From 2f721b9c7c300e91305c5bed263d8179bd3fa786 Mon Sep 17 00:00:00 2001 From: "Abdulrahman Alhajri (alhajria9)" Date: Tue, 6 Apr 2021 22:18:19 +0530 Subject: [PATCH] Add files via upload added new leap software for local machine enumeration and privilege escalation --- leaps.py | 237 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 237 insertions(+) create mode 100644 leaps.py diff --git a/leaps.py b/leaps.py new file mode 100644 index 0000000..742b192 --- /dev/null +++ b/leaps.py @@ -0,0 +1,237 @@ +import platform +import os,grp +import socket +import subprocess as sub +import sys +class Item: + def __init__(self): + self.name=""; + self.author=""; + self.description=""; + def info(self): + return f'{self.name} by {self.author} {self.description}' +class Enumeration(Item): + + def info(self): + return "Enumeration "+Item.info(self) + + def detectos(self): + osystem=platform.system() + print('OS: '+str(osystem)) + def getgroup(self): + print([grp.getgrgid(g).gr_name for g in os.getgroups()]) + return [grp.getgrgid(g).gr_name for g in os.getgroups()] + def scanopenports(self): + ip = '127.0.0.1' #getting ip-address of host + for port in range(65535): #check for all available ports + try: + serv = socket.socket(socket.AF_INET,socket.SOCK_STREAM) # create a new socket + serv.bind((ip,port)) # bind socket with address + + except: + print('[OPEN] Port open :',port) #print open port number + + serv.close() #close connection + + def execute(self): + # esc="sudo bash" + # print("OS : "+str(os.system(esc))) + self.detectos() + self.scanopenports() + self.getgroup() +class PrevEsc(Item): + def executecmd(self,cmdDict): + for item in cmdDict: + cmd = cmdDict[item]["cmd"] + out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate() + if (sys.version_info > (3, 0)): + out = out.decode('utf-8') + results = out.split('\n') + cmdDict[item]["results"] = results + return cmdDict + def displayoutput(self,cmdDict): + for item in cmdDict: + msg = cmdDict[item]["msg"] + results = cmdDict[item]["results"] + print("[+] " + msg) + for result in results: + if result.strip() != "": + print(" " + result.strip()) + print("") + return + def sysinfo(self): + + # Basic system info + + results = [] + + sysInfo = {"OS": {"cmd": "hostnamectl |grep 'Operating System' |cut -d : -f 2", "msg": "Operating System", "results": results}, + "KERNEL": {"cmd": "cat /proc/version", "msg": "Kernel", "results": results}, + "HOSTNAME": {"cmd": "hostname", "msg": "Hostname", "results": results} + } + + sysInfo = self.executecmd(sysInfo) + self.displayoutput(sysInfo) + def networkinfo(self): + + results = [] + netInfo = {"NETINFO": {"cmd": "/sbin/ifconfig -a", "msg": "Interfaces", "results": results}, + "ROUTE": {"cmd": "route", "msg": "Route", "results": results}, + "NETSTAT": {"cmd": "netstat -antup | grep -v 'TIME_WAIT'", "msg": "Netstat", "results": results} + } + + netInfo = self.executecmd(netInfo) + + if netInfo['NETINFO']['results'] == ['']: + netInfo = {"NETINFO": {"cmd": "ip address show", "msg": "Interfaces", "results": results}, + "ROUTE": {"cmd": "ip route", "msg": "Route", "results": results}, + "NETSTAT": {"cmd": "ss -lut | grep -v 'TIME_WAIT'", "msg": "Netstat", "results": results} + } + netInfo = self.executecmd(netInfo) + + + self.displayoutput(netInfo) + + def fileinfo(self): + + results = [] + driveInfo = {"MOUNT": {"cmd": "mount", "msg": "Mount results", "results": results}, + "FSTAB": {"cmd": "cat /etc/fstab 2>/dev/null", "msg": "fstab entries", "results": results} + } + driveInfo = self.executecmd(driveInfo) + self.displayoutput(driveInfo) + def userInfo(self): + results = [] + userInfo = {"WHOAMI": {"cmd": "whoami", "msg": "Current User", "results": results}, + "ID": {"cmd": "id", "msg": "Current User ID", "results": results}, + "ALLUSERS": {"cmd": "cat /etc/passwd", "msg": "All users", "results": results}, + "SUPUSERS": {"cmd": "grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg": "Super Users Found:", "results": results}, + "HISTORY": {"cmd": "ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg": "Root and current user history (depends on privs)", "results": results}, + "ENV": {"cmd": "env 2>/dev/null | grep -v 'LS_COLORS'", "msg": "Environment", "results": results}, + "GROUPS":{"cmd":"grep 'docker\|lxd' /etc/group", "msg":"Users in docker group (https://fosterelli.co/privilege-escalation-via-docker.html) or lxc/lxd (https://github.com/initstring/lxd_root)", "results":results}, + "SUDOERS": {"cmd": "cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg": "Sudoers (privileged)", "results": results}, + "LOGGEDIN": {"cmd": "w 2>/dev/null", "msg": "Logged in User Activity", "results": results}, + "SSHSESSION":{"cmd":"ls /tmp/ssh* 2>/dev/null", "msg":"SSH Agent Connexion (https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/)", "results":results}, + "MULTIPLEX":{"cmd":"screen -ls 2> /dev/null || true && tmux ls 2> /dev/null", "msg":"Screen and Tmux socket (another user session may be open)", "results": results} + } + userInfo = self.executecmd(userInfo) + self.displayoutput(userInfo) + def privesc(self): + vul = {"Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds":{"minver":"4.4.0", "maxver":"4.14.18", "exploitdb":"47779", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}}, + "OpenSMTPD - OOB Read Local Privilege Escalation": {"minver": "6.4.0", "maxver": "6.6.4", "exploitdb": "48185", "lang": "ruby", "keywords": {"loc": ["proc", "pkg"], "val": "opensmtpd"}}, + "Linux BPF Sign Extension Local Privilege Escalation":{"minver":"5.3", "maxver":"5.4.2", "exploitdb":"45058", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, + "Linux Kernel 2.6.22 < 3.9 (x86/x64) - Dirty COW - SUID Method":{"minver":"2.6.22", "maxver":"3.9", "exploitdb":"40616", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, + "Linux Kernel 2.6.22 < 3.9 (x86/x64) - Dirty COW - Firefart":{"minver":"2.6.22", "maxver":"3.9", "exploitdb":"40839", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, + "Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation":{"minver":"2.6.39", "maxver":"3.2.2", "exploitdb":"18411", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}}, + "2.2.x-2.4.x ptrace kmod local exploit": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "3", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "< 2.4.20 Module Loader Local Root Exploit": {"minver": "0", "maxver": "2.4.20", "exploitdb": "12", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4.22 "'do_brk()'" local Root Exploit (PoC)": {"minver": "2.4.22", "maxver": "2.4.22", "exploitdb": "129", "lang": "asm", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "<= 2.4.22 (do_brk) Local Root Exploit (working)": {"minver": "0", "maxver": "2.4.22", "exploitdb": "131", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4.x mremap() bound checking Root Exploit": {"minver": "2.4", "maxver": "2.4.99", "exploitdb": "145", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "<= 2.4.29-rc2 uselib() Privilege Elevation": {"minver": "0", "maxver": "2.4.29", "exploitdb": "744", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4 uselib() Privilege Elevation Exploit": {"minver": "2.4", "maxver": "2.4", "exploitdb": "778", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "895", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "926", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "bluez"}}, + "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)": {"minver": "0", "maxver": "2.6.11", "exploitdb": "1397", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit": {"minver": "0", "maxver": "99", "exploitdb": "1518", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "mysql"}}, + "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2004", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2005", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2006", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2011", "lang": "sh", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "<= 2.6.17.4 (proc) Local Root Exploit": {"minver": "0", "maxver": "2.6.17.4", "exploitdb": "2013", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)": {"minver": "2.6.13", "maxver": "2.6.17.4", "exploitdb": "2031", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit": {"minver": "4.10", "maxver": "7.04", "exploitdb": "3384", "lang": "c", "keywords": {"loc": ["os"], "val": "debian"}}, + "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit": {"minver": "2.4", "maxver": "2.6", "exploitdb": "4460", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit": {"minver": "0", "maxver": "2.6.11.5", "exploitdb": "4756", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "bluetooth"}}, + "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit": {"minver": "2.6.17", "maxver": "2.6.24.1", "exploitdb": "5092", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6.23 - 2.6.24 vmsplice Local Root Exploit": {"minver": "2.6.23", "maxver": "2.6.24", "exploitdb": "5093", "lang": "c", "keywords": {"loc": ["os"], "val": "debian"}}, + "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit": {"minver": "0", "maxver": "99", "exploitdb": "5720", "lang": "python", "keywords": {"loc": ["os"], "val": "debian"}}, + "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit": {"minver": "0", "maxver": "2.6.22", "exploitdb": "6851", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "< 2.6.29 exit_notify() Local Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.29", "exploitdb": "8369", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6 UDEV Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8478", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "udev"}}, + "2.6 UDEV < 141 Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8572", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "udev"}}, + "2.6.x ptrace_attach Local Privilege Escalation Exploit": {"minver": "2.6", "maxver": "2.6.99", "exploitdb": "8673", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6.29 ptrace_attach() Local Root Race Condition Exploit": {"minver": "2.6.29", "maxver": "2.6.29", "exploitdb": "8678", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit": {"minver": "0", "maxver": "2.6.28.3", "exploitdb": "9083", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Test Kernel Local Root Exploit 0day": {"minver": "2.6.18", "maxver": "2.6.30", "exploitdb": "9191", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)": {"minver": "2.6.9", "maxver": "2.6.30", "exploitdb": "9208", "lang": "c", "keywords": {"loc": ["pkg"], "val": "pulse"}}, + "2.x sock_sendpage() Local Ring0 Root Exploit": {"minver": "2", "maxver": "2.99", "exploitdb": "9435", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.x sock_sendpage() Local Root Exploit 2": {"minver": "2", "maxver": "2.99", "exploitdb": "9436", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9479", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit": {"minver": "2.6", "maxver": "2.6.19", "exploitdb": "9542", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9545", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)": {"minver": "0", "maxver": "2.6.19", "exploitdb": "9574", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "< 2.6.19 udp_sendmsg Local Root Exploit": {"minver": "0", "maxver": "2.6.19", "exploitdb": "9575", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4/2.6 sock_sendpage() Local Root Exploit [2]": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9598", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4/2.6 sock_sendpage() Local Root Exploit [3]": {"minver": "2.4", "maxver": "2.6.99", "exploitdb": "9641", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation": {"minver": "2.4.1", "maxver": "2.6.32", "exploitdb": "9844", "lang": "python", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "'pipe.c' Local Privilege Escalation Vulnerability": {"minver": "2.4.1", "maxver": "2.6.32", "exploitdb": "10018", "lang": "sh", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.6.18-20 2009 Local Root Exploit": {"minver": "2.6.18", "maxver": "2.6.20", "exploitdb": "10613", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Apache Spamassassin Milter Plugin Remote Root Command Execution": {"minver": "0", "maxver": "99", "exploitdb": "11662", "lang": "sh", "keywords": {"loc": ["proc"], "val": "spamass-milter"}}, + "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation": {"minver": "0", "maxver": "2.6.34", "exploitdb": "12130", "lang": "python", "keywords": {"loc": ["mnt"], "val": "reiser"}}, + "Ubuntu PAM MOTD local root": {"minver": "7", "maxver": "10.04", "exploitdb": "14339", "lang": "sh", "keywords": {"loc": ["os"], "val": "ubuntu"}}, + "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.36", "exploitdb": "14814", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Kernel ia32syscall Emulation Privilege Escalation": {"minver": "0", "maxver": "2.6.36", "exploitdb": "15023", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Linux RDS Protocol Local Privilege Escalation": {"minver": "0", "maxver": "2.6.36", "exploitdb": "15285", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "<= 2.6.37 Local Privilege Escalation (Full Nelson)": {"minver": "0", "maxver": "2.6.37", "exploitdb": "15704", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "< 2.6.37-rc2 ACPI custom_method Privilege Escalation": {"minver": "0", "maxver": "2.6.37", "exploitdb": "15774", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "CAP_SYS_ADMIN to root Exploit": {"minver": "0", "maxver": "99", "exploitdb": "15916", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)": {"minver": "0", "maxver": "99", "exploitdb": "15944", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "< 2.6.36.2 Econet Privilege Escalation Exploit": {"minver": "0", "maxver": "2.6.36.2", "exploitdb": "17787", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Sendpage Local Privilege Escalation": {"minver": "2.4.4", "maxver": "2.4.37.4", "exploitdb": "19933", "lang": "ruby", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Sendpage Local Privilege Escalation": {"minver": "2.6.0", "maxver": "2.6.30.4", "exploitdb": "19933", "lang": "ruby", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability": {"minver": "2.4.18", "maxver": "2.4.19", "exploitdb": "21598", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "22362", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)": {"minver": "2.2", "maxver": "2.4.99", "exploitdb": "22363", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + "Samba 2.2.8 Share Local Privilege Elevation Vulnerability": {"minver": "2.2.8", "maxver": "2.2.8", "exploitdb": "23674", "lang": "c", "keywords": {"loc": ["proc", "pkg"], "val": "samba"}}, + "open-time Capability file_ns_capable() Privilege Escalation": {"minver": "0", "maxver": "3.8.9", "exploitdb": "25450", "lang": "c", "keywords": {"loc": ["kernel"], "val": "kernel"}}, + } + avgprob = [] + highprob = [] + for sploit in vul: + lang = 0 # use to rank applicability of vul + keyword = vul[sploit]["keywords"]["val"] + sploitout = sploit + " || " + "https://www.exploit-db.com/exploits/" + \ + vul[sploit]["exploitdb"] + " || " + \ + "Language=" + vul[sploit]["lang"] + # first check for kernel applicability + #This is not more working because for Python 4.4 > 4.14 + #if (version >= vul[sploit]["minver"]) and (version <= vul[sploit]["maxver"]): + if checkVer(version, vul[sploit]["minver"], vul[sploit]["maxver"]): + # next check language applicability + if (vul[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))): + lang = 1 # language found, increase applicability score + elif vul[sploit]["lang"] == "sh": + lang = 1 # language found, increase applicability score + elif (vul[sploit]["lang"] in str(langs)): + lang = 1 # language found, increase applicability score + if lang == 0: + sploitout = sploitout + "**" # added mark if language not detected on system + # next check keyword matches to determine if some vul have a higher probability of success + for loc in vul[sploit]["keywords"]["loc"]: + if loc == "proc": + for proc in procs: + if keyword in proc: + # if sploit is associated with a running process consider it a higher probability/applicability + highprob.append(sploitout) + break + break + + + + + def execute(self): + self.sysinfo(); + self.networkinfo(); + self.fileinfo(); + self.userInfo(); + + +def main(): + en=Enumeration(); + en.execute(); + pv=PrevEsc(); + pv.execute(); + +if __name__ == "__main__": + main() \ No newline at end of file