├── README.md
├── old-linuxprivchecker.py
└── linuxprivchecker3.py

/README.md:
--------------------------------------------------------------------------------
# linuxprivcheck
Python script for Linux privilege escalation checks

Original author is Mike Czumak (T_v3rn1x) -- @SecuritySift.

## Scripts

* old-linuxprivchecker.py: the well-known linuxprivchecker.py (Python 2) with updates. No longer maintained.
* linuxprivchecker3.py: the well-known linuxprivchecker.py, compatible with both Python 2 and 3, with updates.

## Options

The *--fast* option skips the search for passwords in .sh files (a `find / -name '*.sh'` walk over the whole filesystem).

## What's new

* Support for both Python 2 and 3 in one script
* Tips (jail escape) and resources (links)
* Fixed broken links
* Support for *ip* and *ss* on newer Linux versions where *ifconfig*, *route* and *netstat* are absent
* A *--fast* option (skips the search for passwords in .sh files)
* New checks for:
  * Capabilities
  * Systemd timers
  * Open screen and tmux sessions
  * Membership of the current user in the docker group (https://fosterelli.co/privilege-escalation-via-docker.html) or the lxc/lxd group (https://github.com/initstring/lxd_root)
* Checks for passwords:
  * grub passwords or hashes
  * passwords in .sh scripts
  * /etc/security/opasswd
* Check for SSH agent sockets in /tmp (https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/)
* Improved exploit section:
  * New exploits added (a more complete and up-to-date tool is still recommended for this part)
  * Corrected version ranges for existing exploits to avoid false positives

## Known issues
* No real license is defined (https://github.com/cervoise/linuxprivcheck/issues/1).

## What if Python is not on the target?

On Kali (or another Linux) install pyinstaller:

```bash
$ pip install pyinstaller
$ pip3 install pyinstaller
```

Then compile the script:

```bash
$ python -m PyInstaller --onefile old-linuxprivchecker.py
$ python3 -m PyInstaller --onefile linuxprivchecker3.py
```

The standalone ELF is written to *./dist/*.

### Known issues
* The binary is dynamically linked against the glibc of the build machine, so it will not run if the target's glibc is older than the version it requires. Build on a system whose glibc is no newer than the target's.

## Help

For help interpreting SUID binary and cron job listings, see this repo: https://github.com/cervoise/suid-bin/ or this project: https://github.com/TH3xACE/SUDO_KILLER.

To recover stored passwords, have a look at https://github.com/AlessandroZ/LaZagne or https://github.com/0xmitsurugi/gimmecredz.

--------------------------------------------------------------------------------
/old-linuxprivchecker.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

### Initial "licence"

###############################################################################################################
## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Details]:
## This script is intended to be executed locally on a Linux box to enumerate basic system info and
## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
## passwords and applicable exploits.
##-------------------------------------------------------------------------------------------------------------
## [Warning]:
## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates,
## I did not write it to be efficient and in some cases you may find the functions may not produce the desired
## results. For example, the function that links packages to running processes is based on keywords and will
## not always be accurate. Also, the exploit list included in this function will need to be updated over time.
## Feel free to change or improve it any way you see fit.
##-------------------------------------------------------------------------------------------------------------
## [Modification, Distribution, and Attribution]:
## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
## worth anything anyway :)
###############################################################################################################

### [Updates]: Antoine Cervoise -- @acervoise

# conditional import for older versions of python not compatible with subprocess
try:
    import subprocess as sub
    compatmode = 0 # newer version of python, no need for compatibility mode
except ImportError:
    import os # older version of python, need to use os instead
    compatmode = 1

import re

# title / formatting
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"

print bigline
print "LINUX PRIVILEGE ESCALATION CHECKER"
print bigline
print

# loop through dictionary, execute the commands, store the results, return updated dict
def execCmd(cmdDict):
    for item in cmdDict:
        cmd = cmdDict[item]["cmd"]
        if compatmode == 0: # newer version of python, use preferred subprocess
            out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate()
            results = out.split('\n')
        else: # older version of python, use os.popen
            echo_stdout = os.popen(cmd, 'r')
            results = echo_stdout.read().split('\n')
        cmdDict[item]["results"]=results
    return cmdDict

# print results for each previously executed command, no return value
def printResults(cmdDict):
    for item in cmdDict:
        msg = cmdDict[item]["msg"]
        results = cmdDict[item]["results"]
        print "[+] " + msg
        for result in results:
            if result.strip() != "":
                print "    " + result.strip()
        print
    return

def writeResults(msg, results):
    f = open("privcheckout.txt", "a")
    f.write("[+] " + str(len(results)-1) + " " + msg + "\n")
    for result in results:
        if result.strip() != "":
            f.write("    " + result.strip() + "\n")
    f.close()
    return

def verParts(ver):
    # "4.14.18" -> [4, 14, 18]; only the leading digits of each component count ("0+" -> 0, "32rc5" -> 32)
    parts = []
    for part in ver.split('.'):
        m = re.match(r'\d+', part)
        parts.append(int(m.group(0)) if m else 0)
    return parts

def checkVer(version, min_ver, max_ver):
    # compare lexicographically over the components both sides have, so a maxver of "3.9" covers 3.9.x;
    # a component-by-component compare would wrongly reject 5.2 against a 4.4 minimum
    version = verParts(version)
    min_ver = verParts(min_ver)
    max_ver = verParts(max_ver)
    n = min(len(version), len(min_ver))
    if version[:n] < min_ver[:n]:
        return False
    n = min(len(version), len(max_ver))
    if version[:n] > max_ver[:n]:
        return False
    return True

# Basic system info
print "[*] GETTING BASIC SYSTEM INFO...\n"

results=[]

sysInfo = {"OS":{"cmd":"cat /etc/issue","msg":"Operating System","results":results},
           "KERNEL":{"cmd":"cat /proc/version","msg":"Kernel","results":results},
           "HOSTNAME":{"cmd":"hostname", "msg":"Hostname", "results":results}
          }

sysInfo = execCmd(sysInfo)
printResults(sysInfo)

# Networking Info

print "[*] GETTING NETWORKING INFO...\n"

netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results},
           "ROUTE":{"cmd":"route", "msg":"Route", "results":results},
           "NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results}
          }

netInfo = execCmd(netInfo)
printResults(netInfo)

# File System Info
print "[*] GETTING FILESYSTEM INFO...\n"

driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results},
             "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results}
            }

driveInfo = execCmd(driveInfo)
printResults(driveInfo)

# Scheduled Cron Jobs
cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs", "results":results},
            "CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs", "results":results}
           }

cronInfo = execCmd(cronInfo)
printResults(cronInfo)

# User Info
print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n"

userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results},
            "ID":{"cmd":"id","msg":"Current User ID", "results":results},
            "ALLUSERS":{"cmd":"cat /etc/passwd", "msg":"All users", "results":results},
            "SUPUSERS":{"cmd":"grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg":"Super Users Found:", "results":results},
            "HISTORY":{"cmd":"ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg":"Root and current user history (depends on privs)", "results":results},
            "ENV":{"cmd":"env 2>/dev/null | grep -v 'LS_COLORS'", "msg":"Environment", "results":results},
            "GROUPS":{"cmd":"cat /etc/group |grep docker", "msg":"Users in docker group (https://fosterelli.co/privilege-escalation-via-docker.html)", "results":results},
            "SUDOERS":{"cmd":"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg":"Sudoers (privileged)", "results":results},
            "LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity", "results":results},
            "SSHSESSION":{"cmd":"ls /tmp/ssh* 2>/dev/null", "msg":"SSH agent sockets (https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/)", "results":results},
           }

userInfo = execCmd(userInfo)
printResults(userInfo)

if "root" in userInfo["ID"]["results"][0]:
    print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n"

# File/Directory Privs
print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n"

fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},
           "WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},
           "WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results},
           "SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results},
           "ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results}
          }

fdPerms = execCmd(fdPerms)
printResults(fdPerms)

pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'", "results":results},
            "CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'", "results":results},
            "SCRIPTPWDS":{"cmd":"find / -name '*.sh' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Sh scripts containing keyword 'password'", "results":results},
            "SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)", "results":results}
           }

pwdFiles = execCmd(pwdFiles)
printResults(pwdFiles)

# Processes and Applications
print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n"

# /proc/version spells the distro with a capital ("Ubuntu", "Debian"), so compare case-insensitively
kernelstr = sysInfo["KERNEL"]["results"][0].lower()
if "debian" in kernelstr or "ubuntu" in kernelstr:
    getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian
else:
    getPkgs = "rpm -qa | sort -u" # RH/other

getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes", "results":results},
              "PKGS":{"cmd":getPkgs, "msg":"Installed Packages", "results":results}
             }

getAppProc = execCmd(getAppProc)
printResults(getAppProc) # comment to reduce output

otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out https://www.exploit-db.com/search?q=sudo&type=local)", "results":results},
              "APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules", "results":results},
              "APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File", "results":results}
            }

otherApps = execCmd(otherApps)
printResults(otherApps)

print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n"

# find the package information for the processes currently running
# under root or another super user

procs = getAppProc["PROCS"]["results"]
pkgs = getAppProc["PKGS"]["results"]
supusers = userInfo["SUPUSERS"]["results"]
procdict = {} # dictionary to hold the processes running as super users

for proc in procs: # loop through each process
    relatedpkgs = [] # list to hold the packages related to a process
    try:
        for user in supusers: # loop through the known super users
            if (user != "") and (user in proc): # if the process is being run by a super user
                procname = proc.split(" ")[4] # grab the process name (5th field of the awk output above)
                if "/" in procname:
                    splitname = procname.split("/")
                    procname = splitname[len(splitname)-1]
                for pkg in pkgs: # loop through the packages
                    if not len(procname) < 3: # name too short to get reliable package results
                        if procname in pkg:
                            if proc in procdict: # keyed by the full process line, not by procname
                                relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list
                            if pkg not in relatedpkgs:
                                relatedpkgs.append(pkg) # add pkg to the list
                procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry
    except:
        pass

for key in procdict:
    print "    " + key # print the process name
    if procdict[key]: # only print the rest if related packages were found
        print "        Possible Related Packages: "
        for entry in procdict[key]:
            print "            " + entry # print each related package

# EXPLOIT ENUMERATION

# First discover the available tools
print
print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n"

devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}}
devTools = execCmd(devTools)
printResults(devTools)

print "[+] Related Shell Escape Sequences...\n"
escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "python":["python -c \"import os; os.system('/bin/bash');\""], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]}
for cmd in escapeCmd:
    for result in devTools["TOOLS"]["results"]:
        if cmd in result:
            for item in escapeCmd[cmd]:
                print "    " + cmd + "-->\t" + item
print
print "[*] FINDING RELEVANT PRIVILEGE ESCALATION EXPLOITS...\n"

# Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), 'os' and 'mnt'
sploits= { "Linux BPF Sign Extension Local Privilege Escalation":{"minver":"4.4.0", "maxver":"4.14.18", "exploitdb":"45058", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "Linux Kernel 2.6.22 < 3.9 (x86/x64) - Dirty COW - SUID Method":{"minver":"2.6.22", "maxver":"3.9", "exploitdb":"40616", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "Linux Kernel 2.6.22 < 3.9 (x86/x64) - Dirty COW - Firefart":{"minver":"2.6.22", "maxver":"3.9", "exploitdb":"40839", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"3", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "< 2.4.20 Module Loader Local Root Exploit":{"minver":"0", "maxver":"2.4.20", "exploitdb":"12", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.4.22 do_brk() local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"129", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"0", "maxver":"2.4.22", "exploitdb":"131", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"145", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"0", "maxver":"2.4.29", "exploitdb":"744", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"778", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"895", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"926", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}},
           "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"0", "maxver":"2.6.11", "exploitdb":"1397", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"0", "maxver":"99", "exploitdb":"1518", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}},
           "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2004", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2005", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2006", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2011", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"0", "maxver":"2.6.17.4", "exploitdb":"2013", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"2031", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"3384", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
           "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"4460", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"0", "maxver":"2.6.11.5", "exploitdb":"4756", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}},
           "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"5092", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"5093", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
           "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"0", "maxver":"99", "exploitdb":"5720", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}},
           "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"0", "maxver":"2.6.22", "exploitdb":"6851", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.29", "exploitdb":"8369", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
           "2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8478", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
           "2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8572", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
           "2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"8673", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
294 | "2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"8678", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 295 | "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", "maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 296 | "Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"9191", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 297 | "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"9208", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}}, 298 | "2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"2", "maxver":"2.99", "exploitdb":"9435", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 299 | "2.x sock_sendpage() Local Root Exploit 2":{"minver":"2", "maxver":"2.99", "exploitdb":"9436", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 300 | "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9479", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 301 | "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"9542", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 302 | "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9545", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 303 | "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9574", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 304 | "< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"0", "maxver":"2.6.19", "exploitdb":"9575", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 305 | "2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", 
"maxver":"2.6.99", "exploitdb":"9598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 306 | "2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"9641", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 307 | "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"9844", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}}, 308 | "'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"10018", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}}, 309 | "2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"10613", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 310 | "Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"0", "maxver":"99", "exploitdb":"11662", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}}, 311 | "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"0", "maxver":"2.6.34", "exploitdb":"12130", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}}, 312 | "Ubuntu PAM MOTD local root":{"minver":"7", "maxver":"10.04", "exploitdb":"14339", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}}, 313 | "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36", "exploitdb":"14814", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 314 | "Kernel ia32syscall Emulation Privilege Escalation":{"minver":"0", "maxver":"2.6.36", "exploitdb":"15023", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 315 | "Linux RDS Protocol Local Privilege Escalation":{"minver":"0", "maxver":"2.6.36", "exploitdb":"15285", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 316 | "<= 2.6.37 Local Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15704", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 317 | "< 
2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"0", "maxver":"2.6.37", "exploitdb":"15774", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 318 | "CAP_SYS_ADMIN to root Exploit":{"minver":"0", "maxver":"99", "exploitdb":"15916", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 319 | "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"0", "maxver":"99", "exploitdb":"15944", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 320 | "< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"0", "maxver":"2.6.36.2", "exploitdb":"17787", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 321 | "Sendpage Local Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"19933", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}}, 322 | "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"21598", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 323 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22362", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 324 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"22363", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 325 | "Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"23674", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}}, 326 | "open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"0", "maxver":"99", "exploitdb":"25307", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 327 | "open-time Capability file_ns_capable() Privilege Escalation":{"minver":"0", "maxver":"99", "exploitdb":"25450", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 328 | } 329 | 330 | # variable declaration 331 | os = 
sysInfo["OS"]["results"][0] 332 | version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0] 333 | langs = devTools["TOOLS"]["results"] 334 | procs = getAppProc["PROCS"]["results"] 335 | kernel = str(sysInfo["KERNEL"]["results"][0]) 336 | mount = driveInfo["MOUNT"]["results"] 337 | #pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future 338 | 339 | 340 | # lists to hold ranked, applicable sploits 341 | # note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks 342 | # all applicable exploits should be checked and this function could probably use some improvement 343 | avgprob = [] 344 | highprob = [] 345 | 346 | for sploit in sploits: 347 | lang = 0 # use to rank applicability of sploits 348 | keyword = sploits[sploit]["keywords"]["val"] 349 | sploitout = sploit + " || " + "https://www.exploit-db.com/exploits/" + sploits[sploit]["exploitdb"] + " || " + "Language=" + sploits[sploit]["lang"] 350 | # first check for kernel applicability 351 | #This is not more working because for Python 4.4 > 4.14 352 | #if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]): 353 | if checkVer(version, sploits[sploit]["minver"], sploits[sploit]["maxver"]): 354 | # next check language applicability 355 | if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))): 356 | lang = 1 # language found, increase applicability score 357 | elif sploits[sploit]["lang"] == "sh": 358 | lang = 1 # language found, increase applicability score 359 | elif (sploits[sploit]["lang"] in str(langs)): 360 | lang = 1 # language found, increase applicability score 361 | if lang == 0: 362 | sploitout = sploitout + "**" # added mark if language not detected on system 363 | # next check keyword matches to determine if some sploits have a higher probability of success 364 | for loc in sploits[sploit]["keywords"]["loc"]: 365 | if loc == "proc": 
                for proc in procs:
                    if keyword in proc:
                        highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability
                        break
                break # process-keyed sploits are only listed when the process is running; the "pkg" keyword is not evaluated
            elif loc == "os":
                if (keyword in os) or (keyword in kernel):
                    highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability
                    break
            elif loc == "mnt":
                if keyword in mount:
                    highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
                    break
            else:
                avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version

print "    Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!"
print

print "    The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system"
for exploit in highprob:
    print "    - " + exploit
print

print "    The following exploits are applicable to this kernel version and should be investigated as well"
for exploit in avgprob:
    print "    - " + exploit

print
print "Finished"
print bigline
--------------------------------------------------------------------------------
/linuxprivchecker3.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

### Initial "licence"

###############################################################################################################
## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Details]:
## This script is intended to be executed locally on a Linux box to enumerate basic system info and
## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
## passwords and applicable exploits.
##-------------------------------------------------------------------------------------------------------------
## [Warning]:
## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates,
## I did not write it to be efficient and in some cases you may find the functions may not produce the desired
## results. For example, the function that links packages to running processes is based on keywords and will
## not always be accurate. Also, the exploit list included in this function will need to be updated over time.
## Feel free to change or improve it any way you see fit.
##-------------------------------------------------------------------------------------------------------------
## [Modification, Distribution, and Attribution]:
## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
## worth anything anyway :)
###############################################################################################################

### [Updates]: Antoine Cervoise -- @acervoise

# conditional import for older versions of python not compatible with subprocess
try:
    import subprocess as sub
    compatmode = 0  # newer version of python, no need for compatibility mode
except ImportError:
    import os  # older version of python, need to use os instead
    compatmode = 1

import re
import sys

# title / formatting
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"

print(bigline)
print("LINUX PRIVILEGE ESCALATION CHECKER")
print(bigline)
print("")

fast = False
if len(sys.argv) > 1:
    if sys.argv[1] == "--fast":
        fast = True

# loop through dictionary, execute the commands, store the results, return updated dict

def execCmd(cmdDict):
    for item in cmdDict:
        cmd = cmdDict[item]["cmd"]
        if compatmode == 0:  # newer version of python, use preferred subprocess
            out, error = sub.Popen(
                [cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate()
            if (sys.version_info > (3, 0)):
                # command output is bytes on Python 3; do not abort the whole run on a non-UTF-8 byte
                out = out.decode('utf-8', 'replace')
            results = out.split('\n')
        else:  # older version of python, use os.popen
            echo_stdout = os.popen(cmd, 'r')
            results = echo_stdout.read().split('\n')
        cmdDict[item]["results"] = results
    return cmdDict

# print results for each previously executed command, no return value

def printResults(cmdDict):
    for item in cmdDict:
        msg = cmdDict[item]["msg"]
        results = cmdDict[item]["results"]
        print("[+] " + msg)
        for result in results:
            if result.strip() != "":
                print("    " + result.strip())
        print("")
    return

def writeResults(msg, results):
    f = open("privcheckout.txt", "a")
    f.write("[+] " + str(len(results)-1) + " " + msg + "\n")
    for result in results:
        if result.strip() != "":
            f.write("    " + result.strip() + "\n")
    f.close()
    return

def verParts(ver):
    # "4.14.18" -> [4, 14, 18]; only the leading digits of each component count ("0+" -> 0, "32rc5" -> 32)
    parts = []
    for part in ver.split('.'):
        m = re.match(r'\d+', part)
        parts.append(int(m.group(0)) if m else 0)
    return parts

def checkVer(version, min_ver, max_ver):
    # compare lexicographically over the components both sides have, so a maxver of "3.9" covers 3.9.x;
    # a component-by-component compare would wrongly reject 5.2 against a 4.4 minimum
    version = verParts(version)
    min_ver = verParts(min_ver)
    max_ver = verParts(max_ver)
    n = min(len(version), len(min_ver))
    if version[:n] < min_ver[:n]:
        return False
    n = min(len(version), len(max_ver))
    if version[:n] > max_ver[:n]:
        return False
    return True

# Basic system info
print("[*] GETTING BASIC SYSTEM INFO...\n")

results = []

sysInfo = {"OS": {"cmd": "hostnamectl 2>/dev/null | grep 'Operating System' | cut -d : -f 2", "msg": "Operating System", "results": results},
           "KERNEL": {"cmd": "cat /proc/version", "msg": "Kernel", "results": results},
           "HOSTNAME": {"cmd": "hostname", "msg": "Hostname", "results": results}
           }

sysInfo = execCmd(sysInfo)
printResults(sysInfo)

# Networking Info

print("[*] GETTING NETWORKING INFO...\n")

netInfo = {"NETINFO": {"cmd": "/sbin/ifconfig -a", "msg": "Interfaces", "results": results},
           "ROUTE": {"cmd": "route", "msg": "Route", "results": results},
           "NETSTAT": {"cmd": "netstat -antup | grep -v 'TIME_WAIT'", "msg": "Netstat", "results": results}
           }

netInfo = execCmd(netInfo)

if netInfo['NETINFO']['results'] == ['']:  # no ifconfig output: fall back to iproute2 (ip / ss) on newer systems
    netInfo = {"NETINFO": {"cmd": "ip address show", "msg": "Interfaces", "results": results},
               "ROUTE": {"cmd": "ip route", "msg": "Route", "results": results},
               "NETSTAT":
{"cmd": "ss -lut | grep -v 'TIME_WAIT'", "msg": "Netstat", "results": results} 132 | } 133 | netInfo = execCmd(netInfo) 134 | 135 | 136 | printResults(netInfo) 137 | 138 | # File System Info 139 | print("[*] GETTING FILESYSTEM INFO...\n") 140 | 141 | driveInfo = {"MOUNT": {"cmd": "mount", "msg": "Mount results", "results": results}, 142 | "FSTAB": {"cmd": "cat /etc/fstab 2>/dev/null", "msg": "fstab entries", "results": results} 143 | } 144 | 145 | driveInfo = execCmd(driveInfo) 146 | printResults(driveInfo) 147 | 148 | # Scheduled Cron Jobs 149 | cronInfo = {"CRON": {"cmd": "ls -la /etc/cron* 2>/dev/null", "msg": "Scheduled cron jobs", "results": results}, 150 | "CRONW": {"cmd": "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg": "Writable cron dirs", "results": results}, 151 | "SYSTEMDTIMERS": {"cmd": "systemctl list-timers --all 2>/dev/null", "msg": "Systemd timers", "results": results} 152 | } 153 | 154 | cronInfo = execCmd(cronInfo) 155 | printResults(cronInfo) 156 | 157 | # User Info 158 | print("\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n") 159 | 160 | userInfo = {"WHOAMI": {"cmd": "whoami", "msg": "Current User", "results": results}, 161 | "ID": {"cmd": "id", "msg": "Current User ID", "results": results}, 162 | "ALLUSERS": {"cmd": "cat /etc/passwd", "msg": "All users", "results": results}, 163 | "SUPUSERS": {"cmd": "grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg": "Super Users Found:", "results": results}, 164 | "HISTORY": {"cmd": "ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg": "Root and current user history (depends on privs)", "results": results}, 165 | "ENV": {"cmd": "env 2>/dev/null | grep -v 'LS_COLORS'", "msg": "Environment", "results": results}, 166 | "GROUPS":{"cmd":"grep 'docker\|lxd' /etc/group", "msg":"Users in docker group (https://fosterelli.co/privilege-escalation-via-docker.html) or lxc/lxd (https://github.com/initstring/lxd_root)", "results":results}, 167 | "SUDOERS": {"cmd": 
"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg": "Sudoers (privileged)", "results": results}, 168 | "LOGGEDIN": {"cmd": "w 2>/dev/null", "msg": "Logged in User Activity", "results": results}, 169 | "SSHSESSION":{"cmd":"ls /tmp/ssh* 2>/dev/null", "msg":"SSH Agent Connexion (https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/)", "results":results}, 170 | "MULTIPLEX":{"cmd":"screen -ls 2> /dev/null || true && tmux ls 2> /dev/null", "msg":"Screen and Tmux socket (another user session may be open)", "results": results} 171 | } 172 | 173 | userInfo = execCmd(userInfo) 174 | printResults(userInfo) 175 | 176 | if "root" in userInfo["ID"]["results"][0]: 177 | print("[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n") 178 | 179 | # File/Directory Privs 180 | print("[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n") 181 | 182 | fdPerms = {"WWDIRSROOT": {"cmd": "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg": "World Writeable Directories for User/Group 'Root'", "results": results}, 183 | "WWDIRS": {"cmd": "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg": "World Writeable Directories for Users other than Root", "results": results}, 184 | "WWFILES": {"cmd": "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg": "World Writable Files", "results": results}, 185 | "SUID": {"cmd": "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg": "SUID/SGID Files and Directories", "results": results}, 186 | "ROOTHOME": {"cmd": "ls -ahlR /root 2>/dev/null", "msg": "Checking if root's home folder is accessible", "results": results}, 187 | "CAPABILITIES": {"cmd": "getcap -r / 2> /dev/null", "msg": "Checking for capabilities in /", "results": results} 188 | } 189 | 190 | 
fdPerms = execCmd(fdPerms) 191 | printResults(fdPerms) 192 | 193 | if fast: 194 | pwdFiles = {"LOGPWDS": {"cmd": "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg": "Logs containing keyword 'password'", "results": results}, 195 | "CONFPWDS": {"cmd": "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg": "Config files containing keyword 'password'", "results": results}, 196 | "SHADOW": {"cmd": "cat /etc/shadow 2>/dev/null", "msg": "Shadow File (Privileged)", "results": results}, 197 | "OPASSWD": {"cmd": "cat /etc/security/opasswd 2>/dev/null", "msg": "Old passwords used by pam_cracklib", "results": results}, 198 | "GRUBPASS": {"cmd": "grep password /boot/grub/* 2>/dev/null", "msg": "Grub passwords or hashes", "results": results} 199 | } 200 | else: 201 | pwdFiles = {"LOGPWDS": {"cmd": "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg": "Logs containing keyword 'password'", "results": results}, 202 | "CONFPWDS": {"cmd": "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg": "Config files containing keyword 'password'", "results": results}, 203 | "SHADOW": {"cmd": "cat /etc/shadow 2>/dev/null", "msg": "Shadow File (Privileged)", "results": results}, 204 | "OPASSWD": {"cmd": "cat /etc/security/opasswd 2>/dev/null", "msg": "Old passwords used by pam_cracklib", "results": results}, 205 | "GRUBPASS": {"cmd": "grep password /boot/grub/* 2>/dev/null", "msg": "Grub passwords or hashes", "results": results}, 206 | "SCRIPTPWDS":{"cmd":"find / -name '*.sh' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Sh scripts containing keyword 'password'", "results":results} 207 | } 208 | 209 | pwdFiles = execCmd(pwdFiles) 210 | printResults(pwdFiles) 211 | 212 | # Processes and Applications 213 | print("[*] ENUMERATING PROCESSES AND APPLICATIONS...\n") 214 | 215 | if "debian" in sysInfo["KERNEL"]["results"][0] 
or "ubuntu" in sysInfo["KERNEL"]["results"][0]: 216 | getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian) 217 | else: 218 | getPkgs = "rpm -qa | sort -u" # RH/other 219 | 220 | getAppProc = {"PROCS": {"cmd": "ps aux | awk '{print($1,$2,$9,$10,$11)}'", "msg": "Current processes", "results": results}, 221 | "PKGS": {"cmd": getPkgs, "msg": "Installed Packages", "results": results} 222 | } 223 | 224 | getAppProc = execCmd(getAppProc) 225 | printResults(getAppProc) # comment to reduce output 226 | 227 | otherApps = {"SUDO": {"cmd": "sudo -V | grep version 2>/dev/null", "msg": "Sudo Version (Check out https://www.exploit-db.com/search?q=sudo&type=local)", "results": results}, 228 | "APACHE": {"cmd": "apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg": "Apache Version and Modules", "results": results}, 229 | "APACHECONF": {"cmd": "cat /etc/apache2/apache2.conf 2>/dev/null", "msg": "Apache Config File", "results": results} 230 | } 231 | 232 | otherApps = execCmd(otherApps) 233 | printResults(otherApps) 234 | 235 | print("[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n") 236 | 237 | # find the package information for the processes currently running 238 | # under root or another super user 239 | 240 | procs = getAppProc["PROCS"]["results"] 241 | pkgs = getAppProc["PKGS"]["results"] 242 | supusers = userInfo["SUPUSERS"]["results"] 243 | procdict = {} # dictionary to hold the processes running as super users 244 | 245 | for proc in procs: # loop through each process 246 | relatedpkgs = [] # list to hold the packages related to a process 247 | try: 248 | for user in supusers: # loop through the known super users 249 | if (user != "") and (user in proc): # if the process is being run by a super user 250 | procname = proc.split(" ")[4] # grab the process name 251 | if "/" in procname: 252 | splitname = procname.split("/") 253 | procname = splitname[len(splitname)-1] 254 | for pkg in pkgs: # loop through the packages 255 | 
if not len(procname) < 3: # name too short to get reliable package results 256 | if procname in pkg: 257 | if procname in procdict: 258 | # if already in the dict, grab its pkg list 259 | relatedpkgs = procdict[proc] 260 | if pkg not in relatedpkgs: 261 | relatedpkgs.append(pkg) # add pkg to the list 262 | # add any found related packages to the process dictionary entry 263 | procdict[proc] = relatedpkgs 264 | except: 265 | pass 266 | 267 | for key in procdict: 268 | print(" " + key) # print the process name) 269 | try: 270 | # only print(the rest if related packages were found) 271 | if not procdict[key][0] == "": 272 | print(" Possible Related Packages: ") 273 | for entry in procdict[key]: 274 | print(" " + entry) # print each related package) 275 | except: 276 | pass 277 | 278 | # EXPLOIT ENUMERATION 279 | 280 | # First discover the avaialable tools 281 | print("") 282 | print("[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n") 283 | 284 | devTools = {"TOOLS": {"cmd": "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", 285 | "msg": "Installed Tools", "results": results}} 286 | devTools = execCmd(devTools) 287 | printResults(devTools) 288 | 289 | print("[+] Related Shell Escape Sequences (check https://gtfobins.github.io/)...\n") 290 | escapeCmd = {"vi": [":!bash", ":set shell=/bin/bash:shell"], "awk": ["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl": [ 291 | "perl -e 'exec \"/bin/bash\";'"], "python":["python -c \"import os; os.system('/bin/bash');\""], "find": ["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap": ["--interactive"]} 292 | for cmd in escapeCmd: 293 | for result in devTools["TOOLS"]["results"]: 294 | if cmd in result: 295 | for item in escapeCmd[cmd]: 296 | print(" " + cmd + "-->\t" + item) 297 | print("") 298 | print("[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n") 299 | 300 | # Now check for relevant exploits (note: this list should be updated over time; 
source: Exploit-DB) 301 | # sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os' 302 | sploits = {"Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds":{"minver":"4.4.0", "maxver":"4.14.18", "exploitdb":"47779", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}}, 303 | "OpenSMTPD - OOB Read Local Privilege Escalation": {"minver": "6.4.0", "maxver": "6.6.4", "exploitdb": "48185", "lang": "ruby", "keywords": {"loc": ["proc", "pkg"], "val": "opensmtpd"}}, 304 | "Linux BPF Sign Extension Local Privilege Escalation":{"minver":"5.3", "maxver":"5.4.2", "exploitdb":"45058", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 305 | "Linux Kernel 2.6.22 < 3.9 (x86/x64) - Dirty COW - SUID Method":{"minver":"2.6.22", "maxver":"3.9", "exploitdb":"40616", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 306 | "Linux Kernel 2.6.22 < 3.9 (x86/x64) - Dirty COW - Firefart":{"minver":"2.6.22", "maxver":"3.9", "exploitdb":"40839", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 307 | "Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation":{"minver":"2.6.39", "maxver":"3.2.2", "exploitdb":"18411", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, 308 | "2.2.x-2.4.x ptrace kmod local exploit": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "3", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 309 | "< 2.4.20 Module Loader Local Root Exploit": {"minver": "0", "maxver": "2.4.20", "exploitdb": "12", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 310 | "2.4.22 "'do_brk()'" local Root Exploit (PoC)": {"minver": "2.4.22", "maxver": "2.4.22", "exploitdb": "129", "lang": "asm", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 311 | "<= 2.4.22 (do_brk) Local Root Exploit (working)": {"minver": 
"0", "maxver": "2.4.22", "exploitdb": "131", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 312 | "2.4.x mremap() bound checking Root Exploit": {"minver": "2.4", "maxver": "2.4.99", "exploitdb": "145", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 313 | "<= 2.4.29-rc2 uselib() Privilege Elevation": {"minver": "0", "maxver": "2.4.29", "exploitdb": "744", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 314 | "2.4 uselib() Privilege Elevation Exploit": {"minver": "2.4", "maxver": "2.4", "exploitdb": "778", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 315 | "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "895", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 316 | "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "926", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "bluez"}}, 317 | "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)": {"minver": "0", "maxver": "2.6.11", "exploitdb": "1397", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 318 | "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit": {"minver": "0", "maxver": "99", "exploitdb": "1518", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "mysql"}}, 319 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2004", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 320 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2005", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 321 | "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2006", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 322 | "2.6.13 <= 2.6.17.4 sys_prctl() 
Local Root Exploit (4)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2011", "lang": "sh", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 323 | "<= 2.6.17.4 (proc) Local Root Exploit": {"minver": "0", "maxver": "2.6.17.4", "exploitdb": "2013", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 324 | "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2031", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 325 | "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit": {"minver": "4.10", "maxver": "7.04", "exploitdb": "3384", "lang": "c", "keywords": {"loc": ["os"], "val": "debian"}}, 326 | "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit": {"minver": "2.4", "maxver": "2.6", "exploitdb": "4460", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 327 | "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit": {"minver": "0", "maxver": "2.6.11.5", "exploitdb": "4756", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "bluetooth"}}, 328 | "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit": {"minver": "2.6.17", "maxver": "2.6.24.1", "exploitdb": "5092", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 329 | "2.6.23 - 2.6.24 vmsplice Local Root Exploit": {"minver": "2.6.23", "maxver": "2.6.24", "exploitdb": "5093", "lang": "c", "keywords": {"loc": ["os"], "val": "debian"}}, 330 | "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit": {"minver": "0", "maxver": "99", "exploitdb": "5720", "lang": "python", "keywords": {"loc": ["os"], "val": "debian"}}, 331 | "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit": {"minver": "0", "maxver": "2.6.22", "exploitdb": "6851", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 332 | "< 2.6.29 exit_notify() Local Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.29", "exploitdb": "8369", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 333 
| "2.6 UDEV Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8478", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "udev"}}, 334 | "2.6 UDEV < 141 Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8572", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "udev"}}, 335 | "2.6.x ptrace_attach Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8673", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 336 | "2.6.29 ptrace_attach() Local Root Race Condition Exploit": {"minver": "2.6.29", "maxver": "2.6.29", "exploitdb": "8678", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 337 | "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit": {"minver": "0", "maxver": "2.6.28.3", "exploitdb": "9083", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 338 | "Test Kernel Local Root Exploit 0day": {"minver": "2.6.18", "maxver": "2.6.30", "exploitdb": "9191", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 339 | "PulseAudio (setuid) Priv. 
Escalation Exploit (ubu/9.04)(slack/12.2.0)": {"minver": "2.6.9", "maxver": "2.6.30", "exploitdb": "9208", "lang": "c", "keywords": {"loc": ["pkg"], "val": "pulse"}}, 340 | "2.x sock_sendpage() Local Ring0 Root Exploit": {"minver": "2", "maxver": "2.99", "exploitdb": "9435", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 341 | "2.x sock_sendpage() Local Root Exploit 2": {"minver": "2", "maxver": "2.99", "exploitdb": "9436", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 342 | "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9479", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 343 | "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit": {"minver": "2.6", "maxver": "2.6.19", "exploitdb": "9542", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 344 | "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9545", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 345 | "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)": {"minver": "0", "maxver": "2.6.19", "exploitdb": "9574", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 346 | "< 2.6.19 udp_sendmsg Local Root Exploit": {"minver": "0", "maxver": "2.6.19", "exploitdb": "9575", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 347 | "2.4/2.6 sock_sendpage() Local Root Exploit [2]": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9598", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 348 | "2.4/2.6 sock_sendpage() Local Root Exploit [3]": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9641", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 349 | "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation": {"minver": "2.4.1", "maxver": "2.6.32", "exploitdb": "9844", "lang": "python", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 350 | "'pipe.c' Local 
Privilege Escalation Vulnerability": {"minver": "2.4.1", "maxver": "2.6.32", "exploitdb": "10018", "lang": "sh", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 351 | "2.6.18-20 2009 Local Root Exploit": {"minver": "2.6.18", "maxver": "2.6.20", "exploitdb": "10613", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 352 | "Apache Spamassassin Milter Plugin Remote Root Command Execution": {"minver": "0", "maxver": "99", "exploitdb": "11662", "lang": "sh", "keywords": {"loc": ["proc"], "val": "spamass-milter"}}, 353 | "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation": {"minver": "0", "maxver": "2.6.34", "exploitdb": "12130", "lang": "python", "keywords": {"loc": ["mnt"], "val": "reiser"}}, 354 | "Ubuntu PAM MOTD local root": {"minver": "7", "maxver": "10.04", "exploitdb": "14339", "lang": "sh", "keywords": {"loc": ["os"], "val": "ubuntu"}}, 355 | "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.36", "exploitdb": "14814", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 356 | "Kernel ia32syscall Emulation Privilege Escalation": {"minver": "0", "maxver": "2.6.36", "exploitdb": "15023", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 357 | "Linux RDS Protocol Local Privilege Escalation": {"minver": "0", "maxver": "2.6.36", "exploitdb": "15285", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 358 | "<= 2.6.37 Local Privilege Escalation (Full Nelson)": {"minver": "0", "maxver": "2.6.37", "exploitdb": "15704", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 359 | "< 2.6.37-rc2 ACPI custom_method Privilege Escalation": {"minver": "0", "maxver": "2.6.37", "exploitdb": "15774", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 360 | "CAP_SYS_ADMIN to root Exploit": {"minver": "0", "maxver": "99", "exploitdb": "15916", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 361 | "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)": {"minver": 
"0", "maxver": "99", "exploitdb": "15944", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 362 | "< 2.6.36.2 Econet Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.36.2", "exploitdb": "17787", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 363 | "Sendpage Local Privilege Escalation": {"minver": "2.4.4", "maxver": "2.4.37.4", "exploitdb": "19933", "lang": "ruby", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 364 | "Sendpage Local Privilege Escalation": {"minver": "2.6.0", "maxver": "2.6.30.4", "exploitdb": "19933", "lang": "ruby", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 365 | "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability": {"minver": "2.4.18", "maxver": "2.4.19", "exploitdb": "21598", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 366 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "22362", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 367 | "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "22363", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 368 | "Samba 2.2.8 Share Local Privilege Elevation Vulnerability": {"minver": "2.2.8", "maxver": "2.2.8", "exploitdb": "23674", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "samba"}}, 369 | "open-time Capability file_ns_capable() Privilege Escalation": {"minver": "0", "maxver": "3.8.9", "exploitdb": "25450", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, 370 | } 371 | 372 | # variable declaration 373 | os = sysInfo["OS"]["results"][0] 374 | version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0] 375 | langs = devTools["TOOLS"]["results"] 376 | procs = getAppProc["PROCS"]["results"] 377 | kernel = str(sysInfo["KERNEL"]["results"][0]) 378 | mount = driveInfo["MOUNT"]["results"] 379 | # pkgs = 
getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future 380 | 381 | 382 | # lists to hold ranked, applicable sploits 383 | # note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks 384 | # all applicable exploits should be checked and this function could probably use some improvement 385 | avgprob = [] 386 | highprob = [] 387 | 388 | for sploit in sploits: 389 | lang = 0 # use to rank applicability of sploits 390 | keyword = sploits[sploit]["keywords"]["val"] 391 | sploitout = sploit + " || " + "https://www.exploit-db.com/exploits/" + \ 392 | sploits[sploit]["exploitdb"] + " || " + \ 393 | "Language=" + sploits[sploit]["lang"] 394 | # first check for kernel applicability 395 | #This is not more working because for Python 4.4 > 4.14 396 | #if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]): 397 | if checkVer(version, sploits[sploit]["minver"], sploits[sploit]["maxver"]): 398 | # next check language applicability 399 | if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))): 400 | lang = 1 # language found, increase applicability score 401 | elif sploits[sploit]["lang"] == "sh": 402 | lang = 1 # language found, increase applicability score 403 | elif (sploits[sploit]["lang"] in str(langs)): 404 | lang = 1 # language found, increase applicability score 405 | if lang == 0: 406 | sploitout = sploitout + "**" # added mark if language not detected on system 407 | # next check keyword matches to determine if some sploits have a higher probability of success 408 | for loc in sploits[sploit]["keywords"]["loc"]: 409 | if loc == "proc": 410 | for proc in procs: 411 | if keyword in proc: 412 | # if sploit is associated with a running process consider it a higher probability/applicability 413 | highprob.append(sploitout) 414 | break 415 | break 416 | elif loc == "os": 417 | if (keyword in os) or (keyword in kernel): 
418 | # if sploit is specifically applicable to this OS consider it a higher probability/applicability 419 | highprob.append(sploitout) 420 | break 421 | elif loc == "mnt": 422 | if keyword in mount: 423 | # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability 424 | highprob.append(sploitout) 425 | break 426 | else: 427 | # otherwise, consider average probability/applicability based only on kernel version 428 | avgprob.append(sploitout) 429 | 430 | print(" Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!") 431 | print("") 432 | 433 | print(" The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system") 434 | for exploit in highprob: 435 | print(" - " + exploit) 436 | print("") 437 | 438 | print(" The following exploits are applicable to this kernel version and should be investigated as well") 439 | for exploit in avgprob: 440 | print(" - " + exploit) 441 | 442 | print("") 443 | print("Finished") 444 | print(bigline) 445 | --------------------------------------------------------------------------------
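The CAPABILITIES check in the script only dumps `getcap -r /`; what a tester wants next is to know which of those capabilities are actually usable for escalation and from which binary. The following is an added example, not code from linuxprivchecker or its authors: it parses both getcap output formats (`path = caps+flags` from older libcap, `path caps=flags` from newer ones), keeps only capabilities in the permitted set, and ranks binaries whose capabilities are already effective first. The sample getcap lines are constructed, and the set of capabilities treated as dangerous is this example's own choice.

```python
import re
import subprocess

# Capabilities that hand root-equivalent power to whoever can run the binary.
# This set is the example's own choice (an assumption); extend it as needed.
DANGEROUS_CAPS = {
    "cap_setuid": "setuid(0) from inside the program (python/perl: os.setuid(0), then exec a shell)",
    "cap_setgid": "switch to any group, e.g. shadow or disk",
    "cap_sys_admin": "mount() and a long list of other admin operations",
    "cap_sys_module": "load a kernel module",
    "cap_sys_ptrace": "attach to root-owned processes and inject code",
    "cap_dac_override": "write any file: /etc/passwd, /etc/sudoers, root's authorized_keys",
    "cap_dac_read_search": "read any file: /etc/shadow, private keys",
    "cap_chown": "take ownership of any file",
    "cap_fowner": "chmod any file, e.g. make /etc/passwd world-writable",
}

# getcap prints "/path = cap_a,cap_b+ep" (older libcap) or "/path cap_a,cap_b=ep" (newer)
_LINE_RE = re.compile(r"^(?P<path>\S+)(?:\s*=\s*|\s+)(?P<caps>\S+)$")


def parse_getcap_line(line):
    """Return (path, set_of_capability_names, flag_letters) or None for non-getcap lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    caps = m.group("caps")
    sep = max(caps.rfind("+"), caps.rfind("="))  # flag letters follow the last '+' or '='
    if sep == -1:
        names, flags = caps, ""
    else:
        names, flags = caps[:sep], caps[sep + 1:]
    return m.group("path"), set(names.lower().split(",")), flags


def triage_getcap(output):
    """List (path, dangerous_caps, flags) for every entry worth a look, most useful first."""
    findings = []
    for line in output.splitlines():
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, caps, flags = parsed
        bad = sorted(c for c in caps if c in DANGEROUS_CAPS)
        # 'p' (permitted) is what matters: without it the capability can never be raised
        if bad and "p" in flags:
            findings.append((path, bad, flags))
    # 'e' (effective) means the capability is active at exec time, so a script interpreter
    # can use it without calling capset(); rank those before permitted-only entries
    findings.sort(key=lambda f: ("e" not in f[2], f[0]))
    return findings


# Constructed sample of what `getcap -r / 2>/dev/null` could print on a mixed-libcap box
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/local/bin/backup cap_dac_read_search=ep
/usr/bin/gdb = cap_sys_ptrace+p
"""


def live_getcap():
    """Real output of `getcap -r /` on this host, or '' when getcap is not installed."""
    try:
        return subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, universal_newlines=True).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    output = live_getcap() or SAMPLE_GETCAP
    for path, bad, flags in triage_getcap(output):
        print("%s  [%s]  %s" % (path, flags, ", ".join(bad)))
        for cap in bad:
            print("    %s: %s" % (cap, DANGEROUS_CAPS[cap]))
```

On the constructed sample the interpreter with `cap_setuid+ep` comes out on top, `cap_net_raw` on ping is ignored, and gdb with `cap_sys_ptrace+p` is listed last because the capability is permitted but not effective. Run against a real host, the script feeds the live getcap output through the same function.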
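Two of the checks above stop short of what a tester actually needs: GROUPS greps /etc/group for docker/lxd without saying whether the *current* user is a member, and CRONW (`ls -aRl /etc/cron* | awk '$1 ~ /w.$/'`) only catches world-writable entries, not cron files writable through one of the user's own groups or owned by the user. The following added example, which is not linuxprivchecker's own code, does both against the current user: it parses `id` output and /etc/group to distinguish a membership the shell already has from one that only takes effect at the next login, and it parses the same `ls -aRl` output the script already produces. All sample `id`, group-file and `ls` lines are constructed.

```python
import re

# Groups whose membership is root-equivalent, with the references the README points to
DANGEROUS_GROUPS = {
    "docker": "https://fosterelli.co/privilege-escalation-via-docker.html",
    "lxd": "https://github.com/initstring/lxd_root",
    "lxc": "https://github.com/initstring/lxd_root",
}


def parse_id(id_output):
    """'uid=1000(bob) gid=1000(bob) groups=1000(bob),999(docker)' -> ('bob', {'bob', 'docker'})"""
    user = re.search(r"uid=\d+\(([^)]+)\)", id_output)
    grp = re.search(r"groups=(\S+)", id_output)
    groups = set(re.findall(r"\d+\(([^)]+)\)", grp.group(1))) if grp else set()
    return (user.group(1) if user else ""), groups


def parse_group_file(text):
    """/etc/group 'name:x:gid:m1,m2' -> {name: set(members)}; primary groups live in /etc/passwd."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and not line.startswith("#"):
            groups[fields[0]] = set(m for m in fields[3].split(",") if m)
    return groups


def dangerous_group_membership(id_output, group_file):
    """One dict per dangerous group that exists on the host. 'in_session' comes from `id`
    (what the current shell can use right now); 'in_group_file' catches a membership that
    only becomes effective after the next login (or `newgrp`)."""
    user, session_groups = parse_id(id_output)
    file_groups = parse_group_file(group_file)
    return [{"group": name, "ref": ref,
             "in_session": name in session_groups,
             "in_group_file": user in file_groups[name],
             "members": sorted(file_groups[name])}
            for name, ref in DANGEROUS_GROUPS.items() if name in file_groups]


def parse_ls_recursive(output):
    """(path, mode, owner, group) for each entry of `ls -aRl`; '/etc/cron.d:' headers set the directory."""
    cwd = ""
    for line in output.splitlines():
        if line.startswith("/") and line.endswith(":"):
            cwd = line[:-1]
            continue
        fields = line.split(None, 8)  # mode links owner group size month day time name
        if len(fields) < 9 or len(fields[0]) < 10:
            continue  # blank lines, "total N"
        mode, owner, group, name = fields[0], fields[2], fields[3], fields[8].split(" -> ")[0]
        if name == "..":
            continue
        path = cwd if name == "." else (cwd + "/" + name if cwd else name)
        yield path, mode, owner, group


def writable_cron_entries(ls_output, user, user_groups):
    """Cron files and directories the user can modify, with the reason. A writable directory
    is enough on its own: a file dropped into /etc/cron.d runs as root."""
    findings = []
    for path, mode, owner, group in parse_ls_recursive(ls_output):
        reasons = []
        if mode[8] == "w":  # in "-rwxrwxrwx" index 8 is the 'other' write bit
            reasons.append("world-writable")
        if mode[5] == "w" and group != "root" and group in user_groups:
            reasons.append("group-writable via " + group)  # index 5 is the 'group' write bit
        if owner == user:
            reasons.append("owned by " + user)
        if reasons:
            findings.append((path, mode, ", ".join(reasons)))
    return findings


# Constructed samples standing in for `id`, /etc/group and `ls -aRl /etc/cron*` output
SAMPLE_ID = "uid=1000(bob) gid=1000(bob) groups=1000(bob),27(sudo),999(docker),1001(devs)"
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:bob\ndocker:x:999:alice,bob\nlxd:x:998:alice\ndevs:x:1001:bob\n"
SAMPLE_LS = """\
/etc/cron.d:
total 16
drwxr-xr-x  2 root root 4096 Jan  1 00:00 .
drwxr-xr-x 90 root root 4096 Jan  1 00:00 ..
-rw-r--r--  1 root root  102 Jan  1 00:00 e2scrub_all
-rw-rw-r--  1 root devs  210 Jan  1 00:00 backup

/etc/cron.hourly:
total 8
drwxrwxrwx  2 root root 4096 Jan  1 00:00 .
drwxr-xr-x 90 root root 4096 Jan  1 00:00 ..
-rwxr-xr-x  1 bob  bob   140 Jan  1 00:00 cleanup
"""

if __name__ == "__main__":
    user, groups = parse_id(SAMPLE_ID)
    for f in dangerous_group_membership(SAMPLE_ID, SAMPLE_GROUP):
        print("%(group)s: in session=%(in_session)s, in /etc/group=%(in_group_file)s, members=%(members)s (%(ref)s)" % f)
    for path, mode, why in writable_cron_entries(SAMPLE_LS, user, groups):
        print("%s %s: %s" % (mode, path, why))
```

On the sample data, bob is in docker both in his session and in the group file, lxd exists but only alice is in it, and three cron entries are flagged: `/etc/cron.d/backup` through the devs group, the `/etc/cron.hourly` directory itself because it is world-writable, and `/etc/cron.hourly/cleanup` because bob owns it. The awk check in the script would report only the directory.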