#!/usr/bin python3
# NOTE(review): the shebang above names the directory /usr/bin as the interpreter, so the
# file cannot be launched directly; `#!/usr/bin/env python3` is the usual form. The script
# is Python 3 only (it uses f-strings below).

###############################################################################################################
# [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
# [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
# -------------------------------------------------------------------------------------------------------------
# [Details]:
# This script is intended to be executed locally on a Linux box to enumerate basic system info and
# search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
# passwords and applicable exploits.
# -------------------------------------------------------------------------------------------------------------
# [Warning]:
# This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates,
# I did not write it to be efficient and in some cases you may find the functions may not produce the desired
# results. For example, the function that links packages to running processes is based on keywords and will
# not always be accurate. Also, the exploit list included in this function will need to be updated over time.
# Feel free to change or improve it any way you see fit.
# -------------------------------------------------------------------------------------------------------------
# [Modification, Distribution, and Attribution]:
# You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
# author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
# worth anything anyway :)
###############################################################################################################

# conditional import for older versions of python not compatible with subprocess
# NOTE(review): subprocess is always importable on the Python 3 interpreters this file
# requires, so the except-branch is effectively dead. execCmd() reads `compatmode` to
# choose between subprocess.Popen (0) and os.popen (1).
try:
    import subprocess as sub
    compatmode = 0 # newer version of python, no need for compatibility mode
except ImportError:
    import os # older version of python, need to use os instead
    compatmode = 1
    # NOTE(review): later in the script the name `os` is rebound to a string
    # (os = sysInfo["OS"]["results"][0]); the module must not be relied on after that point.

# title / formatting
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"  # not referenced anywhere in the visible script

print(bigline)
print("LINUX PRIVILEGE ESCALATION CHECKER")
print(bigline)
print()

# loop through dictionary, execute the commands, store the results, return updated dict


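def execCmd(cmdDict):
    """Run every command in *cmdDict* through a shell and store its stdout lines in place.

    Args:
        cmdDict: mapping of label -> {"cmd": str, "msg": str, "results": list[str]}.
            Each "cmd" is handed to a shell (shell=True), so this must only ever be
            fed the hard-coded command tables defined in this script, never
            anything derived from untrusted input.

    Returns:
        The same dict object, with each entry's "results" replaced by the list of
        stdout lines; because the output is split on "\\n", the last element is ""
        whenever the command's output ended with a newline.

    Side effects:
        Executes the commands. stderr is captured and discarded, so a missing
        tool simply yields an empty result list rather than an error.
    """
    for item in cmdDict:
        cmd = cmdDict[item]["cmd"]
        if compatmode == 0: # newer version of python, use preferred subprocess
            proc = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True)
            out, _err = proc.communicate()
            # Command output is not guaranteed to be valid UTF-8 (e.g. locale-specific
            # bytes in /etc/issue or log files); substitute rather than abort the whole run.
            results = out.decode("utf-8", errors="replace").split("\n")
        else: # older version of python, use os.popen
            echo_stdout = os.popen(cmd, "r")
            try:
                results = echo_stdout.read().split("\n")
            finally:
                echo_stdout.close()  # release the pipe handle even if read() fails
        cmdDict[item]["results"] = results
    return cmdDict
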
# print results for each previously executed command, no return value


def printResults(cmdDict):
    """Print each command-table entry as a "[+] msg" heading followed by its output.

    Args:
        cmdDict: mapping of label -> {"msg": str, "results": list[str]}, as
            filled in by execCmd(). Blank or whitespace-only output lines are
            skipped; every other line is printed stripped, prefixed by one space,
            and each entry is followed by an empty line.

    Returns:
        None -- output goes to stdout only.
    """
    for entry in cmdDict.values():
        print(f"[+] {entry['msg']}")
        for raw in entry["results"]:
            text = raw.strip()
            if text:
                print(f" {text}")
        print()
    return


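def writeResults(msg, results):
    """Append *msg* and the non-blank lines of *results* to privcheckout.txt.

    Args:
        msg: section heading written after the line count.
        results: output lines as produced by execCmd(). The count written is
            len(results) - 1 because the last element of a str.split("\\n")
            result is the empty string left after the final newline.

    Returns:
        None.

    Notes:
        Entries are written without newline separators (unchanged from the
        original format). The file is opened with a context manager so the
        handle is released even if a write fails, and with an explicit encoding
        so lines containing replacement characters cannot raise on write.
        Not called anywhere in the visible script.
    """
    with open("privcheckout.txt", "a", encoding="utf-8") as f:
        f.write("[+] " + str(len(results) - 1) + " " + msg)
        for result in results:
            text = result.strip()
            if text:
                f.write(" " + text)
    return

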
# Basic system info
print("[*] GETTING BASIC SYSTEM INFO...\n")

# Placeholder shared by every command table in this script; execCmd() overwrites
# each entry's "results" with that command's own output lines.
results = []

# (label, shell command, heading) rows, in the dict shape execCmd()/printResults() expect.
_sysRows = (
    ("OS", "cat /etc/issue", "Operating System"),
    ("KERNEL", "cat /proc/version", "Kernel"),
    ("HOSTNAME", "hostname", "Hostname"),
)
sysInfo = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _sysRows}

sysInfo = execCmd(sysInfo)
printResults(sysInfo)

# Networking Info

print("[*] GETTING NETWORKING INFO...\n")

# ifconfig/route/netstat are the legacy net-tools binaries; on a host without
# them the entry simply prints nothing, because execCmd() discards stderr.
_netRows = (
    ("NETINFO", "/sbin/ifconfig -a", "Interfaces"),
    ("ROUTE", "route", "Route"),
    ("NETSTAT", "netstat -antup | grep -v 'TIME_WAIT'", "Netstat"),
)
netInfo = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _netRows}

netInfo = execCmd(netInfo)
printResults(netInfo)

# File System Info
print("[*] GETTING FILESYSTEM INFO...\n")

# MOUNT output is also consulted by the exploit-ranking loop at the end of the script.
_driveRows = (
    ("MOUNT", "mount", "Mount results"),
    ("FSTAB", "cat /etc/fstab 2>/dev/null", "fstab entries"),
)
driveInfo = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _driveRows}

driveInfo = execCmd(driveInfo)
printResults(driveInfo)

# Scheduled Cron Jobs
_cronRows = (
    ("CRON", "ls -la /etc/cron* 2>/dev/null", "Scheduled cron jobs"),
    # the awk filter keeps lines whose mode string ends in "w?" (others-write bit set);
    # a trailing "." or "+" in the mode column (SELinux/ACL listings) may defeat it -- TODO confirm
    ("CRONW", "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "Writable cron dirs"),
)
cronInfo = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _cronRows}

cronInfo = execCmd(cronInfo)
printResults(cronInfo)

# User Info
print("\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n")

# SUPUSERS output (accounts with uid 0) is reused by the process/package matching below.
_userRows = (
    ("WHOAMI", "whoami", "Current User"),
    ("ID", "id", "Current User ID"),
    ("ALLUSERS", "cat /etc/passwd", "All users"),
    ("SUPUSERS", "grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "Super Users Found:"),
    ("HISTORY", "ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "Root and current user history (depends on privs)"),
    ("ENV", "env 2>/dev/null | grep -v 'LS_COLORS'", "Environment"),
    ("SUDOERS", "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "Sudoers (privileged)"),
    ("LOGGEDIN", "w 2>/dev/null", "Logged in User Activity"),
)
userInfo = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _userRows}

userInfo = execCmd(userInfo)
printResults(userInfo)

# Heuristic only: "root" anywhere in the first line of `id` output (uid, gid or a
# supplementary group) triggers the warning, so it can also fire for a non-root
# account that is merely a member of group 0.
_idLine = userInfo["ID"]["results"][0]
if "root" in _idLine:
    print("[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n")

# File/Directory Privs
print("[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n")

# The find expressions below contain "\(", "\)" and "\;" inside ordinary (non-raw)
# string literals. Python leaves an unknown escape sequence untouched, which is what
# the shell needs, but recent interpreters emit an invalid-escape warning for them.
_permRows = (
    ("WWDIRSROOT", "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "World Writeable Directories for User/Group 'Root'"),
    ("WWDIRS", "find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "World Writeable Directories for Users other than Root"),
    ("WWFILES", "find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "World Writable Files"),
    ("SUID", "find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "SUID/SGID Files and Directories"),
    ("ROOTHOME", "ls -ahlR /root 2>/dev/null", "Checking if root's home folder is accessible"),
)
fdPerms = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _permRows}

fdPerms = execCmd(fdPerms)
printResults(fdPerms)

# Keyword greps over logs and /etc config files; results are printed verbatim,
# so anything this turns up lands on the console and in any captured output.
_pwdRows = (
    ("LOGPWDS", "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "Logs containing keyword 'password'"),
    ("CONFPWDS", "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "Config files containing keyword 'password'"),
    ("SHADOW", "cat /etc/shadow 2>/dev/null", "Shadow File (Privileged)"),
)
pwdFiles = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _pwdRows}

pwdFiles = execCmd(pwdFiles)
printResults(pwdFiles)

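# Processes and Applications
print("[*] ENUMERATING PROCESSES AND APPLICATIONS...\n")

# Choose the package-listing command by distro family. /proc/version usually spells
# the distro with a capital ("Ubuntu", "Debian"), so match case-insensitively;
# anything not recognised as Debian-derived falls back to rpm.
_kernelLine = sysInfo["KERNEL"]["results"][0].lower()
if "debian" in _kernelLine or "ubuntu" in _kernelLine:
    # debian: blank the status ($1) and version ($4) columns of `dpkg -l`.
    # The awk action must be `print $0`; the previous form `print($0}` is an awk
    # syntax error, so (with stderr discarded by execCmd) the package list came back empty.
    getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'"
else:
    getPkgs = "rpm -qa | sort -u" # RH/other

_appRows = (
    # With a standard `ps aux` layout the selected columns are user, pid, start, time,
    # command; the process/package matching further down relies on the command being
    # the fifth space-separated field of each line.
    ("PROCS", "ps aux | awk '{print($1,$2,$9,$10,$11)}'", "Current processes"),
    ("PKGS", getPkgs, "Installed Packages"),
)
getAppProc = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _appRows}

getAppProc = execCmd(getAppProc)
printResults(getAppProc) # comment to reduce output

_otherRows = (
    ("SUDO", "sudo -V | grep version 2>/dev/null", "Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)"),
    ("APACHE", "apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "Apache Version and Modules"),
    ("APACHECONF", "cat /etc/apache2/apache2.conf 2>/dev/null", "Apache Config File"),
)
otherApps = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _otherRows}

otherApps = execCmd(otherApps)
printResults(otherApps)
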
print("[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n")

# find the package information for the processes currently running
# under root or another super user
# NOTE(review): this is keyword matching on text, as the file header warns -- the
# result is a hint for a human reviewer, not an authoritative process/package map.

procs = getAppProc["PROCS"]["results"]   # "user pid start time command" lines from the PROCS awk
pkgs = getAppProc["PKGS"]["results"]     # one installed package per line
supusers = userInfo["SUPUSERS"]["results"]  # account names with uid 0 ("" for the trailing split element)
procdict = {} # dictionary to hold the processes running as super users (keyed by the full ps line)

for proc in procs: # loop through each process
    relatedpkgs = [] # list to hold the packages related to a process
    try:
        for user in supusers: # loop through the known super users
            # substring test: a superuser name appearing anywhere in the line counts
            # (e.g. inside a command path), not only in the user column
            if (user != "") and (user in proc): # if the process is being run by a super user
                # fifth field == command, given the PROCS awk column list above;
                # a shorter line raises IndexError, which the bare except below swallows
                procname = proc.split(" ")[4] # grab the process name
                if "/" in procname:
                    splitname = procname.split("/")
                    procname = splitname[len(splitname)-1]
                for pkg in pkgs: # loop through the packages
                    if not len(procname) < 3: # name too short to get reliable package results
                        if procname in pkg:
                            # NOTE(review): procdict is keyed by the full `proc` line, so the
                            # short `procname` is never a key and this branch cannot run;
                            # harmless, because relatedpkgs is rebuilt for every process.
                            if procname in procdict:
                                # if already in the dict, grab its pkg list
                                relatedpkgs = procdict[proc]
                            if pkg not in relatedpkgs:
                                relatedpkgs.append(pkg) # add pkg to the list
                # add any found related packages to the process dictionary entry
                procdict[proc] = relatedpkgs
    # NOTE(review): a bare except hides every error, including real bugs; narrowing it to
    # IndexError (the short-line case above) would keep the best-effort behaviour.
    except:
        pass

for key in procdict:
    print(" " + key) # print the process name
    try:
        # only print the rest if related packages were found
        # (an empty list raises IndexError here, which the except below swallows, so a
        # process with no matched packages prints just its line)
        if not procdict[key][0] == "":
            print(" Possible Related Packages: ")
            for entry in procdict[key]:
                print(" " + entry) # print each related package
    except:
        pass

# EXPLOIT ENUMERATION

# First discover the available tools
print()
print("[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n")

# `which` prints one resolved path per tool it finds; the lines are later searched
# by substring, both for the shell-escape table and for the exploit language check.
_toolRows = (
    ("TOOLS", "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "Installed Tools"),
)
devTools = {label: {"cmd": cmd, "msg": msg, "results": results} for label, cmd, msg in _toolRows}
devTools = execCmd(devTools)
printResults(devTools)

print("[+] Related Shell Escape Sequences...\n")
# Table keyed by tool name. An entry is printed when the key occurs as a substring of
# any line of the `which` output above, so "vi" also matches a vim path and "find"
# matches any path containing that word; treat the listing as a prompt to review
# which interactive tools are installed, not as a confirmed finding.
escapeCmd = {"vi": [":!bash", ":set shell=/bin/bash:shell"], "awk": ["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl": [
    "perl -e 'exec \"/bin/bash\";'"], "find": ["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap": ["--interactive"]}
for cmd in escapeCmd:
    for result in devTools["TOOLS"]["results"]:
        if cmd in result:
            for item in escapeCmd[cmd]:
                print(" " + cmd + "-->\t" + item)
print()
print("[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n")

# Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
# NOTE(review): "minver"/"maxver" are strings and the ranking loop below compares them
# to the kernel release with plain string operators, so the ranges are only loosely
# honoured. A few rows (the Ubuntu/Debian Apache and Ubuntu PAM MOTD entries) hold
# distro release numbers rather than kernel versions, yet are compared the same way.
# The list ends at Exploit-DB id 25450 and has not been maintained since (see the header).
sploits = {"2.2.x-2.4.x ptrace kmod local exploit": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "3", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "< 2.4.20 Module Loader Local Root Exploit": {"minver": "0", "maxver": "2.4.20", "exploitdb": "12", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    # adjacent literals: the key is the single string "2.4.22 do_brk() local Root Exploit (PoC)"
    "2.4.22 "'do_brk()'" local Root Exploit (PoC)": {"minver": "2.4.22", "maxver": "2.4.22", "exploitdb": "129", "lang": "asm", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "<= 2.4.22 (do_brk) Local Root Exploit (working)": {"minver": "0", "maxver": "2.4.22", "exploitdb": "131", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4.x mremap() bound checking Root Exploit": {"minver": "2.4", "maxver": "2.4.99", "exploitdb": "145", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "<= 2.4.29-rc2 uselib() Privilege Elevation": {"minver": "0", "maxver": "2.4.29", "exploitdb": "744", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4 uselib() Privilege Elevation Exploit": {"minver": "2.4", "maxver": "2.4", "exploitdb": "778", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "895", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "926", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "bluez"}},
    "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)": {"minver": "0", "maxver": "2.6.11", "exploitdb": "1397", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit": {"minver": "0", "maxver": "99", "exploitdb": "1518", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "mysql"}},
    "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2004", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2005", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2006", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2011", "lang": "sh", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "<= 2.6.17.4 (proc) Local Root Exploit": {"minver": "0", "maxver": "2.6.17.4", "exploitdb": "2013", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2031", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit": {"minver": "4.10", "maxver": "7.04", "exploitdb": "3384", "lang": "c", "keywords": {"loc": ["os"], "val": "debian"}},
    "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit": {"minver": "2.4", "maxver": "2.6", "exploitdb": "4460", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit": {"minver": "0", "maxver": "2.6.11.5", "exploitdb": "4756", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "bluetooth"}},
    "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit": {"minver": "2.6.17", "maxver": "2.6.24.1", "exploitdb": "5092", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6.23 - 2.6.24 vmsplice Local Root Exploit": {"minver": "2.6.23", "maxver": "2.6.24", "exploitdb": "5093", "lang": "c", "keywords": {"loc": ["os"], "val": "debian"}},
    "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit": {"minver": "0", "maxver": "99", "exploitdb": "5720", "lang": "python", "keywords": {"loc": ["os"], "val": "debian"}},
    "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit": {"minver": "0", "maxver": "2.6.22", "exploitdb": "6851", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "< 2.6.29 exit_notify() Local Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.29", "exploitdb": "8369", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6 UDEV Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8478", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "udev"}},
    "2.6 UDEV < 141 Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8572", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "udev"}},
    "2.6.x ptrace_attach Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8673", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6.29 ptrace_attach() Local Root Race Condition Exploit": {"minver": "2.6.29", "maxver": "2.6.29", "exploitdb": "8678", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit": {"minver": "0", "maxver": "2.6.28.3", "exploitdb": "9083", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "Test Kernel Local Root Exploit 0day": {"minver": "2.6.18", "maxver": "2.6.30", "exploitdb": "9191", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)": {"minver": "2.6.9", "maxver": "2.6.30", "exploitdb": "9208", "lang": "c", "keywords": {"loc": ["pkg"], "val": "pulse"}},
    "2.x sock_sendpage() Local Ring0 Root Exploit": {"minver": "2", "maxver": "2.99", "exploitdb": "9435", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.x sock_sendpage() Local Root Exploit 2": {"minver": "2", "maxver": "2.99", "exploitdb": "9436", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9479", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit": {"minver": "2.6", "maxver": "2.6.19", "exploitdb": "9542", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9545", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)": {"minver": "0", "maxver": "2.6.19", "exploitdb": "9574", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "< 2.6.19 udp_sendmsg Local Root Exploit": {"minver": "0", "maxver": "2.6.19", "exploitdb": "9575", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4/2.6 sock_sendpage() Local Root Exploit [2]": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9598", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4/2.6 sock_sendpage() Local Root Exploit [3]": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9641", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation": {"minver": "2.4.1", "maxver": "2.6.32", "exploitdb": "9844", "lang": "python", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "'pipe.c' Local Privilege Escalation Vulnerability": {"minver": "2.4.1", "maxver": "2.6.32", "exploitdb": "10018", "lang": "sh", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.6.18-20 2009 Local Root Exploit": {"minver": "2.6.18", "maxver": "2.6.20", "exploitdb": "10613", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "Apache Spamassassin Milter Plugin Remote Root Command Execution": {"minver": "0", "maxver": "99", "exploitdb": "11662", "lang": "sh", "keywords": {"loc": ["proc"], "val": "spamass-milter"}},
    "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation": {"minver": "0", "maxver": "2.6.34", "exploitdb": "12130", "lang": "python", "keywords": {"loc": ["mnt"], "val": "reiser"}},
    "Ubuntu PAM MOTD local root": {"minver": "7", "maxver": "10.04", "exploitdb": "14339", "lang": "sh", "keywords": {"loc": ["os"], "val": "ubuntu"}},
    "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.36", "exploitdb": "14814", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "Kernel ia32syscall Emulation Privilege Escalation": {"minver": "0", "maxver": "99", "exploitdb": "15023", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "Linux RDS Protocol Local Privilege Escalation": {"minver": "0", "maxver": "2.6.36", "exploitdb": "15285", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "<= 2.6.37 Local Privilege Escalation": {"minver": "0", "maxver": "2.6.37", "exploitdb": "15704", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "< 2.6.37-rc2 ACPI custom_method Privilege Escalation": {"minver": "0", "maxver": "2.6.37", "exploitdb": "15774", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "CAP_SYS_ADMIN to root Exploit": {"minver": "0", "maxver": "99", "exploitdb": "15916", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)": {"minver": "0", "maxver": "99", "exploitdb": "15944", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "< 2.6.36.2 Econet Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.36.2", "exploitdb": "17787", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "Sendpage Local Privilege Escalation": {"minver": "0", "maxver": "99", "exploitdb": "19933", "lang": "ruby", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability": {"minver": "2.4.18", "maxver": "2.4.19", "exploitdb": "21598", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "22362", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "22363", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "Samba 2.2.8 Share Local Privilege Elevation Vulnerability": {"minver": "2.2.8", "maxver": "2.2.8", "exploitdb": "23674", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "samba"}},
    "open-time Capability file_ns_capable() - Privilege Escalation Vulnerability": {"minver": "0", "maxver": "99", "exploitdb": "25307", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
    "open-time Capability file_ns_capable() Privilege Escalation": {"minver": "0", "maxver": "99", "exploitdb": "25450", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
}

# variable declaration
# NOTE(review): this rebinds the name of the os module (imported in the compat branch at
# the top of the file) to the first line of /etc/issue. Nothing below calls os.popen, but
# any later addition that does would find a str here, not the module.
os = sysInfo["OS"]["results"][0]
# kernel release, e.g. "5.10.0" out of "Linux version 5.10.0-8-amd64 (...)"; assumes the
# third space-separated token of /proc/version is the release string -- TODO confirm per distro
version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0]
langs = devTools["TOOLS"]["results"]   # resolved paths printed by `which` (one per line)
procs = getAppProc["PROCS"]["results"]
kernel = str(sysInfo["KERNEL"]["results"][0])
mount = driveInfo["MOUNT"]["results"]  # list of lines, one per mount entry
# pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit applicability but may in future


# lists to hold ranked, applicable sploits
# note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks
# all applicable exploits should be checked and this function could probably use some improvement
avgprob = []
highprob = []

for sploit in sploits:
    lang = 0 # use to rank applicability of sploits
    keyword = sploits[sploit]["keywords"]["val"]
    sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + \
        sploits[sploit]["exploitdb"] + " || " + \
        "Language=" + sploits[sploit]["lang"]
    # first check for kernel applicability
    # NOTE(review): these are plain string comparisons, not numeric ones -- for example
    # "2.6.9" >= "2.6.13" is True -- so the range check yields both false positives and
    # false negatives; a tuple-of-ints comparison would be needed for a correct answer.
    if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]):
        # next check language applicability
        # ("gcc" in s) implies ("cc" in s), so the gcc test is subsumed by the cc test
        if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
            lang = 1 # language found, increase applicability score
        elif sploits[sploit]["lang"] == "sh":
            lang = 1 # language found, increase applicability score
        elif (sploits[sploit]["lang"] in str(langs)):
            lang = 1 # language found, increase applicability score
        if lang == 0:
            sploitout = sploitout + "**" # added mark if language not detected on system
        # next check keyword matches to determine if some sploits have a higher probability of success
        for loc in sploits[sploit]["keywords"]["loc"]:
            if loc == "proc":
                for proc in procs:
                    if keyword in proc:
                        # if sploit is associated with a running process consider it a higher probability/applicability
                        highprob.append(sploitout)
                        break
                # NOTE(review): this break leaves the loc loop whether or not a process matched,
                # so an entry whose first loc is "proc" but has no matching process lands in
                # neither list, and a following "pkg" loc is never examined.
                break
            elif loc == "os":
                if (keyword in os) or (keyword in kernel):
                    # if sploit is specifically applicable to this OS consider it a higher probability/applicability
                    highprob.append(sploitout)
                    break
            elif loc == "mnt":
                # NOTE(review): `mount` is a list of lines, so this is an exact-element test,
                # not a substring search; it only fires if an entire line equals the keyword.
                if keyword in mount:
                    # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
                    highprob.append(sploitout)
                    break
            else:
                # otherwise, consider average probability/applicability based only on kernel version
                # (reached for loc "kernel" and for the unused loc "pkg")
                avgprob.append(sploitout)

print(" Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!")
print()

print(" The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system")
for exploit in highprob:
    print(" - " + exploit)
print()

print(" The following exploits are applicable to this kernel version and should be investigated as well")
for exploit in avgprob:
    print(" - " + exploit)

print()
print("Finished")
print(bigline)