linux-soft-exploit-suggester
Script to find exploits for all vulnerable software on the system, targeting software packages rather than just kernel vulnerabilities. It uses the exploit database to assess the security of packages and search for exploits to help with privilege escalation.
Usage
Download
wget https://raw.githubusercontent.com/belane/linux-soft-exploit-suggester/master/linux-soft-exploit-suggester.py
Basic use. Downloads the exploit database, generates a list of packages and searches for exploits.
python linux-soft-exploit-suggester.py
Run from a list of packages from another system if you can't run from target.
- Debian/Ubuntu:
dpkg -l > package_list
- RedHat/CentOS:
rpm -qa > package_list
python linux-soft-exploit-suggester.py --file package_list --distro debian
Update exploit database.
python linux-soft-exploit-suggester.py --update
Look for exploits for running processes, setuid binaries and linux capabilities.
python linux-soft-exploit-suggester.py --juicy
Filter exploits by local exploit type and minor versions.
python linux-soft-exploit-suggester.py --level 2 --type local
Example Output
> python linux-soft-exploit-suggester.py --file packages --db files_exploits.csv
| _ __ _ _ | _ _ | _ | __ __ __ _ __ | _ _
|路| || |\/ (_ | ||_ |- /_)\/| \|| |路|- (_ | || )| )/_)(_ |- /_)|
||| ||_|/\ __)|_|| |_ \_ /\|_/||_|||_ __)|_||_/ |_/ \_ __) |_ \_ |
| _/ _/
[!] DNSTracer 1.9 - Buffer Overflow - local
From: dnstracer 1.9
File: /usr/share/exploitdb/platforms/linux/local/42424.py
Url: https://www.exploit-db.com/exploits/42424
[!] GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution - remote
From: wget 1.17.1
File: /usr/share/exploitdb/platforms/linux/remote/40064.txt
Url: https://www.exploit-db.com/exploits/40064
[!] GNU Screen 4.5.0 - Privilege Escalation (PoC) - local
From: screen 4.3.1
File: /usr/share/exploitdb/platforms/linux/local/41152.txt
Url: https://www.exploit-db.com/exploits/41152
[!] Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit) - local
From: ghostscript 9.21
File: /usr/share/exploitdb/platforms/linux/local/41955.rb
Url: https://www.exploit-db.com/exploits/41955
[!] MAWK 1.3.3-17 - Local Buffer Overflow - local
From: mawk 1.3.3
File: /usr/share/exploitdb/platforms/linux/local/42357.py
Url: https://www.exploit-db.com/exploits/42357
[!] Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation - local
From: sudo 1.8.20
File: /usr/share/exploitdb/platforms/linux/local/42183.c
Url: https://www.exploit-db.com/exploits/42183
...
Full Help
> python linux-soft-exploit-suggester.py -h
| _ __ _ _ | _ _ | _ | __ __ __ _ __ | _ _
|路| || |\/ (_ | ||_ |- /_)\/| \|| |路|- (_ | || )| )/_)(_ |- /_)|
||| ||_|/\ __)|_|| |_ \_ /\|_/||_|||_ __)|_||_/ |_/ \_ __) |_ \_ |
| _/ _/
linux-soft-exploit-suggester:
Search for Exploitable Software from package list.
optional arguments:
-h, --help Show this help message and exit
-f FILE, --file FILE Package list file
--clean Use clean package list, if used 'dpkg-query -W'
--duplicates Show duplicate exploits
--db DB Exploits csv file [default: files_exploits.csv]
-j, --juicy Search packages of running processes, setuid binaries and linux capabilities
--update Download latest version of exploits db
-d debian|redhat, --distro debian|redhat
Linux flavor, debian or redhat [default: debian]
--dos Include DoS exploits
--intense Include intense package name search,
when software name doesn't match package name (experimental)
-l 1-5, --level 1-5 Software version search variation [default: 1]
level 1: Same version
level 2: Micro and Patch version
level 3: Minor version
level 4: Major version
level 5: All versions
--type TYPE Exploit type; local, remote, webapps, dos.
e.g. --type local
--type remote
--filter FILTER Filter exploits by string
e.g. --filter "escalation"
usage examples:
Basic usage:
python linux-soft-exploit-suggester.py
Update exploit database:
python linux-soft-exploit-suggester.py --update
Search packages from juicy binaries:
python linux-soft-exploit-suggester.py --juicy
Specify package list or exploit db:
python linux-soft-exploit-suggester.py --file package_list --db files_exploits.csv
Use Redhat/Centos format file:
python linux-soft-exploit-suggester.py --file package_list --distro redhat
Search exploit for major version:
python linux-soft-exploit-suggester.py --file package_list --level 4
Filter by remote exploits:
python linux-soft-exploit-suggester.py --file package_list --type remote
Search specific words in exploit title:
python linux-soft-exploit-suggester.py --file package_list --filter Overflow