exploit-suggester

This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try.  It currently focusses on local exploitation of Solaris 8 on SPARC, but other version of Solaris are partially supported.

Features

The current version of exploit-suggester has the following features:

  • Restrict search to only remote exploits (or local) using the -l option.
  • Perfom the search remotely – no need to upload exploit-suggester to target system.
  • Restrict search by rating so you can show only exploits that are likely to succeed (-r / -R options).
  • Displays URL for further reading and exploit download.

Download

exploit-suggester-0.3.tar.gz

Preamble

After gaining access to a low-privelege account during a pentest (e.g. through password guessing or a remote exploit) the next stage is usually to try to escallate privelges to root.  Techniques typically include:

  • Manipulation of any custom tools which might installed (SUID files, cron jobs)
  • Obtaining credentials from backup files which have weak file permissions
  • Exploiting any local trust relationships (.rhosts, SSH keys)
  • Trojaning the PATH if weak file permissions have been set on directories
  • Password guessing now you have a full list of usernames
  • Manipulation of 3rd part tools that have been installed (e.g. weak file permission on config files or in /etc/init.d)
  • Exploitation of public vulnerabiliites in software that’s currently installed

This tools focusses purely on the last technique.  This tool aims to help you quickly identify which vulnerbilities exist because of poor patching, and gives you a link to publicy available exploit code.

Good pentesters are more than capable of manually identifying which local exploits a system is susceptible to.  However, this process can be a little slow and sometimes degenerates into a tedeous trial and error process.  This tool aims to speed up the process by suggesting which exploits to try first.

What the tool does

It reads in a list of installed patches, correlates this information against a small internal database and lists plublic exploits which may help you on your quest for root.  Links are provided so that you can download the exploit and read about the vulnerability.

Some remote exploits are also listed because it was easy to implement.  However, this is of limited to use for remote tests as you need the patch list in order to generate a list of possible sploits.

What the tool doesn’t do

Exploit-suggester does NOT list all missing patches.  Other tools such as Patch Check Advanced do this job very effectively.  Exploit-suggester purposefully omits details of vulnerabilities for which public exploit code is not available.

It does not aim to reference all known exploit code, just to list enough help you get root.

It doesn’t provide the exploit code or tell you how to use it.  It simply points you in the right direction.

Links to descriptions of the vulnerabilities are provided, but this tool will not tell you about about the nature of the vulnerbility, fixes, recommendations or anything else that might help with reporting.

Installation

Exploit-suggester is just a PERL script, so installation should be trivial.  Simply place exploit-suggester.pl somehwere in your PATH.  The database file sploitdb.xml must be in the same directory as exploit-suggester.pl.

You may need to install the XML::Simple PERL module first.  If it’s not available through your package manager, you can get it from CPAN:

# perl -MCPAN -e shell
> install XML::Simple

Example Output

$ head showrev.out
Patch: 109618-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWeuxwe, SUNWeuezt, SUNWeudlg, SUNWeudda
Patch: 109889-01 Obsoletes: 109353-04 Requires:  Incompatibles:  Packages: SUNWkvmx, SUNWkvm, SUNWmdb, SUNWhea, SUNWpstl, SUNWpstlx
Patch: 110369-05 Obsoletes: 110709-02 Requires:  Incompatibles:  Packages: SUNWkvmx, SUNWcarx, SUNWcsr
...
$ ./exploit-suggestions.pl 8 sparc showrev.out
exploit-suggester v0.1 ( http://pentestmonkey.net/tools/exploit-suggester )

 -------------------------------------------------------------
|                     Runtime options                         |
 -------------------------------------------------------------
Solaris version: ................ 8
Architecture: ................... sparc
Patch file: ..................... showrev.out
Exploit database: ............... sploitdb.txt
Don't list sploits rated as ..... N/A - Exclude no ratings
List only sploits rated as ...... N/A - List any rating
List only local sploits ......... N/A - Show both

 -------------------------------------------------------------
|                   Suggested Exploits                        |
 -------------------------------------------------------------
Description:          'at' Arbitrary File Deletion
Remote:               0
Exploit Rating:       1 (Sploit normally works)
Patch installed:      108875-10
Min vulnerable patch: 108875-00
Max vulnerable patch: 108875-12
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/isec-solaris-at-rm.c
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/solaris-at.c
Info Link:            http://securityfocus.com/bid/6693

Description:          /usr/ucb/ps information leakage
Remote:               0
Exploit Rating:       1 (Sploit normally works)
Patch installed:      109023-01
Min vulnerable patch: 109023-00
Max vulnerable patch: 109023-05
Exploit Link:         http://milw0rm.com/exploits/2242
Note:                 Local environment variable leakage: /usr/ucb/ps -auxgeww

Description:          KCMS Arbitrary File Reading Vulnerability
Remote:               1
Exploit Rating:       1 (Sploit normally works)
Patch installed:      111400-01
Min vulnerable patch: 111400-00
Max vulnerable patch: 111400-01
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/solaris_kcms_readfile.pm
Info Link:            http://securityfocus.com/bid/6665

Description:          X11 Keyboard Extension Overflow
Remote:               0
Exploit Rating:       1 (Sploit normally works)
Patch installed:      119067-00
Min vulnerable patch: 119067-00
Max vulnerable patch: 119067-03
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/raptor_xkb.c
Info Link:            http://www.securityfocus.com/bid/19905

Description:          libdthelp Overflow Privilege Escalation
Remote:               0
Exploit Rating:       1 (Sploit normally works)
Patch installed:      108949-07
Min vulnerable patch: 108949-00
Max vulnerable patch: 108949-08
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/raptor_libdthelp.c
Info Link:            http://www.securityfocus.com/bid/8973

Description:          priocntl Vulnerability
Remote:               0
Exploit Rating:       1 (Sploit normally works)
Patch installed:      108528-13
Min vulnerable patch: 108528-00
Max vulnerable patch: 108528-17
Exploit Link:         http://archive.cert.uni-stuttgart.de/bugtraq/2002/11/msg00359.html
Info Link:            http://securityfocus.com/bid/6262

Description:          sadmind Authentication Spoofing
Remote:               1
Exploit Rating:       1 (Sploit normally works)
Patch installed:      116455-00
Min vulnerable patch: 116455-00
Max vulnerable patch: 116455-00
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/solaris_sadmind_exec.pm
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/rootdown.plm
Info Link:            http://securityfocus.com/bid/8615

Description:          vfs_getvfssw Kernel Module Loading Vulnerability
Remote:               0
Exploit Rating:       1 (Sploit normally works)
Patch installed:      108528-13
Min vulnerable patch: 108528-00
Max vulnerable patch: 108528-26
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/solaris_vfs_getvfssw.tar
Info Link:            http://securityfocus.com/bid/9962
Note:                 DoS risk if you insert the wrong kernel module

Description:          whodo Overflow
Remote:               0
Exploit Rating:       2 (Sploit untested)
Patch installed:      111826-00
Min vulnerable patch: 111826-00
Max vulnerable patch: 111826-00
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/whodoexp.c
Info Link:            http://securityfocus.com/bid/2935

Description:          LD_PRELOAD Privilege Escalation
Remote:               0
Exploit Rating:       3 (Sploit normally fails)
Patch installed:      109147-12
Min vulnerable patch: 109147-07
Max vulnerable patch: 109147-24
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/raptor_ldpreload.c
Info Link:            http://www.securityfocus.com/bid/8305/info

Description:          libsldap Overflow
Remote:               0
Exploit Rating:       3 (Sploit normally fails)
Patch installed:      111091-00
Min vulnerable patch: 111091-00
Max vulnerable patch: 111091-02
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/libsldap-exp.c
Exploit Link:         http://www.securityfocus.com/data/vulnerabilities/exploits/ldap_exp2.c
Info Link:            http://securityfocus.com/bid/2931

Limitations

Currently the database is biased towards exploiting Solaris 8 on SPARC.  I’ll update the database to more fully support other flavours of Solaris later.  I might also implement limited support for Windows and Linux too at some stage.

 

Tags: , ,

Posted in Audit