Sometimes it’s really hard to find the correct exploit for the device you are pentesting. I found two good references that may be helpful, or at least will give you a good starting point. Both of these resources suggest Linux exploits based on kernel version. The first one is available on GitHub and the second one I believe I saw on Twitter and bookmarked the link (can’t remember the Twitter handle, sorry; please remind me so that I can credit you).
Linux Exploit Suggester
Linux Exploit Suggester is a GitHub project that identifies exploits based on the operating system release number (or kernel version). Run without arguments, the script performs a ‘uname -r’ to grab the Linux kernel release version and returns a list of possible exploits. Nothing fancy, so a patched or back-ported kernel may fool this script: the release number stays the same after a distribution back-ports a fix. It is also possible to provide the ‘-k’ flag to enter the kernel version/operating system release version manually.
Github Project: https://github.com/PenturaLabs/Linux_Exploit_Suggester
Examples:
$ perl ./Linux_Exploit_Suggester.pl -k 3.0.0
Kernel local: 3.0.0
Possible Exploits:
[+] semtex CVE-2013-2094
    Source: www.exploit-db.com/download/25444/
[+] memodipper CVE-2012-0056
    Source: http://www.exploit-db.com/exploits/18411/
[+] perf_swevent CVE-2013-2094
    Source: http://www.exploit-db.com/download/26131
Flat file to find Linux Exploits by Kernel version
I copied the whole page here as the source page looks like a work in progress. This also seems to be based on the same GitHub project, only its author has added more (he tweeted about that too). Kudos.
- Locate the kernel version of the target machine(s) (e.g. uname -a or via nmap).
- Using this listing, locate exploit references that include your version.
- Version numbers with 0’s indicate ALL subversions of that kernel portion (e.g. 2.4.0 = 2.4.1 – 2.4.36).
- Provided for research only. Perform a thorough code review prior to use, use only on hosts you have legal authority to pentest; no warranties or guarantees implied or provided!
| Exploit Name | Kernel Start | Kernel End | Exploit URL | Remarks |
|---|---|---|---|---|
hudo | 2.0.0 | 6.0.1 | https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/hudo.c | See contents for specific versions |
ip6t_so_set(loc) | 2.0.0 | 4.6.2 | https://www.exploit-db.com/exploits/40489/ | |
libfutex(loc) | 2.0.0 | 2.0.0 | https://www.exploit-db.com/exploits/35370/ | |
setreuic(0,0) | 2.0.0 | 4.0.1 | https://www.exploit-db.com/exploits/14219/ | |
tack | 2.0.0 | 2.6.0 | https://www.exploit-db.com/exploits/38685/ | |
rds-fail | 2.1.0 | 2.6.0 | http://vulnfactory.org/exploits/rds-fail.c | |
ptrace | 2.2.0 | 2.4.0 | http://www.securiteam.com/exploits/5CP0Q0U9FY.html | |
rip | 2.2.0 | 2.2.0 | https://packetstormsecurity.com/files/22124/rip.c.html | |
viper Autoroot_v2 | 2.2.0 | 2.6.0 | http://www.exploit-id.com/tools/viper-auto-rooting | Warning:Verify remote source before use |
remap | 2.4.0 | 2.4.0 | https://www.exploit-db.com/exploits/160/ | |
pipe.c_32bit | 2.4.4 | 2.4.37 | http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c | |
sock_sendpage | 2.4.4 | 2.4.37 | http://www.exploit-db.com/exploits/9435 | Alt:Proto Ops |
sock_sendpage2 | 2.4.4 | 2.4.37 | http://www.exploit-db.com/exploits/9436 | Alt:Proto Ops |
brk | 2.4.10 | 2.4.10 | http://www.cyberwarrior.us/code/linux/brk_vma.c | |
expand_stack | 2.4.10 | 2.4.10 | https://www.exploit-db.com/exploits/778/ | |
w00t | 2.4.10 | 2.4.21 | https://github.com/freebsd/freebsd/tree/master/tools/tools/net80211/w00t | |
expand_stack | 2.4.16 | 2.4.31 | https://www.exploit-db.com/exploits/778/ | |
w00t | 2.4.16 | 2.4.21 | https://github.com/freebsd/freebsd/tree/master/tools/tools/net80211/w00t | |
newlocal | 2.4.17 | 2.4.19 | https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/newlocal.zip | |
uselib24 | 2.4.17 | 2.4.17 | https://packetstormsecurity.com/files/35920/uselib24.c.html | |
brk | 2.4.18 | 2.4.22 | http://www.cyberwarrior.us/code/linux/brk_vma.c | |
km2 | 2.4.18 | 2.4.22 | http://downloads.securityfocus.com/vulnerabilities/exploits/binfmt_elf.c | |
ave | 2.4.19 | 2.4.20 | ** Unknown Source Repository at this time.. manual search required | |
mremap_pte | 2.4.20 | 2.4.20 | http://www.exploit-db.com/exploits/160/ | |
loko | 2.4.22 | 2.4.24 | http://pastie.org/pastes/316474 | ** Warning** Mod code for IRC reverse shell |
uselib24 | 2.4.22 | 2.4.29 | https://packetstormsecurity.com/files/35920/uselib24.c.html | |
mremap_pte | 2.4.24 | 2.4.27 | http://www.exploit-db.com/exploits/160/ | |
elfdump | 2.4.27 | 2.6.8 | https://www.exploit-db.com/exploits/624/ | |
elflbl | 2.4.29 | 2.4.29 | http://www.exploit-db.com/exploits/744/ | |
smpracer | 2.4.29 | 2.4.29 | https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2005/expand_stack-SMP-race.c | |
smp_race_local | 2.4.29 | 2.4.29 | https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/expand_stack.c | |
stackgrow2 | 2.4.29 | 2.4.29 | https://dl.packetstormsecurity.net/0501-exploits/stackgrow2.c.html | |
american-sign-lang | 2.6.0 | 2.3.36 | https://www.exploit-db.com/exploits/15774/ | Alt:ASL |
can_modharden | 2.6.0 | 2.6.0 | https://www.exploit-db.com/exploits/14814/ | |
half_nelson | 2.6.0 | 2.6.36 | http://www.exploit-db.com/exploits/6851 | Alt:eConet |
half_nelson1 | 2.6.0 | 2.6.36 | http://www.exploit-db.com/exploits/17787/ | Alt:eConet |
pktcdvd | 2.6.0 | 2.6.36 | http://www.exploit-db.com/exploits/15150/ | |
smpracer | 2.6.0 | 2.6.0 | https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2005/expand_stack-SMP-race.c | |
sock_sendpage | 2.6.0 | 2.6.30 | http://www.exploit-db.com/exploits/9435 | Alt:Proto Ops |
sock_sendpage2 | 2.6.0 | 2.6.30 | http://www.exploit-db.com/exploits/9436 | Alt:Proto Ops |
vconsole | 2.6.0 | 2.6.0 | http://downloads.securityfocus.com/vulnerabilities/exploits/33672.c | |
video4linux | 2.6.0 | 2.6.33 | http://www.exploit-db.com/exploits/15024/ | |
udp_sendmsg_32bit | 2.6.1 | 2.6.19 | http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c | |
krad | 2.6.5 | 2.6.11 | https://www.exploit-db.com/exploits/15774/ | |
krad3 | 2.6.5 | 2.6.11 | http://exploit-db.com/exploits/1397 | |
ong_bak | 2.6.5 | 2.6.5 | https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/ong_bak.c | |
h00lyshit | 2.6.8 | 2.6.16 | http://www.exploit-db.com/exploits/2013/ | |
stackgrow2 | 2.6.10 | 2.6.10 | https://dl.packetstormsecurity.net/0501-exploits/stackgrow2.c.html | |
uselib24 | 2.6.10 | 2.6.10 | https://packetstormsecurity.com/files/35920/uselib24.c.html | |
ftrex | 2.6.11 | 2.6.22 | http://www.exploit-db.com/exploits/6851 | |
elfcd | 2.6.12 | 2.6.12 | https://www.exploit-db.com/exploits/25647/ | |
py2 | 2.6.12 | 2.6.12 | https://www.exploit-db.com/exploits/1591/ | |
kdump | 2.6.13 | 2.6.13 | https://www.exploit-db.com/exploits/17942/ | |
local26 | 2.6.13 | 2.6.13 | https://www.exploit-db.com/exploits/160/ | |
prctl | 2.6.13 | 2.6.17 | http://www.exploit-db.com/exploits/2004/ | |
prctl2 | 2.6.13 | 2.6.17 | http://www.exploit-db.com/exploits/2005/ | |
prctl3 | 2.6.13 | 2.6.17 | http://www.exploit-db.com/exploits/2006/ | |
prctl4 | 2.6.13 | 2.6.17 | http://www.exploit-db.com/exploits/2011/ | |
prctl_loc_priv | 2.6.13 | 2.6.17 | https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/exp.sh | |
raptor_prctl | 2.6.13 | 2.6.23 | http://www.exploit-db.com/exploits/2031/ | |
pipe.c_32bit | 2.6.15 | 2.6.31 | http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c | |
vmsplice1 | 2.6.17 | 2.6.24 | http://www.expliot-db.com/exploits/5092 | Alt:Jessica Biel |
can_bcm | 2.6.18 | 2.6.36 | http://www.exploit-db.com/exploits/14814/ | |
do_pages_move | 2.6.18 | 2.6.31 | https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9627.tgz | Alt:Sieve |
gconv_translit_find | 2.6.18 | 2.6.18 | https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/34421.tar.gz | |
reiserfs | 2.6.18 | 2.6.34 | http://www.exploit-db.com/exploits/12130/ | |
dirty_cow_proc_race | 2.6.22 | 3.8.0 | https://www.exploit-db.com/exploits/40847/ | |
dirty_cow_ptrace | 2.6.22 | 3.8.0 | https://www.exploit-db.com/exploits/40839/ | |
vmsplice2 | 2.6.23 | 2.6.24 | http://www.exploit-db.com/exploits/5093 | Alt:Dianne Lane |
exit_notify | 2.6.25 | 2.6.29 | http://www.exploit-db.com/exploits/8369 | |
udev | 2.6.25 | 2.6.29 | http://www.exploit-db.com/exploits/8478 | |
ptrace_kmod2 | 2.6.26 | 2.6.34 | http://www.exploit-db.com/exploits/15023/ | Alt:ia32syscall |
sctp | 2.6.26 | 2.6.26 | https://github.com/offensive-security/exploit-database/blob/master/platforms/linux/local/7618.c | |
rds | 2.6.30 | 2.6.36 | http://www.exploit-db.com/exploits/15285/ | |
tomcat_privesc | 2.6.30 | 2.6.99 | https://www.exploit-db.com/exploits/40488/ | |
gconv_translit_find | 2.6.32 | 2.6.32 | https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/34421.tar.gz | |
inode_Int_overflow | 2.6.32 | 3.16.0 | https://packetstormsecurity.com/files/139871/Linux-Kernel-2.6.32-642-3.16.0-4-Inode-Integer-Overflow.html | |
caps_to_root | 2.6.34 | 2.6.36 | http://www.exploit-db.com/exploits/15916/ | |
semtex | 2.6.37 | 2.6.39 | http://www.exploit-db.com/download/25444/ | |
memodipper | 2.6.39 | 2.6.39 | http://www.exploit-db.com/exploits/18411/ | |
memodipper | 3.0.0 | 3.1.1 | http://www.exploit-db.com/exploits/18411/ | |
perf_swevent | 3.0.0 | 3.8.9 | http://www.exploit-db.com/download/26131 | |
rowhammer | 3.0.0 | 6.0.0 | https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36310.tar.gz | |
semtex | 3.0.0 | 3.1.1 | http://www.exploit-db.com/download/25444/ | |
death-star | 3.1.0 | 3.1.8 | http://downloads.securityfocus.com/vulnerabilities/exploits/52201.txt | |
timeoutpwn | 3.1.0 | 3.1.0 | https://www.kernel-exploits.com/media/timeoutpwn64.c | |
overlayFS | 3.2.0 | 3.2.0 | http://0day.today/exploit/23763 | |
usb-creator_v0.2 | 3.2.0 | 3.2.0 | http://0day.today/exploit/23566 | |
sock_diag | 3.3.0 | 3.8.0 | https://www.exploit-db.com/exploits/33336/ | |
libtiff3.7.1 | 3.4.0 | 3.4.0 | https://www.exploit-db.com/exploits/14219/ | |
recvmmsg | 3.4.0 | 3.12.1 | https://www.exploit-db.com/exploits/31347/ | |
timeoutpwn | 3.4.0 | 3.4.0 | https://www.kernel-exploits.com/media/timeoutpwn64.c | |
libtiff3.7.1 | 3.5.1 | 3.5.7 | https://www.exploit-db.com/exploits/14219/ | |
libtiff3.7.1 | 3.6.0 | 3.6.1 | https://www.exploit-db.com/exploits/14219/ | |
libtiff3.7.1 | 3.7.0 | 3.7.4 | https://www.exploit-db.com/exploits/14219/ | |
libtiff3.7.1 | 3.8.0 | 3.8.2 | https://www.exploit-db.com/exploits/14219/ | |
libtiff3.7.1 | 3.9.0 | 3.9.3 | https://www.exploit-db.com/exploits/14219/ | |
ifenslave | 3.10.0 | 3.10.0 | https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/ifenslave.c | |
tomcat_privesc | 3.10.0 | 3.10.99 | https://www.exploit-db.com/exploits/40488/ | |
Apport_abrt | 3.13.0 | 3.13.0 | https://www.exploit-db.com/exploits/36746/ | |
overlayfs | 3.13.0 | 3.13.1 | https://www.exploit-db.com/exploits/40688/ | |
overlayFS | 3.13.0 | 3.19.0 | http://0day.today/exploit/23763 | |
overlayfs_shell(loc) | 3.13.0 | 3.18.0 | https://www.exploit-db.com/exploits/37292/ | |
usb-creator_v0.2 | 3.13.0 | 3.13.0 | http://0day.today/exploit/23566 | |
recvmmsg_privesc | 3.13.1 | 3.13.1 | https://www.exploit-db.com/exploits/40503/ | |
libfutex | 3.14.0 | 3.14.6 | http://downloads.securityfocus.com/vulnerabilities/exploits/67906.c | |
libfutex(loc) | 3.14.0 | 3.14.0 | https://www.exploit-db.com/exploits/35370/ | |
Apport_abrt | 3.16.0 | 3.16.0 | https://www.exploit-db.com/exploits/36746/ | |
overlayfs | 3.16.0 | 3.16.1 | https://www.exploit-db.com/exploits/40688/ | |
usb-creator_v0.2 | 3.16.0 | 3.16.0 | http://0day.today/exploit/23566 | |
af_packet_race | 3.19.0 | 3.19.1 | https://www.exploit-db.com/exploits/40871/ | |
overlayfs | 3.19.0 | 3.19.1 | https://www.exploit-db.com/exploits/40688/ | |
libtiff3.7.1 | 4.0.0 | 4.0.1 | https://www.exploit-db.com/exploits/14219/ | |
overlayfs | 4.2.0 | 4.2.18 | https://www.exploit-db.com/exploits/40688/ | |
overlayfs | 4.2.8 | 4.2.8 | https://www.exploit-db.com/exploits/40688/ | |
overlayfs(loc) | 4.3.2 | 4.3.3 | https://www.exploit-db.com/exploits/39166/ | |
bpf_loc_Priv_esc | 4.4.0 | 4.4.0 | https://www.exploit-db.com/exploits/40759/ | |
perf_event_open | 4.4.0 | 4.4.0 | https://bugs.chromium.org/p/project-zero/issues/detail?id=807 | |
refcnt_keyrings(loc) | 4.4.1 | 4.4.1 | https://www.exploit-db.com/exploits/39277/ | |
logrotate_loc_Priv | 4.6.0 | 4.6.0 | https://www.exploit-db.com/exploits/40768/ | |
netfilter_privesc(loc) | 4.6.3 | 4.6.3 | https://www.exploit-db.com/exploits/40435/ | |
libtiff3.7.1 | 5.0.0 | 5.2.1 | https://www.exploit-db.com/exploits/14219/ | |
libfutex | 6.0.0 | 6.0.0 | http://downloads.securityfocus.com/vulnerabilities/exploits/67906.c | |
libfutex(loc) | 6.0.0 | 6.0.0 | https://www.exploit-db.com/exploits/35370/ | |
libfutex2 | 6.0.0 | 6.0.0 | https://www.exploit-db.com/exploits/35370/ | |
netBSD_mail(loc) | 6.0.0 | 6.1.5 | https://packetstormsecurity.com/files/138021/NetBSD-mail.local-8-Local-Root.html | |
netBSD_mail(loc) | 7.0.0 | 7.1.1 | https://packetstormsecurity.com/files/138021/NetBSD-mail.local-8-Local-Root.html | |
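Both the Perl script and the flat file above do the same thing: reduce a `uname -r` string to a kernel version and return the rows whose range contains it. The script below is an added illustration of that lookup, not code from the original post, from Linux_Exploit_Suggester or from the flat-file author; the function names (`parse_version`, `upper_bound`, `parse_rows`, `candidates`) are my own. It implements the listing’s rule that zeros in a version mean "all subversions of that portion" (so an end of 4.4.0 covers every 4.4.x), and the five sample rows are excerpted from the table above. As the post says, a hit is only a hypothesis: a distribution may have back-ported the fix under the same release number, so confirm against the distro changelog or security advisory before drawing any conclusion.

```python
"""Kernel-version range lookup over rows in the flat-file layout above.
Added illustration only: not code from the original post, from
Linux_Exploit_Suggester, or from the flat-file's author.  The function
and class names here are my own."""
import platform
import re
from typing import List, NamedTuple, Tuple

# Sample rows excerpted from the table above, in its own "a | b | c | d | e" layout.
SAMPLE_ROWS = """\
Exploit Name | Kernel Start | Kernel End | Exploit URL | Remarks |
hudo | 2.0.0 | 6.0.1 | https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/hudo.c | See contents for specific versions |
dirty_cow_ptrace | 2.6.22 | 3.8.0 | https://www.exploit-db.com/exploits/40839/ | |
perf_swevent | 3.0.0 | 3.8.9 | http://www.exploit-db.com/download/26131 | |
overlayfs_shell(loc) | 3.13.0 | 3.18.0 | https://www.exploit-db.com/exploits/37292/ | |
bpf_loc_Priv_esc | 4.4.0 | 4.4.0 | https://www.exploit-db.com/exploits/40759/ | |
"""

Version = Tuple[float, float, float]   # ints, or float('inf') for a widened bound


class Row(NamedTuple):
    name: str
    start: Version
    end: Version
    url: str
    remarks: str


def parse_version(text: str) -> Version:
    """Reduce a `uname -r` string such as '3.13.0-24-generic' to (major, minor, patch).
    Missing components default to 0, so '4.4' becomes (4, 4, 0)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a kernel version: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch)


def upper_bound(end: Version) -> Version:
    """Apply the listing's rule that zeros mean 'all subversions of that portion':
    an end of 2.4.0 covers every 2.4.x and an end of 2.0.0 covers every 2.x.
    Trailing zero components are therefore widened to infinity."""
    parts = list(end)
    for i in (2, 1):            # patch first, then minor; the major is never widened
        if parts[i] != 0:
            break
        parts[i] = float("inf")
    return (parts[0], parts[1], parts[2])


def parse_rows(table: str) -> List[Row]:
    """Parse pipe-separated rows; header, separator and blank lines are skipped
    because their 'Kernel Start' cell is not numeric."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not re.match(r"\d", cells[1]):
            continue
        name, start, end, url = cells[:4]
        remarks = cells[4] if len(cells) > 4 else ""
        rows.append(Row(name, parse_version(start),
                        upper_bound(parse_version(end)), url, remarks))
    return rows


def candidates(uname_r: str, table: str = SAMPLE_ROWS) -> List[str]:
    """Names of rows whose [start, end] range contains the given kernel release.
    A hit means 'unpatched upstream kernels in this range were affected', not
    'this host is vulnerable': a back-ported fix keeps the same release number."""
    v = parse_version(uname_r)
    return [r.name for r in parse_rows(table) if r.start <= v <= r.end]


if __name__ == "__main__":
    release = platform.release()      # the same string `uname -r` prints on Linux
    print(f"kernel {release}: entries to check against your distro's advisories")
    for name in candidates(release):
        print("  [+]", name)
```

Run it with no arguments on the host in question, or pass the full table text from the listing above to `candidates()` instead of the excerpt. Matching is done on the first three numeric components only, so the distribution suffix (`-24-generic`, `.el6`) is ignored, which is exactly why a match must be verified against the vendor's patch history rather than trusted on its own.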
Someone can fork the original GitHub project and keep adding to it, as the author released it under GPLv2 (thanks), which means you can:
- copy and distribute the program’s unmodified source code
- modify the program’s source code and distribute the modified source
You can possibly do the same thing using Metasploit. Detailed steps on how to search for exploits in Metasploit can be found here. Either way, have a field day adding more, testing more and having fun. If you know of more exploits, suggest them via the comments section. As usual, I don’t force any checks on the comments section and it’s pretty open, so go ahead.