large overhaul. we can now specify the playground_path from the comma…

…nd line

README.md

@@ -128,8 +128,8 @@ run modes:
     (uname-mode)            python3 kernelpop.py -u {uname -a output}
     (interactive-mode)      python3 kernelpop.py -i # LEGACY option (same as uname-mode)
 other:
-        (playground path)       -p {new path}
-        (json output file)      --digest json
+    (playground path)       -p {new path}
+    (json output file)      --digest json
 ```
 
 ### default mode (passive)

all_exploits.py

@@ -44,47 +44,47 @@
 from exploits.mac.NULLROOT import NULLROOT
 
 all_exploits = [
-	CVE20040077(),
-	CVE20041235(),
-	CVE20050736(),
-	CVE20062451(),
-	CVE20063626(),
-	CVE20080600(),
-	CVE20080900(),
-	CVE20084210(),
-	CVE20177308(),
-	CVE20171000379(),
-	CVE20030961(),
-	CVE20091185(),
-	CVE20102959(),
-	CVE20104347(),
-	CVE20132094_32(),
-	CVE20132094_64(),
-	CVE20132094_semtex(),
-	CVE20140038(),
-	CVE20140038_2(),
-	CVE20140196(),
-	CVE20143153(),
-	CVE20144014(),
-	CVE20144699(),
-	CVE20151328_32(),
-	CVE20151328_64(),
-	CVE20160728(),
-	CVE20162384(),
-	CVE20165195_32(),
-	CVE20165195_32_poke(),
-	CVE20165195_64(),
-	CVE20165195_64_poke(),
-	CVE20173630(),
-	CVE20175123(),
-	CVE20176074(),
-	CVE20171000112(),
-	CVE20171000367(),
-	CVE20171000370(),
-	CVE20171000371(),
-	CVE20171000372(),
-	CVE20171000373(),
-	CVE20164656(),
-	CVE20155889(),
-	NULLROOT(),
-]
+	CVE20040077,
+	CVE20041235,
+	CVE20050736,
+	CVE20062451,
+	CVE20063626,
+	CVE20080600,
+	CVE20080900,
+	CVE20084210,
+	CVE20177308,
+	CVE20171000379,
+	CVE20030961,
+	CVE20091185,
+	CVE20102959,
+	CVE20104347,
+	CVE20132094_32,
+	CVE20132094_64,
+	CVE20132094_semtex,
+	CVE20140038,
+	CVE20140038_2,
+	CVE20140196,
+	CVE20143153,
+	CVE20144014,
+	CVE20144699,
+	CVE20151328_32,
+	CVE20151328_64,
+	CVE20160728,
+	CVE20162384,
+	CVE20165195_32,
+	CVE20165195_32_poke,
+	CVE20165195_64,
+	CVE20165195_64_poke,
+	CVE20173630,
+	CVE20175123,
+	CVE20176074,
+	CVE20171000112,
+	CVE20171000367,
+	CVE20171000370,
+	CVE20171000371,
+	CVE20171000372,
+	CVE20171000373,
+	CVE20164656,
+	CVE20155889,
+	NULLROOT,
+]

constants.py

@@ -1,5 +1,5 @@
 import os
-import subprocess# gross...but lets us build a single file without dynamic module loads from filepath..maybe rework this
+import subprocess
 
 ROOT_DIR = os.path.dirname(os.path.abspath(__file__))
 PLAYGROUND_PATH = "/tmp"
@@ -176,14 +176,19 @@
 }
 
 USAGE_STRING = \
-"""usage:
-\t(default)\t\tpython3 kernelpop.py
-\t(brute-mode)\tpython3 kernelpop.py -b
-\t(exploit-mode)\tpython3 kernelpop.py -e {exploit name}
-\t(input-mode)\tpython3 kernelpop.py -i
+"""
+-------------
+usage:
+-------------
+run modes:
+	(default)	        python3 kernelpop.py
+	(exploit-mode)	        python3 kernelpop.py -e {exploit name}
+		(dump-source)       python3 kernelpop.py -e {exploit name} -d
+	(uname-mode)            python3 kernelpop.py -u {uname -a output}
+	(interactive-mode)      python3 kernelpop.py -i # LEGACY option (same as uname-mode)
 other:
-\t(json output file) --dump json
-\t(xml output file) --dump xml"""
+	(playground path)       -p {new path}
+	(json output file)      --digest json"""
 
 HEADER = """
 ##########################

exploits/exploit.py

@@ -70,8 +70,7 @@ def write_exploit_source(self):
 		# we have to handle this nastily because python3 is PermissionError and python2 is IOError. PermissionError
 		# doesn't exist on python2...
 		except Exception as e:
-			color_print("\t[!] cannot write exploit source code to destination, permission denied", color="red")
-			color_print("\t\tException: {}".format(e.message))
+			color_print("\t[!] cannot write exploit source code to destination, permission denied (does the path exist?)", color="red")
 			color_print("\t[!] exiting", color="red")
 			exit(0)
 
@@ -176,8 +175,7 @@ def write_exploit_source(self):
 		# we have to handle this nastily because python3 is PermissionError and python2 is IOError. PermissionError
 		# doesn't exist on python2...
 		except Exception as e:
-			color_print("\t[!] cannot write exploit source code to destination, permission denied", color="red")
-			color_print("\t\tException: {}".format(e.message))
+			color_print("\t[!] cannot write exploit source code to destination, permission denied (does the path exist?)", color="red")
 			color_print("\t[!] exiting", color="red")
 			exit(0)
 

exploits/linux/CVE20030961.py

@@ -7,7 +7,7 @@
 
 
 class CVE20030961(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20030961"
 		self.formatted_name = "CVE-2003-0961"
@@ -19,9 +19,10 @@ def __init__(self):
 			KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 4, 22),
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20040077.py

@@ -7,7 +7,7 @@
 
 
 class CVE20040077(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20040077"
 		self.formatted_name = "CVE-2004-0077"
@@ -24,9 +24,10 @@ def __init__(self):
 			KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 4, 27),
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {} -O3 -static -fomit-frame-pointer".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20041235.py

@@ -7,7 +7,7 @@
 
 
 class CVE20041235(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20041235"
 		self.formatted_name = "CVE-2004-1235"
@@ -26,9 +26,10 @@ def __init__(self):
 			KernelWindow(DEBIAN_3, EXPLOIT_AVAILABLE, 0, 0, 0, 2, 4, 19, highest_patch_level="2.4.19-4.woody3"),
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {} -O2 -fomit-frame-pointer".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20050736.py

@@ -7,7 +7,7 @@
 
 
 class CVE20050736(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20050736"
 		self.formatted_name = "CVE-2005-0736"
@@ -22,9 +22,10 @@ def __init__(self):
 			KernelWindow(RHEL, EXPLOIT_AVAILABLE, 2, 6, 0, 2, 6, 9, highest_patch_level="2.6.9-5.EL"),
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {} -static -O2".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20062451.py

@@ -7,7 +7,7 @@
 
 
 class CVE20062451(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20062451"
 		self.formatted_name = "CVE-2006-2451"
@@ -27,9 +27,10 @@ def __init__(self):
 			KernelWindow(SUSE, EXPLOIT_AVAILABLE, 2, 3, 16, 2, 6, 17, highest_patch_level="2.6.17-3")
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {} -O2 -fomit-frame-pointer".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20063626.py

@@ -7,7 +7,7 @@
 
 
 class CVE20063626(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20063626"
 		self.formatted_name = "CVE-2006-3626"
@@ -33,9 +33,10 @@ def __init__(self):
 
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20080600.py

@@ -7,7 +7,7 @@
 
 
 class CVE20080600(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20080600"
 		self.formatted_name = "CVE-2008-0600"
@@ -29,9 +29,10 @@ def __init__(self):
 			KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 2, 6, 23, 2, 6, 24),
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20080900.py

@@ -7,7 +7,7 @@
 
 
 class CVE20080900(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20080900"
 		self.formatted_name = "CVE-2008-0900"
@@ -22,9 +22,10 @@ def __init__(self):
 			KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 24)
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {} -static -Wno-format".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20084210.py

@@ -7,7 +7,7 @@
 
 
 class CVE20084210(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20084210"
 		self.formatted_name = "CVE-2008-4210"
@@ -27,9 +27,10 @@ def __init__(self):
 
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {} -O2 -fomit-frame-pointer".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20091185.py

@@ -11,7 +11,7 @@
 
 
 class CVE20091185(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20091185"
 		self.formatted_name = "CVE-2009-1185"
@@ -25,9 +25,10 @@ def __init__(self):
 		self.exploit_kernels = [
 
 		]
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """

exploits/linux/CVE20102959.py

@@ -6,7 +6,7 @@
 
 
 class CVE20102959(LinuxExploit):
-	def __init__(self):
+	def __init__(self, playground_path=PLAYGROUND_PATH):
 		LinuxExploit.__init__(self)
 		self.name = "CVE20102959"
 		self.formatted_name = "CVE-2010-2959"
@@ -32,9 +32,10 @@ def __init__(self):
 			KernelWindow(UBUNTU_10, EXPLOIT_AVAILABLE, 0, 0, 0, 2, 6, 31, highest_patch_level="2.6.31-608.19"),
 		]
 		self.architecture = ARCHITECTURE_i686
+		self.playground_path = playground_path
 		self.exploit_source_file_name = "{}.c".format(self.name)
-		self.source_c_path = os.path.join(PLAYGROUND_PATH, self.exploit_source_file_name)
-		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
+		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
+		self.compilation_path = os.path.join(self.playground_path, self.name)
 		self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
 		self.exploit_command = self.compilation_path
 		self.exploit_source = """