`NOTICE.md`. IAMROOT is the bundling and bookkeeping layer; the
research credit belongs to the people who found the bugs.
## License
MIT — see [`LICENSE`](LICENSE).
Reference in New Issue View Git Blame Copy Permalink