├── README ├── linux_privcheck.py └── privinfo.txt /README: -------------------------------------------------------------------------------- 1 | ##### Linux privilege checker ##### 2 | 3 | Searches for privileges, service settings, sensitive information, running 4 | processes, installed programs, network statistics, logs, permissions and various other information about the system. 5 | 6 | Suggests exploits based on the detected kernel version. 7 | 8 | Inspired from g0tm1lk's cheatsheet, available at http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html 9 | 10 | 11 | NOTES 12 | 13 | Full output may be excessive, I tried to break it down in specific functions to make it easy to check for relevant information only by commenting out the unnecessary bits. 14 | 15 | It's using the subprocess module for running commands. 16 | 17 | Running time may vary, with all checks enabled it took ~1min on a freshly installed Debian and ~4min on a custom Kali system. 18 | 19 | Regarding the exploit finding functionality: 20 | 21 | - in the vulnerable kernels, I prioritized the versions given in the respective CVE, unless specified otherwise in the 22 | exploit source code 23 | 24 | - there is some redundancy in the exploit dictionaries, because I wanted to keep them classified in 25 | kernel versions (2.4, 2.6, etc.) 26 | 27 | - some CVEs have multiple exploits available, I tried getting the verified ones, and those which were stable and up-to-date 28 | 29 | - some false positives / negatives are inevitable 30 | 31 | CODE BREAKDOWN 32 | 33 | The checks are split into functions for each information category: 34 | 35 | searchOS - gets information about the system, its version, SELinux status, uptime, and more 36 | chkSrvc - lists running processes 37 | chkApps - looks at what is installed on the system 38 | chkSrvcSettings - reads configuration files for various services, like apache, syslog and others 39 | lsJobs - checks what jobs are scheduled 40 | netInfo - various info about the network configuration 41 | currNetStats - current status of network connections 42 | chkUsers - information about user accounts on the system 43 | chkIntrstFiles - attempts to access files with potentially sensitive information, SSH config files, MySQL, and others 44 | chkLogs - looks at different log categories, in conjunction with the tail command 45 | chkWebSettings - what web concent is being served on the system 46 | chkFS - filesystem information 47 | findTools - looks for tools that might aid in further exploitation, like nmap, netcat, python, etc. 48 | findPerm - permissions check 49 | findExploits - suggests suitable exploits from ExploitDB based on the detected kernel version 50 | 51 | DEMO 52 | 53 | See text file for output. 54 | 55 | Sample output for the exploit finder: 56 | 57 | Kernel version is 3.10.0-514.21.1.el7.x86_64 58 | 59 | ########################################### 60 | POTENTIALLY VULNERABLE TO 61 | Name: Double-free usb-midi SMEP Local Privilege Escalation 62 | CVE: CVE-2016-2384 63 | Source code: https://www.exploit-db.com/exploits/41999/ 64 | ########################################### 65 | ########################################### 66 | POTENTIALLY VULNERABLE TO 67 | Name: overlayfs Privilege Escalation 68 | CVE: CVE-2015-1328 69 | Source code: https://www.exploit-db.com/exploits/37292/ 70 | ########################################### 71 | ########################################### 72 | POTENTIALLY VULNERABLE TO 73 | Name: ptrace/sysret Privilege Escalation 74 | CVE: CVE-2014-4699 75 | Source code: https://www.exploit-db.com/exploits/34134/ 76 | ########################################### 77 | ########################################### 78 | POTENTIALLY VULNERABLE TO 79 | Name: CLONE_NEWUSER|CLONE_FS Privilege Escalation 80 | CVE: N/A 81 | Source code: https://www.exploit-db.com/exploits/38390/ 82 | ########################################### 83 | ########################################### 84 | POTENTIALLY VULNERABLE TO 85 | Name: b43 Wireless Driver Privilege Escalation 86 | CVE: CVE-2013-2852 87 | Source code: https://www.exploit-db.com/exploits/38559/ 88 | ########################################### 89 | ########################################### 90 | POTENTIALLY VULNERABLE TO 91 | Name: open-time Capability file_ns_capable() Privilege Escalation 92 | CVE: CVE-2013-1959 93 | Source code: https://www.exploit-db.com/exploits/25450/ 94 | ########################################### 95 | 96 | -------------------------------------------------------------------------------- /linux_privcheck.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import subprocess 4 | import sys 5 | import glob 6 | import os.path 7 | 8 | # global var for the no. of lines tail will use 9 | TAIL_LINES = '20' 10 | 11 | 12 | # helper functions 13 | 14 | def writeInfo(data): 15 | try: 16 | with open('privinfo.txt', 'a') as f: 17 | f.write(data + '\n') 18 | return 19 | except IOError, e: 20 | print e 21 | sys.exit(1) 22 | 23 | 24 | def runCmd(cmd): 25 | proc = subprocess.Popen(cmd, stdout = subprocess.PIPE, \ 26 | stderr = subprocess.STDOUT) 27 | stdout, stderr = proc.communicate() 28 | if stderr != None: 29 | print stderr 30 | return 31 | return stdout 32 | 33 | 34 | def runCmdShell(cmd): 35 | """ 36 | For the cmds that required shell=True 37 | """ 38 | proc = subprocess.Popen(cmd, stdout = subprocess.PIPE, \ 39 | stderr = subprocess.STDOUT, shell = True) 40 | stdout, stderr = proc.communicate() 41 | if stderr != None: 42 | print stderr 43 | return 44 | return stdout 45 | 46 | 47 | 48 | 49 | def readFile(f): 50 | with open(os.path.expanduser(f), 'r') as fd: 51 | return fd.read() 52 | 53 | 54 | def pipeCmd(cmd1, cmd2): 55 | """ 56 | The args are lists of commands that will be passed to Popen 57 | """ 58 | p1 = subprocess.Popen(cmd1, stdout = subprocess.PIPE) 59 | p2 = subprocess.Popen(cmd2, stdin = p1.stdout, stdout = subprocess.PIPE) 60 | p1.stdout.close() 61 | out = p2.communicate()[0] 62 | p1.wait() 63 | return out 64 | 65 | 66 | def fileMsg(f): 67 | msg = '####### Trying to read ' + f + '... #######\n' 68 | print msg 69 | return msg 70 | 71 | 72 | 73 | def cmdMsg(cmd): 74 | msg = '#######Trying to run ' + str(cmd) + ':#######\n\n' 75 | print msg 76 | return msg 77 | 78 | def pipeCmdMsg(cmd1, cmd2): 79 | msg = '#######Trying to run ' + str(cmd1) + ' | ' + str(cmd2) + ':#######\n\n' 80 | print msg 81 | return msg 82 | 83 | def glbMsg(cmd, g): 84 | msg = '#######Trying to run ' + str(cmd) + ' on ' + g + ' :#######\n\n' 85 | print msg 86 | return msg 87 | 88 | def foundMsg(name, cve, src): 89 | print '###########################################' 90 | print 'POTENTIALLY VULNERABLE TO' 91 | print 'Name: ' + name 92 | print 'CVE: ' + cve 93 | print 'Source code: ' + src 94 | print '###########################################' 95 | 96 | # functions that perform different checks 97 | 98 | def searchOS(): 99 | """ 100 | Gathers information about the OS 101 | """ 102 | files = ['/etc/issue', 103 | '/etc/os-release', 104 | '/proc/version', 105 | '/etc/lsb-release', 106 | '/etc/redhat-release', 107 | '/etc/profile', 108 | '/etc/bashrc', 109 | '~/.bash_profile', 110 | '~/.bashrc', 111 | '~/.bash_logout', 112 | '/etc/timezone'] 113 | for f in files: 114 | try: 115 | fmsg = fileMsg(f) 116 | writeInfo(fmsg) 117 | out = readFile(f) 118 | print out 119 | writeInfo(out) 120 | except IOError, e: 121 | # print e 122 | writeInfo('FAILED: ' + str(e)+ '\n') 123 | continue 124 | 125 | 126 | commands = {'uname': ['uname', '-a'], 127 | 'lpstat': ['lpstat', '-a'], 128 | 'env': ['env'], 129 | 'uptime': ['uptime'], 130 | 'getenforce': ['getenforce']} # check SELinux status 131 | 132 | for c in commands: 133 | try: 134 | cmsg = cmdMsg(commands[c]) 135 | writeInfo(cmsg) 136 | stdout = runCmd(commands[c]) 137 | print stdout 138 | writeInfo(stdout) 139 | except (OSError, IOError), e: 140 | # print e, commands[c] 141 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 142 | continue 143 | 144 | 145 | 146 | pipecmds = {'bootimg': (['ls', '/boot'], ['grep', 'vmlinuz'])} 147 | for c in pipecmds: 148 | try: 149 | arg1 = pipecmds[c][0] 150 | arg2 = pipecmds[c][1] 151 | pmsg = pipeCmdMsg(arg1, arg2) 152 | writeInfo(pmsg) 153 | out = pipeCmd(arg1, arg2) 154 | print out 155 | writeInfo(out) 156 | except (OSError, IOError), e: 157 | # print e, str(pipecmds[c]) 158 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(pipecmds[c]) + '\n') 159 | continue 160 | 161 | 162 | def chkSrvc(): 163 | """ 164 | Lists running processes 165 | """ 166 | commands = {'top': ['top', 'bn', '1'], 167 | 'ps': ['ps', '-ef']} 168 | for c in commands: 169 | try: 170 | cmsg = cmdMsg(commands[c]) 171 | writeInfo(cmsg) 172 | stdout = runCmd(commands[c]) 173 | print stdout 174 | writeInfo(stdout) 175 | except (OSError, IOError), e: 176 | # print e, commands[c] 177 | # writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 178 | continue 179 | 180 | 181 | pipecmds = {'rootsrvc': (['ps', '-ef'], ['grep', 'root'])} 182 | for c in pipecmds: 183 | try: 184 | arg1 = pipecmds[c][0] 185 | arg2 = pipecmds[c][1] 186 | pmsg = pipeCmdMsg(arg1, arg2) 187 | writeInfo(pmsg) 188 | out = pipeCmd(arg1, arg2) 189 | print out 190 | writeInfo(out) 191 | except (OSError, IOError), e: 192 | # print e, str(pipecmds[c]) 193 | # writeInfo('FAILED: ' + str(e)+ ' : ' + str(pipecmds[c]) + '\n') 194 | continue 195 | 196 | 197 | 198 | def chkApps(): 199 | """ 200 | Looks at installed applications 201 | """ 202 | commands = {'ls bin': ['ls', '-alh', '/usr/bin/'], 203 | 'ls sbin': ['ls', '-alh', '/sbin/'], 204 | 'dpkg': ['dpkg', '-l'], 205 | 'rpm': ['rpm', '-qa'], 206 | 'ls apt': ['ls', '-alh', '/var/cache/apt/archives'], 207 | 'ls yum': ['ls', '-alh', '/var/cache/yum/ ']} 208 | for c in commands: 209 | try: 210 | cmsg = cmdMsg(commands[c]) 211 | writeInfo(cmsg) 212 | stdout = runCmd(commands[c]) 213 | print stdout 214 | writeInfo(stdout) 215 | except (OSError, IOError), e: 216 | print e, commands[c] 217 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 218 | continue 219 | 220 | def chkSrvcSettings(): 221 | """ 222 | Reads configuration files for various services 223 | """ 224 | files = ['/etc/syslog.conf ', 225 | '/etc/chttp.conf', 226 | '/etc/lighttpd.conf', 227 | '/etc/cups/cupsd.conf', 228 | '/etc/inetd.conf', 229 | '/etc/apache2/apache2.conf', 230 | '/etc/my.cnf', 231 | '/etc/httpd/conf/httpd.conf', 232 | '/opt/lampp/etc/httpd.conf'] 233 | for f in files: 234 | try: 235 | fmsg = fileMsg(f) 236 | writeInfo(fmsg) 237 | out = readFile(f) 238 | print out 239 | writeInfo(out) 240 | except IOError, e: 241 | print e 242 | writeInfo('FAILED: ' + str(e)+ '\n') 243 | continue 244 | 245 | 246 | def lsJobs(): 247 | """ 248 | Checks scheduled jobs 249 | """ 250 | commands = {'cron': ['crontab', '-l'], 251 | 'ls spool': ['ls', '-alh', '/var/spool/cron']} 252 | for c in commands: 253 | try: 254 | cmsg = cmdMsg(commands[c]) 255 | writeInfo(cmsg) 256 | stdout = runCmd(commands[c]) 257 | print stdout 258 | writeInfo(stdout) 259 | except (OSError, IOError), e: 260 | print e, commands[c] 261 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 262 | continue 263 | 264 | 265 | files = ['/etc/at.allow', 266 | '/etc/at.deny', 267 | '/etc/cron.allow', 268 | '/etc/cron.deny', 269 | '/etc/crontab', 270 | '/etc/anacrontab', 271 | '/var/spool/cron/crontabs/root'] 272 | for f in files: 273 | try: 274 | fmsg = fileMsg(f) 275 | writeInfo(fmsg) 276 | out = readFile(f) 277 | print out 278 | writeInfo(out) 279 | except IOError, e: 280 | print e 281 | writeInfo('FAILED: ' + str(e)+ '\n') 282 | continue 283 | 284 | globbed_cron = glob.glob('/etc/cron*') 285 | lscron = ['ls', '-al'] 286 | for g in globbed_cron: 287 | try: 288 | cmsg = glbMsg(lscron, g) 289 | print cmsg 290 | writeInfo(cmsg) 291 | stdout = runCmd(lscron) 292 | print stdout 293 | writeInfo(stdout) 294 | except (OSError, IOError), e: 295 | print e, lscron 296 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(lscron) + '\n') 297 | continue 298 | 299 | 300 | 301 | def netInfo(): 302 | """ 303 | Looks at network configuration 304 | """ 305 | commands = {'ifconfig': ['ifconfig', '-a'], 306 | 'iptables': ['iptables', '-L'], 307 | 'ip6tables': ['ip6tables', '-L'], 308 | 'hostname': ['hostname'], 309 | 'dnsdomainname': ['dnsdomainname'], 310 | 'arp': ['arp'], 311 | 'route': ['route']} 312 | for c in commands: 313 | try: 314 | cmsg = cmdMsg(commands[c]) 315 | writeInfo(cmsg) 316 | stdout = runCmd(commands[c]) 317 | print stdout 318 | writeInfo(stdout) 319 | except (OSError, IOError), e: 320 | print e, commands[c] 321 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 322 | continue 323 | 324 | 325 | files = ['/etc/network/interfaces', 326 | '/etc/sysconfig/network', 327 | '/etc/resolv.conf', 328 | '/etc/sysconfig/network', 329 | '/etc/networks', 330 | '/etc/hosts', 331 | '/etc/nsswitch.conf'] 332 | for f in files: 333 | try: 334 | fmsg = fileMsg(f) 335 | writeInfo(fmsg) 336 | out = readFile(f) 337 | print out 338 | writeInfo(out) 339 | except IOError, e: 340 | print e 341 | writeInfo('FAILED: ' + str(e)+ '\n') 342 | continue 343 | 344 | 345 | def currNetStats(): 346 | """ 347 | Checks current network activity 348 | """ 349 | commands = {'lsof': ['lsof', '-i'], 350 | 'netstat antup': ['netstat', '-antup'], 351 | 'netstat tulpn': ['netstat', '-tulpn'], 352 | 'chkconfig': ['chkconfig', '--list']} 353 | 354 | for c in commands: 355 | try: 356 | cmsg = cmdMsg(commands[c]) 357 | writeInfo(cmsg) 358 | stdout = runCmd(commands[c]) 359 | print stdout 360 | writeInfo(stdout) 361 | except (OSError, IOError), e: 362 | print e, commands[c] 363 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 364 | continue 365 | 366 | 367 | 368 | def chkUsers(): 369 | """ 370 | Looks at user accounts 371 | """ 372 | commands = {'id': ['id'], 373 | 'w': ['w'], 374 | 'last': ['last', '-n', TAIL_LINES], 375 | 'ls root': ['ls', '-ahl', '/root/'], 376 | 'ls home': ['ls', '-ahl', '/home/'], 377 | 'ls mail': ['ls', '-alh', '/var/mail/'], 378 | 'sudo': ['sudo', '-l']} 379 | for c in commands: 380 | try: 381 | cmsg = cmdMsg(commands[c]) 382 | writeInfo(cmsg) 383 | stdout = runCmd(commands[c]) 384 | print stdout 385 | writeInfo(stdout) 386 | except (OSError, IOError), e: 387 | print e, commands[c] 388 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 389 | continue 390 | 391 | 392 | files = ['/etc/sudoers', 393 | '/var/mail/root', 394 | '/var/spool/mail/root', 395 | '~/.bash_history', 396 | '~/.nano_history', 397 | '~/.atftp_history', 398 | '~/.mysql_history ', 399 | '~/.php_history', 400 | '/etc/aliases'] 401 | for f in files: 402 | try: 403 | fmsg = fileMsg(f) 404 | writeInfo(fmsg) 405 | out = readFile(f) 406 | print out 407 | writeInfo(out) 408 | except IOError, e: 409 | print e 410 | writeInfo('FAILED: ' + str(e)+ '\n') 411 | continue 412 | 413 | def chkIntrstFiles(): 414 | """ 415 | Reads files with potentially sensitive information 416 | """ 417 | files = ['/etc/passwd', 418 | '/etc/group', 419 | '/etc/shadow', 420 | '/var/apache2/config.inc', 421 | '/root/anaconda-ks.cfg', 422 | '~/.ssh/authorized_keys', 423 | '~/.ssh/identity.pub', 424 | '~/.ssh/identity', 425 | '~/.ssh/id_rsa.pub', 426 | '~/.ssh/id_rsa', 427 | '~/.ssh/id_dsa.pub', 428 | '~/.ssh/id_dsa', 429 | '/etc/ssh/ssh_config', 430 | '/etc/ssh/sshd_config', # also look for AllowTcpForwarding 431 | '/etc/ssh/ssh_host_dsa_key.pub', 432 | '/etc/ssh/ssh_host_dsa_key', 433 | '/etc/ssh/ssh_host_rsa_key.pub', 434 | '/etc/ssh/ssh_host_rsa_key', 435 | '/etc/ssh/ssh_host_key.pub', 436 | '/etc/ssh/ssh_host_key', 437 | '/var/lib/dhcp3/dhclient.leases', 438 | '/etc/mysql/my.cnf', 439 | '/etc/mysql/debian.cnf'] 440 | for f in files: 441 | try: 442 | fmsg = fileMsg(f) 443 | writeInfo(fmsg) 444 | out = readFile(f) 445 | print out 446 | writeInfo(out) 447 | except IOError, e: 448 | print e 449 | writeInfo('FAILED: ' + str(e)+ '\n') 450 | continue 451 | 452 | commands = {'strings': ['strings', '/var/lib/mysql/mysql/user.MYD']} 453 | for c in commands: 454 | try: 455 | cmsg = cmdMsg(commands[c]) 456 | writeInfo(cmsg) 457 | stdout = runCmd(commands[c]) 458 | print stdout 459 | writeInfo(stdout) 460 | except (OSError, IOError), e: 461 | print e, commands[c] 462 | writeInfo('FAILED: ' + str(e) + ' : ' + str(commands[c]) + '\n') 463 | continue 464 | 465 | 466 | def chkLogs(): 467 | """ 468 | Checks logs for various categories 469 | """ 470 | commands = {'ls log': ['ls', '-alh', '/var/log'], 471 | 'ls mail': ['ls', '-alh', '/var/mail'], 472 | 'ls spool': ['ls', '-alh', '/var/spool'], 473 | 'ls lpd': ['ls', '-alh', '/var/spool/lpd'], 474 | 'ls pgsql': ['ls', '-alh', '/var/lib/pgsql'], 475 | 'ls mysql': ['ls', '-alh', '/var/lib/mysql'], 476 | 'ls dhcp': ['ls', '-alh', '/var/lib/dhcp3/'], 477 | 'ls posgresql': ['ls', '-alh', '/var/log/postgresql/'], 478 | 'ls proftpd': ['ls', '-alh', '/var/log/proftpd/'], 479 | 'ls samba': ['ls', '-alh', '/var/log/samba/'], 480 | 'tail msgs': ['tail', '-n', TAIL_LINES, '/var/log/messages'], #global sys msgs 481 | 'tail dmesg': ['tail', '-n', TAIL_LINES, '/var/log/dmesg'], #kern ring buffer 482 | 'tail auth': ['tail', '-n', TAIL_LINES, '/var/log/auth.log'], #auth info 483 | 'tail booth': ['tail', '-n', TAIL_LINES, '/var/log/boot.log'], #boot info 484 | 'tail daemon': ['tail', '-n', TAIL_LINES, '/var/log/daemon.log'], #daemon info 485 | 'tail dpkg': ['tail', '-n', TAIL_LINES, '/var/log/dpkg.log'], #apt package info 486 | 'tail kern': ['tail', '-n', TAIL_LINES, '/var/log/kern.log'], #kern info 487 | 'tail user.log': ['tail', '-n', TAIL_LINES, '/var/log/user.log'], #user level info 488 | 'tail alts': ['tail', '-n', TAIL_LINES, '/var/log/alternatives.log'], #update alts 489 | 'tail cups': ['tail', '-n', TAIL_LINES, '/var/log/cups'], #print info 490 | 'tail anaconda': ['tail', '-n', TAIL_LINES, '/var/log/anaconda.log'], #installation info 491 | 'tail yum': ['tail', '-n', TAIL_LINES, '/var/log/yum.log'], #rpm pacakge info 492 | 'tail cron': ['tail', '-n', TAIL_LINES, '/var/log/cron'], #cron info 493 | 'tail secure': ['tail', '-n', TAIL_LINES, '/var/log/secure']} #auth msgs 494 | 495 | for c in commands: 496 | try: 497 | cmsg = cmdMsg(commands[c]) 498 | writeInfo(cmsg) 499 | stdout = runCmd(commands[c]) 500 | print stdout 501 | writeInfo(stdout) 502 | except (OSError, IOError), e: 503 | print e, commands[c] 504 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 505 | continue 506 | 507 | 508 | def chkWebSettings(): 509 | """ 510 | Looks at web configuration 511 | """ 512 | commands = {'ls www': ['ls', '-alhR', '/var/www/'], 513 | 'ls htdocs': ['ls', '-alhR', '/srv/www/htdocs/'], 514 | 'ls lamp': ['ls', '-alhR', '/opt/lampp/htdocs/'], 515 | 'ls html': ['ls', '-alhR', '/var/www/html/']} 516 | for c in commands: 517 | try: 518 | cmsg = cmdMsg(commands[c]) 519 | writeInfo(cmsg) 520 | stdout = runCmd(commands[c]) 521 | print stdout 522 | writeInfo(stdout) 523 | except (OSError, IOError), e: 524 | print e, commands[c] 525 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 526 | continue 527 | 528 | 529 | def chkFS(): 530 | """ 531 | Gathers info about the filesystem 532 | """ 533 | commands = {'mount': ['mount'], 534 | 'df' : ['df', '-h']} 535 | for c in commands: 536 | try: 537 | cmsg = cmdMsg(commands[c]) 538 | writeInfo(cmsg) 539 | stdout = runCmd(commands[c]) 540 | print stdout 541 | writeInfo(stdout) 542 | except (OSError, IOError), e: 543 | print e, commands[c] 544 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 545 | continue 546 | 547 | files = ['/etc/fstab'] 548 | # check if noatime is present, which prevents update of inode access time 549 | for f in files: 550 | try: 551 | fmsg = fileMsg(f) 552 | writeInfo(fmsg) 553 | out = readFile(f) 554 | print out 555 | writeInfo(out) 556 | except IOError, e: 557 | print e 558 | writeInfo('FAILED: ' + str(e)+ '\n') 559 | continue 560 | 561 | 562 | def findTools(): 563 | """ 564 | Looks for useful tools preinstalled on the system 565 | """ 566 | commands = {'find perl': ['perl', '-v'], 567 | 'find python': ['python --version'], 568 | 'find wget': ['which wget'], 569 | 'find nc': ['which nc'], 570 | 'find ruby': ['ruby -v'], 571 | 'find netcat': ['which netcat'], 572 | 'find nmap': ['which nmap'], 573 | 'find java': ['java -version']} 574 | for c in commands: 575 | try: 576 | cmsg = cmdMsg(commands[c]) 577 | writeInfo(cmsg) 578 | stdout = runCmdShell(commands[c]) 579 | print stdout 580 | writeInfo(stdout) 581 | except (OSError, IOError), e: 582 | print e, commands[c] 583 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 584 | continue 585 | pipecmds = {'find gcc': (['gcc', '--version'], ['grep', '-m', '1', 'gcc']), 586 | 'find cc': (['cc', '--version'], ['grep', '-m', '1', 'cc']), 587 | 'find perl': (['perl', '-v'], ['grep', '-m', '1', 'This'])} 588 | for c in pipecmds: 589 | try: 590 | arg1 = pipecmds[c][0] 591 | arg2 = pipecmds[c][1] 592 | pmsg = pipeCmdMsg(arg1, arg2) 593 | writeInfo(pmsg) 594 | out = pipeCmd(arg1, arg2) 595 | print out 596 | writeInfo(out) 597 | except (OSError, IOError), e: 598 | print e, str(pipecmds[c]) 599 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(pipecmds[c]) + '\n') 600 | continue 601 | 602 | def findPerm(): 603 | """ 604 | Finds loose permissions 605 | """ 606 | commands = {'find suid/sgid': ['find / -type f \( -perm +4000 -o -perm +2000 \) -print 2> /dev/null'], 607 | 'find ww dir': ['find / -perm -0002 -type d -print 2> /dev/null']} 608 | for c in commands: 609 | try: 610 | cmsg = cmdMsg(commands[c]) 611 | writeInfo(cmsg) 612 | stdout = runCmdShell(commands[c]) 613 | print stdout 614 | writeInfo(stdout) 615 | except (OSError, IOError), e: 616 | print e, commands[c] 617 | writeInfo('FAILED: ' + str(e)+ ' : ' + str(commands[c]) + '\n') 618 | continue 619 | 620 | 621 | def findExploits(): 622 | """ 623 | The title says it all :) 624 | """ 625 | kernel = runCmd(['uname', '-r']) 626 | # kernel = '4.2.0' 627 | print 'Kernel version is ' + str(kernel) 628 | startno = 119 629 | 630 | exploits_2_0 = { 631 | 'Segment Limit Privilege Escalation': {'min': '2.0.37', 'max': '2.0.38', 'cve': ' CVE-1999-1166', 'src': 'https://www.exploit-db.com/exploits/19419/'} 632 | } 633 | 634 | exploits_2_2 = { 635 | 'ptrace kmod Privilege Escalation': {'min': '2.2.0', 'max': '2.2.25', 'cve': 'CVE-2003-0127', 'src': 'https://www.exploit-db.com/exploits/3/'}, 636 | 'mremap Privilege Escalation': {'min': '2.2.0', 'max': '2.2.26', 'cve': 'CVE-2004-0077', 'src': 'https://www.exploit-db.com/exploits/160/'}, 637 | 'ptrace setuid Privilege Escalation': {'min': '2.2.0', 'max': '2.2.20', 'cve': 'CVE-2001-1384', 'src': 'https://www.exploit-db.com/exploits/21124/'}, 638 | 'procfs Stream redirection to Process Memory Privilege Escalation': {'min': '2.2.0', 'max': '2.2.20', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/20979/'}, 639 | 'Privileged Process Hijacking Privilege Escalation': {'min': '2.2.0', 'max': '2.2.25', 'cve': 'CVE-2003-0127', 'src': 'https://www.exploit-db.com/exploits/22362/'}, 640 | 'Sendmail Capabilities Privilege Escalation': {'min': '2.2.0', 'max': '2.2.16', 'cve': 'CVE-2000-0506', 'src': 'https://www.exploit-db.com/exploits/20001/'} 641 | } 642 | 643 | exploits_2_4 = { 644 | 'ptrace kmod Privilege Escalation': {'min': '2.4.0', 'max': '2.4.21', 'cve': 'CVE-2003-0127', 'src': 'https://www.exploit-db.com/exploits/3/'}, 645 | 'do_brk Privilege Escalation': {'min': '2.4.0', 'max': '2.4.23', 'cve': 'CVE-2003-0961', 'src': 'https://www.exploit-db.com/exploits/131/'}, 646 | 'do_mremap Privilege Escalation': {'min': '2.4.0', 'max': '2.4.24', 'cve': ' CVE-2003-0985', 'src': 'https://www.exploit-db.com/exploits/145/'}, 647 | 'mremap Privilege Escalation': {'min': '2.4.0', 'max': '2.4.25', 'cve': 'CVE-2004-0077', 'src': 'https://www.exploit-db.com/exploits/160/'}, 648 | 'uselib Privilege Escalation': {'min': '2.4.0', 'max': '2.4.29-rc2', 'cve': 'CVE-2004-1235', 'src': 'https://www.exploit-db.com/exploits/895/'}, 649 | 'bluez Privilege Escalation': {'min': '2.4.6', 'max': '2.4.30-rc2', 'cve': 'CVE-2005-0750', 'src': 'https://www.exploit-db.com/exploits/926/'}, 650 | 'System Call Emulation Privilege Escalation': {'min': '2.4.0', 'max': '2.4.37.10', 'cve': 'CVE-2007-4573', 'src': 'https://www.exploit-db.com/exploits/4460/'}, 651 | 'ptrace setuid Privilege Escalation': {'min': '2.4.0', 'max': '2.4.10', 'cve': 'CVE-2001-1384', 'src': 'https://www.exploit-db.com/exploits/21124/'}, 652 | 'procfs Stream redirection to Process Memory Privilege Escalation': {'min': '2.4.0', 'max': '2.4.4', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/20979/'}, 653 | 'Privileged Process Hijacking Privilege Escalation': {'min': '2.4.0', 'max': '2.4.21', 'cve': 'CVE-2003-0127', 'src': 'https://www.exploit-db.com/exploits/22362/'}, 654 | 'sock_sendpage Privilege Escalation': {'min': '2.4.4', 'max': '2.4.37.4', 'cve': ' CVE-2009-2692', 'src': 'https://www.exploit-db.com/exploits/9641/'}, 655 | 'pipe.c Privilege Escalation': {'min': '2.4.1', 'max': '2.4.37', 'cve': 'CVE-2009-3547', 'src': 'https://www.exploit-db.com/exploits/9844/'}, 656 | 'Ptrace Privilege Escalation': {'min': '2.4.0', 'max': '2.4.35.3', 'cve': 'CVE-2007-4573', 'src': 'https://www.exploit-db.com/exploits/30604/'} 657 | 658 | } 659 | 660 | exploits_2_6 = { 661 | 'mremap Privilege Escalation': {'min': '2.6.0', 'max': '2.6.2', 'cve': 'CVE-2004-0077', 'src': 'https://www.exploit-db.com/exploits/160/'}, 662 | 'uselib Privilege Escalation': {'min': '2.6.0', 'max': '2.6.11', 'cve': 'CVE-2004-1235', 'src': 'https://www.exploit-db.com/exploits/895/'}, 663 | 'bluez Privilege Escalation': {'min': '2.6.0', 'max': '2.6.11.5', 'cve': 'CVE-2005-0750', 'src': 'https://www.exploit-db.com/exploits/926/'}, 664 | 'SYS_EPoll_Wait Privilege Escalation': {'min': '2.6.0', 'max': '2.6.12', 'cve': 'CVE-2005-0736', 'src': 'https://www.exploit-db.com/exploits/1397/'}, 665 | 'logrotate prctl Privilege Escalation': {'min': '2.6.13', 'max': '2.6.17.4', 'cve': ' CVE-2006-2451', 'src': 'https://www.exploit-db.com/exploits/2031/'}, 666 | 'proc Privilege Escalation': {'min': '2.6.13', 'max': '2.6.17.4', 'cve': ' CVE-2006-2451', 'src': 'https://www.exploit-db.com/exploits/2013/'}, 667 | 'System Call Emulation Privilege Escalation': {'min': '2.6.0', 'max': '2.6.22.7', 'cve': 'CVE-2007-4573', 'src': 'https://www.exploit-db.com/exploits/4460/'}, 668 | 'BlueTooth Stack Privilege Escalation': {'min': '2.6.0', 'max': '2.6.11.5', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/4756/'}, 669 | 'vmsplice Privilege Escalation': {'min': '2.6.17', 'max': '2.6.24.1', 'cve': 'CVE-2008-0600', 'src': 'https://www.exploit-db.com/exploits/5092/'}, 670 | 'ftruncate()/open() Privilege Escalation': {'min': '2.6.0', 'max': '2.6.22', 'cve': 'CVE-2008-4210', 'src': 'https://www.exploit-db.com/exploits/6851/'}, 671 | 'exit_notify() Privilege Escalation': {'min': '2.6.0', 'max': '2.6.30-rc1', 'cve': 'CVE-2009-1337', 'src': 'https://www.exploit-db.com/exploits/8369/'}, 672 | 'UDEV Privilege Escalation': {'min': '2.6.0', 'max': '2.6.40', 'cve': 'CVE-2009-1185', 'src': 'https://www.exploit-db.com/exploits/8478/'}, 673 | 'ptrace_attach() Race Condition': {'min': '2.6.0', 'max': '2.6.30-rc4', 'cve': 'CVE-2009-1527', 'src': 'https://www.exploit-db.com/exploits/8673/'}, 674 | 'Samba Share Privilege Escalation': {'min': '2.6.0', 'max': '2.6.39', 'cve': 'CVE-2004-0186', 'src': 'https://www.exploit-db.com/exploits/23674/'}, 675 | 'ReiserFS xattr Privilege Escalation': {'min': '2.6.0', 'max': '2.6.35', 'cve': 'CVE-2010-1146', 'src': 'https://www.exploit-db.com/exploits/12130/'}, 676 | 'sock_sendpage Privilege Escalation': {'min': '2.6.6', 'max': '2.6.30.5', 'cve': ' CVE-2009-2692', 'src': 'https://www.exploit-db.com/exploits/9641/'}, 677 | 'pipe.c Privilege Escalation': {'min': '2.6.0', 'max': '2.6.32-rc6', 'cve': 'CVE-2009-3547', 'src': 'https://www.exploit-db.com/exploits/33322/'}, 678 | 'Sys_Tee Privilege Escalation': {'min': '2.6.0', 'max': '2.6.17.6', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/29714/'}, 679 | 'Linux Kernel Privilege Escalation': {'min': '2.6.18', 'max': '2.6.18-20', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/10613/'}, 680 | 'Dirty COW': {'min': '2.6.22', 'max': '4.8.3', 'cve': 'CVE-2016-5195', 'src': 'https://www.exploit-db.com/exploits/40616/'}, 681 | 'compat Privilege Escalation': {'min': '2.6.0', 'max': '2.6.36', 'cve': 'CVE-2010-3081', 'src': 'https://www.exploit-db.com/exploits/15024/'}, 682 | 'DEC Alpha Linux - Privilege Escalation': {'min': '2.6.28', 'max': '3.0', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/17391/'}, 683 | 'SELinux (RHEL 5) - Privilege Escalation': {'min': '2.6.30', 'max': '2.6.31', 'cve': 'CVE-2009-1897', 'src': 'https://www.exploit-db.com/exploits/9191/'}, 684 | 'proc Handling SUID Privilege Escalation': {'min': '2.6.0', 'max': '2.6.38', 'cve': 'CVE-2011-1020', 'src': 'https://www.exploit-db.com/exploits/41770/'}, 685 | 'PERF_EVENTS Privilege Escalation': {'min': '2.6.32', 'max': '3.8.9', 'cve': 'CVE-2013-2094', 'src': 'https://www.exploit-db.com/exploits/25444/'}, 686 | 'RDS Protocol Privilege Escalation': {'min': '2.6.0', 'max': '2.6.36-rc8', 'cve': 'CVE-2010-3904', 'src': 'https://www.exploit-db.com/exploits/15285/'}, 687 | 'Full-Nelson.c Privilege Escalation': {'min': '2.6.0', 'max': '2.6.37', 'cve': 'CVE-2010-4258', 'src': 'https://www.exploit-db.com/exploits/15704/'}, 688 | 'Mempodipper Privilege Escalation': {'min': '2.6.39', 'max': '3.2.2', 'cve': 'CVE-2012-0056', 'src': 'https://www.exploit-db.com/exploits/35161/'}, 689 | 'Ext4 move extents ioctl Privilege Escalation': {'min': '2.6.0', 'max': '2.6.32-git6', 'cve': 'CVE-2009-4131', 'src': 'https://www.exploit-db.com/exploits/33395/'}, 690 | 'Ptrace Privilege Escalation': {'min': '2.6.0', 'max': '2.6.22.7', 'cve': 'CVE-2007-4573', 'src': 'https://www.exploit-db.com/exploits/30604/'}, 691 | 'udp_sendmsg Privilege Escalation': {'min': '2.6.0', 'max': '2.6.19', 'cve': 'CVE-2009-2698', 'src': 'https://www.exploit-db.com/exploits/9575/'}, 692 | 'fasync_helper() Privilege Escalation': {'min': '2.6.28', 'max': '2.6.33-rc4-git1', 'cve': 'CVE-2009-4141', 'src': 'https://www.exploit-db.com/exploits/33523/'}, 693 | 'CAP_SYS_ADMIN Privilege Escalation': {'min': '2.6.34', 'max': '2.6.40', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/15916/'}, 694 | 'CAN BCM Privilege Escalation': {'min': '2.6.0', 'max': '2.6.36-rc1', 'cve': 'CVE-2010-2959', 'src': 'https://www.exploit-db.com/exploits/14814/'}, 695 | 'ia32syscall Emulation Privilege Escalation': {'min': '2.6.0', 'max': '2.6.36-rc4-git2', 'cve': 'CVE-2010-3301', 'src': 'https://www.exploit-db.com/exploits/15023/'}, 696 | 'Half-Nelson.c Econet Privilege Escalation': {'min': '2.6.0', 'max': '2.6.36.2', 'cve': 'CVE-2010-3848', 'src': 'https://www.exploit-db.com/exploits/17787/'}, 697 | 'ACPI custom_method Privilege Escalation': {'min': '2.6.0', 'max': '2.6.37-rc2', 'cve': 'CVE-2010-4347', 'src': 'https://www.exploit-db.com/exploits/15774/'}, 698 | 'SGID Privilege Escalation': {'min': '2.6.32.62', 'max': '3.14.8', 'cve': 'CVE-2014-4014', 'src': 'https://www.exploit-db.com/exploits/33824/'}, 699 | 'libfutex Privilege Escalation': {'min': '2.6.4', 'max': '3.14.6', 'cve': 'CVE-2014-3153', 'src': 'https://www.exploit-db.com/exploits/35370/'}, 700 | 'perf_swevent_init Privilege Escalation': {'min': '2.6.37', 'max': '3.8.9', 'cve': 'CVE-2013-2094', 'src': 'https://www.exploit-db.com/exploits/26131/'}, 701 | 'MSR Driver Privilege Escalation': {'min': '2.6', 'max': '3.7.6', 'cve': 'CVE-2013-0268', 'src': 'https://www.exploit-db.com/exploits/27297/'} 702 | } 703 | 704 | exploits_3 = { 705 | 'overlayfs Privilege Escalation': {'min': '3.0.0', 'max': '3.19.0', 'cve': 'CVE-2015-1328', 'src': 'https://www.exploit-db.com/exploits/37292/'}, 706 | 'CLONE_NEWUSER|CLONE_FS Privilege Escalation': {'min': '3.0', 'max': '3.3.6', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/38390/'}, 707 | 'SO_SNDBUFFORCE & SO_RCVBUFFORCE Local Privilege Escalation': {'min': '3.5', 'max': '4.8.14', 'cve': 'CVE-2016-9793', 'src': 'https://www.exploit-db.com/exploits/41995/'}, 708 | 'Raw Mode PTY Echo Race Condition Privilege Escalation': {'min': '3.14-rc1', 'max': '3.16', 'cve': 'CVE-2014-0196', 'src': 'https://www.exploit-db.com/exploits/33516/'}, 709 | 'sock_diag_handlers() Privilege Escalation': {'min': '3.3.0', 'max': '3.7.10', 'cve': 'CVE-2013-1763', 'src': 'https://www.exploit-db.com/exploits/24555/'}, 710 | 'b43 Wireless Driver Privilege Escalation': {'min': '3.0', 'max': '3.9.4', 'cve': 'CVE-2013-2852', 'src': 'https://www.exploit-db.com/exploits/38559/'}, 711 | 'CONFIG_X86_X32=y Privilege Escalation': {'min': '3.4', 'max': '3.13.2', 'cve': 'CVE-2014-0038', 'src': 'https://www.exploit-db.com/exploits/31347/'}, 712 | 'Double-free usb-midi SMEP Local Privilege Escalation': {'min': '3.0', 'max': '4.5', 'cve': 'CVE-2016-2384', 'src': 'https://www.exploit-db.com/exploits/41999/'}, 713 | 'Remount FUSE Privilege Escalation': {'min': '3.2', 'max': '3.16.1', 'cve': 'CVE-2014-5207', 'src': 'https://www.exploit-db.com/exploits/34923/'}, 714 | 'ptrace/sysret Privilege Escalation': {'min': '3.0', 'max': '3.15.4', 'cve': 'CVE-2014-4699', 'src': 'https://www.exploit-db.com/exploits/34134/'}, 715 | 'open-time Capability file_ns_capable() Privilege Escalation': {'min': '3.0', 'max': '3.8.9', 'cve': 'CVE-2013-1959', 'src': 'https://www.exploit-db.com/exploits/25450/'}, 716 | 'REFCOUNT Overflow/Use-After-Free in Keyrings Privilege Escalation': {'min': '3.8.0', 'max': '4.4.1', 'cve': 'CVE-2016-0728', 'src': 'https://www.exploit-db.com/exploits/39277/'} 717 | 718 | } 719 | 720 | exploits_4 = { 721 | 'overlayfs Privilege Escalation': {'min': '4.0', 'max': '4.3.3', 'cve': 'CVE-2015-8660', 'src': 'https://www.exploit-db.com/exploits/39166/'}, 722 | 'BPF Privilege Escalation': {'min': '4.4.0', 'max': '4.5.5', 'cve': 'CVE-2016-4557', 'src': 'https://www.exploit-db.com/exploits/39772/'}, 723 | 'AF_PACKET Race Condition Privilege Escalation': {'min': '4.2.0', 'max': '4.9.0-2', 'cve': 'CVE-2016-8655', 'src': 'https://www.exploit-db.com/exploits/40871/'}, 724 | 'DCCP Double-Free Privilege Escalation': {'min': '4.4.0', 'max': '4.9.11', 'cve': 'CVE-2017-6074', 'src': 'https://www.exploit-db.com/exploits/41458/'}, 725 | 'Netfilter target_offset Out-of-Bounds Privilege Escalation': {'min': '4.4.0-21-generic', 'max': '4.4.0-31-generic', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/40049/'}, 726 | 'IP6T_SO_SET_REPLACE Privilege Escalation': {'min': '4.6.2', 'max': '4.6.3', 'cve': 'CVE-2016-4997', 'src': 'https://www.exploit-db.com/exploits/40489/'}, 727 | 'Packet Socket Local Privilege Escalation': {'min': '4.8.0', 'max': '4.10.6', 'cve': 'CVE-2017-7308', 'src': 'https://www.exploit-db.com/exploits/41994/'}, 728 | 'UDEV < 232 - Privilege Escalation': {'min': '4.8.0', 'max': '4.9.0', 'cve': 'N/A', 'src': 'https://www.exploit-db.com/exploits/41886/'} 729 | } 730 | 731 | if kernel.startswith('2.2'): 732 | for name, exploit in exploits_2_2.iteritems(): # iterate over exploits dict 733 | if kernel >= exploit['min'] and kernel < exploit['max']: 734 | foundMsg(name, exploit['cve'], exploit['src']) 735 | else: 736 | continue 737 | elif kernel.startswith('2.4'): 738 | for name, exploit in exploits_2_4.iteritems(): 739 | if kernel >= exploit['min'] and kernel < exploit['max']: 740 | foundMsg(name, exploit['cve'], exploit['src']) 741 | else: 742 | continue 743 | elif kernel.startswith('2.6'): 744 | for name, exploit in exploits_2_6.iteritems(): 745 | if kernel >= exploit['min'] and kernel < exploit['max']: 746 | foundMsg(name, exploit['cve'], exploit['src']) 747 | else: 748 | continue 749 | 750 | elif kernel.startswith('2.0'): 751 | for name, exploit in exploits_2_0.iteritems(): 752 | if kernel >= exploit['min'] and kernel < exploit['max']: 753 | foundMsg(name, exploit['cve'], exploit['src']) 754 | else: 755 | continue 756 | 757 | elif kernel.startswith('3'): 758 | for name, exploit in exploits_3.iteritems(): 759 | if kernel >= exploit['min'] and kernel < exploit['max']: 760 | foundMsg(name, exploit['cve'], exploit['src']) 761 | else: 762 | continue 763 | 764 | elif kernel.startswith('4'): 765 | for name, exploit in exploits_4.iteritems(): 766 | if kernel >= exploit['min'] and kernel < exploit['max']: 767 | foundMsg(name, exploit['cve'], exploit['src']) 768 | else: 769 | continue 770 | else: 771 | print 'No exploits found for this kernel version' 772 | 773 | ########### comment / uncomment below for desired output 774 | 775 | 776 | # searchOS() 777 | # chkSrvc() 778 | # chkApps() 779 | # chkSrvcSettings() 780 | # lsJobs() 781 | # netInfo() 782 | # currNetStats() 783 | # chkUsers() 784 | # chkIntrstFiles() 785 | # chkLogs() 786 | # chkWebSettings() 787 | # chkFS() 788 | # findTools() 789 | # findPerm() 790 | findExploits() 791 | --------------------------------------------------------------------------------