Convert Figma logo to code with AI

The-Z-Labs logolinux-exploit-suggester

Linux privilege escalation auditing tool

5,545
1,091
5,545
20

Top Related Projects

15,911

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

Linux privilege escalation auditing tool

Next-Generation Linux Kernel Exploit Suggester

6,934

Scripted Local Linux Enumeration & Privilege Escalation Checks

linuxprivchecker.py -- a Linux Privilege Escalation Check Script

2,421

Privilege Escalation Project - Windows / Linux / Mac

Quick Overview

Linux Exploit Suggester is a Perl script designed to identify potential security vulnerabilities in Linux systems. It analyzes the target system's kernel version and installed packages, then suggests possible exploits that could be used to escalate privileges or gain unauthorized access.

Pros

  • Helps identify potential security vulnerabilities quickly
  • Regularly updated with new exploit information
  • Can be run without root privileges
  • Lightweight and easy to use

Cons

  • May produce false positives
  • Requires manual verification of suggested exploits
  • Limited to known vulnerabilities and exploits
  • Effectiveness depends on the accuracy of its exploit database

Getting Started

To use Linux Exploit Suggester:

  1. Download the script:

    wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/master/linux-exploit-suggester.sh
    
  2. Make the script executable:

    chmod +x linux-exploit-suggester.sh
    
  3. Run the script:

    ./linux-exploit-suggester.sh
    

For more options, use the -h flag:

./linux-exploit-suggester.sh -h

Note: This tool should be used responsibly and only on systems you have permission to test.

Competitor Comparisons

15,911

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

Pros of PEASS-ng

  • More comprehensive, covering both Linux and Windows systems
  • Actively maintained with frequent updates
  • Includes additional features like privilege escalation techniques and enumeration scripts

Cons of PEASS-ng

  • Larger codebase, potentially more complex to use and maintain
  • May have a steeper learning curve for beginners
  • Could trigger more false positives due to its extensive checks

Code Comparison

PEASS-ng (LinPEAS):

if [ "$(command -v nmap)" ]; then
  echo "nmap was found in PATH"
  nmap_loc="$(command -v nmap)"
  echo "nmap location: $nmap_loc"
  nmap_version=$(nmap --version | grep "Nmap version" | cut -d " " -f3)
  echo "nmap version: $nmap_version"
fi

linux-exploit-suggester:

if [ -x "$(command -v nmap)" ]; then
  printf "%b" "$GREEN"
  printf "nmap is installed\n"
  printf "%b" "$RESET"
else
  printf "%b" "$RED"
  printf "nmap is not installed\n"
  printf "%b" "$RESET"
fi

Both scripts check for the presence of nmap, but PEASS-ng provides more detailed information about its location and version, while linux-exploit-suggester focuses on a simple installed/not installed check.

Linux privilege escalation auditing tool

Pros of linux-exploit-suggester

  • More actively maintained with recent updates
  • Includes a wider range of exploits and vulnerabilities
  • Offers better compatibility with modern Linux distributions

Cons of linux-exploit-suggester

  • May have a steeper learning curve for beginners
  • Potentially slower execution due to more comprehensive checks

Code Comparison

linux-exploit-suggester:

#!/bin/bash
VERSION=v1.1

# Parse command line arguments
while [[ $# -gt 0 ]]; do
    key="$1"

linux-exploit-suggester>:

#!/bin/bash
VERSION=v0.9

# Parse command line arguments
while [[ $# -gt 0 ]]; do
    key="$1"

The code snippets show that linux-exploit-suggester has a more recent version number, indicating more frequent updates and potentially improved features or bug fixes.

Both repositories serve similar purposes in identifying potential Linux vulnerabilities, but linux-exploit-suggester appears to be the more up-to-date and comprehensive option. However, users should consider their specific needs and skill level when choosing between the two tools.

Next-Generation Linux Kernel Exploit Suggester

Pros of linux-exploit-suggester-2

  • More recent updates and active maintenance
  • Improved performance and faster execution
  • Enhanced detection capabilities for newer vulnerabilities

Cons of linux-exploit-suggester-2

  • Less comprehensive documentation compared to the original
  • Fewer configuration options and customization features
  • Smaller community and fewer contributors

Code Comparison

linux-exploit-suggester:

#!/bin/bash
VERSION=v0.9
LAST_EDIT="2018-06-13"

linux-exploit-suggester-2:

#!/usr/bin/perl
$VERSION = "2.0";

The original linux-exploit-suggester is written in Bash, while linux-exploit-suggester-2 is implemented in Perl. This change in programming language may contribute to the performance improvements in the newer version.

linux-exploit-suggester-2 has a more streamlined codebase, which can lead to faster execution times. However, the original version offers more extensive comments and documentation within the code itself.

Both tools serve similar purposes, aiming to identify potential kernel vulnerabilities on Linux systems. The choice between them may depend on specific requirements, such as execution speed, compatibility, or the need for the latest vulnerability detections.

6,934

Scripted Local Linux Enumeration & Privilege Escalation Checks

Pros of LinEnum

  • More comprehensive system enumeration, covering a wider range of system information
  • Includes checks for sensitive files and potential misconfigurations
  • Actively maintained with regular updates and contributions

Cons of LinEnum

  • Larger script size, potentially slower execution on target systems
  • May generate more noise in output, requiring more analysis to identify critical issues
  • Less focused on specific exploit suggestions

Code Comparison

LinEnum:

#!/bin/bash
version="0.982"

# ... (extensive system checks and enumeration logic)

cat $report

linux-exploit-suggester:

#!/usr/bin/env bash

VERSION=v1.1 (2021-11-23)

# ... (focused on kernel version checks and exploit matching)

print_exploits

LinEnum provides a more comprehensive system analysis, while linux-exploit-suggester focuses specifically on identifying potential kernel exploits based on the system version. LinEnum's code is more extensive, covering various system aspects, whereas linux-exploit-suggester has a more targeted approach to exploit suggestion.

linuxprivchecker.py -- a Linux Privilege Escalation Check Script

Pros of linuxprivchecker

  • More comprehensive system information gathering, including network configurations and installed packages
  • Provides a detailed report of potential privilege escalation vectors
  • Actively maintained with recent updates

Cons of linuxprivchecker

  • Focuses more on information gathering rather than suggesting specific exploits
  • May require more manual analysis of the output to identify vulnerabilities
  • Larger script size, potentially less suitable for quick deployment in constrained environments

Code Comparison

linuxprivchecker:

def get_system_info():
    print("[*] GETTING SYSTEM INFO...\n")
    results = []
    sysInfo = {"OS": execute("cat /etc/issue").strip('\n\r\t'),
               "Kernel": execute("uname -r"),
               "Hostname": execute("hostname")}
    results.append(sysInfo)
    return results

linux-exploit-suggester:

get_system_information() {
    printf "\n[+] Collecting system information\n"
    printf "    Linux Kernel: "
    uname -sr
    printf "    OS: "
    [ -f /etc/os-release ] && cat /etc/os-release | grep -E "^(NAME|VERSION)=" | tr '\n' ' '
    [ -f /etc/lsb-release ] && cat /etc/lsb-release | grep -E "^(DISTRIB_ID|DISTRIB_RELEASE)=" | tr '\n' ' '
    printf "\n"
}

Both scripts gather system information, but linuxprivchecker uses Python and provides more structured output, while linux-exploit-suggester uses Bash and focuses on kernel and OS version information.

2,421

Privilege Escalation Project - Windows / Linux / Mac

Pros of BeRoot

  • Multi-platform support (Windows, Linux, macOS)
  • Comprehensive privilege escalation checks beyond kernel exploits
  • Active development and regular updates

Cons of BeRoot

  • Larger codebase, potentially slower execution
  • Requires Python environment to run
  • May produce more false positives due to broader scope

Code Comparison

BeRoot (Python):

def check_suid_bin():
    suid = []
    for path in os.environ['PATH'].split(':'):
        for file in os.listdir(path):
            try:
                if os.stat(os.path.join(path, file)).st_mode & stat.S_ISUID:
                    suid.append(os.path.join(path, file))
            except:
                pass
    return suid

linux-exploit-suggester (Bash):

version_compare() {
    [ "$1" = "$2" ] && return 0
    ver1front=$(echo "$1" | cut -d "." -f -1)
    ver1back=$(echo "$1" | cut -d "." -f 2-)
    ver2front=$(echo "$2" | cut -d "." -f -1)
    ver2back=$(echo "$2" | cut -d "." -f 2-)
    [ "$ver1front" -gt "$ver2front" ] && return 0
    [ "$ver1front" -lt "$ver2front" ] && return 1
    [ "$ver1back" ] || [ "$ver2back" ] || return 0
    version_compare "$ver1back" "$ver2back"
}

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

LES: Linux privilege escalation auditing tool

Quick download:

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh

Details about LES usage and inner workings:

https://mzet-.github.io/2019/05/10/les-paper.html

Additional resources for the LES:

https://github.com/mzet-/les-res

Purpose

LES tool is designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine. It provides following functionality:

Assessing kernel exposure on publicly known exploits

Tool assesses (using heuristics methods discussed in details here) exposure of the given kernel to publicly known Linux kernel exploits. Example of tool output:

$ ./linux-exploit-suggester.sh
...
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,[ ubuntu=14.04 ]{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: [ ubuntu=14.04{kernel:4.4.0-*} ],ubuntu=16.04{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-1000112/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
...

For each exploit, exposure is calculated. Following 'Exposure' states are possible:

  • Highly probable - assessed kernel is most probably affected and there's a very good chance that PoC exploit will work out of the box without any major modifications.

  • Probable - it's possible that exploit will work but most likely customization of PoC exploit will be needed to suit your target.

  • Less probable - additional manual analysis is needed to verify if kernel is affected.

  • Unprobable - highly unlikely that kernel is affected (exploit is not displayed in the tool's output)

Verifying state of kernel hardening security measures

LES can check for most of security settings available by your Linux kernel. It verifies not only the kernel compile-time configurations (CONFIGs) but also verifies run-time settings (sysctl) giving more complete picture of security posture for running kernel. This functionality is modern continuation of --kernel switch from checksec.sh tool by Tobias Klein. Example of tool output:

$ ./linux-exploit-suggester.sh --checksec

Mainline kernel protection mechanisms:

 [ Disabled ] GCC stack protector support (CONFIG_HAVE_STACKPROTECTOR)
              https://github.com/mzet-/les-res/blob/master/features/stackprotector-regular.md

 [ Disabled ] GCC stack protector STRONG support (CONFIG_STACKPROTECTOR_STRONG)
              https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md

 [ Enabled  ] Low address space to protect from user allocation (CONFIG_DEFAULT_MMAP_MIN_ADDR)
              https://github.com/mzet-/les-res/blob/master/features/mmap_min_addr.md

 [ Disabled ] Restrict unprivileged access to kernel syslog (CONFIG_SECURITY_DMESG_RESTRICT)
              https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md

 [ Enabled  ] Randomize the address of the kernel image (KASLR) (CONFIG_RANDOMIZE_BASE)
              https://github.com/mzet-/les-res/blob/master/features/kaslr.md

 [ Disabled ] Hardened user copy support (CONFIG_HARDENED_USERCOPY)
              https://github.com/mzet-/les-res/blob/master/features/hardened_usercopy.md

...

Usage

Assess exposure of the Linux box to publicly known exploits:

$ ./linux-exploit-suggester.sh

Show state of security features on the Linux box:

$ ./linux-exploit-suggester.sh --checksec

Assess exposure of Linux kernel on publicly known exploits based on the provided 'uname' string (i.e. output of uname -a command):

$ ./linux-exploit-suggester.sh --uname <uname-string>

For more usage examples, see here.

Getting involved

You hopefully now know what LES is and what it can do for you. Now see what you can do for LES:

  • Add newly published Linux privilege escalation exploits to it.
  • Test existing exploits on various Linux distributions with multiple kernel versions, then document your findings in a form of Tags in LES, e.g. of a tag: ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic} which states: tagged exploit was verifed to work correctly on Ubuntu 12.04 with kernels: 3.2.0-23-generic, 3.2.0-29-generic, 3.5.0-23-generic and 3.5.0-29-generic;. With this tag added LES will automatically highlight and bump dynamic Rank of the exploit when run on Ubuntu 12.04 with one of listed kernel versions. This will help you (and others) during pentests to rapidly identify critically vulnerable Linux machines.
  • Published exploits are often written only for PoC purposes only for one (or couple of) specific Linux distributions and/or kernel version(s). Pick sources of the exploit of choice and customize it to run on different kernel version(s). Then add your customized version of exploit as ext-url entry to LES and modify Tags to reflect newly added targets. See this article for an excellent example of adapting specific PoC exploit to different kernel versions.
  • Conduct source code analysis of chosen kernel hardening security measure then add it to the FEATURES array (if not already there) and publish your analysis at: https://github.com/mzet-/les-res/blob/master/features/<feature-name>.md.

Acknowledgments

bcoles for his excellent and frequent contributions to LES.