来自:https://www.securitysift.com/download/linuxprivchecker.py

#!/usr/bin/env python

###############################################################################################################
## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Details]:
## This script is intended to be executed locally on a Linux box to enumerate basic system info and
## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
## passwords and applicable exploits.
##-------------------------------------------------------------------------------------------------------------
## [Warning]:
## This script comes as-is with no promise of functionality or accuracy. I have no plans to maintain updates,
## I did not write it to be efficient and in some cases you may find the functions may not produce the desired
## results. For example, the function that links packages to running processes is based on keywords and will
## not always be accurate. Also, the exploit list included in this function will need to be updated over time.
## Feel free to change or improve it any way you see fit.
##-------------------------------------------------------------------------------------------------------------
## [Modification, Distribution, and Attribution]:
## You are free to modify and/or distribute this script as you wish. I only ask that you maintain original
## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's
## worth anything anyway :)
############################################################################################################### # conditional import for older versions of python not compatible with subprocess
try:
    import subprocess as sub
except ImportError:
    # very old interpreters ship no subprocess module; fall back to os.popen
    import os
    compatmode = 1
else:
    # subprocess is available, run commands through it
    compatmode = 0
# title / formatting
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"

# banner: rule, title, rule, blank line
for _bannerLine in (bigline, "LINUX PRIVILEGE ESCALATION CHECKER", bigline, ""):
    print(_bannerLine)
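def execCmd(cmdDict):
    """Run each entry's "cmd" through the shell and store its stdout lines under "results".

    Every value of *cmdDict* is a dict holding at least a ``"cmd"`` string.
    The command runs via the shell (``shell=True`` or ``os.popen``) as the
    invoking user; that is only acceptable because every command string in
    this script is a hard-coded literal, never user or network input.
    stdout is split on newlines (so the last element is normally ``""``);
    stderr is captured and discarded, which is why a failing command shows
    up as an empty section rather than as an error.

    Returns *cmdDict* itself, updated in place.
    """
    for item in cmdDict:
        cmd = cmdDict[item]["cmd"]
        if compatmode == 0:  # newer version of python, use preferred subprocess
            child = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True)
            out = child.communicate()[0]
            # Python 3 hands back bytes here; Python 2 already gives str.
            if not isinstance(out, str):
                out = out.decode("utf-8", "replace")
        else:  # older version of python, use os.popen
            echo_stdout = os.popen(cmd, 'r')
            try:
                out = echo_stdout.read()
            finally:
                echo_stdout.close()  # the original never released this handle
        cmdDict[item]["results"] = out.split('\n')
    return cmdDict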
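def printResults(cmdDict):
    """Print the collected output of every command in *cmdDict*.

    For each entry prints ``[+] <msg>`` followed by the non-blank result
    lines, then a blank separator line. Entries are expected to have been
    filled in by execCmd (``"msg"`` and ``"results"`` keys). Returns None.
    """
    for item in cmdDict:
        msg = cmdDict[item]["msg"]
        results = cmdDict[item]["results"]
        print("[+] " + msg)
        for result in results:
            line = result.strip()
            if line != "":
                print(" " + line)
        print("")


def writeResults(msg, results):
    """Append *msg* and the non-blank *results* to privcheckout.txt.

    The file is opened in append mode in the current working directory, so
    repeated runs accumulate. Its contents are whatever the commands
    returned, which in this script includes credential material (shadow
    file, password greps, sudoers); treat it as sensitive, restrict its
    permissions and remove it when no longer needed.

    The count written is ``len(results) - 1`` because lists produced by
    execCmd end with an empty string from the trailing newline; a list
    without that trailing element is reported one too low. No newlines are
    written between entries (kept for compatibility with the original
    output). The ``with`` block guarantees the file is closed even if a
    write fails.
    """
    with open("privcheckout.txt", "a") as f:
        f.write("[+] " + str(len(results) - 1) + " " + msg)
        for result in results:
            line = result.strip()
            if line != "":
                f.write(" " + line)


# Basic system info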
results = []  # placeholder shared by every entry; execCmd replaces it per entry with real output


def _runSection(info, header=None):
    """Print *header* if given, run every command in *info*, print and return the filled dict.

    Thin wrapper over execCmd/printResults so each section below reads the
    same way. Note that several sections below print credential material
    (sudoers, /etc/shadow, password greps) straight to stdout, so a saved
    transcript of this script is itself sensitive.
    """
    if header is not None:
        print(header)
    info = execCmd(info)
    printResults(info)
    return info


sysInfo = _runSection({
    "OS": {"cmd": "cat /etc/issue", "msg": "Operating System", "results": results},
    "KERNEL": {"cmd": "cat /proc/version", "msg": "Kernel", "results": results},
    "HOSTNAME": {"cmd": "hostname", "msg": "Hostname", "results": results},
}, "[*] GETTING BASIC SYSTEM INFO...\n")

# Networking Info
netInfo = _runSection({
    "NETINFO": {"cmd": "/sbin/ifconfig -a", "msg": "Interfaces", "results": results},
    "ROUTE": {"cmd": "route", "msg": "Route", "results": results},
    "NETSTAT": {"cmd": "netstat -antup | grep -v 'TIME_WAIT'", "msg": "Netstat", "results": results},
}, "[*] GETTING NETWORKING INFO...\n")

# File System Info
driveInfo = _runSection({
    "MOUNT": {"cmd": "mount", "msg": "Mount results", "results": results},
    "FSTAB": {"cmd": "cat /etc/fstab 2>/dev/null", "msg": "fstab entries", "results": results},
}, "[*] GETTING FILESYSTEM INFO...\n")

# Scheduled Cron Jobs (this section prints no header)
cronInfo = _runSection({
    "CRON": {"cmd": "ls -la /etc/cron* 2>/dev/null", "msg": "Scheduled cron jobs", "results": results},
    "CRONW": {"cmd": "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg": "Writable cron dirs", "results": results},
})

# User Info
userInfo = _runSection({
    "WHOAMI": {"cmd": "whoami", "msg": "Current User", "results": results},
    "ID": {"cmd": "id", "msg": "Current User ID", "results": results},
    "ALLUSERS": {"cmd": "cat /etc/passwd", "msg": "All users", "results": results},
    "SUPUSERS": {"cmd": "grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg": "Super Users Found:", "results": results},
    "HISTORY": {"cmd": "ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg": "Root and current user history (depends on privs)", "results": results},
    "ENV": {"cmd": "env 2>/dev/null | grep -v 'LS_COLORS'", "msg": "Environment", "results": results},
    "SUDOERS": {"cmd": "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg": "Sudoers (privileged)", "results": results},
    "LOGGEDIN": {"cmd": "w 2>/dev/null", "msg": "Logged in User Activity", "results": results},
}, "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n")

# substring test on the first line of `id` output; any group or user name containing "root" also triggers it
if "root" in userInfo["ID"]["results"][0]:
    print("[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n")

# File/Directory Privs (raw strings keep the find(1) escapes exactly as typed)
fdPerms = _runSection({
    "WWDIRSROOT": {"cmd": r"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg": "World Writeable Directories for User/Group 'Root'", "results": results},
    "WWDIRS": {"cmd": r"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg": "World Writeable Directories for Users other than Root", "results": results},
    "WWFILES": {"cmd": r"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg": "World Writable Files", "results": results},
    "SUID": {"cmd": r"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg": "SUID/SGID Files and Directories", "results": results},
    "ROOTHOME": {"cmd": "ls -ahlR /root 2>/dev/null", "msg": "Checking if root's home folder is accessible", "results": results},
}, "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n")

pwdFiles = _runSection({
    "LOGPWDS": {"cmd": "find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg": "Logs containing keyword 'password'", "results": results},
    "CONFPWDS": {"cmd": "find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg": "Config files containing keyword 'password'", "results": results},
    "SHADOW": {"cmd": "cat /etc/shadow 2>/dev/null", "msg": "Shadow File (Privileged)", "results": results},
})

# Processes and Applications
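print("[*] ENUMERATING PROCESSES AND APPLICATIONS...\n")
# Pick the package manager from the /proc/version banner. The comparison is
# case-insensitive so "Ubuntu"/"Debian" spelled with a capital also select dpkg
# (the original only matched the lowercase forms).
kernelBanner = sysInfo["KERNEL"]["results"][0].lower()
if "debian" in kernelBanner or "ubuntu" in kernelBanner:
    getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'"  # debian
else:
    getPkgs = "rpm -qa | sort -u"  # RH/other

getAppProc = {
    "PROCS": {"cmd": "ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg": "Current processes", "results": results},
    "PKGS": {"cmd": getPkgs, "msg": "Installed Packages", "results": results},
}
getAppProc = execCmd(getAppProc)
printResults(getAppProc)  # comment to reduce output

otherApps = {
    "SUDO": {"cmd": "sudo -V | grep version 2>/dev/null", "msg": "Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", "results": results},
    "APACHE": {"cmd": "apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg": "Apache Version and Modules", "results": results},
    "APACHECONF": {"cmd": "cat /etc/apache2/apache2.conf 2>/dev/null", "msg": "Apache Config File", "results": results},
}
otherApps = execCmd(otherApps)
printResults(otherApps)

print("[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n")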
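# find the package information for the processes currently running
# under root or another super user
procs = getAppProc["PROCS"]["results"]
pkgs = getAppProc["PKGS"]["results"]
supusers = userInfo["SUPUSERS"]["results"]
procdict = {}  # ps line (as printed by the PROCS command) -> package lines mentioning its binary

for proc in procs:
    # A process "runs as a super user" if any uid-0 account name appears anywhere
    # in the ps line. This is a substring heuristic (see the [Warning] header): an
    # argument or binary name that merely contains the account name also matches.
    if not any(user != "" and user in proc for user in supusers):
        continue
    fields = proc.split(" ")
    if len(fields) < 5:
        # ps header or a short line: no command column to read. The original
        # swallowed this with a bare except, which also hid any other error.
        continue
    procname = fields[4].split("/")[-1]  # basename of the command
    relatedpkgs = []
    if len(procname) >= 3:  # name too short to get reliable package results
        for pkg in pkgs:
            if procname in pkg and pkg not in relatedpkgs:
                relatedpkgs.append(pkg)
    procdict[proc] = relatedpkgs  # recorded even when empty, so the process itself is still listed

for key in procdict:
    print(" " + key)  # print the process line
    if procdict[key]:  # only print the rest if related packages were found
        print(" Possible Related Packages: ")
        for entry in procdict[key]:
            print(" " + entry)  # print each related package

# EXPLOIT ENUMERATION
# First discover the available tools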
print("")
print("[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n")
devTools = {"TOOLS": {"cmd": "which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg": "Installed Tools", "results": results}}
devTools = execCmd(devTools)
printResults(devTools)

print("[+] Related Shell Escape Sequences...\n")
escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]}
# The tool name is matched as a substring of each `which` result line, so e.g. "vi"
# also fires for a vim path and the entries are repeated once per matching line.
for tool, sequences in escapeCmd.items():
    for found in devTools["TOOLS"]["results"]:
        if tool not in found:
            continue
        for seq in sequences:
            print(" " + tool + "-->\t" + seq)
print("")
print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n" # Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
# NOTE(review): the ReiserFS entry below also uses a 'mnt' location, which the
# format line above does not list. Every "exploitdb" value in this table is "",
# so the exploit-db URL the ranking code builds from it carries no id and the
# entry name has to be looked up by hand. An empty "minver"/"maxver" is meant as
# an open bound; whatever compares versions must treat "" that way rather than
# as a plain string (a string comparison against "" never satisfies a "<=").
# minver/maxver are checked against the kernel version for every entry, so the
# Samba 2.2.8 and the Ubuntu 4.10-7.04 Apache entries can only match a kernel
# whose version happens to fall in those ranges -- confirm that is intended.
sploits= { "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.4.20 Module Loader Local Root Exploit":{"minver":"", "maxver":"2.4.20", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.22 "'do_brk()'" local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"", "maxver":"2.4.22", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"", "maxver":"2.4.29", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}},
"<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"", "maxver":"2.6.11", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
"Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"", "maxver":"2.6.11.5", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}},
"2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},
"Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"", "maxver":"", "exploitdb":"", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}},
"Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"", "maxver":"2.6.22", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"", "maxver":"2.6.29", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
"2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},
"2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"", "maxver":"2.6.28.3", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}},
"2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"", "maxver":"2.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.x sock_sendpage() Local Root Exploit 2":{"minver":"", "maxver":"2.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"", "maxver":"2.6.19", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"", "maxver":"2.6.19", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}},
"'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"", "maxver":"", "exploitdb":"", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}},
"<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"", "maxver":"2.6.34", "exploitdb":"", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}},
"Ubuntu PAM MOTD local root":{"minver":"", "maxver":"10.04", "exploitdb":"", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}},
"< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"", "maxver":"2.6.36", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Kernel ia32syscall Emulation Privilege Escalation":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Linux RDS Protocol Local Privilege Escalation":{"minver":"", "maxver":"2.6.36", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"<= 2.6.37 Local Privilege Escalation":{"minver":"", "maxver":"2.6.37", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"", "maxver":"2.6.37", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"CAP_SYS_ADMIN to root Exploit":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"", "maxver":"2.6.36.2", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Sendpage Local Privilege Escalation":{"minver":"", "maxver":"", "exploitdb":"", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}},
"open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
"open-time Capability file_ns_capable() Privilege Escalation":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
} # variable declaration
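# variable declaration
# 'osname' replaces the original 'os' so the os module imported in compat mode is not shadowed
osname = sysInfo["OS"]["results"][0]
kernel = str(sysInfo["KERNEL"]["results"][0])
kernelFields = kernel.split(" ")
# /proc/version reads "Linux version <release> ..."; the release is the third field and the
# part before the first '-' is the numeric kernel version. Left empty when it cannot be read
# (the original raised IndexError here).
version = kernelFields[2].split("-")[0] if len(kernelFields) > 2 else ""
langs = devTools["TOOLS"]["results"]
procs = getAppProc["PROCS"]["results"]
mount = driveInfo["MOUNT"]["results"]
#pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit applicability but may in future


def _verTuple(verstr):
    """Convert a dotted version string ("2.6.17.4") into a tuple of ints.

    Only the leading digits of each component are used ("32rc5" -> 32) and
    parsing stops at the first component without digits. An empty string
    gives an empty tuple, which _inRange treats as "no bound".
    """
    parts = []
    for piece in verstr.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if digits == "":
            break
        parts.append(int(digits))
    return tuple(parts)


def _inRange(verstr, minver, maxver):
    """Return True if *verstr* lies within [minver, maxver] (inclusive).

    Bounds are compared numerically component by component, so "2.6.9"
    sorts before "2.6.10" (the original compared the strings, which also
    made an empty maxver unsatisfiable). An empty bound is open. An empty
    *verstr* never matches, so nothing is reported applicable by accident.
    """
    current = _verTuple(verstr)
    if not current:
        return False
    low = _verTuple(minver)
    high = _verTuple(maxver)
    return (not low or current >= low) and (not high or current <= high)


if version == "":
    print("[-] Could not read the kernel version from /proc/version; kernel-version matching is skipped\n")

# lists to hold ranked, applicable sploits
# note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks
# all applicable exploits should be checked and this function could probably use some improvement
avgprob = []
highprob = []
langsText = str(langs)  # the language checks below are plain substring tests on this text
for sploit in sploits:
    entry = sploits[sploit]
    keyword = entry["keywords"]["val"]
    sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + entry["exploitdb"] + " || " + "Language=" + entry["lang"]
    # first check for kernel applicability
    if not _inRange(version, entry["minver"], entry["maxver"]):
        continue
    # next check language applicability. A 'c' exploit needs a compiler; it must not fall
    # through to the generic substring test, which the original did and which is satisfied
    # by any tool path containing the letter 'c'.
    if entry["lang"] == "c":
        langFound = ("gcc" in langsText) or ("cc" in langsText)
    elif entry["lang"] == "sh":
        langFound = True
    else:
        langFound = entry["lang"] in langsText
    if not langFound:
        sploitout = sploitout + "**"  # mark exploits whose language was not detected on the system
    # next check keyword matches to determine if some sploits have a higher probability of success.
    # Locations are tried in order; the first one that classifies the entry wins. Unlike the
    # original, an unmatched 'proc' location moves on to the next location instead of dropping
    # the entry, so the 'pkg' location that follows it is reachable.
    for loc in entry["keywords"]["loc"]:
        if loc == "proc":
            matched = any(keyword in procline for procline in procs)
        elif loc == "os":
            matched = (keyword in osname) or (keyword in kernel)
        elif loc == "mnt":
            # substring test per mount line; the original's `keyword in mount` tested list
            # membership against whole lines and could never match
            matched = any(keyword in mountline for mountline in mount)
        else:
            # 'kernel' and 'pkg': considered applicable on kernel version alone
            avgprob.append(sploitout)
            break
        if matched:
            highprob.append(sploitout)
            break

print(" Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!")
print("")
print(" The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system")
for exploit in highprob:
    print(" - " + exploit)
print("")
print(" The following exploits are applicable to this kernel version and should be investigated as well")
for exploit in avgprob:
    print(" - " + exploit)
print("")
print("Finished")
print(bigline)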
