
来自:https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

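#!/bin/bash
#
# Copyright (c) -, mzet
#
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it
# under the terms of the GNU General Public License. See LICENSE
# file for usage of this software.
#
# NOTE(review): this copy of the script has lost its line breaks in
# several places (statements and trailing comments were glued onto one
# line, which turns e.g. `KCONFIG=""CVELIST_FILE=""...` into a single
# bogus assignment) and every digit in its text (copyright year,
# version, CVE ids, version constraints). The line structure is
# restored below; the numeric values are left exactly as this copy has
# them and must be taken from the upstream repository before the
# script's output is relied on.

VERSION=v0.

# bash colors (ANSI SGR sequences; the values hold a literal "\e", so
# they are meant for `echo -e`/`printf '%b'`-style output)
#txtred="\e[0;31m"
txtred="\e[91;1m"
txtgrn="\e[1;32m"
txtgray="\e[1;30m"
txtblu="\e[0;36m"
txtrst="\e[0m"
bldwht='\e[1;37m'
wht='\e[0;36m'
bldblu='\e[1;34m'
yellow='\e[1;93m'
lightyellow='\e[0;93m'

# input data
# presumably the `uname -a` line of the assessed host, taken from the
# host or from the --uname option; filled in outside this chunk
UNAME_A=""

# parsed data for current OS (derived later in the script, not here)
KERNEL=""
OS=""
DISTRO=""
ARCH=""
PKG_LIST=""

# kernel config
KCONFIG=""

# optional external CVE list (--cvelist-file); empty means "not given"
CVELIST_FILE=""

# command-line switches; every mode defaults to off
opt_fetch_bins=false
opt_fetch_srcs=false
opt_kernel_version=false
opt_uname_string=false
opt_pkglist_file=false
opt_cvelist_file=false
opt_checksec_mode=false
opt_full=false
opt_summary=false
opt_kernel_only=false
opt_userspace_only=false
opt_show_dos=false
opt_skip_more_checks=false
opt_skip_pkg_versions=false

# getopt specification (short and long forms; a trailing ':' marks an
# option that takes a value). ARGS receives the parsed result later.
ARGS=
SHORTOPTS="hVfbsu:k:dp:g"
LONGOPTS="help,version,full,fetch-binaries,fetch-sources,uname:,kernel:,show-dos,pkglist-file:,short,kernelspace-only,userspace-only,skip-more-checks,skip-pkg-versions,cvelist-file:,checksec"

## exploits database
# Two tables of multi-line text records, filled further down. Records
# carry src-url / bin-url / ext-url fields pointing at third-party
# hosts; the --fetch-binaries / --fetch-sources modes presumably
# download from them. Nothing in this chunk shows integrity
# verification of what is fetched, so treat such artifacts as
# untrusted until the fetching code has been checked.
declare -a EXPLOITS
declare -a EXPLOITS_USERSPACE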
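############ LINUX KERNELSPACE EXPLOITS ####################
# One record per entry: Name / Reqs / Tags / analysis-url / src-url /
# bin-url / exploit-db / author / Comments, as free text. The Reqs
# field holds pkg= and ver constraints plus CONFIG_*, sysctl: and cmd:
# requirements; the cmd: values are shell fragments, so this table has
# to be treated as trusted code rather than data (how the fields are
# evaluated is outside this chunk).
# NOTE(review): every numeric field is blank in this copy ("[CVE--]",
# "ver>=2.6.", empty "exploit-db:"), so version matching against this
# copy is not meaningful; restore the records from upstream.
n=0   # index counter; ((n++)) yields the slot of the record being appended

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} elflbl
Reqs: pkg=linux-kernel,ver=2.4.
Tags:
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/elflbl
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} uselib()
Reqs: pkg=linux-kernel,ver=2.4.
Tags:
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
exploit-db:
Comments: Known to work only for 2.4 series (even though 2.6 is also vulnerable)
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} krad3
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} mremap_pte
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} raptor_prctl
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} prctl
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} prctl2
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} prctl3
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} prctl4
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} h00lyshit
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/h00lyshit
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} vmsplice1
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} vmsplice2
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} ftrex
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
Comments: world-writable sgid directory and shell that does not drop sgid privs upon exec (ash/sash) are required
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} exit_notify
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} sock_sendpage (simple version)
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=7.10,RHEL=,fedora=|||||||
exploit-db:
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--]${txtrst} sock_sendpage
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=9.04
analysis-url: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9435.tgz
exploit-db:
Comments: /proc/sys/vm/mmap_min_addr needs to equal OR pulseaudio needs to be installed
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--]${txtrst} sock_sendpage2
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9436.tgz
exploit-db:
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--]${txtrst} sock_sendpage3
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9641.tar.gz
exploit-db:
Comments: /proc/sys/vm/mmap_min_addr needs to equal OR pulseaudio needs to be installed
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--]${txtrst} sock_sendpage (ppc)
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=8.10,RHEL=|
exploit-db:
Comments: /proc/sys/vm/mmap_min_addr needs to equal
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} udp_sendmsg (by spender)
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgz
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} udp_sendmsg
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: debian=
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} ip_append_data
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.,x86
Tags: fedora=||,RHEL=
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} pipe.c
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} pipe.c
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} pipe.c
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} ptrace_kmod2
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: debian=,ubuntu=10.04|10.10
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/kmod2
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/ptrace-kmod
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/ptrace_kmod2-64
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} reiserfs
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=9.10
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} can_bcm
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=10.04
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/can_bcm
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} rds
Reqs: pkg=linux-kernel,ver>=2.6.,ver<2.6.
Tags: debian=,ubuntu=10.10|9.10,fedora={kernel:2.6.33.3-.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.--generic}
analysis-url: http://www.securityfocus.com/archive/1/514379
src-url: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds64
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--,CVE--]${txtrst} half_nelson
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=10.04|9.10
bin-url: http://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/half-nelson3
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.,x86
Tags: ubuntu=10.10
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=10.10
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} american-sign-language
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} pktcdvd
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=10.04
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} video4linux
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: RHEL=
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} memodipper
Reqs: pkg=linux-kernel,ver>=3.0.,ver<=3.1.
Tags: ubuntu=10.04|11.10
analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/
src-url: https://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--,CVE--]${txtrst} full-nelson
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=2.6.
Tags: ubuntu=9.10|10.04|10.10,ubuntu=10.04.
src-url: http://vulnfactory.org/exploits/full-nelson.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson64
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} CLONE_NEWUSER|CLONE_FS
Reqs: pkg=linux-kernel,ver=3.8,CONFIG_USER_NS=y
Tags:
src-url: http://stealth.openwall.net/xSports/clown-newuser.c
analysis-url: https://lwn.net/Articles/543273/
exploit-db:
author: Sebastian Krahmer
Comments: CONFIG_USER_NS needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} perf_swevent
Reqs: pkg=linux-kernel,ver>=2.6.,ver<3.8.
Tags: RHEL=,ubuntu=12.04
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent64
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} perf_swevent
Reqs: pkg=linux-kernel,ver>=2.6.,ver<3.8.,x86_64
Tags: ubuntu=12.04
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
src-url: https://cyseclabs.com/exploits/vnik_v1.c
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} msr
Reqs: pkg=linux-kernel,ver>=2.6.,ver<3.7.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} userns_root_sploit
Reqs: pkg=linux-kernel,ver>=3.0.,ver<3.8.
Tags:
analysis-url: http://www.openwall.com/lists/oss-security/2013/04/29/1
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} semtex
Reqs: pkg=linux-kernel,ver>=2.6.,ver<3.8.
Tags: RHEL=
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} timeoutpwn
Reqs: pkg=linux-kernel,ver>=3.4.,ver<=3.13.,CONFIG_X86_X32=y
Tags: ubuntu=13.10
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/timeoutpwn64
exploit-db:
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} timeoutpwn
Reqs: pkg=linux-kernel,ver>=3.4.,ver<=3.13.,CONFIG_X86_X32=y
Tags: ubuntu=13.10|13.04
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
exploit-db:
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} rawmodePTY
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=3.14.
Tags:
analysis-url: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} use-after-free in ping_init_sock() ${bldblu}(DoS)${txtrst}
Reqs: pkg=linux-kernel,ver>=3.0.,ver<=3.14
Tags:
analysis-url: https://cyseclabs.com/page?n=02012016
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} inode_capable
Reqs: pkg=linux-kernel,ver>=3.0.,ver<=3.13
Tags: ubuntu=12.04
analysis-url: http://www.openwall.com/lists/oss-security/2014/06/10/4
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} ptrace/sysret
Reqs: pkg=linux-kernel,ver>=3.0.,ver<=3.8
Tags: ubuntu=12.04
analysis-url: http://www.openwall.com/lists/oss-security/2014/07/08/16
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} PPPoL2TP ${bldblu}(DoS)${txtrst}
Reqs: pkg=linux-kernel,ver>=3.2,ver<=3.15.
Tags:
analysis-url: https://cyseclabs.com/page?n=01102015
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} fuse_suid
Reqs: pkg=linux-kernel,ver>=3.0.,ver<=3.16.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} BadIRET
Reqs: pkg=linux-kernel,ver>=3.0.,ver<3.17.,x86_64
Tags: RHEL<=,fedora=
analysis-url: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
src-url: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
exploit-db:
author: Rafal 'n3rgal' Wojtczuk & Adam 'pi3' Zabrocki
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} espfix64_NMI
Reqs: pkg=linux-kernel,ver>=3.13,ver<4.1.,x86_64
Tags:
analysis-url: http://www.openwall.com/lists/oss-security/2015/08/04/8
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} bluetooth
Reqs: pkg=linux-kernel,ver<=2.6.
Tags:
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} overlayfs
Reqs: pkg=linux-kernel,ver>=3.13.,ver<=3.19.
Tags: ubuntu=12.04|14.04|14.10|15.04
analysis-url: http://seclists.org/oss-sec/2015/q2/717
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_32
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_64
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.,ver<=4.3.
Tags:
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.,ver<=4.3.
Tags: ubuntu=14.04|15.10
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} keyring
Reqs: pkg=linux-kernel,ver>=3.10,ver<4.4.
Tags:
analysis-url: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
exploit-db:
Comments: Exploit takes about ~ minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} usb-midi
Reqs: pkg=linux-kernel,ver>=3.0.,ver<=4.4.
Tags: ubuntu=14.04,fedora=
analysis-url: https://xairy.github.io/blog/2016/cve-2016-2384
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
exploit-db:
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} target_offset
Reqs: pkg=linux-kernel,ver>=4.4.,ver<=4.4.,cmd:grep -qi ip_tables /proc/modules
Tags: ubuntu=16.04{kernel:4.4.-}
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip
Comments: ip_tables.ko needs to be loaded
exploit-db:
author: Vitaly Nikolenko (vnik)
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} double-fdput()
Reqs: pkg=linux-kernel,ver>=4.4,ver<4.5.,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=
Tags: ubuntu=16.04{kernel:4.4.--generic}
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled !=
exploit-db:
author: Jann Horn
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} dirtycow
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=4.8.
Tags: debian=|,RHEL={kernel:2.6.(||)-*},RHEL={kernel:2.6.-*|.(||||).*|2.6.33.9-rt31},RHEL={kernel:3.10.-*|4.2.-0.21.el7},ubuntu=16.04|14.04|12.04
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
exploit-db:
author: Phil Oester
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} dirtycow
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=4.8.
Tags: debian=|,RHEL=||,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.--generic},ubuntu=16.04{kernel:4.4.--generic}
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
exploit-db:
author: FireFart (author of exploit at EDB ); Gabriele Bonacini (author of exploit at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} chocobo_root
Reqs: pkg=linux-kernel,ver>=4.4.,ver<4.9,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==
Tags: ubuntu=(14.04|16.04){kernel:4.4.-(||||||||||||)-generic}
analysis-url: http://www.openwall.com/lists/oss-security/2016/12/06/1
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/CVE-2016-8655/chocobo_root
exploit-db:
author: rebel
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} SO_{SND|RCV}BUFFORCE
Reqs: pkg=linux-kernel,ver>=3.11,ver<4.8.,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==
Tags:
analysis-url: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
exploit-db:
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} dccp
Reqs: pkg=linux-kernel,ver>=2.6.,ver<=4.9.,CONFIG_IP_DCCP=[my]
Tags: ubuntu=(14.04|16.04){kernel:4.4.--generic}
analysis-url: http://www.openwall.com/lists/oss-security/2017/02/22/3
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
exploit-db:
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} af_packet
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==
Tags: ubuntu=16.04{kernel:4.8.-(||||||)-generic}
analysis-url: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-7308/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-7308/exploit
exploit-db:
author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} eBPF_verifier
Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.14.,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=
Tags: debian=,fedora=||,ubuntu=14.04|16.04|17.04
analysis-url: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled !=
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-16995/exploit.out
exploit-db:
author: Rick Larabee
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} NETIF_F_UFO
Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.13,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==
Tags: ubuntu=14.04{kernel:4.4.-*},ubuntu=16.04{kernel:4.8.-*}
analysis-url: http://www.openwall.com/lists/oss-security/2017/08/13/1
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-1000112/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-1000112/exploit.out
exploit-db:
author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} PIE_stack_corruption
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.13,x86_64
Tags: RHEL=,RHEL={kernel:3.10.-514.21.|3.10.-514.26.}
analysis-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
src-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
exploit-db:
author: Qualys
Comments:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} subuid_shell
Reqs: pkg=linux-kernel,ver>=4.15,ver<=4.19.,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==,cmd:[ -u /usr/bin/newuidmap ],cmd:[ -u /usr/bin/newgidmap ]
Tags: ubuntu=
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
exploit-db:
author: Jann Horn
Comments: CONFIG_USER_NS needs to be enabled
EOF
)

############ USERSPACE EXPLOITS ###########################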
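# Userspace (package-level) records; same record format as EXPLOITS
# (Name / Reqs / Tags / *-url / exploit-db / author / Comments). The
# index counter is restarted so that EXPLOITS_USERSPACE is filled from 0.
# As above, cmd: requirements are shell fragments and the table is
# therefore trusted code; numeric fields are blank in this copy.
n=0

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} samba
Reqs: pkg=samba,ver<=2.2.
Tags:
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} udev
Reqs: pkg=udev,cmd:[[ -f /etc/udev/rules.d/-udev-late.rules || -f /lib/udev/rules.d/-udev-late.rules ]]
Tags: ubuntu=8.10|9.04
exploit-db:
Comments: Version<1.4. vulnerable but distros use own versioning scheme. Manual verification needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} udev
Reqs: pkg=udev
Tags:
exploit-db:
Comments: SSH access to non privileged user is needed. Version<1.4. vulnerable but distros use own versioning scheme. Manual verification needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} PAM MOTD
Reqs: pkg=libpam-modules,ver<=1.1.
Tags: ubuntu=9.10|10.04
exploit-db:
Comments: SSH access to non privileged user is needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} pkexec
Reqs: pkg=polkit,ver=0.96
Tags: RHEL=,ubuntu=10.04|10.10
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} death_star (sudo)
Reqs: pkg=sudo,ver>=1.8.,ver<=1.8.
Tags: fedora=
analysis-url: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} chkrootkit
Reqs: pkg=chkrootkit,ver<0.50
Tags:
analysis-url: http://seclists.org/oss-sec/2014/q2/430
exploit-db:
Comments: Rooting depends on the crontab (up to one day of delay)
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} __gconv_translit_find
Reqs: pkg=glibc|libc6,x86
Tags: debian=
analysis-url: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/34421.tar.gz
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} newpid (abrt)
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: fedora=
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} raceabrt
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: fedora=||,RHEL=
analysis-url: http://seclists.org/oss-sec/2015/q2/130
src-url: https://gist.githubusercontent.com/taviso/fe359006836d6cd1091e/raw/32fe8481c434f8cad5bcf8529789231627e5074c/raceabrt.c
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} newpid (apport)
Reqs: pkg=apport,ver>=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern
Tags: ubuntu=14.04
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} newpid (apport)
Reqs: pkg=apport,ver>=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern
Tags: ubuntu=14.04.
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} fuse (fusermount)
Reqs: pkg=fuse,ver<2.9.
Tags: debian=7.0|8.0,ubuntu=*
analysis-url: http://seclists.org/oss-sec/2015/q2/520
exploit-db:
Comments: Needs cron or system admin interaction
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} setroubleshoot
Reqs: pkg=setroubleshoot,ver<3.2.
Tags: fedora=
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} userhelper
Reqs: pkg=libuser,ver<=0.60
Tags: RHEL<=,centos<=,fedora<=
analysis-url: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} not_an_sshnuke
Reqs: pkg=openssh-server,ver>=6.8,ver<=6.9
Tags:
analysis-url: http://www.openwall.com/lists/oss-security/2017/01/26/2
exploit-db:
author: Federico Bento
Comments: Needs admin interaction (root user needs to login via ssh to trigger exploitation)
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} tomcat-rootprivesc-deb.sh
Reqs: pkg=tomcat
Tags: debian=,ubuntu=16.04
analysis-url: https://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
src-url: http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh
exploit-db:
author: Dawid Golunski
Comments: Affects only Debian-based distros
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} nginxed-root.sh
Reqs: pkg=nginx|nginx-full
Tags: debian=,ubuntu=14.04|16.04|16.10
analysis-url: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
src-url: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
exploit-db:
author: Dawid Golunski
Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.; 14.04: <1.4.; 16.04: 1.10.
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} perl_startup (exim)
Reqs: pkg=exim,ver<4.86.
Tags:
analysis-url: http://www.exim.org/static/doc/CVE-2016-1531.txt
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} perl_startup (exim)
Reqs: pkg=exim,ver<4.86.
Tags:
analysis-url: http://www.exim.org/static/doc/CVE-2016-1531.txt
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} setroubleshoot
Reqs: pkg=setroubleshoot
Tags: RHEL=|
analysis-url: https://c-skills.blogspot.com/2016/06/lets-feed-attacker-input-to-sh-c-to-see.html
src-url: https://github.com/stealth/troubleshooter/raw/master/straight-shooter.c
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} tomcat-RH-root.sh
Reqs: pkg=tomcat
Tags: RHEL=
analysis-url: http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
src-url: http://legalhackers.com/exploits/tomcat-RH-root.sh
exploit-db:
author: Dawid Golunski
Comments: Affects only RedHat-based distros
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--|CVE--]${txtrst} mysql-exploit-chain
Reqs: pkg=mysql-server|mariadb-server,ver<5.5.
Tags: ubuntu=16.04.
analysis-url: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
src-url: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
exploit-db:
author: Dawid Golunski
Comments: Also MariaDB ver<10.1. and ver<10.0. affected
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} nagios-root-privesc
Reqs: pkg=nagios,ver<4.2.
Tags:
analysis-url: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
src-url: https://legalhackers.com/exploits/CVE-2016-9566/nagios-root-privesc.sh
exploit-db:
author: Dawid Golunski
Comments: Allows priv escalation from nagios user or nagios group
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} ntfs-3g-modprobe
Reqs: pkg=ntfs-3g
Tags: ubuntu=16.04|16.10,debian=|
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
exploit-db:
author: Jann Horn
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} s-nail-privget
Reqs: pkg=s-nail,ver<14.8.
Tags: ubuntu=16.04,manjaro=16.10
analysis-url: https://www.openwall.com/lists/oss-security/2017/01/27/7
src-url: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
author: wapiflapi (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
Comments: Distros use own versioning scheme. Manual verification needed.
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} Sudoer-to-root
Reqs: pkg=sudo,ver<=1.8.,cmd:[ -f /usr/sbin/getenforce ]
Tags: RHEL={sudo:1.8.6p7}
analysis-url: https://www.sudo.ws/alerts/linux_tty.html
src-url: https://www.qualys.com/2017/05/30/cve-2017-1000367/linux_sudo_cve-2017-1000367.c
exploit-db:
author: Qualys
Comments: Needs to be sudoer. Works only on SELinux enabled systems
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} sudopwn
Reqs: pkg=sudo,ver<=1.8.,cmd:[ -f /usr/sbin/getenforce ]
Tags:
analysis-url: https://www.sudo.ws/alerts/linux_tty.html
src-url: https://raw.githubusercontent.com/c0d3z3r0/sudo-CVE-2017-1000367/master/sudopwn.c
exploit-db:
author: c0d3z3r0
Comments: Needs to be sudoer. Works only on SELinux enabled systems
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--]${txtrst} linux_ldso_hwcap
Reqs: pkg=glibc|libc6,ver<=2.25,x86
Tags:
analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap.c
exploit-db:
author: Qualys
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--]${txtrst} linux_ldso_dynamic
Reqs: pkg=glibc|libc6,ver<=2.25,x86
Tags: debian=|,ubuntu=14.04.|16.04.|17.04,fedora=||
analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_dynamic.c
exploit-db:
author: Qualys
Comments: Uses "Stack Clash" technique, works against most SUID-root PIEs
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--]${txtrst} linux_ldso_hwcap_64
Reqs: pkg=glibc|libc6,ver<=2.25,x86_64
Tags: debian=7.7|8.5|9.0,ubuntu=14.04.|16.04.|17.04,fedora=|,centos=7.3.
analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
exploit-db:
author: Qualys
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--,CVE--]${txtrst} linux_offset2lib
Reqs: pkg=glibc|libc6,ver<=2.25,x86
Tags:
analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_offset2lib.c
exploit-db:
author: Qualys
Comments: Uses "Stack Clash" technique
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF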
Name: ${txtgrn}[CVE--]${txtrst} RationalLove
Reqs: pkg=glibc|libc6,ver<2.27,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==,x86_64
Tags: debian={glibc:2.24-+deb9u1},ubuntu=16.04.{glibc:2.23-0ubuntu9}
analysis-url: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
src-url: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
Comments: kernel.unprivileged_userns_clone= required
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2018-1000001/RationalLove
exploit-db:
author: halfdog
EOF
)EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} vpnc_privesc.py
Reqs: pkg=networkmanager-vpnc|network-manager-vpnc,ver<1.2.
Tags: ubuntu=16.04,debian=,manjaro=
analysis-url: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
src-url: https://bugzilla.novell.com/attachment.cgi?id=779110
exploit-db:
author: Denis Andzakovic
Comments: Distros use own versioning scheme. Manual verification needed.
EOF
)EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE--]${txtrst} raptor_xorgy
Reqs: pkg=xorg-x11-server-Xorg,cmd:[ -u /usr/bin/Xorg ]
Tags: centos=7.4
analysis-url: https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
exploit-db:
author: raptor
Comments: X.Org Server before 1.20. is vulnerable. Distros use own versioning scheme. Manual verification needed.
EOF
)###########################################################
## security related HW/kernel features
###########################################################
# Restart the record counter for the FEATURES table.  (The literal is blank
# in this copy of the file; bash arithmetic treats an empty n as 0, so the
# ((n++)) indices below still start from 0.)
n=

# Each FEATURES record is read by checksecMode: a 'section:' record starts a
# new heading and advances the display mode; a 'feature:' record carries an
# 'available:' requirement list (line 1 of the record, same token syntax as
# the exploit 'Reqs:' field), an optional 'enabled:' list (sysctl: tokens)
# and an optional 'analysis-url:'.  A feature is reported as enabled only
# when every 'available:' and every 'enabled:' token is satisfied.
FEATURES[((n++))]=$(cat <<EOF
section: Mainline kernel protection mechanisms:
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: GCC stack protector support
available: CONFIG_HAVE_STACKPROTECTOR=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/stackprotector-regular.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: GCC stack protector STRONG support
available: CONFIG_STACKPROTECTOR_STRONG=y,ver>=3.14
analysis-url: https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md
EOF
)

# NOTE(review): the CONFIG_ pattern below is used as an extended regex by
# checkRequirement; the character class is truncated in this copy ("[-]+"),
# so it will only match a dash-only value.
FEATURES[((n++))]=$(cat <<EOF
feature: Low address space to protect from user allocation
available: CONFIG_DEFAULT_MMAP_MIN_ADDR=[-]+
enabled: sysctl:vm.mmap_min_addr!=
analysis-url: https://github.com/mzet-/les-res/blob/master/features/mmap_min_addr.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Restrict unprivileged access to kernel syslog
available: CONFIG_SECURITY_DMESG_RESTRICT=y,ver>=2.6.
enabled: sysctl:kernel.dmesg_restrict!=
analysis-url: https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Randomize the address of the kernel image (KASLR)
available: CONFIG_RANDOMIZE_BASE=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/kaslr.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Hardened user copy support
available: CONFIG_HARDENED_USERCOPY=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/hardened_usercopy.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Make kernel text and rodata read-only
available: CONFIG_STRICT_KERNEL_RWX=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_kernel_rwx.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Set loadable kernel module data as NX and text as RO
available: CONFIG_STRICT_MODULE_RWX=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_module_rwx.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Restrict /dev/mem access
available: CONFIG_STRICT_DEVMEM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_devmem.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Restrict I/O access to /dev/mem
available: CONFIG_IO_STRICT_DEVMEM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/io_strict_devmem.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
section: Hardware features:
EOF
)

# The CPU-flag probes are plain cmd: tokens (grep over /proc/cpuinfo); the
# same probe is listed under both 'available:' and 'enabled:'.
FEATURES[((n++))]=$(cat <<EOF
feature: Supervisor Mode Execution Protection (SMEP) support
available: ver>=3.0,cmd:grep -qi smep /proc/cpuinfo
enabled: cmd:grep -qi smep /proc/cpuinfo
analysis-url: https://github.com/mzet-/les-res/blob/master/features/smep.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Supervisor Mode Access Prevention (SMAP) support
available: ver>=3.7,cmd:grep -qi smap /proc/cpuinfo
enabled: cmd:grep -qi smap /proc/cpuinfo
analysis-url: https://github.com/mzet-/les-res/blob/master/features/smap.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
section: 3rd party kernel protection mechanisms:
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Grsecurity
available: CONFIG_GRKERNSEC=y
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: PaX
available: CONFIG_PAX=y
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Linux Kernel Runtime Guard (LKRG) kernel module
available: cmd:test -d /proc/sys/lkrg
analysis-url: https://github.com/mzet-/les-res/blob/master/features/lkrg.md
EOF
)

# Attack-surface records are displayed inverted by checksecMode: a satisfied
# record is printed as "Exposed", an unsatisfied one as "Locked".
FEATURES[((n++))]=$(cat <<EOF
section: Attack Surface:
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Support for /dev/mem access
available: CONFIG_DEVMEM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/devmem.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Support for /dev/kmem access
available: CONFIG_DEVKMEM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/devkmem.md
EOF
)

# NOTE(review): the expected values of the two sysctl: tokens below are blank
# in this copy ("==" / "!=" with nothing after them); see the upstream file
# for the intended values.
FEATURES[((n++))]=$(cat <<EOF
feature: User namespaces for unprivileged accounts
available: CONFIG_USER_NS=y
enabled: sysctl:kernel.unprivileged_userns_clone==
analysis-url: https://github.com/mzet-/les-res/blob/master/features/user_ns.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Unprivileged access to bpf() system call
available: CONFIG_BPF_SYSCALL=y
enabled: sysctl:kernel.unprivileged_bpf_disabled!=
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
EOF
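)

# Prints the version banner on stdout.
version() {
    echo "linux-exploit-suggester "$VERSION", mzet, http://z-labs.eu, February 2018"
}

# Prints the option summary on stdout (used by -h | --help).
usage() {
    echo "Usage: linux-exploit-suggester.sh [OPTIONS]"
    echo
    echo " -V | --version - print version of this script"
    echo " -h | --help - print this help"
    echo " -k | --kernel <version> - provide kernel version"
    echo " -u | --uname <string> - provide 'uname -a' string"
    echo " --skip-more-checks - do not perform additional checks (kernel config, sysctl) to determine if exploit is applicable"
    echo " --skip-pkg-versions - skip checking for exact userspace package version (helps to avoid false negatives)"
    echo " -p | --pkglist-file <file> - provide file with 'dpkg -l' or 'rpm -qa' command output"
    echo " --cvelist-file <file> - provide file with Linux kernel CVEs list"
    echo " --checksec - list security related features for your HW/kernel"
    echo " -s | --fetch-sources - automatically downloads source for matched exploit"
    echo " -b | --fetch-binaries - automatically downloads binary for matched exploit if available"
    echo " -f | --full - show full info about matched exploit"
    echo " -g | --short - show shorten info about matched exploit"
    echo " --kernelspace-only - show only kernel vulnerabilities"
    echo " --userspace-only - show only userspace vulnerabilities"
    echo " -d | --show-dos - show also DoSes in results"
}

# Prints the message $1 on stderr and terminates the script with a failure
# status.  (This copy of the file had lost the descriptor number and the exit
# code: a bare '>&' does not even parse, and a bare 'exit' would report
# success; stderr and status 1 are restored here.)
exitWithErrMsg() {
    echo "$1" >&2
    exit 1
}

# extracts all information from output of 'uname -a' command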
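# Derives KERNEL, KERNEL_ALL, ARCH and OS from a 'uname -a' line ($1).
# KERNEL is the numeric part of the release (before the first '-'), KERNEL_ALL
# the full release token, ARCH the second-to-last field.  OS is guessed from
# substrings of the whole line; later probes override earlier ones, so the
# last matching distro wins.  The line never carries the distro version, which
# is why DISTRO is filled elsewhere (from /etc/issue).
parseUname() {
    local uname="$1"

    KERNEL=$(echo "$uname" | awk '{print $3}' | cut -d '-' -f 1)
    KERNEL_ALL=$(echo "$uname" | awk '{print $3}')
    ARCH=$(echo "$uname" | awk '{print $(NF-1)}')

    OS=""
    # substring heuristics on the whole line (case-insensitive); a hostname
    # containing e.g. "deb" will also match, which is an accepted imprecision
    echo "$uname" | grep -q -i 'deb' && OS="debian"
    echo "$uname" | grep -q -i 'ubuntu' && OS="ubuntu"
    echo "$uname" | grep -q -i '\-ARCH' && OS="arch"
    echo "$uname" | grep -q -i '\-deepin' && OS="deepin"
    echo "$uname" | grep -q -i '\-MANJARO' && OS="manjaro"
    echo "$uname" | grep -q -i '\.fc' && OS="fedora"
    echo "$uname" | grep -q -i '\.el' && OS="RHEL"
    echo "$uname" | grep -q -i '\.mga' && OS="mageia"
    # 'uname -a' output doesn't contain distribution number (at least not in case of all distros)
}

# Fills PKG_LIST (one "name-version" entry per line) either from the listing
# file $2 (when --pkglist-file was given) or from the package manager of the
# distro named in $1.  For a file, the format is sniffed from its first ten
# lines and OS is set accordingly; an unrecognised file leaves PKG_LIST empty.
# Fix: the format probes used '[ $(... | grep ...) ]', which breaks with
# "too many arguments"/"binary operator expected" as soon as grep prints more
# than one matching line (the normal case for an rpm listing), so the RHEL,
# Fedora and Mageia formats were never detected; each probe is now 'grep -q'.
getPkgList() {
    local distro="$1"
    local pkglist_file="$2"

    if [ "$opt_pkglist_file" = "true" -a -e "$pkglist_file" ]; then
        # ubuntu/debian package listing file
        if head -n 10 "$pkglist_file" | grep -q 'Desired=Unknown/Install/Remove/Purge/Hold'; then
            PKG_LIST=$(cat "$pkglist_file" | awk '{print $2"-"$3}' | sed 's/:amd64//g')
            OS="debian"
            grep -q "ubuntu" "$pkglist_file" && OS="ubuntu"
        # redhat package listing file
        elif head -n 10 "$pkglist_file" | grep -E -q '\.el[1-9]+\.'; then
            PKG_LIST=$(cat "$pkglist_file")
            OS="RHEL"
        # fedora package listing file
        elif head -n 10 "$pkglist_file" | grep -E -q '\.fc[1-9]+'; then
            PKG_LIST=$(cat "$pkglist_file")
            OS="fedora"
        # mageia package listing file
        elif head -n 10 "$pkglist_file" | grep -E -q '\.mga[1-9]+'; then
            PKG_LIST=$(cat "$pkglist_file")
            OS="mageia"
        # pacman package listing file ("name version" on the first line)
        elif head -n 1 "$pkglist_file" | grep -E -q '\ [0-9]+\.'; then
            PKG_LIST=$(cat "$pkglist_file" | awk '{print $1"-"$2}')
            OS="arch"
        # file not recognized - skipping
        else
            PKG_LIST=""
        fi
    elif [ "$distro" = "debian" -o "$distro" = "ubuntu" -o "$distro" = "deepin" ]; then
        PKG_LIST=$(dpkg -l | awk '{print $2"-"$3}' | sed 's/:amd64//g')
    elif [ "$distro" = "RHEL" -o "$distro" = "fedora" -o "$distro" = "mageia" ]; then
        PKG_LIST=$(rpm -qa)
    elif [ "$distro" = "arch" -o "$distro" = "manjaro" ]; then
        PKG_LIST=$(pacman -Q | awk '{print $1"-"$2}')
    elif [ -x /usr/bin/equery ]; then
        # Gentoo: equery prints "category/name:version"; drop the category
        PKG_LIST=$(/usr/bin/equery --quiet list '*' -F '$name:$version' | cut -d/ -f2- | awk '{print $1":"$2}')
    else
        # packages listing not available
        PKG_LIST=""
    fi
}

# from: https://stackoverflow.com/questions/4023830/how-compare-two-strings-in-dot-separated-version-format-in-bash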
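# Compares two dot-separated version strings.
# Arguments: $1 - first version, $2 - second version
# Returns:   0 when equal, 1 when $1 is newer, 2 when $1 is older
# (Numeric literals lost in this copy are restored to match the three-way
# result consumed by doVersionComparision below.)
verComparision() {
    if [[ "$1" == "$2" ]]; then
        return 0
    fi

    local IFS=.
    # shellcheck disable=SC2206 -- splitting on '.' is the point here
    local i ver1=($1) ver2=($2)

    # fill empty fields in ver1 with zeros
    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)); do
        ver1[i]=0
    done

    for ((i=0; i<${#ver1[@]}; i++)); do
        # fill empty fields in ver2 with zeros
        if [[ -z ${ver2[i]} ]]; then
            ver2[i]=0
        fi
        # 10# forces base 10, so a component such as "08" is not read as octal
        if ((10#${ver1[i]} > 10#${ver2[i]})); then
            return 1
        fi
        if ((10#${ver1[i]} < 10#${ver2[i]})); then
            return 2
        fi
    done
    return 0
}

# Checks whether the current version satisfies a requirement.
# Arguments: $1 - required version, $2 - relation ('=', '>', '<', '>=', '<='),
#            $3 - current version
# Returns:   0 when the requirement is met, 1 otherwise.  An empty current
#            version (package or kernel version unknown) never satisfies a
#            requirement, and so does an unknown relation operator.
doVersionComparision() {
    local reqVersion="$1"
    local reqRelation="$2"
    local currentVersion="$3"
    local currentRelation

    [ -z "$currentVersion" ] && return 1

    verComparision "$currentVersion" "$reqVersion"
    case $? in
        0) currentRelation='=';;
        1) currentRelation='>';;
        2) currentRelation='<';;
    esac

    case "$reqRelation" in
        "=")  [ "$currentRelation" == "=" ] && return 0 ;;
        ">")  [ "$currentRelation" == ">" ] && return 0 ;;
        "<")  [ "$currentRelation" == "<" ] && return 0 ;;
        ">=") [ "$currentRelation" != "<" ] && return 0 ;;
        "<=") [ "$currentRelation" != ">" ] && return 0 ;;
    esac
    return 1
}

# Compares a current value with an expected one.
# Arguments: $1 - current value, $2 - expected value, $3 - sign ('==' or '!=')
# Returns:   0 when the relation holds, 1 otherwise (also for an unknown sign)
compareValues() {
    local curVal="$1"
    local val="$2"
    local sign="$3"

    case "$sign" in
        "==") [ "$val" == "$curVal" ] && return 0 ;;
        "!=") [ "$val" != "$curVal" ] && return 0 ;;
    esac
    return 1
}

# Evaluates one requirement token of an exploit/feature record against the
# collected system facts (PKG_LIST, KERNEL, ARCH, KCONFIG, sysctl, commands).
# Arguments: $1 - the token, $2 - the record's first token ('pkg=<name>'),
#            used to know which package a 'ver' token refers to
# Returns:   0 when the requirement is met (or cannot be checked in the current
#            mode), 1 when it is not met, 2 for the --checksec special case
#            "sysctl entry does not exist on this system"
checkRequirement() {
    local IN="$1"
    local pkgName="${2:4}"
    local pkg pkgVersion version rest operator
    local sysctlCondition sign val entry curVal cmd

    if [[ "$IN" =~ ^pkg=.*$ ]]; then
        # the kernel itself is always present on a Linux box
        [ "${pkgName}" == "linux-kernel" ] && return 0

        # otherwise the package must appear in the listing (first match only)
        pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -n 1)
        [ -n "$pkg" ] && return 0

    elif [[ "$IN" =~ ^ver.*$ ]]; then
        version="${IN//[^0-9.]/}"
        rest="${IN#ver}"
        operator=${rest%$version}

        if [ "$pkgName" == "linux-kernel" -o "$opt_checksec_mode" == "true" ]; then
            # for --cvelist-file mode skip kernel version comparision
            [ "$opt_cvelist_file" = "true" ] && return 0
            doVersionComparision "$version" "$operator" "$KERNEL" && return 0
        else
            pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -n 1)
            # --skip-pkg-versions: presence of the package is enough
            [ "$opt_skip_pkg_versions" = "true" -a -n "$pkg" ] && return 0
            # extract "<epoch>:<digits.and.dots>" after the package name, then
            # drop the epoch, the +/- separators and a trailing pN patch level
            pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g')
            doVersionComparision "$version" "$operator" "$pkgVersion" && return 0
        fi

    # architecture tokens: an unknown ARCH (-k / -p modes) matches either one
    elif [[ "$IN" =~ ^x86_64$ ]] && [ "$ARCH" == "x86_64" -o "$ARCH" == "" ]; then
        return 0
    elif [[ "$IN" =~ ^x86$ ]] && [ "$ARCH" == "i386" -o "$ARCH" == "i686" -o "$ARCH" == "" ]; then
        return 0

    elif [[ "$IN" =~ ^CONFIG_.*$ ]]; then
        # skip if check is not applicable (-k or --uname or -p set) or if user said so (--skip-more-checks)
        [ "$opt_skip_more_checks" = "true" ] && return 0

        if [ -n "$KCONFIG" ]; then
            # $KCONFIG is a command string ("zcat ..."/"cat ..."), hence unquoted;
            # the pattern is anchored so the key is matched at line start and
            # not as a substring of some other option
            if $KCONFIG | grep -E -qi "^$IN"; then
                return 0
            # required option wasn't found, exploit is not applicable
            else
                return 1
            fi
        # config is not available: cannot rule the exploit out
        else
            return 0
        fi

    elif [[ "$IN" =~ ^sysctl:.*$ ]]; then
        # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks)
        [ "$opt_skip_more_checks" = "true" ] && return 0

        # extract sysctl entry, relation sign and required value
        sysctlCondition="${IN:7}"
        if echo "$sysctlCondition" | grep -qi "!="; then
            sign="!="
        elif echo "$sysctlCondition" | grep -qi "=="; then
            sign="=="
        else
            exitWithErrMsg "Wrong sysctl condition. There is syntax error in your features DB. Aborting."
        fi
        val=$(echo "$sysctlCondition" | awk -F "$sign" '{print $2}')
        entry=$(echo "$sysctlCondition" | awk -F "$sign" '{print $1}')

        # query the single key instead of grepping a full 'sysctl -a' dump: the
        # key is matched exactly rather than as an unanchored substring, and a
        # missing key yields an empty value (its error goes to /dev/null)
        curVal=$(/sbin/sysctl -n "$entry" 2>/dev/null)

        # special case for --checksec mode: report a missing switch as N/A
        [ -z "$curVal" -a "$opt_checksec_mode" = "true" ] && return 2
        # for other modes: a missing switch does not rule the exploit out
        [ -z "$curVal" ] && return 0

        compareValues "$curVal" "$val" "$sign" && return 0

    elif [[ "$IN" =~ ^cmd:.*$ ]]; then
        # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks)
        [ "$opt_skip_more_checks" = "true" ] && return 0

        # the command text is executed verbatim: it may only ever come from the
        # exploit/feature tables embedded in this script, never from user input
        cmd="${IN:4}"
        if eval "${cmd}"; then
            return 0
        fi
    fi
    return 1
}

# Picks a readable source of the running kernel's configuration and stores
# the command that prints it in KCONFIG (empty when none is found).  '-r'
# rather than '-f': a present but unreadable file would otherwise make every
# CONFIG_ check fail instead of being skipped as "not available".
getKernelConfig() {
    local release
    release=$(uname -r)
    if [ -r /proc/config.gz ]; then
        KCONFIG="zcat /proc/config.gz"
    elif [ -r "/boot/config-$release" ]; then
        KCONFIG="cat /boot/config-$release"
    elif [ -r "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ]; then
        KCONFIG="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"
    else
        KCONFIG=""
    fi
}

# --checksec: walks the FEATURES table and prints, per section, whether each
# protection is available ('available:' tokens) and enabled ('enabled:'
# tokens).  Every 'section:' record advances MODE, which selects the wording:
# modes 1 (mainline) and 2 (hardware) print Enabled/Disabled, mode 3 (3rd
# party) Enabled/N/A, mode 4 (attack surface) Exposed/Locked.
checksecMode() {
    local MODE=0
    local FEATURE REQ i line retVal
    local -a arr array

    for FEATURE in "${FEATURES[@]}"; do
        # create array from current feature here doc and fetch needed lines
        # ('-r' is used to not interpret backslash used for bash colors)
        i=0
        arr=()
        while read -r line; do
            arr[i]="$line"
            i=$((i + 1))
        done <<< "$FEATURE"

        NAME="${arr[0]}"
        PRE_NAME="${NAME:0:8}"
        NAME="${NAME:9}"
        if [ "${PRE_NAME}" = "section:" ]; then
            # advance to next MODE
            MODE=$((MODE + 1))
            echo
            echo -e "${bldwht}${NAME}${txtrst}"
            echo
            continue
        fi

        AVAILABLE="${arr[1]}" && AVAILABLE="${AVAILABLE:11}"
        ENABLE=$(echo "$FEATURE" | grep "enabled: " | awk -F'ed: ' '{print $2}')
        analysis_url=$(echo "$FEATURE" | grep "analysis-url: " | awk '{print $2}')

        # availability: every requirement must hold (stop at the first failure);
        # checkRequirement runs in a subshell so an exitWithErrMsg inside it
        # cannot terminate the whole report
        IFS=',' read -r -a array <<< "$AVAILABLE"
        AVAILABLE_REQS_NUM=${#array[@]}
        AVAILABLE_PASSED_REQ=0
        CONFIG=""
        for REQ in "${array[@]}"; do
            # remember the first CONFIG_ symbol for display
            if [ -z "$CONFIG" ] && [[ "$REQ" == *CONFIG_* ]]; then
                CONFIG="(${REQ%%=*})"
            fi
            if (checkRequirement "$REQ"); then
                AVAILABLE_PASSED_REQ=$((AVAILABLE_PASSED_REQ + 1))
            else
                break
            fi
        done

        # enablement: same rule; return code 2 marks an absent sysctl key
        # (noSysctl is recorded but not reported separately at the moment)
        ENABLE_PASSED_REQ=0
        ENABLE_REQS_NUM=0
        noSysctl=0
        if [ -n "$ENABLE" ]; then
            IFS=',' read -r -a array <<< "$ENABLE"
            ENABLE_REQS_NUM=${#array[@]}
            for REQ in "${array[@]}"; do
                checkRequirement "$REQ"
                retVal=$?
                if [ $retVal -eq 0 ]; then
                    ENABLE_PASSED_REQ=$((ENABLE_PASSED_REQ + 1))
                elif [ $retVal -eq 2 ]; then
                    noSysctl=1
                    break
                else
                    break
                fi
            done
        fi

        # feature description without the "feature:" label
        feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)

        if [ $MODE -eq 3 ]; then
            enabled="[ ${txtgrn}Enabled${txtrst} ]"
            disabled="[ ${txtgray}N/A${txtrst} ]"
        elif [ $MODE -eq 4 ]; then
            enabled="[ ${txtred}Exposed${txtrst} ]"
            disabled="[ ${txtgrn}Locked${txtrst} ]"
        else
            enabled="[ ${txtgrn}Enabled${txtrst} ]"
            disabled="[ ${txtred}Disabled${txtrst} ]"
        fi

        state=$disabled
        if [ $AVAILABLE_PASSED_REQ -eq $AVAILABLE_REQS_NUM -a $ENABLE_PASSED_REQ -eq $ENABLE_REQS_NUM ]; then
            state=$enabled
        fi
        echo -e " $state $feature ${wht}${CONFIG}${txtrst}"
        [ -n "$analysis_url" ] && echo -e " $analysis_url"
        echo
    done
}

# parse command line parameters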
# NOTE(review): this copy of the script has lost a number of numeric literals
# (loop counters, 'cut' field lists, test operands, the Bash version check).
# The lines are kept as they are and flagged where the loss changes behaviour.

# enhanced (util-linux) getopt re-quotes the arguments; 'eval set --' then
# reloads them as positional parameters for the case loop below
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
# NOTE(review): the status literal after '!=' is missing here; as written the
# test itself errors out, so a getopt failure is never reported
[ $? != ] && exitWithErrMsg "Aborting."
eval set -- "$ARGS"
while true; do
case "$1" in
-u|--uname)
shift
UNAME_A="$1"
opt_uname_string=true
;;
-V|--version)
version
exit
;;
-h|--help)
usage
exit
;;
-f|--full)
opt_full=true
;;
-g|--short)
opt_summary=true
;;
-b|--fetch-binaries)
opt_fetch_bins=true
;;
-s|--fetch-sources)
opt_fetch_srcs=true
;;
-k|--kernel)
shift
KERNEL="$1"
opt_kernel_version=true
;;
-d|--show-dos)
opt_show_dos=true
;;
-p|--pkglist-file)
shift
PKGLIST_FILE="$1"
opt_pkglist_file=true
;;
--cvelist-file)
shift
CVELIST_FILE="$1"
opt_cvelist_file=true
;;
--checksec)
opt_checksec_mode=true
;;
--kernelspace-only)
opt_kernel_only=true
;;
--userspace-only)
opt_userspace_only=true
;;
--skip-more-checks)
opt_skip_more_checks=true
;;
--skip-pkg-versions)
opt_skip_pkg_versions=true
;;
*)
# getopt terminates the option list with '--', which lands here; anything
# left after it is an unexpected positional argument.
# NOTE(review): the comparison literal is missing, so "$#" (never an empty
# string) always differs from "" and this branch aborts on every run
shift
if [ "$#" != "" ]; then
exitWithErrMsg "Unknown option '$1'. Aborting."
fi
break
;;
esac
shift
done

# check Bash version (associative arrays need Bash in version 4.0+)
# NOTE(review): the array index and the minimum version are missing; the
# arithmetic expression fails to evaluate, so the check never triggers
if ((BASH_VERSINFO[] < )); then
exitWithErrMsg "Script needs Bash in version 4.0 or newer. Aborting."
fi

# exit if both --kernel and --uname are set
[ "$opt_kernel_version" = "true" ] && [ $opt_uname_string = "true" ] && exitWithErrMsg "Switches -u|--uname and -k|--kernel are mutually exclusive. Aborting."

# exit if both --full and --short are set
[ "$opt_full" = "true" ] && [ $opt_summary = "true" ] && exitWithErrMsg "Switches -f|--full and -g|--short are mutually exclusive. Aborting."

# --cvelist-file mode is standalone mode and is not applicable when one of -k | -u | -p | --checksec switches are set
if [ "$opt_cvelist_file" = "true" ]; then
[ ! -e "$CVELIST_FILE" ] && exitWithErrMsg "Provided CVE list file does not exists. Aborting."
[ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --cvelist-file are mutually exclusive. Aborting."
[ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --cvelist-file are mutually exclusive. Aborting."
[ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --cvelist-file are mutually exclusive. Aborting."
fi

# --checksec mode is standalone mode and is not applicable when one of -k | -u | -p | --cvelist-file switches are set
if [ "$opt_checksec_mode" = "true" ]; then
[ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --checksec are mutually exclusive. Aborting."
[ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --checksec are mutually exclusive. Aborting."
[ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --checksec are mutually exclusive. Aborting."
fi

# extract kernel version and other OS info like distro name, distro version, etc. possibilities here:
# In the -k and -u modes the script deliberately never inspects the machine
# it runs on: ARCH/OS come only from the given string and the CONFIG_/sysctl/
# cmd checks are disabled (opt_skip_more_checks=true), so nothing about the
# local host leaks into a report produced for another system.
# case : --kernel set
if [ "$opt_kernel_version" == "true" ]; then
# TODO: add kernel version number validation
[ -z "$KERNEL" ] && exitWithErrMsg "Unrecognized kernel version given. Aborting."
ARCH=""
OS="" # do not perform additional checks on current machine
opt_skip_more_checks=true # do not consider current OS
getPkgList "" "$PKGLIST_FILE"

# case : --uname set
elif [ "$opt_uname_string" == "true" ]; then
[ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
parseUname "$UNAME_A" # do not perform additional checks on current machine
opt_skip_more_checks=true # do not consider current OS
getPkgList "" "$PKGLIST_FILE"

# case : --cvelist-file mode
elif [ "$opt_cvelist_file" = "true" ]; then # get kernel configuration in this mode
[ "$opt_skip_more_checks" = "false" ] && getKernelConfig

# case : --checksec mode
elif [ "$opt_checksec_mode" = "true" ]; then # this switch is not applicable in this mode
opt_skip_more_checks=false # get kernel configuration in this mode
getKernelConfig
[ -z "$KCONFIG" ] && exitWithErrMsg "Kernel configuration file not available. Aborting." # launch checksec mode
checksecMode
exit

# case : no --uname | --kernel | --cvelist-file | --checksec set
else # --pkglist-file NOT provided: take all info from current machine
# case for vanilla execution: ./linux-exploit-suggester.sh
if [ "$opt_pkglist_file" == "false" ]; then
UNAME_A=$(uname -a)
[ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
parseUname "$UNAME_A" # get kernel configuration in this mode
[ "$opt_skip_more_checks" = "false" ] && getKernelConfig # extract distribution version from /etc/issue
# DISTRO is the first digits-and-dots run found in /etc/issue; it only feeds
# the tag highlighting, never the exploit matching
[ -n "$OS" -a "$opt_skip_more_checks" = "false" ] && DISTRO=$(cat /etc/issue | grep -E -o '[0-9\.]+' | head -) # extract package listing from current OS
getPkgList "$OS" "" # --pkglist-file provided: only consider userspace exploits against provided package listing
else
KERNEL=""
#TODO: extract machine arch from package listing
ARCH=""
# re-declaring the array empties it, so no kernel exploit is considered
unset EXPLOITS
declare -A EXPLOITS
getPkgList "" "$PKGLIST_FILE" # additional checks are not applicable for this mode
opt_skip_more_checks=true
fi
fi

echo
echo -e "${bldwht}Available information:${txtrst}"
echo
[ -n "$KERNEL" ] && echo -e "Kernel version: ${txtgrn}$KERNEL${txtrst}" || echo -e "Kernel version: ${txtred}N/A${txtrst}"
echo "Architecture: $([ -n "$ARCH" ] && echo -e "${txtgrn}$ARCH${txtrst}" || echo -e "${txtred}N/A${txtrst}")"
echo "Distribution: $([ -n "$OS" ] && echo -e "${txtgrn}$OS${txtrst}" || echo -e "${txtred}N/A${txtrst}")"
echo -e "Distribution version: $([ -n "$DISTRO" ] && echo -e "${txtgrn}$DISTRO${txtrst}" || echo -e "${txtred}N/A${txtrst}")"
echo "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): $([ "$opt_skip_more_checks" == "false" ] && echo -e "${txtgrn}performed${txtrst}" || echo -e "${txtred}N/A${txtrst}")"
if [ -n "$PKGLIST_FILE" -a -n "$PKG_LIST" ]; then
pkgListFile="${txtgrn}$PKGLIST_FILE${txtrst}"
elif [ -n "$PKGLIST_FILE" ]; then
pkgListFile="${txtred}unrecognized file provided${txtrst}"
elif [ -n "$PKG_LIST" ]; then
pkgListFile="${txtgrn}from current OS${txtrst}"
fi
echo -e "Package listing: $([ -n "$pkgListFile" ] && echo -e "$pkgListFile" || echo -e "${txtred}N/A${txtrst}")"

# handle --kernelspacy-only & --userspace-only filter options
# (a missing package listing also drops the userspace table, since none of
# its pkg= requirements could be verified)
if [ "$opt_kernel_only" = "true" -o -z "$PKG_LIST" ]; then
unset EXPLOITS_USERSPACE
declare -A EXPLOITS_USERSPACE
fi

if [ "$opt_userspace_only" = "true" ]; then
unset EXPLOITS
declare -A EXPLOITS
fi

echo
echo -e "${bldwht}Searching among:${txtrst}"
echo
echo "${#EXPLOITS[@]} kernel space exploits"
echo "${#EXPLOITS_USERSPACE[@]} user space exploits"
echo

echo -e "${bldwht}Possible Exploits:${txtrst}"
echo

# start analysis
for EXP in "${EXPLOITS[@]}" "${EXPLOITS_USERSPACE[@]}"; do # create array from current exploit here doc and fetch needed lines
# NOTE(review): the counter start value and the increment are missing, so
# the per-line split below is broken in this copy
i=
# ('-r' is used to not interpret backslash used for bash colors)
while read -r line
do
arr[i]="$line"
i=$((i + ))
done <<< "$EXP"
# record layout: line 0 'Name: ', line 1 'Reqs: ', line 2 'Tags: ' (6 chars of label each)
REQS="${arr[1]}" && REQS="${REQS:6}"
NAME="${arr[0]}" && NAME="${NAME:6}"
TAGS="${arr[2]}" && TAGS="${TAGS:6}" # split line with requirements & loop thru all reqs one by one & check whether it is met
# the first token (pkg=<name>) is passed along so 'ver' tokens know which
# package they refer to; checkRequirement runs in a subshell so an abort
# inside it only skips this record
IFS=',' read -r -a array <<< "$REQS"
REQS_NUM=${#array[@]}
PASSED_REQ=
for REQ in "${array[@]}"; do
if (checkRequirement "$REQ" "${array[0]}"); then
PASSED_REQ=$(($PASSED_REQ + ))
else
break
fi
done # execute for exploits with all requirements met
if [ $PASSED_REQ -eq $REQS_NUM ]; then # additional requirement for --cvelist-file mode: check if CVE associated with the exploit is on the CVELIST_FILE
if [ "$opt_cvelist_file" = "true" ]; then # extract CVE(s) associated with given exploit (also translates ',' to '|' for easy handling multiple CVEs case - via extended regex)
cve=$(echo "$NAME" | grep '.*\[.*\].*' | cut -d 'm' -f2 | cut -d ']' -f1 | tr -d '[' | tr "," "|")
#echo "CVE: $cve" # check if it's on CVELIST_FILE list, if no move to next exploit
# NOTE(review): the unquoted $(...) inside '[ ]' word-splits grep's output;
# 'grep -E -q -- "$cve" "$CVELIST_FILE" || continue' is the robust form
# ($cve itself is derived from the record, not from user input)
[ ! $(cat "$CVELIST_FILE" | grep -E "$cve") ] && continue
fi # process tags and highlight those that match current OS (only for deb|ubuntu|RHEL and if we know distro version - direct mode)
tags=""
if [ -n "$TAGS" -a -n "$OS" -a -n "$DISTRO" ]; then
IFS=',' read -r -a tags_array <<< "$TAGS"
TAGS_NUM=${#tags_array[@]}
for TAG in "${tags_array[@]}"; do
tag_distro=$(echo "$TAG" | cut -d'=' -f1)
tag_distro_num_all=$(echo "$TAG" | cut -d'=' -f2)
# in case of tag of form: 'ubuntu=16.04{kernel:4.4.0-21} remove kernel versioning part for comparision
tag_distro_num="${tag_distro_num_all%{*}" # if distro matches:
if [ "$OS" == "$tag_distro" -a "$(echo "$DISTRO" | grep -E "$tag_distro_num")" ]; then # get name (kernel or package name) and version of kernel/pkg if provided:
# NOTE(review): the 'cut -f' field lists are missing on the next two lines,
# so cut errors out and tag_pkg/tag_pkg_num stay empty; the {kernel:...}
# highlight therefore never fires in this copy
tag_pkg=$(echo "$tag_distro_num_all" | cut -d'{' -f | tr -d '}' | cut -d':' -f )
tag_pkg_num=""
[ $(echo "$tag_distro_num_all" | grep '{') ] && tag_pkg_num=$(echo "$tag_distro_num_all" | cut -d'{' -f | tr -d '}' | cut -d':' -f ) #[ -n "$tag_pkg_num" ] && echo "tag_pkg_num: $tag_pkg_num; kernel: $KERNEL_ALL" # if pkg/kernel version is not provided:
if [ -z "$tag_pkg_num" ]; then
TAG="${lightyellow}[ ${TAG} ]${txtrst}" # kernel version provided, check for match:
elif [ -n "$tag_pkg_num" -a "$tag_pkg" = "kernel" ]; then
[ $(echo "$KERNEL_ALL" | grep -E "${tag_pkg_num}") ] && TAG="${yellow}[ ${TAG} ]${txtrst}" || TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{kernel:$tag_pkg_num}" # pkg version provided, check for match (TBD):
elif [ -n "$tag_pkg_num" -a -n "$tag_pkg" ]; then
TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{$tag_pkg:$tag_pkg_num}"
fi
fi
# append current tag to tags list
tags="${tags}${TAG},"
done
# trim ',' added by above loop
[ -n "$tags" ] && tags="${tags%?}"
else
tags="$TAGS"
fi

# remaining record fields; NOTE(review): the 'cut' field lists for the
# Comments/Reqs/name/author extractions are missing in this copy
EXPLOIT_DB=$(echo "$EXP" | grep "exploit-db: " | awk '{print $2}')
analysis_url=$(echo "$EXP" | grep "analysis-url: " | awk '{print $2}')
ext_url=$(echo "$EXP" | grep "ext-url: " | awk '{print $2}')
comments=$(echo "$EXP" | grep "Comments: " | cut -d' ' -f -)
reqs=$(echo "$EXP" | grep "Reqs: " | cut -d' ' -f ) # exploit name without CVE number and without commonly used special chars
name=$(echo "$NAME" | cut -d' ' -f - | tr -d ' ()/')
src_url=$(echo "$EXP" | grep "src-url: " | awk '{print $2}')
# a record without src-url falls back to exploit-db's download URL; having
# neither is a table error, not a runtime condition
[ -z "$src_url" ] && [ -n "$EXPLOIT_DB" ] && src_url="https://www.exploit-db.com/download/$EXPLOIT_DB"
[ -z "$src_url" ] && exitWithErrMsg "Both 'src-url' and 'exploit-db' entries are empty for '$NAME' exploit - fix that. Aborting."
if [ -n "$analysis_url" ]; then
details="$analysis_url"
elif $(echo "$src_url" | grep -q 'www.exploit-db.com'); then
details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
elif [[ "$src_url" =~ ^.*tgz|tar.gz|zip$ && -n "$EXPLOIT_DB" ]]; then
details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
else
details="$src_url"
fi # skip DoS by default
dos=$(echo "$EXP" | grep -o -i "(dos")
[ "$opt_show_dos" == "false" ] && [ -n "$dos" ] && continue # handles --fetch-binaries option
# NOTE(review): both fetch paths pull unauthenticated code from the
# third-party hosts named in the records (no hash or signature is checked)
# and write it into the current directory under a name taken from the URL.
# Treat the downloads as untrusted input: read sources before compiling
# them and never run a fetched binary on a machine you care about.  Also:
# 'wget -k' (convert links) does nothing for a single non-HTML download,
# "$i" is unquoted inside $(basename $i), and a download failure is silent.
if [ $opt_fetch_bins = "true" ]; then
for i in $(echo "$EXP" | grep "bin-url: " | awk '{print $2}'); do
[ -f "${name}_$(basename $i)" ] && rm -f "${name}_$(basename $i)"
wget -q -k "$i" -O "${name}_$(basename $i)"
done
fi # handles --fetch-sources option
# the source download is backgrounded and never waited for, so the script
# can finish (and the file can be read) before wget has completed
if [ $opt_fetch_srcs = "true" ]; then
[ -f "${name}_$(basename $src_url)" ] && rm -f "${name}_$(basename $src_url)"
wget -q -k "$src_url" -O "${name}_$(basename $src_url)" &
fi # display result (short)
if [ "$opt_summary" = "true" ]; then
[ -z "$tags" ] && tags="-"
echo -e "$NAME || $tags || $src_url"
continue
fi # display result (standard)
echo -e "[+] $NAME"
echo -e "\n Details: $details"
[ -n "$tags" ] && echo -e " Tags: $tags"
echo -e " Download URL: $src_url"
[ -n "$ext_url" ] && echo -e " ext-url: $ext_url"
[ -n "$comments" ] && echo -e " Comments: $comments" # handles --full filter option
if [ "$opt_full" = "true" ]; then
[ -n "$reqs" ] && echo -e " Requirements: $reqs"
[ -n "$EXPLOIT_DB" ] && echo -e " exploit-db: $EXPLOIT_DB"
author=$(echo "$EXP" | grep "author: " | cut -d' ' -f -)
[ -n "$author" ] && echo -e " author: $author"
fi
echo
fi
done