1#!/bin/bash
2
3#
4# Copyright (c) 2016-2019, mzet
5#
6# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
7# This is free software, and you are welcome to redistribute it
8# under the terms of the GNU General Public License. See LICENSE
9# file for usage of this software.
10#
11
VERSION=v1.0

# ANSI colour prefixes used when printing results. Single quotes keep the
# backslash-e literal (double quotes would too); presumably a later echo -e /
# printf turns it into an escape — that code is outside this block.
# txtred='\e[0;31m'   # previous red, kept for reference
txtred='\e[91;1m'
txtgrn='\e[1;32m'
txtgray='\e[0;37m'
txtblu='\e[0;36m'
txtrst='\e[0m'
bldwht='\e[1;37m'
wht='\e[0;36m'
bldblu='\e[1;34m'
yellow='\e[1;93m'
lightyellow='\e[0;93m'

# Input data: judging by the name and the --uname option below, the raw
# `uname -a` string of the host under assessment.
UNAME_A=''

# Values derived from the input for the OS being assessed.
KERNEL=''
OS=''
DISTRO=''
ARCH=''
PKG_LIST=''

# Kernel build configuration (.config contents), when one is supplied.
KCONFIG=''

# Optional CVE list file (see --cvelist-file below).
CVELIST_FILE=''

# Every command-line switch starts out disabled; the option parser (outside
# this block) flips the ones it sees. printf -v assigns without a subshell.
for _flag in opt_fetch_bins opt_fetch_srcs opt_kernel_version opt_uname_string \
    opt_pkglist_file opt_cvelist_file opt_checksec_mode opt_full opt_summary \
    opt_kernel_only opt_userspace_only opt_show_dos opt_skip_more_checks \
    opt_skip_pkg_versions; do
  printf -v "$_flag" '%s' false
done
unset _flag

# getopt specifications: short flags and their long equivalents.
ARGS=
SHORTOPTS='hVfbsu:k:dp:g'
LONGOPTS='help,version,full,fetch-binaries,fetch-sources,uname:,kernel:,show-dos,pkglist-file:,short,kernelspace-only,userspace-only,skip-more-checks,skip-pkg-versions,cvelist-file:,checksec'

## exploits database (kernel-space and user-space records, filled in below)
declare -a EXPLOITS EXPLOITS_USERSPACE

## scratch arrays used to order matched exploits by their Rank field
declare -a exploits_to_sort SORTED_EXPLOITS
68
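############ LINUX KERNELSPACE EXPLOITS ####################
# Kernel-space exploit table. Each entry is one multi-line record captured from
# a here-document (the $(cat ...) strips trailing newlines). Fields that occur
# across the records below:
#   Name:         display name with the CVE id(s) in brackets (coloured via
#                 ${txtgrn}/${txtrst}; DoS entries are marked via ${bldblu})
#   Reqs:         comma-separated match conditions: pkg=<name>, ver<op><x.y.z>,
#                 an arch token (x86 / x86_64), CONFIG_<opt>=<value>,
#                 sysctl:<key><op><value>, cmd:<shell test>
#   Tags:         distro=version[{kernel:<pattern>}] hints; may be empty
#   Rank:         relative priority (values used here: 0, 1, 4, 5)
#   analysis-url / src-url / bin-url / ext-url:  external references
#   exploit-db:   EDB id; may be empty or given twice
#   author / Comments:  free text, optional
# The parser that evaluates these fields is outside this block, so the above
# is read off the records themselves. Two caveats for maintainers of the table:
# cmd: conditions look like they are run as shell by the matcher (confirm in
# the matching code), so only trusted records belong here; and there is no
# checksum field, so anything fetched from bin-url/src-url cannot be
# integrity-checked from this table alone.
n=0

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} elflbl
Reqs: pkg=linux-kernel,ver=2.4.29
Tags:
Rank: 1
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/elflbl
exploit-db: 744
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} uselib()
Reqs: pkg=linux-kernel,ver=2.4.29
Tags:
Rank: 1
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
exploit-db: 778
Comments: Known to work only for 2.4 series (even though 2.6 is also vulnerable)
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} krad3
Reqs: pkg=linux-kernel,ver>=2.6.5,ver<=2.6.11
Tags:
Rank: 1
exploit-db: 1397
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-0077]${txtrst} mremap_pte
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.2
Tags:
Rank: 1
exploit-db: 160
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} raptor_prctl
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2031
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2004
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl2
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2005
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl3
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2006
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl4
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2011
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-3626]${txtrst} h00lyshit
Reqs: pkg=linux-kernel,ver>=2.6.8,ver<=2.6.16
Tags:
Rank: 1
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/h00lyshit
exploit-db: 2013
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-0600]${txtrst} vmsplice1
Reqs: pkg=linux-kernel,ver>=2.6.17,ver<=2.6.24
Tags:
Rank: 1
exploit-db: 5092
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-0600]${txtrst} vmsplice2
Reqs: pkg=linux-kernel,ver>=2.6.23,ver<=2.6.24
Tags:
Rank: 1
exploit-db: 5093
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-4210]${txtrst} ftrex
Reqs: pkg=linux-kernel,ver>=2.6.11,ver<=2.6.22
Tags:
Rank: 1
exploit-db: 6851
Comments: world-writable sgid directory and shell that does not drop sgid privs upon exec (ash/sash) are required
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-4210]${txtrst} exit_notify
Reqs: pkg=linux-kernel,ver>=2.6.25,ver<=2.6.29
Tags:
Rank: 1
exploit-db: 8369
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692]${txtrst} sock_sendpage (simple version)
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11
Rank: 1
exploit-db: 9479
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=9.04
Rank: 1
analysis-url: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9435.tgz
exploit-db: 9435
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage2
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9436.tgz
exploit-db: 9436
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage3
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9641.tar.gz
exploit-db: 9641
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage (ppc)
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=8.10,RHEL=4|5
Rank: 1
exploit-db: 9545
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg (by spender)
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgz
exploit-db: 9574
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
Tags: debian=4
Rank: 1
exploit-db: 9575
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} ip_append_data
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86
Tags: fedora=4|5|6,RHEL=4
Rank: 1
exploit-db: 9542
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 1
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 33321
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 2
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 33322
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 3
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 10018
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3301]${txtrst} ptrace_kmod2
Reqs: pkg=linux-kernel,ver>=2.6.26,ver<=2.6.34
Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},ubuntu=(10.04|10.10){kernel:2.6.(32|35)-(19|21|24)-server}
Rank: 1
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/kmod2
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/ptrace-kmod
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/ptrace_kmod2-64
exploit-db: 15023
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-1146]${txtrst} reiserfs
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=2.6.34
Tags: ubuntu=9.10
Rank: 1
exploit-db: 12130
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-2959]${txtrst} can_bcm
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=2.6.36
Tags: ubuntu=10.04{kernel:2.6.32-24-generic}
Rank: 1
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/can_bcm
exploit-db: 14814
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3904]${txtrst} rds
Reqs: pkg=linux-kernel,ver>=2.6.30,ver<2.6.37
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-(21|24)-generic}
Rank: 1
analysis-url: http://www.securityfocus.com/archive/1/514379
src-url: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds64
exploit-db: 15285
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3848,CVE-2010-3850,CVE-2010-4073]${txtrst} half_nelson
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=(10.04|9.10){kernel:2.6.(31|32)-(14|21)-server}
Rank: 1
bin-url: http://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/half-nelson3
exploit-db: 17787
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root
Reqs: pkg=linux-kernel,ver>=2.6.34,ver<=2.6.36,x86
Tags: ubuntu=10.10
Rank: 1
exploit-db: 15916
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root 2
Reqs: pkg=linux-kernel,ver>=2.6.34,ver<=2.6.36
Tags: ubuntu=10.10
Rank: 1
exploit-db: 15944
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-4347]${txtrst} american-sign-language
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags:
Rank: 1
exploit-db: 15774
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3437]${txtrst} pktcdvd
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=10.04
Rank: 1
exploit-db: 15150
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3081]${txtrst} video4linux
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.33
Tags: RHEL=5
Rank: 1
exploit-db: 15024
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056]${txtrst} memodipper
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=3.1.0
Tags: ubuntu=(10.04|11.10){kernel:3.0.0-12-(generic|server)}
Rank: 1
analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/
src-url: https://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64
exploit-db: 18411
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056,CVE-2010-3849,CVE-2010-3850]${txtrst} full-nelson
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server}
Rank: 1
src-url: http://vulnfactory.org/exploits/full-nelson.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson64
exploit-db: 15704
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1858]${txtrst} CLONE_NEWUSER|CLONE_FS
Reqs: pkg=linux-kernel,ver=3.8,CONFIG_USER_NS=y
Tags:
Rank: 1
src-url: http://stealth.openwall.net/xSports/clown-newuser.c
analysis-url: https://lwn.net/Articles/543273/
exploit-db: 38390
author: Sebastian Krahmer
Comments: CONFIG_USER_NS needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} perf_swevent
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9,x86_64
Tags: RHEL=6,ubuntu=12.04{kernel:3.2.0-(23|29)-generic},fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent64
exploit-db: 26131
author: Andrea 'sorbo' Bittau
Comments: No SMEP/SMAP bypass
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} perf_swevent 2
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9,x86_64
Tags: ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic}
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
src-url: https://cyseclabs.com/exploits/vnik_v1.c
exploit-db: 33589
author: Vitaly 'vnik' Nikolenko
Comments: No SMEP/SMAP bypass
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-0268]${txtrst} msr
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<3.7.6
Tags:
Rank: 1
exploit-db: 27297
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1959]${txtrst} userns_root_sploit
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<3.8.9
Tags:
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2013/04/29/1
exploit-db: 25450
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} semtex
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9
Tags: RHEL=6
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
exploit-db: 25444
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0038]${txtrst} timeoutpwn
Reqs: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y
Tags: ubuntu=13.10
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/timeoutpwn64
exploit-db: 31346
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0038]${txtrst} timeoutpwn 2
Reqs: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y
Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic}
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
exploit-db: 31347
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0196]${txtrst} rawmodePTY
Reqs: pkg=linux-kernel,ver>=2.6.31,ver<=3.14.3
Tags:
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
exploit-db: 33516
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-2851]${txtrst} use-after-free in ping_init_sock() ${bldblu}(DoS)${txtrst}
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.14
Tags:
Rank: 0
analysis-url: https://cyseclabs.com/page?n=02012016
exploit-db: 32926
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4014]${txtrst} inode_capable
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.13
Tags: ubuntu=12.04
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2014/06/10/4
exploit-db: 33824
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4699]${txtrst} ptrace/sysret
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.8
Tags: ubuntu=12.04
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2014/07/08/16
exploit-db: 34134
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4943]${txtrst} PPPoL2TP ${bldblu}(DoS)${txtrst}
Reqs: pkg=linux-kernel,ver>=3.2,ver<=3.15.6
Tags:
Rank: 1
analysis-url: https://cyseclabs.com/page?n=01102015
exploit-db: 36267
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-5207]${txtrst} fuse_suid
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.16.1
Tags:
Rank: 1
exploit-db: 34923
EOF
)

# CVE id corrected to match the analysis-url / src-url of this record
# (both reference cve-2014-9322); it previously read CVE-2015-9322.
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-9322]${txtrst} BadIRET
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<3.17.5,x86_64
Tags: RHEL<=7,fedora=20
Rank: 1
analysis-url: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
src-url: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
exploit-db:
author: Rafal 'n3rgal' Wojtczuk & Adam 'pi3' Zabrocki
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3290]${txtrst} espfix64_NMI
Reqs: pkg=linux-kernel,ver>=3.13,ver<4.1.6,x86_64
Tags:
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2015/08/04/8
exploit-db: 37722
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} bluetooth
Reqs: pkg=linux-kernel,ver<=2.6.11
Tags:
Rank: 1
exploit-db: 4756
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1328]${txtrst} overlayfs
Reqs: pkg=linux-kernel,ver>=3.13.0,ver<=3.19.0
Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/717
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_32
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_64
exploit-db: 37292
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8660]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
Tags:
Rank: 1
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db: 39230
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8660]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
Rank: 1
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db: 39166
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-0728]${txtrst} keyring
Reqs: pkg=linux-kernel,ver>=3.10,ver<4.4.1
Tags:
Rank: 0
analysis-url: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
exploit-db: 40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-2384]${txtrst} usb-midi
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.4.8
Tags: ubuntu=14.04,fedora=22
Rank: 1
analysis-url: https://xairy.github.io/blog/2016/cve-2016-2384
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
exploit-db: 41999
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4997]${txtrst} target_offset
Reqs: pkg=linux-kernel,ver>=4.4.0,ver<=4.4.0,cmd:grep -qi ip_tables /proc/modules
Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip
Comments: ip_tables.ko needs to be loaded
exploit-db: 40049
author: Vitaly 'vnik' Nikolenko
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4557]${txtrst} double-fdput()
Reqs: pkg=linux-kernel,ver>=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: ubuntu=16.04{kernel:4.4.0-(21|38|42|98|140)-generic}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
exploit-db: 40759
author: Jann Horn
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5195]${txtrst} dirtycow
Reqs: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Rank: 4
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
exploit-db: 40611
author: Phil Oester
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5195]${txtrst} dirtycow 2
Reqs: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Rank: 4
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
exploit-db: 40839
author: FireFart (author of exploit at EDB 40839); Gabriele Bonacini (author of exploit at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-8655]${txtrst} chocobo_root
Reqs: pkg=linux-kernel,ver>=4.4.0,ver<4.9,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2016/12/06/1
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/CVE-2016-8655/chocobo_root
exploit-db: 40871
author: rebel
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-9793]${txtrst} SO_{SND|RCV}BUFFORCE
Reqs: pkg=linux-kernel,ver>=3.11,ver<4.8.14,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags:
Rank: 1
analysis-url: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
exploit-db: 41995
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-6074]${txtrst} dccp
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=4.9.11,CONFIG_IP_DCCP=[my]
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2017/02/22/3
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
exploit-db: 41458
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-7308]${txtrst} af_packet
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Rank: 1
analysis-url: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-7308/exploit
exploit-db: 41994
author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-16995]${txtrst} eBPF_verifier
Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
Rank: 5
analysis-url: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-16995/exploit.out
exploit-db: 45010
author: Rick Larabee
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000112]${txtrst} NETIF_F_UFO
Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.13,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2017/08/13/1
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-1000112/exploit.out
exploit-db:
author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000253]${txtrst} PIE_stack_corruption
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.13,x86_64
Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
Rank: 1
analysis-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
src-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
exploit-db: 42887
author: Qualys
Comments:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2018-5333]${txtrst} rds_atomic_free_op NULL pointer dereference
Reqs: pkg=linux-kernel,ver=4.4.0,cmd:grep -qi rds /proc/modules,x86_64
Tags: ubuntu=16.04{kernel:4.4.0-(112|116)-generic}
Rank: 1
src-url: https://gist.githubusercontent.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4/raw/959325819c78248a6437102bb289bb8578a135cd/cve-2018-5333-poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2018-5333/cve-2018-5333.c
Comments: rds.ko kernel module needs to be loaded. Modified version at 'ext-url' adds support for additional targets and bypassing KASLR.
author: wbowling (orginal exploit author); bcoles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2018-18955]${txtrst} subuid_shell
Reqs: pkg=linux-kernel,ver>=4.15,ver<=4.19.2,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,cmd:[ -u /usr/bin/newuidmap ],cmd:[ -u /usr/bin/newgidmap ]
Tags: ubuntu=18.04{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
exploit-db: 45886
author: Jann Horn
Comments: CONFIG_USER_NS needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2019-13272]${txtrst} PTRACE_TRACEME
Reqs: pkg=linux-kernel,ver>=4,ver<5.1.17,sysctl:kernel.yama.ptrace_scope==0,x86_64
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
Comments: Requires an active PolKit agent.
exploit-db: 47133
exploit-db: 47163
author: Jann Horn (orginal exploit author); bcoles (author of exploit update at 'ext-url')
EOF
)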
858
859############ USERSPACE EXPLOITS ###########################
n=0

# Record format shared by EXPLOITS (above) and EXPLOITS_USERSPACE: each array
# element is one multi-line record of "key: value" lines.
#   Name     - label shown to the user; the CVE id is wrapped in txtgrn/txtrst
#   Reqs     - comma-separated conditions evaluated by checkRequirement():
#              pkg=<name>[|<alt>]  package present; the name is used as a
#                                  case-insensitive ERE against PKG_LIST,
#                                  so '|' lists alternative package names
#              ver<op><version>    version constraint (op: =, <, >, <=, >=);
#                                  compared with the kernel version for
#                                  pkg=linux-kernel, else the package version
#              x86 / x86_64        architecture, matched against ARCH
#              CONFIG_<opt>=<val>  kernel config option; passes when no
#                                  config is available or --skip-more-checks
#              sysctl:<key><op><v> sysctl check (handled past this chunk)
#              cmd:<shell test>    shell test (handled past this chunk;
#                                  presumably run as-is, so these must only
#                                  ever come from this built-in list)
#   Tags     - distro=version[|version][{pkg:version}] applicability hints
#   Rank     - sort key for the result list
#   analysis-url / src-url / bin-url / ext-url / exploit-db / author / Comments
#            - informational fields

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-0186]${txtrst} samba
Reqs: pkg=samba,ver<=2.2.8
Tags:
Rank: 1
exploit-db: 23674
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-1185]${txtrst} udev
Reqs: pkg=udev,ver<141,cmd:[[ -f /etc/udev/rules.d/95-udev-late.rules || -f /lib/udev/rules.d/95-udev-late.rules ]]
Tags: ubuntu=8.10|9.04
Rank: 1
exploit-db: 8572
Comments: Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-1185]${txtrst} udev 2
Reqs: pkg=udev,ver<141
Tags:
Rank: 1
exploit-db: 8478
Comments: SSH access to non privileged user is needed. Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-0832]${txtrst} PAM MOTD
Reqs: pkg=libpam-modules,ver<=1.1.1
Tags: ubuntu=9.10|10.04
Rank: 1
exploit-db: 14339
Comments: SSH access to non privileged user is needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-4170]${txtrst} SystemTap
Reqs: pkg=systemtap,ver<=1.3
Tags: RHEL=5{systemtap:1.1-3.el5},fedora=13{systemtap:1.2-1.fc13}
Rank: 1
author: Tavis Ormandy
exploit-db: 15620
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2011-1485]${txtrst} pkexec
Reqs: pkg=polkit,ver=0.96
Tags: RHEL=6,ubuntu=10.04|10.10
Rank: 1
exploit-db: 17942
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2011-2921]${txtrst} ktsuss
Reqs: pkg=ktsuss,ver<=1.4
Tags: sparky=5|6
Rank: 1
analysis-url: https://www.openwall.com/lists/oss-security/2011/08/13/2
src-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2011-2921/ktsuss-lpe.sh
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0809]${txtrst} death_star (sudo)
Reqs: pkg=sudo,ver>=1.8.0,ver<=1.8.3
Tags: fedora=16
Rank: 1
analysis-url: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
exploit-db: 18436
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0476]${txtrst} chkrootkit
Reqs: pkg=chkrootkit,ver<0.50
Tags:
Rank: 1
analysis-url: http://seclists.org/oss-sec/2014/q2/430
exploit-db: 33899
Comments: Rooting depends on the crontab (up to one day of delay)
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-5119]${txtrst} __gconv_translit_find
Reqs: pkg=glibc|libc6,x86
Tags: debian=6
Rank: 1
analysis-url: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/34421.tar.gz
exploit-db: 34421
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1862]${txtrst} newpid (abrt)
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: fedora=20
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db: 36746
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3315]${txtrst} raceabrt
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: fedora=19{abrt:2.1.5-1.fc19},fedora=20{abrt:2.2.2-2.fc20},fedora=21{abrt:2.3.0-3.fc21},RHEL=7{abrt:2.1.11-12.el7}
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/130
src-url: https://gist.githubusercontent.com/taviso/fe359006836d6cd1091e/raw/32fe8481c434f8cad5bcf8529789231627e5074c/raceabrt.c
exploit-db: 36747
author: Tavis Ormandy
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1318]${txtrst} newpid (apport)
Reqs: pkg=apport,ver>=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern
Tags: ubuntu=14.04
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db: 36746
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1318]${txtrst} newpid (apport) 2
Reqs: pkg=apport,ver>=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern
Tags: ubuntu=14.04.2
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
exploit-db: 36782
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3202]${txtrst} fuse (fusermount)
Reqs: pkg=fuse,ver<2.9.3
Tags: debian=7.0|8.0,ubuntu=*
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/520
exploit-db: 37089
Comments: Needs cron or system admin interaction
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1815]${txtrst} setroubleshoot
Reqs: pkg=setroubleshoot,ver<3.2.22
Tags: fedora=21
Rank: 1
exploit-db: 36564
EOF
)

# NOTE(review): the second RHEL tag below pins an .el7 package under RHEL=6;
# RHEL=7 looks intended — confirm before relying on the tag.
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3246]${txtrst} userhelper
Reqs: pkg=libuser,ver<=0.60
Tags: RHEL=6{libuser:0.56.13-(4|5).el6},RHEL=6{libuser:0.60-5.el7},fedora=13|19|20|21|22
Rank: 1
analysis-url: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
exploit-db: 37706
Comments: RHEL 5 is also vulnerable, but installed version of glibc (2.5) lacks functions needed by roothelper.c
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-5287]${txtrst} abrt/sosreport-rhel7
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: RHEL=7{abrt:2.1.11-12.el7}
Rank: 1
analysis-url: https://www.openwall.com/lists/oss-security/2015/12/01/1
src-url: https://www.openwall.com/lists/oss-security/2015/12/01/1/1
exploit-db: 38832
author: rebel
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-6565]${txtrst} not_an_sshnuke
Reqs: pkg=openssh-server,ver>=6.8,ver<=6.9
Tags:
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2017/01/26/2
exploit-db: 41173
author: Federico Bento
Comments: Needs admin interaction (root user needs to login via ssh to trigger exploitation)
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8612]${txtrst} blueman set_dhcp_handler d-bus privesc
Reqs: pkg=blueman,ver<2.0.3
Tags: debian=8{blueman:1.23}
Rank: 1
analysis-url: https://twitter.com/thegrugq/status/677809527882813440
exploit-db: 46186
author: Sebastian Krahmer
Comments: Distros use own versioning scheme. Manual verification needed.
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-1240]${txtrst} tomcat-rootprivesc-deb.sh
Reqs: pkg=tomcat
Tags: debian=8,ubuntu=16.04
Rank: 1
analysis-url: https://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
src-url: http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh
exploit-db: 40450
author: Dawid Golunski
Comments: Affects only Debian-based distros
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-1247]${txtrst} nginxed-root.sh
Reqs: pkg=nginx|nginx-full,ver<1.10.3
Tags: debian=8,ubuntu=14.04|16.04|16.10
Rank: 1
analysis-url: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
src-url: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
exploit-db: 40768
author: Dawid Golunski
Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0; gentoo: <1.10.2-r3
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-1531]${txtrst} perl_startup (exim)
Reqs: pkg=exim,ver<4.86.2
Tags:
Rank: 1
analysis-url: http://www.exim.org/static/doc/CVE-2016-1531.txt
exploit-db: 39549
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-1531]${txtrst} perl_startup (exim) 2
Reqs: pkg=exim,ver<4.86.2
Tags:
Rank: 1
analysis-url: http://www.exim.org/static/doc/CVE-2016-1531.txt
exploit-db: 39535
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4989]${txtrst} setroubleshoot 2
Reqs: pkg=setroubleshoot
Tags: RHEL=6|7
Rank: 1
analysis-url: https://c-skills.blogspot.com/2016/06/lets-feed-attacker-input-to-sh-c-to-see.html
src-url: https://github.com/stealth/troubleshooter/raw/master/straight-shooter.c
exploit-db:
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5425]${txtrst} tomcat-RH-root.sh
Reqs: pkg=tomcat
Tags: RHEL=7
Rank: 1
analysis-url: http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
src-url: http://legalhackers.com/exploits/tomcat-RH-root.sh
exploit-db: 40488
author: Dawid Golunski
Comments: Affects only RedHat-based distros
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-6663,CVE-2016-6664|CVE-2016-6662]${txtrst} mysql-exploit-chain
Reqs: pkg=mysql-server|mariadb-server,ver<5.5.52
Tags: ubuntu=16.04.1
Rank: 1
analysis-url: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
src-url: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
exploit-db: 40678
author: Dawid Golunski
Comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-9566]${txtrst} nagios-root-privesc
Reqs: pkg=nagios,ver<4.2.4
Tags:
Rank: 1
analysis-url: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
src-url: https://legalhackers.com/exploits/CVE-2016-9566/nagios-root-privesc.sh
exploit-db: 40921
author: Dawid Golunski
Comments: Allows priv escalation from nagios user or nagios group
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-0358]${txtrst} ntfs-3g-modprobe
Reqs: pkg=ntfs-3g,ver<2017.4
Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
exploit-db: 41356
author: Jann Horn
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-5899]${txtrst} s-nail-privget
Reqs: pkg=s-nail,ver<14.8.16
Tags: ubuntu=16.04,manjaro=16.10
Rank: 1
analysis-url: https://www.openwall.com/lists/oss-security/2017/01/27/7
src-url: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
author: wapiflapi (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
Comments: Distros use own versioning scheme. Manual verification needed.
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000367]${txtrst} Sudoer-to-root
Reqs: pkg=sudo,ver<=1.8.20,cmd:[ -f /usr/sbin/getenforce ]
Tags: RHEL=7{sudo:1.8.6p7}
Rank: 1
analysis-url: https://www.sudo.ws/alerts/linux_tty.html
src-url: https://www.qualys.com/2017/05/30/cve-2017-1000367/linux_sudo_cve-2017-1000367.c
exploit-db: 42183
author: Qualys
Comments: Needs to be sudoer. Works only on SELinux enabled systems
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000367]${txtrst} sudopwn
Reqs: pkg=sudo,ver<=1.8.20,cmd:[ -f /usr/sbin/getenforce ]
Tags:
Rank: 1
analysis-url: https://www.sudo.ws/alerts/linux_tty.html
src-url: https://raw.githubusercontent.com/c0d3z3r0/sudo-CVE-2017-1000367/master/sudopwn.c
exploit-db:
author: c0d3z3r0
Comments: Needs to be sudoer. Works only on SELinux enabled systems
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000366,CVE-2017-1000370]${txtrst} linux_ldso_hwcap
Reqs: pkg=glibc|libc6,ver<=2.25,x86
Tags:
Rank: 1
analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap.c
exploit-db: 42274
author: Qualys
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000366,CVE-2017-1000371]${txtrst} linux_ldso_dynamic
Reqs: pkg=glibc|libc6,ver<=2.25,x86
Tags: debian=9|10,ubuntu=14.04.5|16.04.2|17.04,fedora=23|24|25
Rank: 1
analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_dynamic.c
exploit-db: 42276
author: Qualys
Comments: Uses "Stack Clash" technique, works against most SUID-root PIEs
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000366,CVE-2017-1000379]${txtrst} linux_ldso_hwcap_64
Reqs: pkg=glibc|libc6,ver<=2.25,x86_64
Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
Rank: 1
analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
exploit-db: 42275
author: Qualys
Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000370,CVE-2017-1000371]${txtrst} linux_offset2lib
Reqs: pkg=glibc|libc6,ver<=2.25,x86
Tags:
Rank: 1
analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_offset2lib.c
exploit-db: 42273
author: Qualys
Comments: Uses "Stack Clash" technique
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2018-1000001]${txtrst} RationalLove
Reqs: pkg=glibc|libc6,ver<2.27,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,x86_64
Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
Rank: 1
analysis-url: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
src-url: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
Comments: kernel.unprivileged_userns_clone=1 required
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2018-1000001/RationalLove
exploit-db: 43775
author: halfdog
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2018-10900]${txtrst} vpnc_privesc.py
Reqs: pkg=networkmanager-vpnc|network-manager-vpnc,ver<1.2.6
Tags: ubuntu=16.04{network-manager-vpnc:1.1.93-1},debian=9.0{network-manager-vpnc:1.2.4-4},manjaro=17
Rank: 1
analysis-url: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
src-url: https://bugzilla.novell.com/attachment.cgi?id=779110
exploit-db: 45313
author: Denis Andzakovic
Comments: Distros use own versioning scheme. Manual verification needed.
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2018-14665]${txtrst} raptor_xorgy
Reqs: pkg=xorg-x11-server-Xorg,cmd:[ -u /usr/bin/Xorg ]
Tags: centos=7.4
Rank: 1
analysis-url: https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
exploit-db: 45922
author: raptor
Comments: X.Org Server before 1.20.3 is vulnerable. Distros use own versioning scheme. Manual verification needed.
EOF
)

# NOTE(review): this record carries two exploit-db keys; which one the parser
# keeps depends on code past this chunk — confirm the intended one survives.
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2019-7304]${txtrst} dirty_sock
Reqs: pkg=snapd,ver<2.37,cmd:[ -S /run/snapd.socket ]
Tags: ubuntu=18.10,mint=19
Rank: 1
analysis-url: https://initblog.com/2019/dirty-sock/
exploit-db: 46361
exploit-db: 46362
src-url: https://github.com/initstring/dirty_sock/archive/master.zip
author: InitString
Comments: Distros use own versioning scheme. Manual verification needed.
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2019-10149]${txtrst} raptor_exim_wiz
Reqs: pkg=exim|exim4,ver>=4.87,ver<=4.91
Tags:
Rank: 1
analysis-url: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
exploit-db: 46996
author: raptor
EOF
)

# This entry has no pkg= requirement: applicability rests solely on the cmd:
# file test, so it is independent of PKG_LIST.
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2019-12181]${txtrst} Serv-U FTP Server
Reqs: cmd:[ -u /usr/local/Serv-U/Serv-U ]
Tags: debian=9
Rank: 1
analysis-url: https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html
exploit-db: 47009
src-url: https://raw.githubusercontent.com/guywhataguy/CVE-2019-12181/master/servu-pe-cve-2019-12181.c
ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-12181/SUroot
author: Guy Levin (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
Comments: Modified version at 'ext-url' uses bash exec technique, rather than compiling with gcc.
EOF
)
1350
1351###########################################################
1352## security related HW/kernel features
1353###########################################################
n=0

# Records for the --checksec report.  FEATURES is not pre-declared like
# EXPLOITS/EXPLOITS_USERSPACE; bash creates it on the first indexed
# assignment.  Keys:
#   section      - heading printed for the records that follow it
#   feature      - human-readable name of the protection / attack-surface item
#   available    - condition for the kernel to ship the feature: a CONFIG_
#                  option (grepped against the kernel config as an ERE by
#                  checkRequirement) and/or ver>=<kernel version> (compared
#                  against KERNEL because opt_checksec_mode is set)
#   enabled      - runtime condition: sysctl:<key><op><value> or cmd:<shell>
#                  (both handled past this chunk)
#   analysis-url - write-up for the feature

FEATURES[((n++))]=$(cat <<EOF
section: Mainline kernel protection mechanisms:
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Kernel Page Table Isolation (PTI) support
available: ver>=4.15
enabled: cmd:grep -Eqi '\spti' /proc/cpuinfo
analysis-url: https://github.com/mzet-/les-res/blob/master/features/pti.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: GCC stack protector support
available: CONFIG_HAVE_STACKPROTECTOR=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/stackprotector-regular.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: GCC stack protector STRONG support
available: CONFIG_STACKPROTECTOR_STRONG=y,ver>=3.14
analysis-url: https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md
EOF
)

# The CONFIG_ value is matched as an extended regex, hence '[0-9]+' accepts
# any numeric default.
FEATURES[((n++))]=$(cat <<EOF
feature: Low address space to protect from user allocation
available: CONFIG_DEFAULT_MMAP_MIN_ADDR=[0-9]+
enabled: sysctl:vm.mmap_min_addr!=0
analysis-url: https://github.com/mzet-/les-res/blob/master/features/mmap_min_addr.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Prevent users from using ptrace to examine the memory and state of their processes
available: CONFIG_SECURITY_YAMA=y
enabled: sysctl:kernel.yama.ptrace_scope!=0
analysis-url: https://github.com/mzet-/les-res/blob/master/features/yama_ptrace_scope.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Restrict unprivileged access to kernel syslog
available: CONFIG_SECURITY_DMESG_RESTRICT=y,ver>=2.6.37
enabled: sysctl:kernel.dmesg_restrict!=0
analysis-url: https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Randomize the address of the kernel image (KASLR)
available: CONFIG_RANDOMIZE_BASE=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/kaslr.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Hardened user copy support
available: CONFIG_HARDENED_USERCOPY=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/hardened_usercopy.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Make kernel text and rodata read-only
available: CONFIG_STRICT_KERNEL_RWX=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_kernel_rwx.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Set loadable kernel module data as NX and text as RO
available: CONFIG_STRICT_MODULE_RWX=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_module_rwx.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: BUG() conditions reporting
available: CONFIG_BUG=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bug.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Additional 'cred' struct checks
available: CONFIG_DEBUG_CREDENTIALS=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/debug_credentials.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Sanity checks for notifier call chains
available: CONFIG_DEBUG_NOTIFIERS=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/debug_notifiers.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Extended checks for linked-lists walking
available: CONFIG_DEBUG_LIST=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/debug_list.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Checks on scatter-gather tables
available: CONFIG_DEBUG_SG=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/debug_sg.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Checks for data structure corruptions
available: CONFIG_BUG_ON_DATA_CORRUPTION=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bug_on_data_corruption.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Checks for a stack overrun on calls to 'schedule'
available: CONFIG_SCHED_STACK_END_CHECK=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/sched_stack_end_check.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Freelist order randomization on new pages creation
available: CONFIG_SLAB_FREELIST_RANDOM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/slab_freelist_random.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Freelist metadata hardening
available: CONFIG_SLAB_FREELIST_HARDENED=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/slab_freelist_hardened.md
EOF
)

# The '!' negates the grep: the option counts as available unless slub_debug
# has been switched off on the kernel command line.
FEATURES[((n++))]=$(cat <<EOF
feature: Allocator validation checking
available: CONFIG_SLUB_DEBUG_ON=y,cmd:! grep 'slub_debug=-' /proc/cmdline
analysis-url: https://github.com/mzet-/les-res/blob/master/features/slub_debug.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Virtually-mapped kernel stacks with guard pages
available: CONFIG_VMAP_STACK=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/vmap_stack.md
EOF
)

# NOTE(review): 'cmd: grep' below has a space after the colon, unlike every
# other cmd: condition in this file — confirm the cmd: handler tolerates it.
FEATURES[((n++))]=$(cat <<EOF
feature: Pages poisoning after free_pages() call
available: CONFIG_PAGE_POISONING=y
enabled: cmd: grep 'page_poison=1' /proc/cmdline
analysis-url: https://github.com/mzet-/les-res/blob/master/features/page_poisoning.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Using 'refcount_t' instead of 'atomic_t'
available: CONFIG_REFCOUNT_FULL=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/refcount_full.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Hardening common str/mem functions against buffer overflows
available: CONFIG_FORTIFY_SOURCE=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/fortify_source.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Restrict /dev/mem access
available: CONFIG_STRICT_DEVMEM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_devmem.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Restrict I/O access to /dev/mem
available: CONFIG_IO_STRICT_DEVMEM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/io_strict_devmem.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
section: Hardware-based protection features:
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Supervisor Mode Execution Protection (SMEP) support
available: ver>=3.0
enabled: cmd:grep -qi smep /proc/cpuinfo
analysis-url: https://github.com/mzet-/les-res/blob/master/features/smep.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Supervisor Mode Access Prevention (SMAP) support
available: ver>=3.7
enabled: cmd:grep -qi smap /proc/cpuinfo
analysis-url: https://github.com/mzet-/les-res/blob/master/features/smap.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
section: 3rd party kernel protection mechanisms:
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Grsecurity
available: CONFIG_GRKERNSEC=y
enabled: cmd:test -c /dev/grsec
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: PaX
available: CONFIG_PAX=y
enabled: cmd:test -x /sbin/paxctl
EOF
)

# No 'available:' line: LKRG is an out-of-tree module, so only the runtime
# presence check applies.
FEATURES[((n++))]=$(cat <<EOF
feature: Linux Kernel Runtime Guard (LKRG) kernel module
enabled: cmd:test -d /proc/sys/lkrg
analysis-url: https://github.com/mzet-/les-res/blob/master/features/lkrg.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
section: Attack Surface:
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: User namespaces for unprivileged accounts
available: CONFIG_USER_NS=y
enabled: sysctl:kernel.unprivileged_userns_clone==1
analysis-url: https://github.com/mzet-/les-res/blob/master/features/user_ns.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Unprivileged access to bpf() system call
available: CONFIG_BPF_SYSCALL=y
enabled: sysctl:kernel.unprivileged_bpf_disabled!=1
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
EOF
)

# NOTE(review): the enabled: pipeline below ends in awk, so its exit status is
# awk's (0) whenever /proc/self/status is readable — as a pass/fail check it is
# effectively always true; presumably the printed Seccomp mode is what the
# caller wants, confirm against the cmd: handler.  Its analysis-url is the
# bpf_syscall page, which looks like a copy-paste.
FEATURES[((n++))]=$(cat <<EOF
feature: Syscalls filtering
available: CONFIG_SECCOMP=y
enabled: cmd:grep -i Seccomp /proc/self/status | awk '{print \$2}'
analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Support for /dev/mem access
available: CONFIG_DEVMEM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/devmem.md
EOF
)

FEATURES[((n++))]=$(cat <<EOF
feature: Support for /dev/kmem access
available: CONFIG_DEVKMEM=y
analysis-url: https://github.com/mzet-/les-res/blob/master/features/devkmem.md
EOF
)
1637
1638
#######################################
# Print the script's version banner.
# Globals:   VERSION (read)
# Outputs:   one line on stdout
#######################################
version() {
    printf '%s\n' "linux-exploit-suggester ${VERSION}, mzet, https://z-labs.eu, March 2019"
}
1642
#######################################
# Print the command-line help text.
# Outputs:   the usage block on stdout
#######################################
usage() {
    # quoted delimiter: the text is emitted verbatim, nothing is expanded
    cat <<'EOF'
Usage: linux-exploit-suggester.sh [OPTIONS]

 -V | --version - print version of this script
 -h | --help - print this help
 -k | --kernel <version> - provide kernel version
 -u | --uname <string> - provide 'uname -a' string
 --skip-more-checks - do not perform additional checks (kernel config, sysctl) to determine if exploit is applicable
 --skip-pkg-versions - skip checking for exact userspace package version (helps to avoid false negatives)
 -p | --pkglist-file <file> - provide file with 'dpkg -l' or 'rpm -qa' command output
 --cvelist-file <file> - provide file with Linux kernel CVEs list
 --checksec - list security related features for your HW/kernel
 -s | --fetch-sources - automatically downloads source for matched exploit
 -b | --fetch-binaries - automatically downloads binary for matched exploit if available
 -f | --full - show full info about matched exploit
 -g | --short - show shorten info about matched exploit
 --kernelspace-only - show only kernel vulnerabilities
 --userspace-only - show only userspace vulnerabilities
 -d | --show-dos - show also DoSes in results
EOF
}
1663
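#######################################
# Print a message on stderr and terminate the script with status 1.
# Arguments: $1 - message text
# Outputs:   $1 followed by a newline on stderr
# Returns:   never; exits 1
#######################################
exitWithErrMsg() {
    # printf rather than echo: a message starting with "-n"/"-e" must not be
    # swallowed as an echo option
    printf '%s\n' "$1" >&2
    exit 1
}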
1668
# extracts all information from output of 'uname -a' command
#######################################
# Fill the global OS-description variables from one 'uname -a' line.
# Globals:   KERNEL, KERNEL_ALL, ARCH, OS (all written)
# Arguments: $1 - full output of 'uname -a' (or the string given via -u)
# Outputs:   nothing
#######################################
parseUname() {
    local uname=$1
    local lowered probe

    # third field is the kernel release (e.g. 4.15.0-54-generic); KERNEL keeps
    # only the part before the first dash
    KERNEL_ALL=$(echo "$uname" | awk '{print $3}')
    KERNEL=$(cut -d '-' -f 1 <<<"$KERNEL_ALL")
    # the next-to-last field is the machine architecture
    ARCH=$(echo "$uname" | awk '{print $(NF-1)}')

    # distribution markers are matched case-insensitively; the checks run in
    # this order and a later hit overrides an earlier one ('ubuntu' after 'deb')
    OS=""
    lowered=$(echo "$uname" | tr '[:upper:]' '[:lower:]')
    for probe in 'deb:debian' 'ubuntu:ubuntu' '-arch:arch' '-deepin:deepin' \
                 '-manjaro:manjaro' '.fc:fedora' '.el:RHEL' '.mga:mageia'; do
        [[ "$lowered" == *"${probe%%:*}"* ]] && OS=${probe#*:}
    done

    # 'uname -a' output doesn't contain distribution number (at least not in case of all distros)
}
1689
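#######################################
# Populate the global PKG_LIST (one "name-version" entry per line) and, when
# the listing comes from a user-supplied file, also the global OS.
# Globals:   opt_pkglist_file (read), PKG_LIST (written),
#            OS (written only in the file branch)
# Arguments: $1 - detected distro name (debian, ubuntu, RHEL, fedora, arch, ...)
#            $2 - path of a saved 'dpkg -l' / 'rpm -qa' / 'pacman -Q' output
# Outputs:   nothing
# Returns:   0; PKG_LIST is empty when no listing could be obtained or the
#            file format was not recognised
#######################################
getPkgList() {
    local distro=$1
    local pkglist_file=$2

    if [[ "$opt_pkglist_file" == "true" && -e "$pkglist_file" ]]; then
        # Sniff the listing format from its content.  Detection is by fixed
        # patterns only, so an unrecognised file yields an empty PKG_LIST
        # rather than a mis-parsed one.
        if head -1 "$pkglist_file" | grep -q 'Desired=Unknown/Install/Remove/Purge/Hold'; then
            # 'dpkg -l': columns are status, name, version, ...; the multiarch
            # suffix is dropped so names match the Reqs entries
            PKG_LIST=$(awk '{print $2"-"$3}' "$pkglist_file" | sed 's/:amd64//g')
            OS="debian"
            grep -q ubuntu "$pkglist_file" && OS="ubuntu"
        elif grep -E -q '\.el[1-9]+[\._]' "$pkglist_file"; then
            # 'rpm -qa' from RHEL/CentOS (release tag .elN)
            PKG_LIST=$(<"$pkglist_file")
            OS="RHEL"
        elif grep -E -q '\.fc[1-9]+' "$pkglist_file"; then
            # 'rpm -qa' from Fedora (release tag .fcN).  The previous pattern
            # had a stray "i" glued after the closing quote, which demanded a
            # literal 'i' right after the release number and never matched a
            # real Fedora listing.
            PKG_LIST=$(<"$pkglist_file")
            OS="fedora"
        elif grep -E -q '\.mga[1-9]+' "$pkglist_file"; then
            # 'rpm -qa' from Mageia (release tag .mgaN)
            PKG_LIST=$(<"$pkglist_file")
            OS="mageia"
        elif grep -E -q '\ [0-9]+\.' "$pkglist_file"; then
            # 'pacman -Q': "name version" per line
            PKG_LIST=$(awk '{print $1"-"$2}' "$pkglist_file")
            OS="arch"
        else
            # file not recognized - skipping
            PKG_LIST=""
        fi
        return 0
    fi

    # no listing file: query the package manager of the detected distro
    case "$distro" in
        debian|ubuntu|deepin)
            PKG_LIST=$(dpkg -l | awk '{print $2"-"$3}' | sed 's/:amd64//g') ;;
        RHEL|fedora|mageia)
            PKG_LIST=$(rpm -qa) ;;
        arch|manjaro)
            PKG_LIST=$(pacman -Q | awk '{print $1"-"$2}') ;;
        *)
            if [[ -x /usr/bin/equery ]]; then
                # Gentoo: equery prints category/name:version, the category is dropped
                PKG_LIST=$(/usr/bin/equery --quiet list '*' -F '$name:$version' | cut -d/ -f2- | awk '{print $1":"$2}')
            else
                # packages listing not available
                PKG_LIST=""
            fi ;;
    esac
    return 0
}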
1737
# from: https://stackoverflow.com/questions/4023830/how-compare-two-strings-in-dot-separated-version-format-in-bash
#######################################
# Compare two dot-separated version strings field by field, numerically.
# Arguments: $1 - first version (e.g. 4.15.0)
#            $2 - second version
# Returns:   0 if equal, 1 if $1 is newer than $2, 2 if $1 is older than $2
#######################################
verComparision() {
    # identical strings need no field walk
    [[ $1 == $2 ]] && return 0

    local IFS=.
    local -a lhs=($1) rhs=($2)
    local idx len=${#lhs[@]}
    (( ${#rhs[@]} > len )) && len=${#rhs[@]}

    # walk the longer of the two; a missing or empty field counts as 0
    for (( idx = 0; idx < len; idx++ )); do
        local a=${lhs[idx]:-0} b=${rhs[idx]:-0}
        # 10# forces base ten so fields with leading zeros are not read as octal
        (( 10#$a > 10#$b )) && return 1
        (( 10#$a < 10#$b )) && return 2
    done

    return 0
}
1774
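#######################################
# Check whether an installed version satisfies a "<relation><version>"
# requirement, e.g. currentVersion 4.4 against reqRelation '>=' reqVersion 4.0.
# Arguments: $1 - required version
#            $2 - relation: '=', '>', '<', '>=' or '<='
#            $3 - version actually present
# Returns:   0 when the requirement is met, 1 otherwise (also for an unknown
#            relation — the previous code fell through the if-chain and
#            returned 0 in that case)
#######################################
doVersionComparision() {
    local reqVersion="$1"
    local reqRelation="$2"
    local currentVersion="$3"
    local currentRelation

    # NOTE(review): both arguments are deliberately left unquoted to keep the
    # upstream behaviour for an empty currentVersion (the arguments shift and
    # verComparision then compares reqVersion against nothing) — confirm that
    # this is intended before quoting them.
    # shellcheck disable=SC2086
    verComparision $currentVersion $reqVersion
    case $? in
        0) currentRelation='=' ;;
        1) currentRelation='>' ;;
        2) currentRelation='<' ;;
        *) return 1 ;;
    esac

    # the status of the [[ ]] test in the matching arm is the function's result
    case "$reqRelation" in
        '=')  [[ "$currentRelation" == '=' ]] ;;
        '>')  [[ "$currentRelation" == '>' ]] ;;
        '<')  [[ "$currentRelation" == '<' ]] ;;
        '>=') [[ "$currentRelation" == '=' || "$currentRelation" == '>' ]] ;;
        '<=') [[ "$currentRelation" == '=' || "$currentRelation" == '<' ]] ;;
        *)    return 1 ;;
    esac
}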
1801
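#######################################
# Compare two values with an equality or inequality operator.
# Arguments: $1 - value actually present
#            $2 - value required
#            $3 - operator: '==' or '!='
# Returns:   0 when "$1 $3 $2" holds, 1 otherwise (including unknown operator)
#######################################
compareValues() {
    # declared local: the previous version leaked curVal/val/sign as globals
    local curVal=$1
    local val=$2
    local sign=$3

    case "$sign" in
        '==') [[ "$val" == "$curVal" ]] ;;
        '!=') [[ "$val" != "$curVal" ]] ;;
        *)    return 1 ;;
    esac
}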
1815
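checkRequirement() {
    # Evaluate a single requirement token of a DB entry (the 'Reqs:' line of an
    # exploit, or the 'available:'/'enabled:' line of a --checksec feature).
    #
    # Arguments:
    #   $1 - the requirement token, one of
    #          pkg=NAME         NAME (or 'linux-kernel') must be installed
    #          verOPX.Y.Z       version relation, OP in = > < >= <= (e.g. 'ver>=4.4')
    #          x86_64 | x86     architecture must match (an unknown ARCH matches both)
    #          CONFIG_FOO=y     text must appear in the kernel config
    #          sysctl:KEY==V    sysctl KEY must be (==) / must not be (!=) V
    #          cmd:SNIPPET      shell snippet must exit 0
    #   $2 - first token of the same entry ('pkg=NAME'); its characters from
    #        offset 4 name the package a 'ver' token refers to. checksecMode
    #        passes no $2, so pkgName is empty there.
    # Globals read: PKG_LIST KERNEL KCONFIG ARCH opt_checksec_mode
    #               opt_cvelist_file opt_skip_more_checks opt_skip_pkg_versions
    # Returns: 0 met, or the check is skipped / not applicable in this mode
    #          1 not met
    #          2 sysctl key does not exist on this host (--checksec only)
    # Outputs: stdout of a 'cmd:' snippet passes through (checksecMode captures it).
    # Aborts via exitWithErrMsg on a malformed sysctl condition in the DB.
    local IN="$1"
    local pkgName="${2:4}"
    local pkg version rest operator pkgVersion
    local sysctlCondition sign val entry curVal sysctlBin cmd

    if [[ "$IN" =~ ^pkg=.*$ ]]; then

        # the kernel is always "installed" on a Linux host
        [[ "$pkgName" == "linux-kernel" ]] && return 0

        # PKG_LIST holds one 'name-version...' line per package; anchor the name
        # and require a version digit so 'pkg=foo' does not accept 'foo-bar-1.0'
        pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1)
        [[ -n "$pkg" ]] && return 0

    elif [[ "$IN" =~ ^ver.*$ ]]; then
        # 'ver>=4.4.0' -> version '4.4.0', operator '>='
        version="${IN//[^0-9.]/}"
        rest="${IN#ver}"
        operator="${rest%"$version"}"

        if [[ "$pkgName" == "linux-kernel" || "$opt_checksec_mode" == "true" ]]; then

            # --cvelist-file mode: the CVE list decides, skip the kernel version comparison
            [[ "$opt_cvelist_file" == "true" ]] && return 0

            doVersionComparision "$version" "$operator" "$KERNEL" && return 0
        else
            # extract the package version and check whether the requirement holds
            pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1)

            # --skip-pkg-versions: an installed package of any version is enough
            [[ "$opt_skip_pkg_versions" == "true" && -n "$pkg" ]] && return 0

            # 'name-1:2.3.4+dfsg-1' -> '2.3.4': take the dash-delimited version
            # field, drop an epoch prefix, '+'/'-' characters and 'pN' suffixes
            pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g')
            doVersionComparision "$version" "$operator" "$pkgVersion" && return 0
        fi

    elif [[ "$IN" == "x86_64" ]]; then
        # an unknown ARCH (-k / -p modes) matches either architecture
        [[ "$ARCH" == "x86_64" || -z "$ARCH" ]] && return 0

    elif [[ "$IN" == "x86" ]]; then
        [[ "$ARCH" == "i386" || "$ARCH" == "i686" || -z "$ARCH" ]] && return 0

    elif [[ "$IN" =~ ^CONFIG_.*$ ]]; then

        # skip if the check is not applicable (-k, --uname or -p set) or if the user said so (--skip-more-checks)
        [[ "$opt_skip_more_checks" == "true" ]] && return 0

        # config is not available: cannot decide, keep the entry
        [[ -z "$KCONFIG" ]] && return 0

        # KCONFIG is a command line ('zcat /proc/config.gz'), so it must word-split.
        # This is a plain substring search for the token (e.g. 'CONFIG_USER_NS=y').
        if $KCONFIG | grep -E -qi -- "$IN"; then
            return 0
        fi
        # required option wasn't found, exploit is not applicable
        return 1

    elif [[ "$IN" =~ ^sysctl:.*$ ]]; then

        # skip if the check is not applicable (-k, --uname or -p modes) or if the user said so (--skip-more-checks)
        [[ "$opt_skip_more_checks" == "true" ]] && return 0

        sysctlCondition="${IN:7}"

        # extract sysctl entry, relation sign and required value ('KEY==V' / 'KEY!=V')
        if [[ "$sysctlCondition" == *"!="* ]]; then
            sign="!="
        elif [[ "$sysctlCondition" == *"=="* ]]; then
            sign="=="
        else
            exitWithErrMsg "Wrong sysctl condition. There is syntax error in your features DB. Aborting."
        fi
        entry="${sysctlCondition%%"$sign"*}"
        val="${sysctlCondition#*"$sign"}"

        # get the current setting of the entry. Fall back to PATH when
        # /sbin/sysctl is absent, otherwise every sysctl check is silently
        # skipped. The key is anchored at line start and must be followed by
        # '=' so 'kernel.foo' cannot pick up 'kernel.foobar' (and several lines
        # at once, which the unquoted call to compareValues used to mis-split);
        # awk strips the blanks around '='.
        sysctlBin=/sbin/sysctl
        [[ -x "$sysctlBin" ]] || sysctlBin=$(command -v sysctl 2>/dev/null)
        curVal=""
        if [[ -n "$sysctlBin" ]]; then
            curVal=$("$sysctlBin" -a 2>/dev/null | grep -E "^${entry}[[:space:]]*=" | head -1 | awk -F' *= *' '{print $2}')
        fi

        # special case for --checksec mode: return 2 if there is no such switch in sysctl
        [[ -z "$curVal" && "$opt_checksec_mode" == "true" ]] && return 2

        # for other modes: skip if there is no such switch in sysctl
        [[ -z "$curVal" ]] && return 0

        # compare & return result
        compareValues "$curVal" "$val" "$sign" && return 0

    elif [[ "$IN" =~ ^cmd:.*$ ]]; then

        # skip if the check is not applicable (-k, --uname or -p modes) or if the user said so (--skip-more-checks)
        [[ "$opt_skip_more_checks" == "true" ]] && return 0

        cmd="${IN:4}"
        # NOTE(security): runs an arbitrary shell snippet with the caller's
        # privileges; its stdout passes through to the caller. Entries come
        # from the DB embedded in this script - never route untrusted input here.
        if eval "${cmd}"; then
            return 0
        fi
    fi

    return 1
}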
1923
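getKernelConfig() {
    # Locate the running kernel's configuration and store in the global
    # KCONFIG a command line that prints it ('' when none is usable).
    # Probes, in order: /proc/config.gz, /boot/config-$(uname -r), then
    # ${KBUILD_OUTPUT:-/usr/src/linux}/.config.
    # Candidates must be readable (-r), not merely present (-f): a config the
    # current user cannot read (e.g. a root-only /boot/config-*) would give an
    # empty stream, and checkRequirement treats "option not in config" as
    # "entry not applicable" - applicable entries would be hidden instead of
    # the check being skipped.
    local release srcConfig
    release=$(uname -r)
    srcConfig="${KBUILD_OUTPUT:-/usr/src/linux}/.config"

    KCONFIG=""
    if [[ -f /proc/config.gz && -r /proc/config.gz ]]; then
        KCONFIG="zcat /proc/config.gz"
    elif [[ -f "/boot/config-${release}" && -r "/boot/config-${release}" ]]; then
        KCONFIG="cat /boot/config-${release}"
    elif [[ -f "$srcConfig" && -r "$srcConfig" ]]; then
        KCONFIG="cat ${srcConfig}"
    fi
}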
1936
checksecMode() {
    # --checksec: walk the FEATURES DB (declared elsewhere in this file) and
    # print, per hardening feature, whether it is available on this kernel and
    # switched on.
    #
    # Each FEATURES entry is a here-doc. A line 0 starting with 'section:'
    # opens a new display section and advances MODE; otherwise line 0 is the
    # feature name, line 1 is 'available: <reqs>' and optional
    # 'enabled: <reqs>', 'feature: <text>' and 'analysis-url: <url>' lines
    # may follow. <reqs> are comma-separated tokens understood by
    # checkRequirement. All variables used here are globals (none is local).

    MODE=0

    # start analysis
    for FEATURE in "${FEATURES[@]}"; do

        # create array from current exploit here doc and fetch needed lines
        # (arr is not cleared between entries; only arr[0] and arr[1] are read)
        i=0
        # ('-r' is used to not interpret backslash used for bash colors)
        while read -r line
        do
            arr[i]="$line"
            i=$((i + 1))
        done <<< "$FEATURE"

        # modes: kernel-feature (1) | hw-feature (2) | 3rdparty-feature (3) | attack-surface (4)
        # MODE only changes how the enabled/disabled state is labelled below.
        NAME="${arr[0]}"
        PRE_NAME="${NAME:0:8}"
        NAME="${NAME:9}"
        if [ "${PRE_NAME}" = "section:" ]; then
            # advance to next MODE
            MODE=$(($MODE + 1))

            echo
            echo -e "${bldwht}${NAME}${txtrst}"
            echo
            continue
        fi

        # 'available: ' is 11 characters; the enablement requirements and the
        # analysis URL are looked up by their line prefix anywhere in the entry
        AVAILABLE="${arr[1]}" && AVAILABLE="${AVAILABLE:11}"
        ENABLE=$(echo "$FEATURE" | grep "enabled: " | awk -F'ed: ' '{print $2}')
        analysis_url=$(echo "$FEATURE" | grep "analysis-url: " | awk '{print $2}')

        # split line with availability requirements & loop thru all availability reqs one by one & check whether it is met
        # (checkRequirement runs in a subshell so the globals it sets do not
        # leak; the loop stops at the first unmet requirement)
        IFS=',' read -r -a array <<< "$AVAILABLE"
        AVAILABLE_REQS_NUM=${#array[@]}
        AVAILABLE_PASSED_REQ=0
        CONFIG=""
        for REQ in "${array[@]}"; do

            # find CONFIG_ name (if present) for current feature (only for display purposes)
            if [ -z "$CONFIG" ]; then
                config=$(echo "$REQ" | grep "CONFIG_")
                [ -n "$config" ] && CONFIG="($(echo $REQ | cut -d'=' -f1))"
            fi

            if (checkRequirement "$REQ"); then
                AVAILABLE_PASSED_REQ=$(($AVAILABLE_PASSED_REQ + 1))
            else
                break
            fi
        done

        # split line with enablement requirements & loop thru all enablement reqs one by one & check whether it is met
        # Here checkRequirement runs in a command substitution: the stdout of a
        # 'cmd:' requirement (e.g. the content of a /proc/sys file) is captured
        # in cmdStdout and reported as "Set to <value>" below. Exit status 2
        # means the sysctl key does not exist on this host.
        ENABLE_PASSED_REQ=0
        ENABLE_REQS_NUM=0
        noSysctl=0
        if [ -n "$ENABLE" ]; then
            IFS=',' read -r -a array <<< "$ENABLE"
            ENABLE_REQS_NUM=${#array[@]}
            for REQ in "${array[@]}"; do
                cmdStdout=$(checkRequirement "$REQ")
                retVal=$?
                if [ $retVal -eq 0 ]; then
                    ENABLE_PASSED_REQ=$(($ENABLE_PASSED_REQ + 1))
                elif [ $retVal -eq 2 ]; then
                    # special case: sysctl entry is not present on given system: signal it as: N/A
                    # (noSysctl is recorded but not consulted when the state is
                    # chosen below; such a feature ends up as "disabled")
                    noSysctl=1
                    break
                else
                    break
                fi
            done
        fi

        feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)

        # a 'cmd:' requirement that printed something is reported by value:
        # 0 in red (switched off), anything else in green.
        # NOTE(review): '-eq' assumes the output is an integer; a non-numeric
        # value makes the test fail and lands in the green branch.
        if [ -n "$cmdStdout" ]; then
            if [ "$cmdStdout" -eq 0 ]; then
                state="[ ${txtred}Set to $cmdStdout${txtrst} ]"
                cmdStdout=""
            else
                state="[ ${txtgrn}Set to $cmdStdout${txtrst} ]"
                cmdStdout=""
            fi
        else

            unknown="[ ${txtgray}Unknown${txtrst} ]"

            # for 3rd party (3) mode display "N/A" or "Enabled"
            if [ $MODE -eq 3 ]; then
                enabled="[ ${txtgrn}Enabled${txtrst} ]"
                disabled="[ ${txtgray}N/A${txtrst} ]"

            # for attack-surface (4) mode display "Locked" or "Exposed"
            elif [ $MODE -eq 4 ]; then
                enabled="[ ${txtred}Exposed${txtrst} ]"
                disabled="[ ${txtgrn}Locked${txtrst} ]"

            # other modes: "Disabled" / "Enabled"
            else
                enabled="[ ${txtgrn}Enabled${txtrst} ]"
                disabled="[ ${txtred}Disabled${txtrst} ]"
            fi

            # no kernel config and nothing to probe at runtime: cannot tell
            if [ -z "$KCONFIG" -a "$ENABLE_REQS_NUM" = 0 ]; then
                state=$unknown
            # every availability and enablement requirement held
            elif [ $AVAILABLE_PASSED_REQ -eq $AVAILABLE_REQS_NUM -a $ENABLE_PASSED_REQ -eq $ENABLE_REQS_NUM ]; then
                state=$enabled
            else
                state=$disabled
            fi

        fi

        echo -e " $state $feature ${wht}${CONFIG}${txtrst}"
        [ -n "$analysis_url" ] && echo -e " $analysis_url"
        echo

    done

}
2060
displayExposure() {
    # Map a numeric exploit rank onto the human-readable exposure label.
    # Arguments: $1 - rank (integer: the DB 'Rank:' value plus tag bonuses)
    # Outputs:   'highly probable' (>= 6), 'probable' (3..5) or 'less probable'
    local rank="$1"
    local label="less probable"

    if (( rank >= 6 )); then
        label="highly probable"
    elif (( rank >= 3 )); then
        label="probable"
    fi

    echo "$label"
}
2072
# parse command line parameters
#
# Uses util-linux (enhanced) getopt: '--options'/'--longoptions' and the
# shell-quoted output consumed by 'eval set --' below are not provided by the
# BSD/macOS getopt. SHORTOPTS/LONGOPTS are declared near the top of the file.
# On a bad switch getopt has already printed its own diagnostic.
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
[ $? != 0 ] && exitWithErrMsg "Aborting."

# replace the positional parameters with getopt's normalised, quoted form
eval set -- "$ARGS"

# each arm sets its opt_* flag (all initialised to false at the top of the
# file); switches taking a value consume it with an extra shift
while true; do
    case "$1" in
        -u|--uname)
            shift
            UNAME_A="$1"
            opt_uname_string=true
            ;;
        -V|--version)
            # version and usage are defined elsewhere in this file
            version
            exit 0
            ;;
        -h|--help)
            usage
            exit 0
            ;;
        -f|--full)
            opt_full=true
            ;;
        -g|--short)
            opt_summary=true
            ;;
        -b|--fetch-binaries)
            opt_fetch_bins=true
            ;;
        -s|--fetch-sources)
            opt_fetch_srcs=true
            ;;
        -k|--kernel)
            shift
            KERNEL="$1"
            opt_kernel_version=true
            ;;
        -d|--show-dos)
            opt_show_dos=true
            ;;
        -p|--pkglist-file)
            shift
            PKGLIST_FILE="$1"
            opt_pkglist_file=true
            ;;
        --cvelist-file)
            shift
            CVELIST_FILE="$1"
            opt_cvelist_file=true
            ;;
        --checksec)
            opt_checksec_mode=true
            ;;
        --kernelspace-only)
            opt_kernel_only=true
            ;;
        --userspace-only)
            opt_userspace_only=true
            ;;
        --skip-more-checks)
            opt_skip_more_checks=true
            ;;
        --skip-pkg-versions)
            opt_skip_pkg_versions=true
            ;;
        *)
            # getopt terminates the switches with '--'; anything left after it
            # is a stray positional argument, which this script does not accept
            shift
            if [ "$#" != "0" ]; then
                exitWithErrMsg "Unknown option '$1'. Aborting."
            fi
            break
            ;;
    esac
    shift
done
2149
# Sanity checks on the parsed switches. exitWithErrMsg (defined elsewhere in
# this file) prints the message and terminates the script.

# declare -A below needs Bash 4.0+
if [[ "${BASH_VERSINFO[0]}" -lt 4 ]]; then
    exitWithErrMsg "Script needs Bash in version 4.0 or newer. Aborting."
fi

# -k and -u both describe the target kernel; only one may be given
if [[ "$opt_kernel_version" == "true" && "$opt_uname_string" == "true" ]]; then
    exitWithErrMsg "Switches -u|--uname and -k|--kernel are mutually exclusive. Aborting."
fi

# -f and -g select opposite output formats
if [[ "$opt_full" == "true" && "$opt_summary" == "true" ]]; then
    exitWithErrMsg "Switches -f|--full and -g|--short are mutually exclusive. Aborting."
fi

# --cvelist-file is a standalone mode that inspects the local machine, so the
# switches describing another host (-k, -u, -p) cannot be combined with it
if [[ "$opt_cvelist_file" == "true" ]]; then
    [[ -e "$CVELIST_FILE" ]] || exitWithErrMsg "Provided CVE list file does not exists. Aborting."
    [[ "$opt_kernel_version" == "true" ]] && exitWithErrMsg "Switches -k|--kernel and --cvelist-file are mutually exclusive. Aborting."
    [[ "$opt_uname_string" == "true" ]] && exitWithErrMsg "Switches -u|--uname and --cvelist-file are mutually exclusive. Aborting."
    [[ "$opt_pkglist_file" == "true" ]] && exitWithErrMsg "Switches -p|--pkglist-file and --cvelist-file are mutually exclusive. Aborting."
fi

# --checksec likewise only makes sense against the local machine
if [[ "$opt_checksec_mode" == "true" ]]; then
    [[ "$opt_kernel_version" == "true" ]] && exitWithErrMsg "Switches -k|--kernel and --checksec are mutually exclusive. Aborting."
    [[ "$opt_uname_string" == "true" ]] && exitWithErrMsg "Switches -u|--uname and --checksec are mutually exclusive. Aborting."
    [[ "$opt_pkglist_file" == "true" ]] && exitWithErrMsg "Switches -p|--pkglist-file and --checksec are mutually exclusive. Aborting."
fi
2175
# extract kernel version and other OS info like distro name, distro version, etc.
# Five cases, one per mode. parseUname, getPkgList and exitWithErrMsg are
# defined elsewhere in this file; parseUname is presumably what fills in
# KERNEL/KERNEL_ALL/ARCH/OS from a uname string - confirm there.
# case 1: --kernel set
if [ "$opt_kernel_version" == "true" ]; then
    # TODO: add kernel version number validation
    [ -z "$KERNEL" ] && exitWithErrMsg "Unrecognized kernel version given. Aborting."
    ARCH=""
    OS=""

    # do not perform additional checks on current machine
    # (the target is another host, so CONFIG_*/sysctl/cmd checks would be meaningless)
    opt_skip_more_checks=true

    # do not consider current OS; a -p listing, if given, still feeds the userspace checks
    getPkgList "" "$PKGLIST_FILE"

# case 2: --uname set
elif [ "$opt_uname_string" == "true" ]; then
    [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
    parseUname "$UNAME_A"

    # do not perform additional checks on current machine
    opt_skip_more_checks=true

    # do not consider current OS
    getPkgList "" "$PKGLIST_FILE"

# case 3: --cvelist-file mode
elif [ "$opt_cvelist_file" = "true" ]; then

    # get kernel configuration in this mode
    # NOTE(review): nothing here calls parseUname or getPkgList, so KERNEL,
    # ARCH, OS and PKG_LIST keep whatever they held before this point; kernel
    # version checks are skipped by checkRequirement in this mode anyway.
    [ "$opt_skip_more_checks" = "false" ] && getKernelConfig

# case 4: --checksec mode
elif [ "$opt_checksec_mode" = "true" ]; then

    # this switch is not applicable in this mode
    opt_skip_more_checks=false

    # get kernel configuration in this mode
    # (uses /proc/config.gz or /boot/config-$(uname -r); without it every
    # CONFIG_* feature shows as Unknown/Disabled rather than being skipped)
    getKernelConfig
    [ -z "$KCONFIG" ] && echo "WARNING. Kernel Config not found on the system results won't be complete."

    # launch checksec mode; it prints the report and the script ends here
    # NOTE(review): KERNEL is not populated in this path either, so 'ver...'
    # requirements in the features DB are compared against its current value.
    checksecMode

    exit 0

# case 5: no --uname | --kernel | --cvelist-file | --checksec set
else

    # --pkglist-file NOT provided: take all info from current machine
    # case for vanilla execution: ./linux-exploit-suggester.sh
    if [ "$opt_pkglist_file" == "false" ]; then
        UNAME_A=$(uname -a)
        [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
        parseUname "$UNAME_A"

        # get kernel configuration in this mode
        [ "$opt_skip_more_checks" = "false" ] && getKernelConfig

        # extract distribution version from /etc/os-release OR /etc/lsb-release
        # (first DISTRIB_RELEASE= or VERSION_ID= line in any /etc/*-release, quotes stripped)
        [ -n "$OS" -a "$opt_skip_more_checks" = "false" ] && DISTRO=$(grep -s -E '^DISTRIB_RELEASE=|^VERSION_ID=' /etc/*-release | cut -d'=' -f2 | head -1 | tr -d '"')

        # extract package listing from current OS
        getPkgList "$OS" ""

    # --pkglist-file provided: only consider userspace exploits against provided package listing
    else
        KERNEL=""
        #TODO: extract machine arch from package listing
        ARCH=""
        # drop the kernel exploit DB entirely (an empty associative array
        # iterates as nothing below)
        unset EXPLOITS
        declare -A EXPLOITS
        getPkgList "" "$PKGLIST_FILE"

        # additional checks are not applicable for this mode
        opt_skip_more_checks=true
    fi
fi
2254
# Summary of what is known about the target (filled in by the mode dispatch
# above); a value that could not be determined is printed as N/A.
echo
echo -e "${bldwht}Available information:${txtrst}"
echo

if [ -n "$KERNEL" ]; then
    echo -e "Kernel version: ${txtgrn}$KERNEL${txtrst}"
else
    echo -e "Kernel version: ${txtred}N/A${txtrst}"
fi

if [ -n "$ARCH" ]; then
    echo -e "Architecture: ${txtgrn}$ARCH${txtrst}"
else
    echo -e "Architecture: ${txtred}N/A${txtrst}"
fi

if [ -n "$OS" ]; then
    echo -e "Distribution: ${txtgrn}$OS${txtrst}"
else
    echo -e "Distribution: ${txtred}N/A${txtrst}"
fi

if [ -n "$DISTRO" ]; then
    echo -e "Distribution version: ${txtgrn}$DISTRO${txtrst}"
else
    echo -e "Distribution version: ${txtred}N/A${txtrst}"
fi

# CONFIG_*/sysctl/cmd checks only run against the local machine
if [ "$opt_skip_more_checks" == "false" ]; then
    echo -e "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): ${txtgrn}performed${txtrst}"
else
    echo -e "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): ${txtred}N/A${txtrst}"
fi

# where the package listing came from; pkgListFile stays unset when there is
# none, which prints as N/A below
if [ -n "$PKGLIST_FILE" ] && [ -n "$PKG_LIST" ]; then
    pkgListFile="${txtgrn}$PKGLIST_FILE${txtrst}"
elif [ -n "$PKGLIST_FILE" ]; then
    pkgListFile="${txtred}unrecognized file provided${txtrst}"
elif [ -n "$PKG_LIST" ]; then
    pkgListFile="${txtgrn}from current OS${txtrst}"
fi

if [ -n "$pkgListFile" ]; then
    echo -e "Package listing: $pkgListFile"
else
    echo -e "Package listing: ${txtred}N/A${txtrst}"
fi

# handle --kernelspace-only & --userspace-only filter options:
# userspace entries need a package listing, so without one they are dropped too
if [ "$opt_kernel_only" = "true" ] || [ -z "$PKG_LIST" ]; then
    unset EXPLOITS_USERSPACE
    declare -A EXPLOITS_USERSPACE
fi

if [ "$opt_userspace_only" = "true" ]; then
    unset EXPLOITS
    declare -A EXPLOITS
fi

echo
echo -e "${bldwht}Searching among:${txtrst}"
echo
echo "${#EXPLOITS[@]} kernel space exploits"
echo "${#EXPLOITS_USERSPACE[@]} user space exploits"
echo

echo -e "${bldwht}Possible Exploits:${txtrst}"
echo
2295
# start analysis
#
# For every DB entry (kernel first, then userspace) check its requirements,
# compute its rank (DB 'Rank:' plus bonuses for distro/kernel tag matches),
# highlight matching tags and stash the result in exploits_to_sort as one
# line: "<rank>Name: ...D3L1mReqs: ...D3L1mTags: ...D3L1m<remaining lines>"
# ('D3L1m' stands in for the newlines so the entries can be sorted as lines).
# checkRequirement runs in a subshell, so the globals it sets never leak.
j=0
for EXP in "${EXPLOITS[@]}" "${EXPLOITS_USERSPACE[@]}"; do

    # create array from current exploit here doc and fetch needed lines
    # (arr is reused across entries; only the first four elements are read)
    i=0
    # ('-r' is used to not interpret backslash used for bash colors)
    while read -r line
    do
        arr[i]="$line"
        i=$((i + 1))
    done <<< "$EXP"

    # drop the 6-character 'Name: ' / 'Reqs: ' / 'Tags: ' / 'Rank: ' prefixes
    NAME="${arr[0]}" && NAME="${NAME:6}"
    REQS="${arr[1]}" && REQS="${REQS:6}"
    TAGS="${arr[2]}" && TAGS="${TAGS:6}"
    RANK="${arr[3]}" && RANK="${RANK:6}"

    # split line with requirements & loop thru all reqs one by one & check whether it is met
    # (the first token - 'pkg=NAME' - is passed along so 'ver' tokens know
    # which package they refer to; stops at the first unmet requirement)
    IFS=',' read -r -a array <<< "$REQS"
    REQS_NUM=${#array[@]}
    PASSED_REQ=0
    for REQ in "${array[@]}"; do
        if (checkRequirement "$REQ" "${array[0]}"); then
            PASSED_REQ=$(($PASSED_REQ + 1))
        else
            break
        fi
    done

    # execute for exploits with all requirements met
    if [ $PASSED_REQ -eq $REQS_NUM ]; then

        # additional requirement for --cvelist-file mode: check if CVE associated with the exploit is on the CVELIST_FILE
        if [ "$opt_cvelist_file" = "true" ]; then

            # extract CVE(s) associated with given exploit (also translates ',' to '|' for easy handling multiple CVEs case - via extended regex)
            # This relies on the Name line layout "${txtgrn}[CVE-...]...": the
            # 'm' that ends the colour escape is the cut delimiter.
            cve=$(echo "$NAME" | grep '.*\[.*\].*' | cut -d 'm' -f2 | cut -d ']' -f1 | tr -d '[' | tr "," "|")
            #echo "CVE: $cve"

            # check if it's on CVELIST_FILE list, if no move to next exploit
            # NOTE(review): the substitution is unquoted, so if grep prints
            # more than one word '[' gets extra arguments, fails, and the
            # entry is kept - which is the right outcome for a match anyway.
            [ ! $(cat "$CVELIST_FILE" | grep -E "$cve") ] && continue
        fi

        # process tags and highlight those that match current OS (only for deb|ubuntu|RHEL and if we know distro version - direct mode)
        # Tag format: 'distro=version' or 'distro=version{kernel:regex}'.
        tags=""
        if [ -n "$TAGS" -a -n "$OS" ]; then
            IFS=',' read -r -a tags_array <<< "$TAGS"
            TAGS_NUM=${#tags_array[@]}

            # bump RANK slightly (+1) if we're in '--uname' mode and there's a TAG for OS from uname string
            # (substring match of OS against the joined tag list)
            [ "$(echo "${tags_array[@]}" | grep "$OS")" -a "$opt_uname_string" == "true" ] && RANK=$(($RANK + 1))

            for TAG in "${tags_array[@]}"; do
                tag_distro=$(echo "$TAG" | cut -d'=' -f1)
                tag_distro_num_all=$(echo "$TAG" | cut -d'=' -f2)
                # in case of tag of form: 'ubuntu=16.04{kernel:4.4.0-21} remove kernel versioning part for comparision
                tag_distro_num="${tag_distro_num_all%{*}"

                # we're in '--uname' mode OR (for normal mode) if there is distro version match
                # (the tag version is used as an extended regex against DISTRO, so
                # '16.04' also matches '16x04'; DB versions are plain numbers)
                if [ "$opt_uname_string" == "true" -o \( "$OS" == "$tag_distro" -a "$(echo "$DISTRO" | grep -E "$tag_distro_num")" \) ]; then

                    # bump current exploit's rank by 2 for distro match (and not in '--uname' mode)
                    [ "$opt_uname_string" == "false" ] && RANK=$(($RANK + 2))

                    # get name (kernel or package name) and version of kernel/pkg if provided:
                    tag_pkg=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 1)
                    tag_pkg_num=""
                    [ $(echo "$tag_distro_num_all" | grep '{') ] && tag_pkg_num=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 2)

                    #[ -n "$tag_pkg_num" ] && echo "tag_pkg_num: $tag_pkg_num; kernel: $KERNEL_ALL"

                    # if pkg/kernel version is not provided:
                    if [ -z "$tag_pkg_num" ]; then
                        [ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ ${TAG} ]${txtrst}"

                    # kernel version provided, check for match:
                    # (KERNEL_ALL is set elsewhere - presumably by parseUname;
                    # the tag's kernel part is applied to it as a regex)
                    elif [ -n "$tag_pkg_num" -a "$tag_pkg" = "kernel" ]; then
                        if [ $(echo "$KERNEL_ALL" | grep -E "${tag_pkg_num}") ]; then
                            # kernel version matched - bold highlight
                            TAG="${yellow}[ ${TAG} ]${txtrst}"

                            # bump current exploit's rank additionally by 3 for kernel version regex match
                            RANK=$(($RANK + 3))
                        else
                            [ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{kernel:$tag_pkg_num}"
                        fi

                    # pkg version provided, check for match (TBD):
                    elif [ -n "$tag_pkg_num" -a -n "$tag_pkg" ]; then
                        TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{$tag_pkg:$tag_pkg_num}"
                    fi

                fi

                # append current tag to tags list
                tags="${tags}${TAG},"
            done
            # trim ',' added by above loop
            [ -n "$tags" ] && tags="${tags%?}"
        else
            tags="$TAGS"
        fi

        # insert the matched exploit (with calculated Rank and highlighted tags) to array that will be sorted
        # (the Name/Reqs/Tags lines are rebuilt from the processed values; the
        # rest of the entry is kept verbatim with newlines turned into D3L1m)
        EXP=$(echo "$EXP" | sed -e '/^Name:/d' -e '/^Reqs:/d' -e '/^Tags:/d')
        exploits_to_sort[j]="${RANK}Name: ${NAME}D3L1mReqs: ${REQS}D3L1mTags: ${tags}D3L1m$(echo "$EXP" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/D3L1m/g')"
        ((j++))
    fi
done
2406
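# sort exploits based on calculated Rank (highest first)
# Each entry starts with its numeric rank, so sort numerically: a plain string
# sort placed a rank of 10 below a rank of 2 (ranks of 10 are reachable, e.g.
# Rank 5 + 2 for a distro match + 3 for a kernel match). Ties keep sort's
# whole-line order as before. mapfile avoids the word splitting and pathname
# expansion of the former SORTED_EXPLOITS=( $(...) ) and needs no IFS juggling;
# the guard keeps an empty input from yielding one empty entry, which the
# display loop would abort on.
SORTED_EXPLOITS=()
if [ "${#exploits_to_sort[@]}" -gt 0 ]; then
    mapfile -t SORTED_EXPLOITS < <(printf '%s\n' "${exploits_to_sort[@]}" | sort -r -n)
fi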
2411
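# display sorted exploits
#
# Each SORTED_EXPLOITS entry is "<rank>Name: ...D3L1mReqs: ...D3L1m..." (built
# by the matching loop above). Convert it back to the here-doc layout, pull
# out the fields to print, optionally fetch binaries/sources, then print the
# one-line summary (-g) or the standard/--full report. exitWithErrMsg and
# displayExposure are defined in this file.
for EXP_TEMP in "${SORTED_EXPLOITS[@]}"; do

    # everything before 'Name:' is the rank computed by the matching loop
    RANK=$(echo "$EXP_TEMP" | awk -F'Name:' '{print $1}')

    # convert entry back to canonical form: strip the whole rank prefix (it can
    # be two digits, e.g. 10; '^[0-9]' removed only one and left the second
    # digit glued to 'Name:', shifting every field below) and restore newlines
    EXP=$(echo "$EXP_TEMP" | sed 's/^[0-9]*//' | sed 's/D3L1m/\n/g')

    # create array from current exploit here doc and fetch needed lines
    # (arr is reused across iterations; only the first three elements are read)
    i=0
    # ('-r' is used to not interpret backslash used for bash colors)
    while read -r line
    do
        arr[i]="$line"
        i=$((i + 1))
    done <<< "$EXP"

    # drop the 6-character 'Name: ' / 'Reqs: ' / 'Tags: ' prefixes
    NAME="${arr[0]}" && NAME="${NAME:6}"
    REQS="${arr[1]}" && REQS="${REQS:6}"
    TAGS="${arr[2]}" && tags="${TAGS:6}"

    EXPLOIT_DB=$(echo "$EXP" | grep "exploit-db: " | awk '{print $2}')
    analysis_url=$(echo "$EXP" | grep "analysis-url: " | awk '{print $2}')
    ext_url=$(echo "$EXP" | grep "ext-url: " | awk '{print $2}')
    comments=$(echo "$EXP" | grep "Comments: " | cut -d' ' -f 2-)
    reqs=$(echo "$EXP" | grep "Reqs: " | cut -d' ' -f 2)

    # exploit name without CVE number and without commonly used special chars
    # (used as the file-name prefix for -b / -s downloads)
    name=$(echo "$NAME" | cut -d' ' -f 2- | tr -d ' ()/')

    # download location: explicit src-url, else the exploit-db download link
    src_url=$(echo "$EXP" | grep "src-url: " | awk '{print $2}')
    [ -z "$src_url" ] && [ -n "$EXPLOIT_DB" ] && src_url="https://www.exploit-db.com/download/$EXPLOIT_DB"
    [ -z "$src_url" ] && exitWithErrMsg "Both 'src-url' and 'exploit-db' entries are empty for '$NAME' exploit - fix that. Aborting."

    # details page: analysis-url wins; an exploit-db source (or an archive
    # with an exploit-db id) points at its exploit-db page; else the source
    if [ -n "$analysis_url" ]; then
        details="$analysis_url"
    elif [[ "$src_url" == *www.exploit-db.com* ]]; then
        details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
    elif [[ "$src_url" =~ (tgz|tar\.gz|zip)$ && -n "$EXPLOIT_DB" ]]; then
        # the former '^.*tgz|tar.gz|zip$' alternated three unanchored
        # patterns; the intent is "archive, judged by its extension"
        details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
    else
        details="$src_url"
    fi

    # skip DoS by default (entries carry '(DoS' somewhere in their text)
    dos=$(echo "$EXP" | grep -o -i "(dos")
    [ "$opt_show_dos" == "false" ] && [ -n "$dos" ] && continue

    # handles --fetch-binaries option
    # NOTE(security): this downloads prebuilt exploit binaries from the URLs
    # in the DB (often plain http:// or web.archive.org) with no integrity or
    # signature check, into the current directory, overwriting same-named
    # files. Treat the result as untrusted; use only on a disposable host.
    if [ "$opt_fetch_bins" = "true" ]; then
        while read -r bin_url; do
            [ -n "$bin_url" ] || continue
            bin_file="${name}_$(basename "$bin_url")"
            [ -f "$bin_file" ] && rm -f "$bin_file"
            wget -q -k "$bin_url" -O "$bin_file"
        done < <(echo "$EXP" | grep "bin-url: " | awk '{print $2}')
    fi

    # handles --fetch-sources option (same caveats as above). The download is
    # backgrounded and never waited for, so the file may still be incomplete
    # when this script returns.
    if [ "$opt_fetch_srcs" = "true" ]; then
        src_file="${name}_$(basename "$src_url")"
        [ -f "$src_file" ] && rm -f "$src_file"
        wget -q -k "$src_url" -O "$src_file" &
    fi

    # display result (short)
    if [ "$opt_summary" = "true" ]; then
        [ -z "$tags" ] && tags="-"
        echo -e "$NAME || $tags || $src_url"
        continue
    fi

    # display result (standard)
    echo -e "[+] $NAME"
    echo -e "\n Details: $details"
    echo -e " Exposure: $(displayExposure "$RANK")"
    [ -n "$tags" ] && echo -e " Tags: $tags"
    echo -e " Download URL: $src_url"
    [ -n "$ext_url" ] && echo -e " ext-url: $ext_url"
    [ -n "$comments" ] && echo -e " Comments: $comments"

    # handles --full filter option
    if [ "$opt_full" = "true" ]; then
        [ -n "$reqs" ] && echo -e " Requirements: $reqs"

        [ -n "$EXPLOIT_DB" ] && echo -e " exploit-db: $EXPLOIT_DB"

        author=$(echo "$EXP" | grep "author: " | cut -d' ' -f 2-)
        [ -n "$author" ] && echo -e " author: $author"
    fi

    echo

done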