Linux Soft Exploit Suggester – Find exploitable software on Linux


linux-soft-exploit-suggester finds exploits for all vulnerable software on a system, which helps with privilege escalation. It focuses on software packages rather than kernel vulnerabilities.

Running the script

> python linux-soft-exploit-suggester.py -h

  |  _         __ _  _ |    _    _ | _  |    __    __  __  _  __ |   _  _
  |·| || |\/  (_ | ||_ |-  /_)\/| \|| |·|-  (_ | ||  )|  )/_)(_  |- /_)|
  ||| ||_|/\  __)|_||  |_  \_ /\|_/||_|||_  __)|_||_/ |_/ \_ __) |_ \_ |
                                |                 _/  _/

linux-soft-exploit-suggester:
  Search for Exploitable Software from package list.

optional arguments:
  -h, --help            Show this help message and exit
  -f FILE, --file FILE  Package list file
  --clean               Use clean package list, if used 'dpkg-query -W'
  --duplicates          Show duplicate exploits
  --db DB               Exploits csv file [default: file.csv]
  --update              Download latest version of exploits db
  -d debian|redhat, --distro debian|redhat
                        Linux flavor, debian or redhat [default: debian]
  --dos                 Include DoS exploits
  --intense             Include intense package name search,
                        when software name doesn't match package name (experimental)
  -l 1-5, --level 1-5   Software version search variation [default: 1]                        
                          level 1: Same version                        
                          level 2: Micro and Patch version                        
                          level 3: Minor version                        
                          level 4: Major version                        
                          level 5: All versions
  --type TYPE           Exploit type; local, remote, webapps, dos.
                          e.g. --type local
                         --type remote
  --filter FILTER       Filter exploits by string
                          e.g. --filter "escalation"

usage examples:     
  Get Package List:
 debian/ubuntu: dpkg -l > package_list
 redhat/centos: rpm -qa > package_list

  Update exploit database:
 python linux-soft-exploit-suggester.py --update

  Basic usage:
 python linux-soft-exploit-suggester.py --file package_list

  Specify exploit db:
 python linux-soft-exploit-suggester.py --file package_list --db file.cve

  Use Redhat/Centos format file:
 python linux-soft-exploit-suggester.py --file package_list --distro redhat

  Search exploit for major version:
 python linux-soft-exploit-suggester.py --file package_list --level 4

  Filter by remote exploits:
 python linux-soft-exploit-suggester.py --file package_list --type remote

  Search specific words in exploit title:
 python linux-soft-exploit-suggester.py --file package_list --filter Overflow

  Advanced usage:
 python linux-soft-exploit-suggester.py --file package_list --level 3 --type local --filter escalation

Sample output

> python linux-soft-exploit-suggester.py --file packages --db file.csv

  |  _         __ _  _ |    _    _ | _  |    __    __  __  _  __ |   _  _
  |·| || |\/  (_ | ||_ |-  /_)\/| \|| |·|-  (_ | ||  )|  )/_)(_  |- /_)|
  ||| ||_|/\  __)|_||  |_  \_ /\|_/||_|||_  __)|_||_/ |_/ \_ __) |_ \_ |
                                |                 _/  _/

[+] DNSTracer 1.9 - Buffer Overflow - local
  From: dnstracer 1.9
  File: /usr/share/exploitdb/platforms/linux/local/42424.py
  Url: https://www.exploit-db.com/exploits/42424
[+] GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution - remote
  From: wget 1.17.1
  File: /usr/share/exploitdb/platforms/linux/remote/40064.txt
  Url: https://www.exploit-db.com/exploits/40064
[+] GNU Screen 4.5.0 - Privilege Escalation (PoC) - local
  From: screen 4.3.1
  File: /usr/share/exploitdb/platforms/linux/local/41152.txt
  Url: https://www.exploit-db.com/exploits/41152
[+] Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit) - local
  From: ghostscript 9.21
  File: /usr/share/exploitdb/platforms/linux/local/41955.rb
  Url: https://www.exploit-db.com/exploits/41955
[+] KeepNote 0.7.8 - Command Execution - local
  From: keepnote 0.7.8
  File: /usr/share/exploitdb/platforms/multiple/local/40440.py
  Url: https://www.exploit-db.com/exploits/40440
[+] MAWK 1.3.3-17 - Local Buffer Overflow - local
  From: mawk 1.3.3
  File: /usr/share/exploitdb/platforms/linux/local/42357.py
  Url: https://www.exploit-db.com/exploits/42357
[+] Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation - local
  From: sudo 1.8.20
  File: /usr/share/exploitdb/platforms/linux/local/42183.c
  Url: https://www.exploit-db.com/exploits/42183

...
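For patch triage, each finding in a report like the one above can be checked by comparing the installed version on the "From:" line with the version named in the exploit title. The following is an added example, not part of the tool or the original page; the function names and verdict labels are assumptions made for illustration, and the sample findings are abridged from the output above.

```python
import re

# Findings abridged from the sample output on this page (File: lines omitted).
REPORT = """\
[+] GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution - remote
  From: wget 1.17.1
  Url: https://www.exploit-db.com/exploits/40064
[+] GNU Screen 4.5.0 - Privilege Escalation (PoC) - local
  From: screen 4.3.1
  Url: https://www.exploit-db.com/exploits/41152
[+] Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation - local
  From: sudo 1.8.20
  Url: https://www.exploit-db.com/exploits/42183
"""

# Optional "<" / "<=" bound followed by a dotted version, e.g. "< 1.18".
VERSION = re.compile(r"(<=?)?\s*(\d+(?:\.\d+)+)")

def parts(version):
    """Turn '1.17.1' into (1, 17, 1) so comparison is numeric, not textual."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def classify(title, installed):
    """Compare the installed version with the version named in the title."""
    m = VERSION.search(title.split(" - ")[0])
    if not m:
        return "no-version-in-title"
    bound, affected = m.group(1), parts(m.group(2))
    have = parts(installed)
    if bound:  # "< X" or "<= X" is an upper bound, not one exact version
        hit = have < affected or (bound == "<=" and have == affected)
        return "in-range" if hit else "not-affected"
    return "exact" if have == affected else "version-differs"

def triage(report):
    """Return (package, installed, verdict, url) for each '[+]' finding."""
    findings, title, pkg = [], None, None
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("[+] "):
            title = line[4:]
        elif line.startswith("From: "):
            pkg = line[6:].rsplit(" ", 1)
        elif line.startswith("Url: ") and title and pkg:
            findings.append((pkg[0], pkg[1], classify(title, pkg[1]), line[5:]))
            title = pkg = None
    return findings

if __name__ == "__main__":
    print("\n".join("%-8s %-8s %-16s %s" % row for row in triage(REPORT)))
```

Findings marked version-differs should be checked against the distribution's security tracker before being treated as real, since distributions backport fixes without changing the upstream version number.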

Generate the package list

Debian
dpkg -l > package_list

Red Hat
rpm -qa > package_list

Tips: packages of running processes and SETUID binaries

Packages of running processes

> for i in $(ps auex|sed -e ':l;s/  / /g;t l'|cut -d' ' -f11|grep -v '\['|grep '/'|sort -u); \
  do \
  dpkg -l | grep "^ii  `dpkg -S $i 2>&1|cut -d':' -f1`" |tee -a potentials; \
  done

SETUID Binaries

> for i in $(find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null); \
  do \
  dpkg -l | grep "^ii  `dpkg -S $i 2>&1|cut -d':' -f1`"|tee -a potentials; \
  done

Remove the duplicates and run

> sort -u potentials > potentials_no_duplicates
> python linux-soft-exploit-suggester.py --file potentials_no_duplicates --level 2 --type local

  |  _         __ _  _ |    _    _ | _  |    __    __  __  _  __ |   _  _
  |·| || |\/  (_ | ||_ |-  /_)\/| \|| |·|-  (_ | ||  )|  )/_)(_  |- /_)|
  ||| ||_|/\  __)|_||  |_  \_ /\|_/||_|||_  __)|_||_/ |_/ \_ __) |_ \_ |
                                |                 _/  _/

[+] Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation - local
  From: sudo 1.8.20
  File: /usr/share/exploitdb/platforms/linux/local/42183.c
  Url: https://www.exploit-db.com/exploits/42183
[+] Fuse 2.9.3-15 - Privilege Escalation - local
  From: fuse 2.9.7
  File: /usr/share/exploitdb/platforms/linux/local/37089.txt
  Url: https://www.exploit-db.com/exploits/37089

Download Linux Soft Exploit Suggester

All information provided here is for educational purposes; under no circumstances does anyone accept responsibility for any misuse of the information. All information is intended for the development and research of computer security methods.
