
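#!/bin/bash
##
## Copyright (c) 2016-2019, mzet
##
## linux-exploit-suggester.sh comes with ABSOLUTELY NO WARRANTY.
## This is free software, and you are welcome to redistribute it
## under the terms of the GNU General Public License. See LICENSE
## file for usage of this software.
##

## Script version string; presumably what the -V/--version option (declared in
## SHORTOPTS/LONGOPTS below) prints — the option handler is not in this excerpt.
VERSION=v1.0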

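## bash colors
## ANSI SGR sequences. "\e" is NOT an escape inside double quotes, so every
## value below holds a literal backslash-e; it only becomes an ESC byte when the
## printing code interprets it (e.g. echo -e / printf %b) — that code is not in
## this excerpt.
#txtred="\e[0;31m"
txtred="\e[91;1m"
txtgrn="\e[1;32m"
txtgray="\e[0;37m"
txtblu="\e[0;36m"
txtrst="\e[0m"
bldwht='\e[1;37m'
wht='\e[0;36m'        # same sequence as txtblu
bldblu='\e[1;34m'
yellow='\e[1;93m'
lightyellow='\e[0;93m'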

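## input data
## raw `uname -a` string; presumably filled from --uname or collected at runtime
UNAME_A=""

## parsed data for current OS
KERNEL=""
OS=""
DISTRO=""
ARCH=""
PKG_LIST=""

## kernel config
KCONFIG=""

## path of an external CVE list (--cvelist-file), empty when not given
CVELIST_FILE=""

## command-line switches; all default to the string "false" and are presumably
## flipped to "true" by the option parser (not in this excerpt)
opt_fetch_bins=false
opt_fetch_srcs=false
opt_kernel_version=false
opt_uname_string=false
opt_pkglist_file=false
opt_cvelist_file=false
opt_checksec_mode=false
opt_full=false
opt_summary=false
opt_kernel_only=false
opt_userspace_only=false
opt_show_dos=false
opt_skip_more_checks=false
opt_skip_pkg_versions=false

## getopt(1)-style option specs; a trailing ':' marks an option that takes
## an argument (u: k: p: / uname: kernel: pkglist-file: cvelist-file:)
ARGS=
SHORTOPTS="hVfbsu:k:dp:g"
LONGOPTS="help,version,full,fetch-binaries,fetch-sources,uname:,kernel:,show-dos,pkglist-file:,short,kernelspace-only,userspace-only,skip-more-checks,skip-pkg-versions,cvelist-file:,checksec"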

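### exploits database
## kernel-space and user-space entries are kept in separate arrays so the
## --kernelspace-only / --userspace-only switches can select one of them
declare -a EXPLOITS
declare -a EXPLOITS_USERSPACE

### temporary array for purpose of sorting exploits (based on exploits' rank)
declare -a exploits_to_sort
declare -a SORTED_EXPLOITS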

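############ LINUX KERNELSPACE EXPLOITS ####################
## One array element per entry, built from an UNQUOTED heredoc so that the
## colour variables (${txtgrn}, ${txtrst}, ${bldblu}) expand. Any other '$',
## backtick or backslash in entry text would be expanded as well, so keep the
## entries literal. ((n++)) inside the subscript is evaluated arithmetically:
## the element gets index n and n is then incremented.
## Field layout, one "key: value" per line (order and presence vary):
##   Name:         CVE id(s) in brackets plus an exploit nickname
##   Reqs:         comma-separated requirements: pkg=, ver<op>version, arch
##                 (x86/x86_64), CONFIG_*=, sysctl:name<op>value, cmd:<shell>
##   Tags:         distro=version{kernel:pattern} hints (may be empty)
##   Rank:         integer; values 0..5 appear in this table
##   analysis-url: / src-url: / bin-url: / ext-url:  reference links
##   exploit-db:   EDB id (may be empty)
##   author: / Comments:  free text
## NOTE(review): 'cmd:' requirements look like shell snippets evaluated by the
## matcher (not in this excerpt) — keep this table under the script's own
## control rather than loading entries from an untrusted file; confirm.
n=0

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} elflbl
Reqs: pkg=linux-kernel,ver=2.4.29
Tags:
Rank: 1
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/elflbl
exploit-db: 744
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} uselib()
Reqs: pkg=linux-kernel,ver=2.4.29
Tags:
Rank: 1
analysis-url: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
exploit-db: 778
Comments: Known to work only for 2.4 series (even though 2.6 is also vulnerable)
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-1235]${txtrst} krad3
Reqs: pkg=linux-kernel,ver>=2.6.5,ver<=2.6.11
Tags:
Rank: 1
exploit-db: 1397
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-0077]${txtrst} mremap_pte
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.2
Tags:
Rank: 1
exploit-db: 160
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} raptor_prctl
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2031
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2004
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl2
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2005
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl3
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2006
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-2451]${txtrst} prctl4
Reqs: pkg=linux-kernel,ver>=2.6.13,ver<=2.6.17
Tags:
Rank: 1
exploit-db: 2011
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2006-3626]${txtrst} h00lyshit
Reqs: pkg=linux-kernel,ver>=2.6.8,ver<=2.6.16
Tags:
Rank: 1
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/h00lyshit
exploit-db: 2013
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-0600]${txtrst} vmsplice1
Reqs: pkg=linux-kernel,ver>=2.6.17,ver<=2.6.24
Tags:
Rank: 1
exploit-db: 5092
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-0600]${txtrst} vmsplice2
Reqs: pkg=linux-kernel,ver>=2.6.23,ver<=2.6.24
Tags:
Rank: 1
exploit-db: 5093
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-4210]${txtrst} ftrex
Reqs: pkg=linux-kernel,ver>=2.6.11,ver<=2.6.22
Tags:
Rank: 1
exploit-db: 6851
Comments: world-writable sgid directory and shell that does not drop sgid privs upon exec (ash/sash) are required
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2008-4210]${txtrst} exit_notify
Reqs: pkg=linux-kernel,ver>=2.6.25,ver<=2.6.29
Tags:
Rank: 1
exploit-db: 8369
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692]${txtrst} sock_sendpage (simple version)
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=7.10,RHEL=4,fedora=4|5|6|7|8|9|10|11
Rank: 1
exploit-db: 9479
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=9.04
Rank: 1
analysis-url: https://xorl.wordpress.com/2009/07/16/cve-2009-1895-linux-kernel-per_clear_on_setid-personality-bypass/
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9435.tgz
exploit-db: 9435
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage2
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9436.tgz
exploit-db: 9436
Comments: Works for systems with /proc/sys/vm/mmap_min_addr equal to 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage3
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9641.tar.gz
exploit-db: 9641
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0 OR pulseaudio needs to be installed
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2692,CVE-2009-1895]${txtrst} sock_sendpage (ppc)
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.30
Tags: ubuntu=8.10,RHEL=4|5
Rank: 1
exploit-db: 9545
Comments: /proc/sys/vm/mmap_min_addr needs to equal 0
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg (by spender)
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
Tags:
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/9574.tgz
exploit-db: 9574
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} udp_sendmsg
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19
Tags: debian=4
Rank: 1
exploit-db: 9575
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-2698]${txtrst} ip_append_data
Reqs: pkg=linux-kernel,ver>=2.6.1,ver<=2.6.19,x86
Tags: fedora=4|5|6,RHEL=4
Rank: 1
exploit-db: 9542
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 1
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 33321
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 2
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 33322
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-3547]${txtrst} pipe.c 3
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.31
Tags:
Rank: 1
exploit-db: 10018
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3301]${txtrst} ptrace_kmod2
Reqs: pkg=linux-kernel,ver>=2.6.26,ver<=2.6.34
Tags: debian=6.0{kernel:2.6.(32|33|34|35)-(1|2|trunk)-amd64},ubuntu=(10.04|10.10){kernel:2.6.(32|35)-(19|21|24)-server}
Rank: 1
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/kmod2
bin-url: https://web.archive.org/web/20111103042904/http://tarantula.by.ru/localroot/2.6.x/ptrace-kmod
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/ptrace_kmod2-64
exploit-db: 15023
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-1146]${txtrst} reiserfs
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=2.6.34
Tags: ubuntu=9.10
Rank: 1
exploit-db: 12130
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-2959]${txtrst} can_bcm
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=2.6.36
Tags: ubuntu=10.04{kernel:2.6.32-24-generic}
Rank: 1
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/can_bcm
exploit-db: 14814
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3904]${txtrst} rds
Reqs: pkg=linux-kernel,ver>=2.6.30,ver<2.6.37
Tags: debian=6.0{kernel:2.6.(31|32|34|35)-(1|trunk)-amd64},ubuntu=10.10|9.10,fedora=13{kernel:2.6.33.3-85.fc13.i686.PAE},ubuntu=10.04{kernel:2.6.32-(21|24)-generic}
Rank: 1
analysis-url: http://www.securityfocus.com/archive/1/514379
src-url: http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds
bin-url: https://web.archive.org/web/20160602192641/https://www.kernel-exploits.com/media/rds64
exploit-db: 15285
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3848,CVE-2010-3850,CVE-2010-4073]${txtrst} half_nelson
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=(10.04|9.10){kernel:2.6.(31|32)-(14|21)-server}
Rank: 1
bin-url: http://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/half-nelson3
exploit-db: 17787
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root
Reqs: pkg=linux-kernel,ver>=2.6.34,ver<=2.6.36,x86
Tags: ubuntu=10.10
Rank: 1
exploit-db: 15916
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} caps_to_root 2
Reqs: pkg=linux-kernel,ver>=2.6.34,ver<=2.6.36
Tags: ubuntu=10.10
Rank: 1
exploit-db: 15944
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-4347]${txtrst} american-sign-language
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags:
Rank: 1
exploit-db: 15774
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3437]${txtrst} pktcdvd
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=10.04
Rank: 1
exploit-db: 15150
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-3081]${txtrst} video4linux
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.33
Tags: RHEL=5
Rank: 1
exploit-db: 15024
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056]${txtrst} memodipper
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=3.1.0
Tags: ubuntu=(10.04|11.10){kernel:3.0.0-12-(generic|server)}
Rank: 1
analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/
src-url: https://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64
exploit-db: 18411
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056,CVE-2010-3849,CVE-2010-3850]${txtrst} full-nelson
Reqs: pkg=linux-kernel,ver>=2.6.0,ver<=2.6.36
Tags: ubuntu=(9.10|10.10){kernel:2.6.(31|35)-(14|19)-(server|generic)},ubuntu=10.04{kernel:2.6.32-(21|24)-server}
Rank: 1
src-url: http://vulnfactory.org/exploits/full-nelson.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/full-nelson64
exploit-db: 15704
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1858]${txtrst} CLONE_NEWUSER|CLONE_FS
Reqs: pkg=linux-kernel,ver=3.8,CONFIG_USER_NS=y
Tags:
Rank: 1
src-url: http://stealth.openwall.net/xSports/clown-newuser.c
analysis-url: https://lwn.net/Articles/543273/
exploit-db: 38390
author: Sebastian Krahmer
Comments: CONFIG_USER_NS needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} perf_swevent
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9,x86_64
Tags: RHEL=6,ubuntu=12.04{kernel:3.2.0-(23|29)-generic},fedora=16{kernel:3.1.0-7.fc16.x86_64},fedora=17{kernel:3.3.4-5.fc17.x86_64},debian=7{kernel:3.2.0-4-amd64}
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/perf_swevent64
exploit-db: 26131
author: Andrea 'sorbo' Bittau
Comments: No SMEP/SMAP bypass
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} perf_swevent 2
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9,x86_64
Tags: ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic}
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
src-url: https://cyseclabs.com/exploits/vnik_v1.c
exploit-db: 33589
author: Vitaly 'vnik' Nikolenko
Comments: No SMEP/SMAP bypass
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-0268]${txtrst} msr
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<3.7.6
Tags:
Rank: 1
exploit-db: 27297
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-1959]${txtrst} userns_root_sploit
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<3.8.9
Tags:
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2013/04/29/1
exploit-db: 25450
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2013-2094]${txtrst} semtex
Reqs: pkg=linux-kernel,ver>=2.6.32,ver<3.8.9
Tags: RHEL=6
Rank: 1
analysis-url: http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/
exploit-db: 25444
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0038]${txtrst} timeoutpwn
Reqs: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y
Tags: ubuntu=13.10
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/timeoutpwn64
exploit-db: 31346
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0038]${txtrst} timeoutpwn 2
Reqs: pkg=linux-kernel,ver>=3.4.0,ver<=3.13.1,CONFIG_X86_X32=y
Tags: ubuntu=(13.04|13.10){kernel:3.(8|11).0-(12|15|19)-generic}
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html
exploit-db: 31347
Comments: CONFIG_X86_X32 needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0196]${txtrst} rawmodePTY
Reqs: pkg=linux-kernel,ver>=2.6.31,ver<=3.14.3
Tags:
Rank: 1
analysis-url: http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html
exploit-db: 33516
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-2851]${txtrst} use-after-free in ping_init_sock() ${bldblu}(DoS)${txtrst}
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.14
Tags:
Rank: 0
analysis-url: https://cyseclabs.com/page?n=02012016
exploit-db: 32926
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4014]${txtrst} inode_capable
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.13
Tags: ubuntu=12.04
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2014/06/10/4
exploit-db: 33824
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4699]${txtrst} ptrace/sysret
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.8
Tags: ubuntu=12.04
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2014/07/08/16
exploit-db: 34134
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-4943]${txtrst} PPPoL2TP ${bldblu}(DoS)${txtrst}
Reqs: pkg=linux-kernel,ver>=3.2,ver<=3.15.6
Tags:
Rank: 1
analysis-url: https://cyseclabs.com/page?n=01102015
exploit-db: 36267
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-5207]${txtrst} fuse_suid
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<=3.16.1
Tags:
Rank: 1
exploit-db: 34923
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-9322]${txtrst} BadIRET
Reqs: pkg=linux-kernel,ver>=3.0.1,ver<3.17.5,x86_64
Tags: RHEL<=7,fedora=20
Rank: 1
analysis-url: http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/
src-url: http://site.pi3.com.pl/exp/p_cve-2014-9322.tar.gz
exploit-db:
author: Rafal 'n3rgal' Wojtczuk & Adam 'pi3' Zabrocki
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3290]${txtrst} espfix64_NMI
Reqs: pkg=linux-kernel,ver>=3.13,ver<4.1.6,x86_64
Tags:
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2015/08/04/8
exploit-db: 37722
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[N/A]${txtrst} bluetooth
Reqs: pkg=linux-kernel,ver<=2.6.11
Tags:
Rank: 1
exploit-db: 4756
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1328]${txtrst} overlayfs
Reqs: pkg=linux-kernel,ver>=3.13.0,ver<=3.19.0
Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/717
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_32
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/ofs_64
exploit-db: 37292
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8660]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
Tags:
Rank: 1
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db: 39230
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-8660]${txtrst} overlayfs (ovl_setattr)
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.3.3
Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
Rank: 1
analysis-url: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
exploit-db: 39166
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-0728]${txtrst} keyring
Reqs: pkg=linux-kernel,ver>=3.10,ver<4.4.1
Tags:
Rank: 0
analysis-url: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
exploit-db: 40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-2384]${txtrst} usb-midi
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=4.4.8
Tags: ubuntu=14.04,fedora=22
Rank: 1
analysis-url: https://xairy.github.io/blog/2016/cve-2016-2384
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
exploit-db: 41999
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4997]${txtrst} target_offset
Reqs: pkg=linux-kernel,ver>=4.4.0,ver<=4.4.0,cmd:grep -qi ip_tables /proc/modules
Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
Rank: 1
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip
Comments: ip_tables.ko needs to be loaded
exploit-db: 40049
author: Vitaly 'vnik' Nikolenko
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4557]${txtrst} double-fdput()
Reqs: pkg=linux-kernel,ver>=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: ubuntu=16.04{kernel:4.4.0-(21|38|42|98|140)-generic}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
exploit-db: 40759
author: Jann Horn
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5195]${txtrst} dirtycow
Reqs: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Rank: 4
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
exploit-db: 40611
author: Phil Oester
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-5195]${txtrst} dirtycow 2
Reqs: pkg=linux-kernel,ver>=2.6.22,ver<=4.8.3
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Rank: 4
analysis-url: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
ext-url: https://www.exploit-db.com/download/40847.cpp
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
exploit-db: 40839
author: FireFart (author of exploit at EDB 40839); Gabriele Bonacini (author of exploit at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-8655]${txtrst} chocobo_root
Reqs: pkg=linux-kernel,ver>=4.4.0,ver<4.9,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2016/12/06/1
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/CVE-2016-8655/chocobo_root
exploit-db: 40871
author: rebel
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-9793]${txtrst} SO_{SND|RCV}BUFFORCE
Reqs: pkg=linux-kernel,ver>=3.11,ver<4.8.14,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags:
Rank: 1
analysis-url: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
exploit-db: 41995
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-6074]${txtrst} dccp
Reqs: pkg=linux-kernel,ver>=2.6.18,ver<=4.9.11,CONFIG_IP_DCCP=[my]
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2017/02/22/3
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
exploit-db: 41458
author: Andrey 'xairy' Konovalov
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-7308]${txtrst} af_packet
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Rank: 1
analysis-url: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-7308/exploit
exploit-db: 41994
author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-16995]${txtrst} eBPF_verifier
Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
Rank: 5
analysis-url: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-16995/exploit.out
exploit-db: 45010
author: Rick Larabee
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000112]${txtrst} NETIF_F_UFO
Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.13,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*}
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2017/08/13/1
src-url: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
bin-url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2017-1000112/exploit.out
exploit-db:
author: Andrey 'xairy' Konovalov (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2017-1000253]${txtrst} PIE_stack_corruption
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.13,x86_64
Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
Rank: 1
analysis-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
src-url: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
exploit-db: 42887
author: Qualys
Comments:
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2018-5333]${txtrst} rds_atomic_free_op NULL pointer dereference
Reqs: pkg=linux-kernel,ver=4.4.0,cmd:grep -qi rds /proc/modules,x86_64
Tags: ubuntu=16.04{kernel:4.4.0-(112|116)-generic}
Rank: 1
src-url: https://gist.githubusercontent.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4/raw/959325819c78248a6437102bb289bb8578a135cd/cve-2018-5333-poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2018-5333/cve-2018-5333.c
Comments: rds.ko kernel module needs to be loaded. Modified version at 'ext-url' adds support for additional targets and bypassing KASLR.
author: wbowling (orginal exploit author); bcoles (author of exploit update at 'ext-url')
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2018-18955]${txtrst} subuid_shell
Reqs: pkg=linux-kernel,ver>=4.15,ver<=4.19.2,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1,cmd:[ -u /usr/bin/newuidmap ],cmd:[ -u /usr/bin/newgidmap ]
Tags: ubuntu=18.04{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
exploit-db: 45886
author: Jann Horn
Comments: CONFIG_USER_NS needs to be enabled
EOF
)

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2019-13272]${txtrst} PTRACE_TRACEME
Reqs: pkg=linux-kernel,ver>=4,ver<5.1.17,sysctl:kernel.yama.ptrace_scope==0,x86_64
Tags: ubuntu=16.04{kernel:4.15.0-*},ubuntu=18.04{kernel:4.15.0-*},debian=9{kernel:4.9.0-*},debian=10{kernel:4.19.0-*},fedora=30{kernel:5.0.9-*}
Rank: 1
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
src-url: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47133.zip
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2019-13272/poc.c
Comments: Requires an active PolKit agent.
exploit-db: 47133
exploit-db: 47163
author: Jann Horn (orginal exploit author); bcoles (author of exploit update at 'ext-url')
EOF
)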

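############ USERSPACE EXPLOITS ###########################
## Same entry format as the kernel-space table above (unquoted heredoc, one
## "key: value" field per line), but Reqs: names a userland package
## (pkg=samba, pkg=udev, ...) instead of pkg=linux-kernel. The index counter is
## reset so EXPLOITS_USERSPACE starts at element 0.
## NOTE(review): 'cmd:' requirements look like shell snippets evaluated by the
## matcher (not in this excerpt) — keep this table under the script's own
## control rather than loading entries from an untrusted file; confirm.
n=0

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2004-0186]${txtrst} samba
Reqs: pkg=samba,ver<=2.2.8
Tags:
Rank: 1
exploit-db: 23674
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-1185]${txtrst} udev
Reqs: pkg=udev,ver<141,cmd:[[ -f /etc/udev/rules.d/95-udev-late.rules || -f /lib/udev/rules.d/95-udev-late.rules ]]
Tags: ubuntu=8.10|9.04
Rank: 1
exploit-db: 8572
Comments: Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2009-1185]${txtrst} udev 2
Reqs: pkg=udev,ver<141
Tags:
Rank: 1
exploit-db: 8478
Comments: SSH access to non privileged user is needed. Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-0832]${txtrst} PAM MOTD
Reqs: pkg=libpam-modules,ver<=1.1.1
Tags: ubuntu=9.10|10.04
Rank: 1
exploit-db: 14339
Comments: SSH access to non privileged user is needed
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2010-4170]${txtrst} SystemTap
Reqs: pkg=systemtap,ver<=1.3
Tags: RHEL=5{systemtap:1.1-3.el5},fedora=13{systemtap:1.2-1.fc13}
Rank: 1
author: Tavis Ormandy
exploit-db: 15620
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2011-1485]${txtrst} pkexec
Reqs: pkg=polkit,ver=0.96
Tags: RHEL=6,ubuntu=10.04|10.10
Rank: 1
exploit-db: 17942
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2011-2921]${txtrst} ktsuss
Reqs: pkg=ktsuss,ver<=1.4
Tags: sparky=5|6
Rank: 1
analysis-url: https://www.openwall.com/lists/oss-security/2011/08/13/2
src-url: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2011-2921/ktsuss-lpe.sh
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0809]${txtrst} death_star (sudo)
Reqs: pkg=sudo,ver>=1.8.0,ver<=1.8.3
Tags: fedora=16
Rank: 1
analysis-url: http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
exploit-db: 18436
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-0476]${txtrst} chkrootkit
Reqs: pkg=chkrootkit,ver<0.50
Tags:
Rank: 1
analysis-url: http://seclists.org/oss-sec/2014/q2/430
exploit-db: 33899
Comments: Rooting depends on the crontab (up to one day of delay)
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2014-5119]${txtrst} __gconv_translit_find
Reqs: pkg=glibc|libc6,x86
Tags: debian=6
Rank: 1
analysis-url: http://googleprojectzero.blogspot.com/2014/08/the-poisoned-nul-byte-2014-edition.html
src-url: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/34421.tar.gz
exploit-db: 34421
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1862]${txtrst} newpid (abrt)
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: fedora=20
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db: 36746
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3315]${txtrst} raceabrt
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: fedora=19{abrt:2.1.5-1.fc19},fedora=20{abrt:2.2.2-2.fc20},fedora=21{abrt:2.3.0-3.fc21},RHEL=7{abrt:2.1.11-12.el7}
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/130
src-url: https://gist.githubusercontent.com/taviso/fe359006836d6cd1091e/raw/32fe8481c434f8cad5bcf8529789231627e5074c/raceabrt.c
exploit-db: 36747
author: Tavis Ormandy
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1318]${txtrst} newpid (apport)
Reqs: pkg=apport,ver>=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern
Tags: ubuntu=14.04
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
src-url: https://gist.githubusercontent.com/taviso/0f02c255c13c5c113406/raw/eafac78dce51329b03bea7167f1271718bee4dcc/newpid.c
exploit-db: 36746
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1318]${txtrst} newpid (apport) 2
Reqs: pkg=apport,ver>=2.13,ver<=2.17,cmd:grep -qi apport /proc/sys/kernel/core_pattern
Tags: ubuntu=14.04.2
Rank: 1
analysis-url: http://openwall.com/lists/oss-security/2015/04/14/4
exploit-db: 36782
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3202]${txtrst} fuse (fusermount)
Reqs: pkg=fuse,ver<2.9.3
Tags: debian=7.0|8.0,ubuntu=*
Rank: 1
analysis-url: http://seclists.org/oss-sec/2015/q2/520
exploit-db: 37089
Comments: Needs cron or system admin interaction
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-1815]${txtrst} setroubleshoot
Reqs: pkg=setroubleshoot,ver<3.2.22
Tags: fedora=21
Rank: 1
exploit-db: 36564
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-3246]${txtrst} userhelper
Reqs: pkg=libuser,ver<=0.60
Tags: RHEL=6{libuser:0.56.13-(4|5).el6},RHEL=6{libuser:0.60-5.el7},fedora=13|19|20|21|22
Rank: 1
analysis-url: https://www.qualys.com/2015/07/23/cve-2015-3245-cve-2015-3246/cve-2015-3245-cve-2015-3246.txt
exploit-db: 37706
Comments: RHEL 5 is also vulnerable, but installed version of glibc (2.5) lacks functions needed by roothelper.c
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-5287]${txtrst} abrt/sosreport-rhel7
Reqs: pkg=abrt,cmd:grep -qi abrt /proc/sys/kernel/core_pattern
Tags: RHEL=7{abrt:2.1.11-12.el7}
Rank: 1
analysis-url: https://www.openwall.com/lists/oss-security/2015/12/01/1
src-url: https://www.openwall.com/lists/oss-security/2015/12/01/1/1
exploit-db: 38832
author: rebel
EOF
)

EXPLOITS_USERSPACE[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2015-6565]${txtrst} not_an_sshnuke
Reqs: pkg=openssh-server,ver>=6.8,ver<=6.9
Tags:
Rank: 1
analysis-url: http://www.openwall.com/lists/oss-security/2017/01/26/2
exploit-db: 41173
author: Federico Bento
Comments: Needs admin interaction (root user needs to login via ssh to trigger exploitation)
EOF
)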

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2015-8612]${txtrst} blueman set\_dhcp\_handler d-bus privesc Reqs: pkg=blueman,ver<2.0.3 Tags: debian=8{blueman:1.23} Rank: 1 analysis-url: <https://twitter.com/thegrugq/status/677809527882813440> exploit-db: 46186 author: Sebastian Krahmer Comments: Distros use own versioning scheme. Manual verification needed. EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2016-1240]${txtrst} tomcat-rootprivesc-deb.sh Reqs: pkg=tomcat Tags: debian=8,ubuntu=16.04 Rank: 1 analysis-url: <https://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html> src-url: <http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh> exploit-db: 40450 author: Dawid Golunski Comments: Affects only Debian-based distros EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2016-1247]${txtrst} nginxed-root.sh Reqs: pkg=nginx|nginx-full,ver<1.10.3 Tags: debian=8,ubuntu=14.04|16.04|16.10 Rank: 1 analysis-url: <https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html> src-url: <https://legalhackers.com/exploits/CVE-2016-1247/nginxed-root.sh> exploit-db: 40768 author: Dawid Golunski Comments: Rooting depends on cron.daily (up to 24h of delay). Affected: deb8: <1.6.2; 14.04: <1.4.6; 16.04: 1.10.0; gentoo: <1.10.2-r3 EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2016-1531]${txtrst} perl\_startup (exim) Reqs: pkg=exim,ver<4.86.2 Tags: Rank: 1 analysis-url: <http://www.exim.org/static/doc/CVE-2016-1531.txt> exploit-db: 39549 EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2016-1531]${txtrst} perl\_startup (exim) 2 Reqs: pkg=exim,ver<4.86.2 Tags: Rank: 1 analysis-url: <http://www.exim.org/static/doc/CVE-2016-1531.txt> exploit-db: 39535 EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2016-4989]${txtrst} setroubleshoot 2 Reqs: pkg=setroubleshoot Tags: RHEL=6|7 Rank: 1 analysis-url: <https://c-skills.blogspot.com/2016/06/lets-feed-attacker-input-to-sh-c-to-see.html> src-url: <https://github.com/stealth/troubleshooter/raw/master/straight-shooter.c> exploit-db: EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2016-5425]${txtrst} tomcat-RH-root.sh Reqs: pkg=tomcat Tags: RHEL=7 Rank: 1 analysis-url: <http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html> src-url: <http://legalhackers.com/exploits/tomcat-RH-root.sh> exploit-db: 40488 author: Dawid Golunski Comments: Affects only RedHat-based distros EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2016-6663,CVE-2016-6664|CVE-2016-6662]${txtrst} mysql-exploit-chain Reqs: pkg=mysql-server|mariadb-server,ver<5.5.52 Tags: ubuntu=16.04.1 Rank: 1 analysis-url: <https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html> src-url: <http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c> exploit-db: 40678 author: Dawid Golunski Comments: Also MariaDB ver<10.1.18 and ver<10.0.28 affected EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2016-9566]${txtrst} nagios-root-privesc Reqs: pkg=nagios,ver<4.2.4 Tags: Rank: 1 analysis-url: <https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html> src-url: <https://legalhackers.com/exploits/CVE-2016-9566/nagios-root-privesc.sh> exploit-db: 40921 author: Dawid Golunski Comments: Allows priv escalation from nagios user or nagios group EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2017-0358]${txtrst} ntfs-3g-modprobe Reqs: pkg=ntfs-3g,ver<2017.4 Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2} Rank: 1 analysis-url: <https://bugs.chromium.org/p/project-zero/issues/detail?id=1072> src-url: <https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip> exploit-db: 41356 author: Jann Horn Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores. EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2017-5899]${txtrst} s-nail-privget Reqs: pkg=s-nail,ver<14.8.16 Tags: ubuntu=16.04,manjaro=16.10 Rank: 1 analysis-url: <https://www.openwall.com/lists/oss-security/2017/01/27/7> src-url: <https://www.openwall.com/lists/oss-security/2017/01/27/7/1> ext-url: <https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh> author: wapiflapi (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url') Comments: Distros use own versioning scheme. Manual verification needed. EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2017-1000367]${txtrst} Sudoer-to-root Reqs: pkg=sudo,ver<=1.8.20,cmd:\[ -f /usr/sbin/getenforce ] Tags: RHEL=7{sudo:1.8.6p7} Rank: 1 analysis-url: <https://www.sudo.ws/alerts/linux\\_tty.html> src-url: <https://www.qualys.com/2017/05/30/cve-2017-1000367/linux\\_sudo\\_cve-2017-1000367.c> exploit-db: 42183 author: Qualys Comments: Needs to be sudoer. Works only on SELinux enabled systems EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2017-1000367]${txtrst} sudopwn Reqs: pkg=sudo,ver<=1.8.20,cmd:\[ -f /usr/sbin/getenforce ] Tags: Rank: 1 analysis-url: <https://www.sudo.ws/alerts/linux\\_tty.html> src-url: <https://raw.githubusercontent.com/c0d3z3r0/sudo-CVE-2017-1000367/master/sudopwn.c> exploit-db: author: c0d3z3r0 Comments: Needs to be sudoer. Works only on SELinux enabled systems EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2017-1000366,CVE-2017-1000370]${txtrst} linux\_ldso\_hwcap Reqs: pkg=glibc|libc6,ver<=2.25,x86 Tags: Rank: 1 analysis-url: <https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt> src-url: <https://www.qualys.com/2017/06/19/stack-clash/linux\\_ldso\\_hwcap.c> exploit-db: 42274 author: Qualys Comments: Uses "Stack Clash" technique, works against most SUID-root binaries EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2017-1000366,CVE-2017-1000371]${txtrst} linux\_ldso\_dynamic Reqs: pkg=glibc|libc6,ver<=2.25,x86 Tags: debian=9|10,ubuntu=14.04.5|16.04.2|17.04,fedora=23|24|25 Rank: 1 analysis-url: <https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt> src-url: <https://www.qualys.com/2017/06/19/stack-clash/linux\\_ldso\\_dynamic.c> exploit-db: 42276 author: Qualys Comments: Uses "Stack Clash" technique, works against most SUID-root PIEs EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2017-1000366,CVE-2017-1000379]${txtrst} linux\_ldso\_hwcap\_64 Reqs: pkg=glibc|libc6,ver<=2.25,x86\_64 Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611 Rank: 1 analysis-url: <https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt> src-url: <https://www.qualys.com/2017/06/19/stack-clash/linux\\_ldso\\_hwcap\\_64.c> exploit-db: 42275 author: Qualys Comments: Uses "Stack Clash" technique, works against most SUID-root binaries EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2017-1000370,CVE-2017-1000371]${txtrst} linux\_offset2lib Reqs: pkg=glibc|libc6,ver<=2.25,x86 Tags: Rank: 1 analysis-url: <https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt> src-url: <https://www.qualys.com/2017/06/19/stack-clash/linux\\_offset2lib.c> exploit-db: 42273 author: Qualys Comments: Uses "Stack Clash" technique EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2018-1000001]${txtrst} RationalLove Reqs: pkg=glibc|libc6,ver<2.27,CONFIG\_USER\_NS=y,sysctl:kernel.unprivileged\_userns\_clone==1,x86\_64 Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9} Rank: 1 analysis-url: <https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/> src-url: <https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c> Comments: kernel.unprivileged\_userns\_clone=1 required bin-url: <https://raw.githubusercontent.com/rapid7/metasploit-framework/master/data/exploits/cve-2018-1000001/RationalLove> exploit-db: 43775 author: halfdog EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2018-10900]${txtrst} vpnc\_privesc.py Reqs: pkg=networkmanager-vpnc|network-manager-vpnc,ver<1.2.6 Tags: ubuntu=16.04{network-manager-vpnc:1.1.93-1},debian=9.0{network-manager-vpnc:1.2.4-4},manjaro=17 Rank: 1 analysis-url: <https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc> src-url: <https://bugzilla.novell.com/attachment.cgi?id=779110> exploit-db: 45313 author: Denis Andzakovic Comments: Distros use own versioning scheme. Manual verification needed. EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2018-14665]${txtrst} raptor\_xorgy Reqs: pkg=xorg-x11-server-Xorg,cmd:\[ -u /usr/bin/Xorg ] Tags: centos=7.4 Rank: 1 analysis-url: <https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html> exploit-db: 45922 author: raptor Comments: X.Org Server before 1.20.3 is vulnerable. Distros use own versioning scheme. Manual verification needed. EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2019-7304]${txtrst} dirty\_sock Reqs: pkg=snapd,ver<2.37,cmd:\[ -S /run/snapd.socket ] Tags: ubuntu=18.10,mint=19 Rank: 1 analysis-url: <https://initblog.com/2019/dirty-sock/> exploit-db: 46361 exploit-db: 46362 src-url: <https://github.com/initstring/dirty\\_sock/archive/master.zip> author: InitString Comments: Distros use own versioning scheme. Manual verification needed. EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2019-10149]${txtrst} raptor\_exim\_wiz Reqs: pkg=exim|exim4,ver>=4.87,ver<=4.91 Tags: Rank: 1 analysis-url: <https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt> exploit-db: 46996 author: raptor EOF )

EXPLOITS\_USERSPACE\[((n++))]=$(cat <\<EOF Name: ${txtgrn}\[CVE-2019-12181]${txtrst} Serv-U FTP Server Reqs: cmd:\[ -u /usr/local/Serv-U/Serv-U ] Tags: debian=9 Rank: 1 analysis-url: <https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html> exploit-db: 47009 src-url: <https://raw.githubusercontent.com/guywhataguy/CVE-2019-12181/master/servu-pe-cve-2019-12181.c> ext-url: <https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-12181/SUroot> author: Guy Levin (orginal exploit author); Brendan Coles (author of exploit update at 'ext-url') Comments: Modified version at 'ext-url' uses bash exec technique, rather than compiling with gcc. EOF )

\###########################################################

### security related HW/kernel features

# Records for --checksec (read by checksecMode): each entry is one here-doc.
#   "section: <title>"     starts a new display group (kernel / HW / 3rd party / attack surface)
#   "feature: <text>"      a named protection; followed by
#   "available: <reqs>"    comma-separated requirements (ver>=X, CONFIG_*=..., cmd:...)
#   "enabled: <reqs>"      optional runtime check (sysctl:KEY==V / KEY!=V, cmd:...)
#   "analysis-url: <url>"  optional background reading
# The counter n is reset here so FEATURES starts at index 0.
\########################################################### n=0

FEATURES\[((n++))]=$(cat <\<EOF section: Mainline kernel protection mechanisms: EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Kernel Page Table Isolation (PTI) support available: ver>=4.15 enabled: cmd:grep -Eqi '\spti' /proc/cpuinfo analysis-url: <https://github.com/mzet-/les-res/blob/master/features/pti.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: GCC stack protector support available: CONFIG\_HAVE\_STACKPROTECTOR=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/stackprotector-regular.md> EOF )

# NOTE(review): this entry is truncated in this rendering (the "<<EOF feature: ... available: ver"
# part is missing); the analysis-url suggests it is the stack-protector-strong feature. Restore it
# from the upstream source before relying on this copy.
FEATURES\[((n++))]=$(cat <=3.14 analysis-url: <https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Low address space to protect from user allocation available: CONFIG\_DEFAULT\_MMAP\_MIN\_ADDR=\[0-9]+ enabled: sysctl:vm.mmap\_min\_addr!=0 analysis-url: <https://github.com/mzet-/les-res/blob/master/features/mmap\\_min\\_addr.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Prevent users from using ptrace to examine the memory and state of their processes available: CONFIG\_SECURITY\_YAMA=y enabled: sysctl:kernel.yama.ptrace\_scope!=0 analysis-url: <https://github.com/mzet-/les-res/blob/master/features/yama\\_ptrace\\_scope.md> EOF )

# NOTE(review): truncated in this rendering as well (feature text and "available: ver" lost);
# the analysis-url suggests the dmesg_restrict feature.
FEATURES\[((n++))]=$(cat <=2.6.37 enabled: sysctl:kernel.dmesg\_restrict!=0 analysis-url: <https://github.com/mzet-/les-res/blob/master/features/dmesg\\_restrict.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Randomize the address of the kernel image (KASLR) available: CONFIG\_RANDOMIZE\_BASE=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/kaslr.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Hardened user copy support available: CONFIG\_HARDENED\_USERCOPY=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/hardened\\_usercopy.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Make kernel text and rodata read-only available: CONFIG\_STRICT\_KERNEL\_RWX=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/strict\\_kernel\\_rwx.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Set loadable kernel module data as NX and text as RO available: CONFIG\_STRICT\_MODULE\_RWX=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/strict\\_module\\_rwx.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: BUG() conditions reporting available: CONFIG\_BUG=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/bug.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Additional 'cred' struct checks available: CONFIG\_DEBUG\_CREDENTIALS=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/debug\\_credentials.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Sanity checks for notifier call chains available: CONFIG\_DEBUG\_NOTIFIERS=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/debug\\_notifiers.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Extended checks for linked-lists walking available: CONFIG\_DEBUG\_LIST=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/debug\\_list.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Checks on scatter-gather tables available: CONFIG\_DEBUG\_SG=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/debug\\_sg.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Checks for data structure corruptions available: CONFIG\_BUG\_ON\_DATA\_CORRUPTION=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/bug\\_on\\_data\\_corruption.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Checks for a stack overrun on calls to 'schedule' available: CONFIG\_SCHED\_STACK\_END\_CHECK=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/sched\\_stack\\_end\\_check.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Freelist order randomization on new pages creation available: CONFIG\_SLAB\_FREELIST\_RANDOM=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/slab\\_freelist\\_random.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Freelist metadata hardening available: CONFIG\_SLAB\_FREELIST\_HARDENED=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/slab\\_freelist\\_hardened.md> EOF )

# the second availability requirement is a negated command: the feature counts as
# available only when slub_debug is not switched off on the kernel command line
FEATURES\[((n++))]=$(cat <\<EOF feature: Allocator validation checking available: CONFIG\_SLUB\_DEBUG\_ON=y,cmd:! grep 'slub\_debug=-' /proc/cmdline analysis-url: <https://github.com/mzet-/les-res/blob/master/features/slub\\_debug.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Virtually-mapped kernel stacks with guard pages available: CONFIG\_VMAP\_STACK=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/vmap\\_stack.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Pages poisoning after free\_pages() call available: CONFIG\_PAGE\_POISONING=y enabled: cmd: grep 'page\_poison=1' /proc/cmdline analysis-url: <https://github.com/mzet-/les-res/blob/master/features/page\\_poisoning.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Using 'refcount\_t' instead of 'atomic\_t' available: CONFIG\_REFCOUNT\_FULL=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/refcount\\_full.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Hardening common str/mem functions against buffer overflows available: CONFIG\_FORTIFY\_SOURCE=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/fortify\\_source.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Restrict /dev/mem access available: CONFIG\_STRICT\_DEVMEM=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/strict\\_devmem.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Restrict I/O access to /dev/mem available: CONFIG\_IO\_STRICT\_DEVMEM=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/io\\_strict\\_devmem.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF section: Hardware-based protection features: EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Supervisor Mode Execution Protection (SMEP) support available: ver>=3.0 enabled: cmd:grep -qi smep /proc/cpuinfo analysis-url: <https://github.com/mzet-/les-res/blob/master/features/smep.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Supervisor Mode Access Prevention (SMAP) support available: ver>=3.7 enabled: cmd:grep -qi smap /proc/cpuinfo analysis-url: <https://github.com/mzet-/les-res/blob/master/features/smap.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF section: 3rd party kernel protection mechanisms: EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Grsecurity available: CONFIG\_GRKERNSEC=y enabled: cmd:test -c /dev/grsec EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: PaX available: CONFIG\_PAX=y enabled: cmd:test -x /sbin/paxctl EOF )

# NOTE(review): this record has no "available:" line. checksecMode reads the second
# line of every feature as the availability line and strips its first 11 characters,
# so the "enabled:" line appears to be consumed there as a malformed requirement —
# confirm how LKRG is reported before trusting its --checksec output.
FEATURES\[((n++))]=$(cat <\<EOF feature: Linux Kernel Runtime Guard (LKRG) kernel module enabled: cmd:test -d /proc/sys/lkrg analysis-url: <https://github.com/mzet-/les-res/blob/master/features/lkrg.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF section: Attack Surface: EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: User namespaces for unprivileged accounts available: CONFIG\_USER\_NS=y enabled: sysctl:kernel.unprivileged\_userns\_clone==1 analysis-url: <https://github.com/mzet-/les-res/blob/master/features/user\\_ns.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Unprivileged access to bpf() system call available: CONFIG\_BPF\_SYSCALL=y enabled: sysctl:kernel.unprivileged\_bpf\_disabled!=1 analysis-url: <https://github.com/mzet-/les-res/blob/master/features/bpf\\_syscall.md> EOF )

# the "enabled:" command prints the Seccomp mode (0/1/2) instead of returning a status;
# checksecMode shows that printed value as "Set to N". The analysis-url appears to
# reuse the bpf_syscall page — presumably a copy/paste slip.
FEATURES\[((n++))]=$(cat <\<EOF feature: Syscalls filtering available: CONFIG\_SECCOMP=y enabled: cmd:grep -i Seccomp /proc/self/status | awk '{print $2}' analysis-url: <https://github.com/mzet-/les-res/blob/master/features/bpf\\_syscall.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Support for /dev/mem access available: CONFIG\_DEVMEM=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/devmem.md> EOF )

FEATURES\[((n++))]=$(cat <\<EOF feature: Support for /dev/kmem access available: CONFIG\_DEVKMEM=y analysis-url: <https://github.com/mzet-/les-res/blob/master/features/devkmem.md> EOF )

version() {
  # Print the one-line banner: tool name, release tag from $VERSION, author, site and date.
  printf '%s\n' "linux-exploit-suggester ${VERSION}, mzet, https://z-labs.eu, March 2019"
}

usage() {
  # Print the command-line help to stdout. The quoted delimiter keeps the text
  # literal (no expansion), so the option descriptions are written exactly as shown.
  cat <<'EOF'
Usage: linux-exploit-suggester.sh [OPTIONS]

 -V | --version - print version of this script
 -h | --help - print this help
 -k | --kernel - provide kernel version
 -u | --uname - provide 'uname -a' string
 --skip-more-checks - do not perform additional checks (kernel config, sysctl) to determine if exploit is applicable
 --skip-pkg-versions - skip checking for exact userspace package version (helps to avoid false negatives)
 -p | --pkglist-file - provide file with 'dpkg -l' or 'rpm -qa' command output
 --cvelist-file - provide file with Linux kernel CVEs list
 --checksec - list security related features for your HW/kernel
 -s | --fetch-sources - automatically downloads source for matched exploit
 -b | --fetch-binaries - automatically downloads binary for matched exploit if available
 -f | --full - show full info about matched exploit
 -g | --short - show shorten info about matched exploit
 --kernelspace-only - show only kernel vulnerabilities
 --userspace-only - show only userspace vulnerabilities
 -d | --show-dos - show also DoSes in results
EOF
}

exitWithErrMsg() {
  # Report a fatal error on stderr and terminate the whole script with status 1.
  # Arguments: $1 - message to print
  printf '%s\n' "$1" >&2
  exit 1
}

## extracts all information from output of 'uname -a' command

parseUname() {
  #######################################
  # Derive the global OS facts from one line of 'uname -a' output.
  # Globals:   KERNEL, KERNEL_ALL, ARCH, OS (written)
  # Arguments: $1 - the 'uname -a' string (assumed to be a single line)
  # Notes:     the distribution is only guessed from release-string markers;
  #            'uname -a' does not carry the distribution version.
  #######################################
  local uname=$1
  local -a fields
  local nfields lc

  # whitespace-split like awk does: field 3 is the kernel release string
  read -r -a fields <<< "$uname"
  nfields=${#fields[@]}
  KERNEL_ALL=${fields[2]:-}
  # keep only the dotted version in front of the first '-' ("4.15.0-45-generic" -> "4.15.0")
  KERNEL=${KERNEL_ALL%%-*}

  # the machine type is the second-to-last field ("... x86_64 GNU/Linux")
  case $nfields in
    0) ARCH="" ;;
    1) ARCH=${fields[0]} ;;
    *) ARCH=${fields[nfields - 2]} ;;
  esac

  # case-insensitive substring markers; a later match overrides an earlier one
  lc=${uname,,}
  OS=""
  [[ $lc == *deb* ]]      && OS="debian"
  [[ $lc == *ubuntu* ]]   && OS="ubuntu"
  [[ $lc == *-arch* ]]    && OS="arch"
  [[ $lc == *-deepin* ]]  && OS="deepin"
  [[ $lc == *-manjaro* ]] && OS="manjaro"
  [[ $lc == *.fc* ]]      && OS="fedora"
  [[ $lc == *.el* ]]      && OS="RHEL"
  [[ $lc == *.mga* ]]     && OS="mageia"
}

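getPkgList() {
  #######################################
  # Fill PKG_LIST with "name-version" entries, either from the running system's
  # package manager or from a saved listing when --pkglist-file was given.
  # Globals:   opt_pkglist_file (read), PKG_LIST, OS (written)
  # Arguments: $1 - distro name detected so far ("debian", "RHEL", "arch", ...)
  #            $2 - path to a saved 'dpkg -l' / 'rpm -qa' / 'pacman -Q' listing
  # Notes:     when a listing file is used, OS is overridden from the file's
  #            content because it may come from another machine.
  #######################################
  local distro=$1
  local pkglist_file=$2

  if [[ "$opt_pkglist_file" = "true" && -e "$pkglist_file" ]]; then
    # detect whether the file is a 'dpkg -l', 'rpm -qa' or 'pacman -Q' listing
    if head -n 1 "$pkglist_file" | grep -q 'Desired=Unknown/Install/Remove/Purge/Hold'; then
      # ubuntu/debian package listing file: column 2 is the name, column 3 the version
      PKG_LIST=$(awk '{print $2"-"$3}' "$pkglist_file" | sed 's/:amd64//g')
      OS="debian"
      grep -q ubuntu "$pkglist_file" && OS="ubuntu"
    # redhat package listing file
    elif grep -E -q '\.el[1-9]+[\._]' "$pkglist_file"; then
      PKG_LIST=$(<"$pkglist_file")
      OS="RHEL"
    # fedora package listing file
    # (the previous pattern had a stray "i" outside the quotes, '\.fc[1-9]+'i, which
    # demanded a literal "i" right after the release number and so never matched)
    elif grep -E -q '\.fc[1-9]+' "$pkglist_file"; then
      PKG_LIST=$(<"$pkglist_file")
      OS="fedora"
    # mageia package listing file
    elif grep -E -q '\.mga[1-9]+' "$pkglist_file"; then
      PKG_LIST=$(<"$pkglist_file")
      OS="mageia"
    # pacman package listing file ("name version")
    elif grep -E -q '\ [0-9]+\.' "$pkglist_file"; then
      PKG_LIST=$(awk '{print $1"-"$2}' "$pkglist_file")
      OS="arch"
    # file not recognized - skipping
    else
      PKG_LIST=""
    fi

  elif [[ "$distro" = "debian" || "$distro" = "ubuntu" || "$distro" = "deepin" ]]; then
    PKG_LIST=$(dpkg -l | awk '{print $2"-"$3}' | sed 's/:amd64//g')
  elif [[ "$distro" = "RHEL" || "$distro" = "fedora" || "$distro" = "mageia" ]]; then
    PKG_LIST=$(rpm -qa)
  elif [[ "$distro" = "arch" || "$distro" = "manjaro" ]]; then
    PKG_LIST=$(pacman -Q | awk '{print $1"-"$2}')
  elif [ -x /usr/bin/equery ]; then
    # gentoo: equery prints "category/name:version"; keep "name:version"
    PKG_LIST=$(/usr/bin/equery --quiet list '*' -F '$name:$version' | cut -d/ -f2- | awk '{print $1":"$2}')
  else
    # packages listing not available
    PKG_LIST=""
  fi
}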

## from: <https://stackoverflow.com/questions/4023830/how-compare-two-strings-in-dot-separated-version-format-in-bash>

verComparision() {
  #######################################
  # Compare two dotted version strings numerically, field by field.
  # Arguments: $1 - first version (e.g. "4.15.0")
  #            $2 - second version
  # Returns:   0 when equal, 1 when $1 > $2, 2 when $1 < $2
  # Notes:     fields must be decimal; a missing field counts as 0, so
  #            "4.15" equals "4.15.0".
  #######################################
  # identical strings (unquoted on purpose, as in the upstream snippet: $2 acts as a pattern)
  [[ $1 == $2 ]] && return 0

  local IFS=.
  local -a lhs=($1) rhs=($2)
  local idx left right fieldCount=${#lhs[@]}

  # walk the longer of the two field lists
  (( ${#rhs[@]} > fieldCount )) && fieldCount=${#rhs[@]}

  for ((idx = 0; idx < fieldCount; idx++)); do
    # 10# forces base 10 so a field such as "08" is not read as an invalid octal literal
    left=$((10#${lhs[idx]:-0}))
    right=$((10#${rhs[idx]:-0}))
    (( left > right )) && return 1
    (( left < right )) && return 2
  done

  return 0
}

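doVersionComparision() {
  #######################################
  # Decide whether currentVersion satisfies "reqRelation reqVersion"
  # (e.g. is 2.36 "<" 2.37).
  # Arguments: $1 - required version
  #            $2 - relation: "=", ">", "<", ">=" or "<="
  #            $3 - version found on the system
  # Returns:   0 when the requirement is met, 1 otherwise — also for an
  #            empty current version and for an unknown relation (the old
  #            code fell off the end of an if-chain and returned 0 there)
  #######################################
  local reqVersion="$1" reqRelation="$2" currentVersion="$3"
  local currentRelation

  # An empty (unparsed) version cannot confirm any constraint. Previously the
  # unquoted call shifted the arguments so an empty version compared as "greater".
  [ -z "$currentVersion" ] && return 1

  verComparision "$currentVersion" "$reqVersion"
  case $? in
    0) currentRelation='=' ;;
    1) currentRelation='>' ;;
    2) currentRelation='<' ;;
  esac

  # "required:actual" pairs that satisfy the requirement
  case "${reqRelation}:${currentRelation}" in
    '=:='|'>:>'|'<:<'|'>=:='|'>=:>'|'<=:='|'<=:<') return 0 ;;
  esac
  return 1
}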

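compareValues() {
  #######################################
  # Test a sysctl-style condition: does curVal relate to val as sign says?
  # Arguments: $1 - value currently set on the system
  #            $2 - value required by the features/exploits DB
  #            $3 - relation, "==" or "!="
  # Returns:   0 when the condition holds, 1 otherwise (including an unknown sign)
  #######################################
  # local: the caller uses variables of the same names and must keep its own copies
  local curVal=$1 val=$2 sign=$3

  case "$sign" in
    '==') [ "$val" = "$curVal" ] && return 0 ;;
    '!=') [ "$val" != "$curVal" ] && return 0 ;;
  esac

  return 1
}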

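checkRequirement() {
  #######################################
  # Evaluate one requirement token of an exploits/features DB "Reqs:" line
  # against the facts gathered about this system.
  # Token forms:  pkg=NAME[|ALT]   ver<X ver<=X ver>=X ver>X ver=X
  #               x86 | x86_64     CONFIG_*=...   sysctl:KEY==V / KEY!=V   cmd:SHELL
  # Globals:   PKG_LIST, KERNEL, ARCH, KCONFIG, opt_* flags (read)
  # Arguments: $1 - the requirement token
  #            $2 - the "pkg=..." token of the same Reqs line; its name tells
  #                 which package a "ver..." token refers to
  # Returns:   0 met, 1 not met,
  #            2 (sysctl tokens in --checksec mode only) key absent on this system
  #######################################
  local IN="$1"
  local pkgName="${2:4}"   # strip the leading "pkg="
  local pkg version rest operator pkgVersion
  local sysctlCondition sign val entry curVal cmd

  if [[ "$IN" =~ ^pkg=.*$ ]]; then
    # always true for Linux OS
    [ "$pkgName" = "linux-kernel" ] && return 0

    # verify if package is present
    pkg=$(lookupInstalledPkg "$pkgName")
    [ -n "$pkg" ] && return 0

  elif [[ "$IN" =~ ^ver.*$ ]]; then
    # "ver<=1.8.20" -> version "1.8.20", operator "<="
    version="${IN//[^0-9.]/}"
    rest="${IN#ver}"
    operator=${rest%"$version"}

    if [ "$pkgName" = "linux-kernel" ] || [ "$opt_checksec_mode" = "true" ]; then
      # for --cvelist-file mode skip kernel version comparision
      [ "$opt_cvelist_file" = "true" ] && return 0

      # without a kernel version nothing can be confirmed
      [ -z "$KERNEL" ] && return 1
      doVersionComparision "$version" "$operator" "$KERNEL" && return 0
    else
      pkg=$(lookupInstalledPkg "$pkgName")

      # skip (if run with --skip-pkg-versions) version checking if package with given name is installed
      [ "$opt_skip_pkg_versions" = "true" ] && [ -n "$pkg" ] && return 0

      # pull the version out of "name-1.2.3-4ubuntu1"; only the first match is used
      # (the unquoted expansion of the old code silently dropped any further matches)
      pkgVersion=$(printf '%s\n' "$pkg" | grep -E -i -o -e '-[\.0-9\+:p]+[-\+]' | head -n 1 | cut -d':' -f2 | sed 's/[\+-]//g' | sed 's/p[0-9]//g')

      # no parsable version -> the constraint cannot be confirmed
      # (--skip-pkg-versions is the documented way to bypass this)
      [ -z "$pkgVersion" ] && return 1
      doVersionComparision "$version" "$operator" "$pkgVersion" && return 0
    fi

  # an unknown architecture (ARCH empty) satisfies both arch tokens
  elif [[ "$IN" == "x86_64" && ( "$ARCH" == "x86_64" || -z "$ARCH" ) ]]; then
    return 0
  elif [[ "$IN" == "x86" && ( "$ARCH" == "i386" || "$ARCH" == "i686" || -z "$ARCH" ) ]]; then
    return 0

  elif [[ "$IN" =~ ^CONFIG_.*$ ]]; then
    # skip if check is not applicable (-k or --uname or -p set) or if user said so (--skip-more-checks)
    [ "$opt_skip_more_checks" = "true" ] && return 0

    # config is not available: the option cannot be verified, treat it as met
    [ -z "$KCONFIG" ] && return 0

    # $KCONFIG is a command line ("zcat /proc/config.gz"), expanded unquoted on purpose;
    # $IN is an extended regex such as CONFIG_DEFAULT_MMAP_MIN_ADDR=[0-9]+
    if $KCONFIG | grep -E -qi "$IN"; then
      return 0
    fi
    # required option wasn't found, exploit is not applicable
    return 1

  elif [[ "$IN" =~ ^sysctl:.*$ ]]; then
    # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks)
    [ "$opt_skip_more_checks" = "true" ] && return 0

    sysctlCondition="${IN:7}"

    # extract sysctl entry, relation sign and required value
    if [[ "$sysctlCondition" == *"!="* ]]; then
      sign="!="
    elif [[ "$sysctlCondition" == *"=="* ]]; then
      sign="=="
    else
      exitWithErrMsg "Wrong sysctl condition. There is syntax error in your features DB. Aborting."
    fi
    entry=${sysctlCondition%%"$sign"*}
    val=${sysctlCondition#*"$sign"}

    # current setting: -n prints the bare value; an unknown key prints nothing
    # (the old 'sysctl -a | grep "$entry"' also matched any key containing $entry)
    curVal=$(/sbin/sysctl -n "$entry" 2>/dev/null)

    # special case for --checksec mode: return 2 if there is no such switch in sysctl
    [ -z "$curVal" ] && [ "$opt_checksec_mode" = "true" ] && return 2

    # for other modes: skip if there is no such switch in sysctl
    [ -z "$curVal" ] && return 0

    # compare & return result
    compareValues "$curVal" "$val" "$sign" && return 0

  elif [[ "$IN" =~ ^cmd:.*$ ]]; then
    # skip if check is not applicable (-k or --uname or -p modes) or if user said so (--skip-more-checks)
    [ "$opt_skip_more_checks" = "true" ] && return 0

    # The command text comes from the DB embedded in this script, not from user
    # input, and may be a pipeline — hence eval. Never route externally supplied
    # DB entries through here.
    cmd="${IN:4}"
    if eval "${cmd}"; then
      return 0
    fi
  fi

  return 1
}

#######################################
# Print the first PKG_LIST entry for a package name; alternatives are joined
# with "|" in the DB (e.g. "glibc|libc6"). The name is grouped so "^" and
# "-[0-9]+" apply to every alternative — ungrouped, "nginx|nginx-full" matched
# any entry merely starting with "nginx", such as nginx-common.
# Globals:   PKG_LIST (read)
# Arguments: $1 - package name or "|"-separated alternatives
# Outputs:   matching "name-version" line, or nothing
#######################################
lookupInstalledPkg() {
  local pkgName=$1
  printf '%s\n' "$PKG_LIST" | grep -E -i "^(${pkgName})-[0-9]+" | head -n 1
}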

getKernelConfig() {
  #######################################
  # Point KCONFIG at a command that prints the running kernel's .config.
  # Tried in order: /proc/config.gz, /boot/config-<release>, then the
  # $KBUILD_OUTPUT (default /usr/src/linux) tree. Empty when none exists.
  # Globals:   KBUILD_OUTPUT (read), KCONFIG (written)
  #######################################
  local release buildDir
  release=$(uname -r)
  buildDir=${KBUILD_OUTPUT:-/usr/src/linux}

  KCONFIG=""
  if [ -f /proc/config.gz ]; then
    KCONFIG="zcat /proc/config.gz"
  elif [ -f "/boot/config-${release}" ]; then
    KCONFIG="cat /boot/config-${release}"
  elif [ -f "${buildDir}/.config" ]; then
    KCONFIG="cat ${buildDir}/.config"
  fi
}

#######################################
# --checksec report: walk the FEATURES records and print one status line per
# feature ("Enabled"/"Disabled", "Exposed"/"Locked", "N/A", "Unknown" or
# "Set to N"), grouped under the "section:" headings.
# Globals:   FEATURES, KCONFIG, txt*/bld* colour codes (read)
#            MODE, NAME, PRE_NAME, AVAILABLE, ENABLE, CONFIG, state, arr, array
#            and the *_REQ counters (written; none of them is local)
# Relies on: checkRequirement
#######################################
checksecMode() {

```
MODE=0

# start analysis
```

for FEATURE in "${FEATURES\[@]}"; do

```
# create array from current exploit here doc and fetch needed lines
# NOTE(review): 'arr' is never reset between features, so entries beyond the
# current record's line count are stale; only arr[0] and arr[1] are read below.
i=0
# ('-r' is used to not interpret backslash used for bash colors)
while read -r line
do
    arr[i]="$line"
    i=$((i + 1))
done <<< "$FEATURE"

# modes: kernel-feature (1) | hw-feature (2) | 3rdparty-feature (3) | attack-surface (4)
NAME="${arr[0]}"
PRE_NAME="${NAME:0:8}"
NAME="${NAME:9}"
if [ "${PRE_NAME}" = "section:" ]; then
	# advance to next MODE
	MODE=$(($MODE + 1))

    echo
    echo -e "${bldwht}${NAME}${txtrst}"
    echo
    continue
fi

# line 2 is assumed to be "available: ..." (11 characters stripped). NOTE(review): a
# record whose second line is "enabled: ..." instead (no "available:" line) gets that
# line mangled into a bogus requirement here — confirm against the LKRG record.
AVAILABLE="${arr[1]}" && AVAILABLE="${AVAILABLE:11}"
ENABLE=$(echo "$FEATURE" | grep "enabled: " | awk -F'ed: ' '{print $2}')
analysis_url=$(echo "$FEATURE" | grep "analysis-url: " | awk '{print $2}')

# split line with availability requirements & loop thru all availability reqs one by one & check whether it is met
IFS=',' read -r -a array <<< "$AVAILABLE"
AVAILABLE_REQS_NUM=${#array[@]}
AVAILABLE_PASSED_REQ=0
CONFIG=""
for REQ in "${array[@]}"; do

	# find CONFIG_ name (if present) for current feature (only for display purposes)
	if [ -z "$CONFIG" ]; then
		config=$(echo "$REQ" | grep "CONFIG_")
		[ -n "$config" ] && CONFIG="($(echo $REQ | cut -d'=' -f1))"
	fi

    # the subshell keeps any variables checkRequirement sets out of this scope;
    # the first failing requirement ends the scan
    if (checkRequirement "$REQ"); then
        AVAILABLE_PASSED_REQ=$(($AVAILABLE_PASSED_REQ + 1))
    else
        break
    fi
done

# split line with enablement requirements & loop thru all enablement reqs one by one & check whether it is met
ENABLE_PASSED_REQ=0
ENABLE_REQS_NUM=0
# NOTE(review): noSysctl is set below but not read anywhere in this function.
noSysctl=0
if [ -n "$ENABLE" ]; then
    IFS=',' read -r -a array <<< "$ENABLE"
    ENABLE_REQS_NUM=${#array[@]}
    for REQ in "${array[@]}"; do
        # stdout of a "cmd:" check (e.g. the Seccomp mode number) is kept for display
        cmdStdout=$(checkRequirement "$REQ")
        retVal=$?
        if [ $retVal -eq 0 ]; then
            ENABLE_PASSED_REQ=$(($ENABLE_PASSED_REQ + 1))
        elif [ $retVal -eq 2 ]; then
        # special case: sysctl entry is not present on given system: signal it as: N/A
            noSysctl=1
            break
        else
            break
        fi
    done
fi

feature=$(echo "$FEATURE" | grep "feature: " | cut -d' ' -f 2-)

# a check that printed something is reported as "Set to <value>" (red when 0);
# a non-numeric value makes '-eq' fail with an error and falls into the green branch
if [ -n "$cmdStdout" ]; then
    if [ "$cmdStdout" -eq 0 ]; then
        state="[ ${txtred}Set to $cmdStdout${txtrst} ]"
		cmdStdout=""
    else
        state="[ ${txtgrn}Set to $cmdStdout${txtrst} ]"
		cmdStdout=""
    fi
else

unknown="[ ${txtgray}Unknown${txtrst}  ]"

# for 3rd party (3) mode display "N/A" or "Enabled"
if [ $MODE -eq 3 ]; then
    enabled="[ ${txtgrn}Enabled${txtrst}   ]"
    disabled="[   ${txtgray}N/A${txtrst}    ]"

# for attack-surface (4) mode display "Locked" or "Exposed"
elif [ $MODE -eq 4 ]; then
   enabled="[ ${txtred}Exposed${txtrst}  ]"
   disabled="[ ${txtgrn}Locked${txtrst}   ]"

#other modes" "Disabled" / "Enabled"
else
	enabled="[ ${txtgrn}Enabled${txtrst}  ]"
	disabled="[ ${txtred}Disabled${txtrst} ]"
fi

# without a kernel config and without a runtime check nothing can be concluded
if [ -z "$KCONFIG" -a "$ENABLE_REQS_NUM" = 0 ]; then
    state=$unknown
elif [ $AVAILABLE_PASSED_REQ -eq $AVAILABLE_REQS_NUM -a $ENABLE_PASSED_REQ -eq $ENABLE_REQS_NUM ]; then
    state=$enabled
else
    state=$disabled
fi

fi

echo -e " $state $feature ${wht}${CONFIG}${txtrst}"
[ -n "$analysis_url" ] && echo -e "              $analysis_url"
echo
```

done

}

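#######################################
# Map an exploit's numeric Rank to the exposure label printed next to
# "Exposure:" in the standard result view.
# Arguments: $1 - rank (non-negative integer computed by the analysis loop)
# Outputs:   one of "highly probable" (rank >= 6), "probable" (rank >= 3) or
#            "less probable" (anything else, including a missing or
#            non-numeric rank) on stdout
# Returns:   0
#######################################
displayExposure() {
	# 'local' keeps the caller's global RANK untouched; the previous global
	# assignment was only harmless because callers invoke this inside $(...).
	local rank=$1

	# A missing or non-numeric rank used to make '[ -ge ]' print an
	# "integer expression expected" error on stderr and then fall through to
	# the last branch; put it in the lowest bucket explicitly instead.
	if ! [[ "$rank" =~ ^[0-9]+$ ]]; then
		echo "less probable"
		return 0
	fi

	if [ "$rank" -ge 6 ]; then
		echo "highly probable"
	elif [ "$rank" -ge 3 ]; then
		echo "probable"
	else
		echo "less probable"
	fi
	return 0
}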

# parse command line parameters
# getopt normalises the argument list (quoted, '--' terminated) and rejects
# unknown switches itself; the case statement below then sets the opt_*
# flags and the values that go with them.
if ! ARGS=$(getopt --options "$SHORTOPTS" --longoptions "$LONGOPTS" -- "$@"); then
	exitWithErrMsg "Aborting."
fi

eval set -- "$ARGS"

while true; do
	case "$1" in
		-u|--uname)
			shift
			UNAME_A="$1"
			opt_uname_string=true
			;;
		-V|--version)
			version
			exit 0
			;;
		-h|--help)
			usage
			exit 0
			;;
		-f|--full) opt_full=true ;;
		-g|--short) opt_summary=true ;;
		-b|--fetch-binaries) opt_fetch_bins=true ;;
		-s|--fetch-sources) opt_fetch_srcs=true ;;
		-k|--kernel)
			shift
			KERNEL="$1"
			opt_kernel_version=true
			;;
		-d|--show-dos) opt_show_dos=true ;;
		-p|--pkglist-file)
			shift
			PKGLIST_FILE="$1"
			opt_pkglist_file=true
			;;
		--cvelist-file)
			shift
			CVELIST_FILE="$1"
			opt_cvelist_file=true
			;;
		--checksec) opt_checksec_mode=true ;;
		--kernelspace-only) opt_kernel_only=true ;;
		--userspace-only) opt_userspace_only=true ;;
		--skip-more-checks) opt_skip_more_checks=true ;;
		--skip-pkg-versions) opt_skip_pkg_versions=true ;;
		*)
			# this is the '--' getopt appended; anything after it is unexpected
			shift
			[ "$#" != "0" ] && exitWithErrMsg "Unknown option '$1'. Aborting."
			break
			;;
	esac
	shift
done

# check Bash version (associative arrays need Bash in version 4.0+)
[ "${BASH_VERSINFO[0]}" -lt 4 ] && exitWithErrMsg "Script needs Bash in version 4.0 or newer. Aborting."

## exit if both --kernel and --uname are set

\[ "$opt\_kernel\_version" = "true" ] && \[ $opt\_uname\_string = "true" ] && exitWithErrMsg "Switches -u|--uname and -k|--kernel are mutually exclusive. Aborting."

## exit if both --full and --short are set

\[ "$opt\_full" = "true" ] && \[ $opt\_summary = "true" ] && exitWithErrMsg "Switches -f|--full and -g|--short are mutually exclusive. Aborting."

## --cvelist-file mode is standalone mode and is not applicable when one of -k | -u | -p | --checksec switches are set

if \[ "$opt\_cvelist\_file" = "true" ]; then \[ ! -e "$CVELIST\_FILE" ] && exitWithErrMsg "Provided CVE list file does not exists. Aborting." \[ "$opt\_kernel\_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --cvelist-file are mutually exclusive. Aborting." \[ "$opt\_uname\_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --cvelist-file are mutually exclusive. Aborting." \[ "$opt\_pkglist\_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --cvelist-file are mutually exclusive. Aborting." fi

## --checksec mode is standalone mode and is not applicable when one of -k | -u | -p | --cvelist-file switches are set

if \[ "$opt\_checksec\_mode" = "true" ]; then \[ "$opt\_kernel\_version" = "true" ] && exitWithErrMsg "Switches -k|--kernel and --checksec are mutually exclusive. Aborting." \[ "$opt\_uname\_string" = "true" ] && exitWithErrMsg "Switches -u|--uname and --checksec are mutually exclusive. Aborting." \[ "$opt\_pkglist\_file" = "true" ] && exitWithErrMsg "Switches -p|--pkglist-file and --checksec are mutually exclusive. Aborting." fi

# extract kernel version and other OS info like distro name, distro version, etc. 3 possibilities here:
#
# Globals read:    opt_kernel_version, opt_uname_string, opt_cvelist_file,
#                  opt_checksec_mode, opt_pkglist_file, opt_skip_more_checks,
#                  KERNEL, UNAME_A, PKGLIST_FILE
# Globals written: KERNEL, ARCH, OS, DISTRO, UNAME_A, opt_skip_more_checks;
#                  EXPLOITS is replaced by an empty table in the
#                  pkglist-file-only run.  KCONFIG and PKG_LIST are presumably
#                  filled by getKernelConfig / getPkgList (defined elsewhere in
#                  the file) - they are tested right after those calls.
# The branches are tried in this order, so if several mode switches survive
# the mutual-exclusion checks above, the first matching one wins.

# case 1: --kernel set
if [ "$opt_kernel_version" == "true" ]; then
	# TODO: add kernel version number validation
	[ -z "$KERNEL" ] && exitWithErrMsg "Unrecognized kernel version given. Aborting."
	# only the kernel string is known; nothing about the machine's arch/distro
	ARCH=""
	OS=""

	# do not perform additional checks on current machine
	opt_skip_more_checks=true

	# do not consider current OS
	getPkgList "" "$PKGLIST_FILE"

# case 2: --uname set
elif [ "$opt_uname_string" == "true" ]; then
	[ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
	parseUname "$UNAME_A"

	# do not perform additional checks on current machine
	opt_skip_more_checks=true

	# do not consider current OS
	getPkgList "" "$PKGLIST_FILE"

# case 3: --cvelist-file mode
elif [ "$opt_cvelist_file" = "true" ]; then
	# get kernel configuration in this mode
	[ "$opt_skip_more_checks" = "false" ] && getKernelConfig

# case 4: --checksec mode
elif [ "$opt_checksec_mode" = "true" ]; then
	# this switch is not applicable in this mode
	opt_skip_more_checks=false

	# get kernel configuration in this mode
	getKernelConfig
	[ -z "$KCONFIG" ] && echo "WARNING. Kernel Config not found on the system results won't be complete."

	# launch checksec mode
	checksecMode

	# checksec is a standalone report; the exploit matching below never runs
	exit 0

# case 5: no --uname | --kernel | --cvelist-file | --checksec set
else
	# --pkglist-file NOT provided: take all info from current machine
	# case for vanilla execution: ./linux-exploit-suggester.sh
	if [ "$opt_pkglist_file" == "false" ]; then
		UNAME_A=$(uname -a)
		[ -z "$UNAME_A" ] && exitWithErrMsg "uname string empty. Aborting."
		parseUname "$UNAME_A"

		# get kernel configuration in this mode
		[ "$opt_skip_more_checks" = "false" ] && getKernelConfig

		# extract distribution version from /etc/os-release OR /etc/lsb-release
		# (first DISTRIB_RELEASE= or VERSION_ID= line in /etc/*-release, with
		# surrounding double quotes removed; -s silences missing-file errors)
		[ -n "$OS" -a "$opt_skip_more_checks" = "false" ] && DISTRO=$(grep -s -E '^DISTRIB_RELEASE=|^VERSION_ID=' /etc/*-release | cut -d'=' -f2 | head -1 | tr -d '"')

		# extract package listing from current OS
		getPkgList "$OS" ""

	# --pkglist-file provided: only consider userspace exploits against provided package listing
	else
		KERNEL=""
		#TODO: extract machine arch from package listing
		ARCH=""
		# unset + re-declare empties the kernel exploit table, so only
		# EXPLOITS_USERSPACE is searched in this mode
		unset EXPLOITS
		declare -A EXPLOITS
		getPkgList "" "$PKGLIST_FILE"

		# additional checks are not applicable for this mode
		opt_skip_more_checks=true
	fi
fi

# print the facts the analysis is based on; known values are shown in green,
# missing ones as a red "N/A"
echo
echo -e "${bldwht}Available information:${txtrst}"
echo

if [ -n "$KERNEL" ]; then
	echo -e "Kernel version: ${txtgrn}$KERNEL${txtrst}"
else
	echo -e "Kernel version: ${txtred}N/A${txtrst}"
fi

if [ -n "$ARCH" ]; then
	echo -e "Architecture: ${txtgrn}$ARCH${txtrst}"
else
	echo -e "Architecture: ${txtred}N/A${txtrst}"
fi

if [ -n "$OS" ]; then
	echo -e "Distribution: ${txtgrn}$OS${txtrst}"
else
	echo -e "Distribution: ${txtred}N/A${txtrst}"
fi

# kept in the nested form: the value passes through 'echo -e' twice here
echo -e "Distribution version: $([ -n "$DISTRO" ] && echo -e "${txtgrn}$DISTRO${txtrst}" || echo -e "${txtred}N/A${txtrst}")"

if [ "$opt_skip_more_checks" == "false" ]; then
	echo -e "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): ${txtgrn}performed${txtrst}"
else
	echo -e "Additional checks (CONFIG_*, sysctl entries, custom Bash commands): ${txtred}N/A${txtrst}"
fi

# where the package listing came from (left empty when there is none)
if [ -n "$PKGLIST_FILE" ] && [ -n "$PKG_LIST" ]; then
	pkgListFile="${txtgrn}$PKGLIST_FILE${txtrst}"
elif [ -n "$PKGLIST_FILE" ]; then
	pkgListFile="${txtred}unrecognized file provided${txtrst}"
elif [ -n "$PKG_LIST" ]; then
	pkgListFile="${txtgrn}from current OS${txtrst}"
fi

# kept in the nested form: pkgListFile (which may hold a user-supplied path)
# passes through 'echo -e' twice here
echo -e "Package listing: $([ -n "$pkgListFile" ] && echo -e "$pkgListFile" || echo -e "${txtred}N/A${txtrst}")"

# handle --kernelspace-only & --userspace-only filter options
# (a table is emptied by unsetting it and declaring it again, so the
# "Searching among" counts below come out as 0 for the filtered side)
if [ "$opt_kernel_only" = "true" ] || [ -z "$PKG_LIST" ]; then
	# without a package listing there is nothing to match user space exploits against
	unset EXPLOITS_USERSPACE
	declare -A EXPLOITS_USERSPACE
fi

if [ "$opt_userspace_only" = "true" ]; then
	unset EXPLOITS
	declare -A EXPLOITS
fi

printf '\n'
echo -e "${bldwht}Searching among:${txtrst}"
printf '\n'
printf '%s kernel space exploits\n' "${#EXPLOITS[@]}"
printf '%s user space exploits\n' "${#EXPLOITS_USERSPACE[@]}"
printf '\n'

echo -e "${bldwht}Possible Exploits:${txtrst}"
printf '\n'

# start analysis
#
# Walk every kernel space and user space exploit entry, keep those whose
# "Reqs:" line is fully satisfied, score them (the entry's own Rank plus
# bumps for distro / kernel version tag matches) and store each one in
# exploits_to_sort as a single Rank-prefixed line ready for sorting.
# Globals read:    EXPLOITS, EXPLOITS_USERSPACE, OS, DISTRO, opt_cvelist_file,
#                  CVELIST_FILE, opt_uname_string, color variables, and
#                  KERNEL_ALL (presumably set by parseUname - not visible here)
# Globals written: exploits_to_sort, j, and the scratch variables used below
j=0
for EXP in "${EXPLOITS[@]}" "${EXPLOITS_USERSPACE[@]}"; do

	# create array from current exploit here doc and fetch needed lines
	# (arr is not cleared between iterations; only arr[0..3] are read and
	# every entry starts with those four lines, so stale tail entries are harmless)
	i=0
	# ('-r' is used to not interpret backslash used for bash colors)
	while read -r line
	do
		arr[i]="$line"
		i=$((i + 1))
	done <<< "$EXP"

	# ":6" drops the "Name: " / "Reqs: " / "Tags: " / "Rank: " prefix
	NAME="${arr[0]}" && NAME="${NAME:6}"
	REQS="${arr[1]}" && REQS="${REQS:6}"
	TAGS="${arr[2]}" && TAGS="${TAGS:6}"
	RANK="${arr[3]}" && RANK="${RANK:6}"

	# split line with requirements & loop thru all reqs one by one & check whether it is met
	# (the first requirement is handed to every check as a second argument;
	# checkRequirement is defined elsewhere in the file, and the loop stops
	# at the first requirement that fails)
	IFS=',' read -r -a array <<< "$REQS"
	REQS_NUM=${#array[@]}
	PASSED_REQ=0
	for REQ in "${array[@]}"; do
		if (checkRequirement "$REQ" "${array[0]}"); then
			PASSED_REQ=$(($PASSED_REQ + 1))
		else
			break
		fi
	done

	# execute for exploits with all requirements met
	if [ $PASSED_REQ -eq $REQS_NUM ]; then

		# additional requirement for --cvelist-file mode: check if CVE associated with the exploit is on the CVELIST_FILE
		if [ "$opt_cvelist_file" = "true" ]; then

			# extract CVE(s) associated with given exploit (also translates ',' to '|' for easy handling multiple CVEs case - via extended regex)
			# (the 'm' used as delimiter is the last character of the color
			# escape that precedes the '[' opening the CVE list in the Name line)
			cve=$(echo "$NAME" | grep '.*\[.*\].*' | cut -d 'm' -f2 | cut -d ']' -f1 | tr -d '[' | tr "," "|")
			#echo "CVE: $cve"

			# check if it's on CVELIST_FILE list, if no move to next exploit
			# NOTE(review): the unquoted $(...) only works by accident: with no
			# match the test becomes '[ ! ]', which is true, so the exploit is
			# skipped; a single-word match gives false and keeps it; a match of
			# several words/lines makes '[' fail with status 2, which also keeps
			# it.  '! grep -q -E "$cve" "$CVELIST_FILE"' states the intent directly.
			[ ! $(cat "$CVELIST_FILE" | grep -E "$cve") ] && continue
		fi

		# process tags and highlight those that match current OS (only for deb|ubuntu|RHEL and if we know distro version - direct mode)
		tags=""
		if [ -n "$TAGS" -a -n "$OS" ]; then
			IFS=',' read -r -a tags_array <<< "$TAGS"
			TAGS_NUM=${#tags_array[@]}

			# bump RANK slightly (+1) if we're in '--uname' mode and there's a TAG for OS from uname string
			[ "$(echo "${tags_array[@]}" | grep "$OS")" -a "$opt_uname_string" == "true" ] && RANK=$(($RANK + 1))

			for TAG in "${tags_array[@]}"; do
				# a tag has the form 'distro=version' or 'distro=version{pkg:ver}'
				tag_distro=$(echo "$TAG" | cut -d'=' -f1)
				tag_distro_num_all=$(echo "$TAG" | cut -d'=' -f2)
				# in case of tag of form: 'ubuntu=16.04{kernel:4.4.0-21}' remove kernel versioning part for comparison
				tag_distro_num="${tag_distro_num_all%{*}"

				# we're in '--uname' mode OR (for normal mode) if there is distro version match
				# (tag_distro_num is used as an extended regex against DISTRO, so a
				# '.' in the version also matches any single character)
				if [ "$opt_uname_string" == "true" -o \( "$OS" == "$tag_distro" -a "$(echo "$DISTRO" | grep -E "$tag_distro_num")" \) ]; then

					# bump current exploit's rank by 2 for distro match (and not in '--uname' mode)
					[ "$opt_uname_string" == "false" ] && RANK=$(($RANK + 2))

					# get name (kernel or package name) and version of kernel/pkg if provided:
					tag_pkg=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 1)
					tag_pkg_num=""
					[ $(echo "$tag_distro_num_all" | grep '{') ] && tag_pkg_num=$(echo "$tag_distro_num_all" | cut -d'{' -f 2 | tr -d '}' | cut -d':' -f 2)

					#[ -n "$tag_pkg_num" ] && echo "tag_pkg_num: $tag_pkg_num; kernel: $KERNEL_ALL"

					# if pkg/kernel version is not provided:
					if [ -z "$tag_pkg_num" ]; then
						[ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ ${TAG} ]${txtrst}"

					# kernel version provided, check for match:
					# (tag_pkg_num is an extended regex matched against KERNEL_ALL;
					# the unquoted $(...) relies on the matched text being one word)
					elif [ -n "$tag_pkg_num" -a "$tag_pkg" = "kernel" ]; then
						if [ $(echo "$KERNEL_ALL" | grep -E "${tag_pkg_num}") ]; then
							# kernel version matched - bold highlight
							TAG="${yellow}[ ${TAG} ]${txtrst}"

							# bump current exploit's rank additionally by 3 for kernel version regex match
							RANK=$(($RANK + 3))
						else
							[ "$opt_uname_string" == "false" ] && TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{kernel:$tag_pkg_num}"
						fi

					# pkg version provided, check for match (TBD):
					elif [ -n "$tag_pkg_num" -a -n "$tag_pkg"  ]; then
						TAG="${lightyellow}[ $tag_distro=$tag_distro_num ]${txtrst}{$tag_pkg:$tag_pkg_num}"
					fi

				fi

				# append current tag to tags list
				tags="${tags}${TAG},"
			done
			# trim ',' added by above loop
			[ -n "$tags" ] && tags="${tags%?}"
		else
			tags="$TAGS"
		fi

		# insert the matched exploit (with calculated Rank and highlighted tags) to array that will be sorted
		# The entry is flattened to one line, "<RANK>Name: ...D3L1mReqs: ...D3L1mTags: ...D3L1m<remaining lines>",
		# with the D3L1m marker standing in for newlines so the display loop can undo it.
		# NOTE(review): RANK is not zero-padded and the display loop strips a single
		# leading digit, so this assumes the final rank stays below 10.
		EXP=$(echo "$EXP" | sed -e '/^Name:/d' -e '/^Reqs:/d' -e '/^Tags:/d')
		exploits_to_sort[j]="${RANK}Name: ${NAME}D3L1mReqs: ${REQS}D3L1mTags: ${tags}D3L1m$(echo "$EXP" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/D3L1m/g')"
		((j++))
	fi
done

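# sort exploits based on calculated Rank
#
# Every entry in exploits_to_sort starts with its Rank digit, so a reverse
# textual sort puts the highest-ranked exploits first (ties are broken by the
# rest of the line, i.e. the "Name:" field).
# NOTE(review): 'sort -r' compares as text and the display loop below strips
# exactly one leading digit, so ranks of 10 and above would sort below 9 and
# leave a stray digit glued to the name; ranks have to stay single-digit
# unless both places are changed to a zero-padded prefix.
#
# mapfile reads the sorted lines back verbatim.  Unlike the previous
# SORTED_EXPLOITS=($(sort ...)) form, the lines are not subject to pathname
# expansion, so a '*' or '?' inside an exploit's text can no longer be
# replaced by matching file names from the current directory.  IFS is only
# changed inside the subshell (to join the array with newlines), leaving the
# script's word splitting untouched.
if [ "${#exploits_to_sort[@]}" -gt 0 ]; then
	mapfile -t SORTED_EXPLOITS < <(IFS=$'\n'; sort -r <<<"${exploits_to_sort[*]}")
else
	# 'sort' on an empty here-string would produce one empty line; keep the
	# array empty so the display loop does not run on a blank entry
	SORTED_EXPLOITS=()
fi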

# display sorted exploits
#
# Second pass over the entries built above, highest Rank first: restore the
# original here-doc layout, derive the download and details URLs, optionally
# fetch binaries/sources, and print either the one-line summary (--short) or
# the standard multi-line record (--full adds requirements, exploit-db id and
# author).
# Globals read: SORTED_EXPLOITS, opt_show_dos, opt_fetch_bins, opt_fetch_srcs,
#               opt_summary, opt_full, color variables
for EXP_TEMP in "${SORTED_EXPLOITS[@]}"; do

	# everything before the first "Name:" is the Rank prefix
	RANK=$(echo "$EXP_TEMP" | awk -F'Name:' '{print $1}')

	# convert entry back to canonical form
	# (strips exactly one leading rank digit and turns every D3L1m marker
	# back into a newline; the 'g' flag is a no-op with the anchored '^')
	EXP=$(echo "$EXP_TEMP" | sed 's/^[0-9]//g' | sed 's/D3L1m/\n/g')

	# create array from current exploit here doc and fetch needed lines
	i=0
	# ('-r' is used to not interpret backslash used for bash colors)
	while read -r line
	do
		arr[i]="$line"
		i=$((i + 1))
	done <<< "$EXP"

	# ":6" drops the "Name: " / "Reqs: " / "Tags: " prefix
	NAME="${arr[0]}" && NAME="${NAME:6}"
	REQS="${arr[1]}" && REQS="${REQS:6}"
	TAGS="${arr[2]}" && tags="${TAGS:6}"

	EXPLOIT_DB=$(echo "$EXP" | grep "exploit-db: " | awk '{print $2}')
	analysis_url=$(echo "$EXP" | grep "analysis-url: " | awk '{print $2}')
	ext_url=$(echo "$EXP" | grep "ext-url: " | awk '{print $2}')
	comments=$(echo "$EXP" | grep "Comments: " | cut -d' ' -f 2-)
	reqs=$(echo "$EXP" | grep "Reqs: " | cut -d' ' -f 2)

	# exploit name without CVE number and without commonly used special chars
	# (used as the prefix of the local file name when fetching)
	name=$(echo "$NAME" | cut -d' ' -f 2- | tr -d ' ()/')

	# download URL: explicit src-url, otherwise derived from the exploit-db id
	src_url=$(echo "$EXP" | grep "src-url: " | awk '{print $2}')
	[ -z "$src_url" ] && [ -n "$EXPLOIT_DB" ] && src_url="https://www.exploit-db.com/download/$EXPLOIT_DB"
	[ -z "$src_url" ] && exitWithErrMsg "Both 'src-url' and 'exploit-db' entries are empty for '$NAME' exploit - fix that. Aborting."

	# details URL: analysis-url first, then the exploit-db page when the source
	# is hosted there or is an archive with a known exploit-db id, else the source itself
	if [ -n "$analysis_url" ]; then
		details="$analysis_url"
	# the $(...) expands to nothing ('grep -q' prints nothing), so bash uses
	# the substitution's own exit status as the condition
	elif $(echo "$src_url" | grep -q 'www.exploit-db.com'); then
		details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
	# NOTE(review): without grouping the regex reads as '^.*tgz' OR 'tar.gz'
	# OR 'zip$', so 'tgz' anywhere and an unanchored 'tar.gz' also match;
	# harmless for the URLs in the database but not what the layout suggests
	elif [[ "$src_url" =~ ^.*tgz|tar.gz|zip$ && -n "$EXPLOIT_DB" ]]; then
		details="https://www.exploit-db.com/exploits/$EXPLOIT_DB/"
	else
		details="$src_url"
	fi

	# skip DoS by default
	# (an entry counts as DoS when "(dos" occurs anywhere in it, case-insensitively)
	dos=$(echo "$EXP" | grep -o -i "(dos")
	[ "$opt_show_dos" == "false" ] && [ -n "$dos" ] && continue

	# handles --fetch-binaries option
	# Files are written to the current directory as <name>_<URL basename>,
	# replacing an existing file of that name.  NOTE(review): the URL is
	# unquoted in both the 'for' list and 'basename', so a URL containing
	# whitespace would be split.  Nothing here runs the downloaded content.
	if [ $opt_fetch_bins = "true" ]; then
		for i in $(echo "$EXP" | grep "bin-url: " | awk '{print $2}'); do
			[ -f "${name}_$(basename $i)" ] && rm -f "${name}_$(basename $i)"
			wget -q -k "$i" -O "${name}_$(basename $i)"
		done
	fi

	# handles --fetch-sources option
	# (the download runs in the background and is never waited for, so the
	# script may finish before the file is complete)
	if [ $opt_fetch_srcs = "true" ]; then
		[ -f "${name}_$(basename $src_url)" ] && rm -f "${name}_$(basename $src_url)"
		wget -q -k "$src_url" -O "${name}_$(basename $src_url)" &
	fi

	# display result (short)
	if [ "$opt_summary" = "true" ]; then
		[ -z "$tags" ] && tags="-"
		echo -e "$NAME || $tags || $src_url"
		continue
	fi

	# display result (standard)
	echo -e "[+] $NAME"
	echo -e "\n   Details: $details"
	echo -e "   Exposure: $(displayExposure $RANK)"
	[ -n "$tags" ] && echo -e "   Tags: $tags"
	echo -e "   Download URL: $src_url"
	[ -n "$ext_url" ] && echo -e "   ext-url: $ext_url"
	[ -n "$comments" ] && echo -e "   Comments: $comments"

	# handles --full filter option
	if [ "$opt_full" = "true" ]; then
		[ -n "$reqs" ] && echo -e "   Requirements: $reqs"

		[ -n "$EXPLOIT_DB" ] && echo -e "   exploit-db: $EXPLOIT_DB"

		author=$(echo "$EXP" | grep "author: " | cut -d' ' -f 2-)
		[ -n "$author" ] && echo -e "   author: $author"
	fi

	echo
done
