0xspade

Linux Priv Checker

Aug 25th, 2016
250
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 25.07 KB | None | 0 0
  1. #!/usr/env python
  2.  
  3. ###############################################################################################################
  4. ## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
  5. ## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
  6. ##-------------------------------------------------------------------------------------------------------------
  7. ## [Details]:
  8. ## This script is intended to be executed locally on a Linux box to enumerate basic system info and
  9. ## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
  10. ## passwords and applicable exploits.
  11. ##-------------------------------------------------------------------------------------------------------------
  12. ## [Warning]:
  13. ## This script comes as-is with no promise of functionality or accuracy.  I have no plans to maintain updates,
  14. ## I did not write it to be efficient and in some cases you may find the functions may not produce the desired
  15. ## results.  For example, the function that links packages to running processes is based on keywords and will
  16. ## not always be accurate.  Also, the exploit list included in this function will need to be updated over time.
  17. ## Feel free to change or improve it any way you see fit.
  18. ##-------------------------------------------------------------------------------------------------------------  
  19. ## [Modification, Distribution, and Attribution]:
  20. ## You are free to modify and/or distribute this script as you wish.  I only ask that you maintain original
  21. ## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
  22. ## worth anything anyway :)
  23. ###############################################################################################################
  24.  
  25. # conditional import for older versions of python not compatible with subprocess
  26. try:
  27.     import subprocess as sub
  28.     compatmode = 0 # newer version of python, no need for compatibility mode
  29. except ImportError:
  30.     import os # older version of python, need to use os instead
  31.     compatmode = 1
  32.  
  33. # title / formatting
  34. bigline = "================================================================================================="
  35. smlline = "-------------------------------------------------------------------------------------------------"
  36.  
  37. print bigline
  38. print "LINUX PRIVILEGE ESCALATION CHECKER"
  39. print bigline
  40. print
  41.  
  42. # loop through dictionary, execute the commands, store the results, return updated dict
  43. def execCmd(cmdDict):
  44.     for item in cmdDict:
  45.         cmd = cmdDict[item]["cmd"]
  46.     if compatmode == 0: # newer version of python, use preferred subprocess
  47.             out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate()
  48.             results = out.split('\n')
  49.     else: # older version of python, use os.popen
  50.         echo_stdout = os.popen(cmd, 'r')  
  51.             results = echo_stdout.read().split('\n')
  52.         cmdDict[item]["results"]=results
  53.     return cmdDict
  54.  
  55. # print results for each previously executed command, no return value
  56. def printResults(cmdDict):
  57.     for item in cmdDict:
  58.     msg = cmdDict[item]["msg"]
  59.     results = cmdDict[item]["results"]
  60.         print "[+] " + msg
  61.         for result in results:
  62.         if result.strip() != "":
  63.             print "    " + result.strip()
  64.     print
  65.     return
  66.  
  67. def writeResults(msg, results):
  68.     f = open("privcheckout.txt", "a");
  69.     f.write("[+] " + str(len(results)-1) + " " + msg)
  70.     for result in results:
  71.         if result.strip() != "":
  72.             f.write("    " + result.strip())
  73.     f.close()
  74.     return
  75.  
  76. # Basic system info
  77. print "[*] GETTING BASIC SYSTEM INFO...\n"
  78.  
  79. results=[]
  80.  
  81. sysInfo = {"OS":{"cmd":"cat /etc/issue","msg":"Operating System","results":results},
  82.        "KERNEL":{"cmd":"cat /proc/version","msg":"Kernel","results":results},
  83.        "HOSTNAME":{"cmd":"hostname", "msg":"Hostname", "results":results}
  84.       }
  85.  
  86. sysInfo = execCmd(sysInfo)
  87. printResults(sysInfo)
  88.  
  89. # Networking Info
  90.  
  91. print "[*] GETTING NETWORKING INFO...\n"
  92.  
  93. netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results},
  94.        "ROUTE":{"cmd":"route", "msg":"Route", "results":results},
  95.        "NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results}
  96.       }
  97.  
  98. netInfo = execCmd(netInfo)
  99. printResults(netInfo)
  100.  
  101. # File System Info
  102. print "[*] GETTING FILESYSTEM INFO...\n"
  103.  
  104. driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results},
  105.          "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results}
  106.         }
  107.  
  108. driveInfo = execCmd(driveInfo)
  109. printResults(driveInfo)
  110.  
  111. # Scheduled Cron Jobs
  112. cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs", "results":results},
  113.         "CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs", "results":results}
  114.        }
  115.  
  116. cronInfo = execCmd(cronInfo)
  117. printResults(cronInfo)
  118.  
  119. # User Info
  120. print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n"
  121.  
  122. userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results},
  123.         "ID":{"cmd":"id","msg":"Current User ID", "results":results},
  124.         "ALLUSERS":{"cmd":"cat /etc/passwd", "msg":"All users", "results":results},
  125.         "SUPUSERS":{"cmd":"grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg":"Super Users Found:", "results":results},
  126.         "HISTORY":{"cmd":"ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg":"Root and current user history (depends on privs)", "results":results},
  127.         "ENV":{"cmd":"env 2>/dev/null | grep -v 'LS_COLORS'", "msg":"Environment", "results":results},
  128.         "SUDOERS":{"cmd":"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg":"Sudoers (privileged)", "results":results},
  129.         "LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity", "results":results}
  130.        }
  131.  
  132. userInfo = execCmd(userInfo)
  133. printResults(userInfo)
  134.  
  135. if "root" in userInfo["ID"]["results"][0]:
  136.     print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n"
  137.  
  138. # File/Directory Privs
  139. print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n"
  140.  
  141. fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},
  142.        "WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},
  143.        "WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results},
  144.        "SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results},
  145.        "ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results}
  146.       }
  147.  
  148. fdPerms = execCmd(fdPerms)
  149. printResults(fdPerms)
  150.  
  151. pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'", "results":results},
  152.         "CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'", "results":results},
  153.         "SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)", "results":results}
  154.        }
  155.  
  156. pwdFiles = execCmd(pwdFiles)
  157. printResults(pwdFiles)
  158.  
  159. # Processes and Applications
  160. print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n"
  161.  
  162. if "debian" in sysInfo["KERNEL"]["results"][0] or "ubuntu" in sysInfo["KERNEL"]["results"][0]:
  163.     getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian
  164. else:
  165.     getPkgs = "rpm -qa | sort -u" # RH/other
  166.  
  167. getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes", "results":results},
  168.               "PKGS":{"cmd":getPkgs, "msg":"Installed Packages", "results":results}
  169.          }
  170.  
  171. getAppProc = execCmd(getAppProc)
  172. printResults(getAppProc) # comment to reduce output
  173.  
  174. otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", "results":results},
  175.           "APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules", "results":results},
  176.           "APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File", "results":results}
  177.         }
  178.  
  179. otherApps = execCmd(otherApps)
  180. printResults(otherApps)
  181.  
  182. print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n"
  183.  
  184. # find the package information for the processes currently running
  185. # under root or another super user
  186.  
  187. procs = getAppProc["PROCS"]["results"]
  188. pkgs = getAppProc["PKGS"]["results"]
  189. supusers = userInfo["SUPUSERS"]["results"]
  190. procdict = {} # dictionary to hold the processes running as super users
  191.  
  192. for proc in procs: # loop through each process
  193.     relatedpkgs = [] # list to hold the packages related to a process    
  194.     try:
  195.     for user in supusers: # loop through the known super users
  196.         if (user != "") and (user in proc): # if the process is being run by a super user
  197.             procname = proc.split(" ")[4] # grab the process name
  198.         if "/" in procname:
  199.             splitname = procname.split("/")
  200.             procname = splitname[len(splitname)-1]
  201.             for pkg in pkgs: # loop through the packages
  202.             if not len(procname) < 3: # name too short to get reliable package results
  203.                     if procname in pkg:
  204.                 if procname in procdict:
  205.                     relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list
  206.                 if pkg not in relatedpkgs:
  207.                     relatedpkgs.append(pkg) # add pkg to the list
  208.                 procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry
  209.     except:
  210.     pass
  211.  
  212. for key in procdict:
  213.     print "    " + key # print the process name
  214.     try:
  215.         if not procdict[key][0] == "": # only print the rest if related packages were found
  216.             print "        Possible Related Packages: "
  217.             for entry in procdict[key]:
  218.                 print "            " + entry # print each related package
  219.     except:
  220.     pass
  221.  
  222. # EXPLOIT ENUMERATION
  223.  
  224. # First discover the avaialable tools
  225. print
  226. print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n"
  227.  
  228. devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}}
  229. devTools = execCmd(devTools)
  230. printResults(devTools)
  231.  
  232. print "[+] Related Shell Escape Sequences...\n"
  233. escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]}
  234. for cmd in escapeCmd:
  235.     for result in devTools["TOOLS"]["results"]:
  236.         if cmd in result:
  237.         for item in escapeCmd[cmd]:
  238.             print "    " + cmd + "-->\t" + item
  239. print
  240. print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n"
  241.  
  242. # Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
  243. # sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
  244. sploits= {      "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"3", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  245.         "< 2.4.20 Module Loader Local Root Exploit":{"minver":"0", "maxver":"2.4.20", "exploitdb":"12", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  246.         "2.4.22 "'do_brk()'" local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"129", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}},
  247.         "<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"0", "maxver":"2.4.22", "exploitdb":"131", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  248.         "2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"145", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  249.         "<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"0", "maxver":"2.4.29", "exploitdb":"744", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  250.         "2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"778", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  251.         "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"895", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  252.         "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"926", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}},
  253.         "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"0", "maxver":"2.6.11", "exploitdb":"1397", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  254.         "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"0", "maxver":"99", "exploitdb":"1518", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}},
  255.         "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2004", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  256.         "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2005", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  257.         "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2006", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  258.         "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2011", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
  259.         "<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"0", "maxver":"2.6.17.4", "exploitdb":"2013", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  260.         "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2031", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  261.         "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"3384", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
  262.         "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"4460", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  263.         "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"0", "maxver":"2.6.11.5", "exploitdb":"4756", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}},
  264.         "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"5092", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  265.         "2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"5093", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
  266.         "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"0", "maxver":"99", "exploitdb":"5720", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}},
  267.         "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"0", "maxver":"2.6.22", "exploitdb":"6851", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  268.         "< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.29", "exploitdb":"8369", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  269.         "2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8478", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
  270.         "2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8572", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
  271.         "2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8673", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  272.         "2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"8678", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  273.         "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", "maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  274.         "Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"9191", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  275.         "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"9208", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}},
  276.         "2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"2", "maxver":"2.99", "exploitdb":"9435", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  277.         "2.x sock_sendpage() Local Root Exploit 2":{"minver":"2", "maxver":"2.99", "exploitdb":"9436", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  278.         "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9479", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  279.         "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"9542", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  280.         "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9545", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  281.         "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9574", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  282.         "< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9575", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  283.         "2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  284.         "2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9641", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  285.         "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"9844", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}},
  286.         "'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"10018", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
  287.         "2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"10613", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  288.         "Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"0", "maxver":"99", "exploitdb":"11662", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}},
  289.         "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"0", "maxver":"2.6.34", "exploitdb":"12130", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}},
  290.         "Ubuntu PAM MOTD local root":{"minver":"7", "maxver":"10.04", "exploitdb":"14339", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}},
  291.         "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36", "exploitdb":"14814", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  292.         "Kernel ia32syscall Emulation Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"15023", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  293.         "Linux RDS Protocol Local Privilege Escalation":{"minver":"0", "maxver":"2.6.36", "exploitdb":"15285", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  294.         "<= 2.6.37 Local Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15704", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  295.         "< 2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15774", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  296.         "CAP_SYS_ADMIN to root Exploit":{"minver":"0", "maxver":"99", "exploitdb":"15916", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  297.         "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"0", "maxver":"99", "exploitdb":"15944", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  298.         "< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36.2", "exploitdb":"17787", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  299.         "Sendpage Local Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"19933", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}},
  300.         "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"21598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  301.         "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22362", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  302.         "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22363", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  303.         "Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"23674", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}},
  304.         "open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"0", "maxver":"99", "exploitdb":"25307", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  305.         "open-time Capability file_ns_capable() Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"25450", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
  306. }
  307.  
  308. # variable declaration
  309. os = sysInfo["OS"]["results"][0]
  310. version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0]
  311. langs = devTools["TOOLS"]["results"]
  312. procs = getAppProc["PROCS"]["results"]
  313. kernel = str(sysInfo["KERNEL"]["results"][0])
  314. mount = driveInfo["MOUNT"]["results"]
  315. #pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future
  316.  
  317.  
  318. # lists to hold ranked, applicable sploits
  319. # note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks
  320. # all applicable exploits should be checked and this function could probably use some improvement
  321. avgprob = []
  322. highprob = []
  323.  
  324. for sploit in sploits:
  325.     lang = 0 # use to rank applicability of sploits
  326.     keyword = sploits[sploit]["keywords"]["val"]
  327.     sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + sploits[sploit]["exploitdb"] + " || " + "Language=" + sploits[sploit]["lang"]
  328.     # first check for kernell applicability
  329.     if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]):
  330.     # next check language applicability
  331.     if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
  332.         lang = 1 # language found, increase applicability score
  333.     elif sploits[sploit]["lang"] == "sh":
  334.         lang = 1 # language found, increase applicability score
  335.     elif (sploits[sploit]["lang"] in str(langs)):
  336.         lang = 1 # language found, increase applicability score
  337.     if lang == 0:
  338.         sploitout = sploitout + "**" # added mark if language not detected on system
  339.     # next check keyword matches to determine if some sploits have a higher probability of success
  340.     for loc in sploits[sploit]["keywords"]["loc"]:
  341.         if loc == "proc":
  342.         for proc in procs:
  343.             if keyword in proc:
  344.             highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability
  345.             break
  346.             break
  347.         elif loc == "os":
  348.         if (keyword in os) or (keyword in kernel):
  349.             highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability
  350.             break  
  351.         elif loc == "mnt":
  352.         if keyword in mount:
  353.             highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
  354.             break
  355.         else:
  356.         avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version
  357.  
  358. print "    Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!"
  359. print
  360.  
  361. print "    The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system"
  362. for exploit in highprob:
  363.     print "    - " + exploit
  364. print
  365.  
  366. print "    The following exploits are applicable to this kernel version and should be investigated as well"
  367. for exploit in avgprob:
  368.     print "    - " + exploit
  369.  
  370. print  
  371. print "Finished"
  372. print bigline
Add Comment
Please, Sign In to add comment