Linux Soft Exploit Suggester - Search Exploitable Software On Linux


linux-soft-exploit-suggester finds exploits for all vulnerable software in a system helping with the privilege escalation. It focuses on software packages instead of Kernel vulnerabilities.

> python linux-soft-exploit-suggester.py -h

| _ __ _ _ | _ _ | _ | __ __ __ _ __ | _ _
|·| || |\/ (_ | ||_ |- /_)\/| \|| |·|- (_ | || )| )/_)(_ |- /_)|
||| ||_|/\ __)|_|| |_ \_ /\|_/||_|||_ __)|_||_/ |_/ \_ __) |_ \_ |
| _/ _/

linux-soft-exploit-suggester:
Search for Exploitable Software from package list.

optional arguments:
-h, --help Show this help message and exit
-f FILE, --file FILE Package list file
--clean Use clean package list, if used 'dpkg-query -W'
--duplicates Show duplicate exploits
--db DB Exploits csv file [default: file.csv]
--update Download latest version of exploits db
-d debian|redhat, --distro debian|redhat
Linux flavor, debian or redhat [default: debian]
--dos Include DoS exploits
--intense Include intense package name search,
when software name doesn't match package name (experimental)
-l 1-5, --level 1-5 Software version search variation [default: 1]
level 1: Same version
level 2: Micro and Patch version
level 3: Minor version
level 4: Major version
level 5: All versions
--type TYPE Exploit type; local, remote, webapps, dos.
e.g. --type local
--type remote
--filter FILTER Filter exploits by string
e.g. --filter "escalation"

usage examples:
Get Package List:
debian/ubuntu: dpkg -l > package_list
redhat/centos: rpm -qa > package_list

Update exploit database:
python linux-soft-exploit-suggester.py --update

Basic usage:
python linux-soft-exploit-suggester.py --file package_list

Specify exploit db:
python linux-soft-exploit-suggester.py --file package_list --db file.cve

Use Redhat/Centos format file:
python linux-soft-exploit-suggester.py --file package_list --distro redhat

Search exploit for major version:
python linux-soft-exploit-suggester.py --file package_list --level 4

Filter by remote exploits:
python linux-soft-exploit-suggester.py --file package_list --type remote

Search specific words in exploit title:
python linux-soft-exploit-suggester.py --file package_list --filter Overflow

Advanced usage:
python linux-soft-exploit-suggester.py --file package_list --level 3 --type local --filter escalation

Output
> python linux-soft-exploit-suggester.py --file packages --db file.csv

| _ __ _ _ | _ _ | _ | __ __ __ _ __ | _ _
|·| || |\/ (_ | ||_ |- /_)\/| \|| |·|- (_ | || )| )/_)(_ |- /_)|
||| ||_|/\ __)|_|| |_ \_ /\|_/||_|||_ __)|_||_/ |_/ \_ __) |_ \_ |
| _/ _/

[+] DNSTracer 1.9 - Buffer Overflow - local
From: dnstracer 1.9
File: /usr/share/exploitdb/platforms/linux/local/42424.py
Url: https://www.exploit-db.com/exploits/42424
[+] GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution - remote
From: wget 1.17.1
File: /usr/share/exploitdb/platforms/linux/remote/40064.txt
Url: https://www.exploit-db.com/exploits/40064
[+] GNU Screen 4.5.0 - Privilege Escalation (PoC) - local
From: screen 4.3.1
File: /usr/share/exploitdb/platforms/linux/local/41152.txt
Url: https://www.exploit-db.com/exploits/41152
[+] Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit) - local
From: ghostscript 9.21
File: /usr/share/exploitdb/platforms/linux/local/41955.rb
Url: https://www.exploit-db.com/exploits/41955
[+] KeepNote 0.7.8 - Command Execution - local
From: keepnote 0.7.8
File: /usr/share/exploitdb/platforms/multiple/local/40440.py
Url: https://www.exploit-db.com/exploits/40440
[+] MAWK 1.3.3-17 - Local Buffer Overflow - local
From: mawk 1.3.3
File: /usr/share/exploitdb/platforms/linux/local/42357.py
Url: https://www.exploit-db.com/exploits/42357
[+] Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation - local
From: sudo 1.8.20
File: /usr/share/exploitdb/platforms/linux/local/42183.c
Url: https://www.exploit-db.com/exploits/42183

...

Generate package list

Debian
dpkg -l > package_list

Red Hat
rpm -qa > package_list

TIP. Packages from running processes and SETUID binaries

Running packages
> for i in $(ps auex|sed -e ':l;s/  / /g;t l'|cut -d' ' -f11|grep -v '\['|grep '/'|sort -u); \
do \
dpkg -l | grep "^ii `dpkg -S $i 2>&1|cut -d':' -f1`" |tee -a potentials; \
done

SETUID Binaries
> for i in $(find / -perm -4000 -o -perm -2000 -type f 2>/dev/null); \
do \
dpkg -l | grep "^ii `dpkg -S $i 2>&1|cut -d':' -f1`"|tee -a potentials; \
done

Eliminate duplicates and Run
> sort -u potentials > potentials_no_duplicates
> python linux-soft-exploit-suggester.py --file potentials_no_duplicates --level 2 --type local

| _ __ _ _ | _ _ | _ | __ __ __ _ __ | _ _
|·| || |\/ (_ | ||_ |- /_)\/| \|| |·|- (_ | || )| )/_)(_ |- /_)|
||| ||_|/\ __)|_|| |_ \_ /\|_/||_|||_ __)|_||_/ |_/ \_ __) |_ \_ |
| _/ _/

[+] Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation - local
From: sudo 1.8.20
File: /usr/share/exploitdb/platforms/linux/local/42183.c
Url: https://www.exploit-db.com/exploits/42183
[+] Fuse 2.9.3-15 - Privilege Escalation - local
From: fuse 2.9.7
File: /usr/share/exploitdb/platforms/linux/local/37089.txt
Url: https://www.exploit-db.com/exploits/37089


Disqus Comments