##### Linux privilege checker ##### Searches for privileges, service settings, sensitive information, running processes, installed programs, network statistics, logs, permissions and various other information about the system. Suggests exploits based on the detected kernel version. Inspired from g0tm1lk's cheatsheet, available at http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html NOTES Full output may be excessive, I tried to break it down in specific functions to make it easy to check for relevant information only by commenting out the unnecessary bits. It's using the subprocess module for running commands. Running time may vary, with all checks enabled it took ~1min on a freshly installed Debian and ~4min on a custom Kali system. Regarding the exploit finding functionality: - in the vulnerable kernels, I prioritized the versions given in the respective CVE, unless specified otherwise in the exploit source code - there is some redundancy in the exploit dictionaries, because I wanted to keep them classified in kernel versions (2.4, 2.6, etc.) - some CVEs have multiple exploits available, I tried getting the verified ones, and those which were stable and up-to-date - some false positives / negatives are inevitable CODE BREAKDOWN The checks are split into functions for each information category: searchOS - gets information about the system, its version, SELinux status, uptime, and more chkSrvc - lists running processes chkApps - looks at what is installed on the system chkSrvcSettings - reads configuration files for various services, like apache, syslog and others lsJobs - checks what jobs are scheduled netInfo - various info about the network configuration currNetStats - current status of network connections chkUsers - information about user accounts on the system chkIntrstFiles - attempts to access files with potentially sensitive information, SSH config files, MySQL, and others chkLogs - looks at different log categories, in conjunction with the tail command chkWebSettings - what web concent is being served on the system chkFS - filesystem information findTools - looks for tools that might aid in further exploitation, like nmap, netcat, python, etc. findPerm - permissions check findExploits - suggests suitable exploits from ExploitDB based on the detected kernel version DEMO See text file for output. Sample output for the exploit finder: Kernel version is 3.10.0-514.21.1.el7.x86_64 ########################################### POTENTIALLY VULNERABLE TO Name: Double-free usb-midi SMEP Local Privilege Escalation CVE: CVE-2016-2384 Source code: https://www.exploit-db.com/exploits/41999/ ########################################### ########################################### POTENTIALLY VULNERABLE TO Name: overlayfs Privilege Escalation CVE: CVE-2015-1328 Source code: https://www.exploit-db.com/exploits/37292/ ########################################### ########################################### POTENTIALLY VULNERABLE TO Name: ptrace/sysret Privilege Escalation CVE: CVE-2014-4699 Source code: https://www.exploit-db.com/exploits/34134/ ########################################### ########################################### POTENTIALLY VULNERABLE TO Name: CLONE_NEWUSER|CLONE_FS Privilege Escalation CVE: N/A Source code: https://www.exploit-db.com/exploits/38390/ ########################################### ########################################### POTENTIALLY VULNERABLE TO Name: b43 Wireless Driver Privilege Escalation CVE: CVE-2013-2852 Source code: https://www.exploit-db.com/exploits/38559/ ########################################### ########################################### POTENTIALLY VULNERABLE TO Name: open-time Capability file_ns_capable() Privilege Escalation CVE: CVE-2013-1959 Source code: https://www.exploit-db.com/exploits/25450/ ###########################################
eburhan/linux_privcheck
Check privileges, settings and other information on Linux systems and suggest exploits based on kernel versions
Python