exploit-suggester : it focusses for Local Exploitation on Sun Solaris Machine.

Infosec / May 29, 2015 / Comments Off / Code Scripting, Exploits

This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try. It currently focusses on local exploitation of Solaris 8 on SPARC, but other version of Solaris are partially supported.
With sploitDB.xml /exploit Database:
– vfs_getvfssw Kernel Module Loading Vulnerability
– Arbitrary File Deletion
– profil Bug
– ufsdump Overflow
– netpr Overflow
– libdthelp Overflow Privilege Escalation
– CDE Mail Overflows
– kcms_configure Overflow
– Sun Solaris Netscape Portable Runtime API Local Privilege Escalation Vulnerability
– finger ‘a b c d e f g h’@sunhos
– rpc.yppasswdd Overflow
– sadmind Authentication Spoofing
– X11 Keyboard Extension Overflow
– LD_PRELOAD Privilege Escalation
– And more..

Script :

#!/usr/bin/perl -w
# exploit-suggester - Suggests exploits to try based on installed patches
# Copyright (C) 2008 pentestmonkey@pentestmonkey.net
# 
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  The author accepts no liability for
# damage caused by this tool.  If these terms are not acceptable to you, then
# you are not permitted to use this tool.
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as 
# published by the Free Software Foundation.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# You are encouraged to send comments, improvements or suggestions to
# me at pentestmonkey@pentestmonkey.net
#
use strict;
use File::Basename;
use Data::Dumper;
use Getopt::Std;
use XML::Simple;

my $VERSION = "0.3";
my @patch_revs;
my @sploit_list = ();
my %rating_text = (
	1 => "Sploit normally works",
	2 => "Sploit untested",
	3 => "Sploit normally fails"
);

my $usage=<<USAGE;
exploit-suggester v$VERSION ( http://pentestmonkey.net/tools/exploit-suggester )
Suggests exploits that might work based on a list of installed patches.
Usage: exploit-suggester.pl [ options ] solaris-version architecture showrev.txt
options are:
       -c config_file   Use a different XML sploit database
       -l 0|1           Only show local sploits (-l 1) or remote sploits (-l 0)
                        Default is to show both
       -r 1|2|3         Show only exploits with this rating
                          1 - $rating_text{"1"}
                          2 - $rating_text{"2"}
                          3 - $rating_text{"3"}
       -R 1|2|3         Do NOT show exploits with this rating
Example:
Determine Solaris version and architecture:
user\@solbox \$ uname -a
SunOS unknown 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
Retreive patch list from solaris box and copy it back to your box:
user\@solbox \$ showrev -p > showrev-p.out
Get list of suggested exploits:
u\@yourbox \$ exploit-suggester.pl 8 sparc showrev-p.out
USAGE

# Process command line args
my %opts;
getopts('r:l:R:c:', \%opts);
my $config_file     = dirname($0) . "/sploitdb.xml";
$config_file        = $opts{'c'} if $opts{'c'};
my $want_local      = undef;
my $want_rating     = undef;
my $not_want_rating = undef;
$want_local         = $opts{'l'} if $opts{'l'};
$want_rating        = $opts{'r'} if $opts{'r'};
$not_want_rating    = $opts{'R'} if $opts{'R'};
my $my_sol_ver      = shift or die $usage;
my $my_arch         = shift or die $usage;
my $patch_file      = shift or die $usage;

# Read in config file
my %sploits = %{XMLin($config_file, ForceArray => 1)};

foreach my $patch (keys %sploits) {
	my ($newkey) = $patch =~ /patch-(.*)/;
	$sploits{$newkey} = $sploits{$patch};
	delete($sploits{$patch});
}

# Read the patch file
my %revs;
open PATCHES, "<$patch_file" or die "ERROR: Can't read patch file $patch_file: $!\n";
while (<PATCHES>) {
	my $line = $_;
	chomp $line;

	# pca output
	my ($patch, $rev) = $line =~ /(\d{6})\s+(..)\s+/;

	if (defined($patch) and defined($rev)) {
		if ($rev eq '--') {
			$rev = '00';
		}
		push @patch_revs, "$patch-$rev";
		next;
	}

	# showrev output
	# Patch: 109134-19
	($patch, $rev) = $line =~ /^Patch:\s*(\d{6})-(\d\d)\s+/;

	if (defined($patch) and defined($rev)) {
		if (defined($revs{$patch})) {
			if ($revs{$patch} < $rev) {
				$revs{$patch} = $rev;
			}
		} else {
			$revs{$patch} = $rev;
		}
		next;
	}
}
close PATCHES;

# Print out runtime options
print "exploit-suggester v$VERSION ( http://pentestmonkey.net/tools/exploit-suggester )\n";
print "\n";
print " -------------------------------------------------------------\n";
print "|                     Runtime options                         |\n";
print " -------------------------------------------------------------\n";
print "Solaris version: ................ $my_sol_ver\n";
print "Architecture: ................... $my_arch\n";
print "Patch file: ..................... $patch_file\n";
print "Exploit database: ............... $config_file\n";
print "Don't list sploits rated as ..... " . (defined($not_want_rating) ? $not_want_rating : "N/A - Exclude no ratings") . "\n";
print "List only sploits rated as ...... " . (defined($want_rating) ? $want_rating : "N/A - List any rating") . "\n";
print "List only local sploits ......... " . (defined($want_local) ? $want_local : "N/A - Show both") . "\n";
print "\n";

print " -------------------------------------------------------------\n";
print "|                   Suggested Exploits                        |\n";
print " -------------------------------------------------------------\n";
# Check each patch-rev that's installed for known exploits
# print "\n[+] Checking if installed patches have exploitable flaws...\n";
foreach my $patch (sort keys %revs) {
	check_patch($patch . "-" . $revs{$patch});
}

# We may have information in the database which relates to 
# patches which aren't installed at all.  If they aren't installed,
# they we won't have checked them yet.  Check them now.
foreach my $patch (keys %sploits) {
	foreach my $sploit_href (@{$sploits{$patch}}) {
		unless (exists($sploit_href->{checked}) and $sploit_href->{checked}) {
			check_patch("$patch-00", $my_sol_ver, $my_arch);
		}
	}
}

output_sploit_list();

# Check supplied patch against our sploit database
sub check_patch {
	my $patch_rev = shift;
	my $sol_ver = shift;
	my $arch = shift;
	my ($patch, $rev) = $patch_rev =~ /(\d{6})-(\d\d)/;
	if (exists($sploits{"$patch"})) {
		foreach my $sploit_href (@{$sploits{"$patch"}}) {
			if ($rev >= $sploit_href->{min_rev} and
			    $rev <= $sploit_href->{max_rev}     ) {
			    	if (defined($sol_ver)) {
					next unless $sol_ver eq $sploit_href->{sol_ver};
				}
			    	if (defined($arch)) {
					next unless $arch eq $sploit_href->{arch};
				}

				# Filter out local/remote vulns as required
				if (defined($want_local)) {
					next if ($sploit_href->{remote} == $want_local);
				}

				# Filter on rating as required
				if (defined($want_rating)) {
					next if ($sploit_href->{rating} != $want_rating);
				}

				if (defined($not_want_rating)) {
					next if ($sploit_href->{rating} == $not_want_rating);
				}

				my $output;
				$output .= "Description:          " . $sploit_href->{desc} . "\n";
				$output .= "Remote:               " . $sploit_href->{remote} . "\n";
				$output .= "Exploit Rating:       " . $sploit_href->{rating} . " (" . $rating_text{$sploit_href->{rating}} . ")\n";
				$output .= "Patch installed:      $patch_rev\n";
				$output .= "Min vulnerable patch: $patch-" . $sploit_href->{min_rev} . "\n" ;
				$output .= "Max vulnerable patch: $patch-" . $sploit_href->{max_rev} . "\n" ;
				foreach my $string (@{$sploit_href->{exploit_link}}) {
					$output .= "Exploit Link:         " . $string . "\n";
				}
				foreach my $string (@{$sploit_href->{info_link}}) {
					$output .= "Info Link:            " . $string . "\n";
				}
				foreach my $string (@{$sploit_href->{note}}) {
					$output .= "Note:                 " . $string . "\n";
				}
				$output .= "\n";
				add_sploit($sploit_href->{rating}, $output);
			}
			$sploit_href->{checked} = 1;
		}
	}
}

sub add_sploit {
	my ($rating, $text) = @_;
	push @sploit_list, [$rating, $text];
}

sub output_sploit_list {
	foreach my $aref (sort { $a->[0] == $b->[0] ? $a->[1] cmp $b->[1] : $a->[0] <=> $b->[0] } @sploit_list) {
		print $aref->[1];
	}
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

#!/usr/bin/perl -w

# exploit-suggester - Suggests exploits to try based on installed patches

# This tool may be used for legal purposes only. Users take full responsibility

# for any actions performed using this tool. The author accepts no liability for

# damage caused by this tool. If these terms are not acceptable to you, then

# you are not permitted to use this tool.

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License version 2 as

# published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License along

# with this program; if not, write to the Free Software Foundation, Inc.,

# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

# You are encouraged to send comments, improvements or suggestions to

# me at pentestmonkey@pentestmonkey.net

use strict;

use File::Basename;

use Data::Dumper;

use Getopt::Std;

use XML::Simple;

my $VERSION = "0.3";

my @patch_revs;

my @sploit_list = ();

my %rating_text = (

1 => "Sploit normally works",

2 => "Sploit untested",

3 => "Sploit normally fails"

);

my $usage=<<USAGE;

exploit-suggester v$VERSION ( http://pentestmonkey.net/tools/exploit-suggester )

Suggests exploits that might work based on a list of installed patches.

Usage: exploit-suggester.pl [ options ] solaris-version architecture showrev.txt

options are:

-c config_file Use a different XML sploit database

-l 0|1 Only show local sploits (-l 1) or remote sploits (-l 0)

Default is to show both

-r 1|2|3 Show only exploits with this rating

1 - $rating_text{"1"}

2 - $rating_text{"2"}

3 - $rating_text{"3"}

-R 1|2|3 Do NOT show exploits with this rating

Example:

Determine Solaris version and architecture:

user\@solbox \$ uname -a

SunOS unknown 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10

Retreive patch list from solaris box and copy it back to your box:

user\@solbox \$ showrev -p > showrev-p.out

Get list of suggested exploits:

u\@yourbox \$ exploit-suggester.pl 8 sparc showrev-p.out

USAGE

# Process command line args

my %opts;

getopts('r:l:R:c:', \%opts);

my $config_file = dirname($0) . "/sploitdb.xml";

$config_file = $opts{'c'} if $opts{'c'};

my $want_local = undef;

my $want_rating = undef;

my $not_want_rating = undef;

$want_local = $opts{'l'} if $opts{'l'};

$want_rating = $opts{'r'} if $opts{'r'};

$not_want_rating = $opts{'R'} if $opts{'R'};

my $my_sol_ver = shift or die $usage;

my $my_arch = shift or die $usage;

my $patch_file = shift or die $usage;

# Read in config file

my %sploits = %{XMLin($config_file, ForceArray => 1)};

foreach my $patch (keys %sploits) {

my ($newkey) = $patch =~ /patch-(.*)/;

$sploits{$newkey} = $sploits{$patch};

delete($sploits{$patch});

}

# Read the patch file

my %revs;

open PATCHES, "<$patch_file" or die "ERROR: Can't read patch file $patch_file: $!\n";

while (<PATCHES>) {

my $line = $_;

chomp $line;

# pca output

my ($patch, $rev) = $line =~ /(\d{6})\s+(..)\s+/;

if (defined($patch) and defined($rev)) {

if ($rev eq '--') {

$rev = '00';

}

push @patch_revs, "$patch-$rev";

next;

}

# showrev output

# Patch: 109134-19

($patch, $rev) = $line =~ /^Patch:\s*(\d{6})-(\d\d)\s+/;

if (defined($patch) and defined($rev)) {

if (defined($revs{$patch})) {

if ($revs{$patch} < $rev) {

$revs{$patch} = $rev;

}

} else {

$revs{$patch} = $rev;

}

next;

}

close PATCHES;

# Print out runtime options

print "exploit-suggester v$VERSION ( http://pentestmonkey.net/tools/exploit-suggester )\n";

print "\n";

print " -------------------------------------------------------------\n";

print "| Runtime options |\n";

print " -------------------------------------------------------------\n";

print "Solaris version: ................ $my_sol_ver\n";

print "Architecture: ................... $my_arch\n";

print "Patch file: ..................... $patch_file\n";

print "Exploit database: ............... $config_file\n";

print "Don't list sploits rated as ..... " . (defined($not_want_rating) ? $not_want_rating : "N/A - Exclude no ratings") . "\n";

print "List only sploits rated as ...... " . (defined($want_rating) ? $want_rating : "N/A - List any rating") . "\n";

print "List only local sploits ......... " . (defined($want_local) ? $want_local : "N/A - Show both") . "\n";

print "\n";

print " -------------------------------------------------------------\n";

print "| Suggested Exploits |\n";

print " -------------------------------------------------------------\n";

# Check each patch-rev that's installed for known exploits

# print "\n[+] Checking if installed patches have exploitable flaws...\n";

foreach my $patch (sort keys %revs) {

check_patch($patch . "-" . $revs{$patch});

}

# We may have information in the database which relates to

# patches which aren't installed at all. If they aren't installed,

# they we won't have checked them yet. Check them now.

foreach my $patch (keys %sploits) {

foreach my $sploit_href (@{$sploits{$patch}}) {

unless (exists($sploit_href->{checked}) and $sploit_href->{checked}) {

check_patch("$patch-00", $my_sol_ver, $my_arch);

}

output_sploit_list();

# Check supplied patch against our sploit database

sub check_patch {

my $patch_rev = shift;

my $sol_ver = shift;

my $arch = shift;

my ($patch, $rev) = $patch_rev =~ /(\d{6})-(\d\d)/;

if (exists($sploits{"$patch"})) {

foreach my $sploit_href (@{$sploits{"$patch"}}) {

if ($rev >= $sploit_href->{min_rev} and

$rev <= $sploit_href->{max_rev} ) {

if (defined($sol_ver)) {

next unless $sol_ver eq $sploit_href->{sol_ver};

}

if (defined($arch)) {

next unless $arch eq $sploit_href->{arch};

}

# Filter out local/remote vulns as required

if (defined($want_local)) {

next if ($sploit_href->{remote} == $want_local);

}

# Filter on rating as required

if (defined($want_rating)) {

next if ($sploit_href->{rating} != $want_rating);

}

if (defined($not_want_rating)) {

next if ($sploit_href->{rating} == $not_want_rating);

}

my $output;

$output .= "Description: " . $sploit_href->{desc} . "\n";

$output .= "Remote: " . $sploit_href->{remote} . "\n";

$output .= "Exploit Rating: " . $sploit_href->{rating} . " (" . $rating_text{$sploit_href->{rating}} . ")\n";

$output .= "Patch installed: $patch_rev\n";

$output .= "Min vulnerable patch: $patch-" . $sploit_href->{min_rev} . "\n" ;

$output .= "Max vulnerable patch: $patch-" . $sploit_href->{max_rev} . "\n" ;

foreach my $string (@{$sploit_href->{exploit_link}}) {

$output .= "Exploit Link: " . $string . "\n";

}

foreach my $string (@{$sploit_href->{info_link}}) {

$output .= "Info Link: " . $string . "\n";

}

foreach my $string (@{$sploit_href->{note}}) {

$output .= "Note: " . $string . "\n";

}

$output .= "\n";

add_sploit($sploit_href->{rating}, $output);

}

$sploit_href->{checked} = 1;

}

sub add_sploit {

my ($rating, $text) = @_;

push @sploit_list, [$rating, $text];

}

sub output_sploit_list {

foreach my $aref (sort { $a->[0] == $b->[0] ? $a->[1] cmp $b->[1] : $a->[0] <=> $b->[0] } @sploit_list) {

print $aref->[1];

}

Download: Master.zip | Clone Url
Source : https://github.com/pentestmonkey

Tags: Buffer Overflow, Perl Script, privilege escalation, remote shell, Sun Solaris, vulnerability Analysis

Archives

exploit-suggester : it focusses for Local Exploitation on Sun Solaris Machine.