linux提权辅助工具(一):linux-exploit-suggester.sh
阅读量:5140 次
发布时间:2019-06-13

本文共 42057 字,大约阅读时间需要 140 分钟。

来自:https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh

#!/bin/bash## Copyright (c) 2016-2018, mzet## linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.# This is free software, and you are welcome to redistribute it# under the terms of the GNU General Public License. See LICENSE# file for usage of this software.#VERSION=v0.9# bash colors#txtred="\e[0;31m"txtred="\e[91;1m"txtgrn="\e[1;32m"txtgray="\e[1;30m"txtblu="\e[0;36m"txtrst="\e[0m"bldwht='\e[1;37m'wht='\e[0;36m'bldblu='\e[1;34m'yellow='\e[1;93m'lightyellow='\e[0;93m'# input dataUNAME_A=""# parsed data for current OSKERNEL=""OS=""DISTRO=""ARCH=""PKG_LIST=""# kernel configKCONFIG=""CVELIST_FILE=""opt_fetch_bins=falseopt_fetch_srcs=falseopt_kernel_version=falseopt_uname_string=falseopt_pkglist_file=falseopt_cvelist_file=falseopt_checksec_mode=falseopt_full=falseopt_summary=falseopt_kernel_only=falseopt_userspace_only=falseopt_show_dos=falseopt_skip_more_checks=falseopt_skip_pkg_versions=falseARGS=SHORTOPTS="hVfbsu:k:dp:g"LONGOPTS="help,version,full,fetch-binaries,fetch-sources,uname:,kernel:,show-dos,pkglist-file:,short,kernelspace-only,userspace-only,skip-more-checks,skip-pkg-versions,cvelist-file:,checksec"## exploits databasedeclare -a EXPLOITSdeclare -a EXPLOITS_USERSPACE############ LINUX KERNELSPACE EXPLOITS ####################n=0EXPLOITS[((n++))]=$(cat <
<
<
=2.6.5,ver<=2.6.11Tags:exploit-db: 1397EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.2Tags:exploit-db: 160EOF)EXPLOITS[((n++))]=$(cat <
=2.6.13,ver<=2.6.17Tags:exploit-db: 2031EOF)EXPLOITS[((n++))]=$(cat <
=2.6.13,ver<=2.6.17Tags:exploit-db: 2004EOF)EXPLOITS[((n++))]=$(cat <
=2.6.13,ver<=2.6.17Tags:exploit-db: 2005EOF)EXPLOITS[((n++))]=$(cat <
=2.6.13,ver<=2.6.17Tags:exploit-db: 2006EOF)EXPLOITS[((n++))]=$(cat <
=2.6.13,ver<=2.6.17Tags:exploit-db: 2011EOF)EXPLOITS[((n++))]=$(cat <
=2.6.8,ver<=2.6.16Tags:bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/h00lyshitexploit-db: 2013EOF)EXPLOITS[((n++))]=$(cat <
=2.6.17,ver<=2.6.24Tags:exploit-db: 5092EOF)EXPLOITS[((n++))]=$(cat <
=2.6.23,ver<=2.6.24Tags:exploit-db: 5093EOF)EXPLOITS[((n++))]=$(cat <
=2.6.11,ver<=2.6.22Tags:exploit-db: 6851Comments: world-writable sgid directory and shell that does not drop sgid privs upon exec (ash/sash) are requiredEOF)EXPLOITS[((n++))]=$(cat <
=2.6.25,ver<=2.6.29Tags:exploit-db: 8369EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.30Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11exploit-db: 9479Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.30Tags: ubuntu=9.04analysis-url: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9435.tgzexploit-db: 9435Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installedEOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.30Tags: src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9436.tgzexploit-db: 9436Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.30Tags: src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9641.tar.gzexploit-db: 9641Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installedEOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.30Tags: ubuntu=8.10,RHEL=4|5exploit-db: 9545Comments: /proc/sys/vm/mmap_min_addr needs to equal 0EOF)EXPLOITS[((n++))]=$(cat <
=2.6.1,ver<=2.6.19Tags:src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgzexploit-db: 9574EOF)EXPLOITS[((n++))]=$(cat <
=2.6.1,ver<=2.6.19Tags: debian=4exploit-db: 9575EOF)EXPLOITS[((n++))]=$(cat <
=2.6.1,ver<=2.6.19,x86Tags: fedora=4|5|6,RHEL=4exploit-db: 9542EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.31Tags:exploit-db: 33321EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.31Tags:exploit-db: 33322EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.31Tags:exploit-db: 10018EOF)EXPLOITS[((n++))]=$(cat <
=2.6.26,ver<=2.6.34Tags: debian=6,ubuntu=10.04|10.10bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/kmod2bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/ptrace-kmodbin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/ptrace_kmod2-64exploit-db: 15023EOF)EXPLOITS[((n++))]=$(cat <
=2.6.18,ver<=2.6.34Tags: ubuntu=9.10exploit-db: 12130EOF)EXPLOITS[((n++))]=$(cat <
=2.6.18,ver<=2.6.36Tags: ubuntu=10.04bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/can_bcmexploit-db: 14814EOF)EXPLOITS[((n++))]=$(cat <
=2.6.30,ver<2.6.37Tags: debian=6,ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-21-generic}analysis-url: http://www.securityfocus.com/archive/1/514379src-url: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.cbin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rdsbin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds64exploit-db: 15285EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.36Tags: ubuntu=10.04|9.10bin-url: http://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/half-nelson3exploit-db: 17787EOF)EXPLOITS[((n++))]=$(cat <
=2.6.34,ver<=2.6.36,x86Tags: ubuntu=10.10exploit-db: 15916EOF)EXPLOITS[((n++))]=$(cat <
=2.6.34,ver<=2.6.36Tags: ubuntu=10.10exploit-db: 15944EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.36Tags:exploit-db: 15774EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.36Tags: ubuntu=10.04exploit-db: 15150EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.33Tags: RHEL=5exploit-db: 15024EOF)EXPLOITS[((n++))]=$(cat <
=3.0.0,ver<=3.1.0Tags: ubuntu=10.04|11.10analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/src-url: https://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.cbin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipperbin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64exploit-db: 18411EOF)EXPLOITS[((n++))]=$(cat <
=2.6.0,ver<=2.6.36Tags: ubuntu=9.10|10.04|10.10,ubuntu=10.04.1src-url: http://vulnfactory.org/exploits/full-nelson.cbin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelsonbin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson64exploit-db: 15704EOF)EXPLOITS[((n++))]=$(cat <
<
=2.6.32,ver<3.8.9Tags: RHEL=6,ubuntu=12.04analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_sweventbin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent64exploit-db: 26131EOF)EXPLOITS[((n++))]=$(cat <
=2.6.32,ver<3.8.9,x86_64Tags: ubuntu=12.04analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/src-url: https://cyseclabs.com/exploits/vnik_v1.cexploit-db: 33589EOF)EXPLOITS[((n++))]=$(cat <
=2.6.18,ver<3.7.6Tags: exploit-db: 27297EOF)EXPLOITS[((n++))]=$(cat <
=3.0.1,ver<3.8.9Tags: analysis-url: http://www.openwall.com/lists/oss-security/2013/04/29/1exploit-db: 25450EOF)EXPLOITS[((n++))]=$(cat <
=2.6.32,ver<3.8.9Tags: RHEL=6analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/exploit-db: 25444EOF)EXPLOITS[((n++))]=$(cat <
=3.4.0,ver<=3.13.1,CONFIG_X86_X32=yTags: ubuntu=13.10analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.htmlbin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/timeoutpwn64exploit-db: 31346Comments: CONFIG_X86_X32 needs to be enabledEOF)EXPLOITS[((n++))]=$(cat <
=3.4.0,ver<=3.13.1,CONFIG_X86_X32=yTags: ubuntu=13.10|13.04analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.htmlexploit-db: 31347Comments: CONFIG_X86_X32 needs to be enabledEOF)EXPLOITS[((n++))]=$(cat <
=2.6.31,ver<=3.14.3Tags:analysis-url: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.htmlexploit-db: 33516EOF)EXPLOITS[((n++))]=$(cat <
=3.0.1,ver<=3.14Tags: analysis-url: https://cyseclabs.com/page?n=02012016exploit-db: 32926EOF)EXPLOITS[((n++))]=$(cat <
=3.0.1,ver<=3.13Tags: ubuntu=12.04analysis-url: http://www.openwall.com/lists/oss-security/2014/06/10/4exploit-db: 33824EOF)EXPLOITS[((n++))]=$(cat <
=3.0.1,ver<=3.8Tags: ubuntu=12.04analysis-url: http://www.openwall.com/lists/oss-security/2014/07/08/16exploit-db: 34134EOF)EXPLOITS[((n++))]=$(cat <
=3.2,ver<=3.15.6Tags: analysis-url: https://cyseclabs.com/page?n=01102015exploit-db: 36267EOF)EXPLOITS[((n++))]=$(cat <
=3.0.1,ver<=3.16.1Tags: exploit-db: 34923EOF)EXPLOITS[((n++))]=$(cat <
=3.0.1,ver<3.17.5,x86_64Tags: RHEL<=7,fedora=20analysis-url: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/src-url: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gzexploit-db:author: Rafal 'n3rgal' Wojtczuk & Adam 'pi3' ZabrockiEOF)EXPLOITS[((n++))]=$(cat <
=3.13,ver<4.1.6,x86_64Tags: analysis-url: http://www.openwall.com/lists/oss-security/2015/08/04/8exploit-db: 37722EOF)EXPLOITS[((n++))]=$(cat <
<
=3.13.0,ver<=3.19.0Tags: ubuntu=12.04|14.04|14.10|15.04analysis-url: http://seclists.org/oss-sec/2015/q2/717bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_32bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_64exploit-db: 37292EOF)EXPLOITS[((n++))]=$(cat <
=3.0.0,ver<=4.3.3Tags:analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/exploit-db: 39230EOF)EXPLOITS[((n++))]=$(cat <
=3.0.0,ver<=4.3.3Tags: ubuntu=14.04|15.10analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/exploit-db: 39166EOF)EXPLOITS[((n++))]=$(cat <
=3.10,ver<4.4.1Tags:analysis-url: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/exploit-db: 40003Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-workingEOF)EXPLOITS[((n++))]=$(cat <
=3.0.0,ver<=4.4.8Tags: ubuntu=14.04,fedora=22analysis-url: https://xairy.github.io/blog/2016/cve-2016-2384src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.cexploit-db: 41999Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged userauthor: Andrey 'xairy' KonovalovEOF)EXPLOITS[((n++))]=$(cat <
=4.4.0,ver<=4.4.0,cmd:grep -qi ip_tables /proc/modulesTags: ubuntu=16.04{kernel:4.4.0-21}src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zipComments: ip_tables.ko needs to be loadedexploit-db: 40049author: Vitaly Nikolenko (vnik)EOF)EXPLOITS[((n++))]=$(cat <
=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1Tags: ubuntu=16.04{kernel:4.4.0-21-generic}analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zipComments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1exploit-db: 40759author: Jann HornEOF)EXPLOITS[((n++))]=$(cat <
=2.6.22,ver<=4.8.3Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetailsComments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.shexploit-db: 40611author: Phil OesterEOF)EXPLOITS[((n++))]=$(cat <
=2.6.22,ver<=4.8.3Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetailsext-url: https://www.exploit-db.com/download/40847.cppComments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.shexploit-db: 40839author: FireFart (author of exploit at EDB 40839); Gabriele Bonacini (author of exploit at 'ext-url')EOF)EXPLOITS[((n++))]=$(cat <
=4.4.0,ver<4.9,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}analysis-url: http://www.openwall.com/lists/oss-security/2016/12/06/1Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabledbin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/CVE-2016-8655/chocobo_rootexploit-db: 40871author: rebelEOF)EXPLOITS[((n++))]=$(cat <
=3.11,ver<4.8.14,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1Tags:analysis-url: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.cComments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU onlyexploit-db: 41995author: Andrey 'xairy' KonovalovEOF)EXPLOITS[((n++))]=$(cat <
=2.6.18,ver<=4.9.11,CONFIG_IP_DCCP=[my]Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}analysis-url: http://www.openwall.com/lists/oss-security/2017/02/22/3Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypassexploit-db: 41458author: Andrey 'xairy' KonovalovEOF)EXPLOITS[((n++))]=$(cat <
=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}analysis-url: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.htmlsrc-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.cext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-7308/CVE-2017-7308/poc.cComments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernelsbin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-7308/exploitexploit-db: 41994author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')EOF)EXPLOITS[((n++))]=$(cat <
=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1Tags: debian=9,fedora=25|26|27,ubuntu=14.04|16.04|17.04analysis-url: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.htmlComments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-16995/exploit.outexploit-db: 45010author: Rick LarabeeEOF)EXPLOITS[((n++))]=$(cat <
=4.4,ver<=4.13,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*}analysis-url: http://www.openwall.com/lists/oss-security/2017/08/13/1src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.cext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-1000112/CVE-2017-1000112/poc.cComments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernelsbin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-1000112/exploit.outexploit-db:author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')EOF)EXPLOITS[((n++))]=$(cat <
=3.2,ver<=4.13,x86_64Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}analysis-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txtsrc-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.cexploit-db: 42887author: QualysComments:EOF)EXPLOITS[((n++))]=$(cat <
=4.15,ver<=4.19.2,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,cmd:[ -u /usr/bin/newuidmap ],cmd:[ -u /usr/bin/newgidmap ]Tags: ubuntu=18analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zipexploit-db: 45886author: Jann HornComments: CONFIG_USER_NS needs to be enabledEOF)############ USERSPACE EXPLOITS ###########################n=0EXPLOITS_USERSPACE[((n++))]=$(cat <
<
<
<
<
<
=1.8.0,ver<=1.8.3Tags: fedora=16 analysis-url: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txtexploit-db: 18436EOF)EXPLOITS_USERSPACE[((n++))]=$(cat <
<
<
<
<
=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_patternTags: ubuntu=14.04analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.cexploit-db: 36746EOF)EXPLOITS_USERSPACE[((n++))]=$(cat <
=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_patternTags: ubuntu=14.04.2analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4exploit-db: 36782EOF)EXPLOITS_USERSPACE[((n++))]=$(cat <
<
<
<
=6.8,ver<=6.9Tags:analysis-url: http://www.openwall.com/lists/oss-security/2017/01/26/2exploit-db: 41173author: Federico BentoComments: Needs admin interaction (root user needs to login via ssh to trigger exploitation)EOF)EXPLOITS_USERSPACE[((n++))]=$(cat <
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
=3.14analysis-url: https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.mdEOF)FEATURES[((n++))]=$(cat <
<
=2.6.37enabled: sysctl:kernel.dmesg_restrict!=0analysis-url: https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.mdEOF)FEATURES[((n++))]=$(cat <
<
<
<
<
<
<
<
=3.0,cmd:grep -qi smep /proc/cpuinfoenabled: cmd:grep -qi smep /proc/cpuinfoanalysis-url: https://github.com/mzet-/les-res/blob/master/features/smep.mdEOF)FEATURES[((n++))]=$(cat <
=3.7,cmd:grep -qi smap /proc/cpuinfoenabled: cmd:grep -qi smap /proc/cpuinfoanalysis-url: https://github.com/mzet-/les-res/blob/master/features/smap.mdEOF)FEATURES[((n++))]=$(cat <
<
<
<
<
<
<
<
<
- provide kernel version" echo " -u | --uname
- provide 'uname -a' string" echo " --skip-more-checks - do not perform additional checks (kernel config, sysctl) to determine if exploit is applicable" echo " --skip-pkg-versions - skip checking for exact userspace package version (helps to avoid false negatives)" echo " -p | --pkglist-file
- provide file with 'dpkg -l' or 'rpm -qa' command output" echo " --cvelist-file
- provide file with Linux kernel CVEs list"
    echo " --checksec - list security related features for your HW/kernel"
    echo " -s | --fetch-sources - automatically downloads source for matched exploit"
    echo " -b | --fetch-binaries - automatically downloads binary for matched exploit if available"
    echo " -f | --full - show full info about matched exploit"
    echo " -g | --short - show shorten info about matched exploit"
    echo " --kernelspace-only - show only kernel vulnerabilities"
    echo " --userspace-only - show only userspace vulnerabilities"
    echo " -d | --show-dos - show also DoSes in results"
}

# prints the given message to stderr and terminates the script with status 1
# Arguments: $1 - message
exitWithErrMsg() {
    echo "$1" 1>&2
    exit 1
}

# extracts all information from output of 'uname -a' command
# Arguments: $1 - the 'uname -a' string (either captured locally or supplied with -u)
# Globals written: KERNEL (third field, anything from the first '-' on dropped),
#                  KERNEL_ALL (full third field), ARCH (second-to-last field),
#                  OS (distro name guessed from substrings; empty when nothing matches)
# The string is only ever piped through echo/awk/cut/grep here - it is never evaluated.
parseUname() {
    local uname=$1

    KERNEL=$(echo "$uname" | awk '{print $3}' | cut -d '-' -f 1)
    KERNEL_ALL=$(echo "$uname" | awk '{print $3}')
    ARCH=$(echo "$uname" | awk '{print $(NF-1)}')
    OS=""

    # the checks run in order, so a later match overrides an earlier one
    echo "$uname" | grep -q -i 'deb' && OS="debian"
    echo "$uname" | grep -q -i 'ubuntu' && OS="ubuntu"
    echo "$uname" | grep -q -i '\-ARCH' && OS="arch"
    echo "$uname" | grep -q -i '\-deepin' && OS="deepin"
    echo "$uname" | grep -q -i '\-MANJARO' && OS="manjaro"
    echo "$uname" | grep -q -i '\.fc' && OS="fedora"
    echo "$uname" | grep -q -i '\.el' && OS="RHEL"
    echo "$uname" | grep -q -i '\.mga' && OS="mageia"

    # 'uname -a' output doesn't contain distribution number (at least not in case of all distros)
}

# fills PKG_LIST with one "<name>-<version>" entry per line
# Arguments: $1 - distro name (used to pick the package manager when no listing file is given)
#            $2 - path of a package listing file (only used when opt_pkglist_file is true)
# Globals read:    opt_pkglist_file
# Globals written: PKG_LIST (empty when nothing could be obtained), OS (only in the file branch,
#                  where the distro is guessed from the listing format)
getPkgList() {
    local distro=$1
    local pkglist_file=$2

    # take package listing from provided file & detect if it's 'rpm -qa' listing or 'dpkg -l' or 'pacman -Q' listing of not recognized listing
    if [ "$opt_pkglist_file" = "true" -a -e "$pkglist_file" ]; then

        # ubuntu/debian package listing file
        # NOTE(review): the command substitutions inside these tests are unquoted, so a match
        # containing whitespace would be word-split into several test arguments
        if [ $(cat "$pkglist_file" | head -1 | grep 'Desired=Unknown/Install/Remove/Purge/Hold') ]; then
            PKG_LIST=$(cat "$pkglist_file" | awk '{print $2"-"$3}' | sed 's/:amd64//g')
            OS="debian"
            [ "$(cat "$pkglist_file" | grep "ubuntu")" ] && OS="ubuntu"

        # redhat package listing file
        elif [ $(cat "$pkglist_file" | head -1 | grep -E '\.el[1-9]+\.') ]; then
            PKG_LIST=$(cat "$pkglist_file")
            OS="RHEL"

        # fedora package listing file
        elif [ $(cat "$pkglist_file" | head -1 | grep -E '\.fc[1-9]+') ]; then
            PKG_LIST=$(cat "$pkglist_file")
            OS="fedora"

        # mageia package listing file
        elif [ $(cat "$pkglist_file" | head -1 | grep -E '\.mga[1-9]+') ]; then
            PKG_LIST=$(cat "$pkglist_file")
            OS="mageia"

        # pacman package listing file
        # (the path is unquoted here, unlike in the branches above, so a path with whitespace breaks this test)
        elif [ "$(head -1 $pkglist_file | grep -E '\ [0-9]+\.')" ]; then
            PKG_LIST=$(cat "$pkglist_file" | awk '{print $1"-"$2}')
            OS="arch"

        # file not recognized - skipping
        else
            PKG_LIST=""
        fi

    elif [ "$distro" = "debian" -o "$distro" = "ubuntu" -o "$distro" = "deepin" ]; then
        PKG_LIST=$(dpkg -l | awk '{print $2"-"$3}' | sed 's/:amd64//g')
    elif [ "$distro" = "RHEL" -o "$distro" = "fedora" -o "$distro" = "mageia" ]; then
        PKG_LIST=$(rpm -qa)
    elif [ "$distro" = "arch" -o "$distro" = "manjaro" ]; then
        PKG_LIST=$(pacman -Q | awk '{print $1"-"$2}')
    elif [ -x /usr/bin/equery ]; then
        PKG_LIST=$(/usr/bin/equery --quiet list '*' -F '$name:$version' | cut -d/ -f2- | awk '{print $1":"$2}')
    else
        # packages listing not available
        PKG_LIST=""
    fi
}

# from: https://stackoverflow.com/questions/4023830/how-compare-two-strings-in-dot-separated-version-format-in-bash
# compares two dot-separated version strings numerically, field by field
# (missing trailing fields count as 0, fields are forced to base 10)
# Arguments: $1, $2 - version strings
# Returns: 0 if $1 == $2, 1 if $1 > $2, 2 if $1 < $2
verComparision() {
    if [[ $1 == $2 ]]
    then
        return 0
    fi
    local IFS=.
    local i ver1=($1) ver2=($2)
    # fill empty fields in ver1 with zeros
    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
    do
        ver1[i]=0
    done
    for ((i=0; i<${#ver1[@]}; i++))
    do
        if [[ -z ${ver2[i]} ]]
        then
            # fill empty fields in ver2 with zeros
            ver2[i]=0
        fi
        if ((10#${ver1[i]} > 10#${ver2[i]}))
        then
            return 1
        fi
        if ((10#${ver1[i]} < 10#${ver2[i]}))
        then
            return 2
        fi
    done
    return 0
}

# tests whether "<currentVersion> <reqRelation> <reqVersion>" holds
# Arguments: $1 - required version, $2 - relation (=, >, <, >=, <=), $3 - current version
# Globals written: currentRelation (not declared local)
# Returns: 0 when the relation holds; there is no explicit return on the other paths,
#          so the status is that of the last test executed (non-zero) - or of 'esac'
#          when reqRelation is none of the five handled values
doVersionComparision() {
    local reqVersion="$1"
    local reqRelation="$2"
    local currentVersion="$3"

    # NOTE(review): arguments are unquoted - an empty currentVersion drops out and
    # reqVersion becomes verComparision's first argument instead of failing loudly
    verComparision $currentVersion $reqVersion
    case $? in
        0) currentRelation='=';;
        1) currentRelation='>';;
        2) currentRelation='<';;
    esac

    if [ "$reqRelation" == "=" ]; then
        [ $currentRelation == "=" ] && return 0
    elif [ "$reqRelation" == ">" ]; then
        [ $currentRelation == ">" ] && return 0
    elif [ "$reqRelation" == "<" ]; then
        [ $currentRelation == "<" ] && return 0
    elif [ "$reqRelation" == ">=" ]; then
        [ $currentRelation == "=" ] && return 0
        [ $currentRelation == ">" ] && return 0
    elif [ "$reqRelation" == "<=" ]; then
        [ $currentRelation == "=" ] && return 0
        [ $currentRelation == "<" ] && return 0
    fi
}

# string comparison used for sysctl conditions
# Arguments: $1 - current value, $2 - required value, $3 - sign ("==" or "!=")
# Globals written: curVal, val, sign (not declared local)
# Returns: 0 when the condition holds, 1 otherwise (also for an unknown sign)
compareValues() {
    curVal=$1
    val=$2
    sign=$3

    if [ "$sign" == "==" ]; then
        [ "$val" == "$curVal" ] && return 0
    elif [ "$sign" == "!=" ]; then
        [ "$val" != "$curVal" ] && return 0
    fi

    return 1
}

# evaluates one requirement string from the exploits/features DB against the data
# gathered for the system under analysis. Recognized forms (matched on the prefix):
#   pkg=<name>            - package present in PKG_LIST (always true for 'linux-kernel')
#   ver<op><version>      - kernel version (or the version of the package named by $2)
#                           satisfies <op> <version>, <op> being one of =, >, <, >=, <=
#   x86_64 / x86          - architecture matches (an empty ARCH is accepted for both)
#   CONFIG_<...>          - line present in the kernel config (when one is available)
#   sysctl:<entry>==<v> / sysctl:<entry>!=<v>
#   cmd:<shell command>   - the command exits 0
# CONFIG_, sysctl: and cmd: checks are skipped (treated as met) when opt_skip_more_checks is true.
# Arguments: $1 - requirement string
#            $2 - presumably the 'pkg=<name>' requirement of the same entry; only the part
#                 from offset 4 on (the package name) is used - verify against callers
# Globals read: PKG_LIST, KERNEL, ARCH, KCONFIG, opt_checksec_mode, opt_cvelist_file,
#               opt_skip_more_checks, opt_skip_pkg_versions
# Globals written: pkg, version, rest, operator, pkgVersion, sysctlCondition, sign, val,
#                  entry, curVal, cmd (none declared local)
# Returns: 0 met, 1 not met, 2 only for sysctl: in --checksec mode when the entry does not exist
checkRequirement() {
    #echo "Checking requirement: $1"
    local IN="$1"
    local pkgName="${2:4}"

    if [[ "$IN" =~ ^pkg=.*$ ]]; then
        # always true for Linux OS
        [ ${pkgName} == "linux-kernel" ] && return 0

        # verify if package is present
        pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1)
        if [ -n "$pkg" ]; then
            return 0
        fi
    elif [[ "$IN" =~ ^ver.*$ ]]; then
        # e.g. 'ver>=2.6.5': version keeps only digits and dots, operator is what is
        # left after stripping the leading 'ver' and the trailing version
        version="${IN//[^0-9.]/}"
        rest="${IN#ver}"
        operator=${rest%$version}

        if [ "$pkgName" == "linux-kernel" -o "$opt_checksec_mode" == "true" ]; then
            # for --cvelist-file mode skip kernel version comparision
            [ "$opt_cvelist_file" = "true" ] && return 0
            # unquoted: with an empty KERNEL the remaining arguments shift left
            doVersionComparision $version $operator $KERNEL && return 0
        else
            # extract package version and check if requiremnt is true
            pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1)

            # skip (if run with --skip-pkg-versions) version checking if package with given name is installed
            [ "$opt_skip_pkg_versions" = "true" -a -n "$pkg" ] && return 0

            # versioning:
            #echo "pkg: $pkg"
            pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g')
            #echo "version: $pkgVersion"
            #echo "operator: $operator"
            #echo "required version: $version"
            #echo
            doVersionComparision $version $operator $pkgVersion && return 0
        fi
    elif [[ "$IN" =~ ^x86_64$ ]] && [ "$ARCH" == "x86_64" -o "$ARCH" == "" ]; then
        return 0
    elif [[ "$IN" =~ ^x86$ ]] && [ "$ARCH" == "i386" -o "$ARCH" == "i686" -o "$ARCH" == "" ]; then
        return 0
    elif [[ "$IN" =~ ^CONFIG_.*$ ]]; then
        # skip if check is not applicable (-k or --uname or -p set) or if user said so (--skip-more-checks)
        [ "$opt_skip_more_checks" = "true" ] && return 0

        # if kernel config IS available:
        if [ -n "$KCONFIG" ]; then
            # KCONFIG is a command string (see getKernelConfig) run via word-splitting; $IN is
            # also unquoted, so a requirement like 'CONFIG_IP_DCCP=[my]' is subject to pathname
            # expansion before grep sees it
            if $KCONFIG | grep -E -qi $IN; then
                return 0;
            # required option wasn't found, exploit is not applicable
            else
                return 1;
            fi
        # config is not available
        else
            return 0;
        fi
    elif [[ "$IN" =~ ^sysctl:.*$ ]]; then
        # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks)
        [ "$opt_skip_more_checks" = "true" ] && return 0

        # offset 7 drops the 'sysctl:' prefix
        sysctlCondition="${IN:7}"

        # extract sysctl entry, relation sign and required value
        if echo $sysctlCondition | grep -qi "!="; then
            sign="!="
        elif echo $sysctlCondition | grep -qi "=="; then
            sign="=="
        else
            exitWithErrMsg "Wrong sysctl condition. There is syntax error in your features DB. Aborting."
        fi
        val=$(echo "$sysctlCondition" | awk -F "$sign" '{print $2}')
        entry=$(echo "$sysctlCondition" | awk -F "$sign" '{print $1}')

        # get current setting of sysctl entry
        # NOTE(review): grep "$entry" is an unanchored substring match, so an entry whose name is
        # contained in another entry's name can produce several lines in curVal
        curVal=$(/sbin/sysctl -a 2> /dev/null | grep "$entry" | awk -F'=' '{print $2}')

        # special case for --checksec mode: return 2 if there is no such switch in sysctl
        [ -z "$curVal" -a "$opt_checksec_mode" = "true" ] && return 2

        # for other modes: skip if there is no such switch in sysctl
        [ -z "$curVal" ] && return 0

        # compare & return result (arguments are unquoted: surrounding whitespace is dropped,
        # a multi-line curVal is word-split)
        compareValues $curVal $val $sign && return 0
    elif [[ "$IN" =~ ^cmd:.*$ ]]; then
        # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks)
        [ "$opt_skip_more_checks" = "true" ] && return 0

        # offset 4 drops the 'cmd:' prefix; the remainder is executed verbatim through eval,
        # which makes every requirement string trusted code: entries must come only from the
        # DB embedded in this script, never from a file or argument supplied at run time
        cmd="${IN:4}"
        if eval "${cmd}"; then
            return 0
        fi
    fi

    return 1
}

# locates the running kernel's configuration and stores, in KCONFIG, the command that prints it
# (zcat of /proc/config.gz, cat of /boot/config-<uname -r>, or cat of the .config under
# KBUILD_OUTPUT / /usr/src/linux). KCONFIG is empty when none of the three files exists.
# Consumers run the string via word-splitting, e.g. '$KCONFIG | grep ...' in checkRequirement.
getKernelConfig() {
    if [ -f /proc/config.gz ] ; then
        KCONFIG="zcat /proc/config.gz"
    elif [ -f /boot/config-`uname -r` ] ; then
        KCONFIG="cat /boot/config-`uname -r`"
    elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then
        KCONFIG="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"
    else
        KCONFIG=""
    fi
}

# --checksec mode: walks FEATURES and prints, for each feature, whether all of its
# availability and enablement requirements are met on this system. Entries whose first
# line starts with 'section:' print a heading and advance MODE, which selects the labels
# used for the following entries (see the mode comment below).
# Globals read:    FEATURES, color variables
# Globals written: MODE, NAME, PRE_NAME, AVAILABLE, ENABLE, CONFIG, arr, array and every other
#                  loop variable - none is declared local
checksecMode() {
    MODE=0

    # start analysis
    for FEATURE in "${FEATURES[@]}"; do
        # create array from current exploit here doc and fetch needed lines
        i=0
        # ('-r' is used to not interpret backslash used for bash colors)
        while read -r line
        do
            arr[i]="$line"
            i=$((i + 1))
        done <<< "$FEATURE"
        # arr is never cleared between entries; only arr[0] and arr[1] are read below

        # modes: kernel-feature (1) | hw-feature (2) | 3rdparty-feature (3) | attack-surface (4)
        # first line: 'section: <name>' starts a new section; PRE_NAME is its 8-character tag,
        # NAME the text after the following space
        NAME="${arr[0]}"
        PRE_NAME="${NAME:0:8}"
        NAME="${NAME:9}"
        if [ "${PRE_NAME}" = "section:" ]; then
            # advance to next MODE
            MODE=$(($MODE + 1))
            echo
            echo -e "${bldwht}${NAME}${txtrst}"
            echo
            continue
        fi

        # second line minus its 11-character prefix (presumably 'available: ' - verify against the FEATURES entries)
        AVAILABLE="${arr[1]}" && AVAILABLE="${AVAILABLE:11}"
        ENABLE=$(echo "$FEATURE" | grep "enabled: " | awk -F'ed: ' '{print $2}')
        analysis_url=$(echo "$FEATURE" | grep "analysis-url: " | awk '{print $2}')

        # split line with availability requirements & loop thru all availability reqs one by one & check whether it is met
        IFS=',' read -r -a array <<< "$AVAILABLE"
        AVAILABLE_REQS_NUM=${#array[@]}
        AVAILABLE_PASSED_REQ=0
        CONFIG=""
        for REQ in "${array[@]}"; do
            # find CONFIG_ (if present) for current feature
            if [ -z "$CONFIG" ]; then
                config=$(echo "$REQ" | grep "CONFIG_")
                [ -n "$config" ] && CONFIG="($(echo $REQ | cut -d'=' -f1))"
            fi
            # run in a subshell: globals set by checkRequirement do not leak into this loop;
            # the first unmet requirement stops the loop
            if (checkRequirement "$REQ"); then
                AVAILABLE_PASSED_REQ=$(($AVAILABLE_PASSED_REQ + 1))
            else
                break
            fi
        done

        # split line with enablement requirements & loop thru all enablement reqs one by one & check whether it is met
        ENABLE_PASSED_REQ=0
        ENABLE_REQS_NUM=0
        noSysctl=0
        if [ -n "$ENABLE" ]; then
            IFS=',' read -r -a array <<< "$ENABLE"
            ENABLE_REQS_NUM=${#array[@]}
            for REQ in "${array[@]}"; do
                # called directly (no subshell) so that the status 2 special case can be read
                checkRequirement "$REQ"
                retVal=$?
                if [ $retVal -eq 0 ]; then
                    ENABLE_PASSED_REQ=$(($ENABLE_PASSED_REQ + 1))
                elif [ $retVal -eq 2 ]; then
                    # special case: sysctl entry is not present on given system: signal it as: N/A
                    # (noSysctl is set but nothing in this function reads it; the entry simply
                    # ends up with fewer passed than required enablement reqs, i.e. 'disabled')
                    noSysctl=1
                    break
                else
                    break
                fi
            done
        fi

        feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)

        # for 3rd party (3) mode display "N/A" or "Enabled"
        if [ $MODE -eq 3 ]; then
            enabled="[ ${txtgrn}Enabled${txtrst} ]"
            disabled="[ ${txtgray}N/A${txtrst} ]"
        # for attack-surface (4) mode display "Locked" or "Exposed"
        elif [ $MODE -eq 4 ]; then
            enabled="[ ${txtred}Exposed${txtrst} ]"
            disabled="[ ${txtgrn}Locked${txtrst} ]"
        # other modes: "Disabled" / "Enabled"
        else
            enabled="[ ${txtgrn}Enabled${txtrst} ]"
            disabled="[ ${txtred}Disabled${txtrst} ]"
        fi

        # a feature counts as enabled only when every availability AND every enablement req passed
        state=$disabled
        if [ $AVAILABLE_PASSED_REQ -eq $AVAILABLE_REQS_NUM -a $ENABLE_PASSED_REQ -eq $ENABLE_REQS_NUM ]; then
            state=$enabled
        fi

        echo -e " $state $feature ${wht}${CONFIG}${txtrst}"
        [ -n "$analysis_url" ] && echo -e " $analysis_url"
        echo
    done
}

# parse command line parameters
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
[ $?
!= 0 ] && exitWithErrMsg "Aborting."

# Main driver of linux-exploit-suggester.sh: option parsing, mode selection
# (current host / -k / -u / -p / --cvelist-file / --checksec), the
# "Available information" banner and the exploit matching loop.
#
# Globals read: ARGS, SHORTOPTS/LONGOPTS (via getopt above), EXPLOITS,
#   EXPLOITS_USERSPACE, KERNEL_ALL, PKG_LIST, KCONFIG, colour variables.
# Globals written: UNAME_A, KERNEL, ARCH, OS, DISTRO, PKGLIST_FILE,
#   CVELIST_FILE, the opt_* flags, EXPLOITS / EXPLOITS_USERSPACE (emptied
#   by the --kernelspace-only / --userspace-only filters).
# Helpers used but defined elsewhere in this file: exitWithErrMsg, usage,
#   version, parseUname, getPkgList, getKernelConfig, checksecMode,
#   checkRequirement.
#
# Operational note for the reader: in the default mode this block inspects the
# host it runs on (uname -a, /etc/issue, kernel config, package list). With
# -b/-s it additionally writes files into the current directory that were
# fetched from third-party URLs held in the static database above; nothing
# verifies those downloads (no checksum or signature), so treat them as
# untrusted input and review them off-box before building or running them.

# Bash 4 is needed for the associative-array / mapfile features used by the
# --checksec mode and the database helpers; fail early with a clear message.
if ((BASH_VERSINFO[0] < 4)); then
    exitWithErrMsg "Script needs Bash in version 4.0 or newer. Aborting."
fi

# getopt(1) emits a re-quoted, normalised argument list; 'eval set' is the
# documented way to turn that back into positional parameters.
eval set -- "$ARGS"

# parse command line parameters (cross-option validation happens after the loop)
while true; do
    case "$1" in
        -u|--uname)
            shift
            UNAME_A="$1"
            opt_uname_string=true
            ;;
        -V|--version)
            version
            exit 0
            ;;
        -h|--help)
            usage
            exit 0
            ;;
        -f|--full)
            opt_full=true
            ;;
        -g|--short)
            opt_summary=true
            ;;
        -b|--fetch-binaries)
            opt_fetch_bins=true
            ;;
        -s|--fetch-sources)
            opt_fetch_srcs=true
            ;;
        -k|--kernel)
            shift
            KERNEL="$1"
            opt_kernel_version=true
            ;;
        -d|--show-dos)
            opt_show_dos=true
            ;;
        -p|--pkglist-file)
            shift
            PKGLIST_FILE="$1"
            opt_pkglist_file=true
            ;;
        --cvelist-file)
            shift
            CVELIST_FILE="$1"
            opt_cvelist_file=true
            ;;
        --checksec)
            opt_checksec_mode=true
            ;;
        --kernelspace-only)
            opt_kernel_only=true
            ;;
        --userspace-only)
            opt_userspace_only=true
            ;;
        --skip-more-checks)
            opt_skip_more_checks=true
            ;;
        --skip-pkg-versions)
            opt_skip_pkg_versions=true
            ;;
        *)
            # getopt terminates the option list with '--'; anything left after
            # it is an unexpected positional argument
            shift
            if [ "$#" != "0" ]; then
                exitWithErrMsg "Unknown option '$1'. Aborting."
            fi
            break
            ;;
    esac
    shift
done

# exit if both --kernel and --uname are set
[[ "$opt_kernel_version" == "true" && "$opt_uname_string" == "true" ]] && exitWithErrMsg "Switches -u|--uname and -k|--kernel are mutually exclusive. Aborting."

# exit if both --full and --short are set
[[ "$opt_full" == "true" && "$opt_summary" == "true" ]] && exitWithErrMsg "Switches -f|--full and -g|--short are mutually exclusive. Aborting."

# --cvelist-file is a standalone mode: not applicable together with -k | -u | -p | --checksec
if [ "$opt_cvelist_file" = "true" ]; then
    [ ! -e "$CVELIST_FILE" ] && exitWithErrMsg "Provided CVE list file does not exists. Aborting."
    # an unreadable list would make every lookup below fail and silently drop all exploits
    [ ! -r "$CVELIST_FILE" ] && exitWithErrMsg "Provided CVE list file is not readable. Aborting."
    [ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --cvelist-file are mutually exclusive. Aborting."
    [ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --cvelist-file are mutually exclusive. Aborting."
    [ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --cvelist-file are mutually exclusive. Aborting."
fi

# --checksec is a standalone mode: not applicable together with -k | -u | -p | --cvelist-file
if [ "$opt_checksec_mode" = "true" ]; then
    [ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --checksec are mutually exclusive. Aborting."
    [ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --checksec are mutually exclusive. Aborting."
    [ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --checksec are mutually exclusive. Aborting."
fi

# the --fetch-* modes shell out to wget; fail once up front instead of once per exploit
if [ "$opt_fetch_bins" = "true" ] || [ "$opt_fetch_srcs" = "true" ]; then
    command -v wget >/dev/null 2>&1 || exitWithErrMsg "wget is required for -b|--fetch-binaries and -s|--fetch-sources. Aborting."
fi

# extract kernel version and other OS info (distro name, distro version, ...).
# case 1: --kernel set
if [ "$opt_kernel_version" == "true" ]; then
    # TODO: add kernel version number validation
    [ -z "$KERNEL" ] && exitWithErrMsg "Unrecognized kernel version given. Aborting."
    ARCH=""
    OS=""
    # the target is not this machine: no CONFIG_/sysctl/command checks, no local package list
    opt_skip_more_checks=true
    getPkgList "" "$PKGLIST_FILE"

# case 2: --uname set
elif [ "$opt_uname_string" == "true" ]; then
    [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
    parseUname "$UNAME_A"
    # the target is not this machine: no CONFIG_/sysctl/command checks, no local package list
    opt_skip_more_checks=true
    getPkgList "" "$PKGLIST_FILE"

# case 3: --cvelist-file mode
elif [ "$opt_cvelist_file" = "true" ]; then
    # only the kernel configuration is collected in this mode
    [ "$opt_skip_more_checks" = "false" ] && getKernelConfig

# case 4: --checksec mode
elif [ "$opt_checksec_mode" = "true" ]; then
    # --skip-more-checks is meaningless here: the mode is nothing but those checks
    opt_skip_more_checks=false
    getKernelConfig
    [ -z "$KCONFIG" ] && exitWithErrMsg "Kernel configuration file not available. Aborting."
    checksecMode
    exit 0

# case 5: none of --uname | --kernel | --cvelist-file | --checksec set
else
    if [ "$opt_pkglist_file" == "false" ]; then
        # vanilla execution (./linux-exploit-suggester.sh): everything comes from this machine
        UNAME_A=$(uname -a)
        [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
        parseUname "$UNAME_A"
        [ "$opt_skip_more_checks" = "false" ] && getKernelConfig
        # distribution version: first number-like token of /etc/issue (a missing
        # file just leaves DISTRO empty, so its error output is deliberately dropped)
        if [[ -n "$OS" && "$opt_skip_more_checks" == "false" ]]; then
            DISTRO=$(grep -E -o '[0-9\.]+' /etc/issue 2>/dev/null | head -1)
        fi
        getPkgList "$OS" ""
    else
        # --pkglist-file provided: only userspace exploits against that listing are considered
        KERNEL=""
        #TODO: extract machine arch from package listing
        ARCH=""
        EXPLOITS=()
        getPkgList "" "$PKGLIST_FILE"
        # additional checks are not applicable for this mode
        opt_skip_more_checks=true
    fi
fi

echo
echo -e "${bldwht}Available information:${txtrst}"
echo
[ -n "$KERNEL" ] && echo -e "Kernel version: ${txtgrn}$KERNEL${txtrst}" || echo -e "Kernel version: ${txtred}N/A${txtrst}"
echo "Architecture: $([ -n "$ARCH" ] && echo -e "${txtgrn}$ARCH${txtrst}" || echo -e "${txtred}N/A${txtrst}")"
echo "Distribution: $([ -n "$OS" ] && echo -e "${txtgrn}$OS${txtrst}" || echo -e "${txtred}N/A${txtrst}")"
echo -e "Distribution version: $([ -n "$DISTRO" ] && echo -e "${txtgrn}$DISTRO${txtrst}" || echo -e "${txtred}N/A${txtrst}")"
echo "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): $([ "$opt_skip_more_checks" == "false" ] && echo -e "${txtgrn}performed${txtrst}" || echo -e "${txtred}N/A${txtrst}")"

# describe where the package listing came from (if any)
if [[ -n "$PKGLIST_FILE" && -n "$PKG_LIST" ]]; then
    pkgListFile="${txtgrn}$PKGLIST_FILE${txtrst}"
elif [ -n "$PKGLIST_FILE" ]; then
    pkgListFile="${txtred}unrecognized file provided${txtrst}"
elif [ -n "$PKG_LIST" ]; then
    pkgListFile="${txtgrn}from current OS${txtrst}"
fi
echo -e "Package listing: $([ -n "$pkgListFile" ] && echo -e "$pkgListFile" || echo -e "${txtred}N/A${txtrst}")"

# handle the --kernelspace-only / --userspace-only filters (userspace entries
# are also dropped when there is no package listing to match them against)
if [[ "$opt_kernel_only" == "true" || -z "$PKG_LIST" ]]; then
    EXPLOITS_USERSPACE=()
fi
if [ "$opt_userspace_only" = "true" ]; then
    EXPLOITS=()
fi

echo
echo -e "${bldwht}Searching among:${txtrst}"
echo
echo "${#EXPLOITS[@]} kernel space exploits"
echo "${#EXPLOITS_USERSPACE[@]} user space exploits"
echo
echo -e "${bldwht}Possible Exploits:${txtrst}"
echo

# start analysis
for EXP in "${EXPLOITS[@]}" "${EXPLOITS_USERSPACE[@]}"; do
    # split the exploit's here-doc into lines; the first three are always the
    # 'Name: ', 'Reqs: ' and 'Tags: ' lines and ${x:6} strips that prefix.
    # '-r' keeps the backslashes of the embedded colour escapes intact.
    arr=()
    i=0
    while read -r line; do
        arr[i]="$line"
        i=$((i + 1))
    done <<< "$EXP"
    NAME="${arr[0]:6}"
    REQS="${arr[1]:6}"
    TAGS="${arr[2]:6}"

    # check the comma-separated requirements one by one; stop at the first unmet one
    IFS=',' read -r -a array <<< "$REQS"
    REQS_NUM=${#array[@]}
    PASSED_REQ=0
    for REQ in "${array[@]}"; do
        # kept in a subshell: checkRequirement is defined elsewhere in this file
        # and this isolates whatever state it may set between exploits
        if (checkRequirement "$REQ" "${array[0]}"); then
            PASSED_REQ=$((PASSED_REQ + 1))
        else
            break
        fi
    done
    [ "$PASSED_REQ" -eq "$REQS_NUM" ] || continue

    # additional requirement for --cvelist-file mode: the exploit's CVE must be on the list
    if [ "$opt_cvelist_file" = "true" ]; then
        # the CVE id(s) sit between the colour escape (which ends in 'm') and
        # ']' in the name; several ids are turned into an ERE alternation
        cve=$(grep '.*\[.*\].*' <<< "$NAME" | cut -d 'm' -f2 | cut -d ']' -f1 | tr -d '[' | tr "," "|")
        # an entry without a CVE id cannot be on the list, and an empty pattern
        # would match every line of the file, so reject it explicitly
        [ -z "$cve" ] && continue
        grep -E -q -- "$cve" "$CVELIST_FILE" || continue
    fi

    # process tags and highlight those matching the current OS (only when the
    # distro and its version are known, i.e. direct mode)
    tags=""
    if [[ -n "$TAGS" && -n "$OS" && -n "$DISTRO" ]]; then
        IFS=',' read -r -a tags_array <<< "$TAGS"
        for TAG in "${tags_array[@]}"; do
            tag_distro="${TAG%%=*}"
            tag_distro_num_all="${TAG#*=}"
            # a tag of the form 'ubuntu=16.04{kernel:4.4.0-21}' carries a kernel
            # or package version part; drop it for the distro-version comparison
            tag_distro_num="${tag_distro_num_all%\{*}"
            # the tag version is used as an ERE (as the database authors intended),
            # so '16.04' also matches e.g. '16x04'; harmless for real version strings
            if [[ "$OS" == "$tag_distro" ]] && grep -E -q -- "$tag_distro_num" <<< "$DISTRO"; then
                # name (kernel or package) and version of the '{name:version}' part, if present
                tag_pkg=""
                tag_pkg_num=""
                if [[ "$tag_distro_num_all" == *\{* ]]; then
                    tag_pkg_spec=$(tr -d '}' <<< "${tag_distro_num_all#*\{}")
                    tag_pkg="${tag_pkg_spec%%:*}"
                    tag_pkg_num="${tag_pkg_spec#*:}"
                fi
                if [ -z "$tag_pkg_num" ]; then
                    # no kernel/package version given: distro match only
                    TAG="${lightyellow}[ ${TAG} ]${txtrst}"
                elif [ "$tag_pkg" = "kernel" ]; then
                    # kernel version given: strong highlight only if the running kernel matches
                    if grep -E -q -- "$tag_pkg_num" <<< "$KERNEL_ALL"; then
                        TAG="${yellow}[ ${TAG} ]${txtrst}"
                    else
                        TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{kernel:$tag_pkg_num}"
                    fi
                elif [ -n "$tag_pkg" ]; then
                    # package version given: matching against the package list is not implemented (TBD)
                    TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{$tag_pkg:$tag_pkg_num}"
                fi
            fi
            tags="${tags}${TAG},"
        done
        # trim the ',' appended by the loop above
        tags="${tags%,}"
    else
        tags="$TAGS"
    fi

    # remaining metadata of the entry
    EXPLOIT_DB=$(grep "exploit-db: " <<< "$EXP" | awk '{print $2}')
    analysis_url=$(grep "analysis-url: " <<< "$EXP" | awk '{print $2}')
    ext_url=$(grep "ext-url: " <<< "$EXP" | awk '{print $2}')
    comments=$(grep "Comments: " <<< "$EXP" | cut -d' ' -f 2-)
    reqs=$(grep "Reqs: " <<< "$EXP" | cut -d' ' -f 2)
    # exploit name without the CVE id and without characters unwanted in a file name
    name=$(cut -d' ' -f 2- <<< "$NAME" | tr -d ' ()/')
    src_url=$(grep "src-url: " <<< "$EXP" | awk '{print $2}')
    [ -z "$src_url" ] && [ -n "$EXPLOIT_DB" ] && src_url="https://www.exploit-db.com/download/$EXPLOIT_DB"
    [ -z "$src_url" ] && exitWithErrMsg "Both 'src-url' and 'exploit-db' entries are empty for '$NAME' exploit - fix that. Aborting."

    # pick the page to point the user at for details
    if [ -n "$analysis_url" ]; then
        details="$analysis_url"
    elif [[ "$src_url" == *"www.exploit-db.com"* ]]; then
        details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
    elif [[ "$src_url" =~ \.(tgz|tar\.gz|zip)$ && -n "$EXPLOIT_DB" ]]; then
        # sources archived elsewhere: the exploit-db entry is still the write-up
        details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
    else
        details="$src_url"
    fi

    # skip DoS-only entries (marked "(dos" in the name) unless -d|--show-dos was given
    dos=$(grep -o -i "(dos" <<< "$EXP")
    [ "$opt_show_dos" == "false" ] && [ -n "$dos" ] && continue

    # --fetch-binaries: every 'bin-url:' of the entry is saved as <name>_<basename of url>.
    # The downloads are NOT integrity-checked in any way; see the note at the top.
    if [ "$opt_fetch_bins" = "true" ]; then
        while read -r bin_url; do
            [ -n "$bin_url" ] || continue
            out="${name}_$(basename -- "$bin_url")"
            [ -f "$out" ] && rm -f -- "$out"
            wget -q -O "$out" -- "$bin_url"
        done < <(grep "bin-url: " <<< "$EXP" | awk '{print $2}')
    fi

    # --fetch-sources: the 'src-url' is saved the same way, in the background so
    # slow mirrors do not stall the listing; reaped by the 'wait' after the loop
    if [ "$opt_fetch_srcs" = "true" ]; then
        out="${name}_$(basename -- "$src_url")"
        [ -f "$out" ] && rm -f -- "$out"
        wget -q -O "$out" -- "$src_url" &
    fi

    # display result (short)
    if [ "$opt_summary" = "true" ]; then
        [ -z "$tags" ] && tags="-"
        echo -e "$NAME || $tags || $src_url"
        continue
    fi

    # display result (standard)
    echo -e "[+] $NAME"
    echo -e "\n Details: $details"
    [ -n "$tags" ] && echo -e " Tags: $tags"
    echo -e " Download URL: $src_url"
    [ -n "$ext_url" ] && echo -e " ext-url: $ext_url"
    [ -n "$comments" ] && echo -e " Comments: $comments"

    # --full: also show requirements, exploit-db id and author
    if [ "$opt_full" = "true" ]; then
        [ -n "$reqs" ] && echo -e " Requirements: $reqs"
        [ -n "$EXPLOIT_DB" ] && echo -e " exploit-db: $EXPLOIT_DB"
        author=$(grep "author: " <<< "$EXP" | cut -d' ' -f 2-)
        [ -n "$author" ] && echo -e " author: $author"
    fi
    echo
done

# make sure background source downloads have finished before the script returns,
# so the files reported above are complete when the user looks for them
if [ "$opt_fetch_srcs" = "true" ]; then
    wait
fi

 

转载于:https://www.cnblogs.com/zlgxzswjy/p/10249188.html
