From fad7bb521265aea2a91bc49a768dfd5b8fd3c909 Mon Sep 17 00:00:00 2001 From: neargle Date: Mon, 19 Sep 2022 19:23:08 +0800 Subject: [PATCH 1/5] perf(eva): a nice head 2 of title --- pkg/cli/banner.go | 2 +- pkg/cli/parse.go | 29 ++++++++++++++++------------- pkg/util/output.go | 30 ++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 14 deletions(-) create mode 100644 pkg/util/output.go diff --git a/pkg/cli/banner.go b/pkg/cli/banner.go index 0a46e7f..6c61a98 100644 --- a/pkg/cli/banner.go +++ b/pkg/cli/banner.go @@ -34,7 +34,7 @@ var BannerVersion = fmt.Sprintf("%s %s", "CDK Version(GitCommit):", GitCommit) var BannerHeader = fmt.Sprintf(`%s %s Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle -Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/wiki +Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/ `, util.GreenBold.Sprint(BannerTitle), BannerVersion) var BannerContainerTpl = BannerHeader + ` diff --git a/pkg/cli/parse.go b/pkg/cli/parse.go index be79a8e..e9b5857 100644 --- a/pkg/cli/parse.go +++ b/pkg/cli/parse.go @@ -19,6 +19,7 @@ package cli import ( "fmt" + "github.com/cdk-team/CDK/pkg/util" "github.com/cdk-team/CDK/conf" "github.com/cdk-team/CDK/pkg/evaluate" "github.com/cdk-team/CDK/pkg/plugin" @@ -72,47 +73,49 @@ func ParseCDKMain() bool { // fix #37 https://github.com/cdk-team/CDK/issues/37 if ok.(bool) || fok.(bool) { - fmt.Printf("\n[Information Gathering - System Info]\n") + fmt.Printf(BannerHeader) + + util.PrintH2("Information Gathering - System Info") evaluate.BasicSysInfo() - fmt.Printf("\n[Information Gathering - Services]\n") + util.PrintH2("Information Gathering - Services") evaluate.SearchSensitiveEnv() evaluate.SearchSensitiveService() - fmt.Printf("\n[Information Gathering - Commands and Capabilities]\n") + util.PrintH2("Information Gathering - Commands and Capabilities") evaluate.SearchAvailableCommands() evaluate.GetProcCapabilities() - fmt.Printf("\n[Information Gathering - Mounts]\n") + util.PrintH2("Information Gathering - Mounts") evaluate.MountEscape() - fmt.Printf("\n[Information Gathering - Net Namespace]\n") + util.PrintH2("Information Gathering - Net Namespace") evaluate.CheckNetNamespace() - fmt.Printf("\n[Information Gathering - Sysctl Variables]\n") + util.PrintH2("Information Gathering - Sysctl Variables") evaluate.CheckRouteLocalNetworkValue() - fmt.Printf("\n[Discovery - K8s API Server]\n") + util.PrintH2("Discovery - K8s API Server") evaluate.CheckK8sAnonymousLogin() - fmt.Printf("\n[Discovery - K8s Service Account]\n") + util.PrintH2("Discovery - K8s Service Account") evaluate.CheckPrivilegedK8sServiceAccount(conf.K8sSATokenDefaultPath) - fmt.Printf("\n[Discovery - Cloud Provider Metadata API]\n") + util.PrintH2("Discovery - Cloud Provider Metadata API") evaluate.CheckCloudMetadataAPI() - fmt.Printf("\n[Information Gathering - DNS-Based Service Discovery]\n") + util.PrintH2("Information Gathering - DNS-Based Service Discovery") evaluate.DNSBasedServiceDiscovery() if Args["--full"].(bool) { - fmt.Printf("\n[Information Gathering - Sensitive Files]\n") + util.PrintH2("Information Gathering - Sensitive Files") evaluate.SearchLocalFilePath() - fmt.Printf("\n[Information Gathering - ASLR]\n") + util.PrintH2("Information Gathering - ASLR") evaluate.ASLR() - fmt.Printf("\n[Information Gathering - Cgroups]\n") + util.PrintH2("Information Gathering - Cgroups") evaluate.DumpCgroup() } diff --git a/pkg/util/output.go b/pkg/util/output.go new file mode 100644 index 0000000..efa80b3 --- /dev/null +++ b/pkg/util/output.go @@ -0,0 +1,30 @@ +/* +Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK . + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package util + +import "fmt" + +const Colorful = true + +// fmt.Printf(util.GreenBold.Sprint("\n[Information Gathering - System Info]\n")) +func PrintH2(title string) { + fmt.Printf(BlueBold.Sprint("\n[ ") + GreenBold.Sprint(title) + BlueBold.Sprint(" ]\n")) +} + + + + From f650c3e4824f4a5ae67ce38c0320b0bc828638d0 Mon Sep 17 00:00:00 2001 From: neargle Date: Mon, 19 Sep 2022 23:53:16 +0800 Subject: [PATCH 2/5] feat(evaluate): support check setuid files in path --- conf/evaluate_conf.go | 12 +++++++++++ pkg/evaluate/system_info.go | 43 ++++++++++++++++++++++++++++++++++--- pkg/util/output.go | 22 +++++++++++++++++-- 3 files changed, 72 insertions(+), 5 deletions(-) diff --git a/conf/evaluate_conf.go b/conf/evaluate_conf.go index e0f77fd..59d0c69 100644 --- a/conf/evaluate_conf.go +++ b/conf/evaluate_conf.go @@ -61,6 +61,18 @@ var LinuxCommandChecklist = []string{ "ruby", } +var DefaultPathEnv = []string{ + "/usr/local/sbin", + "/usr/local/bin", + "/usr/sbin", + "/usr/bin", + "/sbin", + "/bin", + "/usr/games", + "/usr/local/games", + "/snap/bin", +} + // match ENV to find useful service var SensitiveEnvRegex = "(?i)\\bssh_|k8s|kubernetes|docker|gopath" diff --git a/pkg/evaluate/system_info.go b/pkg/evaluate/system_info.go index 73b1e00..82f43ae 100644 --- a/pkg/evaluate/system_info.go +++ b/pkg/evaluate/system_info.go @@ -1,4 +1,3 @@ - /* Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK . @@ -18,11 +17,14 @@ limitations under the License. package evaluate import ( - "github.com/shirou/gopsutil/v3/host" + "io/ioutil" "log" "os" "os/user" - "io/ioutil" + + "github.com/cdk-team/CDK/conf" + "github.com/cdk-team/CDK/pkg/util" + "github.com/shirou/gopsutil/v3/host" ) func BasicSysInfo() { @@ -57,6 +59,40 @@ func BasicSysInfo() { } +// FindSidFiles such as run `find /bin/. -perm -4000 -type f ` +func FindSidFiles() { + + var setuidfiles []string + + for _, dir := range conf.DefaultPathEnv { + files, err := ioutil.ReadDir(dir) + if err != nil { + continue + } + + for _, file := range files { + // check setuid bit + if file.Mode() & os.ModeSetuid != 0 { + setuidfiles = append(setuidfiles, dir + "/" + file.Name()) + } + + // check capabilites, like getcap -r /bin + // TODO: check capabilites + } + } + + if len(setuidfiles) > 0 { + util.PrintItemKey("Setuid files found:", false) + for _, file := range setuidfiles { + util.PrintItemValue(file, true) + } + } +} + +// CommandAllow check command allow to run +func CommandAllow() { +} + func ASLR() { // ASLR off: /proc/sys/kernel/randomize_va_space = 0 var ASLRSetting = "/proc/sys/kernel/randomize_va_space" @@ -75,3 +111,4 @@ func ASLR() { } } + diff --git a/pkg/util/output.go b/pkg/util/output.go index efa80b3..c7c22fb 100644 --- a/pkg/util/output.go +++ b/pkg/util/output.go @@ -16,7 +16,10 @@ limitations under the License. package util -import "fmt" +import ( + "fmt" + "log" +) const Colorful = true @@ -25,6 +28,21 @@ func PrintH2(title string) { fmt.Printf(BlueBold.Sprint("\n[ ") + GreenBold.Sprint(title) + BlueBold.Sprint(" ]\n")) } +func PrintItemKey(key string, color bool) { + key = key + "\n" + if color { + log.Printf(YellowBold.Sprint(key)) + } else { + log.Printf(key) + } +} - +func PrintItemValue(value string, color bool) { + value = "\t" + value + "\n" + if color { + fmt.Printf(RedBold.Sprint(value)) + } else { + fmt.Printf(value) + } +} From 9a30c4368302f0d81c271d3fb75dff11a30bba37 Mon Sep 17 00:00:00 2001 From: neargle Date: Mon, 19 Sep 2022 23:54:13 +0800 Subject: [PATCH 3/5] perf(eva): move call function from cli/parse to evaluate/evaluate --- pkg/cli/parse.go | 46 +---------------------- pkg/evaluate/evaluate.go | 69 +++++++++++++++++++++++++++++++++++ pkg/evaluate/evaluate_test.go | 5 +++ 3 files changed, 76 insertions(+), 44 deletions(-) create mode 100644 pkg/evaluate/evaluate.go diff --git a/pkg/cli/parse.go b/pkg/cli/parse.go index e9b5857..aa93d76 100644 --- a/pkg/cli/parse.go +++ b/pkg/cli/parse.go @@ -19,8 +19,6 @@ package cli import ( "fmt" - "github.com/cdk-team/CDK/pkg/util" - "github.com/cdk-team/CDK/conf" "github.com/cdk-team/CDK/pkg/evaluate" "github.com/cdk-team/CDK/pkg/plugin" "github.com/cdk-team/CDK/pkg/tool/dockerd_api" @@ -74,50 +72,10 @@ func ParseCDKMain() bool { if ok.(bool) || fok.(bool) { fmt.Printf(BannerHeader) - - util.PrintH2("Information Gathering - System Info") - evaluate.BasicSysInfo() - - util.PrintH2("Information Gathering - Services") - evaluate.SearchSensitiveEnv() - evaluate.SearchSensitiveService() - - util.PrintH2("Information Gathering - Commands and Capabilities") - evaluate.SearchAvailableCommands() - evaluate.GetProcCapabilities() - - util.PrintH2("Information Gathering - Mounts") - evaluate.MountEscape() - - util.PrintH2("Information Gathering - Net Namespace") - evaluate.CheckNetNamespace() - - util.PrintH2("Information Gathering - Sysctl Variables") - evaluate.CheckRouteLocalNetworkValue() - - util.PrintH2("Discovery - K8s API Server") - evaluate.CheckK8sAnonymousLogin() - - util.PrintH2("Discovery - K8s Service Account") - evaluate.CheckPrivilegedK8sServiceAccount(conf.K8sSATokenDefaultPath) - - util.PrintH2("Discovery - Cloud Provider Metadata API") - evaluate.CheckCloudMetadataAPI() - - util.PrintH2("Information Gathering - DNS-Based Service Discovery") - evaluate.DNSBasedServiceDiscovery() + evaluate.CallBasics() if Args["--full"].(bool) { - - util.PrintH2("Information Gathering - Sensitive Files") - evaluate.SearchLocalFilePath() - - util.PrintH2("Information Gathering - ASLR") - evaluate.ASLR() - - util.PrintH2("Information Gathering - Cgroups") - evaluate.DumpCgroup() - + evaluate.CallAddedFunc() } return true } diff --git a/pkg/evaluate/evaluate.go b/pkg/evaluate/evaluate.go new file mode 100644 index 0000000..a13c9e8 --- /dev/null +++ b/pkg/evaluate/evaluate.go @@ -0,0 +1,69 @@ +/* +Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK . + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package evaluate + +import ( + "github.com/cdk-team/CDK/pkg/util" + "github.com/cdk-team/CDK/conf" +) + +// CallBasics is a function to call basic functions +func CallBasics() { + util.PrintH2("Information Gathering - System Info") + BasicSysInfo() + FindSidFiles() + + util.PrintH2("Information Gathering - Services") + SearchSensitiveEnv() + SearchSensitiveService() + + util.PrintH2("Information Gathering - Commands and Capabilities") + SearchAvailableCommands() + GetProcCapabilities() + + util.PrintH2("Information Gathering - Mounts") + MountEscape() + + util.PrintH2("Information Gathering - Net Namespace") + CheckNetNamespace() + + util.PrintH2("Information Gathering - Sysctl Variables") + CheckRouteLocalNetworkValue() + + util.PrintH2("Discovery - K8s API Server") + CheckK8sAnonymousLogin() + + util.PrintH2("Discovery - K8s Service Account") + CheckPrivilegedK8sServiceAccount(conf.K8sSATokenDefaultPath) + + util.PrintH2("Discovery - Cloud Provider Metadata API") + CheckCloudMetadataAPI() + + util.PrintH2("Information Gathering - DNS-Based Service Discovery") + DNSBasedServiceDiscovery() +} + +func CallAddedFunc() { + util.PrintH2("Information Gathering - Sensitive Files") + SearchLocalFilePath() + + util.PrintH2("Information Gathering - ASLR") + ASLR() + + util.PrintH2("Information Gathering - Cgroups") + DumpCgroup() +} diff --git a/pkg/evaluate/evaluate_test.go b/pkg/evaluate/evaluate_test.go index f268bea..2cf8ede 100644 --- a/pkg/evaluate/evaluate_test.go +++ b/pkg/evaluate/evaluate_test.go @@ -26,3 +26,8 @@ func TestDumpCgroup(t *testing.T) { fmt.Printf("\n[Information Gathering - Cgroups]\n") DumpCgroup() } + +func TestFindSidFiles(t *testing.T) { + fmt.Printf("\n[Information Gathering - SIDs]\n") + FindSidFiles() +} From 950705e6ddc64c835b3c867762b9f3749ecf87b7 Mon Sep 17 00:00:00 2001 From: neargle Date: Sun, 25 Sep 2022 20:55:17 +0800 Subject: [PATCH 4/5] feat(evaluate): check kernel exploit, use mzet-/linux-exploit-suggester --- conf/linux_kernel_exploit.go | 2678 ++++++++++++++++++++++++++++++++++ pkg/evaluate/kernel.go | 56 + 2 files changed, 2734 insertions(+) create mode 100644 conf/linux_kernel_exploit.go create mode 100644 pkg/evaluate/kernel.go diff --git a/conf/linux_kernel_exploit.go b/conf/linux_kernel_exploit.go new file mode 100644 index 0000000..a33aa40 --- /dev/null +++ b/conf/linux_kernel_exploit.go @@ -0,0 +1,2678 @@ +package conf + +// from https://github.com/mzet-/linux-exploit-suggester +// version: 1.1 +// linux-exploit-suggester.sh - a script to suggest possible exploits for a given Linux kernel version +// sourcecode: https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/v1.1/linux-exploit-suggester.sh +var KernelExploitScript = ` +#!/bin/bash + +# +# Copyright (c) 2016-2020, @_mzet_ +# +# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY. +# This is free software, and you are welcome to redistribute it +# under the terms of the GNU General Public License. See LICENSE +# file for usage of this software. +# + +VERSION=v1.1 + +# bash colors +#txtred="\e[0;31m" +txtred="\e[91;1m" +txtgrn="\e[1;32m" +txtgray="\e[0;37m" +txtblu="\e[0;36m" +txtrst="\e[0m" +bldwht='\e[1;37m' +wht='\e[0;36m' +bldblu='\e[1;34m' +yellow='\e[1;93m' +lightyellow='\e[0;93m' + +# input data +UNAME_A="" + +# parsed data for current OS +KERNEL="" +OS="" +DISTRO="" +ARCH="" +PKG_LIST="" + +# kernel config +KCONFIG="" + +CVELIST_FILE="" + +opt_fetch_bins=false +opt_fetch_srcs=false +opt_kernel_version=false +opt_uname_string=false +opt_pkglist_file=false +opt_cvelist_file=false +opt_checksec_mode=false +opt_full=false +opt_summary=false +opt_kernel_only=false +opt_userspace_only=false +opt_show_dos=false +opt_skip_more_checks=false +opt_skip_pkg_versions=false + +ARGS= +SHORTOPTS="hVfbsu:k:dp:g" +LONGOPTS="help,version,full,fetch-binaries,fetch-sources,uname:,kernel:,show-dos,pkglist-file:,short,kernelspace-only,userspace-only,skip-more-checks,skip-pkg-versions,cvelist-file:,checksec" + +## exploits database +declare -a EXPLOITS +declare -a EXPLOITS_USERSPACE + +## temporary array for purpose of sorting exploits (based on exploits' rank) +declare -a exploits_to_sort +declare -a SORTED_EXPLOITS + +############ LINUX KERNELSPACE EXPLOITS #################### +n=0 + +EXPLOITS[((n++))]=$(cat <=2.6.5,ver<=2.6.11 +Tags: +Rank: 1 +exploit-db: 1397 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.2 +Tags: +Rank: 1 +exploit-db: 160 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 +Tags: +Rank: 1 +exploit-db: 2031 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 +Tags: +Rank: 1 +exploit-db: 2004 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 +Tags: +Rank: 1 +exploit-db: 2005 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 +Tags: +Rank: 1 +exploit-db: 2006 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.13,ver<=2.6.17 +Tags: +Rank: 1 +exploit-db: 2011 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.8,ver<=2.6.16 +Tags: +Rank: 1 +bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/h00lyshit +exploit-db: 2013 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.17,ver<=2.6.24 +Tags: +Rank: 1 +exploit-db: 5092 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.23,ver<=2.6.24 +Tags: +Rank: 1 +exploit-db: 5093 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.11,ver<=2.6.22 +Tags: +Rank: 1 +exploit-db: 6851 +Comments: world-writable sgid directory and shell that does not drop sgid privs upon exec (ash/sash) are required +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.25,ver<=2.6.29 +Tags: +Rank: 1 +exploit-db: 8369 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 +Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11 +Rank: 1 +exploit-db: 9479 +Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 +Tags: ubuntu=9.04 +Rank: 1 +analysis-url: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/ +src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9435.tgz +exploit-db: 9435 +Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 +Tags: +Rank: 1 +src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9436.tgz +exploit-db: 9436 +Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 +Tags: +Rank: 1 +src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9641.tar.gz +exploit-db: 9641 +Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.30 +Tags: ubuntu=8.10,RHEL=4|5 +Rank: 1 +exploit-db: 9545 +Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19 +Tags: debian=4 +Rank: 1 +src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgz +exploit-db: 9574 +analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html +author: spender +Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19,x86 +Tags: debian=4 +Rank: 1 +exploit-db: 9575 +analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html +author: andi +Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19,x86 +Tags: debian=4 +Rank: 1 +src-url: https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/raw/master/2009/CVE-2009-2698/katon.c +analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html +author: VxHell Labs +Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.1,ver<=2.6.19,x86 +Tags: fedora=4|5|6,RHEL=4 +Rank: 1 +analysis-url: https://blog.cr0.org/2009/08/cve-2009-2698-udpsendmsg-vulnerability.html +exploit-db: 9542 +author: p0c73n1 +Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.31 +Tags: +Rank: 1 +exploit-db: 33321 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.31 +Tags: +Rank: 1 +exploit-db: 33322 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.31 +Tags: +Rank: 1 +exploit-db: 10018 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.26,ver<=2.6.34 +Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},ubuntu=(10.04|10.10){kernel:2.6.(32|35)-(19|21|24)-server} +Rank: 1 +bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/kmod2 +bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/ptrace-kmod +bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/ptrace_kmod2-64 +exploit-db: 15023 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.18,ver<=2.6.34 +Tags: ubuntu=9.10 +Rank: 1 +analysis-url: https://jon.oberheide.org/blog/2010/04/10/reiserfs-reiserfs_priv-vulnerability/ +src-url: https://jon.oberheide.org/files/team-edward.py +exploit-db: 12130 +comments: Requires a ReiserFS filesystem mounted with extended attributes +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.18,ver<=2.6.36 +Tags: ubuntu=10.04{kernel:2.6.32-24-generic} +Rank: 1 +bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/can_bcm +exploit-db: 14814 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.30,ver<2.6.37 +Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-(21|24)-generic} +Rank: 1 +analysis-url: http://www.securityfocus.com/archive/1/514379 +src-url: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c +bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds +bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds64 +exploit-db: 15285 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.36 +Tags: ubuntu=(10.04|9.10){kernel:2.6.(31|32)-(14|21)-server} +Rank: 1 +bin-url: http://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/half-nelson3 +exploit-db: 17787 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.34,ver<=2.6.36,x86 +Tags: ubuntu=10.10 +Rank: 1 +exploit-db: 15916 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.34,ver<=2.6.36 +Tags: ubuntu=10.10 +Rank: 1 +exploit-db: 15944 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.36 +Tags: +Rank: 1 +exploit-db: 15774 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.36 +Tags: ubuntu=10.04 +Rank: 1 +exploit-db: 15150 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.33 +Tags: RHEL=5 +Rank: 1 +exploit-db: 15024 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.0,ver<=3.1.0 +Tags: ubuntu=(10.04|11.10){kernel:3.0.0-12-(generic|server)} +Rank: 1 +analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/ +src-url: https://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64 +exploit-db: 18411 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.0,ver<=2.6.36 +Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server} +Rank: 1 +src-url: http://vulnfactory.org/exploits/full-nelson.c +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson64 +exploit-db: 15704 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.32,ver<3.8.9,x86_64 +Tags: RHEL=6,ubuntu=12.04{kernel:3.2.0-(23|29)-generic},fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64} +Rank: 1 +analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/ +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent64 +exploit-db: 26131 +author: Andrea 'sorbo' Bittau +Comments: No SMEP/SMAP bypass +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.32,ver<3.8.9,x86_64 +Tags: ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} +Rank: 1 +analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/ +src-url: https://cyseclabs.com/exploits/vnik_v1.c +exploit-db: 33589 +author: Vitaly 'vnik' Nikolenko +Comments: No SMEP/SMAP bypass +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.18,ver<3.7.6 +Tags: +Rank: 1 +exploit-db: 27297 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.1,ver<3.8.9 +Tags: +Rank: 1 +analysis-url: http://www.openwall.com/lists/oss-security/2013/04/29/1 +exploit-db: 25450 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.32,ver<3.8.9 +Tags: RHEL=6 +Rank: 1 +analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/ +exploit-db: 25444 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y +Tags: ubuntu=13.10 +Rank: 1 +analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/timeoutpwn64 +exploit-db: 31346 +Comments: CONFIG_X86_X32 needs to be enabled +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y +Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic} +Rank: 1 +analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html +exploit-db: 31347 +Comments: CONFIG_X86_X32 needs to be enabled +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.31,ver<=3.14.3 +Tags: +Rank: 1 +analysis-url: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html +exploit-db: 33516 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.1,ver<=3.14 +Tags: +Rank: 0 +analysis-url: https://cyseclabs.com/page?n=02012016 +exploit-db: 32926 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.1,ver<=3.13 +Tags: ubuntu=12.04 +Rank: 1 +analysis-url: http://www.openwall.com/lists/oss-security/2014/06/10/4 +exploit-db: 33824 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.1,ver<=3.8 +Tags: ubuntu=12.04 +Rank: 1 +analysis-url: http://www.openwall.com/lists/oss-security/2014/07/08/16 +exploit-db: 34134 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.2,ver<=3.15.6 +Tags: +Rank: 1 +analysis-url: https://cyseclabs.com/page?n=01102015 +exploit-db: 36267 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.1,ver<=3.16.1 +Tags: +Rank: 1 +exploit-db: 34923 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.1,ver<3.17.5,x86_64 +Tags: RHEL<=7,fedora=20 +Rank: 1 +analysis-url: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/ +src-url: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz +exploit-db: +author: Rafal 'n3rgal' Wojtczuk & Adam 'pi3' Zabrocki +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.13,ver<4.1.6,x86_64 +Tags: +Rank: 1 +analysis-url: http://www.openwall.com/lists/oss-security/2015/08/04/8 +exploit-db: 37722 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.13.0,ver<=3.19.0 +Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic} +Rank: 1 +analysis-url: http://seclists.org/oss-sec/2015/q2/717 +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_32 +bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_64 +exploit-db: 37292 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.0,ver<=4.3.3 +Tags: +Rank: 1 +analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/ +exploit-db: 39230 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.0,ver<=4.3.3 +Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic} +Rank: 1 +analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/ +exploit-db: 39166 +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.10,ver<4.4.1 +Tags: +Rank: 0 +analysis-url: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ +exploit-db: 40003 +Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.0.0,ver<=4.4.8 +Tags: ubuntu=14.04,fedora=22 +Rank: 1 +analysis-url: https://xairy.github.io/blog/2016/cve-2016-2384 +src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c +exploit-db: 41999 +Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user +author: Andrey 'xairy' Konovalov +EOF +) + +EXPLOITS[((n++))]=$(cat <=4.4.0,ver<=4.4.0,cmd:grep -qi ip_tables /proc/modules +Tags: ubuntu=16.04{kernel:4.4.0-21-generic} +Rank: 1 +src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip +Comments: ip_tables.ko needs to be loaded +exploit-db: 40049 +author: Vitaly 'vnik' Nikolenko +EOF +) + +EXPLOITS[((n++))]=$(cat <=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1 +Tags: ubuntu=16.04{kernel:4.4.0-21-generic} +Rank: 1 +analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808 +src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip +Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 +exploit-db: 40759 +author: Jann Horn +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.22,ver<=4.8.3 +Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04 +Rank: 4 +analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails +Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh +exploit-db: 40611 +author: Phil Oester +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.22,ver<=4.8.3 +Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic} +Rank: 4 +analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails +ext-url: https://www.exploit-db.com/download/40847 +Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh +exploit-db: 40839 +author: FireFart (author of exploit at EDB 40839); Gabriele Bonacini (author of exploit at 'ext-url') +EOF +) + +EXPLOITS[((n++))]=$(cat <=4.4.0,ver<4.9,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 +Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} +Rank: 1 +analysis-url: http://www.openwall.com/lists/oss-security/2016/12/06/1 +Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled +bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/CVE-2016-8655/chocobo_root +exploit-db: 40871 +author: rebel +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.11,ver<4.8.14,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 +Tags: +Rank: 1 +analysis-url: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793 +src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c +Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only +exploit-db: 41995 +author: Andrey 'xairy' Konovalov +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.18,ver<=4.9.11,CONFIG_IP_DCCP=[my] +Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic} +Rank: 1 +analysis-url: http://www.openwall.com/lists/oss-security/2017/02/22/3 +Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass +exploit-db: 41458 +author: Andrey 'xairy' Konovalov +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 +Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic} +Rank: 1 +analysis-url: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html +src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c +ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c +Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels +bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-7308/exploit +exploit-db: 41994 +author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url') +EOF +) + +EXPLOITS[((n++))]=$(cat <=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1 +Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic} +Rank: 5 +analysis-url: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html +Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 +bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-16995/exploit.out +exploit-db: 45010 +author: Rick Larabee +EOF +) + +EXPLOITS[((n++))]=$(cat <=4.4,ver<=4.13,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1 +Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*} +Rank: 1 +analysis-url: http://www.openwall.com/lists/oss-security/2017/08/13/1 +src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c +ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c +Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels +bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-1000112/exploit.out +exploit-db: +author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url') +EOF +) + +EXPLOITS[((n++))]=$(cat <=3.2,ver<=4.13,x86_64 +Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1} +Rank: 1 +analysis-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt +src-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c +exploit-db: 42887 +author: Qualys +Comments: +EOF +) + +EXPLOITS[((n++))]=$(cat <=4.4,ver<=4.14.13,cmd:grep -qi rds /proc/modules,x86_64 +Tags: ubuntu=16.04{kernel:4.4.0|4.8.0} +Rank: 1 +src-url: https://gist.githubusercontent.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4/raw/959325819c78248a6437102bb289bb8578a135cd/cve-2018-5333-poc.c +ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2018-5333/cve-2018-5333.c +Comments: rds.ko kernel module needs to be loaded. Modified version at 'ext-url' adds support for additional targets and bypassing KASLR. +author: wbowling (orginal exploit author); bcoles (author of exploit update at 'ext-url') +EOF +) + +EXPLOITS[((n++))]=$(cat <=4.15,ver<=4.19.2,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,cmd:[ -u /usr/bin/newuidmap ],cmd:[ -u /usr/bin/newgidmap ] +Tags: ubuntu=18.04{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28} +Rank: 1 +analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712 +src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip +exploit-db: 45886 +author: Jann Horn +Comments: CONFIG_USER_NS needs to be enabled +EOF +) + +EXPLOITS[((n++))]=$(cat <=4,ver<5.1.17,sysctl:kernel.yama.ptrace_scope==0,x86_64 +Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*} +Rank: 1 +analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903 +src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip +ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c +Comments: Requires an active PolKit agent. +exploit-db: 47133 +exploit-db: 47163 +author: Jann Horn (orginal exploit author); bcoles (author of exploit update at 'ext-url') +EOF +) + +EXPLOITS[((n++))]=$(cat <=3,ver<5.0.19,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,CONFIG_XFRM=y +Tags: +Rank: 1 +analysis-url: https://duasynt.com/blog/ubuntu-centos-redhat-privesc +bin-url: https://github.com/duasynt/xfrm_poc/raw/master/lucky0 +Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled +author: Vitaly 'vnik' Nikolenko +EOF +) + +EXPLOITS[((n++))]=$(cat <=5.7,ver<5.12,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1 +Tags: ubuntu=20.04{kernel:5.8.0-(25|26|27|28|29|30|31|32|33|34|35|36|37|38|39|40|41|42|43|44|45|46|47|48|49|50|51|52)-*},ubuntu=21.04{kernel:5.11.0-16-*} +Rank: 5 +analysis-url: https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story +src-url: https://codeload.github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490/zip/main +Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1 +author: chompie1337 +EOF +) + +EXPLOITS[((n++))]=$(cat <=2.6.19,ver<=5.12-rc6 +Tags: ubuntu=20.04{kernel:5.8.0-*} +Rank: 1 +analysis-url: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html +src-url: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c +ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c +Comments: ip_tables kernel module must be loaded +exploit-db: 50135 +author: theflow (orginal exploit author); bcoles (author of exploit update at 'ext-url') +EOF +) + +EXPLOITS[((n++))]=$(cat <=5.8,ver<=5.16.11 +Tags: ubuntu=(20.04|21.04),debian=11 +Rank: 1 +analysis-url: https://dirtypipe.cm4all.com/ +src-url: https://haxx.in/files/dirtypipez.c +exploit-db: 50808 +author: blasty (original exploit author: Max Kellermann) +EOF +) + +############ USERSPACE EXPLOITS ########################### +n=0 + +EXPLOITS_USERSPACE[((n++))]=$(cat <=1.8.0,ver<=1.8.3 +Tags: fedora=16 +Rank: 1 +analysis-url: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt +exploit-db: 18436 +EOF +) + +EXPLOITS_USERSPACE[((n++))]=$(cat <=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern +Tags: ubuntu=14.04 +Rank: 1 +analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4 +src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c +exploit-db: 36746 +EOF +) + +EXPLOITS_USERSPACE[((n++))]=$(cat <=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern +Tags: ubuntu=14.04.2 +Rank: 1 +analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4 +exploit-db: 36782 +EOF +) + +EXPLOITS_USERSPACE[((n++))]=$(cat <=6.8,ver<=6.9 +Tags: +Rank: 1 +analysis-url: http://www.openwall.com/lists/oss-security/2017/01/26/2 +exploit-db: 41173 +author: Federico Bento +Comments: Needs admin interaction (root user needs to login via ssh to trigger exploitation) +EOF +) + +EXPLOITS_USERSPACE[((n++))]=$(cat <=4.87,ver<=4.91 +Tags: +Rank: 1 +analysis-url: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt +exploit-db: 46996 +author: raptor +EOF +) + +EXPLOITS_USERSPACE[((n++))]=$(cat <=4.15 +enabled: cmd:grep -Eqi '\spti' /proc/cpuinfo +analysis-url: https://github.com/mzet-/les-res/blob/master/features/pti.md +EOF +) + +FEATURES[((n++))]=$(cat <=3.14 +analysis-url: https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md +EOF +) + +FEATURES[((n++))]=$(cat <=2.6.37 +enabled: sysctl:kernel.dmesg_restrict!=0 +analysis-url: https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md +EOF +) + +FEATURES[((n++))]=$(cat <=3.0 +enabled: cmd:grep -qi smep /proc/cpuinfo +analysis-url: https://github.com/mzet-/les-res/blob/master/features/smep.md +EOF +) + +FEATURES[((n++))]=$(cat <=3.7 +enabled: cmd:grep -qi smap /proc/cpuinfo +analysis-url: https://github.com/mzet-/les-res/blob/master/features/smap.md +EOF +) + +FEATURES[((n++))]=$(cat < - provide kernel version" + echo " -u | --uname - provide 'uname -a' string" + echo " --skip-more-checks - do not perform additional checks (kernel config, sysctl) to determine if exploit is applicable" + echo " --skip-pkg-versions - skip checking for exact userspace package version (helps to avoid false negatives)" + echo " -p | --pkglist-file - provide file with 'dpkg -l' or 'rpm -qa' command output" + echo " --cvelist-file - provide file with Linux kernel CVEs list" + echo " --checksec - list security related features for your HW/kernel" + echo " -s | --fetch-sources - automatically downloads source for matched exploit" + echo " -b | --fetch-binaries - automatically downloads binary for matched exploit if available" + echo " -f | --full - show full info about matched exploit" + echo " -g | --short - show shorten info about matched exploit" + echo " --kernelspace-only - show only kernel vulnerabilities" + echo " --userspace-only - show only userspace vulnerabilities" + echo " -d | --show-dos - show also DoSes in results" +} + +exitWithErrMsg() { + echo "$1" 1>&2 + exit 1 +} + +# extracts all information from output of 'uname -a' command +parseUname() { + local uname=$1 + + KERNEL=$(echo "$uname" | awk '{print $3}' | cut -d '-' -f 1) + KERNEL_ALL=$(echo "$uname" | awk '{print $3}') + ARCH=$(echo "$uname" | awk '{print $(NF-1)}') + + OS="" + echo "$uname" | grep -q -i 'deb' && OS="debian" + echo "$uname" | grep -q -i 'ubuntu' && OS="ubuntu" + echo "$uname" | grep -q -i '\-ARCH' && OS="arch" + echo "$uname" | grep -q -i '\-deepin' && OS="deepin" + echo "$uname" | grep -q -i '\-MANJARO' && OS="manjaro" + echo "$uname" | grep -q -i '\.fc' && OS="fedora" + echo "$uname" | grep -q -i '\.el' && OS="RHEL" + echo "$uname" | grep -q -i '\.mga' && OS="mageia" + + # 'uname -a' output doesn't contain distribution number (at least not in case of all distros) +} + +getPkgList() { + local distro=$1 + local pkglist_file=$2 + + # take package listing from provided file & detect if it's 'rpm -qa' listing or 'dpkg -l' or 'pacman -Q' listing of not recognized listing + if [ "$opt_pkglist_file" = "true" -a -e "$pkglist_file" ]; then + + # ubuntu/debian package listing file + if [ $(head -1 "$pkglist_file" | grep 'Desired=Unknown/Install/Remove/Purge/Hold') ]; then + PKG_LIST=$(cat "$pkglist_file" | awk '{print $2"-"$3}' | sed 's/:amd64//g') + + OS="debian" + [ "$(grep ubuntu "$pkglist_file")" ] && OS="ubuntu" + # redhat package listing file + elif [ "$(grep -E '\.el[1-9]+[\._]' "$pkglist_file" | head -1)" ]; then + PKG_LIST=$(cat "$pkglist_file") + OS="RHEL" + # fedora package listing file + elif [ "$(grep -E '\.fc[1-9]+'i "$pkglist_file" | head -1)" ]; then + PKG_LIST=$(cat "$pkglist_file") + OS="fedora" + # mageia package listing file + elif [ "$(grep -E '\.mga[1-9]+' "$pkglist_file" | head -1)" ]; then + PKG_LIST=$(cat "$pkglist_file") + OS="mageia" + # pacman package listing file + elif [ "$(grep -E '\ [0-9]+\.' "$pkglist_file" | head -1)" ]; then + PKG_LIST=$(cat "$pkglist_file" | awk '{print $1"-"$2}') + OS="arch" + # file not recognized - skipping + else + PKG_LIST="" + fi + + elif [ "$distro" = "debian" -o "$distro" = "ubuntu" -o "$distro" = "deepin" ]; then + PKG_LIST=$(dpkg -l | awk '{print $2"-"$3}' | sed 's/:amd64//g') + elif [ "$distro" = "RHEL" -o "$distro" = "fedora" -o "$distro" = "mageia" ]; then + PKG_LIST=$(rpm -qa) + elif [ "$distro" = "arch" -o "$distro" = "manjaro" ]; then + PKG_LIST=$(pacman -Q | awk '{print $1"-"$2}') + elif [ -x /usr/bin/equery ]; then + PKG_LIST=$(/usr/bin/equery --quiet list '*' -F '$name:$version' | cut -d/ -f2- | awk '{print $1":"$2}') + else + # packages listing not available + PKG_LIST="" + fi +} + +# from: https://stackoverflow.com/questions/4023830/how-compare-two-strings-in-dot-separated-version-format-in-bash +verComparision() { + + if [[ $1 == $2 ]] + then + return 0 + fi + + local IFS=. + local i ver1=($1) ver2=($2) + + # fill empty fields in ver1 with zeros + for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)) + do + ver1[i]=0 + done + + for ((i=0; i<${#ver1[@]}; i++)) + do + if [[ -z ${ver2[i]} ]] + then + # fill empty fields in ver2 with zeros + ver2[i]=0 + fi + if ((10#${ver1[i]} > 10#${ver2[i]})) + then + return 1 + fi + if ((10#${ver1[i]} < 10#${ver2[i]})) + then + return 2 + fi + done + + return 0 +} + +doVersionComparision() { + local reqVersion="$1" + local reqRelation="$2" + local currentVersion="$3" + + verComparision $currentVersion $reqVersion + case $? in + 0) currentRelation='=';; + 1) currentRelation='>';; + 2) currentRelation='<';; + esac + + if [ "$reqRelation" == "=" ]; then + [ $currentRelation == "=" ] && return 0 + elif [ "$reqRelation" == ">" ]; then + [ $currentRelation == ">" ] && return 0 + elif [ "$reqRelation" == "<" ]; then + [ $currentRelation == "<" ] && return 0 + elif [ "$reqRelation" == ">=" ]; then + [ $currentRelation == "=" ] && return 0 + [ $currentRelation == ">" ] && return 0 + elif [ "$reqRelation" == "<=" ]; then + [ $currentRelation == "=" ] && return 0 + [ $currentRelation == "<" ] && return 0 + fi +} + +compareValues() { + curVal=$1 + val=$2 + sign=$3 + + if [ "$sign" == "==" ]; then + [ "$val" == "$curVal" ] && return 0 + elif [ "$sign" == "!=" ]; then + [ "$val" != "$curVal" ] && return 0 + fi + + return 1 +} + +checkRequirement() { + #echo "Checking requirement: $1" + local IN="$1" + local pkgName="${2:4}" + + if [[ "$IN" =~ ^pkg=.*$ ]]; then + + # always true for Linux OS + [ ${pkgName} == "linux-kernel" ] && return 0 + + # verify if package is present + pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1) + if [ -n "$pkg" ]; then + return 0 + fi + + elif [[ "$IN" =~ ^ver.*$ ]]; then + version="${IN//[^0-9.]/}" + rest="${IN#ver}" + operator=${rest%$version} + + if [ "$pkgName" == "linux-kernel" -o "$opt_checksec_mode" == "true" ]; then + + # for --cvelist-file mode skip kernel version comparision + [ "$opt_cvelist_file" = "true" ] && return 0 + + doVersionComparision $version $operator $KERNEL && return 0 + else + # extract package version and check if requiremnt is true + pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1) + + # skip (if run with --skip-pkg-versions) version checking if package with given name is installed + [ "$opt_skip_pkg_versions" = "true" -a -n "$pkg" ] && return 0 + + # versioning: + #echo "pkg: $pkg" + pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g') + #echo "version: $pkgVersion" + #echo "operator: $operator" + #echo "required version: $version" + #echo + doVersionComparision $version $operator $pkgVersion && return 0 + fi + elif [[ "$IN" =~ ^x86_64$ ]] && [ "$ARCH" == "x86_64" -o "$ARCH" == "" ]; then + return 0 + elif [[ "$IN" =~ ^x86$ ]] && [ "$ARCH" == "i386" -o "$ARCH" == "i686" -o "$ARCH" == "" ]; then + return 0 + elif [[ "$IN" =~ ^CONFIG_.*$ ]]; then + + # skip if check is not applicable (-k or --uname or -p set) or if user said so (--skip-more-checks) + [ "$opt_skip_more_checks" = "true" ] && return 0 + + # if kernel config IS available: + if [ -n "$KCONFIG" ]; then + if $KCONFIG | grep -E -qi $IN; then + return 0; + # required option wasn't found, exploit is not applicable + else + return 1; + fi + # config is not available + else + return 0; + fi + elif [[ "$IN" =~ ^sysctl:.*$ ]]; then + + # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks) + [ "$opt_skip_more_checks" = "true" ] && return 0 + + sysctlCondition="${IN:7}" + + # extract sysctl entry, relation sign and required value + if echo $sysctlCondition | grep -qi "!="; then + sign="!=" + elif echo $sysctlCondition | grep -qi "=="; then + sign="==" + else + exitWithErrMsg "Wrong sysctl condition. There is syntax error in your features DB. Aborting." + fi + val=$(echo "$sysctlCondition" | awk -F "$sign" '{print $2}') + entry=$(echo "$sysctlCondition" | awk -F "$sign" '{print $1}') + + # get current setting of sysctl entry + curVal=$(/sbin/sysctl -a 2> /dev/null | grep "$entry" | awk -F'=' '{print $2}') + + # special case for --checksec mode: return 2 if there is no such switch in sysctl + [ -z "$curVal" -a "$opt_checksec_mode" = "true" ] && return 2 + + # for other modes: skip if there is no such switch in sysctl + [ -z "$curVal" ] && return 0 + + # compare & return result + compareValues $curVal $val $sign && return 0 + + elif [[ "$IN" =~ ^cmd:.*$ ]]; then + + # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks) + [ "$opt_skip_more_checks" = "true" ] && return 0 + + cmd="${IN:4}" + if eval "${cmd}"; then + return 0 + fi + fi + + return 1 +} + +getKernelConfig() { + + if [ -f /proc/config.gz ] ; then + KCONFIG="zcat /proc/config.gz" + elif [ -f /boot/config-` + "`uname -r`" + ` ] ; then + KCONFIG="cat /boot/config-` + "`uname -r`" + `" + elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then + KCONFIG="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config" + else + KCONFIG="" + fi +} + +checksecMode() { + + MODE=0 + + # start analysis +for FEATURE in "${FEATURES[@]}"; do + + # create array from current exploit here doc and fetch needed lines + i=0 + # ('-r' is used to not interpret backslash used for bash colors) + while read -r line + do + arr[i]="$line" + i=$((i + 1)) + done <<< "$FEATURE" + + # modes: kernel-feature (1) | hw-feature (2) | 3rdparty-feature (3) | attack-surface (4) + NAME="${arr[0]}" + PRE_NAME="${NAME:0:8}" + NAME="${NAME:9}" + if [ "${PRE_NAME}" = "section:" ]; then + # advance to next MODE + MODE=$(($MODE + 1)) + + echo + echo -e "${bldwht}${NAME}${txtrst}" + echo + continue + fi + + AVAILABLE="${arr[1]}" && AVAILABLE="${AVAILABLE:11}" + ENABLE=$(echo "$FEATURE" | grep "enabled: " | awk -F'ed: ' '{print $2}') + analysis_url=$(echo "$FEATURE" | grep "analysis-url: " | awk '{print $2}') + + # split line with availability requirements & loop thru all availability reqs one by one & check whether it is met + IFS=',' read -r -a array <<< "$AVAILABLE" + AVAILABLE_REQS_NUM=${#array[@]} + AVAILABLE_PASSED_REQ=0 + CONFIG="" + for REQ in "${array[@]}"; do + + # find CONFIG_ name (if present) for current feature (only for display purposes) + if [ -z "$CONFIG" ]; then + config=$(echo "$REQ" | grep "CONFIG_") + [ -n "$config" ] && CONFIG="($(echo $REQ | cut -d'=' -f1))" + fi + + if (checkRequirement "$REQ"); then + AVAILABLE_PASSED_REQ=$(($AVAILABLE_PASSED_REQ + 1)) + else + break + fi + done + + # split line with enablement requirements & loop thru all enablement reqs one by one & check whether it is met + ENABLE_PASSED_REQ=0 + ENABLE_REQS_NUM=0 + noSysctl=0 + if [ -n "$ENABLE" ]; then + IFS=',' read -r -a array <<< "$ENABLE" + ENABLE_REQS_NUM=${#array[@]} + for REQ in "${array[@]}"; do + cmdStdout=$(checkRequirement "$REQ") + retVal=$? + if [ $retVal -eq 0 ]; then + ENABLE_PASSED_REQ=$(($ENABLE_PASSED_REQ + 1)) + elif [ $retVal -eq 2 ]; then + # special case: sysctl entry is not present on given system: signal it as: N/A + noSysctl=1 + break + else + break + fi + done + fi + + feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-) + + if [ -n "$cmdStdout" ]; then + if [ $cmdStdout -eq 0 ]; then + state="[ ${txtred}Set to $cmdStdout${txtrst} ]" + cmdStdout="" + else + state="[ ${txtgrn}Set to $cmdStdout${txtrst} ]" + cmdStdout="" + fi + else + + unknown="[ ${txtgray}Unknown${txtrst} ]" + + # for 3rd party (3) mode display "N/A" or "Enabled" + if [ $MODE -eq 3 ]; then + enabled="[ ${txtgrn}Enabled${txtrst} ]" + disabled="[ ${txtgray}N/A${txtrst} ]" + + # for attack-surface (4) mode display "Locked" or "Exposed" + elif [ $MODE -eq 4 ]; then + enabled="[ ${txtred}Exposed${txtrst} ]" + disabled="[ ${txtgrn}Locked${txtrst} ]" + + # other modes" "Disabled" / "Enabled" + else + enabled="[ ${txtgrn}Enabled${txtrst} ]" + disabled="[ ${txtred}Disabled${txtrst} ]" + fi + + if [ -z "$KCONFIG" -a "$ENABLE_REQS_NUM" = 0 ]; then + state=$unknown + elif [ $AVAILABLE_PASSED_REQ -eq $AVAILABLE_REQS_NUM -a $ENABLE_PASSED_REQ -eq $ENABLE_REQS_NUM ]; then + state=$enabled + else + state=$disabled + fi + + fi + + echo -e " $state $feature ${wht}${CONFIG}${txtrst}" + [ -n "$analysis_url" ] && echo -e " $analysis_url" + echo + +done + +} + +displayExposure() { + RANK=$1 + + if [ "$RANK" -ge 6 ]; then + echo "highly probable" + elif [ "$RANK" -ge 3 ]; then + echo "probable" + else + echo "less probable" + fi +} + +# parse command line parameters +ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@") +[ $? != 0 ] && exitWithErrMsg "Aborting." + +eval set -- "$ARGS" + +while true; do + case "$1" in + -u|--uname) + shift + UNAME_A="$1" + opt_uname_string=true + ;; + -V|--version) + version + exit 0 + ;; + -h|--help) + usage + exit 0 + ;; + -f|--full) + opt_full=true + ;; + -g|--short) + opt_summary=true + ;; + -b|--fetch-binaries) + opt_fetch_bins=true + ;; + -s|--fetch-sources) + opt_fetch_srcs=true + ;; + -k|--kernel) + shift + KERNEL="$1" + opt_kernel_version=true + ;; + -d|--show-dos) + opt_show_dos=true + ;; + -p|--pkglist-file) + shift + PKGLIST_FILE="$1" + opt_pkglist_file=true + ;; + --cvelist-file) + shift + CVELIST_FILE="$1" + opt_cvelist_file=true + ;; + --checksec) + opt_checksec_mode=true + ;; + --kernelspace-only) + opt_kernel_only=true + ;; + --userspace-only) + opt_userspace_only=true + ;; + --skip-more-checks) + opt_skip_more_checks=true + ;; + --skip-pkg-versions) + opt_skip_pkg_versions=true + ;; + *) + shift + if [ "$#" != "0" ]; then + exitWithErrMsg "Unknown option '$1'. Aborting." + fi + break + ;; + esac + shift +done + +# check Bash version (associative arrays need Bash in version 4.0+) +if ((BASH_VERSINFO[0] < 4)); then + exitWithErrMsg "Script needs Bash in version 4.0 or newer. Aborting." +fi + +# exit if both --kernel and --uname are set +[ "$opt_kernel_version" = "true" ] && [ $opt_uname_string = "true" ] && exitWithErrMsg "Switches -u|--uname and -k|--kernel are mutually exclusive. Aborting." + +# exit if both --full and --short are set +[ "$opt_full" = "true" ] && [ $opt_summary = "true" ] && exitWithErrMsg "Switches -f|--full and -g|--short are mutually exclusive. Aborting." + +# --cvelist-file mode is standalone mode and is not applicable when one of -k | -u | -p | --checksec switches are set +if [ "$opt_cvelist_file" = "true" ]; then + [ ! -e "$CVELIST_FILE" ] && exitWithErrMsg "Provided CVE list file does not exists. Aborting." + [ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --cvelist-file are mutually exclusive. Aborting." + [ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --cvelist-file are mutually exclusive. Aborting." + [ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --cvelist-file are mutually exclusive. Aborting." +fi + +# --checksec mode is standalone mode and is not applicable when one of -k | -u | -p | --cvelist-file switches are set +if [ "$opt_checksec_mode" = "true" ]; then + [ "$opt_kernel_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --checksec are mutually exclusive. Aborting." + [ "$opt_uname_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --checksec are mutually exclusive. Aborting." + [ "$opt_pkglist_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --checksec are mutually exclusive. Aborting." +fi + +# extract kernel version and other OS info like distro name, distro version, etc. 3 possibilities here: +# case 1: --kernel set +if [ "$opt_kernel_version" == "true" ]; then + # TODO: add kernel version number validation + [ -z "$KERNEL" ] && exitWithErrMsg "Unrecognized kernel version given. Aborting." + ARCH="" + OS="" + + # do not perform additional checks on current machine + opt_skip_more_checks=true + + # do not consider current OS + getPkgList "" "$PKGLIST_FILE" + +# case 2: --uname set +elif [ "$opt_uname_string" == "true" ]; then + [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting." + parseUname "$UNAME_A" + + # do not perform additional checks on current machine + opt_skip_more_checks=true + + # do not consider current OS + getPkgList "" "$PKGLIST_FILE" + +# case 3: --cvelist-file mode +elif [ "$opt_cvelist_file" = "true" ]; then + + # get kernel configuration in this mode + [ "$opt_skip_more_checks" = "false" ] && getKernelConfig + +# case 4: --checksec mode +elif [ "$opt_checksec_mode" = "true" ]; then + + # this switch is not applicable in this mode + opt_skip_more_checks=false + + # get kernel configuration in this mode + getKernelConfig + [ -z "$KCONFIG" ] && echo "WARNING. Kernel Config not found on the system results won't be complete." + + # launch checksec mode + checksecMode + + exit 0 + +# case 5: no --uname | --kernel | --cvelist-file | --checksec set +else + + # --pkglist-file NOT provided: take all info from current machine + # case for vanilla execution: ./linux-exploit-suggester.sh + if [ "$opt_pkglist_file" == "false" ]; then + UNAME_A=$(uname -a) + [ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting." + parseUname "$UNAME_A" + + # get kernel configuration in this mode + [ "$opt_skip_more_checks" = "false" ] && getKernelConfig + + # extract distribution version from /etc/os-release OR /etc/lsb-release + [ -n "$OS" -a "$opt_skip_more_checks" = "false" ] && DISTRO=$(grep -s -E '^DISTRIB_RELEASE=|^VERSION_ID=' /etc/*-release | cut -d'=' -f2 | head -1 | tr -d '"') + + # extract package listing from current OS + getPkgList "$OS" "" + + # --pkglist-file provided: only consider userspace exploits against provided package listing + else + KERNEL="" + #TODO: extract machine arch from package listing + ARCH="" + unset EXPLOITS + declare -A EXPLOITS + getPkgList "" "$PKGLIST_FILE" + + # additional checks are not applicable for this mode + opt_skip_more_checks=true + fi +fi + +echo +echo -e "${bldwht}Available information:${txtrst}" +echo +[ -n "$KERNEL" ] && echo -e "Kernel version: ${txtgrn}$KERNEL${txtrst}" || echo -e "Kernel version: ${txtred}N/A${txtrst}" +echo "Architecture: $([ -n "$ARCH" ] && echo -e "${txtgrn}$ARCH${txtrst}" || echo -e "${txtred}N/A${txtrst}")" +echo "Distribution: $([ -n "$OS" ] && echo -e "${txtgrn}$OS${txtrst}" || echo -e "${txtred}N/A${txtrst}")" +echo -e "Distribution version: $([ -n "$DISTRO" ] && echo -e "${txtgrn}$DISTRO${txtrst}" || echo -e "${txtred}N/A${txtrst}")" + +echo "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): $([ "$opt_skip_more_checks" == "false" ] && echo -e "${txtgrn}performed${txtrst}" || echo -e "${txtred}N/A${txtrst}")" + +if [ -n "$PKGLIST_FILE" -a -n "$PKG_LIST" ]; then + pkgListFile="${txtgrn}$PKGLIST_FILE${txtrst}" +elif [ -n "$PKGLIST_FILE" ]; then + pkgListFile="${txtred}unrecognized file provided${txtrst}" +elif [ -n "$PKG_LIST" ]; then + pkgListFile="${txtgrn}from current OS${txtrst}" +fi + +echo -e "Package listing: $([ -n "$pkgListFile" ] && echo -e "$pkgListFile" || echo -e "${txtred}N/A${txtrst}")" + +# handle --kernelspacy-only & --userspace-only filter options +if [ "$opt_kernel_only" = "true" -o -z "$PKG_LIST" ]; then + unset EXPLOITS_USERSPACE + declare -A EXPLOITS_USERSPACE +fi + +if [ "$opt_userspace_only" = "true" ]; then + unset EXPLOITS + declare -A EXPLOITS +fi + +echo +echo -e "${bldwht}Searching among:${txtrst}" +echo +echo "${#EXPLOITS[@]} kernel space exploits" +echo "${#EXPLOITS_USERSPACE[@]} user space exploits" +echo + +echo -e "${bldwht}Possible Exploits:${txtrst}" +echo + +# start analysis +j=0 +for EXP in "${EXPLOITS[@]}" "${EXPLOITS_USERSPACE[@]}"; do + + # create array from current exploit here doc and fetch needed lines + i=0 + # ('-r' is used to not interpret backslash used for bash colors) + while read -r line + do + arr[i]="$line" + i=$((i + 1)) + done <<< "$EXP" + + NAME="${arr[0]}" && NAME="${NAME:6}" + REQS="${arr[1]}" && REQS="${REQS:6}" + TAGS="${arr[2]}" && TAGS="${TAGS:6}" + RANK="${arr[3]}" && RANK="${RANK:6}" + + # split line with requirements & loop thru all reqs one by one & check whether it is met + IFS=',' read -r -a array <<< "$REQS" + REQS_NUM=${#array[@]} + PASSED_REQ=0 + for REQ in "${array[@]}"; do + if (checkRequirement "$REQ" "${array[0]}"); then + PASSED_REQ=$(($PASSED_REQ + 1)) + else + break + fi + done + + # execute for exploits with all requirements met + if [ $PASSED_REQ -eq $REQS_NUM ]; then + + # additional requirement for --cvelist-file mode: check if CVE associated with the exploit is on the CVELIST_FILE + if [ "$opt_cvelist_file" = "true" ]; then + + # extract CVE(s) associated with given exploit (also translates ',' to '|' for easy handling multiple CVEs case - via extended regex) + cve=$(echo "$NAME" | grep '.*\[.*\].*' | cut -d 'm' -f2 | cut -d ']' -f1 | tr -d '[' | tr "," "|") + #echo "CVE: $cve" + + # check if it's on CVELIST_FILE list, if no move to next exploit + [ ! $(cat "$CVELIST_FILE" | grep -E "$cve") ] && continue + fi + + # process tags and highlight those that match current OS (only for deb|ubuntu|RHEL and if we know distro version - direct mode) + tags="" + if [ -n "$TAGS" -a -n "$OS" ]; then + IFS=',' read -r -a tags_array <<< "$TAGS" + TAGS_NUM=${#tags_array[@]} + + # bump RANK slightly (+1) if we're in '--uname' mode and there's a TAG for OS from uname string + [ "$(echo "${tags_array[@]}" | grep "$OS")" -a "$opt_uname_string" == "true" ] && RANK=$(($RANK + 1)) + + for TAG in "${tags_array[@]}"; do + tag_distro=$(echo "$TAG" | cut -d'=' -f1) + tag_distro_num_all=$(echo "$TAG" | cut -d'=' -f2) + # in case of tag of form: 'ubuntu=16.04{kernel:4.4.0-21} remove kernel versioning part for comparision + tag_distro_num="${tag_distro_num_all%{*}" + + # we're in '--uname' mode OR (for normal mode) if there is distro version match + if [ "$opt_uname_string" == "true" -o \( "$OS" == "$tag_distro" -a "$(echo "$DISTRO" | grep -E "$tag_distro_num")" \) ]; then + + # bump current exploit's rank by 2 for distro match (and not in '--uname' mode) + [ "$opt_uname_string" == "false" ] && RANK=$(($RANK + 2)) + + # get name (kernel or package name) and version of kernel/pkg if provided: + tag_pkg=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 1) + tag_pkg_num="" + [ $(echo "$tag_distro_num_all" | grep '{') ] && tag_pkg_num=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 2) + + #[ -n "$tag_pkg_num" ] && echo "tag_pkg_num: $tag_pkg_num; kernel: $KERNEL_ALL" + + # if pkg/kernel version is not provided: + if [ -z "$tag_pkg_num" ]; then + [ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ ${TAG} ]${txtrst}" + + # kernel version provided, check for match: + elif [ -n "$tag_pkg_num" -a "$tag_pkg" = "kernel" ]; then + if [ $(echo "$KERNEL_ALL" | grep -E "${tag_pkg_num}") ]; then + # kernel version matched - bold highlight + TAG="${yellow}[ ${TAG} ]${txtrst}" + + # bump current exploit's rank additionally by 3 for kernel version regex match + RANK=$(($RANK + 3)) + else + [ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{kernel:$tag_pkg_num}" + fi + + # pkg version provided, check for match (TBD): + elif [ -n "$tag_pkg_num" -a -n "$tag_pkg" ]; then + TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{$tag_pkg:$tag_pkg_num}" + fi + + fi + + # append current tag to tags list + tags="${tags}${TAG}," + done + # trim ',' added by above loop + [ -n "$tags" ] && tags="${tags%?}" + else + tags="$TAGS" + fi + + # insert the matched exploit (with calculated Rank and highlighted tags) to arrary that will be sorted + EXP=$(echo "$EXP" | sed -e '/^Name:/d' -e '/^Reqs:/d' -e '/^Tags:/d') + exploits_to_sort[j]="${RANK}Name: ${NAME}D3L1mReqs: ${REQS}D3L1mTags: ${tags}D3L1m$(echo "$EXP" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/D3L1m/g')" + ((j++)) + fi +done + +# sort exploits based on calculated Rank +IFS=$'\n' +SORTED_EXPLOITS=($(sort -r <<<"${exploits_to_sort[*]}")) +unset IFS + +# display sorted exploits +for EXP_TEMP in "${SORTED_EXPLOITS[@]}"; do + + RANK=$(echo "$EXP_TEMP" | awk -F'Name:' '{print $1}') + + # convert entry back to canonical form + EXP=$(echo "$EXP_TEMP" | sed 's/^[0-9]//g' | sed 's/D3L1m/\n/g') + + # create array from current exploit here doc and fetch needed lines + i=0 + # ('-r' is used to not interpret backslash used for bash colors) + while read -r line + do + arr[i]="$line" + i=$((i + 1)) + done <<< "$EXP" + + NAME="${arr[0]}" && NAME="${NAME:6}" + REQS="${arr[1]}" && REQS="${REQS:6}" + TAGS="${arr[2]}" && tags="${TAGS:6}" + + EXPLOIT_DB=$(echo "$EXP" | grep "exploit-db: " | awk '{print $2}') + analysis_url=$(echo "$EXP" | grep "analysis-url: " | awk '{print $2}') + ext_url=$(echo "$EXP" | grep "ext-url: " | awk '{print $2}') + comments=$(echo "$EXP" | grep "Comments: " | cut -d' ' -f 2-) + reqs=$(echo "$EXP" | grep "Reqs: " | cut -d' ' -f 2) + + # exploit name without CVE number and without commonly used special chars + name=$(echo "$NAME" | cut -d' ' -f 2- | tr -d ' ()/') + + bin_url=$(echo "$EXP" | grep "bin-url: " | awk '{print $2}') + src_url=$(echo "$EXP" | grep "src-url: " | awk '{print $2}') + [ -z "$src_url" ] && [ -n "$EXPLOIT_DB" ] && src_url="https://www.exploit-db.com/download/$EXPLOIT_DB" + [ -z "$src_url" ] && [ -z "$bin_url" ] && exitWithErrMsg "'src-url' / 'bin-url' / 'exploit-db' entries are all empty for '$NAME' exploit - fix that. Aborting." + + if [ -n "$analysis_url" ]; then + details="$analysis_url" + elif $(echo "$src_url" | grep -q 'www.exploit-db.com'); then + details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/" + elif [[ "$src_url" =~ ^.*tgz|tar.gz|zip$ && -n "$EXPLOIT_DB" ]]; then + details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/" + else + details="$src_url" + fi + + # skip DoS by default + dos=$(echo "$EXP" | grep -o -i "(dos") + [ "$opt_show_dos" == "false" ] && [ -n "$dos" ] && continue + + # handles --fetch-binaries option + if [ $opt_fetch_bins = "true" ]; then + for i in $(echo "$EXP" | grep "bin-url: " | awk '{print $2}'); do + [ -f "${name}_$(basename $i)" ] && rm -f "${name}_$(basename $i)" + wget -q -k "$i" -O "${name}_$(basename $i)" + done + fi + + # handles --fetch-sources option + if [ $opt_fetch_srcs = "true" ]; then + [ -f "${name}_$(basename $src_url)" ] && rm -f "${name}_$(basename $src_url)" + wget -q -k "$src_url" -O "${name}_$(basename $src_url)" & + fi + + # display result (short) + if [ "$opt_summary" = "true" ]; then + [ -z "$tags" ] && tags="-" + echo -e "$NAME || $tags || $src_url" + continue + fi + +# display result (standard) + echo -e "[+] $NAME" + echo -e "\n Details: $details" + echo -e " Exposure: $(displayExposure $RANK)" + [ -n "$tags" ] && echo -e " Tags: $tags" + echo -e " Download URL: $src_url" + [ -n "$ext_url" ] && echo -e " ext-url: $ext_url" + [ -n "$comments" ] && echo -e " Comments: $comments" + + # handles --full filter option + if [ "$opt_full" = "true" ]; then + [ -n "$reqs" ] && echo -e " Requirements: $reqs" + + [ -n "$EXPLOIT_DB" ] && echo -e " exploit-db: $EXPLOIT_DB" + + author=$(echo "$EXP" | grep "author: " | cut -d' ' -f 2-) + [ -n "$author" ] && echo -e " author: $author" + fi + + echo + +done +` diff --git a/pkg/evaluate/kernel.go b/pkg/evaluate/kernel.go new file mode 100644 index 0000000..a2c52ca --- /dev/null +++ b/pkg/evaluate/kernel.go @@ -0,0 +1,56 @@ +package evaluate + +import ( + "os/exec" + "strings" + + "github.com/cdk-team/CDK/conf" + "github.com/cdk-team/CDK/pkg/util" +) + +// kernelExploitSuggester +// use https://github.com/mzet-/linux-exploit-suggester to check kernel exploit +// run linux-exploit-suggester bash script to check kernel exploit +func kernelExploitSuggester() { + script := conf.KernelExploitScript + // check bash command available + _, err := exec.LookPath("bash") + if err != nil { + return + } + + // run command get output + util.PrintItemValueWithKeyOneLine("refer", "https://github.com/mzet-/linux-exploit-suggester", false) + output, err := exec.Command("bash", "-c", script).Output() + if err != nil { + return + } + + // get all available exploit + // sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "\[CVE" -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,\[CVE-[0-9]+-[0-9]+\].*,${SED_RED},g" + // ANSI escape code in output, reg can not match it + indexs := make([]int, 0) + lines := strings.Split(string(output), "\n") + for index, line := range lines { + if strings.Contains(line, "[CVE") { + indexs = append(indexs, index) + } + } + + // print all exploit and after 10 lines + for _, index := range indexs { + for i := index; i < index+10; i++ { + if i >= len(lines) { + break + } + + // do not print CVE number twice + if i != index && strings.Contains(lines[i], "[CVE") { + break + } + + util.PrintOrignal(lines[i]) + } + } + +} From 8e5e40dea12dabd5e736aecd2736b223e88c13c9 Mon Sep 17 00:00:00 2001 From: neargle Date: Sun, 25 Sep 2022 20:57:30 +0800 Subject: [PATCH 5/5] perf(evaluate): support two new formatted print func --- pkg/evaluate/evaluate.go | 7 +++++-- pkg/evaluate/evaluate_test.go | 8 +++++++- pkg/util/output.go | 12 ++++++++++++ 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/pkg/evaluate/evaluate.go b/pkg/evaluate/evaluate.go index a13c9e8..b2dd022 100644 --- a/pkg/evaluate/evaluate.go +++ b/pkg/evaluate/evaluate.go @@ -44,6 +44,9 @@ func CallBasics() { util.PrintH2("Information Gathering - Sysctl Variables") CheckRouteLocalNetworkValue() + util.PrintH2("Information Gathering - DNS-Based Service Discovery") + DNSBasedServiceDiscovery() + util.PrintH2("Discovery - K8s API Server") CheckK8sAnonymousLogin() @@ -53,8 +56,8 @@ func CallBasics() { util.PrintH2("Discovery - Cloud Provider Metadata API") CheckCloudMetadataAPI() - util.PrintH2("Information Gathering - DNS-Based Service Discovery") - DNSBasedServiceDiscovery() + util.PrintH2("Exploit Pre - Kernel Exploits") + kernelExploitSuggester() } func CallAddedFunc() { diff --git a/pkg/evaluate/evaluate_test.go b/pkg/evaluate/evaluate_test.go index 2cf8ede..2e7fcc8 100644 --- a/pkg/evaluate/evaluate_test.go +++ b/pkg/evaluate/evaluate_test.go @@ -1,4 +1,3 @@ - /* Copyright 2022 The Authors of https://github.com/CDK-TEAM/CDK . @@ -20,6 +19,8 @@ package evaluate import ( "fmt" "testing" + + "github.com/cdk-team/CDK/pkg/util" ) func TestDumpCgroup(t *testing.T) { @@ -31,3 +32,8 @@ func TestFindSidFiles(t *testing.T) { fmt.Printf("\n[Information Gathering - SIDs]\n") FindSidFiles() } + +func TestKernelExploitSuggester(t *testing.T) { + util.PrintH2("Exploit Pre - Kernel Exploits") + kernelExploitSuggester() +} diff --git a/pkg/util/output.go b/pkg/util/output.go index c7c22fb..260ddab 100644 --- a/pkg/util/output.go +++ b/pkg/util/output.go @@ -46,3 +46,15 @@ func PrintItemValue(value string, color bool) { } } +func PrintItemValueWithKeyOneLine(key, value string, color bool) { + if color { + log.Printf("%s: %s", key, GreenBold.Sprint(value)) + } else { + log.Printf("%s: %s", key, value) + } +} + +func PrintOrignal(out string) { + fmt.Printf("%s\n", out) +} +