来自:https://www.securitysift.com/download/linuxprivchecker.py

#!/usr/env python

###############################################################################################################

## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script

## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift

##-------------------------------------------------------------------------------------------------------------

## [Details]:

## This script is intended to be executed locally on a Linux box to enumerate basic system info and

## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text

## passwords and applicable exploits.

##-------------------------------------------------------------------------------------------------------------

## [Warning]:

## This script comes as-is with no promise of functionality or accuracy.  I have no plans to maintain updates,

## I did not write it to be efficient and in some cases you may find the functions may not produce the desired

## results.  For example, the function that links packages to running processes is based on keywords and will

## not always be accurate.  Also, the exploit list included in this function will need to be updated over time.

## Feel free to change or improve it any way you see fit.

##-------------------------------------------------------------------------------------------------------------

## [Modification, Distribution, and Attribution]:

## You are free to modify and/or distribute this script as you wish.  I only ask that you maintain original

## author attribution and not attempt to sell it or incorporate it into any commercial offering (as if it's

## worth anything anyway :)

###############################################################################################################

# conditional import for older versions of python not compatible with subprocess

try:

    import subprocess as sub

    compatmode = 0 # newer version of python, no need for compatibility mode

except ImportError:

    import os # older version of python, need to use os instead

    compatmode = 1

# title / formatting

bigline = "================================================================================================="

smlline = "-------------------------------------------------------------------------------------------------"

print bigline

print "LINUX PRIVILEGE ESCALATION CHECKER"

print bigline

print

# loop through dictionary, execute the commands, store the results, return updated dict

def execCmd(cmdDict):

    for item in cmdDict:

        cmd = cmdDict[item]["cmd"]

    if compatmode == 0: # newer version of python, use preferred subprocess

            out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate()

            results = out.split('\n')

    else: # older version of python, use os.popen

        echo_stdout = os.popen(cmd, 'r')

            results = echo_stdout.read().split('\n')

        cmdDict[item]["results"]=results

    return cmdDict

# print results for each previously executed command, no return value

def printResults(cmdDict):

    for item in cmdDict:

    msg = cmdDict[item]["msg"]

    results = cmdDict[item]["results"]

        print "[+] " + msg

        for result in results:

        if result.strip() != "":

            print "    " + result.strip()

    print

    return

def writeResults(msg, results):

    f = open("privcheckout.txt", "a");

    f.write("[+] " + str(len(results)-1) + " " + msg)

    for result in results:

        if result.strip() != "":

            f.write("    " + result.strip())

    f.close()

    return

# Basic system info

print "[*] GETTING BASIC SYSTEM INFO...\n"

results=[]

sysInfo = {"OS":{"cmd":"cat /etc/issue","msg":"Operating System","results":results},

       "KERNEL":{"cmd":"cat /proc/version","msg":"Kernel","results":results},

       "HOSTNAME":{"cmd":"hostname", "msg":"Hostname", "results":results}

      }

sysInfo = execCmd(sysInfo)

printResults(sysInfo)

# Networking Info

print "[*] GETTING NETWORKING INFO...\n"

netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results},

       "ROUTE":{"cmd":"route", "msg":"Route", "results":results},

       "NETSTAT":{"cmd":"netstat -antup | grep -v 'TIME_WAIT'", "msg":"Netstat", "results":results}

      }

netInfo = execCmd(netInfo)

printResults(netInfo)

# File System Info

print "[*] GETTING FILESYSTEM INFO...\n"

driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results},

         "FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results}

        }

driveInfo = execCmd(driveInfo)

printResults(driveInfo)

# Scheduled Cron Jobs

cronInfo = {"CRON":{"cmd":"ls -la /etc/cron* 2>/dev/null", "msg":"Scheduled cron jobs", "results":results},

        "CRONW": {"cmd":"ls -aRl /etc/cron* 2>/dev/null | awk '$1 ~ /w.$/' 2>/dev/null", "msg":"Writable cron dirs", "results":results}

       }

cronInfo = execCmd(cronInfo)

printResults(cronInfo)

# User Info

print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n"

userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results},

        "ID":{"cmd":"id","msg":"Current User ID", "results":results},

        "ALLUSERS":{"cmd":"cat /etc/passwd", "msg":"All users", "results":results},

        "SUPUSERS":{"cmd":"grep -v -E '^#' /etc/passwd | awk -F: '$3 == 0{print $1}'", "msg":"Super Users Found:", "results":results},

        "HISTORY":{"cmd":"ls -la ~/.*_history; ls -la /root/.*_history 2>/dev/null", "msg":"Root and current user history (depends on privs)", "results":results},

        "ENV":{"cmd":"env 2>/dev/null | grep -v 'LS_COLORS'", "msg":"Environment", "results":results},

        "SUDOERS":{"cmd":"cat /etc/sudoers 2>/dev/null | grep -v '#' 2>/dev/null", "msg":"Sudoers (privileged)", "results":results},

        "LOGGEDIN":{"cmd":"w 2>/dev/null", "msg":"Logged in User Activity", "results":results}

       }

userInfo = execCmd(userInfo)

printResults(userInfo)

if "root" in userInfo["ID"]["results"][0]:

    print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n"

# File/Directory Privs

print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n"

fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},

       "WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},

       "WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results},

       "SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results},

       "ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results}

      }

fdPerms = execCmd(fdPerms)

printResults(fdPerms)

pwdFiles = {"LOGPWDS":{"cmd":"find /var/log -name '*.log' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Logs containing keyword 'password'", "results":results},

        "CONFPWDS":{"cmd":"find /etc -name '*.c*' 2>/dev/null | xargs -l10 egrep 'pwd|password' 2>/dev/null", "msg":"Config files containing keyword 'password'", "results":results},

        "SHADOW":{"cmd":"cat /etc/shadow 2>/dev/null", "msg":"Shadow File (Privileged)", "results":results}

       }

pwdFiles = execCmd(pwdFiles)

printResults(pwdFiles)

# Processes and Applications

print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n"

if "debian" in sysInfo["KERNEL"]["results"][0] or "ubuntu" in sysInfo["KERNEL"]["results"][0]:

    getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian

else:

    getPkgs = "rpm -qa | sort -u" # RH/other

getAppProc = {"PROCS":{"cmd":"ps aux | awk '{print $1,$2,$9,$10,$11}'", "msg":"Current processes", "results":results},

              "PKGS":{"cmd":getPkgs, "msg":"Installed Packages", "results":results}

         }

getAppProc = execCmd(getAppProc)

printResults(getAppProc) # comment to reduce output

otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Version (Check out http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=sudo)", "results":results},

          "APACHE":{"cmd":"apache2 -v; apache2ctl -M; httpd -v; apachectl -l 2>/dev/null", "msg":"Apache Version and Modules", "results":results},

          "APACHECONF":{"cmd":"cat /etc/apache2/apache2.conf 2>/dev/null", "msg":"Apache Config File", "results":results}

        }

otherApps = execCmd(otherApps)

printResults(otherApps)

print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n"

# find the package information for the processes currently running

# under root or another super user

procs = getAppProc["PROCS"]["results"]

pkgs = getAppProc["PKGS"]["results"]

supusers = userInfo["SUPUSERS"]["results"]

procdict = {} # dictionary to hold the processes running as super users

for proc in procs: # loop through each process

    relatedpkgs = [] # list to hold the packages related to a process

    try:

    for user in supusers: # loop through the known super users

        if (user != "") and (user in proc): # if the process is being run by a super user

            procname = proc.split(" ")[4] # grab the process name

        if "/" in procname:

            splitname = procname.split("/")

            procname = splitname[len(splitname)-1]

            for pkg in pkgs: # loop through the packages

            if not len(procname) < 3: # name too short to get reliable package results

                    if procname in pkg:

                if procname in procdict:

                    relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list

                if pkg not in relatedpkgs:

                    relatedpkgs.append(pkg) # add pkg to the list

                procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry

    except:

    pass

for key in procdict:

    print "    " + key # print the process name

    try:

        if not procdict[key][0] == "": # only print the rest if related packages were found

            print "        Possible Related Packages: "

            for entry in procdict[key]:

                print "            " + entry # print each related package

    except:

    pass

# EXPLOIT ENUMERATION

# First discover the avaialable tools

print

print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n"

devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}}

devTools = execCmd(devTools)

printResults(devTools)

print "[+] Related Shell Escape Sequences...\n"

escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]}

for cmd in escapeCmd:

    for result in devTools["TOOLS"]["results"]:

        if cmd in result:

        for item in escapeCmd[cmd]:

            print "    " + cmd + "-->\t" + item

print

print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n"

# Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)

# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'

sploits= {      "2.2.x-2.4.x ptrace kmod local exploit":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "< 2.4.20 Module Loader Local Root Exploit":{"minver":"", "maxver":"2.4.20", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4.22 "'do_brk()'" local Root Exploit (PoC)":{"minver":"2.4.22", "maxver":"2.4.22", "exploitdb":"", "lang":"asm", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "<= 2.4.22 (do_brk) Local Root Exploit (working)":{"minver":"", "maxver":"2.4.22", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4.x mremap() bound checking Root Exploit":{"minver":"2.4", "maxver":"2.4.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "<= 2.4.29-rc2 uselib() Privilege Elevation":{"minver":"", "maxver":"2.4.29", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4 uselib() Privilege Elevation Exploit":{"minver":"2.4", "maxver":"2.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4.x / 2.6.x uselib() Local Privilege Escalation Exploit":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4/2.6 bluez Local Root Privilege Escalation Exploit (update)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluez"}},

        "<= 2.6.11 (CPL 0) Local Root Exploit (k-rad3.c)":{"minver":"", "maxver":"2.6.11", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "MySQL 4.x/5.0 User-Defined Function Local Privilege Escalation Exploit":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"mysql"}},

        "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (2)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (3)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit (4)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "<= 2.6.17.4 (proc) Local Root Exploit":{"minver":"", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6.13 <= 2.6.17.4 prctl() Local Root Exploit (logrotate)":{"minver":"2.6.13", "maxver":"2.6.17.4", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "Ubuntu/Debian Apache 1.3.33/1.3.34 (CGI TTY) Local Root Exploit":{"minver":"4.10", "maxver":"7.04", "exploitdb":"", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},

        "Linux/Kernel 2.4/2.6 x86-64 System Call Emulation Exploit":{"minver":"2.4", "maxver":"2.6", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "< 2.6.11.5 BLUETOOTH Stack Local Root Exploit":{"minver":"", "maxver":"2.6.11.5", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"bluetooth"}},

        "2.6.17 - 2.6.24.1 vmsplice Local Root Exploit":{"minver":"2.6.17", "maxver":"2.6.24.1", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6.23 - 2.6.24 vmsplice Local Root Exploit":{"minver":"2.6.23", "maxver":"2.6.24", "exploitdb":"", "lang":"c", "keywords":{"loc":["os"], "val":"debian"}},

        "Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit":{"minver":"", "maxver":"", "exploitdb":"", "lang":"python", "keywords":{"loc":["os"], "val":"debian"}},

        "Linux Kernel < 2.6.22 ftruncate()/open() Local Exploit":{"minver":"", "maxver":"2.6.22", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "< 2.6.29 exit_notify() Local Privilege Escalation Exploit":{"minver":"", "maxver":"2.6.29", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6 UDEV Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},

        "2.6 UDEV < 141 Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"udev"}},

        "2.6.x ptrace_attach Local Privilege Escalation Exploit":{"minver":"2.6", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6.29 ptrace_attach() Local Root Race Condition Exploit":{"minver":"2.6.29", "maxver":"2.6.29", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"", "maxver":"2.6.28.3", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "Test Kernel Local Root Exploit 0day":{"minver":"2.6.18", "maxver":"2.6.30", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)":{"minver":"2.6.9", "maxver":"2.6.30", "exploitdb":"", "lang":"c", "keywords":{"loc":["pkg"], "val":"pulse"}},

        "2.x sock_sendpage() Local Ring0 Root Exploit":{"minver":"", "maxver":"2.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.x sock_sendpage() Local Root Exploit 2":{"minver":"", "maxver":"2.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4/2.6 sock_sendpage() ring0 Root Exploit (simple ver)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6 < 2.6.19 (32bit) ip_append_data() ring0 Root Exploit":{"minver":"2.6", "maxver":"2.6.19", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4/2.6 sock_sendpage() Local Root Exploit (ppc)":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "< 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)":{"minver":"", "maxver":"2.6.19", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "< 2.6.19 udp_sendmsg Local Root Exploit":{"minver":"", "maxver":"2.6.19", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4/2.6 sock_sendpage() Local Root Exploit [2]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4/2.6 sock_sendpage() Local Root Exploit [3]":{"minver":"2.4", "maxver":"2.6.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4.1-2.4.37 and 2.6.1-2.6.32-rc5 Pipe.c Privelege Escalation":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"", "lang":"python", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "'pipe.c' Local Privilege Escalation Vulnerability":{"minver":"2.4.1", "maxver":"2.6.32", "exploitdb":"", "lang":"sh", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.6.18-20 2009 Local Root Exploit":{"minver":"2.6.18", "maxver":"2.6.20", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "Apache Spamassassin Milter Plugin Remote Root Command Execution":{"minver":"", "maxver":"", "exploitdb":"", "lang":"sh", "keywords":{"loc":["proc"], "val":"spamass-milter"}},

        "<= 2.6.34-rc3 ReiserFS xattr Privilege Escalation":{"minver":"", "maxver":"2.6.34", "exploitdb":"", "lang":"python", "keywords":{"loc":["mnt"], "val":"reiser"}},

        "Ubuntu PAM MOTD local root":{"minver":"", "maxver":"10.04", "exploitdb":"", "lang":"sh", "keywords":{"loc":["os"], "val":"ubuntu"}},

        "< 2.6.36-rc1 CAN BCM Privilege Escalation Exploit":{"minver":"", "maxver":"2.6.36", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "Kernel ia32syscall Emulation Privilege Escalation":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "Linux RDS Protocol Local Privilege Escalation":{"minver":"", "maxver":"2.6.36", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "<= 2.6.37 Local Privilege Escalation":{"minver":"", "maxver":"2.6.37", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "< 2.6.37-rc2 ACPI custom_method Privilege Escalation":{"minver":"", "maxver":"2.6.37", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "CAP_SYS_ADMIN to root Exploit":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "CAP_SYS_ADMIN to Root Exploit 2 (32 and 64-bit)":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "< 2.6.36.2 Econet Privilege Escalation Exploit":{"minver":"", "maxver":"2.6.36.2", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "Sendpage Local Privilege Escalation":{"minver":"", "maxver":"", "exploitdb":"", "lang":"ruby", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.4.18/19 Privileged File Descriptor Resource Exhaustion Vulnerability":{"minver":"2.4.18", "maxver":"2.4.19", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (1)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "2.2.x/2.4.x Privileged Process Hijacking Vulnerability (2)":{"minver":"2.2", "maxver":"2.4.99", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "Samba 2.2.8 Share Local Privilege Elevation Vulnerability":{"minver":"2.2.8", "maxver":"2.2.8", "exploitdb":"", "lang":"c", "keywords":{"loc":["proc","pkg"], "val":"samba"}},

        "open-time Capability file_ns_capable() - Privilege Escalation Vulnerability":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

        "open-time Capability file_ns_capable() Privilege Escalation":{"minver":"", "maxver":"", "exploitdb":"", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},

}

# variable declaration

os = sysInfo["OS"]["results"][0]

version = sysInfo["KERNEL"]["results"][0].split(" ")[2].split("-")[0]

langs = devTools["TOOLS"]["results"]

procs = getAppProc["PROCS"]["results"]

kernel = str(sysInfo["KERNEL"]["results"][0])

mount = driveInfo["MOUNT"]["results"]

#pkgs = getAppProc["PKGS"]["results"] # currently not using packages for sploit appicability but my in future

# lists to hold ranked, applicable sploits

# note: this is a best-effort, basic ranking designed to help in prioritizing priv escalation exploit checks

# all applicable exploits should be checked and this function could probably use some improvement

avgprob = []

highprob = []

for sploit in sploits:

    lang = 0 # use to rank applicability of sploits

    keyword = sploits[sploit]["keywords"]["val"]

    sploitout = sploit + " || " + "http://www.exploit-db.com/exploits/" + sploits[sploit]["exploitdb"] + " || " + "Language=" + sploits[sploit]["lang"]

    # first check for kernell applicability

    if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]):

    # next check language applicability

    if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):

        lang = 1 # language found, increase applicability score

    elif sploits[sploit]["lang"] == "sh":

        lang = 1 # language found, increase applicability score

    elif (sploits[sploit]["lang"] in str(langs)):

        lang = 1 # language found, increase applicability score

    if lang == 0:

        sploitout = sploitout + "**" # added mark if language not detected on system

    # next check keyword matches to determine if some sploits have a higher probability of success

    for loc in sploits[sploit]["keywords"]["loc"]:

        if loc == "proc":

        for proc in procs:

            if keyword in proc:

            highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability

            break

            break

        elif loc == "os":

        if (keyword in os) or (keyword in kernel):

            highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability

            break

        elif loc == "mnt":

        if keyword in mount:

            highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability

            break

        else:

        avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version

print "    Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!"

print

print "    The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system"

for exploit in highprob:

    print "    - " + exploit

print

print "    The following exploits are applicable to this kernel version and should be investigated as well"

for exploit in avgprob:

    print "    - " + exploit

print

print "Finished"

print bigline

linux提权辅助工具(三):privchecker.py的更多相关文章

  1. 又一款linux提权辅助工具

    又一款linux提权辅助工具 – Linux_Exploit_Suggester 2013-09-06 10:34 1455人阅读 评论(0) 收藏 举报 https://github.com/Pen ...

  2. linux提权辅助工具(一):linux-exploit-suggester.sh

    来自:https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh ...

  3. linux提权辅助工具(四):LinEnum.sh

    来自:https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh #!/bin/bash #A script to e ...

  4. linux提权辅助工具(二):linux-exploit-suggester-2.pl

    来自:https://github.com/jondonas/linux-exploit-suggester-2/blob/master/linux-exploit-suggester-2.pl #! ...

  5. 提权辅助工具:Windows--exploit-suggester.py安装及使用

    下载地址    https://github.com/AonCyberLabs/Windows-Exploit-Suggester1.安装xlrd包(注意python2.3版本的pip问题)      ...

  6. 后渗透提权辅助工具BeRoot详解

    0x00 工具介绍 前言 BeRoot是一个后期开发工具,用于检查常见的Windows的配置错误,以方便找到提高我们提权的方法.其二进制编译地址为: https://github.com/Alessa ...

  7. windows提权辅助工具koadic

    项目地址:https://github.com/zerosum0x0/koadic ┌─[root@sch01ar]─[/sch01ar] └──╼ #git clone https://github ...

  8. Linux 提权常用命令集

    转载:http://www.myhack58.com/Article/html/3/8/2017/83236.htm 0x00 操作系统相关 操作系统类型版本 cat /etc/issue cat / ...

  9. Unix/Linux提权漏洞快速检测工具unix-privesc-check

    Unix/Linux提权漏洞快速检测工具unix-privesc-check   unix-privesc-check是Kali Linux自带的一款提权漏洞检测工具.它是一个Shell文件,可以检测 ...

随机推荐

  1. java-mybaits-00801-逆向工程

    1.1     什么是逆向工程 参看地址:http://www.mybatis.org/generator/index.html 使用官方网站的mapper自动生成工具mybatis-generato ...

  2. Kafka丢失数据问题优化总结

    数据丢失是一件非常严重的事情事,针对数据丢失的问题我们需要有明确的思路来确定问题所在,针对这段时间的总结,我个人面对kafka 数据丢失问题的解决思路如下: 是否真正的存在数据丢失问题,比如有很多时候 ...

  3. Python---2. 函数

    转载: Py西游攻关之函数 补充: map函数和reduce函数的区别

  4. Python Web开发之路

    Flask相关 1.DBUtils数据库连接池 2.Flask之初体验 3.Flask之WTForms 4.Flask之信号 5.Flask之flask-session 6.Flask之flask-s ...

  5. CNN学习笔记:批标准化

    CNN学习笔记:批标准化 Batch Normalization Batch Normalization, 批标准化, 是将分散的数据统一的一种做法, 也是优化神经网络的一种方法. 在神经网络的训练过 ...

  6. EF Code First学习笔记:数据库创建(转)

    控制数据库的位置 默认情况下,数据库是创建在localhost\SQLEXPRESS服务器上,并且默认的数据库名为命名空间+context类名,例如我们前面的BreakAway.BreakAwayCo ...

  7. QML事件处理 八

    1.MouseArea MouseArea 是一个不可见的项目,通常用来和一个可见的项目配合使用来为其提供鼠标处理.鼠标处理的逻辑可以包含在一个MouseArea项目中. MouseArea的enab ...

  8. fiddler抓包HTTPS配置及代理设置

    使用fiddler抓包过程中遇到一系列的问题,浪费了大半天时间~~~写下解决办法 按照网上方法配置之后还是无法抓到cookies提示各种证书错误 1.卸载fiddler重新安装,设置 2.设置步骤 ( ...

  9. HDU1059 二进制拆分优化多重背包

    /*问你能不能将给出的资源平分成两半,那么我们就以一半为背包,运行多重背包模版 但是注意了,由于个数过大,直接运行会超时,所以要用二进制拆分每种的个数*/ #include<stdio.h> ...

  10. pyDay11

    内容来自廖雪峰的官方网站. 1.杨辉三角generator: def triangles(): L = [1] while True: yield L L.append(0) L = [L[i-1] ...