This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try. It currently focusses on local exploitation of Solaris 8 on SPARC, but other version of Solaris are partially supported.
The current version of exploit-suggester has the following features:
- Restrict search to only remote exploits (or local) using the -l option.
- Perfom the search remotely – no need to upload exploit-suggester to target system.
- Restrict search by rating so you can show only exploits that are likely to succeed (-r / -R options).
- Displays URL for further reading and exploit download.
After gaining access to a low-privelege account during a pentest (e.g. through password guessing or a remote exploit) the next stage is usually to try to escallate privelges to root. Techniques typically include:
- Manipulation of any custom tools which might installed (SUID files, cron jobs)
- Obtaining credentials from backup files which have weak file permissions
- Exploiting any local trust relationships (.rhosts, SSH keys)
- Trojaning the PATH if weak file permissions have been set on directories
- Password guessing now you have a full list of usernames
- Manipulation of 3rd part tools that have been installed (e.g. weak file permission on config files or in /etc/init.d)
- Exploitation of public vulnerabiliites in software that’s currently installed
This tools focusses purely on the last technique. This tool aims to help you quickly identify which vulnerbilities exist because of poor patching, and gives you a link to publicy available exploit code.
Good pentesters are more than capable of manually identifying which local exploits a system is susceptible to. However, this process can be a little slow and sometimes degenerates into a tedeous trial and error process. This tool aims to speed up the process by suggesting which exploits to try first.
What the tool does
It reads in a list of installed patches, correlates this information against a small internal database and lists plublic exploits which may help you on your quest for root. Links are provided so that you can download the exploit and read about the vulnerability.
Some remote exploits are also listed because it was easy to implement. However, this is of limited to use for remote tests as you need the patch list in order to generate a list of possible sploits.
What the tool doesn’t do
Exploit-suggester does NOT list all missing patches. Other tools such as Patch Check Advanced do this job very effectively. Exploit-suggester purposefully omits details of vulnerabilities for which public exploit code is not available.
It does not aim to reference all known exploit code, just to list enough help you get root.
It doesn’t provide the exploit code or tell you how to use it. It simply points you in the right direction.
Links to descriptions of the vulnerabilities are provided, but this tool will not tell you about about the nature of the vulnerbility, fixes, recommendations or anything else that might help with reporting.
Exploit-suggester is just a PERL script, so installation should be trivial. Simply place exploit-suggester.pl somehwere in your PATH. The database file sploitdb.xml must be in the same directory as exploit-suggester.pl.
You may need to install the XML::Simple PERL module first. If it’s not available through your package manager, you can get it from CPAN:
# perl -MCPAN -e shell
> install XML::Simple
$ head showrev.out Patch: 109618-01 Obsoletes: Requires: Incompatibles: Packages: SUNWeuxwe, SUNWeuezt, SUNWeudlg, SUNWeudda Patch: 109889-01 Obsoletes: 109353-04 Requires: Incompatibles: Packages: SUNWkvmx, SUNWkvm, SUNWmdb, SUNWhea, SUNWpstl, SUNWpstlx Patch: 110369-05 Obsoletes: 110709-02 Requires: Incompatibles: Packages: SUNWkvmx, SUNWcarx, SUNWcsr
$ ./exploit-suggestions.pl 8 sparc showrev.out exploit-suggester v0.1 ( http://pentestmonkey.net/tools/exploit-suggester ) ------------------------------------------------------------- | Runtime options | ------------------------------------------------------------- Solaris version: ................ 8 Architecture: ................... sparc Patch file: ..................... showrev.out Exploit database: ............... sploitdb.txt Don't list sploits rated as ..... N/A - Exclude no ratings List only sploits rated as ...... N/A - List any rating List only local sploits ......... N/A - Show both ------------------------------------------------------------- | Suggested Exploits | ------------------------------------------------------------- Description: 'at' Arbitrary File Deletion Remote: 0 Exploit Rating: 1 (Sploit normally works) Patch installed: 108875-10 Min vulnerable patch: 108875-00 Max vulnerable patch: 108875-12 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/isec-solaris-at-rm.c Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/solaris-at.c Info Link: http://securityfocus.com/bid/6693 Description: /usr/ucb/ps information leakage Remote: 0 Exploit Rating: 1 (Sploit normally works) Patch installed: 109023-01 Min vulnerable patch: 109023-00 Max vulnerable patch: 109023-05 Exploit Link: http://milw0rm.com/exploits/2242 Note: Local environment variable leakage: /usr/ucb/ps -auxgeww Description: KCMS Arbitrary File Reading Vulnerability Remote: 1 Exploit Rating: 1 (Sploit normally works) Patch installed: 111400-01 Min vulnerable patch: 111400-00 Max vulnerable patch: 111400-01 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/solaris_kcms_readfile.pm Info Link: http://securityfocus.com/bid/6665 Description: X11 Keyboard Extension Overflow Remote: 0 Exploit Rating: 1 (Sploit normally works) Patch installed: 119067-00 Min vulnerable patch: 119067-00 Max vulnerable patch: 119067-03 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/raptor_xkb.c Info Link: http://www.securityfocus.com/bid/19905 Description: libdthelp Overflow Privilege Escalation Remote: 0 Exploit Rating: 1 (Sploit normally works) Patch installed: 108949-07 Min vulnerable patch: 108949-00 Max vulnerable patch: 108949-08 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/raptor_libdthelp.c Info Link: http://www.securityfocus.com/bid/8973 Description: priocntl Vulnerability Remote: 0 Exploit Rating: 1 (Sploit normally works) Patch installed: 108528-13 Min vulnerable patch: 108528-00 Max vulnerable patch: 108528-17 Exploit Link: http://archive.cert.uni-stuttgart.de/bugtraq/2002/11/msg00359.html Info Link: http://securityfocus.com/bid/6262 Description: sadmind Authentication Spoofing Remote: 1 Exploit Rating: 1 (Sploit normally works) Patch installed: 116455-00 Min vulnerable patch: 116455-00 Max vulnerable patch: 116455-00 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/solaris_sadmind_exec.pm Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/rootdown.plm Info Link: http://securityfocus.com/bid/8615 Description: vfs_getvfssw Kernel Module Loading Vulnerability Remote: 0 Exploit Rating: 1 (Sploit normally works) Patch installed: 108528-13 Min vulnerable patch: 108528-00 Max vulnerable patch: 108528-26 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/solaris_vfs_getvfssw.tar Info Link: http://securityfocus.com/bid/9962 Note: DoS risk if you insert the wrong kernel module Description: whodo Overflow Remote: 0 Exploit Rating: 2 (Sploit untested) Patch installed: 111826-00 Min vulnerable patch: 111826-00 Max vulnerable patch: 111826-00 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/whodoexp.c Info Link: http://securityfocus.com/bid/2935 Description: LD_PRELOAD Privilege Escalation Remote: 0 Exploit Rating: 3 (Sploit normally fails) Patch installed: 109147-12 Min vulnerable patch: 109147-07 Max vulnerable patch: 109147-24 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/raptor_ldpreload.c Info Link: http://www.securityfocus.com/bid/8305/info Description: libsldap Overflow Remote: 0 Exploit Rating: 3 (Sploit normally fails) Patch installed: 111091-00 Min vulnerable patch: 111091-00 Max vulnerable patch: 111091-02 Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/libsldap-exp.c Exploit Link: http://www.securityfocus.com/data/vulnerabilities/exploits/ldap_exp2.c Info Link: http://securityfocus.com/bid/2931
Currently the database is biased towards exploiting Solaris 8 on SPARC. I’ll update the database to more fully support other flavours of Solaris later. I might also implement limited support for Windows and Linux too at some stage.
Posted in Audit