Overview

The tool is meant to assist the security analyst in testing for privilege escalation opportunities on a Linux machine. It provides the following features:

"Remote" mode (--kernel or --uname switches)

In this mode the analyst simply provides the kernel version (--kernel switch) or the output of uname -a (--uname switch) and receives a list of candidate exploits for the given kernel version.

Using this mode one can also check for candidate user space exploits (with the --pkglist-file switch) if one has access to the installed-packages listing (output of dpkg -l / rpm -qa) of the examined system.

"Direct" mode (default run)

The basic idea behind this mode is the same as above, but in an effort to produce a more relevant list of candidate exploits the tool additionally performs a series of checks (kernel build settings, i.e. CONFIG_*, sysctl entries and other custom checks) to rule out exploits that for sure won't be applicable due to OS customization. These checks only rule exploits out; a candidate that survives them still has to be verified by hand.

So for example the 'af_packet' exploit, whose requirements look like this:

Reqs: pkg=linux-kernel,ver>=3.2,ver

Each comma-separated entry is one requirement, and the exploit is dropped from the list as soon as the target fails one of them.

Usage

Running with the --kernel option is handy if one wants to quickly examine which exploits could potentially be applicable to a given kernel version (this is also the compatibility mode with Linux_Exploit_Suggester):

$ ./linux-exploit-suggester.sh -k 3.1

With --uname one provides slightly more information (uname -a output from the target machine) and receives a slightly more specific list of possible exploits (for example the target arch, x86 or x86_64, is also taken into account when generating the list):

$ ./linux-exploit-suggester.sh --uname "Linux taris 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43: x86_64 x86_64 x86_64 GNU/Linux"

In terms of the generated list of exploits this is identical to executing (directly on the given remote machine):

(remote machine) $ ./linux-exploit-suggester.sh --skip-more-checks

Optionally --pkglist-file can be added to --kernel or --uname to also check for user space exploits:

(remote machine) $ dpkg -l > dpkgOutput.txt
$ ./linux-exploit-suggester.sh --uname "Linux taris 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43: x86_64 x86_64 x86_64 GNU/Linux" --pkglist-file dpkgOutput.txt

Sometimes it is desired to examine only the package listing (in this case only the check for userspace exploits is performed):

(remote machine) $ dpkg -l > dpkgOutput.txt
$ ./linux-exploit-suggester.sh --pkglist-file dpkgOutput.txt

As above, but without package version checks (handy for a quick preliminary check of whether any package for which a user space exploit exists is installed at all):

$ ./linux-exploit-suggester.sh --pkglist-file dpkgOutput.txt --skip-pkg-versions

The kernel version number is taken from the current OS and the sources of possible exploits are downloaded to the current directory (only kernel space exploits are examined):

$ ./linux-exploit-suggester.sh --fetch-sources

List the available hardware/kernel security mechanisms of the target machine:

$ ./linux-exploit-suggester.sh --checksec

Generate the list of CVEs for the target kernel and check whether exploits for them exist (additional checks are also performed; the lookup URL and the list file name are not preserved in this copy, so placeholders are used):

$ (uname -s; uname -m; uname -r; uname -v) | curl -s -L -H "Accept: text/text" --data-binary @- <url> | grep CVE | tr ' ' '\n' | grep -o -E 'CVE-[0-9]+-[0-9]+' | sort -r -n | uniq > <cvelist-file>
$ ./linux-exploit-suggester.sh --cvelist-file <cvelist-file> --skip-more-checks

Contributing

Customizing exploits: published exploits are often written for PoC purposes only, for one (or a couple of) specific Linux distributions and/or kernel version(s). Pick the sources of the exploit of your choice and customize it to run on different kernel version(s). Then add your customized version of the exploit as an ext-url entry to LES and modify its Tags to reflect the newly added targets. See this article for an excellent example of adapting a specific PoC exploit to different kernel versions.

Kernel hardening features: conduct a source code analysis of a chosen kernel hardening security measure, then add it to the FEATURES array (if not already there) and publish your analysis.

Tagging: a tag such as

Tags: ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic}

states that the tagged exploit was verified to work correctly on Ubuntu 12.04 with kernels 3.2.0-23-generic, 3.2.0-29-generic, 3.5.0-23-generic and 3.5.0-29-generic. With this tag added, LES will automatically highlight the exploit and bump its dynamic Rank when run on Ubuntu 12.04 with one of the listed kernel versions. This will help you (and others) during pentests to rapidly identify critically vulnerable Linux machines.

Credits: bcoles, for his excellent and frequent contributions to LES.
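The following Python sketch is an added example, not code from linux-exploit-suggester, showing how the two pieces of metadata discussed above (the comma-separated Reqs string evaluated by "Direct" mode and the distro/kernel Tags that bump the dynamic Rank) can be checked against a target description. It assumes the Reqs and Tags syntax visible in this README; the target dictionary layout, the dpkg -l parsing, the version-tuple comparison, the check_pkg_versions switch (mimicking --skip-pkg-versions) and the +2 rank bump are choices made here, and the exploit entries, dpkg rows and hosts are constructed sample data, not real LES entries.

```python
"""Toy evaluator for LES-style 'Reqs:' and 'Tags:' metadata (added example, not LES code)."""
import re

# Comparison operators understood in a Reqs entry ('=' is treated as '==').
_OPS = {'>=': lambda a, b: a >= b, '<=': lambda a, b: a <= b,
        '==': lambda a, b: a == b, '>': lambda a, b: a > b, '<': lambda a, b: a < b}
_REQ_RE = re.compile(r'([^<>=!]+)(>=|<=|==|=|>|<)(.*)$')
_TAG_RE = re.compile(r'(\w+)=([^{,]+)(?:\{kernel:([^}]+)\})?')   # distro=version{kernel:regex}


def kver(s):
    """'3.16.0-30-generic' or '1.8.9p5-1ubuntu1' -> comparable (major, minor, patch) tuple."""
    m = re.match(r'(\d+)\.(\d+)(?:\.(\d+))?', s)
    if not m:
        raise ValueError(f'unparseable version: {s!r}')
    return tuple(int(x) if x else 0 for x in m.groups())


def parse_dpkg(text):
    """Map installed package name -> version from 'dpkg -l' output ('ii' rows only)."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == 'ii':
            pkgs[parts[1].split(':')[0]] = parts[2]      # drop the ':amd64' arch qualifier
    return pkgs


def parse_reqs(reqs):
    """Split 'Reqs: pkg=x,ver>=3.2,...' into (key, op, value) triples."""
    body = reqs[len('Reqs:'):] if reqs.startswith('Reqs:') else reqs
    out = []
    for item in body.split(','):
        m = _REQ_RE.match(item.strip())
        if not m:
            raise ValueError(f'bad requirement: {item!r}')
        out.append(m.groups())
    return out


def check_reqs(reqs, target, check_pkg_versions=True):
    """Return (applicable, failed); 'failed' lists the requirements the target violates.

    check_pkg_versions=False mimics --skip-pkg-versions: a user-space package only
    has to be installed, its version is not compared.
    """
    failed, pkg = [], None
    for key, op, val in parse_reqs(reqs):
        if key == 'pkg':
            pkg = val                                    # 'linux-kernel' is always present
            ok = val == 'linux-kernel' or val in target['pkgs']
        elif key == 'ver':                               # refers to the last 'pkg=' entry
            if pkg == 'linux-kernel':
                have = target['kernel']
            elif not check_pkg_versions:
                continue
            else:
                have = target['pkgs'].get(pkg)
            ok = have is not None and _OPS['==' if op == '=' else op](kver(have), kver(val))
        elif key.startswith('CONFIG_'):                  # kernel build setting
            ok = target['config'].get(key) == val
        elif key.startswith('sysctl:'):                  # runtime sysctl value
            ok = str(target['sysctl'].get(key[len('sysctl:'):])) == val
        else:
            ok = False                                   # unknown requirement: stay conservative
        if not ok:
            failed.append(f'{key}{op}{val}')
    return (not failed, failed)


def tag_matches(tags, target):
    """True when a Tags entry names the target's distro/version and (if given) its kernel."""
    body = tags[len('Tags:'):] if tags.startswith('Tags:') else tags
    distro, version = target['distro']
    for d, v, kre in _TAG_RE.findall(body):
        if d == distro and re.fullmatch(v, version) and (not kre or re.fullmatch(kre, target['kernel'])):
            return True
    return False


def rank(exploit, target, base=1, **kw):
    """Dynamic rank: 0 if any Reqs entry fails, else base plus 2 for a matching Tags entry."""
    ok, _ = check_reqs(exploit['reqs'], target, **kw)
    return 0 if not ok else base + (2 if tag_matches(exploit['tags'], target) else 0)


# Constructed sample data (hypothetical exploit entries, dpkg rows and hosts).
KERNEL_EXPLOIT = {
    'reqs': 'Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,'
            'sysctl:kernel.unprivileged_userns_clone==1',
    'tags': 'Tags: ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic}',
}
SUDO_EXPLOIT = {'reqs': 'Reqs: pkg=sudo,ver<=1.8.9', 'tags': ''}
DPKG_SAMPLE = """\
||/ Name           Version            Architecture Description
+++-==============-==================-============-====================
ii  sudo           1.8.10p3-1ubuntu3  amd64        Provide limited super user privileges
ii  libc6:amd64    2.19-0ubuntu6      amd64        GNU C Library: Shared libraries
"""
_PKGS = parse_dpkg(DPKG_SAMPLE)
TARGETS = {
    'taris':    {'distro': ('ubuntu', '14.04'), 'kernel': '3.16.0-30-generic', 'pkgs': _PKGS,
                 'config': {'CONFIG_USER_NS': 'y'}, 'sysctl': {'kernel.unprivileged_userns_clone': 1}},
    'precise':  {'distro': ('ubuntu', '12.04'), 'kernel': '3.5.0-23-generic', 'pkgs': _PKGS,
                 'config': {'CONFIG_USER_NS': 'y'}, 'sysctl': {'kernel.unprivileged_userns_clone': 1}},
    'hardened': {'distro': ('ubuntu', '12.04'), 'kernel': '3.5.0-23-generic', 'pkgs': _PKGS,
                 'config': {'CONFIG_USER_NS': 'y'}, 'sysctl': {'kernel.unprivileged_userns_clone': 0}},
}

if __name__ == '__main__':
    for name, t in TARGETS.items():
        print(name, 'rank:', rank(KERNEL_EXPLOIT, t), 'failed:', check_reqs(KERNEL_EXPLOIT['reqs'], t)[1])
    print('sudo, versions checked:', check_reqs(SUDO_EXPLOIT['reqs'], TARGETS['taris']))
    print('sudo, --skip-pkg-versions:', check_reqs(SUDO_EXPLOIT['reqs'], TARGETS['taris'], check_pkg_versions=False))
```

The 'taris' host (the Ubuntu 14.04 kernel from the uname example) passes every requirement but matches no tag, so it keeps the base rank; 'precise' passes and matches the tag, so its rank is bumped; 'hardened' is ruled out by the sysctl check alone, which is exactly the kind of customization "Direct" mode catches and "Remote" mode cannot. The sudo entry shows why --skip-pkg-versions is only a preliminary check: with version comparison the installed 1.8.10 is correctly rejected, without it the package merely being present counts as a hit.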