import errno
import grp
import os
import platform
import socket
import subprocess as sub
import sys
class Item:
    """A named unit of work with an author and a description.

    All three attributes start empty; callers assign them after construction
    and subclasses supply the actual behaviour.
    """

    def __init__(self):
        self.name = self.author = self.description = ""

    def info(self):
        """Return the one-line "<name> by <author> <description>" summary."""
        return f'{self.name} by {self.author} {self.description}'
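class Enumeration(Item):
    """Host-level enumeration: OS family, locally bound TCP ports and the
    group memberships of the running process.

    Every step is a read-only observation of the local host; nothing on the
    system is modified.
    """

    def info(self):
        """Return the base Item summary prefixed with the item kind."""
        return "Enumeration " + Item.info(self)

    def detectos(self):
        """Print the OS family name reported by platform.system()."""
        osystem = platform.system()
        print('OS: ' + str(osystem))

    def getgroup(self):
        """Print and return the group names of the calling process.

        Returns:
            list[str]: one name per gid from os.getgroups(). A gid with no
            entry in the group database (grp raises KeyError) is reported as
            its numeric string instead of aborting the whole enumeration.
        """
        names = []
        for gid in os.getgroups():
            try:
                names.append(grp.getgrgid(gid).gr_name)
            except KeyError:
                names.append(str(gid))
        print(names)
        return names

    def scanopenports(self, ports=None):
        """Find loopback TCP ports that are already bound on this host.

        The probe is a bind() against 127.0.0.1: a port whose bind fails with
        EADDRINUSE is reported. Only that errno counts as "open" -- a
        PermissionError on a privileged port, or any other OSError, must not
        be mistaken for a listener (the original bare ``except`` reported all
        of them). Because the probe address is the loopback address, only
        sockets bound to 127.0.0.1 or to all addresses are detected.

        Args:
            ports: iterable of port numbers to probe; defaults to 1..65535
                (port 0 means "any free port" and 65535 is a valid port).

        Returns:
            list[int]: the ports found in use, in probe order. Each is also
            printed in the "[OPEN] Port open :" format.
        """
        ip = '127.0.0.1'
        if ports is None:
            ports = range(1, 65536)
        in_use = []
        for port in ports:
            # the context manager closes the probe socket on every path,
            # including the successful-bind path that was never closed before
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as serv:
                try:
                    serv.bind((ip, port))
                except OSError as exc:
                    if exc.errno == errno.EADDRINUSE:
                        print('[OPEN] Port open :', port)
                        in_use.append(port)
        return in_use

    def execute(self):
        """Run the three enumeration steps in order."""
        self.detectos()
        self.scanopenports()
        self.getgroup()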
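class PrevEsc(Item):
    """Collect the host facts a privilege-escalation review looks at.

    Each check is a read-only shell command taken from a hard-coded table in
    this class and its output is printed as a report. A table row has the
    shape ``{"cmd": <shell command>, "msg": <report header>,
    "results": <stdout lines>}``; ``executecmd`` fills in "results" and
    ``displayoutput`` prints them.
    """

    @staticmethod
    def _entry(cmd, msg):
        """Build one command-table row; "results" is filled in by executecmd."""
        return {"cmd": cmd, "msg": msg, "results": []}

    def executecmd(self, cmdDict):
        """Run every "cmd" in cmdDict through the shell and store its stdout.

        Args:
            cmdDict: mapping of label -> {"cmd": str, "msg": str, "results": list}.
                Mutated in place: "results" becomes stdout split on "\\n", so an
                empty output yields [""] -- networkinfo relies on that value to
                detect a missing tool.

        Returns:
            the same cmdDict object, for chaining.

        The command strings come only from the hard-coded tables in this
        class, never from user input; shell=True is needed because they use
        pipes and redirections. stderr is captured and discarded so a missing
        tool does not clutter the report.
        """
        for item in cmdDict:
            cmd = cmdDict[item]["cmd"]
            proc = sub.run(cmd, shell=True, stdout=sub.PIPE, stderr=sub.PIPE)
            # errors="replace": /etc/passwd, env and tool output need not be
            # valid UTF-8, and one stray byte must not abort the whole report
            out = proc.stdout.decode('utf-8', errors='replace')
            cmdDict[item]["results"] = out.split('\n')
        return cmdDict

    def displayoutput(self, cmdDict):
        """Print each entry's "msg" header followed by its non-blank lines."""
        for item in cmdDict:
            msg = cmdDict[item]["msg"]
            results = cmdDict[item]["results"]
            print("[+] " + msg)
            for result in results:
                line = result.strip()
                if line != "":
                    print(" " + line)
            print("")

    def sysinfo(self):
        """Report the OS name, the kernel version string and the hostname."""
        sysInfo = {
            "OS": self._entry("hostnamectl |grep 'Operating System' |cut -d : -f 2", "Operating System"),
            "KERNEL": self._entry("cat /proc/version", "Kernel"),
            "HOSTNAME": self._entry("hostname", "Hostname"),
        }
        sysInfo = self.executecmd(sysInfo)
        self.displayoutput(sysInfo)

    def networkinfo(self):
        """Report interfaces, routes and sockets.

        The net-tools commands are tried first; when ifconfig produces no
        output at all (results == [""], typically because net-tools is not
        installed) the iproute2 equivalents are run instead.
        """
        netInfo = {
            "NETINFO": self._entry("/sbin/ifconfig -a", "Interfaces"),
            "ROUTE": self._entry("route", "Route"),
            "NETSTAT": self._entry("netstat -antup | grep -v 'TIME_WAIT'", "Netstat"),
        }
        netInfo = self.executecmd(netInfo)
        if netInfo['NETINFO']['results'] == ['']:
            netInfo = {
                "NETINFO": self._entry("ip address show", "Interfaces"),
                "ROUTE": self._entry("ip route", "Route"),
                "NETSTAT": self._entry("ss -lut | grep -v 'TIME_WAIT'", "Netstat"),
            }
            netInfo = self.executecmd(netInfo)
        self.displayoutput(netInfo)

    def fileinfo(self):
        """Report mounted filesystems and the fstab entries."""
        driveInfo = {
            "MOUNT": self._entry("mount", "Mount results"),
            "FSTAB": self._entry("cat /etc/fstab 2>/dev/null", "fstab entries"),
        }
        driveInfo = self.executecmd(driveInfo)
        self.displayoutput(driveInfo)

    def userInfo(self):
        """Report the current user, accounts, sudoers, sessions and environment.

        Several commands read files that may be root-only (sudoers, /root
        history); their stderr is redirected so a permission denial simply
        yields an empty section.
        """
        userInfo = {
            "WHOAMI": self._entry("whoami", "Current User"),
            "ID": self._entry("id", "Current User ID"),
            "ALLUSERS": self._entry("cat /etc/passwd", "All users"),
            "SUPUSERS": self._entry("grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "Super Users Found:"),
            "HISTORY": self._entry("ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "Root and current user history (depends on privs)"),
            "ENV": self._entry("env 2>/dev/null | grep -v 'LS_COLORS'", "Environment"),
            # raw string: "\|" is not a Python escape, so the plain literal
            # emitted an invalid-escape warning while producing the same bytes
            "GROUPS": self._entry(r"grep 'docker\|lxd' /etc/group", "Users in docker group (https://fosterelli.co/privilege-escalation-via-docker.html) or lxc/lxd (https://github.com/initstring/lxd_root)"),
            "SUDOERS": self._entry("cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "Sudoers (privileged)"),
            "LOGGEDIN": self._entry("w 2>/dev/null", "Logged in User Activity"),
            "SSHSESSION": self._entry("ls /tmp/ssh* 2>/dev/null", "SSH Agent Connexion (https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/)"),
            "MULTIPLEX": self._entry("screen -ls 2> /dev/null || true && tmux ls 2> /dev/null", "Screen and Tmux socket (another user session may be open)"),
        }
        userInfo = self.executecmd(userInfo)
        self.displayoutput(userInfo)

    def privesc(self):
        """Match the vulnerability table against the host (currently inert).

        NOTE(review): this method is not called from execute() and cannot run
        as written -- it references ``checkVer``, ``version``, ``langs`` and
        ``procs``, none of which is defined or imported in this file, so the
        first loop iteration raises NameError. It is kept verbatim for
        reference. Known defects in the kept code: the key "Sendpage Local
        Privilege Escalation" appears twice, so the second literal silently
        replaces the first in the dict; ``avgprob`` is never used and
        ``highprob`` is built but discarded (nothing is returned). The
        indentation was lost in the copy this was taken from, so the nesting
        below -- in particular the placement of the final ``break`` -- is a
        reconstruction to confirm against the original.
        """
        vul = {
            "Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds":{"minver":"4.4.0", "maxver":"4.14.18", "exploitdb":"47779", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}},
            "OpenSMTPD - OOB Read Local Privilege Escalation": {"minver": "6.4.0", "maxver": "6.6.4", "exploitdb": "48185", "lang": "ruby", "keywords": {"loc": ["proc", "pkg"], "val": "opensmtpd"}},
            "Linux BPF Sign Extension Local Privilege Escalation":{"minver":"5.3", "maxver":"5.4.2", "exploitdb":"45058", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
            "Linux Kernel 2.6.22 < 3.9 (x86/x64) - Dirty COW - SUID Method":{"minver":"2.6.22", "maxver":"3.9", "exploitdb":"40616", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
            "Linux Kernel 2.6.22 < 3.9 (x86/x64) - Dirty COW - Firefart":{"minver":"2.6.22", "maxver":"3.9", "exploitdb":"40839", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
            "Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation":{"minver":"2.6.39", "maxver":"3.2.2", "exploitdb":"18411", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
            "2.2.x-2.4.x ptrace kmod local exploit": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "3", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "< 2.4.20 Module Loader Local Root Exploit": {"minver": "0", "maxver": "2.4.20", "exploitdb": "12", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4.22 "'do_brk()'" local Root Exploit (PoC)": {"minver": "2.4.22", "maxver": "2.4.22", "exploitdb": "129", "lang": "asm", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "<= 2.4.22 (do_brk) Local Root Exploit (working)": {"minver": "0", "maxver": "2.4.22", "exploitdb": "131", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4.x mremap() bound checking Root Exploit": {"minver": "2.4", "maxver": "2.4.99", "exploitdb": "145", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "<= 2.4.29-rc2 uselib() Privilege Elevation": {"minver": "0", "maxver": "2.4.29", "exploitdb": "744", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4 uselib() Privilege Elevation Exploit": {"minver": "2.4", "maxver": "2.4", "exploitdb": "778", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "895", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "926", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "bluez"}},
            "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)": {"minver": "0", "maxver": "2.6.11", "exploitdb": "1397", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit": {"minver": "0", "maxver": "99", "exploitdb": "1518", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "mysql"}},
            "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2004", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2005", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2006", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2011", "lang": "sh", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "<= 2.6.17.4 (proc) Local Root Exploit": {"minver": "0", "maxver": "2.6.17.4", "exploitdb": "2013", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2031", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit": {"minver": "4.10", "maxver": "7.04", "exploitdb": "3384", "lang": "c", "keywords": {"loc": ["os"], "val": "debian"}},
            "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit": {"minver": "2.4", "maxver": "2.6", "exploitdb": "4460", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit": {"minver": "0", "maxver": "2.6.11.5", "exploitdb": "4756", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "bluetooth"}},
            "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit": {"minver": "2.6.17", "maxver": "2.6.24.1", "exploitdb": "5092", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6.23 - 2.6.24 vmsplice Local Root Exploit": {"minver": "2.6.23", "maxver": "2.6.24", "exploitdb": "5093", "lang": "c", "keywords": {"loc": ["os"], "val": "debian"}},
            "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit": {"minver": "0", "maxver": "99", "exploitdb": "5720", "lang": "python", "keywords": {"loc": ["os"], "val": "debian"}},
            "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit": {"minver": "0", "maxver": "2.6.22", "exploitdb": "6851", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "< 2.6.29 exit_notify() Local Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.29", "exploitdb": "8369", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6 UDEV Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8478", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "udev"}},
            "2.6 UDEV < 141 Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8572", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "udev"}},
            "2.6.x ptrace_attach Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8673", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6.29 ptrace_attach() Local Root Race Condition Exploit": {"minver": "2.6.29", "maxver": "2.6.29", "exploitdb": "8678", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit": {"minver": "0", "maxver": "2.6.28.3", "exploitdb": "9083", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Test Kernel Local Root Exploit 0day": {"minver": "2.6.18", "maxver": "2.6.30", "exploitdb": "9191", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)": {"minver": "2.6.9", "maxver": "2.6.30", "exploitdb": "9208", "lang": "c", "keywords": {"loc": ["pkg"], "val": "pulse"}},
            "2.x sock_sendpage() Local Ring0 Root Exploit": {"minver": "2", "maxver": "2.99", "exploitdb": "9435", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.x sock_sendpage() Local Root Exploit 2": {"minver": "2", "maxver": "2.99", "exploitdb": "9436", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9479", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit": {"minver": "2.6", "maxver": "2.6.19", "exploitdb": "9542", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9545", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)": {"minver": "0", "maxver": "2.6.19", "exploitdb": "9574", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "< 2.6.19 udp_sendmsg Local Root Exploit": {"minver": "0", "maxver": "2.6.19", "exploitdb": "9575", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4/2.6 sock_sendpage() Local Root Exploit [2]": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9598", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4/2.6 sock_sendpage() Local Root Exploit [3]": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9641", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation": {"minver": "2.4.1", "maxver": "2.6.32", "exploitdb": "9844", "lang": "python", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "'pipe.c' Local Privilege Escalation Vulnerability": {"minver": "2.4.1", "maxver": "2.6.32", "exploitdb": "10018", "lang": "sh", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.6.18-20 2009 Local Root Exploit": {"minver": "2.6.18", "maxver": "2.6.20", "exploitdb": "10613", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Apache Spamassassin Milter Plugin Remote Root Command Execution": {"minver": "0", "maxver": "99", "exploitdb": "11662", "lang": "sh", "keywords": {"loc": ["proc"], "val": "spamass-milter"}},
            "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation": {"minver": "0", "maxver": "2.6.34", "exploitdb": "12130", "lang": "python", "keywords": {"loc": ["mnt"], "val": "reiser"}},
            "Ubuntu PAM MOTD local root": {"minver": "7", "maxver": "10.04", "exploitdb": "14339", "lang": "sh", "keywords": {"loc": ["os"], "val": "ubuntu"}},
            "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.36", "exploitdb": "14814", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Kernel ia32syscall Emulation Privilege Escalation": {"minver": "0", "maxver": "2.6.36", "exploitdb": "15023", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Linux RDS Protocol Local Privilege Escalation": {"minver": "0", "maxver": "2.6.36", "exploitdb": "15285", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "<= 2.6.37 Local Privilege Escalation (Full Nelson)": {"minver": "0", "maxver": "2.6.37", "exploitdb": "15704", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "< 2.6.37-rc2 ACPI custom_method Privilege Escalation": {"minver": "0", "maxver": "2.6.37", "exploitdb": "15774", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "CAP_SYS_ADMIN to root Exploit": {"minver": "0", "maxver": "99", "exploitdb": "15916", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)": {"minver": "0", "maxver": "99", "exploitdb": "15944", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "< 2.6.36.2 Econet Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.36.2", "exploitdb": "17787", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Sendpage Local Privilege Escalation": {"minver": "2.4.4", "maxver": "2.4.37.4", "exploitdb": "19933", "lang": "ruby", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Sendpage Local Privilege Escalation": {"minver": "2.6.0", "maxver": "2.6.30.4", "exploitdb": "19933", "lang": "ruby", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability": {"minver": "2.4.18", "maxver": "2.4.19", "exploitdb": "21598", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "22362", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "22363", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
            "Samba 2.2.8 Share Local Privilege Elevation Vulnerability": {"minver": "2.2.8", "maxver": "2.2.8", "exploitdb": "23674", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "samba"}},
            "open-time Capability file_ns_capable() Privilege Escalation": {"minver": "0", "maxver": "3.8.9", "exploitdb": "25450", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}},
        }
        avgprob = []
        highprob = []
        for sploit in vul:
            lang = 0  # use to rank applicability of vul
            keyword = vul[sploit]["keywords"]["val"]
            sploitout = sploit + " || " + "https://www.exploit-db.com/exploits/" + \
                vul[sploit]["exploitdb"] + " || " + \
                "Language=" + vul[sploit]["lang"]
            # first check for kernel applicability
            # the plain string comparison below was abandoned because it orders
            # multi-digit components wrongly (e.g. "4.4" sorts after "4.14")
            #if (version >= vul[sploit]["minver"]) and (version <= vul[sploit]["maxver"]):
            if checkVer(version, vul[sploit]["minver"], vul[sploit]["maxver"]):
                # next check language applicability
                if (vul[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
                    lang = 1  # language found, increase applicability score
                elif vul[sploit]["lang"] == "sh":
                    lang = 1  # language found, increase applicability score
                elif (vul[sploit]["lang"] in str(langs)):
                    lang = 1  # language found, increase applicability score
                if lang == 0:
                    sploitout = sploitout + "**"  # added mark if language not detected on system
                # next check keyword matches to determine if some vul have a higher probability of success
                for loc in vul[sploit]["keywords"]["loc"]:
                    if loc == "proc":
                        for proc in procs:
                            if keyword in proc:
                                # if sploit is associated with a running process consider it a higher probability/applicability
                                highprob.append(sploitout)
                                break
                        # NOTE(review): reconstructed placement -- as written it
                        # stops after the first "proc" location is examined
                        break

    def execute(self):
        """Run the four reporting steps in order (privesc is not part of the run)."""
        self.sysinfo()
        self.networkinfo()
        self.fileinfo()
        self.userInfo()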
def main():
    """Entry point: run host enumeration, then the privilege-escalation report."""
    for step_cls in (Enumeration, PrevEsc):
        step_cls().execute()


if __name__ == "__main__":
    main()