1#!/bin/bash
2
3#
4# Copyright (c) 2016-2019, mzet
5#
6# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
7# This is free software, and you are welcome to redistribute it
8# under the terms of the GNU General Public License. See LICENSE
9# file for usage of this software.
10#
11
# Version string; exposed through the V/version switch declared in
# SHORTOPTS/LONGOPTS below (the handler itself lives further down the file).
VERSION='v1.0'

# ANSI colour escapes used when results are printed. Nothing here emits them;
# they are only stored (the \e stays a literal backslash-e until echo -e/printf
# interprets it at print time).
txtred='\e[91;1m'
txtgrn='\e[1;32m'
txtgray='\e[0;37m'
txtblu='\e[0;36m'
txtrst='\e[0m'
bldwht='\e[1;37m'
wht='\e[0;36m'
bldblu='\e[1;34m'
yellow='\e[1;93m'
lightyellow='\e[0;93m'

# Raw input: the `uname -a` line describing the system under assessment.
UNAME_A=''

# Facts parsed out of the input for the system under assessment.
KERNEL='' OS='' DISTRO='' ARCH='' PKG_LIST=''

# Kernel build configuration text, when one can be found.
KCONFIG=''

# Path of an externally supplied CVE list (the cvelist-file option).
CVELIST_FILE=''

# Command-line switches. Every one starts disabled; the option parser further
# down the file flips them.
opt_fetch_bins=false
opt_fetch_srcs=false
opt_kernel_version=false
opt_uname_string=false
opt_pkglist_file=false
opt_cvelist_file=false
opt_checksec_mode=false
opt_full=false
opt_summary=false
opt_kernel_only=false
opt_userspace_only=false
opt_show_dos=false
opt_skip_more_checks=false
opt_skip_pkg_versions=false

# Option specifications. ARGS presumably receives the normalised argument
# string from getopt -- the parser is not part of this block, confirm there.
ARGS=
SHORTOPTS='hVfbsu:k:dp:g'
LONGOPTS='help,version,full,fetch-binaries,fetch-sources,uname:,kernel:,show-dos,pkglist-file:,short,kernelspace-only,userspace-only,skip-more-checks,skip-pkg-versions,cvelist-file:,checksec'

## exploit databases: one multi-line record per element
declare -a EXPLOITS EXPLOITS_USERSPACE

## scratch arrays used while ordering matched exploits by their Rank field
declare -a exploits_to_sort SORTED_EXPLOITS
68
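############ LINUX KERNELSPACE EXPLOITS ####################
# Each record below is one multi-line string appended to EXPLOITS; n is the
# running index and is reset to 0 at the start of every database section.
# Record layout, one "key: value" field per line:
#   Name          display name; the bracketed CVE list is wrapped in colour escapes
#   Reqs          comma-separated match conditions: pkg=, ver relations, arch,
#                 CONFIG_* kernel options, sysctl: values, cmd: shell snippets
#   Tags          distro/kernel versions the exploit is known to work on
#   Rank          priority used when matched exploits are sorted (see the
#                 sort arrays declared above)
#   analysis-url, src-url, bin-url, ext-url, exploit-db, author, Comments
#                 reference material only
# The here-documents are unquoted (<<EOF), so ${txtgrn}/${txtrst}/${bldblu}
# are expanded once, when the record is defined. Any $, backtick or backslash
# in field text would be interpreted by the shell the same way, so raw field
# text must stay free of them.
# NOTE(review): the "cmd:" requirements are shell snippets; they are presumably
# executed by the matcher later in the file -- confirm, and keep them limited to
# read-only probes (file tests, grep on /proc).
n=0

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} elflbl
Reqs: pkg=linux-kernel,ver=2.4.29
Tags:
Rank: 1
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/elflbl
exploit-db: 744
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} uselib()
Reqs: pkg=linux-kernel,ver=2.4.29
Tags:
Rank: 1
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
exploit-db: 778
Comments: Known to work only for 2.4 series (even though 2.6 is also vulnerable)
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} krad3
Reqs: pkg=linux-kernel,ver>=2.6.5,ver<=2.6.11
Tags:
Rank: 1
exploit-db: 1397
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-0077]${txtrst} mremap_pte
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.2
Tags:
Rank: 1
exploit-db: 160
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} raptor_prctl
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2031
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2004
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl2
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2005
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl3
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2006
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl4
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2011
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-3626]${txtrst} h00lyshit
Reqs: pkg=linux-kernel,ver>=2.6.8,ver<=2.6.16
Tags:
Rank: 1
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/h00lyshit
exploit-db: 2013
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-0600]${txtrst} vmsplice1
Reqs: pkg=linux-kernel,ver>=2.6.17,ver<=2.6.24
Tags:
Rank: 1
exploit-db: 5092
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-0600]${txtrst} vmsplice2
Reqs: pkg=linux-kernel,ver>=2.6.23,ver<=2.6.24
Tags:
Rank: 1
exploit-db: 5093
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-4210]${txtrst} ftrex
Reqs: pkg=linux-kernel,ver>=2.6.11,ver<=2.6.22
Tags:
Rank: 1
exploit-db: 6851
Comments: world-writable sgid directory and shell that does not drop sgid privs upon exec (ash/sash) are required
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-4210]${txtrst} exit_notify
Reqs: pkg=linux-kernel,ver>=2.6.25,ver<=2.6.29
Tags:
Rank: 1
exploit-db: 8369
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692]${txtrst} sock_sendpage (simple version)
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11
Rank: 1
exploit-db: 9479
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=9.04
Rank: 1
analysis-url: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9435.tgz
exploit-db: 9435
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage2
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9436.tgz
exploit-db: 9436
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage3
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9641.tar.gz
exploit-db: 9641
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage (ppc)
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=8.10,RHEL=4|5
Rank: 1
exploit-db: 9545
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg (by spender)
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgz
exploit-db: 9574
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
Tags: debian=4
Rank: 1
exploit-db: 9575
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} ip_append_data
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86
Tags: fedora=4|5|6,RHEL=4
Rank: 1
exploit-db: 9542
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 1
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 33321
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 2
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 33322
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 3
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 10018
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3301]${txtrst} ptrace_kmod2
Reqs: pkg=linux-kernel,ver>=2.6.26,ver<=2.6.34
Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},ubuntu=(10.04|10.10){kernel:2.6.(32|35)-(19|21|24)-server}
Rank: 1
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/kmod2
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/ptrace-kmod
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/ptrace_kmod2-64
exploit-db: 15023
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-1146]${txtrst} reiserfs
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=2.6.34
Tags: ubuntu=9.10
Rank: 1
exploit-db: 12130
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-2959]${txtrst} can_bcm
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=2.6.36
Tags: ubuntu=10.04{kernel:2.6.32-24-generic}
Rank: 1
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/can_bcm
exploit-db: 14814
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3904]${txtrst} rds
Reqs: pkg=linux-kernel,ver>=2.6.30,ver<2.6.37
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-(21|24)-generic}
Rank: 1
analysis-url: http://www.securityfocus.com/archive/1/514379
src-url: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds64
exploit-db: 15285
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3848,CVE-2010-3850,CVE-2010-4073]${txtrst} half_nelson
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=(10.04|9.10){kernel:2.6.(31|32)-(14|21)-server}
Rank: 1
bin-url: http://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/half-nelson3
exploit-db: 17787
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root
Reqs: pkg=linux-kernel,ver>=2.6.34,ver<=2.6.36,x86
Tags: ubuntu=10.10
Rank: 1
exploit-db: 15916
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root 2
Reqs: pkg=linux-kernel,ver>=2.6.34,ver<=2.6.36
Tags: ubuntu=10.10
Rank: 1
exploit-db: 15944
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-4347]${txtrst} american-sign-language
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags:
Rank: 1
exploit-db: 15774
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3437]${txtrst} pktcdvd
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=10.04
Rank: 1
exploit-db: 15150
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3081]${txtrst} video4linux
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.33
Tags: RHEL=5
Rank: 1
exploit-db: 15024
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056]${txtrst} memodipper
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=3.1.0
Tags: ubuntu=(10.04|11.10){kernel:3.0.0-12-(generic|server)}
Rank: 1
analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/
src-url: https://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64
exploit-db: 18411
EOF
)

# NOTE(review): CVE-2012-0056 is the /proc/pid/mem (memodipper) bug, which the
# record above ties to 3.0-3.1 kernels, yet this record's Reqs cover
# 2.6.0-2.6.36. The CVE list here looks inconsistent with the rest of the
# record -- verify against the exploit source before relying on it.
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056,CVE-2010-3849,CVE-2010-3850]${txtrst} full-nelson
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server}
Rank: 1
src-url: http://vulnfactory.org/exploits/full-nelson.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson64
exploit-db: 15704
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1858]${txtrst} CLONE_NEWUSER|CLONE_FS
Reqs: pkg=linux-kernel,ver=3.8,CONFIG_USER_NS=y
Tags:
Rank: 1
src-url: http://stealth.openwall.net/xSports/clown-newuser.c
analysis-url: https://lwn.net/Articles/543273/
exploit-db: 38390
author: Sebastian Krahmer
Comments: CONFIG_USER_NS needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} perf_swevent
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9,x86_64
Tags: RHEL=6,ubuntu=12.04{kernel:3.2.0-(23|29)-generic},fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent64
exploit-db: 26131
author: Andrea 'sorbo' Bittau
Comments: No SMEP/SMAP bypass
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} perf_swevent 2
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9,x86_64
Tags: ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic}
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
src-url: https://cyseclabs.com/exploits/vnik_v1.c
exploit-db: 33589
author: Vitaly 'vnik' Nikolenko
Comments: No SMEP/SMAP bypass
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-0268]${txtrst} msr
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<3.7.6
Tags:
Rank: 1
exploit-db: 27297
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1959]${txtrst} userns_root_sploit
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<3.8.9
Tags:
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2013/04/29/1
exploit-db: 25450
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} semtex
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9
Tags: RHEL=6
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
exploit-db: 25444
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0038]${txtrst} timeoutpwn
Reqs: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y
Tags: ubuntu=13.10
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/timeoutpwn64
exploit-db: 31346
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0038]${txtrst} timeoutpwn 2
Reqs: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y
Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic}
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
exploit-db: 31347
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0196]${txtrst} rawmodePTY
Reqs: pkg=linux-kernel,ver>=2.6.31,ver<=3.14.3
Tags:
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
exploit-db: 33516
EOF
)

# "(DoS)" in the Name marks a denial-of-service PoC rather than a privilege
# escalation; presumably these are listed only when opt_show_dos is set --
# confirm in the reporting code further down the file.
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-2851]${txtrst} use-after-free in ping_init_sock() ${bldblu}(DoS)${txtrst}
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.14
Tags:
Rank: 0
analysis-url: https://cyseclabs.com/page?n=02012016
exploit-db: 32926
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4014]${txtrst} inode_capable
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.13
Tags: ubuntu=12.04
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2014/06/10/4
exploit-db: 33824
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4699]${txtrst} ptrace/sysret
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.8
Tags: ubuntu=12.04
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2014/07/08/16
exploit-db: 34134
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4943]${txtrst} PPPoL2TP ${bldblu}(DoS)${txtrst}
Reqs: pkg=linux-kernel,ver>=3.2,ver<=3.15.6
Tags:
Rank: 1
analysis-url: https://cyseclabs.com/page?n=01102015
exploit-db: 36267
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-5207]${txtrst} fuse_suid
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.16.1
Tags:
Rank: 1
exploit-db: 34923
EOF
)

# CVE id corrected: the analysis and source URLs in this record are for
# CVE-2014-9322 (BadIRET); the Name previously read CVE-2015-9322, which would
# have mislabelled the finding in the report and in any CVE-list lookup.
# exploit-db is left empty because no EDB id is recorded for this exploit.
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-9322]${txtrst} BadIRET
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<3.17.5,x86_64
Tags: RHEL<=7,fedora=20
Rank: 1
analysis-url: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
src-url: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
exploit-db:
author: Rafal 'n3rgal' Wojtczuk & Adam 'pi3' Zabrocki
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3290]${txtrst} espfix64_NMI
Reqs: pkg=linux-kernel,ver>=3.13,ver<4.1.6,x86_64
Tags:
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2015/08/04/8
exploit-db: 37722
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} bluetooth
Reqs: pkg=linux-kernel,ver<=2.6.11
Tags:
Rank: 1
exploit-db: 4756
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1328]${txtrst} overlayfs
Reqs: pkg=linux-kernel,ver>=3.13.0,ver<=3.19.0
Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/717
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_32
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_64
exploit-db: 37292
EOF
)

# The next two records share a Name and differ only in Tags and exploit-db id;
# they will print identically apart from the EDB reference.
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8660]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
Tags:
Rank: 1
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db: 39230
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8660]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
Rank: 1
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db: 39166
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-0728]${txtrst} keyring
Reqs: pkg=linux-kernel,ver>=3.10,ver<4.4.1
Tags:
Rank: 0
analysis-url: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
exploit-db: 40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-2384]${txtrst} usb-midi
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.4.8
Tags: ubuntu=14.04,fedora=22
Rank: 1
analysis-url: https://xairy.github.io/blog/2016/cve-2016-2384
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
exploit-db: 41999
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4997]${txtrst} target_offset
Reqs: pkg=linux-kernel,ver>=4.4.0,ver<=4.4.0,cmd:grep -qi ip_tables /proc/modules
Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip
Comments: ip_tables.ko needs to be loaded
exploit-db: 40049
author: Vitaly 'vnik' Nikolenko
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4557]${txtrst} double-fdput()
Reqs: pkg=linux-kernel,ver>=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: ubuntu=16.04{kernel:4.4.0-(21|38|42|98|140)-generic}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
exploit-db: 40759
author: Jann Horn
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5195]${txtrst} dirtycow
Reqs: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Rank: 4
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
exploit-db: 40611
author: Phil Oester
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5195]${txtrst} dirtycow 2
Reqs: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Rank: 4
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
exploit-db: 40839
author: FireFart (author of exploit at EDB 40839); Gabriele Bonacini (author of exploit at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-8655]${txtrst} chocobo_root
Reqs: pkg=linux-kernel,ver>=4.4.0,ver<4.9,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2016/12/06/1
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/CVE-2016-8655/chocobo_root
exploit-db: 40871
author: rebel
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-9793]${txtrst} SO_{SND|RCV}BUFFORCE
Reqs: pkg=linux-kernel,ver>=3.11,ver<4.8.14,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags:
Rank: 1
analysis-url: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
exploit-db: 41995
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-6074]${txtrst} dccp
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=4.9.11,CONFIG_IP_DCCP=[my]
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2017/02/22/3
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
exploit-db: 41458
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-7308]${txtrst} af_packet
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Rank: 1
analysis-url: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-7308/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-7308/exploit
exploit-db: 41994
author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-16995]${txtrst} eBPF_verifier
Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
Rank: 5
analysis-url: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-16995/exploit.out
exploit-db: 45010
author: Rick Larabee
EOF
)

# exploit-db is left empty here: no EDB id is recorded for this exploit.
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000112]${txtrst} NETIF_F_UFO
Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.13,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2017/08/13/1
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-1000112/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-1000112/exploit.out
exploit-db:
author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000253]${txtrst} PIE_stack_corruption
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.13,x86_64
Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
Rank: 1
analysis-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
src-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
exploit-db: 42887
author: Qualys
Comments:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2018-18955]${txtrst} subuid_shell
Reqs: pkg=linux-kernel,ver>=4.15,ver<=4.19.2,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,cmd:[ -u /usr/bin/newuidmap ],cmd:[ -u /usr/bin/newgidmap ]
Tags: ubuntu=18.04{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
exploit-db: 45886
author: Jann Horn
Comments: CONFIG_USER_NS needs to be enabled
EOF
)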
831
############ USERSPACE EXPLOITS ###########################
# Records for vulnerable userspace packages, one multi-line string per element
# of EXPLOITS_USERSPACE. Field layout matches the kernel database: Name, Reqs
# (pkg=, ver relations, arch, cmd: shell snippets), Tags, Rank and reference
# fields. n is reset so indexing restarts at 0 for this array.
# The colour variables are expanded at assignment time, exactly as the
# unquoted here-documents of the kernel section expand them; field text must
# therefore contain no $, backtick, backslash or double quote.
n=0

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2004-0186]${txtrst} samba
Reqs: pkg=samba,ver<=2.2.8
Tags:
Rank: 1
exploit-db: 23674"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2009-1185]${txtrst} udev
Reqs: pkg=udev,ver<141,cmd:[[ -f /etc/udev/rules.d/95-udev-late.rules || -f /lib/udev/rules.d/95-udev-late.rules ]]
Tags: ubuntu=8.10|9.04
Rank: 1
exploit-db: 8572
Comments: Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2009-1185]${txtrst} udev 2
Reqs: pkg=udev,ver<141
Tags:
Rank: 1
exploit-db: 8478
Comments: SSH access to non privileged user is needed. Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2010-0832]${txtrst} PAM MOTD
Reqs: pkg=libpam-modules,ver<=1.1.1
Tags: ubuntu=9.10|10.04
Rank: 1
exploit-db: 14339
Comments: SSH access to non privileged user is needed"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2010-4170]${txtrst} SystemTap
Reqs: pkg=systemtap,ver<=1.3
Tags: RHEL=5{systemtap:1.1-3.el5},fedora=13{systemtap:1.2-1.fc13}
Rank: 1
author: Tavis Ormandy
exploit-db: 15620"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2011-1485]${txtrst} pkexec
Reqs: pkg=polkit,ver=0.96
Tags: RHEL=6,ubuntu=10.04|10.10
Rank: 1
exploit-db: 17942"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2012-0809]${txtrst} death_star (sudo)
Reqs: pkg=sudo,ver>=1.8.0,ver<=1.8.3
Tags: fedora=16
Rank: 1
analysis-url: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
exploit-db: 18436"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2014-0476]${txtrst} chkrootkit
Reqs: pkg=chkrootkit,ver<0.50
Tags:
Rank: 1
analysis-url: http://seclists.org/oss-sec/2014/q2/430
exploit-db: 33899
Comments: Rooting depends on the crontab (up to one day of delay)"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2014-5119]${txtrst} __gconv_translit_find
Reqs: pkg=glibc|libc6,x86
Tags: debian=6
Rank: 1
analysis-url: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/34421.tar.gz
exploit-db: 34421"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2015-1862]${txtrst} newpid (abrt)
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: fedora=20
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db: 36746"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2015-3315]${txtrst} raceabrt
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: fedora=19{abrt:2.1.5-1.fc19},fedora=20{abrt:2.2.2-2.fc20},fedora=21{abrt:2.3.0-3.fc21},RHEL=7{abrt:2.1.11-12.el7}
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/130
src-url: https://gist.githubusercontent.com/taviso/fe359006836d6cd1091e/raw/32fe8481c434f8cad5bcf8529789231627e5074c/raceabrt.c
exploit-db: 36747
author: Tavis Ormandy"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2015-1318]${txtrst} newpid (apport)
Reqs: pkg=apport,ver>=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern
Tags: ubuntu=14.04
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db: 36746"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2015-1318]${txtrst} newpid (apport) 2
Reqs: pkg=apport,ver>=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern
Tags: ubuntu=14.04.2
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
exploit-db: 36782"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2015-3202]${txtrst} fuse (fusermount)
Reqs: pkg=fuse,ver<2.9.3
Tags: debian=7.0|8.0,ubuntu=*
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/520
exploit-db: 37089
Comments: Needs cron or system admin interaction"

EXPLOITS_USERSPACE[n++]="Name: ${txtgrn}[CVE-2015-1815]${txtrst} setroubleshoot
Reqs: pkg=setroubleshoot,ver<3.2.22
Tags: fedora=21
Rank: 1
exploit-db: 36564"
988
989EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
990Name: ${txtgrn}[CVE-2015-3246]${txtrst} userhelper
991Reqs: pkg=libuser,ver<=0.60
992Tags: RHEL=6{libuser:0.56.13-(4|5).el6},RHEL=6{libuser:0.60-5.el7},fedora=13|19|20|21|22
993Rank: 1
994analysis-url: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
995exploit-db: 37706
996Comments: RHEL 5 is also vulnerable, but installed version of glibc (2.5) lacks functions needed by roothelper.c
997EOF
998)
999
1000EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1001Name: ${txtgrn}[CVE-2015-5287]${txtrst} abrt/sosreport-rhel7
1002Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
1003Tags: RHEL=7{abrt:2.1.11-12.el7}
1004Rank: 1
1005analysis-url: https://www.openwall.com/lists/oss-security/2015/12/01/1
1006src-url: https://www.openwall.com/lists/oss-security/2015/12/01/1/1
1007exploit-db: 38832
1008author: rebel
1009EOF
1010)
1011
1012EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1013Name: ${txtgrn}[CVE-2015-6565]${txtrst} not_an_sshnuke
1014Reqs: pkg=openssh-server,ver>=6.8,ver<=6.9
1015Tags:
1016Rank: 1
1017analysis-url: http://www.openwall.com/lists/oss-security/2017/01/26/2
1018exploit-db: 41173
1019author: Federico Bento
1020Comments: Needs admin interaction (root user needs to login via ssh to trigger exploitation)
1021EOF
1022)
1023
1024EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1025Name: ${txtgrn}[CVE-2015-8612]${txtrst} blueman set_dhcp_handler d-bus privesc
1026Reqs: pkg=blueman,ver<2.0.3
1027Tags: debian=8{blueman:1.23}
1028Rank: 1
1029analysis-url: https://twitter.com/thegrugq/status/677809527882813440
1030exploit-db: 46186
1031author: Sebastian Krahmer
1032Comments: Distros use own versioning scheme. Manual verification needed.
1033EOF
1034)
1035
1036EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1037Name: ${txtgrn}[CVE-2016-1240]${txtrst} tomcat-rootprivesc-deb.sh
1038Reqs: pkg=tomcat
1039Tags: debian=8,ubuntu=16.04
1040Rank: 1
1041analysis-url: https://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
1042src-url: http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh
1043exploit-db: 40450
1044author: Dawid Golunski
1045Comments: Affects only Debian-based distros
1046EOF
1047)
1048
1049EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1050Name: ${txtgrn}[CVE-2016-1247]${txtrst} nginxed-root.sh
1051Reqs: pkg=nginx|nginx-full,ver<1.10.3
1052Tags: debian=8,ubuntu=14.04|16.04|16.10
1053Rank: 1
1054analysis-url: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
1055src-url: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
1056exploit-db: 40768
1057author: Dawid Golunski
1058Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0; gentoo: <1.10.2-r3
1059EOF
1060)
1061
1062EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1063Name: ${txtgrn}[CVE-2016-1531]${txtrst} perl_startup (exim)
1064Reqs: pkg=exim,ver<4.86.2
1065Tags:
1066Rank: 1
1067analysis-url: http://www.exim.org/static/doc/CVE-2016-1531.txt
1068exploit-db: 39549
1069EOF
1070)
1071
1072EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1073Name: ${txtgrn}[CVE-2016-1531]${txtrst} perl_startup (exim) 2
1074Reqs: pkg=exim,ver<4.86.2
1075Tags:
1076Rank: 1
1077analysis-url: http://www.exim.org/static/doc/CVE-2016-1531.txt
1078exploit-db: 39535
1079EOF
1080)
1081
1082EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1083Name: ${txtgrn}[CVE-2016-4989]${txtrst} setroubleshoot 2
1084Reqs: pkg=setroubleshoot
1085Tags: RHEL=6|7
1086Rank: 1
1087analysis-url: https://c-skills.blogspot.com/2016/06/lets-feed-attacker-input-to-sh-c-to-see.html
1088src-url: https://github.com/stealth/troubleshooter/raw/master/straight-shooter.c
1089exploit-db:
1090EOF
1091)
1092
1093EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1094Name: ${txtgrn}[CVE-2016-5425]${txtrst} tomcat-RH-root.sh
1095Reqs: pkg=tomcat
1096Tags: RHEL=7
1097Rank: 1
1098analysis-url: http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
1099src-url: http://legalhackers.com/exploits/tomcat-RH-root.sh
1100exploit-db: 40488
1101author: Dawid Golunski
1102Comments: Affects only RedHat-based distros
1103EOF
1104)
1105
1106EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1107Name: ${txtgrn}[CVE-2016-6663,CVE-2016-6664|CVE-2016-6662]${txtrst} mysql-exploit-chain
1108Reqs: pkg=mysql-server|mariadb-server,ver<5.5.52
1109Tags: ubuntu=16.04.1
1110Rank: 1
1111analysis-url: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
1112src-url: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
1113exploit-db: 40678
1114author: Dawid Golunski
1115Comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected
1116EOF
1117)
1118
1119EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1120Name: ${txtgrn}[CVE-2016-9566]${txtrst} nagios-root-privesc
1121Reqs: pkg=nagios,ver<4.2.4
1122Tags:
1123Rank: 1
1124analysis-url: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
1125src-url: https://legalhackers.com/exploits/CVE-2016-9566/nagios-root-privesc.sh
1126exploit-db: 40921
1127author: Dawid Golunski
1128Comments: Allows priv escalation from nagios user or nagios group
1129EOF
1130)
1131
1132EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1133Name: ${txtgrn}[CVE-2017-0358]${txtrst} ntfs-3g-modprobe
1134Reqs: pkg=ntfs-3g,ver<2017.4
1135Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
1136Rank: 1
1137analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
1138src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
1139exploit-db: 41356
1140author: Jann Horn
1141Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
1142EOF
1143)
1144
1145EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1146Name: ${txtgrn}[CVE-2017-5899]${txtrst} s-nail-privget
1147Reqs: pkg=s-nail,ver<14.8.16
1148Tags: ubuntu=16.04,manjaro=16.10
1149Rank: 1
1150analysis-url: https://www.openwall.com/lists/oss-security/2017/01/27/7
1151src-url: https://www.openwall.com/lists/oss-security/2017/01/27/7/1
1152ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh
1153author: wapiflapi (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
1154Comments: Distros use own versioning scheme. Manual verification needed.
1155EOF
1156)
1157
1158EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1159Name: ${txtgrn}[CVE-2017-1000367]${txtrst} Sudoer-to-root
1160Reqs: pkg=sudo,ver<=1.8.20,cmd:[ -f /usr/sbin/getenforce ]
1161Tags: RHEL=7{sudo:1.8.6p7}
1162Rank: 1
1163analysis-url: https://www.sudo.ws/alerts/linux_tty.html
1164src-url: https://www.qualys.com/2017/05/30/cve-2017-1000367/linux_sudo_cve-2017-1000367.c
1165exploit-db: 42183
1166author: Qualys
1167Comments: Needs to be sudoer. Works only on SELinux enabled systems
1168EOF
1169)
1170
1171EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1172Name: ${txtgrn}[CVE-2017-1000367]${txtrst} sudopwn
1173Reqs: pkg=sudo,ver<=1.8.20,cmd:[ -f /usr/sbin/getenforce ]
1174Tags:
1175Rank: 1
1176analysis-url: https://www.sudo.ws/alerts/linux_tty.html
1177src-url: https://raw.githubusercontent.com/c0d3z3r0/sudo-CVE-2017-1000367/master/sudopwn.c
1178exploit-db:
1179author: c0d3z3r0
1180Comments: Needs to be sudoer. Works only on SELinux enabled systems
1181EOF
1182)
1183
1184EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1185Name: ${txtgrn}[CVE-2017-1000366,CVE-2017-1000370]${txtrst} linux_ldso_hwcap
1186Reqs: pkg=glibc|libc6,ver<=2.25,x86
1187Tags:
1188Rank: 1
1189analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
1190src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap.c
1191exploit-db: 42274
1192author: Qualys
1193Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
1194EOF
1195)
1196
1197EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1198Name: ${txtgrn}[CVE-2017-1000366,CVE-2017-1000371]${txtrst} linux_ldso_dynamic
1199Reqs: pkg=glibc|libc6,ver<=2.25,x86
1200Tags: debian=9|10,ubuntu=14.04.5|16.04.2|17.04,fedora=23|24|25
1201Rank: 1
1202analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
1203src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_dynamic.c
1204exploit-db: 42276
1205author: Qualys
1206Comments: Uses "Stack Clash" technique, works against most SUID-root PIEs
1207EOF
1208)
1209
1210EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1211Name: ${txtgrn}[CVE-2017-1000366,CVE-2017-1000379]${txtrst} linux_ldso_hwcap_64
1212Reqs: pkg=glibc|libc6,ver<=2.25,x86_64
1213Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
1214Rank: 1
1215analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
1216src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
1217exploit-db: 42275
1218author: Qualys
1219Comments: Uses "Stack Clash" technique, works against most SUID-root binaries
1220EOF
1221)
1222
1223EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1224Name: ${txtgrn}[CVE-2017-1000370,CVE-2017-1000371]${txtrst} linux_offset2lib
1225Reqs: pkg=glibc|libc6,ver<=2.25,x86
1226Tags:
1227Rank: 1
1228analysis-url: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
1229src-url: https://www.qualys.com/2017/06/19/stack-clash/linux_offset2lib.c
1230exploit-db: 42273
1231author: Qualys
1232Comments: Uses "Stack Clash" technique
1233EOF
1234)
1235
1236EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1237Name: ${txtgrn}[CVE-2018-1000001]${txtrst} RationalLove
1238Reqs: pkg=glibc|libc6,ver<2.27,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,x86_64
1239Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
1240Rank: 1
1241analysis-url: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
1242src-url: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
1243Comments: kernel.unprivileged_userns_clone=1 required
1244bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2018-1000001/RationalLove
1245exploit-db: 43775
1246author: halfdog
1247EOF
1248)
1249
1250EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1251Name: ${txtgrn}[CVE-2018-10900]${txtrst} vpnc_privesc.py
1252Reqs: pkg=networkmanager-vpnc|network-manager-vpnc,ver<1.2.6
1253Tags: ubuntu=16.04{network-manager-vpnc:1.1.93-1},debian=9.0{network-manager-vpnc:1.2.4-4},manjaro=17
1254Rank: 1
1255analysis-url: https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
1256src-url: https://bugzilla.novell.com/attachment.cgi?id=779110
1257exploit-db: 45313
1258author: Denis Andzakovic
1259Comments: Distros use own versioning scheme. Manual verification needed.
1260EOF
1261)
1262
1263EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1264Name: ${txtgrn}[CVE-2018-14665]${txtrst} raptor_xorgy
1265Reqs: pkg=xorg-x11-server-Xorg,cmd:[ -u /usr/bin/Xorg ]
1266Tags: centos=7.4
1267Rank: 1
1268analysis-url: https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
1269exploit-db: 45922
1270author: raptor
1271Comments: X.Org Server before 1.20.3 is vulnerable. Distros use own versioning scheme. Manual verification needed.
1272EOF
1273)
1274
1275EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1276Name: ${txtgrn}[CVE-2019-7304]${txtrst} dirty_sock
1277Reqs: pkg=snapd,ver<2.37,cmd:[ -S /run/snapd.socket ]
1278Tags: ubuntu=18.10,mint=19
1279Rank: 1
1280analysis-url: https://initblog.com/2019/dirty-sock/
1281exploit-db: 46361
1282exploit-db: 46362
1283src-url: https://github.com/initstring/dirty_sock/archive/master.zip
1284author: InitString
1285Comments: Distros use own versioning scheme. Manual verification needed.
1286EOF
1287)
1288
1289EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1290Name: ${txtgrn}[CVE-2019-10149]${txtrst} raptor_exim_wiz
1291Reqs: pkg=exim|exim4,ver>=4.87,ver<=4.91
1292Tags:
1293Rank: 1
1294analysis-url: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
1295exploit-db: 46996
1296author: raptor
1297EOF
1298)
1299
1300EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
1301Name: ${txtgrn}[CVE-2019-12181]${txtrst} Serv-U FTP Server
1302Reqs: cmd:[ -u /usr/local/Serv-U/Serv-U ]
1303Tags: debian=9
1304Rank: 1
1305analysis-url: https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html
1306exploit-db: 47009
1307src-url: https://raw.githubusercontent.com/guywhataguy/CVE-2019-12181/master/servu-pe-cve-2019-12181.c
1308ext-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-12181/SUroot
1309author: Guy Levin (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
1310Comments: Modified version at 'ext-url' uses bash exec technique, rather than compiling with gcc.
1311EOF
1312)
1313
1314###########################################################
1315## security related HW/kernel features
1316###########################################################
1317n=0
1318
1319FEATURES[((n++))]=$(cat <<EOF
1320section: Mainline kernel protection mechanisms:
1321EOF
1322)
1323
1324FEATURES[((n++))]=$(cat <<EOF
1325feature: Kernel Page Table Isolation (PTI) support
1326available: ver>=4.15
1327enabled: cmd:grep -Eqi '\spti' /proc/cpuinfo
1328analysis-url: https://github.com/mzet-/les-res/blob/master/features/pti.md
1329EOF
1330)
1331
1332FEATURES[((n++))]=$(cat <<EOF
1333feature: GCC stack protector support
1334available: CONFIG_HAVE_STACKPROTECTOR=y
1335analysis-url: https://github.com/mzet-/les-res/blob/master/features/stackprotector-regular.md
1336EOF
1337)
1338
1339FEATURES[((n++))]=$(cat <<EOF
1340feature: GCC stack protector STRONG support
1341available: CONFIG_STACKPROTECTOR_STRONG=y,ver>=3.14
1342analysis-url: https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md
1343EOF
1344)
1345
1346FEATURES[((n++))]=$(cat <<EOF
1347feature: Low address space to protect from user allocation
1348available: CONFIG_DEFAULT_MMAP_MIN_ADDR=[0-9]+
1349enabled: sysctl:vm.mmap_min_addr!=0
1350analysis-url: https://github.com/mzet-/les-res/blob/master/features/mmap_min_addr.md
1351EOF
1352)
1353
1354FEATURES[((n++))]=$(cat <<EOF
1355feature: Prevent users from using ptrace to examine the memory and state of their processes
1356available: CONFIG_SECURITY_YAMA=y
1357enabled: sysctl:kernel.yama.ptrace_scope!=0
1358analysis-url: https://github.com/mzet-/les-res/blob/master/features/yama_ptrace_scope.md
1359EOF
1360)
1361
1362FEATURES[((n++))]=$(cat <<EOF
1363feature: Restrict unprivileged access to kernel syslog
1364available: CONFIG_SECURITY_DMESG_RESTRICT=y,ver>=2.6.37
1365enabled: sysctl:kernel.dmesg_restrict!=0
1366analysis-url: https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md
1367EOF
1368)
1369
1370FEATURES[((n++))]=$(cat <<EOF
1371feature: Randomize the address of the kernel image (KASLR)
1372available: CONFIG_RANDOMIZE_BASE=y
1373analysis-url: https://github.com/mzet-/les-res/blob/master/features/kaslr.md
1374EOF
1375)
1376
1377FEATURES[((n++))]=$(cat <<EOF
1378feature: Hardened user copy support
1379available: CONFIG_HARDENED_USERCOPY=y
1380analysis-url: https://github.com/mzet-/les-res/blob/master/features/hardened_usercopy.md
1381EOF
1382)
1383
1384FEATURES[((n++))]=$(cat <<EOF
1385feature: Make kernel text and rodata read-only
1386available: CONFIG_STRICT_KERNEL_RWX=y
1387analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_kernel_rwx.md
1388EOF
1389)
1390
1391FEATURES[((n++))]=$(cat <<EOF
1392feature: Set loadable kernel module data as NX and text as RO
1393available: CONFIG_STRICT_MODULE_RWX=y
1394analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_module_rwx.md
1395EOF
1396)
1397
1398FEATURES[((n++))]=$(cat <<EOF
1399feature: BUG() conditions reporting
1400available: CONFIG_BUG=y
1401analysis-url: https://github.com/mzet-/les-res/blob/master/features/bug.md
1402EOF
1403)
1404
1405FEATURES[((n++))]=$(cat <<EOF
1406feature: Additional 'cred' struct checks
1407available: CONFIG_DEBUG_CREDENTIALS=y
1408analysis-url: https://github.com/mzet-/les-res/blob/master/features/debug_credentials.md
1409EOF
1410)
1411
1412FEATURES[((n++))]=$(cat <<EOF
1413feature: Sanity checks for notifier call chains
1414available: CONFIG_DEBUG_NOTIFIERS=y
1415analysis-url: https://github.com/mzet-/les-res/blob/master/features/debug_notifiers.md
1416EOF
1417)
1418
1419FEATURES[((n++))]=$(cat <<EOF
1420feature: Extended checks for linked-lists walking
1421available: CONFIG_DEBUG_LIST=y
1422analysis-url: https://github.com/mzet-/les-res/blob/master/features/debug_list.md
1423EOF
1424)
1425
1426FEATURES[((n++))]=$(cat <<EOF
1427feature: Checks on scatter-gather tables
1428available: CONFIG_DEBUG_SG=y
1429analysis-url: https://github.com/mzet-/les-res/blob/master/features/debug_sg.md
1430EOF
1431)
1432
1433FEATURES[((n++))]=$(cat <<EOF
1434feature: Checks for data structure corruptions
1435available: CONFIG_BUG_ON_DATA_CORRUPTION=y
1436analysis-url: https://github.com/mzet-/les-res/blob/master/features/bug_on_data_corruption.md
1437EOF
1438)
1439
1440FEATURES[((n++))]=$(cat <<EOF
1441feature: Checks for a stack overrun on calls to 'schedule'
1442available: CONFIG_SCHED_STACK_END_CHECK=y
1443analysis-url: https://github.com/mzet-/les-res/blob/master/features/sched_stack_end_check.md
1444EOF
1445)
1446
1447FEATURES[((n++))]=$(cat <<EOF
1448feature: Freelist order randomization on new pages creation
1449available: CONFIG_SLAB_FREELIST_RANDOM=y
1450analysis-url: https://github.com/mzet-/les-res/blob/master/features/slab_freelist_random.md
1451EOF
1452)
1453
1454FEATURES[((n++))]=$(cat <<EOF
1455feature: Freelist metadata hardening
1456available: CONFIG_SLAB_FREELIST_HARDENED=y
1457analysis-url: https://github.com/mzet-/les-res/blob/master/features/slab_freelist_hardened.md
1458EOF
1459)
1460
1461FEATURES[((n++))]=$(cat <<EOF
1462feature: Allocator validation checking
1463available: CONFIG_SLUB_DEBUG_ON=y,cmd:! grep 'slub_debug=-' /proc/cmdline
1464analysis-url: https://github.com/mzet-/les-res/blob/master/features/slub_debug.md
1465EOF
1466)
1467
1468FEATURES[((n++))]=$(cat <<EOF
1469feature: Virtually-mapped kernel stacks with guard pages
1470available: CONFIG_VMAP_STACK=y
1471analysis-url: https://github.com/mzet-/les-res/blob/master/features/vmap_stack.md
1472EOF
1473)
1474
1475FEATURES[((n++))]=$(cat <<EOF
1476feature: Pages poisoning after free_pages() call
1477available: CONFIG_PAGE_POISONING=y
1478enabled: cmd: grep 'page_poison=1' /proc/cmdline
1479analysis-url: https://github.com/mzet-/les-res/blob/master/features/page_poisoning.md
1480EOF
1481)
1482
1483FEATURES[((n++))]=$(cat <<EOF
1484feature: Using 'refcount_t' instead of 'atomic_t'
1485available: CONFIG_REFCOUNT_FULL=y
1486analysis-url: https://github.com/mzet-/les-res/blob/master/features/refcount_full.md
1487EOF
1488)
1489
1490FEATURES[((n++))]=$(cat <<EOF
1491feature: Hardening common str/mem functions against buffer overflows
1492available: CONFIG_FORTIFY_SOURCE=y
1493analysis-url: https://github.com/mzet-/les-res/blob/master/features/fortify_source.md
1494EOF
1495)
1496
1497FEATURES[((n++))]=$(cat <<EOF
1498feature: Restrict /dev/mem access
1499available: CONFIG_STRICT_DEVMEM=y
1500analysis-url: https://github.com/mzet-/les-res/blob/master/features/strict_devmem.md
1501EOF
1502)
1503
1504FEATURES[((n++))]=$(cat <<EOF
1505feature: Restrict I/O access to /dev/mem
1506available: CONFIG_IO_STRICT_DEVMEM=y
1507analysis-url: https://github.com/mzet-/les-res/blob/master/features/io_strict_devmem.md
1508EOF
1509)
1510
1511FEATURES[((n++))]=$(cat <<EOF
1512section: Hardware-based protection features:
1513EOF
1514)
1515
1516FEATURES[((n++))]=$(cat <<EOF
1517feature: Supervisor Mode Execution Protection (SMEP) support
1518available: ver>=3.0
1519enabled: cmd:grep -qi smep /proc/cpuinfo
1520analysis-url: https://github.com/mzet-/les-res/blob/master/features/smep.md
1521EOF
1522)
1523
1524FEATURES[((n++))]=$(cat <<EOF
1525feature: Supervisor Mode Access Prevention (SMAP) support
1526available: ver>=3.7
1527enabled: cmd:grep -qi smap /proc/cpuinfo
1528analysis-url: https://github.com/mzet-/les-res/blob/master/features/smap.md
1529EOF
1530)
1531
1532FEATURES[((n++))]=$(cat <<EOF
1533section: 3rd party kernel protection mechanisms:
1534EOF
1535)
1536
1537FEATURES[((n++))]=$(cat <<EOF
1538feature: Grsecurity
1539available: CONFIG_GRKERNSEC=y
1540enabled: cmd:test -c /dev/grsec
1541EOF
1542)
1543
1544FEATURES[((n++))]=$(cat <<EOF
1545feature: PaX
1546available: CONFIG_PAX=y
1547enabled: cmd:test -x /sbin/paxctl
1548EOF
1549)
1550
1551FEATURES[((n++))]=$(cat <<EOF
1552feature: Linux Kernel Runtime Guard (LKRG) kernel module
1553enabled: cmd:test -d /proc/sys/lkrg
1554analysis-url: https://github.com/mzet-/les-res/blob/master/features/lkrg.md
1555EOF
1556)
1557
1558FEATURES[((n++))]=$(cat <<EOF
1559section: Attack Surface:
1560EOF
1561)
1562
1563FEATURES[((n++))]=$(cat <<EOF
1564feature: User namespaces for unprivileged accounts
1565available: CONFIG_USER_NS=y
1566enabled: sysctl:kernel.unprivileged_userns_clone==1
1567analysis-url: https://github.com/mzet-/les-res/blob/master/features/user_ns.md
1568EOF
1569)
1570
1571FEATURES[((n++))]=$(cat <<EOF
1572feature: Unprivileged access to bpf() system call
1573available: CONFIG_BPF_SYSCALL=y
1574enabled: sysctl:kernel.unprivileged_bpf_disabled!=1
1575analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
1576EOF
1577)
1578
1579FEATURES[((n++))]=$(cat <<EOF
1580feature: Syscalls filtering
1581available: CONFIG_SECCOMP=y
1582enabled: cmd:grep -i Seccomp /proc/self/status | awk '{print \$2}'
1583analysis-url: https://github.com/mzet-/les-res/blob/master/features/bpf_syscall.md
1584EOF
1585)
1586
1587FEATURES[((n++))]=$(cat <<EOF
1588feature: Support for /dev/mem access
1589available: CONFIG_DEVMEM=y
1590analysis-url: https://github.com/mzet-/les-res/blob/master/features/devmem.md
1591EOF
1592)
1593
1594FEATURES[((n++))]=$(cat <<EOF
1595feature: Support for /dev/kmem access
1596available: CONFIG_DEVKMEM=y
1597analysis-url: https://github.com/mzet-/les-res/blob/master/features/devkmem.md
1598EOF
1599)
1600
1601
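version() {
  # Print the one-line banner (tool name, VERSION constant from the top of the
  # script, author, site and release month) on stdout.
  # VERSION is quoted and printf is used so that neither globbing nor echo's
  # option parsing can alter the text.
  printf '%s\n' "linux-exploit-suggester ${VERSION}, mzet, https://z-labs.eu, March 2019"
}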
1605
usage() {
  # Print the option summary on stdout. The quoted heredoc delimiter keeps the
  # text literal (no parameter expansion), one line per option.
  cat <<'EOF'
Usage: linux-exploit-suggester.sh [OPTIONS]

 -V | --version - print version of this script
 -h | --help - print this help
 -k | --kernel <version> - provide kernel version
 -u | --uname <string> - provide 'uname -a' string
 --skip-more-checks - do not perform additional checks (kernel config, sysctl) to determine if exploit is applicable
 --skip-pkg-versions - skip checking for exact userspace package version (helps to avoid false negatives)
 -p | --pkglist-file <file> - provide file with 'dpkg -l' or 'rpm -qa' command output
 --cvelist-file <file> - provide file with Linux kernel CVEs list
 --checksec - list security related features for your HW/kernel
 -s | --fetch-sources - automatically downloads source for matched exploit
 -b | --fetch-binaries - automatically downloads binary for matched exploit if available
 -f | --full - show full info about matched exploit
 -g | --short - show shorten info about matched exploit
 --kernelspace-only - show only kernel vulnerabilities
 --userspace-only - show only userspace vulnerabilities
 -d | --show-dos - show also DoSes in results
EOF
}
1626
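exitWithErrMsg() {
  # Report a fatal error and terminate the script.
  # Arguments: $1 - message written to stderr
  # Returns:   never; exits with status 1
  # printf instead of echo so that a message beginning with "-n" or "-e" is
  # printed verbatim rather than being consumed as an echo option.
  printf '%s\n' "$1" >&2
  exit 1
}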
1631
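# extracts all information from output of 'uname -a' command
#######################################
# Arguments: $1 - full 'uname -a' string
# Globals written: KERNEL (release without the "-<local>" suffix), KERNEL_ALL
#                  (full release field), ARCH (second-to-last field), OS
#                  (distro guess from the build string, "" if nothing matched)
# Returns:   0
#######################################
parseUname() {
  local uname=$1
  local -a fields
  local lower

  # 'uname -a' is whitespace separated: field 3 is the kernel release and the
  # second-to-last field is the machine architecture. Splitting in the shell
  # replaces three awk/cut pipelines and does not fail on a short or empty string.
  read -r -a fields <<<"$uname"
  KERNEL_ALL=${fields[2]:-}
  KERNEL=${KERNEL_ALL%%-*}            # e.g. 4.15.0-42-generic -> 4.15.0
  if (( ${#fields[@]} >= 2 )); then
    ARCH=${fields[${#fields[@]}-2]}
  else
    ARCH=""                           # too few fields: architecture stays unknown
  fi

  # distro fingerprint from the build string, case-insensitive; when several
  # markers are present the later line wins, exactly as the original grep chain did
  OS=""
  lower=$(printf '%s' "$uname" | tr '[:upper:]' '[:lower:]')
  [[ "$lower" == *deb* ]]      && OS="debian"
  [[ "$lower" == *ubuntu* ]]   && OS="ubuntu"
  [[ "$lower" == *-arch* ]]    && OS="arch"
  [[ "$lower" == *-deepin* ]]  && OS="deepin"
  [[ "$lower" == *-manjaro* ]] && OS="manjaro"
  [[ "$lower" == *.fc* ]]      && OS="fedora"
  [[ "$lower" == *.el* ]]      && OS="RHEL"
  [[ "$lower" == *.mga* ]]     && OS="mageia"

  # 'uname -a' output doesn't contain distribution number (at least not in case of all distros)
  return 0
}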
1652
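#######################################
# Classifies a package-listing file by its format and fills PKG_LIST and OS
# from it. Recognised formats: 'dpkg -l', 'rpm -qa' (RHEL / Fedora / Mageia)
# and 'pacman -Q'; anything else leaves PKG_LIST empty.
# Arguments: $1 - path to the listing file
# Globals written: PKG_LIST, OS
# Returns:   0
#######################################
_pkgListFromFile() {
  local file=$1

  if head -n 1 "$file" | grep -q 'Desired=Unknown/Install/Remove/Purge/Hold'; then
    # ubuntu/debian package listing file: "<name>-<version>", arch qualifier dropped
    PKG_LIST=$(awk '{print $2"-"$3}' "$file" | sed 's/:amd64//g')
    OS="debian"
    grep -q ubuntu "$file" && OS="ubuntu"
  elif grep -E -q '\.el[1-9]+[\._]' "$file"; then
    # redhat package listing file
    PKG_LIST=$(<"$file")
    OS="RHEL"
  elif grep -E -q -i '\.fc[1-9]+' "$file"; then
    # fedora package listing file. The original wrote the flag as '\.fc[1-9]+'i,
    # which glued a literal "i" onto the pattern and so never matched an rpm name.
    PKG_LIST=$(<"$file")
    OS="fedora"
  elif grep -E -q '\.mga[1-9]+' "$file"; then
    # mageia package listing file
    PKG_LIST=$(<"$file")
    OS="mageia"
  elif grep -E -q '\ [0-9]+\.' "$file"; then
    # pacman package listing file: "<name> <version>" -> "<name>-<version>"
    PKG_LIST=$(awk '{print $1"-"$2}' "$file")
    OS="arch"
  else
    # file not recognized - skipping
    PKG_LIST=""
  fi
  return 0
}

#######################################
# Fills PKG_LIST with "<name>-<version>" style lines for the current system:
# from the user-supplied listing file when --pkglist-file is set, otherwise
# from the distro's package manager.
# Arguments: $1 - distro name as parsed from uname, $2 - listing file path
# Globals read:    opt_pkglist_file
# Globals written: PKG_LIST, and OS when a listing file is classified
# Returns:   0
#######################################
getPkgList() {
  local distro=$1
  local pkglist_file=$2

  if [ "$opt_pkglist_file" = "true" ] && [ -e "$pkglist_file" ]; then
    _pkgListFromFile "$pkglist_file"
    return 0
  fi

  case "$distro" in
    debian|ubuntu|deepin)
      PKG_LIST=$(dpkg -l | awk '{print $2"-"$3}' | sed 's/:amd64//g') ;;
    RHEL|fedora|mageia)
      PKG_LIST=$(rpm -qa) ;;
    arch|manjaro)
      PKG_LIST=$(pacman -Q | awk '{print $1"-"$2}') ;;
    *)
      if [ -x /usr/bin/equery ]; then
        # gentoo: equery's "$name:$version" format is a literal template, not a shell expansion
        PKG_LIST=$(/usr/bin/equery --quiet list '*' -F '$name:$version' | cut -d/ -f2- | awk '{print $1":"$2}')
      else
        # packages listing not available
        PKG_LIST=""
      fi ;;
  esac
  return 0
}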
1700
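# from: https://stackoverflow.com/questions/4023830/how-compare-two-strings-in-dot-separated-version-format-in-bash
#######################################
# Compares two dot-separated version strings component by component.
# Arguments: $1 - first version, $2 - second version (e.g. "4.15.0" "4.15")
# Returns:   0 if equal, 1 if $1 > $2, 2 if $1 < $2; missing or empty
#            components are treated as 0, so 4.15 equals 4.15.0
#######################################
verComparision() {
  local -a lhs rhs
  local i

  # identical strings need no parsing; "$2" is quoted so it is compared as a
  # literal and not used as a glob pattern
  [[ "$1" == "$2" ]] && return 0

  # split on '.' for the read only; IFS is untouched for the rest of the function
  IFS=. read -r -a lhs <<<"$1"
  IFS=. read -r -a rhs <<<"$2"

  # pad the shorter side with zeros
  for ((i=${#lhs[@]}; i<${#rhs[@]}; i++)); do lhs[i]=0; done
  for ((i=${#rhs[@]}; i<${#lhs[@]}; i++)); do rhs[i]=0; done

  for ((i=0; i<${#lhs[@]}; i++)); do
    # 10# forces decimal so a component such as "08" is not read as octal
    if (( 10#${lhs[i]:-0} > 10#${rhs[i]:-0} )); then
      return 1
    elif (( 10#${lhs[i]:-0} < 10#${rhs[i]:-0} )); then
      return 2
    fi
  done

  return 0
}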
1737
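#######################################
# Checks whether a version satisfies a "<relation> <required version>" requirement.
# Arguments: $1 - required version, $2 - relation (=, >, <, >=, <=),
#            $3 - version found on the system
# Returns:   0 when the relation holds, 1 otherwise. An empty $3 (version could
#            not be extracted) and an unknown relation both yield 1; previously the
#            empty case slipped through as an argument shift in the unquoted call.
#######################################
doVersionComparision() {
  local reqVersion="$1"
  local reqRelation="$2"
  local currentVersion="$3"
  local currentRelation=""
  local rc=0

  # nothing to compare against: the requirement cannot be confirmed
  [ -n "$currentVersion" ] || return 1

  # verComparision: 0 -> equal, 1 -> first > second, 2 -> first < second
  verComparision "$currentVersion" "$reqVersion" || rc=$?
  case "$rc" in
    0) currentRelation='=' ;;
    1) currentRelation='>' ;;
    2) currentRelation='<' ;;
    *) return 1 ;;
  esac

  case "$reqRelation" in
    '='|'>'|'<') [ "$currentRelation" == "$reqRelation" ] && return 0 ;;
    '>=') [[ "$currentRelation" == "=" || "$currentRelation" == ">" ]] && return 0 ;;
    '<=') [[ "$currentRelation" == "=" || "$currentRelation" == "<" ]] && return 0 ;;
  esac

  return 1
}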
1764
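#######################################
# Compares the current value of a sysctl entry with the required one.
# Arguments: $1 - current value, $2 - required value, $3 - relation, "==" or "!="
# Returns:   0 when the relation holds, 1 otherwise (including an unknown relation)
# The arguments are kept in locals; the original wrote them to the globals
# curVal/val/sign, which the caller already owns.
#######################################
compareValues() {
  local current=$1
  local required=$2
  local relation=$3

  case "$relation" in
    '==') [ "$required" == "$current" ] ;;
    '!=') [ "$required" != "$current" ] ;;
    *)    return 1 ;;
  esac
}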
1778
#######################################
# Evaluates a single requirement token from a DB record (one comma-separated
# item of an exploit's "Reqs:" line or of a feature's "available:"/"enabled:"
# line) against the data gathered about the current system.
#
# Arguments:
#   $1 - the requirement token; recognised forms are
#        pkg=<name[|alt...]>, ver<rel><version>, x86, x86_64,
#        CONFIG_<option>[=value], sysctl:<key>(==|!=)<value>, cmd:<shell command>
#   $2 - the record's pkg= token; only the text after "pkg=" is used (${2:4}),
#        so a $2 that does not start with "pkg=" yields a garbled pkgName
# Globals read:    PKG_LIST, KERNEL, ARCH, KCONFIG, opt_checksec_mode,
#                  opt_cvelist_file, opt_skip_pkg_versions, opt_skip_more_checks
# Globals written: pkg, version, rest, operator, pkgVersion, sysctlCondition,
#                  sign, val, entry, curVal, cmd (none of them are local, so they
#                  remain visible to the caller after the check)
# Returns: 0 when the requirement holds or the check is skipped, 1 when it does
#          not hold or the token is unrecognised, 2 only for a sysctl: token in
#          --checksec mode when the key does not exist on this system
#######################################
checkRequirement() {
  #echo "Checking requirement: $1"
  local IN="$1"
  local pkgName="${2:4}"

  if [[ "$IN" =~ ^pkg=.*$ ]]; then

    # always true for Linux OS
    # (pkgName is unquoted: an empty pkgName makes this test malformed rather than false)
    [ ${pkgName} == "linux-kernel" ] && return 0

    # verify if package is present: first PKG_LIST line starting with "<name>-<digit>".
    # pkgName may carry '|' alternatives (e.g. glibc|libc6); the alternation is not
    # grouped, so the leading '^' binds to the first alternative only.
    pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1)
    if [ -n "$pkg" ]; then
      return 0
    fi

  elif [[ "$IN" =~ ^ver.*$ ]]; then
    # "ver>=2.13" -> version="2.13", operator=">=" (whatever sits between "ver" and the digits)
    version="${IN//[^0-9.]/}"
    rest="${IN#ver}"
    operator=${rest%$version}

    if [ "$pkgName" == "linux-kernel" -o "$opt_checksec_mode" == "true" ]; then

      # for --cvelist-file mode skip kernel version comparision
      [ "$opt_cvelist_file" = "true" ] && return 0

      # kernel requirement: compare against the release parsed from uname
      doVersionComparision $version $operator $KERNEL && return 0
    else
      # extract package version and check if requiremnt is true
      pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1)

      # skip (if run with --skip-pkg-versions) version checking if package with given name is installed
      [ "$opt_skip_pkg_versions" = "true" -a -n "$pkg" ] && return 0

      # versioning: take the first "-<digits/dots/+/:/p>" run that ends in '-' or '+',
      # keep what follows a ':' when one is present, then strip '+', '-' and a
      # "p<digit>" marker (e.g. "1.8.6p7" -> "1.8.6"). An unparsable name leaves
      # pkgVersion empty and the unquoted call below then passes one argument fewer.
      #echo "pkg: $pkg"
      pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g')
      #echo "version: $pkgVersion"
      #echo "operator: $operator"
      #echo "required version: $version"
      #echo
      doVersionComparision $version $operator $pkgVersion && return 0
    fi
  # architecture tokens: an empty ARCH (nothing parsed from uname) is accepted for
  # both; a token naming the other architecture falls through to the final "return 1"
  elif [[ "$IN" =~ ^x86_64$ ]] && [ "$ARCH" == "x86_64" -o "$ARCH" == "" ]; then
    return 0
  elif [[ "$IN" =~ ^x86$ ]] && [ "$ARCH" == "i386" -o "$ARCH" == "i686" -o "$ARCH" == "" ]; then
    return 0
  elif [[ "$IN" =~ ^CONFIG_.*$ ]]; then

    # skip if check is not applicable (-k or --uname or -p set) or if user said so (--skip-more-checks)
    [ "$opt_skip_more_checks" = "true" ] && return 0

    # if kernel config IS available:
    # KCONFIG is a command string (set by getKernelConfig) that is word-split and run;
    # the token is passed unquoted as an extended regex, so a form such as
    # CONFIG_DEFAULT_MMAP_MIN_ADDR=[0-9]+ is also subject to shell globbing first.
    if [ -n "$KCONFIG" ]; then
      if $KCONFIG | grep -E -qi $IN; then
        return 0;
      # required option wasn't found, exploit is not applicable
      else
        return 1;
      fi
    # config is not available
    else
      return 0;
    fi
  elif [[ "$IN" =~ ^sysctl:.*$ ]]; then

    # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks)
    [ "$opt_skip_more_checks" = "true" ] && return 0

    sysctlCondition="${IN:7}"

    # extract sysctl entry, relation sign and required value ("!=" is tested first)
    if echo $sysctlCondition | grep -qi "!="; then
      sign="!="
    elif echo $sysctlCondition | grep -qi "=="; then
      sign="=="
    else
      exitWithErrMsg "Wrong sysctl condition. There is syntax error in your features DB. Aborting."
    fi
    val=$(echo "$sysctlCondition" | awk -F "$sign" '{print $2}')
    entry=$(echo "$sysctlCondition" | awk -F "$sign" '{print $1}')

    # get current setting of sysctl entry
    # NOTE(review): the grep is unanchored, so a key that is a prefix of another key
    # would return more than one line; the whitespace around '=' in "key = value"
    # output is only trimmed by the unquoted expansion of curVal further down.
    curVal=$(/sbin/sysctl -a 2> /dev/null | grep "$entry" | awk -F'=' '{print $2}')

    # special case for --checksec mode: return 2 if there is no such switch in sysctl
    [ -z "$curVal" -a "$opt_checksec_mode" = "true" ] && return 2

    # for other modes: skip if there is no such switch in sysctl
    [ -z "$curVal" ] && return 0

    # compare & return result
    compareValues $curVal $val $sign && return 0

  elif [[ "$IN" =~ ^cmd:.*$ ]]; then

    # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks)
    [ "$opt_skip_more_checks" = "true" ] && return 0

    # the command text comes verbatim from the DB heredocs embedded in this script
    # and is run through eval; keep that embedded DB the only source of these
    # strings (they must never be loaded from an external file).
    cmd="${IN:4}"
    if eval "${cmd}"; then
      return 0
    fi
  fi

  return 1
}
1886
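getKernelConfig() {
    # Locate a readable kernel configuration and store, in the global KCONFIG,
    # the command line that prints it (callers run "$KCONFIG | grep ..." so the
    # value is a command, not a path). KCONFIG is left empty when none of the
    # candidate locations exists. Sources, in order of preference:
    #   1. /proc/config.gz
    #   2. /boot/config-$(uname -r)
    #   3. ${KBUILD_OUTPUT:-/usr/src/linux}/.config
    # Globals: KCONFIG (written), KBUILD_OUTPUT (read, optional)
    # Returns: 0 always
    local release
    release=$(uname -r)

    if [ -f /proc/config.gz ]; then
        KCONFIG="zcat /proc/config.gz"
    elif [ -f "/boot/config-${release}" ]; then
        KCONFIG="cat /boot/config-${release}"
    elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}/.config" ]; then
        KCONFIG="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"
    else
        KCONFIG=""
    fi
}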
1899
checksecMode() {
    # --checksec mode: walk the FEATURES DB (one here-doc per entry) and print,
    # for every feature, whether it is available and enabled on the running host.
    # Entries starting with "section:" are headings and bump MODE.
    # Globals read:    FEATURES, KCONFIG, color variables (txt*, bldwht, wht)
    # Globals written: MODE, NAME, PRE_NAME, AVAILABLE, ENABLE, analysis_url,
    #                  array, arr, i, CONFIG, state, cmdStdout, retVal, ... -
    #                  not declared local on purpose: the caller exits right
    #                  after this function.
    # Calls: checkRequirement (0 = requirement met, 1 = not met, 2 = sysctl
    #        entry absent, see its sysctl: branch)
    # Outputs: human-readable report on stdout (with ANSI colors)

    MODE=0

    # start analysis
    for FEATURE in "${FEATURES[@]}"; do

        # create array from current exploit here doc and fetch needed lines
        # NOTE(review): 'arr' is never cleared, so indices beyond the current
        # entry's line count hold stale lines from a previous iteration; only
        # arr[0] and arr[1] are read below.
        i=0
        # ('-r' is used to not interpret backslash used for bash colors)
        while read -r line
        do
            arr[i]="$line"
            i=$((i + 1))
        done <<< "$FEATURE"

        # modes: kernel-feature (1) | hw-feature (2) | 3rdparty-feature (3) | attack-surface (4)
        # first line: either "section: <title>" or the feature name
        NAME="${arr[0]}"
        PRE_NAME="${NAME:0:8}"
        NAME="${NAME:9}"
        if [ "${PRE_NAME}" = "section:" ]; then
            # advance to next MODE
            MODE=$(($MODE + 1))

            echo
            echo -e "${bldwht}${NAME}${txtrst}"
            echo
            continue
        fi

        # second line: availability requirements; 11 chars of prefix are
        # dropped (presumably "available: " - verify against the FEATURES DB)
        AVAILABLE="${arr[1]}" && AVAILABLE="${AVAILABLE:11}"
        # optional "enabled: " line: text after "ed: " is the enablement requirement list
        ENABLE=$(echo "$FEATURE" | grep "enabled: " | awk -F'ed: ' '{print $2}')
        analysis_url=$(echo "$FEATURE" | grep "analysis-url: " | awk '{print $2}')

        # split line with availability requirements & loop thru all availability reqs one by one & check whether it is met
        IFS=',' read -r -a array <<< "$AVAILABLE"
        AVAILABLE_REQS_NUM=${#array[@]}
        AVAILABLE_PASSED_REQ=0
        CONFIG=""
        for REQ in "${array[@]}"; do

            # find CONFIG_ name (if present) for current feature (only for display purposes)
            if [ -z "$CONFIG" ]; then
                config=$(echo "$REQ" | grep "CONFIG_")
                [ -n "$config" ] && CONFIG="($(echo $REQ | cut -d'=' -f1))"
            fi

            # ( ) runs the check in a subshell so it cannot alter our globals;
            # stop at the first unmet requirement
            if (checkRequirement "$REQ"); then
                AVAILABLE_PASSED_REQ=$(($AVAILABLE_PASSED_REQ + 1))
            else
                break
            fi
        done

        # split line with enablement requirements & loop thru all enablement reqs one by one & check whether it is met
        ENABLE_PASSED_REQ=0
        ENABLE_REQS_NUM=0
        noSysctl=0
        if [ -n "$ENABLE" ]; then
            IFS=',' read -r -a array <<< "$ENABLE"
            ENABLE_REQS_NUM=${#array[@]}
            for REQ in "${array[@]}"; do
                # stdout of the check is captured: for "cmd:" requirements this is
                # whatever the evaluated command printed (used as "Set to N" below)
                cmdStdout=$(checkRequirement "$REQ")
                retVal=$?
                if [ $retVal -eq 0 ]; then
                    ENABLE_PASSED_REQ=$(($ENABLE_PASSED_REQ + 1))
                elif [ $retVal -eq 2 ]; then
                    # special case: sysctl entry is not present on given system: signal it as: N/A
                    # NOTE(review): noSysctl is set here but not read anywhere in this function
                    noSysctl=1
                    break
                else
                    break
                fi
            done
        fi

        # "feature: " line: human-readable description printed in the report
        feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)

        # a captured value means the feature is a numeric switch: 0 is shown red,
        # anything else green. NOTE(review): `-eq` errors out on stderr if the
        # command printed a non-integer; then the green branch is taken.
        if [ -n "$cmdStdout" ]; then
            if [ "$cmdStdout" -eq 0 ]; then
                state="[ ${txtred}Set to $cmdStdout${txtrst} ]"
                cmdStdout=""
            else
                state="[ ${txtgrn}Set to $cmdStdout${txtrst} ]"
                cmdStdout=""
            fi
        else

            unknown="[ ${txtgray}Unknown${txtrst} ]"

            # for 3rd party (3) mode display "N/A" or "Enabled"
            if [ $MODE -eq 3 ]; then
                enabled="[ ${txtgrn}Enabled${txtrst} ]"
                disabled="[ ${txtgray}N/A${txtrst} ]"

            # for attack-surface (4) mode display "Locked" or "Exposed"
            elif [ $MODE -eq 4 ]; then
                enabled="[ ${txtred}Exposed${txtrst} ]"
                disabled="[ ${txtgrn}Locked${txtrst} ]"

            # other modes: "Disabled" / "Enabled"
            else
                enabled="[ ${txtgrn}Enabled${txtrst} ]"
                disabled="[ ${txtred}Disabled${txtrst} ]"
            fi

            # without a kernel config and without enablement checks nothing can
            # be decided; otherwise all availability AND enablement reqs must pass
            if [ -z "$KCONFIG" -a "$ENABLE_REQS_NUM" = 0 ]; then
                state=$unknown
            elif [ $AVAILABLE_PASSED_REQ -eq $AVAILABLE_REQS_NUM -a $ENABLE_PASSED_REQ -eq $ENABLE_REQS_NUM ]; then
                state=$enabled
            else
                state=$disabled
            fi

        fi

        echo -e " $state $feature ${wht}${CONFIG}${txtrst}"
        [ -n "$analysis_url" ] && echo -e " $analysis_url"
        echo

    done

}
2023
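displayExposure() {
    # Map an exploit's computed Rank to a human-readable exposure label.
    # Arguments: $1 - integer rank (base Rank from the DB plus distro/kernel bumps)
    # Outputs:   "highly probable" (rank >= 6), "probable" (rank >= 3),
    #            otherwise "less probable", on stdout
    # Returns:   0
    # A missing or non-numeric rank is treated as 0 instead of letting `[`
    # complain about an integer expression on stderr (the result was already
    # "less probable" in that case). The rank is kept local; the only caller
    # invokes this inside $(...), so the old global RANK write never leaked.
    local rank=$1
    [[ "$rank" =~ ^[0-9]+$ ]] || rank=0

    if [ "$rank" -ge 6 ]; then
        echo "highly probable"
    elif [ "$rank" -ge 3 ]; then
        echo "probable"
    else
        echo "less probable"
    fi
}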
2035
# parse command line parameters
# Enhanced getopt(1) (util-linux) canonicalises the short and long options
# listed in SHORTOPTS/LONGOPTS and emits them shell-quoted, which is what makes
# the `eval set --` below safe; a non-zero status means an unknown or malformed
# option and the script aborts right away.
ARGS=$(getopt --options "$SHORTOPTS" --longoptions "$LONGOPTS" -- "$@") || exitWithErrMsg "Aborting."

eval set -- "$ARGS"

# Walk the normalised option list. Plain switches just raise their opt_* flag;
# options that take a value consume it with an extra shift. getopt terminates
# the option list with "--": whatever follows it is not a recognised option.
while true; do
    case "$1" in
        # options with an argument
        -u|--uname)          shift; UNAME_A="$1";      opt_uname_string=true ;;
        -k|--kernel)         shift; KERNEL="$1";       opt_kernel_version=true ;;
        -p|--pkglist-file)   shift; PKGLIST_FILE="$1"; opt_pkglist_file=true ;;
        --cvelist-file)      shift; CVELIST_FILE="$1"; opt_cvelist_file=true ;;
        # informational switches: print and leave
        -V|--version)        version; exit 0 ;;
        -h|--help)           usage; exit 0 ;;
        # plain flags
        -f|--full)           opt_full=true ;;
        -g|--short)          opt_summary=true ;;
        -b|--fetch-binaries) opt_fetch_bins=true ;;
        -s|--fetch-sources)  opt_fetch_srcs=true ;;
        -d|--show-dos)       opt_show_dos=true ;;
        --checksec)          opt_checksec_mode=true ;;
        --kernelspace-only)  opt_kernel_only=true ;;
        --userspace-only)    opt_userspace_only=true ;;
        --skip-more-checks)  opt_skip_more_checks=true ;;
        --skip-pkg-versions) opt_skip_pkg_versions=true ;;
        # "--" (or anything unexpected): stop parsing; leftover words are an error
        *)
            shift
            if [ "$#" != "0" ]; then
                exitWithErrMsg "Unknown option '$1'. Aborting."
            fi
            break
            ;;
    esac
    shift
done
2112
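# check Bash version (associative arrays need Bash in version 4.0+)
if ((BASH_VERSINFO[0] < 4)); then
    exitWithErrMsg "Script needs Bash in version 4.0 or newer. Aborting."
fi

# --kernel and --uname both describe the target kernel: refuse both at once
if [ "$opt_kernel_version" = "true" ] && [ "$opt_uname_string" = "true" ]; then
    exitWithErrMsg "Switches -u|--uname and -k|--kernel are mutually exclusive. Aborting."
fi

# --full and --short select opposite output formats
if [ "$opt_full" = "true" ] && [ "$opt_summary" = "true" ]; then
    exitWithErrMsg "Switches -f|--full and -g|--short are mutually exclusive. Aborting."
fi

# --cvelist-file mode is standalone mode and is not applicable when one of -k | -u | -p | --checksec switches are set.
# The --checksec combination was previously not rejected here; since the mode
# dispatch below tries --cvelist-file before --checksec, --checksec would have
# been silently ignored.
if [ "$opt_cvelist_file" = "true" ]; then
    [ ! -e "$CVELIST_FILE" ] && exitWithErrMsg "Provided CVE list file does not exists. Aborting."
    [ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --cvelist-file are mutually exclusive. Aborting."
    [ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --cvelist-file are mutually exclusive. Aborting."
    [ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --cvelist-file are mutually exclusive. Aborting."
    [ "$opt_checksec_mode" = "true" ] && exitWithErrMsg "Switches --checksec and --cvelist-file are mutually exclusive. Aborting."
fi

# --checksec mode is standalone mode and is not applicable when one of -k | -u | -p | --cvelist-file switches are set
# (the --cvelist-file combination is already rejected above)
if [ "$opt_checksec_mode" = "true" ]; then
    [ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --checksec are mutually exclusive. Aborting."
    [ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --checksec are mutually exclusive. Aborting."
    [ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --checksec are mutually exclusive. Aborting."
fi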
2138
# extract kernel version and other OS info like distro name, distro version, etc.
# Five mutually exclusive ways to obtain the data to analyse (the option
# combinations were validated above):
#   1. --kernel       : only a kernel version string; nothing is read from this host
#   2. --uname        : a 'uname -a' string from another host, parsed by parseUname
#   3. --cvelist-file : kernel config of this host; CVE filtering happens in the analysis loop
#   4. --checksec     : kernel-hardening report of this host, then exit
#   5. default        : everything from this host (or only a -p package listing)
# case 1: --kernel set
if [ "$opt_kernel_version" == "true" ]; then
    # TODO: add kernel version number validation
    [ -z "$KERNEL" ] && exitWithErrMsg "Unrecognized kernel version given. Aborting."
    ARCH=""
    OS=""

    # do not perform additional checks on current machine
    opt_skip_more_checks=true

    # do not consider current OS (only an explicitly provided -p listing, if any)
    getPkgList "" "$PKGLIST_FILE"

# case 2: --uname set
elif [ "$opt_uname_string" == "true" ]; then
    [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
    parseUname "$UNAME_A"

    # do not perform additional checks on current machine
    opt_skip_more_checks=true

    # do not consider current OS
    getPkgList "" "$PKGLIST_FILE"

# case 3: --cvelist-file mode
# uname is not parsed here: checkRequirement short-circuits kernel version
# requirements in this mode, so only the kernel config is needed
elif [ "$opt_cvelist_file" = "true" ]; then

    # get kernel configuration in this mode
    [ "$opt_skip_more_checks" = "false" ] && getKernelConfig

# case 4: --checksec mode
elif [ "$opt_checksec_mode" = "true" ]; then

    # this switch is not applicable in this mode
    opt_skip_more_checks=false

    # get kernel configuration in this mode
    # NOTE(review): the warning goes to stdout, interleaved with the report
    getKernelConfig
    [ -z "$KCONFIG" ] && echo "WARNING. Kernel Config not found on the system results won't be complete."

    # launch checksec mode
    checksecMode

    exit 0

# case 5: no --uname | --kernel | --cvelist-file | --checksec set
else

    # --pkglist-file NOT provided: take all info from current machine
    # case for vanilla execution: ./linux-exploit-suggester.sh
    if [ "$opt_pkglist_file" == "false" ]; then
        UNAME_A=$(uname -a)
        [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
        parseUname "$UNAME_A"

        # get kernel configuration in this mode
        [ "$opt_skip_more_checks" = "false" ] && getKernelConfig

        # extract distribution version from /etc/os-release OR /etc/lsb-release
        # (first DISTRIB_RELEASE= or VERSION_ID= value found, quotes stripped;
        # -s silences missing-file errors)
        [ -n "$OS" -a "$opt_skip_more_checks" = "false" ] && DISTRO=$(grep -s -E '^DISTRIB_RELEASE=|^VERSION_ID=' /etc/*-release | cut -d'=' -f2 | head -1 | tr -d '"')

        # extract package listing from current OS
        getPkgList "$OS" ""

    # --pkglist-file provided: only consider userspace exploits against provided package listing
    else
        KERNEL=""
        #TODO: extract machine arch from package listing
        ARCH=""
        # drop the kernel exploit list entirely (re-declared empty; only its
        # emptiness matters to the counters and loops below)
        unset EXPLOITS
        declare -A EXPLOITS
        getPkgList "" "$PKGLIST_FILE"

        # additional checks are not applicable for this mode
        opt_skip_more_checks=true
    fi
fi
2217
# Summary of what was learned about the target; each value is printed green
# when known and as a red "N/A" otherwise. The color variables hold literal
# "\e[..." sequences, hence echo -e.
echo
echo -e "${bldwht}Available information:${txtrst}"
echo
if [ -n "$KERNEL" ]; then
    echo -e "Kernel version: ${txtgrn}$KERNEL${txtrst}"
else
    echo -e "Kernel version: ${txtred}N/A${txtrst}"
fi

if [ -n "$ARCH" ]; then
    arch_info=$(echo -e "${txtgrn}$ARCH${txtrst}")
else
    arch_info=$(echo -e "${txtred}N/A${txtrst}")
fi
echo "Architecture: $arch_info"

if [ -n "$OS" ]; then
    os_info=$(echo -e "${txtgrn}$OS${txtrst}")
else
    os_info=$(echo -e "${txtred}N/A${txtrst}")
fi
echo "Distribution: $os_info"

if [ -n "$DISTRO" ]; then
    distro_info=$(echo -e "${txtgrn}$DISTRO${txtrst}")
else
    distro_info=$(echo -e "${txtred}N/A${txtrst}")
fi
echo -e "Distribution version: $distro_info"

# host-side checks (CONFIG_*, sysctl, cmd:) only run when the data comes from
# the current machine
if [ "$opt_skip_more_checks" == "false" ]; then
    checks_info=$(echo -e "${txtgrn}performed${txtrst}")
else
    checks_info=$(echo -e "${txtred}N/A${txtrst}")
fi
echo "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): $checks_info"

# where the package listing came from: a usable -p file, an unusable -p file,
# the running OS, or nowhere (pkgListFile stays unset -> N/A)
if [ -n "$PKGLIST_FILE" ] && [ -n "$PKG_LIST" ]; then
    pkgListFile="${txtgrn}$PKGLIST_FILE${txtrst}"
elif [ -n "$PKGLIST_FILE" ]; then
    pkgListFile="${txtred}unrecognized file provided${txtrst}"
elif [ -n "$PKG_LIST" ]; then
    pkgListFile="${txtgrn}from current OS${txtrst}"
fi

if [ -n "$pkgListFile" ]; then
    pkglist_info=$(echo -e "$pkgListFile")
else
    pkglist_info=$(echo -e "${txtred}N/A${txtrst}")
fi
echo -e "Package listing: $pkglist_info"

# handle --kernelspace-only & --userspace-only filter options
# (userspace exploits are also dropped when no package listing is available,
# since their pkg= requirements could never be checked)
if [ "$opt_kernel_only" = "true" ] || [ -z "$PKG_LIST" ]; then
    unset EXPLOITS_USERSPACE
    declare -A EXPLOITS_USERSPACE
fi

if [ "$opt_userspace_only" = "true" ]; then
    unset EXPLOITS
    declare -A EXPLOITS
fi

echo
echo -e "${bldwht}Searching among:${txtrst}"
echo
echo "${#EXPLOITS[@]} kernel space exploits"
echo "${#EXPLOITS_USERSPACE[@]} user space exploits"
echo

echo -e "${bldwht}Possible Exploits:${txtrst}"
echo
2258
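# start analysis
# For every exploit entry (kernel space first, then user space) check its
# "Reqs:" one by one; an entry whose requirements are all met gets its Rank
# adjusted for distro/kernel tag matches and is queued in exploits_to_sort.
j=0
for EXP in "${EXPLOITS[@]}" "${EXPLOITS_USERSPACE[@]}"; do

    # create array from current exploit here doc and fetch needed lines
    # (cleared first so no line from a longer previous entry survives)
    # ('-r' is used to not interpret backslash used for bash colors)
    arr=()
    i=0
    while read -r line
    do
        arr[i]="$line"
        i=$((i + 1))
    done <<< "$EXP"

    # the first four lines of every entry are "Name: ", "Reqs: ", "Tags: ",
    # "Rank: " - 6 characters of prefix each
    NAME="${arr[0]}" && NAME="${NAME:6}"
    REQS="${arr[1]}" && REQS="${REQS:6}"
    TAGS="${arr[2]}" && TAGS="${TAGS:6}"
    RANK="${arr[3]}" && RANK="${RANK:6}"

    # split line with requirements & loop thru all reqs one by one & check whether it is met
    # ( ) runs the check in a subshell so it cannot alter our globals; the
    # second argument is the leading "pkg=NAME" requirement the version checks need
    IFS=',' read -r -a array <<< "$REQS"
    REQS_NUM=${#array[@]}
    PASSED_REQ=0
    for REQ in "${array[@]}"; do
        if (checkRequirement "$REQ" "${array[0]}"); then
            PASSED_REQ=$(($PASSED_REQ + 1))
        else
            break
        fi
    done

    # execute for exploits with all requirements met
    if [ $PASSED_REQ -eq $REQS_NUM ]; then

        # additional requirement for --cvelist-file mode: check if CVE associated with the exploit is on the CVELIST_FILE
        if [ "$opt_cvelist_file" = "true" ]; then

            # extract CVE(s) associated with given exploit (also translates ',' to '|' for easy handling multiple CVEs case - via extended regex)
            # the Name line carries literal color escapes, so the CVE id sits
            # between the first 'm' (end of the escape) and the closing ']'
            cve=$(echo "$NAME" | grep '.*\[.*\].*' | cut -d 'm' -f2 | cut -d ']' -f1 | tr -d '[' | tr "," "|")

            # check if it's on CVELIST_FILE list, if no move to next exploit
            # (grep -q instead of testing grep's unquoted output, which made `[`
            # fail with "too many arguments" when several lines matched)
            grep -q -E -- "$cve" "$CVELIST_FILE" || continue
        fi

        # process tags and highlight those that match current OS (only for deb|ubuntu|RHEL and if we know distro version - direct mode)
        tags=""
        if [ -n "$TAGS" -a -n "$OS" ]; then
            IFS=',' read -r -a tags_array <<< "$TAGS"
            TAGS_NUM=${#tags_array[@]}

            # bump RANK slightly (+1) if we're in '--uname' mode and there's a TAG for OS from uname string
            [ "$(echo "${tags_array[@]}" | grep "$OS")" -a "$opt_uname_string" == "true" ] && RANK=$(($RANK + 1))

            for TAG in "${tags_array[@]}"; do
                tag_distro=$(echo "$TAG" | cut -d'=' -f1)
                tag_distro_num_all=$(echo "$TAG" | cut -d'=' -f2)
                # in case of tag of form: 'ubuntu=16.04{kernel:4.4.0-21}' remove kernel versioning part for comparison
                tag_distro_num="${tag_distro_num_all%{*}"

                # we're in '--uname' mode OR (for normal mode) if there is distro version match
                if [ "$opt_uname_string" == "true" -o \( "$OS" == "$tag_distro" -a "$(echo "$DISTRO" | grep -E "$tag_distro_num")" \) ]; then

                    # bump current exploit's rank by 2 for distro match (and not in '--uname' mode)
                    [ "$opt_uname_string" == "false" ] && RANK=$(($RANK + 2))

                    # get name (kernel or package name) and version of kernel/pkg if provided:
                    tag_pkg=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 1)
                    tag_pkg_num=""
                    [[ "$tag_distro_num_all" == *\{* ]] && tag_pkg_num=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 2)

                    # if pkg/kernel version is not provided:
                    if [ -z "$tag_pkg_num" ]; then
                        [ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ ${TAG} ]${txtrst}"

                    # kernel version provided, check for match (regex from the tag against the full kernel string):
                    elif [ -n "$tag_pkg_num" -a "$tag_pkg" = "kernel" ]; then
                        if grep -q -E -- "${tag_pkg_num}" <<<"$KERNEL_ALL"; then
                            # kernel version matched - bold highlight
                            TAG="${yellow}[ ${TAG} ]${txtrst}"

                            # bump current exploit's rank additionally by 3 for kernel version regex match
                            RANK=$(($RANK + 3))
                        else
                            [ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{kernel:$tag_pkg_num}"
                        fi

                    # pkg version provided, check for match (TBD):
                    elif [ -n "$tag_pkg_num" -a -n "$tag_pkg" ]; then
                        TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{$tag_pkg:$tag_pkg_num}"
                    fi

                fi

                # append current tag to tags list
                tags="${tags}${TAG},"
            done
            # trim ',' added by above loop
            [ -n "$tags" ] && tags="${tags%?}"
        else
            tags="$TAGS"
        fi

        # insert the matched exploit (with calculated Rank and highlighted tags) to array that will be sorted:
        # the entry is flattened onto one line with "D3L1m" as line separator and
        # the Rank prefixed, so that sorting the lines orders them by Rank
        EXP=$(echo "$EXP" | sed -e '/^Name:/d' -e '/^Reqs:/d' -e '/^Tags:/d')
        exploits_to_sort[j]="${RANK}Name: ${NAME}D3L1mReqs: ${REQS}D3L1mTags: ${tags}D3L1m$(echo "$EXP" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/D3L1m/g')"
        j=$((j + 1))
    fi
done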
2369
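# sort exploits based on calculated Rank
# Every queued entry starts with its Rank digits, so a reverse numeric sort
# puts the highest ranks first; -n keeps two-digit ranks (10 and above) ahead
# of single-digit ones, which the previous lexicographic sort got wrong.
# mapfile avoids the IFS/word-splitting round trip (and pathname expansion on
# entries containing '[' ... ']'); the guard keeps the array empty when
# nothing matched, as before.
SORTED_EXPLOITS=()
if [ "${#exploits_to_sort[@]}" -gt 0 ]; then
    mapfile -t SORTED_EXPLOITS < <(printf '%s\n' "${exploits_to_sort[@]}" | sort -r -n)
fi

# display sorted exploits
for EXP_TEMP in "${SORTED_EXPLOITS[@]}"; do

    # the digits before "Name:" are the computed Rank
    RANK=$(echo "$EXP_TEMP" | awk -F'Name:' '{print $1}')

    # convert entry back to canonical form: strip the whole Rank prefix (all of
    # its digits, not just the first one) and turn D3L1m separators back into newlines
    EXP=$(echo "$EXP_TEMP" | sed -e 's/^[0-9]*//' -e 's/D3L1m/\n/g')

    # create array from current exploit here doc and fetch needed lines
    # (cleared first so no line from a longer previous entry survives)
    # ('-r' is used to not interpret backslash used for bash colors)
    arr=()
    i=0
    while read -r line
    do
        arr[i]="$line"
        i=$((i + 1))
    done <<< "$EXP"

    NAME="${arr[0]}" && NAME="${NAME:6}"
    REQS="${arr[1]}" && REQS="${REQS:6}"
    TAGS="${arr[2]}" && tags="${TAGS:6}"

    # optional metadata lines of the entry
    EXPLOIT_DB=$(echo "$EXP" | grep "exploit-db: " | awk '{print $2}')
    analysis_url=$(echo "$EXP" | grep "analysis-url: " | awk '{print $2}')
    ext_url=$(echo "$EXP" | grep "ext-url: " | awk '{print $2}')
    comments=$(echo "$EXP" | grep "Comments: " | cut -d' ' -f 2-)
    reqs=$(echo "$EXP" | grep "Reqs: " | cut -d' ' -f 2)

    # exploit name without CVE number and without commonly used special chars
    # (used as a file name prefix for downloads, hence '/' is removed too)
    name=$(echo "$NAME" | cut -d' ' -f 2- | tr -d ' ()/')

    # download location: explicit src-url, else derived from the exploit-db id
    src_url=$(echo "$EXP" | grep "src-url: " | awk '{print $2}')
    [ -z "$src_url" ] && [ -n "$EXPLOIT_DB" ] && src_url="https://www.exploit-db.com/download/$EXPLOIT_DB"
    [ -z "$src_url" ] && exitWithErrMsg "Both 'src-url' and 'exploit-db' entries are empty for '$NAME' exploit - fix that. Aborting."

    # "Details" link: the analysis write-up if the DB has one, otherwise the
    # exploit-db page (when the source is hosted there or is an archive with a
    # known exploit-db id), otherwise the source itself
    if [ -n "$analysis_url" ]; then
        details="$analysis_url"
    elif grep -q -F 'www.exploit-db.com' <<<"$src_url"; then
        details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
    elif [[ "$src_url" =~ \.(tgz|tar\.gz|zip)$ && -n "$EXPLOIT_DB" ]]; then
        # the alternation is grouped now; the old "^.*tgz|tar.gz|zip$" matched
        # "tgz"/"tar.gz" anywhere in the URL
        details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
    else
        details="$src_url"
    fi

    # skip DoS by default
    dos=$(echo "$EXP" | grep -o -i "(dos")
    [ "$opt_show_dos" == "false" ] && [ -n "$dos" ] && continue

    # handles --fetch-binaries option
    # Files land in the current directory as "<name>_<basename of URL>". The DB
    # carries no hash or signature, so nothing downloaded here is integrity
    # checked; treat fetched files as untrusted.
    if [ "$opt_fetch_bins" = "true" ]; then
        while IFS= read -r bin_url; do
            [ -n "$bin_url" ] || continue
            target="${name}_$(basename -- "$bin_url")"
            [ -f "$target" ] && rm -f -- "$target"
            wget -q -k "$bin_url" -O "$target"
        done < <(echo "$EXP" | grep "bin-url: " | awk '{print $2}')
    fi

    # handles --fetch-sources option
    # (the download runs in the background and the script does not wait for it)
    if [ "$opt_fetch_srcs" = "true" ]; then
        target="${name}_$(basename -- "$src_url")"
        [ -f "$target" ] && rm -f -- "$target"
        wget -q -k "$src_url" -O "$target" &
    fi

    # display result (short)
    if [ "$opt_summary" = "true" ]; then
        [ -z "$tags" ] && tags="-"
        echo -e "$NAME || $tags || $src_url"
        continue
    fi

    # display result (standard)
    # NAME and tags carry literal "\e[..." color sequences from the DB, hence echo -e
    echo -e "[+] $NAME"
    echo -e "\n Details: $details"
    echo -e " Exposure: $(displayExposure "$RANK")"
    [ -n "$tags" ] && echo -e " Tags: $tags"
    echo -e " Download URL: $src_url"
    [ -n "$ext_url" ] && echo -e " ext-url: $ext_url"
    [ -n "$comments" ] && echo -e " Comments: $comments"

    # handles --full filter option
    if [ "$opt_full" = "true" ]; then
        [ -n "$reqs" ] && echo -e " Requirements: $reqs"

        [ -n "$EXPLOIT_DB" ] && echo -e " exploit-db: $EXPLOIT_DB"

        author=$(echo "$EXP" | grep "author: " | cut -d' ' -f 2-)
        [ -n "$author" ] && echo -e " author: $author"
    fi

    echo

done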
2465done