Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
executable file 1322 lines (1156 sloc) 38.1 KB
#!/bin/bash
#
# Copyright 2016, Mariusz "mzet" Ziulek
#
# linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
# This is free software, and you are welcome to redistribute it
# under the terms of the GNU General Public License. See LICENSE
# file for usage of this software.
#
VERSION=v0.6
# bash colors
txtred="\e[0;31m"
txtgrn="\e[0;32m"
txtblu="\e[0;36m"
txtrst="\e[0m"
# input data
UNAME_A=""
# parsed data for current OS
KERNEL=""
OS=""
DISTRO=""
ARCH=""
PKG_LIST=""
opt_fetch_bins=false
opt_fetch_srcs=false
opt_kernel_version=false
opt_uname_string=false
opt_pkglist_file=false
opt_full=false
opt_summary=false
opt_kernel_only=false
opt_userspace_only=false
opt_show_dos=false
ARGS=
SHORTOPTS="hVfbsu:k:dp:g"
LONGOPTS="help,version,full,fetch-binaries,fetch-sources,uname:,kernel:,show-dos,pkglist-file:,grepable,kernelspace-only,userspace-only"
## exploits database
declare -a EXPLOITS
declare -a EXPLOITS_USERSPACE
############ LINUX KERNELSPACE EXPLOITS ####################
n=0
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} elflbl
Reqs: pkg=linux-kernel,ver=2.4.29
Tags:
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/elflbl
exploit-db: 744
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} uselib()
Reqs: pkg=linux-kernel,ver=2.4.29
Tags:
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
exploit-db: 778
Comments: Known to work only for 2.4 series (even though 2.6 is also vulnerable)
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} krad3
Reqs: pkg=linux-kernel,ver>=2.6.5,ver<=2.6.11
Tags:
exploit-db: 1397
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-0077]${txtrst} mremap_pte
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.2
Tags:
exploit-db: 160
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} raptor_prctl
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
exploit-db: 2031
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
exploit-db: 2004
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl2
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
exploit-db: 2005
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl3
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
exploit-db: 2006
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl4
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
exploit-db: 2011
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-3626]${txtrst} h00lyshit
Reqs: pkg=linux-kernel,ver>=2.6.8,ver<=2.6.16
Tags:
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/h00lyshit
exploit-db: 2013
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-0600]${txtrst} vmsplice1
Reqs: pkg=linux-kernel,ver>=2.6.17,ver<=2.6.24
Tags:
exploit-db: 5092
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-0600]${txtrst} vmsplice2
Reqs: pkg=linux-kernel,ver>=2.6.23,ver<=2.6.24
Tags:
exploit-db: 5093
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-4210]${txtrst} ftrex
Reqs: pkg=linux-kernel,ver>=2.6.11,ver<=2.6.22
Tags:
exploit-db: 6851
Comments: world-writable sgid directory and shell that does not drop sgid privs upon exec (ash/sash) are required
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-4210]${txtrst} exit_notify
Reqs: pkg=linux-kernel,ver>=2.6.25,ver<=2.6.29
Tags:
exploit-db: 8369
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692]${txtrst} sock_sendpage (simple version)
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11
exploit-db: 9479
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=9.04
analysis-url: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9435.tgz
exploit-db: 9435
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage2
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags:
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9436.tgz
exploit-db: 9436
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage3
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags:
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9641.tar.gz
exploit-db: 9641
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage (ppc)
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=8.10,RHEL=4|5
exploit-db: 9545
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg (by spender)
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
Tags:
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9574.tgz
exploit-db: 9574
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
Tags: debian=4
exploit-db: 9575
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} ip_append_data
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86
Tags: fedora=4|5|6,RHEL=4
exploit-db: 9542
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 1
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
exploit-db: 33321
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 2
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
exploit-db: 33322
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 3
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
exploit-db: 10018
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3301]${txtrst} ptrace_kmod2
Reqs: pkg=linux-kernel,ver>=2.6.26,ver<=2.6.34
Tags: debian=6,ubuntu=10.04|10.10
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/kmod2
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/ptrace-kmod
bin-url: https://www.kernel-exploits.com/media/ptrace_kmod2-64
exploit-db: 15023
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-1146]${txtrst} reiserfs
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=2.6.34
Tags: ubuntu=9.10
exploit-db: 12130
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-2959]${txtrst} can_bcm
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=2.6.36
Tags: ubuntu=10.04
bin-url: https://www.kernel-exploits.com/media/can_bcm
exploit-db: 14814
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3904]${txtrst} rds
Reqs: pkg=linux-kernel,ver>=2.6.30,ver<=2.6.36
Tags: debian=6,ubuntu=10.10|10.04|9.10,fedora=16
analysis-url: http://www.securityfocus.com/archive/1/514379
bin-url: https://www.kernel-exploits.com/media/rds
bin-url: https://www.kernel-exploits.com/media/rds64
exploit-db: 15285
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3848,CVE-2010-3850,CVE-2010-4073]${txtrst} half_nelson
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=10.04|9.10
bin-url: https://www.kernel-exploits.com/media/half-nelson3
exploit-db: 17787
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root
Reqs: pkg=linux-kernel,ver>=2.6.34,ver<=2.6.36,x86
Tags: ubuntu=10.10
exploit-db: 15916
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root 2
Reqs: pkg=linux-kernel,ver>=2.6.34,ver<=2.6.36
Tags: ubuntu=10.10
exploit-db: 15944
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-4347]${txtrst} american-sign-language
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags:
exploit-db: 15774
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3437]${txtrst} pktcdvd
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=10.04
exploit-db: 15150
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3081]${txtrst} video4linux
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.33
Tags: RHEL=5
exploit-db: 15024
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056]${txtrst} memodipper
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=3.1.0
Tags: ubuntu=10.04|11.10
analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/
src-url: https://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
bin-url: https://www.kernel-exploits.com/media/memodipper
bin-url: https://www.kernel-exploits.com/media/memodipper64
exploit-db: 18411
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056,CVE-2010-3849,CVE-2010-3850]${txtrst} full-nelson
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=9.10|10.04|10.10,ubuntu=10.04.1
src-url: http://vulnfactory.org/exploits/full-nelson.c
bin-url: https://www.kernel-exploits.com/media/full-nelson
bin-url: https://www.kernel-exploits.com/media/full-nelson64
exploit-db: 15704
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1858]${txtrst} CLONE_NEWUSER|CLONE_FS
Reqs: pkg=linux-kernel,ver=3.8
Tags:
src-url: http://stealth.openwall.net/xSports/clown-newuser.c
analysis-url: https://lwn.net/Articles/543273/
exploit-db: 38390
author: Sebastian Krahmer
Comments: CONFIG_USER_NS needs to be enabled
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} perf_swevent
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9
Tags: RHEL=6,ubuntu=12.04
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
bin-url: https://www.kernel-exploits.com/media/perf_swevent
bin-url: https://www.kernel-exploits.com/media/perf_swevent64
exploit-db: 26131
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} perf_swevent 2
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9,x86_64
Tags: ubuntu=12.04
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
src-url: https://cyseclabs.com/exploits/vnik_v1.c
exploit-db: 33589
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-0268]${txtrst} msr
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<3.7.6
Tags:
exploit-db: 27297
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1959]${txtrst} userns_root_sploit
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<3.8.9
Tags:
analysis-url: http://www.openwall.com/lists/oss-security/2013/04/29/1
exploit-db: 25450
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1979]${txtrst} socket_problem (DoS)
Reqs: pkg=linux-kernel,ver>=3.8.0,ver<3.8.11
Tags:
analysis-url: https://utcc.utoronto.ca/~cks/space/blog/linux/UnderstandingCredentialsCVE
exploit-db:
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} semtex
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9
Tags: RHEL=6
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
exploit-db: 25444
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0038]${txtrst} timeoutpwn
Reqs: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1
Tags: ubuntu=13.10
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
bin-url: https://www.kernel-exploits.com/media/timeoutpwn64
exploit-db: 31346
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0038]${txtrst} timeoutpwn 2
Reqs: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1
Tags: ubuntu=13.10|13.04
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
exploit-db: 31347
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0196]${txtrst} rawmodePTY
Reqs: pkg=linux-kernel,ver>=2.6.31,ver<=3.14.3
Tags:
analysis-url: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
exploit-db: 33516
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-2851]${txtrst} use-after-free in ping_init_sock() (DoS)
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.14
Tags:
analysis-url: https://cyseclabs.com/page?n=02012016
exploit-db: 32926
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4014]${txtrst} inode_capable
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.13
Tagss: ubuntu=12.04
analysis-url: http://www.openwall.com/lists/oss-security/2014/06/10/4
exploit-db: 33824
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4699]${txtrst} ptrace/sysret
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.8
Tags: ubuntu=12.04
analysis-url: http://www.openwall.com/lists/oss-security/2014/07/08/16
exploit-db: 34134
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4943]${txtrst} PPPoL2TP (DoS)
Reqs: pkg=linux-kernel,ver>=3.15
Tags:
analysis-url: https://cyseclabs.com/page?n=01102015
exploit-db: 36267
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-5207]${txtrst} fuse_suid
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.16.1
Tags:
exploit-db: 34923
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: [CVE-2015-9322] BadIRET (DoS)
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<3.17.5,x86_64
Tags: RHEL<=7,fedora=20
analysis-url: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
exploit-db: 36266
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3290]${txtrst} espfix64_NMI
Reqs: pkg=linux-kernel,ver>=3.13,x86_64
Tags:
analysis-url: http://www.openwall.com/lists/oss-security/2015/08/04/8
exploit-db: 37722
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} bluetooth
Reqs: pkg=linux-kernel,ver<=2.6.11
Tags:
exploit-db: 4756
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1328]${txtrst} overlayfs
Reqs: pkg=linux-kernel,ver>=3.13.0,ver<=3.19.0
Tags: ubuntu=12.04|14.04|14.10|15.04
analysis-url: http://seclists.org/oss-sec/2015/q2/717
bin-url: https://www.kernel-exploits.com/media/ofs_32
bin-url: https://www.kernel-exploits.com/media/ofs_64
exploit-db: 37292
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8660]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
Tags:
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db: 39230
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8660]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
Tags: ubuntu=14.04|15.10
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db: 39166
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-0728]${txtrst} keyring
Reqs: pkg=linux-kernel,ver>=3.10
Tags:
analysis-url: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
exploit-db: 40003
Comments: Exploit takes about ~30 minutes to run
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-2384]${txtrst} usb-midi
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.4.8
Tags: ubuntu=14.04,fedora=22
analysis-url: https://xairy.github.io/blog/2016/cve-2016-2384
src-url: https://raw.githubusercontent.com/xairy/CVE-2016-2384/master/poc.c
exploit-db:
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5195]${txtrst} dirtycow
Reqs: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
Tags: RHEL=5|6|7,debian=7|8,ubuntu=16.10|16.04|14.04|12.04
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
exploit-db: 40611
author: Phil Oester
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5195]${txtrst} dirtycow 2
Reqs: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
Tags: RHEL=5|6|7,debian=7|8,ubuntu=16.10|16.04|14.04|12.04
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
exploit-db: 40616
author: Robin Verton
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-8655]${txtrst} chocobo_root
Reqs: pkg=linux-kernel,ver>=4.4.0,ver<4.9
Tags: ubuntu=16.04|14.04
analysis-url: http://www.openwall.com/lists/oss-security/2016/12/06/1
exploit-db: 40871
author: rebel
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-6074]${txtrst} dccp
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=4.9.11
Tags: ubuntu=16.04
analysis-url: http://www.openwall.com/lists/oss-security/2017/02/22/3
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
exploit-db: 41458
author: Andrey Konovalov
EOF
)
EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-7308]${txtrst} af_packet
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.6
Tags: ubuntu=16.04(kernel:4.8.0-41)
analysis-url: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
exploit-db: 41994
author: Andrey Konovalov
EOF
)
############ USERSPACE EXPLOITS ###########################
n=0
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-0186]${txtrst} samba
Reqs: pkg=samba,ver<=2.2.8
Tags:
exploit-db: 23674
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-1185]${txtrst} udev
Reqs: pkg=udev
Tags: ubuntu=8.10|9.04
exploit-db: 8572
Comments: Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-1185]${txtrst} udev 2
Reqs: pkg=udev
Tags:
exploit-db: 8478
Comments: SSH access to non privileged user is needed. Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-0832]${txtrst} PAM MOTD
Reqs: pkg=libpam-modules,ver<=1.1.1
Tags: ubuntu=9.10|10.04
exploit-db: 14339
Comments: SSH access to non privileged user is needed
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: [CVE-2011-1485] pkexec
Reqs: pkg=polkit,ver=0.96
Tags: RHEL=6,ubuntu=10.04|10.10
exploit-db: 17942
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0809]${txtrst} death_star (sudo)
Reqs: pkg=sudo,ver>=1.8.0,ver<=1.8.3
Tags: fedora=16
analysis-url: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
exploit-db: 18436
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: [CVE-2014-0476] chkrootkit
Reqs: pkg=chkrootkit,ver<0.50
Tags:
analysis-url: http://seclists.org/oss-sec/2014/q2/430
exploit-db: 33899
Comments: Rooting depends on the crontab (up to one day of dealy)
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-5119]${txtrst} __gconv_translit_find
Reqs: pkg=glibc|libc6,x86
Tags: debian=6
analysis-url: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/34421.tar.gz
exploit-db: 34421
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1862]${txtrst} newpid (abrt)
Reqs: pkg=abrt
Tags: fedora=20
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db: 36746
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3315]${txtrst} raceabrt
Reqs: pkg=abrt
Tags: fedora=21,RHEL=7
analysis-url: http://seclists.org/oss-sec/2015/q2/130
src-url: https://gist.githubusercontent.com/taviso/fe359006836d6cd1091e/raw/32fe8481c434f8cad5bcf8529789231627e5074c/raceabrt.c
exploit-db: 36747
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1318]${txtrst} newpid (apport)
Reqs: pkg=apport,ver>=2.13,ver<=2.17
Tags: ubuntu=14.04
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db: 36746
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1318]${txtrst} newpid (apport) 2
Reqs: pkg=apport,ver>=2.13,ver<=2.17
Tags: ubuntu=14.04.2
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
exploit-db: 36782
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3202]${txtrst} fuse (fusermount)
Reqs: pkg=fuse,ver<2.9.3
Tags: debian=7.0|8.0,ubuntu=*
analysis-url: http://seclists.org/oss-sec/2015/q2/520
exploit-db: 37089
Comments: Needs cron or system admin interaction
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1815]${txtrst} setroubleshoot
Reqs: pkg=setroubleshoot,ver<3.2.22
Tags: fedora=21
exploit-db: 36564
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3246]${txtrst} userhelper
Reqs: pkg=libuser,ver<=0.60
Tags: RHEL<=7
analysis-url: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
exploit-db: 37706
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-6565]${txtrst} not_an_sshnuke
Reqs: pkg=openssh-server,ver>=6.8,ver<=6.9
Tags:
analysis-url: http://www.openwall.com/lists/oss-security/2017/01/26/2
exploit-db: 41173
author: Federico Bento
Comments: Needs admin interaction (root user needs to login via ssh to trigger exploitation)
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-1240]${txtrst} tomcat-rootprivesc-deb.sh
Reqs: pkg=tomcat
Tags: debian=8,ubuntu=16.04
analysis-url: https://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
src-url: http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh
exploit-db: 40450
author: Dawid Golunski
Comments: Affects only Debian-based distros
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-1247]${txtrst} nginxed-root.sh
Reqs: pkg=nginx|nginx-full
Tags: debian=8,ubuntu=14.04|16.04|16.10
analysis-url: https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
src-url: https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh
exploit-db: 40768
author: Dawid Golunski
Comments: Rooting depends on cron.daily (up to 24h of dealy). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-1531]${txtrst} perl_startup (exim)
Reqs: pkg=exim,ver<4.86.2
Tags:
analysis-url: http://www.exim.org/static/doc/CVE-2016-1531.txt
exploit-db: 39549
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-1531]${txtrst} perl_startup (exim) 2
Reqs: pkg=exim,ver<4.86.2
Tags:
analysis-url: http://www.exim.org/static/doc/CVE-2016-1531.txt
exploit-db: 39535
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4989]${txtrst} setroubleshoot 2
Reqs: pkg=setroubleshoot
Tags: RHEL=6|7
analysis-url: https://c-skills.blogspot.com/2016/06/lets-feed-attacker-input-to-sh-c-to-see.html
src-url: https://github.com/stealth/troubleshooter/blob/master/straight-shooter.c
exploit-db:
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5425]${txtrst} tomcat-RH-root.sh
Reqs: pkg=tomcat
Tags: RHEL=7
analysis-url: http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
src-url: http://legalhackers.com/exploits/tomcat-RH-root.sh
exploit-db: 40488
author: Dawid Golunski
Comments: Affects only RedHat-based distros
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-6663,CVE-2016-6664|CVE-2016-6662]${txtrst} mysql-exploit-chain
Reqs: pkg=mysql-server|mariadb-server,ver<5.5.52
Tags: ubuntu=16.04.1
analysis-url: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
src-url: http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
exploit-db: 40678
author: Dawid Golunski
Comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-9566]${txtrst} nagios-root-privesc
Reqs: pkg=nagios,ver<4.2.4
Tags:
analysis-url: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html
src-url: https://legalhackers.com/exploits/CVE-2016-9566/nagios-root-privesc.sh
exploit-db: 40921
author: Dawid Golunski
Comments: Allows priv escalation from nagios user or nagios group
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000367]${txtrst} Sudoer-to-root
Reqs: pkg=sudo,ver<=1.8.20
Tags: RHEL=7(sudo:1.8.6p7)
analysis-url: https://www.sudo.ws/alerts/linux_tty.html
src-url: https://www.qualys.com/2017/05/30/cve-2017-1000367/linux_sudo_cve-2017-1000367.c
exploit-db: 42183
author: Qualys
Comments: Needs to be sudoer. Works only on SELinux enabled systems
EOF
)
EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000367]${txtrst} sudopwn
Reqs: pkg=sudo,ver<=1.8.20
Tags:
analysis-url: https://www.sudo.ws/alerts/linux_tty.html
src-url: https://raw.githubusercontent.com/c0d3z3r0/sudo-CVE-2017-1000367/master/sudopwn.c
exploit-db:
author: c0d3z3r0
Comments: Needs to be sudoer. Works only on SELinux enabled systems
EOF
)
version() {
echo "linux-exploit-suggester "$VERSION", mzet, http://z-labs.eu, October 2016"
}
usage() {
echo "Usage: linux-exploit-suggester.sh [OPTIONS]"
echo
echo " -V | --version - print version of this script"
echo " -h | --help - print this help"
echo " -k | --kernel <version> - provide kernel version"
echo " -u | --uname <string> - provide 'uname -a' string"
echo " -p | --pkglist-file <file> - provide file with 'dpkg -l' or 'rpm -qa' command output"
echo " -s | --fetch-sources - automatically downloads source for matched exploit"
echo " -b | --fetch-binaries - automatically downloads binary for matched exploit if available"
echo " -f | --full - show full info about matched exploit"
echo " -g | --grepable - show grep friendly info about matched exploit"
echo " --kernelspace-only - show only kernel vulnerabilities"
echo " --userspace-only - show only userspace vulnerabilities"
echo " -d | --show-dos - show also DoSes in results"
}
exitWithErrMsg() {
echo "$1" 1>&2
exit 1
}
# extracts all information from output of 'uname -a' command
parseUname() {
local uname=$1
KERNEL=$(echo "$uname" | awk '{print $3}' | cut -d '-' -f 1)
ARCH=$(echo "$uname" | awk '{print $(NF-1)}')
OS=""
echo "$uname" | grep -q -i 'deb' && OS="debian"
echo "$uname" | grep -q -i 'ubuntu' && OS="ubuntu"
echo "$uname" | grep -q -i '\.el' && OS="redhat"
# 'uname -a' output doesn't contain distribution number (at least not in case of all distros)
#DISTRO=""
}
getPkgList() {
local distro=$1
local pkglist_file=$2
# take package listing from provided file & detect if it's 'rpm -qa' listing or 'dpkg -l' listing or not recognized listing
if [ "$opt_pkglist_file" = "true" ]; then
# ubuntu/debian package listing file
if [ $(cat "$pkglist_file" | head -1 | grep 'Desired=Unknown/Install/Remove/Purge/Hold') ]; then
PKG_LIST=$(cat "$pkglist_file" | awk '{print $2"-"$3}' | sed 's/:amd64//g')
# redhat package listing file
elif [ $(cat "$pkglist_file" | head -1 | grep -E '\.el[1-9]+\.') ]; then
PKG_LIST=$(cat "$pkglist_file")
# file not recognized - skipping
else
PKG_LIST=""
fi
elif [ "$distro" = "debian" -o "$distro" = "ubuntu" ]; then
PKG_LIST=$(dpkg -l | awk '{print $2"-"$3}' | sed 's/:amd64//g')
elif [ "$distro" = "redhat" ]; then
PKG_LIST=$(rpm -qa)
else
# packages listing not available
PKG_LIST=""
fi
}
# from: https://stackoverflow.com/questions/4023830/how-compare-two-strings-in-dot-separated-version-format-in-bash
verComparision() {
if [[ $1 == $2 ]]
then
return 0
fi
local IFS=.
local i ver1=($1) ver2=($2)
# fill empty fields in ver1 with zeros
for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
do
ver1[i]=0
done
for ((i=0; i<${#ver1[@]}; i++))
do
if [[ -z ${ver2[i]} ]]
then
# fill empty fields in ver2 with zeros
ver2[i]=0
fi
if ((10#${ver1[i]} > 10#${ver2[i]}))
then
return 1
fi
if ((10#${ver1[i]} < 10#${ver2[i]}))
then
return 2
fi
done
return 0
}
doVersionComparision() {
local reqVersion="$1"
local reqRelation="$2"
local currentVersion="$3"
verComparision $currentVersion $reqVersion
case $? in
0) currentRelation='=';;
1) currentRelation='>';;
2) currentRelation='<';;
esac
if [ "$reqRelation" == "=" ]; then
[ $currentRelation == "=" ] && return 0
elif [ "$reqRelation" == ">" ]; then
[ $currentRelation == ">" ] && return 0
elif [ "$reqRelation" == "<" ]; then
[ $currentRelation == "<" ] && return 0
elif [ "$reqRelation" == ">=" ]; then
[ $currentRelation == "=" ] && return 0
[ $currentRelation == ">" ] && return 0
elif [ "$reqRelation" == "<=" ]; then
[ $currentRelation == "=" ] && return 0
[ $currentRelation == "<" ] && return 0
fi
}
checkRequirement() {
#echo "Checking requirement: $1"
local IN="$1"
local pkgName="${2:4}"
if [[ "$IN" =~ ^pkg=.*$ ]]; then
# always true for Linux OS
[ ${pkgName} == "linux-kernel" ] && return 0
# verify if package is present
pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1)
if [ -n "$pkg" ]; then
return 0
fi
elif [[ "$IN" =~ ^ver.*$ ]]; then
version="${IN//[^0-9.]/}"
rest="${IN#ver}"
operator=${rest%$version}
if [ $pkgName == "linux-kernel" ]; then
doVersionComparision $version $operator $KERNEL && return 0
else
# extract package version and check if requiremnt is true
pkg=$(echo "$PKG_LIST" | grep -E -i "^$pkgName-[0-9]+" | head -1)
# TODO: consider adding --skip-pkg-version option then version won't be checked for userspace pkgs
#[ -n "$pkg" ] && return 0
# versioning:
#echo "pkg: $pkg"
pkgVersion=$(echo "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]' | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g')
#echo "version: $pkgVersion"
#echo "operator: $operator"
#echo "required version: $version"
#echo
doVersionComparision $version $operator $pkgVersion && return 0
fi
elif [[ "$IN" =~ ^x86_64$ ]] && [ "$ARCH" == "x86_64" -o "$ARCH" == "" ]; then
return 0
elif [[ "$IN" =~ ^x86$ ]] && [ "$ARCH" == "i386" -o "$ARCH" == "i686" -o "$ARCH" == "" ]; then
return 0
fi
return 1
}
# parse command line parameters
ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
[ $? != 0 ] && exitWithErrMsg "Aborting."
eval set -- "$ARGS"
while true; do
case "$1" in
-u|--uname)
shift
UNAME_A="$1"
opt_uname_string=true
;;
-V|--version)
version
exit 0
;;
-h|--help)
usage
exit 0
;;
-f|--full)
opt_full=true
;;
-g|--grepable)
opt_summary=true
;;
-b|--fetch-binaries)
opt_fetch_bins=true
;;
-s|--fetch-sources)
opt_fetch_srcs=true
;;
-k|--kernel)
shift
KERNEL="$1"
opt_kernel_version=true
;;
-d|--show-dos)
opt_show_dos=true
;;
-p|--pkglist-file)
shift
PKGLIST_FILE="$1"
opt_pkglist_file=true
;;
--kernelspace-only)
opt_kernel_only=true
;;
--userspace-only)
opt_userspace_only=true
;;
*)
shift
if [ "$#" != "0" ]; then
exitWithErrMsg "Unknown option '$1'. Aborting."
fi
break
;;
esac
shift
done
# exit if both --kernel and --uname are set
[ "$opt_kernel_version" = "true" ] && [ $opt_uname_string = "true" ] && exitWithErrMsg "Switches -u|--uname and -k|--kernel are mutually exclusive. Aborting."
# exit if both --full and --grepable are set
[ "$opt_full" = "true" ] && [ $opt_summary = "true" ] && exitWithErrMsg "Switches -f|--full and -g|--grepable are mutually exclusive. Aborting."
# extract kernel version and other OS info like distro name, distro version, etc. 3 possibilities here:
# case 1: --kernel set
if [ "$opt_kernel_version" == "true" ]; then
# TODO: add kernel version number validation
[ -z "$KERNEL" ] && exitWithErrMsg "Unrecognized kernel version given. Aborting."
ARCH=""
OS=""
# do not consider current OS
getPkgList "" "$PKGLIST_FILE"
# case 2: --uname set
elif [ "$opt_uname_string" == "true" ]; then
[ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
parseUname "$UNAME_A"
# do not consider current OS
getPkgList "" "$PKGLIST_FILE"
# case 3: neither --uname nor --kernel set: take input from current OS
else
UNAME_A=$(uname -a)
[ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
parseUname "$UNAME_A"
# extract package listing from current OS or from specified file (if --pkglist-file used)
getPkgList "$OS" "$PKGLIST_FILE"
fi
echo
echo "Kernel version: $KERNEL"
echo "Architecture: $ARCH"
echo "Distribution: $OS"
if [ -n "$PKGLIST_FILE" -a -n "$PKG_LIST" ]; then
pkgListFile="$PKGLIST_FILE"
elif [ -n "$PKGLIST_FILE" ]; then
pkgListFile="unrecognized file provided"
elif [ -n "$PKG_LIST" ]; then
pkgListFile="from current OS"
fi
echo "Package list: $pkgListFile"
echo
echo "Possible Exploits:"
echo
# handle --kernelspacy-only & --userspace-only filter options
if [ "$opt_kernel_only" = "true" -o -z "$PKG_LIST" ]; then
unset EXPLOITS_USERSPACE
declare -A EXPLOITS_USERSPACE
fi
if [ "$opt_userspace_only" = "true" ]; then
unset EXPLOITS
declare -A EXPLOITS
fi
# start analysis
for EXP in "${EXPLOITS[@]}" "${EXPLOITS_USERSPACE[@]}"; do
# create array from current exploit here doc and fetch needed lines
i=0
# ('-r' is used to not interpret backslash used for bash colors)
while read -r line
do
arr[i]="$line"
i=$((i + 1))
done <<< "$EXP"
REQS="${arr[1]}" && REQS="${REQS:6}"
NAME="${arr[0]}" && NAME="${NAME:6}"
# split line with requirements & loop thru all reqs one by one & check whether it is met
IFS=',' read -r -a array <<< "$REQS"
REQS_NUM=${#array[@]}
PASSED_REQ=0
for REQ in "${array[@]}"; do
if (checkRequirement "$REQ" "${array[0]}"); then
PASSED_REQ=$(($PASSED_REQ + 1))
else
break
fi
done
# execute for exploits with all requirements met
if [ $PASSED_REQ -eq $REQS_NUM ]; then
EXPLOIT_DB=$(echo "$EXP" | grep "exploit-db: " | awk '{print $2}')
analysis_url=$(echo "$EXP" | grep "analysis-url: " | awk '{print $2}')
comments=$(echo "$EXP" | grep "Comments: " | cut -d' ' -f 2-)
tags=$(echo "$EXP" | grep "Tags: " | awk '{print $2}')
reqs=$(echo "$EXP" | grep "Reqs: " | cut -d' ' -f 2)
# exploit name without CVE number and without commonly used special chars
name=$(echo "$NAME" | cut -d' ' -f 2- | tr -d ' ()/')
src_url=$(echo "$EXP" | grep "src-url: " | awk '{print $2}')
[ -z "$src_url" ] && [ -n "$EXPLOIT_DB" ] && src_url="https://www.exploit-db.com/download/$EXPLOIT_DB"
[ -z "$src_url" ] && exitWithErrMsg "Both 'src-url' and 'exploit-db' entries are empty for '$NAME' exploit - fix that. Aborting."
if [ -n "$analysis_url" ]; then
details="$analysis_url"
elif $(echo "$src_url" | grep -q 'www.exploit-db.com'); then
details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
elif [[ "$src_url" =~ ^.*tgz|tar.gz|zip$ && -n "$EXPLOIT_DB" ]]; then
details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
else
details="$src_url"
fi
# skip DoS by default
dos=$(echo "$EXP" | grep -o -i "(dos")
[ "$opt_show_dos" == "false" ] && [ -n "$dos" ] && continue
# handles --fetch-binaries option
if [ $opt_fetch_bins = "true" ]; then
for i in $(echo "$EXP" | grep "bin-url: " | awk '{print $2}'); do
[ -f "${name}_$(basename $i)" ] && rm -f "${name}_$(basename $i)"
wget -q -k "$i" -O "${name}_$(basename $i)"
done
fi
# handles --fetch-sources option
if [ $opt_fetch_srcs = "true" ]; then
[ -f "${name}_$(basename $src_url)" ] && rm -f "${name}_$(basename $src_url)"
wget -q -k "$src_url" -O "${name}_$(basename $src_url)" &
fi
# display result (grepable)
if [ "$opt_summary" = "true" ]; then
[ -z "$tags" ] && tags="-"
echo -e "$NAME || $reqs || $tags || $src_url"
continue
fi
# display result (standard)
echo -e "[+] $NAME"
echo -e "\n Details: $details"
[ -n "$tags" ] && echo -e " Tags: $tags"
echo -e " Download URL: $src_url"
[ -n "$comments" ] && echo -e " Comments: $comments"
# handles --full filter option
if [ "$opt_full" = "true" ]; then
[ -n "$reqs" ] && echo -e " Requirements: $reqs"
[ -n "$EXPLOIT_DB" ] && echo -e " exploit-db: $EXPLOIT_DB"
author=$(echo "$EXP" | grep "author: " | cut -d' ' -f 2-)
[ -n "$author" ] && echo -e " author: $author"
fi
echo
fi
done