ssh-keysign-pwn

This is a compact standalone local privilege escalation repository for CVE-2026-46333. It is not a framework module. The repo contains 5 files: a Makefile, README, headers, a D-Bus marshaling/payload file (dbus.c/dbus.h), and the main exploit (ptrace_may_dream.c). The Makefile builds a single binary, ptrace_may_dream, from ptrace_may_dream.c and dbus.c and links pthread, crypt, and util libraries. The exploit targets a Linux kernel race in ptrace_may_access() when mm == NULL during pidfd_getfd(2). The core idea is to race pidfd_getfd() against the exit of a privileged short-lived process so that ptrace access checks are skipped, allowing an unprivileged user to duplicate an open file descriptor from that process. Here, the chosen victim is accounts-daemon. The exploit searches /proc for the accounts-daemon PID, uses busctl to trigger activity in AccountsService, and specifically abuses SetIconFile to cause a short-lived child process. Multiple racing threads repeatedly call pidfd_getfd() against a guessed FD slot (default 5, matching the README note for dbus-broker) until one thread steals the D-Bus socket FD. Once the FD is stolen, the exploit writes a handcrafted D-Bus payload directly to that socket. dbus.c constructs three concatenated method calls on org.freedesktop.Accounts.User for the current user's object path: SetShell("/bin/bash"), SetAccountType(admin), and SetPassword(hash, ""). The password is hardcoded in dbus.h as pwned123 and hashed with crypt() using SHA-512 salt $6$xpl01t$. After sending the payload, the main program waits for accounts-daemon to apply the changes, verifies success by checking /etc/group for wheel membership and /etc/passwd for /bin/bash, then attempts to launch a root-capable shell path. Capabilities are therefore: local process enumeration, race-based FD theft via pidfd_getfd, direct D-Bus wire-format message construction, privilege escalation through AccountsService account modification, and post-exploitation shell access. There are no external network callbacks or C2 endpoints; all observables are local filesystem paths, procfs paths, D-Bus service/interface/object names, and external busctl invocations.

This repository is a small Go-based local proof-of-concept for CVE-2026-46333. It is not a remote exploit and contains no network functionality. The repo structure is simple: documentation in README.md and docs/, Go module metadata in go.mod/go.sum, a Linux-only implementation in main.go, and a non-Linux stub in main_nonlinux.go that exits with an informational message. The main exploit logic repeatedly spawns a user-chosen local binary, suppresses its standard streams by redirecting them to /dev/null, obtains a pidfd for the child process, and repeatedly probes file descriptors 3 through 499 using pidfd_getfd across up to 500 probe iterations and 500 rounds. If any descriptor duplication succeeds, it treats that as a race-condition hit, inspects each duplicated descriptor through /proc/self/fd/<n>, logs the resolved file path and permissions, and optionally reads up to 8 MiB from a specific captured file if its path matches the operator-provided capture path. Overall, the exploit capability is local file-descriptor theft/inspection and optional file-content disclosure from a spawned target process in a Linux environment supporting pidfd syscalls. The code is clearly positioned as a research/validation PoC rather than a weaponized exploit: no persistence, privilege escalation chain, remote delivery, or customizable post-exploitation payloads are present.

This repository contains a small standalone local Linux exploit PoC set for CVE-2026-46333, with 3 files total: two C programs and a README. It is not part of a larger exploit framework. The code targets a kernel race condition during privileged process exit, abusing pidfd_open/pidfd_getfd to duplicate file descriptors from dying SUID/root-owned processes before normal dumpability protections are enforced. Repository structure: CVE-2026-46333.c is the primary PoC and targets ssh-keysign from OpenSSH. It searches several standard filesystem locations for the ssh-keysign binary, forks a child to execute it silently, opens a pidfd to the child, then repeatedly scans file descriptors 3-63 across many attempts and rounds. For each duplicated descriptor, it resolves /proc/self/fd/<n> and checks whether the backing path matches an SSH host key naming pattern (contains both "ssh_host_" and "_key"). On success, it seeks to offset 0, reads the file contents, and prints the stolen private key material to stdout. The second code file, CVE-2026-46333-shadow.c, uses the same primitive against /usr/bin/chage. It executes "chage -l root" to induce opening of /etc/shadow, races pidfd_getfd against the exiting process, identifies a duplicated descriptor whose resolved path contains /etc/shadow, then reads and prints the shadow file contents. Capabilities: both programs are local information-disclosure exploits, not code-execution payloads. They steal sensitive file descriptors from privileged processes and dump the contents of protected files. The main practical outcomes are disclosure of SSH host private keys and password hashes from /etc/shadow, which could enable follow-on credential attacks or host impersonation. No network communication, C2, or remote callback behavior is present. The only fingerprintable observables are local filesystem paths and process interfaces such as ssh-keysign locations, /usr/bin/chage, /etc/shadow, /etc/ssh/ssh_host_*_key, /dev/null, and /proc/self/fd/%d. The README documents usage, impact, mitigation, and example output, and confirms the intended purpose as a working PoC for local privilege-boundary bypass via kernel race condition.

Small standalone exploit repository with 3 files: GPL license, README, and a single Python entry point (passwd.py). The repository is a local privilege-abuse exploit, not a remote exploit and not part of a major framework. Its purpose is to change any local user's password without first obtaining a root shell by chaining two vulnerabilities: CVE-2026-46333 to steal a readable file descriptor for /etc/shadow from a transient /usr/bin/chage process, and CVE-2026-31431 (CopyFail) to convert that readable FD into a 4-byte arbitrary page-cache write primitive. passwd.py contains the full exploit flow. It loads libc and libcrypt via ctypes, implements get_shadow_fd() to repeatedly fork/exec chage -l root, opens a pidfd to the child, and brute-forces pidfd_getfd across candidate descriptors until one resolves via /proc/self/fd/* to /etc/shadow. It then reads/parses shadow entries, extracts the target user's existing hash and salt, prompts for a new password, hashes it with crypt(3) using the existing salt, and writes the replacement hash plus trailing field padding back into the cached /etc/shadow contents in 4-byte chunks. The write primitive is implemented with Linux AF_ALG crypto sockets using the authencesn(hmac(sha256),cbc(aes)) algorithm and splice-based manipulation described as CopyFail. The script includes cleanup/error handling for failed writes and warns that the modification is temporary because it affects page cache rather than durable on-disk state. Operationally, the exploit provides a practical local account takeover capability on vulnerable Linux systems: once the password hash is replaced, the attacker can authenticate as the chosen user with the known password. The README notes limitations: failure if the target entry is near the end of /etc/shadow, reuse of the old salt, and loss of the modified password after reboot or page-cache clearing. No C2, hardcoded IPs, or network callbacks are present; the notable fingerprintable artifacts are local file paths and the use of /usr/bin/chage, /etc/shadow, /proc/self/fd, /dev/null, and AF_ALG crypto sockets.

Small standalone local Linux exploit repository centered on a single C program, charon.c, plus a Makefile and documentation. The code is a dependency-free PoC/operational exploit for CVE-2026-46333, a Linux kernel bug in __ptrace_may_access during the exit_mm()/exit_files() window of a dying SUID/SGID process. The exploit races pidfd_getfd(2) against that transient state to duplicate privileged file descriptors from the target process. Repository structure is simple: README.md explains the vulnerability, affected kernels, usage, built-in lures, mitigations, and expected results; Makefile builds either a normal or static binary; charon.c contains the full exploit logic and CLI. No external framework is used. Main exploit capability: local sensitive-file disclosure / privilege-escalation primitive via FD theft. By default it targets /etc/shadow and prints the contents to stdout. It can also target SSH host private keys or arbitrary files if a suitable SUID/SGID bait opens them. The code includes built-in bait definitions for /usr/bin/chage, /usr/sbin/chage, /usr/bin/passwd, and /usr/lib/openssh/ssh-keysign, and supports auto-discovery of additional SUID/SGID binaries under common filesystem roots. The visible code path shows two phases: try built-in baits matching the requested target, then optionally auto-discover candidates. It also tracks statistics and distinguishes likely patched kernels when repeated pidfd_getfd attempts never succeed. This is clearly exploit code rather than a detector: it repeatedly forks/races privileged helper binaries and attempts to steal live file descriptors, returning success when it can read the requested file. Because the payload is fixed to reading files rather than spawning a shell, maturity is best classified as OPERATIONAL rather than WEAPONIZED.