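#!/bin/bash
# auto_priv_exploit.sh
#
# List the Linux local privilege-escalation exploits that the local exploit-db
# mirror (searchsploit) knows for a kernel version, then optionally copy them
# into ./linux_<VERSION>, compile the C ones and tar the directory.
#
# Usage: ./auto_priv_exploit.sh VERSION_OF_KERNEL
#
# Everything this copies is exploit code taken verbatim from exploit-db. Read
# an exploit before running it on a target (see README: do not run blindly).

usage(){
  echo "[*] Usage: $0 VERSION_OF_KERNEL"
  echo "[*] Example: root~> $0 2.6"
  exit 1
}

# Root of the exploit-db mirror. searchsploit prints paths relative to it,
# e.g. /linux/local/895.c.
base="/usr/share/exploitdb/platforms"

# file_ext PATH - print the extension after the last dot of the basename,
# or an empty line when there is none.
file_ext(){
  local name="${1##*/}"
  case "$name" in
    *.*) printf '%s\n' "${name##*.}" ;;
    *)   printf '\n' ;;
  esac
}

# download - copy every search hit into linux_$version and count the copied
# files per type for the summary.
# Reads:  base, version, file_list
# Writes: c_file_count, rb_file_count, txt_file_count, py_file_count, pl_file_count
download(){
  local file src
  echo "[*] The base directory is $base"

  [ -d "linux_$version" ] || mkdir -- "linux_$version"   # make directory if not exist

  # file_list is newline-separated paths; word splitting is intended here.
  for file in $file_list; do
    # searchsploit has printed the path both as "/linux/local/N.c" and as
    # "./linux/local/N.c"; normalise to exactly one leading slash.
    file="${file#.}"
    file="/${file#/}"
    src="$base$file"
    if [ ! -f "$src" ]; then
      echo "[-] $src not found in the exploit-db mirror, skipped" >&2
      continue
    fi
    echo "[*] Copying $src to $PWD/linux_$version/${file##*/}"
    cp -- "$src" "linux_$version/"   # copy the file from exploitdb to linux_$version

    # Count the file for summary
    case "$(file_ext "$file")" in
      "c" ) c_file_count=$((c_file_count+1));;
      "rb" ) rb_file_count=$((rb_file_count+1));;
      "txt" ) txt_file_count=$((txt_file_count+1));;
      "py" ) py_file_count=$((py_file_count+1));;
      "pl" ) pl_file_count=$((pl_file_count+1));;
    esac
  done
}

# compile - build each C hit from linux_$version as NAME.c.exe.
# gcc's diagnostics are discarded on purpose, as before: old exploit sources
# often do not build on a current toolchain and only the count is reported.
compile(){
  local file name
  for file in $file_list; do
    name="${file##*/}"
    if [ "$(file_ext "$name")" = "c" ]; then
      gcc "linux_$version/$name" -o "linux_$version/$name.exe" 2>/dev/null
    fi
  done
}

# main - interactive driver: show hits, then ask to copy, compile and tar.
# Reads: version, file_list, the *_file_count counters.
main(){
  local f
  echo -e "[*] Possible Exploit\n"
  searchsploit "$version" linux | grep local | grep -i privilege
  # Quoted on purpose: the list is multi-line, and an unquoted test fails
  # with "too many arguments" instead of testing for emptiness.
  if [ -z "$file_list" ]; then
    echo "No possible exploit. Please use another version."
    exit 1
  fi

  echo "[*] Do you wish to download all the exploit script to current directory and compile if possible?"
  select yn in "Yes" "No"; do
    case "$yn" in
      Yes ) download; break;;
      No ) exit 1;;
    esac
  done
  echo "[*] Do you wish to compile all the exploit script written in C?"
  select yn in "Yes" "No"; do
    case "$yn" in
      Yes ) compile; break;;
      No ) break;;
    esac
  done
  # Count produced binaries by suffix; the old "grep .exe" pattern had an
  # unescaped dot and so also matched unrelated names.
  exe_file_count=0
  for f in "linux_$version"/*.exe; do
    [ -e "$f" ] && exe_file_count=$((exe_file_count+1))
  done

  echo "[*] Do you want to make a tar ball of the linux_$version? (For convinient file transfer)"
  select yn in "Yes" "No"; do
    case "$yn" in
      Yes ) tar -cf "linux_$version.tar" "linux_$version"; break;;
      No ) break;;
    esac
  done

  echo "[*] Auto Privilege Exploit Summary"
  echo "C file in $PWD/linux_$version has $c_file_count files"
  echo "Python file in $PWD/linux_$version has $py_file_count files"
  echo "Perl file in $PWD/linux_$version has $pl_file_count files"
  echo "Ruby file in $PWD/linux_$version has $rb_file_count files"
  echo "TXT file in $PWD/linux_$version has $txt_file_count files"
  echo ""
  echo "[*] Successfully Compiled $exe_file_count executable located in linux_$version"
}

if [ $# -ne 1 ]; then
  usage
fi
version=$1

# The version is spliced into directory and file names (linux_$version) and
# passed to searchsploit, so refuse slashes, option-like values and anything
# outside the characters a kernel version can contain.
case "$version" in
  ""|-*|*[!A-Za-z0-9._-]*)
    echo "[-] Kernel version may only contain letters, digits, '.', '_' and '-'" >&2
    usage
    ;;
esac

# Search once, after the argument check; the path column feeds download()
# and compile().
file_list=$(searchsploit "$version" linux | grep local | grep -i privilege \
  | cut -d '|' -f 2 | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')

py_file_count=0
txt_file_count=0
rb_file_count=0
c_file_count=0
pl_file_count=0

main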
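#!/usr/bin/env python
"""auto_searchsploit.py - Linux local privilege escalation exploit finder.

Given a kernel version, run searchsploit against the local exploit-db mirror,
list the Linux *local privilege* hits, optionally copy them into
./linux_<kernel_version>/, compile the C ones and tar the directory.

Usage: auto_searchsploit.py KERNEL_VERSION

Security note: everything copied here is exploit code taken verbatim from
exploit-db. Read an exploit before running it on a target (see README).
"""
import argparse
import os
import shutil
import subprocess
import sys
import tarfile

# Python 2 and 3 compatibility
try:
    input = raw_input
except NameError:
    pass

# Root of the exploit-db mirror; searchsploit prints paths relative to it,
# e.g. "/linux/local/895.c".
EXPLOITDB_BASE = "/usr/share/exploitdb/platforms"
# Fixed location used when only the bare file name is known.
base_dir = EXPLOITDB_BASE + "/linux/local"


def filter_results(output):
    """Keep the searchsploit lines that look like Linux local privilege hits.

    Same filter as ``grep local | grep -i privilege``: "local" must appear as
    written (the path column usually supplies it), "privilege" in any case.
    Blank lines are dropped.
    """
    hits = []
    for line in output.splitlines():
        if not line.strip():
            continue
        if "local" in line and "privilege" in line.lower():
            hits.append(line)
    return hits


def exploit_paths(lines):
    """Return the path column (text after the last '|') of each result line.

    Lines without a '|' separator are skipped.
    """
    return [line.rsplit("|", 1)[1].strip() for line in lines if "|" in line]


def extension(filename):
    """Lower-cased extension of *filename* without the dot; '' if none."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def locate_exploit(rel_path):
    """Find *rel_path* (as printed by searchsploit) in the exploit-db mirror.

    Tries the path relative to EXPLOITDB_BASE first, then the original
    base_dir/<basename> location. Returns None when neither file exists.
    """
    candidates = [
        os.path.join(EXPLOITDB_BASE, rel_path.lstrip("./")),
        os.path.join(base_dir, os.path.basename(rel_path)),
    ]
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def run_search(kern_ver):
    """Run ``searchsploit linux KERN_VER`` and return its decoded output.

    Returns None if searchsploit is missing or exits non-zero. The version is
    passed as an argv element, not through a shell, so it cannot inject
    commands; the output is decoded so the rest of the script works on str
    under both Python 2 and 3 (the original compared bytes against str on
    Python 3 and never copied or compiled anything).
    """
    try:
        out = subprocess.check_output(["searchsploit", "linux", kern_ver])
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode("utf-8", "replace")


def main():
    parser = argparse.ArgumentParser(
        description='Find Linux local privilege escalation exploits for a '
                    'kernel version in the local exploit-db mirror.')
    parser.add_argument('kernel_version',
                        metavar='kernel_version',
                        type=str,
                        help='Kernel Version')
    args = parser.parse_args()
    kern_ver = args.kernel_version

    # kern_ver becomes part of the destination directory name; refuse a
    # path separator so "../x" cannot redirect the copy elsewhere.
    if not kern_ver or "/" in kern_ver:
        print("[-] Invalid kernel version: %r" % kern_ver)
        sys.exit(1)

    # This search is very specific to Linux Local Privilege Escalation
    output = run_search(kern_ver)
    results = filter_results(output) if output else []
    if not results:
        print("[-] No potential exploit found. Aborting...")
        sys.exit(1)

    dir_location = "%s/linux_%s/" % (os.getcwd(), kern_ver)

    print("[*]Potential Exploit :")
    print("\n".join(results))
    print("[*] File destination directory name: %s/linux_%s" %
          (os.getcwd(), kern_ver))

    download_ans = input("[*] Do you want to download exploit file to "
                         "directory described above? [y/n]")
    if download_ans.lower() != "y":
        print("[-] Exiting...")
        sys.exit(0)

    # try to copy to local directory first
    if not os.path.isdir(dir_location):
        os.makedirs(dir_location)
    file_list = []
    for rel_path in exploit_paths(results):
        src = locate_exploit(rel_path)
        if src is None:
            # Report instead of letting a silent cp failure hide the gap.
            print("[-] Not found in exploit-db mirror, skipped: %s" % rel_path)
            continue
        shutil.copy(src, dir_location)
        file_list.append(os.path.basename(src))
    print("[+] All file downloaded in %s" % dir_location)

    # Now try to compile them if it is C
    c_files = [name for name in file_list if extension(name) == "c"]
    if c_files:
        print("[*] C script found")
        print("[*] Compile format: gcc C_SCRIPT -o C_SCRIPT.exe")
        compile_ans = input(
            "[*] Do you want to compile the downloaded C script?"
            "(No Gurantee Success) [y/n]")
        if compile_ans.lower() != "y":
            print("[-] Exiting...")
            sys.exit(0)
        success_exe = 0
        # gcc diagnostics are discarded as before: old exploit sources often
        # do not build on a current toolchain and only the count is reported.
        with open(os.devnull, "wb") as devnull:
            for name in c_files:
                src = os.path.join(dir_location, name)
                rc = subprocess.call(["gcc", src, "-o", src + ".exe"],
                                     stderr=devnull)
                if rc == 0:
                    success_exe += 1
        print("[+] Among %d C file[s], successfully compiled %d file[s]" %
              (len(c_files), success_exe))
        print("[+] Compiled file placed inside %s" % dir_location)

    # Tar ball for transfer to the target box (was a TODO).
    print("[*] In order to transfer the script conveniently to target box")
    tar_answer = input("[*] Do you want to make a tar ball of the file? [y/n]")
    if tar_answer.lower() == "y":
        tar_name = os.path.join(os.getcwd(), "linux_%s.tar" % kern_ver)
        with tarfile.open(tar_name, "w") as tar:
            tar.add(dir_location.rstrip("/"), arcname="linux_%s" % kern_ver)
        print("[+] Tar ball written to %s" % tar_name)


if __name__ == "__main__":
    main()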
66 | "(No Gurantee Success) [y/n]") 67 | if compile_ans.lower() == "y": 68 | success_exe = 0 69 | c_file_count = 0 70 | for _file in file_list: 71 | file_extension = _file.split(b".")[1] 72 | if file_extension == "c": 73 | c_file_count += 1 74 | # noinspection PyUnboundLocalVariable 75 | COMPILE = ("gcc %s%s -o %s%s.exe 2>/dev/null" % 76 | (dir_location, _file, dir_location, _file)) 77 | try: 78 | subprocess.check_call(COMPILE, shell=True) 79 | success_exe += 1 80 | except: 81 | continue 82 | 83 | print("[+] Among %d C file[s], successfully compiled %d file[s]" % 84 | (c_file_count, success_exe)) 85 | print("[+] Compiled file placed inside %s" % dir_location) 86 | else: 87 | print("[-] Exiting...") 88 | sys.exit(0) 89 | 90 | # TODO!!! Make tar ball, too tired now 91 | # print("[*] In order to transfer the script conveniently to target box") 92 | # tar_answer = input("[*] Do you want to make a tar ball of the file? [y/n]") 93 | # if tar_answer.lower() == "y": 94 | # TAR = 'tar -cvf %s.tar %s' % (dir_location, dir_location) 95 | # subprocess.call(TAR, shell=True) 96 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AutoLocalPrivilegeEscalation 2 | An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically 3 | 4 | This script is created due to Hackademics, there are so much possible exploit for that version of kernel, as a rookie OSCP student, I am not able to find out the correct exploit, also I am too lazy to test them one by one. So I hope this script can help me in the future. 5 | 6 | First, it search for linux pirvilege escalation from the exploitdb in local directory by searchsploit. 7 | 8 | Pass in the kernel version as first parameter, it lists potential exploit, and ask if you want to copy them from the local directory. 
9 | 10 | After that, it asks if you want to compile the downloaded C file. 11 | 12 | Then, it will ask if you want to make a tar ball of the directory. 13 | 14 | And it will show the summary of the downloaded files. 15 | 16 | Script Environment: Kali 3.18.0 kali2 17 | 18 | Test result in Kali 4.0 is negative for this script, need to redesign the architecture, maybe python is more suitable to do this automation, need to think again. 19 | 20 | 16 Mar 25 Updated with Python version of this idea, more adaptable to different kali environment and more easy to change the code in this way. 21 | 22 | 16 Apr 30 After almost finishes with all the boxes in OSCP, I have to admit I have not use this script at all during my lab times. There is one thing I learnt from the labs, do not run exploit blindly, as exploits might cause the system to crash, or leaves your footprint in a way you cannot imagine etc. Always enumerate more and gather all the information you have to escalate. DO NOT run the exploit blindly without knowing what the exploit does. 
23 | 24 | ``` 25 | root@workstation:~/utilities# ./auto_priv_exploit.sh 26 | [*] Usage: ./auto_priv_exploit.sh VERSION_OF_KERNEL 27 | root@workstation:~/utilities# ls 28 | auto_priv_exploit.sh 29 | root@workstation:~/utilities# ./auto_priv_exploit.sh 2.6 30 | [*] Possible Exploit 31 | 32 | Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit | /linux/local/895.c 33 | Linux Kernel 2.4 / 2.6 - bluez Local Root Privilege Escalation Exploit (3) | /linux/local/926.c 34 | Postfix <= 2.6-20080814 - (symlink) Local Privilege Escalation Exploit | /linux/local/6337.sh 35 | Linux Kernel < 2.6.29 - exit_notify() Local Privilege Escalation Exploit | /linux/local/8369.sh 36 | Linux Kernel 2.6 - UDEV Local Privilege Escalation Exploit | /linux/local/8478.sh 37 | Linux Kernel 2.6 UDEV < 141 - Local Privilege Escalation Exploit | /linux/local/8572.c 38 | Linux Kernel 2.6.x - ptrace_attach Local Privilege Escalation Exploit | /linux/local/8673.c 39 | Linux Kernel <= 2.6.34-rc3 ReiserFS xattr - Privilege Escalation | /linux/local/12130.py 40 | Linux Kernel < 2.6.36-rc1 CAN BCM - Privilege Escalation Exploit | /linux/local/14814.c 41 | Linux Kernel < 2.6.36-rc4-git2 - x86_64 ia32syscall Emulation Privilege Escalation | /linux/local/15023.c 42 | Linux Kernel <= 2.6.36-rc8 - RDS Protocol Local Privilege Escalation | /linux/local/15285.c 43 | Linux Kernel <= 2.6.37 - Local Privilege Escalation | /linux/local/15704.c 44 | Linux Kernel < 2.6.37-rc2 - ACPI custom_method Privilege Escalation | /linux/local/15774.c 45 | Linux Kernel 2.6.34 - CAP_SYS_ADMIN x86 - Local Privilege Escalation Exploit | /linux/local/15916.c 46 | Linux Kernel < 2.6.34 - CAP_SYS_ADMIN x86 & x64 - Local Privilege Escalation Exploit (2) | /linux/local/15944.c 47 | Linux Kernel < 2.6.36.2 - Econet Privilege Escalation Exploit | /linux/local/17787.c 48 | Linux Kernel 2.6.17 - Sys_Tee Local Privilege Escalation Vulnerability | /linux/local/29714.txt 49 | Linux Kernel 2.6.x - Ptrace Local Privilege 
Escalation Vulnerability | /linux/local/30604.c 50 | Linux Kernel 2.6.x - 'pipe.c' Local Privilege Escalation Vulnerability (1) | /linux/local/33321.c 51 | Linux Kernel 2.6.x - pipe.c Local Privilege Escalation Vulnerability (2) | /linux/local/33322.c 52 | Linux Kernel 2.6.x - Ext4 - 'move extents' ioctl Local Privilege Escalation Vulnerability | /linux/local/33395.txt 53 | Linux Kernel 2.6.x - 'fasync_helper()' Local Privilege Escalation Vulnerability | /linux/local/33523.c 54 | [*] Do you wish to download all the exploit script to current directory and compile if possible? 55 | 1) Yes 56 | 2) No 57 | #? 1 58 | [*] The base directory is /usr/share/exploitdb/platforms 59 | [*] Do you wish to compile all the exploit script written in C? 60 | 1) Yes 61 | 2) No 62 | #? 1 63 | ************************************************** 64 | 65 | [*] Successfully Compiled 9 executable located in linux_2.6 66 | [*] Do you want to make a tar ball of the linux_2.6? (For convinient file transfer) 67 | 1) Yes 68 | 2) No 69 | #? 1 70 | [*] Auto Privilege Exploit Summary 71 | C file in /root/utilities/linux_2.6 has 16 files 72 | Python file in /root/utilities/linux_2.6 has 1 files 73 | Perl file in /root/utilities/linux_2.6 has 0 files 74 | Ruby file in /root/utilities/linux_2.6 has 0 files 75 | TXT file in /root/utilities/linux_2.6 has 2 files 76 | 77 | ``` 78 | --------------------------------------------------------------------------------