leviathan
e2fcc6a9e0
Convert overlayfs from 🔵 → 🟢: full vsh-style userns + overlayfs + file-capability injection exploit. Sequence: 1. mkdtemp workdir; gcc-compile a minimal payload that setresuid(0,0,0) + execle(/bin/sh, -p) 2. fork child; child unshares(CLONE_NEWUSER | CLONE_NEWNS), writes /proc/self/{setgroups,uid_map,gid_map} mapping outer uid to userns-root 3. child mounts overlayfs with lower/upper/work layout 4. child copies payload binary into merged/payload — this writes to host's upper/payload via the overlay 5. child writes security.capability xattr with VFS_CAP_REVISION_2 blob granting cap_setuid+ep on merged/payload — the BUG persists this xattr to the host fs entry 6. child exits; parent verifies xattr via getxattr on upper/payload 7. parent execve's upper/payload from outside userns → has cap_setuid effective → setuid(0) → /bin/sh -p with uid=0 - libcap-less setcap: build VFS_CAP_REVISION_2 blob in-place (cap_setuid bit 7, cap_setgid bit 6, effective flag set in magic_etc), write via setxattr(security.capability). - which_gcc() fallback to /usr/bin/cc, /bin/gcc, etc.; tries -static first, falls back to dynamic link if static unavailable. - Re-runs detect() to refuse on patched / non-Ubuntu hosts. - Cleanup on failure: rmdir/unlink the workdir tree. - Removed unused write_uid_gid_map() helper (logic now inline in child since we self-write the maps post-unshare). Verified end-to-end on Debian kctf-mgr: iamroot --exploit overlayfs --i-know → 'not Ubuntu — bug is Ubuntu-specific' → 'refusing'. Correct. Path buffers oversized vs. mkdtemp template to silence GCC -Wformat-truncation noise. CVES.md: overlayfs 🔵 → 🟢.
IAMROOT
A curated, actively-maintained corpus of Linux kernel LPE exploits — bundled with their detection signatures, patch status, and version ranges. Run it on a system you own (or are authorized to test) and it tells you which historical and recent CVEs that system is still vulnerable to, and — with explicit confirmation — gets you root.
██╗ █████╗ ███╗ ███╗██████╗ ██████╗ ██████╗ ████████╗
██║██╔══██╗████╗ ████║██╔══██╗██╔═══██╗██╔═══██╗╚══██╔══╝
██║███████║██╔████╔██║██████╔╝██║ ██║██║ ██║ ██║
██║██╔══██║██║╚██╔╝██║██╔══██╗██║ ██║██║ ██║ ██║
██║██║ ██║██║ ╚═╝ ██║██║ ██║╚██████╔╝╚██████╔╝ ██║
╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝
⚠️ Authorized testing only. IAMROOT is a research and red-team tool. By using it you assert you have explicit authorization to test the target system. See
docs/ETHICS.md.
What this is
Most Linux LPE references are dead repos, broken PoCs, or single-CVE deep-dives. IAMROOT is a living corpus: each CVE that lands here is empirically verified to work on the kernels it claims to target, CI-tested across a distro matrix, and ships with the detection signatures defenders need to spot it in their environment.
The same binary covers offense and defense:
iamroot --scan— fingerprint the host, report which bundled CVEs apply, and which are blocked by patches/config/LSMiamroot --exploit <CVE>— run the named exploit (with--i-knowauthorization gate)iamroot --detect-rules— dump auditd / sigma / yara rules for every bundled CVE so blue teams can drop them into their toolingiamroot --mitigate— apply temporary mitigations for CVEs the host is vulnerable to (sysctl knobs, module blacklists, etc.)
Status
Active. Bootstrap phase as of 2026-05-16. First module
(copy_fail_family) absorbed from the standalone DIRTYFAIL project
and is verified working end-to-end on Ubuntu 26.04 + Alma 9 + Debian
13 with full AppArmor bypass + container escape demo + persistent
backdoor mode.
See CVES.md for the full curated CVE list with patch
status. See ROADMAP.md for the next planned modules.
Why this exists
The Linux kernel privilege-escalation space is fragmented:
linux-exploit-suggester/linpeas: suggest applicable exploits, don't run themauto-root-exploit/kernelpop: bundle exploits, but largely stale, no CI, no defensive signatures- Per-CVE single-PoC repos: usually one author, often abandoned within months of release, often only one distro
IAMROOT's bet is that there's room for a single curated bundle that (1) actively maintains a small set of high-quality exploits across a multi-distro matrix, and (2) ships detection rules alongside each exploit so the same project serves both red and blue teams.
Architecture
Each CVE (or tightly-related family) is a module under modules/.
Modules export a standard interface: detect(), exploit(),
mitigate(), cleanup(), plus metadata describing affected kernel
ranges, distro coverage, and CI test matrix.
Shared infrastructure (AppArmor bypass, su-exploitation primitives,
fingerprinting, common utilities) lives in core/.
See docs/ARCHITECTURE.md for the
module-loader design and how to add a new CVE.
Build & run
make # build all modules
sudo ./iamroot --scan # what's this box vulnerable to?
sudo ./iamroot --scan --json # machine-readable output for CI/SOC pipelines
sudo ./iamroot --detect-rules --format=sigma > rules.yml
sudo ./iamroot --exploit copy_fail --i-know # actually run an exploit
Acknowledgments
Each module credits the original CVE reporter and PoC author in its
NOTICE.md. IAMROOT is the bundling and bookkeeping layer; the
research credit belongs to the people who found the bugs.
License
MIT — see LICENSE.