Many moons ago I stumbled across a broken script on an incident response job. The Hackers uploaded numerous exploits and scripts in an attempt to compromise a Linux RedHat server. Among these files was a broken script (that did not work) that would suggest possible exploits given the release version ‘uname -r’ of the Linux Operating System.
This gave me an idea; create my own that actually works….
As the name suggests, this is a Linux Exploit Suggester, with no frills and no fancy features; just a simple script to keep track of vulnerabilities and suggest possible exploits to use to gain ‘root‘ on a legitimate penetration test, or governing examining body ?
Demo Time
Actions speak louder than words, so attached is sample output for querying a 2.6.28 Kernel:
$ perl ./Linux_Exploit_Suggester.pl -k 2.6.28 Kernel local: 2.6.28 Possible Exploits: [+] sock_sendpage2 Alt: proto_ops CVE-2009-2692 Source: http://www.exploit-db.com/exploits/9436 [+] half_nelson3 Alt: econet CVE-2010-4073 Source: http://www.exploit-db.com/exploits/17787/ [+] reiserfs CVE-2010-1146 Source: http://www.exploit-db.com/exploits/12130/ [+] pktcdvd CVE-2010-3437 Source: http://www.exploit-db.com/exploits/15150/ [+] american-sign-language CVE-2010-4347 Source: http://www.securityfocus.com/bid/45408/ [+] half_nelson Alt: econet CVE-2010-3848 Source: http://www.exploit-db.com/exploits/6851 [+] udev Alt: udev <1.4.1 CVE-2009-1185 Source: http://www.exploit-db.com/exploits/8478 [+] do_pages_move Alt: sieve CVE-2010-0415 Source: Spenders Enlightenment [+] pipe.c_32bit CVE-2009-3547 Source: http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c [+] exit_notify Source: http://www.exploit-db.com/exploits/8369 [+] can_bcm CVE-2010-2959 Source: http://www.exploit-db.com/exploits/14814/ [+] ptrace_kmod2 Alt: ia32syscall,robert_you_suck CVE-2010-3301 Source: http://www.exploit-db.com/exploits/15023/ [+] half_nelson1 Alt: econet CVE-2010-3848 Source: http://www.exploit-db.com/exploits/17787/ [+] half_nelson2 Alt: econet CVE-2010-3850 Source: http://www.exploit-db.com/exploits/17787/ [+] sock_sendpage Alt: wunderbar_emporium CVE-2009-2692 Source: http://www.exploit-db.com/exploits/9435 [+] video4linux CVE-2010-3081 Source: http://www.exploit-db.com/exploits/15024/
Again, here is similar output for a more modern 3.0.0 Kernel:
$ perl ./Linux_Exploit_Suggester.pl -k 3.0.0 Kernel local: 3.0.0 Possible Exploits: [+] semtex CVE-2013-2094 Source: http://www.exploit-db.com/download/25444/ [+] memodipper CVE-2012-0056 Source: http://www.exploit-db.com/exploits/18411/ [+] perf_swevent CVE-2013-2094 Source: http://www.exploit-db.com/download/26131
Code
Can be found within our GitHub Repository:
Call for Additions/Corrections
It is likely that there are gaps, or errors within this script. Feel free to contribute, as this is released under Opensource GPLv2.
Downside
Unfortunately; in all honesty it can not take into account patches or back ported patches. So may yield false positives.