def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20084210"
self.formatted_name = "CVE-2008-4210"
self.e_type = "linux"
self.brief_desc = "Linux kernel < 2.6.22 open/ftruncate local exploit"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 2, 6, 11, 2, 6, 22)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_8, VERSION_VULNERABLE, 2, 6, 11, 2, 6, 27, highest_patch_level="2.6.27-9-generic - 2.6.27-9.19"),
KernelWindow(UBUNTU_8, VERSION_VULNERABLE, 2, 6, 11, 2, 6, 24, highest_patch_level="2.6.24-22-generic - 2.6.24-22.45"),
KernelWindow(UBUNTU_7, VERSION_VULNERABLE, 2, 6, 11, 2, 6, 22, highest_patch_level="2.6.22-16-generic - 2.6.22-16.60"),
KernelWindow(UBUNTU_6, VERSION_VULNERABLE, 2, 6, 11, 2, 6, 15, highest_patch_level="2.6.15-53-686 - 2.6.15-53.74"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 2, 6, 11, 2, 6, 15),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 2, 6, 11, 2, 6, 18, highest_patch_level="2.6.18-6_2.6.18.dfsg.1-22etch3"),
]
self.exploit_kernels = [
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -O2 -fomit-frame-pointer".format(self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20144699"
self.formatted_name = "CVE-2014-4699"
self.e_type = "linux"
self.brief_desc = "Exploitable race condition in linux before 3.15.4"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 0, 0, 0, 3, 15, 4)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_10, VERSION_VULNERABLE, 0, 0, 0, 2, 6, 32, highest_patch_level="2.6.32-62.126"),
KernelWindow(UBUNTU_12, VERSION_VULNERABLE, 0, 0, 0, 3, 2, 0, highest_patch_level="3.2.0-65.99"),
KernelWindow(UBUNTU_13, VERSION_VULNERABLE, 0, 0, 0, 3, 11, 0, highest_patch_level="3.11.0-24.42"),
KernelWindow(UBUNTU_14, VERSION_VULNERABLE, 0, 0, 0, 3, 13, 0, highest_patch_level="3.13.0-30.55"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
KernelWindow(DEBIAN_8, VERSION_VULNERABLE, 0, 0, 0, 3, 14, 10, highest_patch_level="3.14.10-1"),
KernelWindow(DEBIAN_7, VERSION_VULNERABLE, 0, 0, 0, 3, 2, 60, highest_patch_level="3.2.60-1+deb7u1"),
KernelWindow(DEBIAN_6, VERSION_VULNERABLE, 0, 0, 0, 2, 6, 32, highest_patch_level="2.6.32-48squeeze8"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 32),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_12, EXPLOIT_AVAILABLE, 0, 0, 0, 3, 4, 0)
]
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -O2 -o {} {}".format(self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20165195_32_poke"
self.formatted_name = "CVE-2016-5195 (x86) [poke variant]"
self.e_type = "linux"
self.brief_desc = "Dirty COW race condition root priv esc for 32 bit (poke variant)"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 2,
0, 0, 4, 8, 3)
self.vulnerable_kernels = [
KernelWindow(RHEL, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.exploit_kernels = [
KernelWindow(RHEL, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc {} -o {} -pthread".format(
self.source_c_path, self.compilation_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20140038"
self.formatted_name = "CVE-2014-0038"
self.e_type = "linux"
self.brief_desc = "recvmmsg syscall issues in x86_32 can lead to root (timeoutpwn)"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 3, 13, 2)
self.vulnerable_kernels = [
KernelWindow(SUSE,
VERSION_VULNERABLE,
0,
0,
0,
3,
11,
10,
highest_patch_level="3.11.10-7.1"),
KernelWindow(UBUNTU_13,
VERSION_VULNERABLE,
0,
0,
0,
3,
11,
1,
highest_patch_level="3.11.0-15.25"),
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
8,
0,
highest_patch_level=" 3.11.0-15.25~precise1"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 8, 0),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_13,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
11,
1,
highest_patch_level="3.11.0-15.25"),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20080900"
self.formatted_name = "CVE-2008-0900"
self.e_type = "linux"
self.brief_desc = "CVE-2008-0900 'jessica_biel_naked_in_my_bed.c'"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 2,
6, 17, 2, 6, 24)
self.vulnerable_kernels = [
KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 24)
]
self.exploit_kernels = [
KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 24)
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -static -Wno-format".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20175123"
self.formatted_name = "CVE-2017-5123"
self.e_type = "linux"
self.brief_desc = "waitid() not calling access_ok()"
self.reliability = LOW_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 4,
13, 0, 4, 13, 6)
self.vulnerable_kernels = [
KernelWindow(RHEL, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.exploit_kernels = [
KernelWindow(RHEL, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20062451"
self.formatted_name = "CVE-2006-2451"
self.e_type = "linux"
self.brief_desc = "Design flaw in prctl(PR_SET_DUMPABLE, ...) system call"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 2, 3, 16, 2, 6, 17)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_6, VERSION_VULNERABLE, 2, 3, 16, 2, 6, 15, highest_patch_level="2.6.15-26-686 - 2.6.15-26.44"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 2, 3, 16, 2, 6, 15),
KernelWindow(DEBIAN_GENERIC, VERSION_VULNERABLE, 2, 3, 16, 2, 6, 15),
KernelWindow(SUSE, VERSION_VULNERABLE, 8, 0, 0, 10, 0, 0)
]
self.exploit_kernels = [
KernelWindow(UBUNTU_6, EXPLOIT_AVAILABLE, 2, 3, 16, 2, 6, 15, highest_patch_level="2.6.15-26-686 - 2.6.15-26.44"),
KernelWindow(DEBIAN_GENERIC, EXPLOIT_AVAILABLE, 2, 3, 16, 2, 6, 17, highest_patch_level="2.6.17-3"),
KernelWindow(SUSE, EXPLOIT_AVAILABLE, 2, 3, 16, 2, 6, 17, highest_patch_level="2.6.17-3")
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -O2 -fomit-frame-pointer".format(self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20080600"
self.formatted_name = "CVE-2008-0600"
self.e_type = "linux"
self.brief_desc = "vmsplice_to_pipe 2.6.17 through 2.6.24.1"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 2, 6, 17, 2, 6, 24)
self.vulnerable_kernels = [
KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 24),
KernelWindow(UBUNTU_7, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 22, highest_patch_level="2.6.22-14-generic - 2.6.22-14.52"),
KernelWindow(UBUNTU_6, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 17, highest_patch_level="2.6.17-12-generic - 2.6.17.1-12.44"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 2, 6, 17, 2, 6, 24),
KernelWindow(DEBIAN_4, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 18, highest_patch_level="2.6.18.dfsg.1-18etch1"),
KernelWindow(DEBIAN_5, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 22, highest_patch_level="2.6.22-6.lenny1"),
KernelWindow(DEBIAN_6, VERSION_VULNERABLE, 2, 6, 17, 2, 6, 24, highest_patch_level="2.6.24-4"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 2, 6, 17, 2, 6, 24)
]
self.exploit_kernels = [
KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 2, 6, 23, 2, 6, 24),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20171000372"
self.formatted_name = "CVE-2017-1000372"
self.e_type = "linux"
self.brief_desc = "Stack clash vulnerability from qualys"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 4,
11, 5, 4, 11, 5)
self.vulnerable_kernels = [
KernelWindow(OPENBSD, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.exploit_kernels = [
KernelWindow(OPENBSD, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20132094_semtex"
self.formatted_name = "CVE-2013-2094"
self.e_type = "linux"
self.brief_desc = "perf_swevent_init Local root exploit (32 bit)"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 3, 8, 9) # reported...maybe not real
self.vulnerable_kernels = [
KernelWindow(RHEL, VERSION_VULNERABLE, 0, 0, 0, 2, 6, 32, highest_patch_level="2.6.32-358.6.2"),
KernelWindow(SUSE, VERSION_VULNERABLE, 0, 0, 0, 3, 0, 74, highest_patch_level="3.0.74-0.6.8.1"),
KernelWindow(CENTOS, VERSION_VULNERABLE, 2, 6, 32, 2, 6, 37, highest_patch_level="2.6.32-358.6.2"),
KernelWindow(UBUNTU_12, VERSION_VULNERABLE, 0, 0, 0, 3, 2, 0, highest_patch_level="3.2.0-43.68"),
KernelWindow(UBUNTU_12, VERSION_VULNERABLE, 0, 0, 0, 3, 5, 0, highest_patch_level="3.5.0-30.51"),
KernelWindow(UBUNTU_13, VERSION_VULNERABLE, 0, 0, 0, 3, 5, 0, highest_patch_level="3.8.0-21.32"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
KernelWindow(DEBIAN_8, VERSION_VULNERABLE, 0, 0, 0, 3, 8, 11, highest_patch_level="3.8.11-1"),
KernelWindow(DEBIAN_7, VERSION_VULNERABLE, 0, 0, 0, 3, 2, 41, highest_patch_level="3.2.41-2+deb7u2"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 41),
]
self.exploit_kernels = [
# don't know what the PoC targets, so can't say for sure it'll work
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -O2".format(self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20144014"
self.formatted_name = "CVE-2014-4014"
self.e_type = "linux"
self.brief_desc = "`chmod` restriction bypass allows users to get root before 3.14.8"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 3, 14, 8)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_13,
VERSION_VULNERABLE,
0,
0,
0,
3,
11,
0,
highest_patch_level="3.11.0-26.45"),
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-35.62~precise1"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-35.62"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 11, 0),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
0,
0,
0,
3,
14,
7,
highest_patch_level="3.14.7-1"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 14, 7),
]
self.exploit_kernels = []
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20041235"
self.formatted_name = "CVE-2004-1235"
self.e_type = "linux"
self.brief_desc = "Linux Kernel 2.4.29-rc2 - 'uselib()' Local Privilege Escalation"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 2, 4, 29)
self.vulnerable_kernels = [
KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 0, 0, 0, 2, 4, 29),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 8),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 4, 19)
]
self.exploit_kernels = [
KernelWindow(UBUNTU_4,
EXPLOIT_AVAILABLE,
0,
0,
0,
2,
6,
8,
highest_patch_level="2.6.8.1-4-686"),
KernelWindow(DEBIAN_4,
EXPLOIT_AVAILABLE,
0,
0,
0,
2,
4,
27,
highest_patch_level="2.4.27-8"),
KernelWindow(DEBIAN_3,
EXPLOIT_AVAILABLE,
0,
0,
0,
2,
4,
19,
highest_patch_level="2.4.19-4.woody3"),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -O2 -fomit-frame-pointer".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE201716996"
self.formatted_name = "CVE-2017-16996"
self.e_type = "linux"
self.brief_desc = "eBPF Verifier check_alu_op() Sign Extension Local Root Exploit"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 4, 0, 0, 4, 14, 8)
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20030961"
self.formatted_name = "CVE-2003-0961"
self.e_type = "linux"
self.brief_desc = "Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 4, 22)
self.vulnerable_kernels = [
KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 4, 22),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20050736"
self.formatted_name = "CVE-2005-0736"
self.e_type = "linux"
self.brief_desc = "Integer overflow in sys_epoll_wait in eventpoll.c"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 2, 6, 11)
self.vulnerable_kernels = [
KernelWindow(RHEL,
VERSION_VULNERABLE,
2,
6,
0,
2,
6,
9,
highest_patch_level="2.6.9-5.EL"),
]
self.exploit_kernels = [
KernelWindow(RHEL,
EXPLOIT_AVAILABLE,
2,
6,
0,
2,
6,
9,
highest_patch_level="2.6.9-5.EL"),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -static -O2".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20171000367"
self.formatted_name = "CVE-2017-1000367"
self.e_type = "linux"
self.brief_desc = "sudo get_process_ttyname() root priv esc"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 4, 20, 0)
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.vulnerable_kernels = []
self.exploit_kernels = []
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20091185"
self.formatted_name = "CVE-2009-1185"
self.e_type = "linux"
self.brief_desc = "udev before 1.4.1 NETLINK user space priv esc"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 2, 6, 27)
self.vulnerable_kernels = [
KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 27),
]
self.exploit_kernels = []
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20104347"
self.formatted_name = "CVE-2010-4347"
self.e_type = "linux"
self.brief_desc = "american-sign-language ACPI LID root exploit"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 2, 6, 36)
self.vulnerable_kernels = [
KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 36),
]
self.exploit_kernels = []
self.architecture = ARCHITECTURE_x86_64
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20173630"
self.formatted_name = "CVE-2017-3630"
self.e_type = "linux"
self.brief_desc = "Stack clash vuln in solaris"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 4, 8, 3)
self.vulnerable_kernels = [
KernelWindow(SOLARIS, VERSION_VULNERABLE, 0, 0, 0, 4, 8, 3)
]
self.exploit_kernels = [
KernelWindow(SOLARIS, EXPLOIT_AVAILABLE, 0, 0, 0, 4, 8, 3)
]
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20165195_32"
self.formatted_name = "CVE-2016-5195 (x86)"
self.e_type = "linux"
self.brief_desc = "Dirty COW race condition root priv esc for 32 bit"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 2,
0, 0, 4, 8, 3)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_16,
VERSION_VULNERABLE,
2,
0,
0,
4,
8,
0,
highest_patch_level="4.8.0-26.28"),
KernelWindow(UBUNTU_16,
VERSION_VULNERABLE,
2,
0,
0,
4,
4,
0,
highest_patch_level="4.4.0-45.66"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
2,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-100.147"),
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
2,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0-113.155"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
KernelWindow(DEBIAN_9,
VERSION_VULNERABLE,
2,
0,
0,
4,
7,
8,
highest_patch_level="4.7.8-1"),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
2,
0,
0,
3,
16,
36,
highest_patch_level="3.16.36-1+deb8u2"),
KernelWindow(DEBIAN_7,
VERSION_VULNERABLE,
2,
0,
0,
3,
2,
82,
highest_patch_level="3.2.82-1"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 82),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_16,
EXPLOIT_AVAILABLE,
2,
0,
0,
4,
8,
0,
highest_patch_level="4.8.0-26.28"),
KernelWindow(UBUNTU_16,
EXPLOIT_AVAILABLE,
2,
0,
0,
4,
4,
0,
highest_patch_level="4.4.0-45.66"),
KernelWindow(UBUNTU_14,
EXPLOIT_AVAILABLE,
2,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-100.147"),
KernelWindow(UBUNTU_12,
EXPLOIT_AVAILABLE,
2,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0-113.155"),
KernelWindow(DEBIAN_9,
EXPLOIT_AVAILABLE,
2,
0,
0,
4,
7,
8,
highest_patch_level="4.7.8-1"),
KernelWindow(DEBIAN_8,
EXPLOIT_AVAILABLE,
2,
0,
0,
3,
16,
36,
highest_patch_level="3.16.36-1+deb8u2"),
KernelWindow(DEBIAN_7,
EXPLOIT_AVAILABLE,
2,
0,
0,
3,
2,
82,
highest_patch_level="3.2.82-1"),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc {} -o {} -pthread".format(
self.source_c_path, self.compilation_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20171000370"
self.formatted_name = "CVE-2017-1000370"
self.e_type = "linux"
self.brief_desc = "Stack clash vulnerability from qualys "
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 4,
11, 5, 4, 11, 5)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_17, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
KernelWindow(UBUNTU_16, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
KernelWindow(UBUNTU_14, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
KernelWindow(DEBIAN_10,
VERSION_VULNERABLE,
0,
0,
0,
KERNEL_MAJOR_VERSION_CAP + 1,
0,
0,
highest_patch_level="4.11.11-1"),
KernelWindow(DEBIAN_9,
VERSION_VULNERABLE,
0,
0,
0,
KERNEL_MAJOR_VERSION_CAP + 1,
0,
0,
highest_patch_level="4.9.30-2+deb9u5"),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
0,
0,
0,
KERNEL_MAJOR_VERSION_CAP + 1,
0,
0,
highest_patch_level="3.16.43-2+deb8u5"),
KernelWindow(FEDORA, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
KernelWindow(CENTOS, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_17, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
KernelWindow(UBUNTU_16, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
KernelWindow(UBUNTU_14, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
KernelWindow(DEBIAN_10,
EXPLOIT_AVAILABLE,
0,
0,
0,
KERNEL_MAJOR_VERSION_CAP + 1,
0,
0,
highest_patch_level="4.11.11-1"),
KernelWindow(DEBIAN_9,
EXPLOIT_AVAILABLE,
0,
0,
0,
KERNEL_MAJOR_VERSION_CAP + 1,
0,
0,
highest_patch_level="4.9.30-2+deb9u5"),
KernelWindow(DEBIAN_8,
EXPLOIT_AVAILABLE,
0,
0,
0,
KERNEL_MAJOR_VERSION_CAP + 1,
0,
0,
highest_patch_level="3.16.43-2+deb8u5"),
KernelWindow(FEDORA, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
KernelWindow(CENTOS, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(PLAYGROUND_PATH,
"{}{}".format(self.name, ".so"))
self.compilation_command = "gcc -fpic -shared -nostdlib -Os -s -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = "xxd -i {} > {}.h".format(
self.compilation_path, self.compilation_path)
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20140196"
self.formatted_name = "CVE-2014-0196"
self.e_type = "linux"
self.brief_desc = "`n_tty_write` vuln before 3.14.4 allows priv esc to root"
self.reliability = LOW_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 2,
6, 31, 3, 14, 4)
self.vulnerable_kernels = [
KernelWindow(RHEL, VERSION_VULNERABLE, 0, 0, 0, 2, 6, 32),
KernelWindow(UBUNTU_10,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
32,
highest_patch_level="2.6.32-58.121"),
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0-61.93"),
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
5,
0,
highest_patch_level="3.5.0-49.74"),
KernelWindow(UBUNTU_13,
VERSION_VULNERABLE,
0,
0,
0,
3,
11,
0,
highest_patch_level="3.11.0-20.35"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-24.47"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
0,
0,
0,
3,
14,
4,
highest_patch_level="3.14.4-1"),
KernelWindow(DEBIAN_7,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
57,
highest_patch_level="3.2.57-3+deb7u1"),
KernelWindow(DEBIAN_6,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
32,
highest_patch_level="2.6.32-48squeeze6"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 32)
]
self.exploit_kernels = []
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -lutil -lpthread".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20176074"
self.formatted_name = "CVE-2017-6074"
self.e_type = "linux"
self.brief_desc = "`dccp_rcv_state_process` in net/dccp/input.c mishandles structs and can lead to local root"
self.reliability = LOW_RELIABILITY # due to statement in public announcement
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 4, 9, 11)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0-123.166"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-110.157"),
KernelWindow(UBUNTU_16,
VERSION_VULNERABLE,
0,
0,
0,
4,
8,
0,
highest_patch_level="4.8.0-39.42"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
KernelWindow(DEBIAN_9,
VERSION_VULNERABLE,
0,
0,
0,
4,
9,
13,
highest_patch_level="4.9.13-1"),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
0,
0,
0,
3,
16,
39,
highest_patch_level="3.16.39-1+deb8u1"),
KernelWindow(DEBIAN_7,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
84,
highest_patch_level="3.2.84-2"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 84),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_14,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-110.157")
]
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.playground_path = playground_path
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20177308"
self.formatted_name = "CVE-2017-7308"
self.e_type = "linux"
self.brief_desc = "`packet_set_ring` in net/packet/af_packet.c can gain privileges via crafted system calls."
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 4, 10, 6)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_16,
BASE_VULNERABLE,
0,
0,
0,
4,
8,
0,
highest_patch_level="4.8.0-46.49"),
KernelWindow(UBUNTU_16,
BASE_VULNERABLE,
0,
0,
0,
4,
4,
0,
highest_patch_level="4.4.0-72.93"),
KernelWindow(UBUNTU_14,
BASE_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0.116.126"),
KernelWindow(UBUNTU_12,
BASE_VULNERABLE,
0,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0.126.141"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
KernelWindow(DEBIAN_9,
BASE_VULNERABLE,
0,
0,
0,
4,
9,
18,
highest_patch_level="4.9.18-1"),
KernelWindow(DEBIAN_8,
BASE_VULNERABLE,
0,
0,
0,
3,
16,
43,
highest_patch_level="3.16.43-1"),
KernelWindow(DEBIAN_7,
BASE_VULNERABLE,
0,
0,
0,
3,
2,
88,
highest_patch_level="3.2.88-1"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 88),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_16, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20102959"
self.formatted_name = "CVE-2010-2959"
self.e_type = "linux"
self.brief_desc = "Integer overflow in CAN subsystem"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 2, 35, 4)
self.vulnerable_kernels = [
KernelWindow(DEBIAN_5,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
26,
highest_patch_level="2.6.26-1um-2+24lenny1"
), # 2.6.26-1um-2+24lenny1
KernelWindow(FEDORA,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
32,
highest_patch_level="2.6.32.21-166.fc12"
), # Fedora 12 2.6.32.21-166.fc12
KernelWindow(SUSE,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
34,
highest_patch_level="2.6.34.7-0.2.2"),
KernelWindow(UBUNTU_10,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
31,
highest_patch_level="2.6.31-608.19"),
KernelWindow(UBUNTU_9,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
31,
highest_patch_level="2.6.31-214.30"),
KernelWindow(UBUNTU_9,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
28,
highest_patch_level="2.6.28-19.64"),
KernelWindow(UBUNTU_8,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
24,
highest_patch_level="2.6.24-28.75"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 24),
KernelWindow(UBUNTU_6,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
15,
highest_patch_level="2.6.15-55.87"),
KernelWindow(DEBIAN_5,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
26,
highest_patch_level="2.6.26-24lenny1"),
KernelWindow(DEBIAN_6,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
32,
highest_patch_level="2.6.32-20"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 32)
]
self.exploit_kernels = [
KernelWindow(UBUNTU_10,
EXPLOIT_AVAILABLE,
0,
0,
0,
2,
6,
31,
highest_patch_level="2.6.31-608.19"),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20143153"
self.formatted_name = "CVE-2014-3153"
self.e_type = "linux"
self.brief_desc = "`futex_requeue` vulnerability before 3.14.6 allows for priv esc"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 3, 14, 16)
self.vulnerable_kernels = [
KernelWindow(SUSE, VERSION_VULNERABLE, 0, 0, 0, 3, 0, 100),
KernelWindow(UBUNTU_10,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
32,
highest_patch_level="2.6.32-61.124"),
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0-64.97"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-29.53"),
KernelWindow(UBUNTU_13,
VERSION_VULNERABLE,
0,
0,
0,
3,
11,
0,
highest_patch_level="3.11.0-23.40"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
0,
0,
0,
3,
14,
5,
highest_patch_level="3.14.5-1"),
KernelWindow(DEBIAN_7,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
57,
highest_patch_level="3.2.57-3+deb7u2"),
KernelWindow(DEBIAN_6,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
32,
highest_patch_level="2.6.32-48squeeze7"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 32),
KernelWindow(RHEL, VERSION_VULNERABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.exploit_kernels = [
KernelWindow(RHEL, EXPLOIT_AVAILABLE, 0, 0, 0,
KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
]
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -lpthread".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20160728"
self.formatted_name = "CVE-2016-0728"
self.e_type = "linux"
self.brief_desc = "`join_session_keyring` function can be abused to get root NOTE: (takes about 30 minutes)"
self.reliability = MEDIUM_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 3,
8, 0, 4, 4, 1)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_15,
VERSION_VULNERABLE,
0,
0,
0,
4,
2,
0,
highest_patch_level="4.2.0-25.30"),
KernelWindow(UBUNTU_15,
VERSION_VULNERABLE,
0,
0,
0,
3,
19,
0,
highest_patch_level="3.19.0-47.53"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-76.120"),
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-76.120~precise1"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 13, 0),
KernelWindow(DEBIAN_9,
VERSION_VULNERABLE,
0,
0,
0,
4,
3,
3,
highest_patch_level="4.3.3-6"),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
0,
0,
0,
3,
16,
7,
highest_patch_level="3.16.7-ckt20-1+deb8u3"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 16, 7),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_15,
EXPLOIT_AVAILABLE,
0,
0,
0,
4,
2,
0,
highest_patch_level="4.2.0-25.30"),
KernelWindow(UBUNTU_15,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
19,
0,
highest_patch_level="3.19.0-47.53"),
KernelWindow(UBUNTU_14,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-76.120"),
KernelWindow(UBUNTU_12,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-76.120~precise1"),
KernelWindow(DEBIAN_9,
EXPLOIT_AVAILABLE,
0,
0,
0,
4,
3,
3,
highest_patch_level="4.3.3-6"),
KernelWindow(DEBIAN_8,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
16,
7,
highest_patch_level="3.16.7-ckt20-1+deb8u3"),
]
self.architecture = ARCHITECTURE_x86_64
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "apt-get libkeyutils-dev; gcc -o {} {} -lkeyutils -Wall".format(
self.compilation_path, self.source_c_path)
self.exploit_command = "{} {}".format(self.compilation_path, "PP_KEY")
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20162384"
self.formatted_name = "CVE-2016-2384"
self.e_type = "linux"
self.brief_desc = "Double free vulnerability in the `snd_usbmidi_create` (requires physical proximity)"
self.reliability = LOW_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 4, 5, 0)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_15,
VERSION_VULNERABLE,
0,
0,
0,
4,
2,
0,
highest_patch_level="4.2.0-34.39"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-83.127"),
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0-101.141"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
KernelWindow(DEBIAN_9,
VERSION_VULNERABLE,
0,
0,
0,
4,
4,
2,
highest_patch_level="4.4.2-1"),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
0,
0,
0,
3,
16,
7,
highest_patch_level="3.16.7-ckt20-1+deb8u4"),
KernelWindow(DEBIAN_7,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
73,
highest_patch_level="3.2.73-2+deb7u3"),
KernelWindow(DEBIAN_6,
VERSION_VULNERABLE,
0,
0,
0,
2,
6,
32,
highest_patch_level="2.6.32-48squeeze20"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 32),
]
self.exploit_kernels = []
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {} -masm=intel".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20151328_32"
self.formatted_name = "CVE-2015-1328 (32 bit)"
self.e_type = "linux"
self.brief_desc = "overlayfs implementation in linux kernel does not properly check file-create permissions"
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 3, 19, 0)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_12,
VERSION_VULNERABLE,
0,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0-86.123"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-55.92"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
16,
0,
highest_patch_level="3.16.0-41.55"),
KernelWindow(UBUNTU_15,
VERSION_VULNERABLE,
0,
0,
0,
3,
19,
0,
highest_patch_level="3.19.0-21.21"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 2, 0),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_12,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
2,
0,
highest_patch_level="3.2.0-86.123"),
KernelWindow(UBUNTU_14,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-55.92"),
KernelWindow(UBUNTU_14,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
16,
0,
highest_patch_level="3.16.0-41.55"),
KernelWindow(UBUNTU_15,
EXPLOIT_AVAILABLE,
0,
0,
0,
3,
19,
0,
highest_patch_level="3.19.0-21.21"),
]
self.architecture = ARCHITECTURE_i686
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH):
LinuxExploit.__init__(self)
self.name = "CVE20171000112"
self.formatted_name = "CVE-2017-1000112"
self.e_type = "linux"
self.brief_desc = "ip_ufo_append_data() memory corruption flaw can be exploited to gain root privileges."
self.reliability = HIGH_RELIABILITY
self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
0, 0, 4, 8, 0)
self.vulnerable_kernels = [
KernelWindow(UBUNTU_17,
VERSION_VULNERABLE,
0,
0,
0,
4,
10,
0,
highest_patch_level="4.10.0-32.36"),
KernelWindow(UBUNTU_16,
VERSION_VULNERABLE,
0,
0,
0,
4,
4,
0,
highest_patch_level="4.4.0-91.114"),
KernelWindow(UBUNTU_14,
VERSION_VULNERABLE,
0,
0,
0,
3,
13,
0,
highest_patch_level="3.13.0-128.177"),
KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 13, 0),
KernelWindow(DEBIAN_9,
VERSION_VULNERABLE,
0,
0,
0,
4,
9,
30,
highest_patch_level="4.9.30-2+deb9u5"),
KernelWindow(DEBIAN_8,
VERSION_VULNERABLE,
0,
0,
0,
3,
16,
43,
highest_patch_level="3.16.43-2+deb8u5"),
KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 16, 43),
]
self.exploit_kernels = [
KernelWindow(UBUNTU_14, EXPLOIT_AVAILABLE, 0, 0, 0, 4, 4, 0),
KernelWindow(UBUNTU_16, EXPLOIT_AVAILABLE, 0, 0, 0, 4, 8, 0),
]
self.playground_path = playground_path
self.exploit_source_file_name = "{}.c".format(self.name)
self.source_c_path = os.path.join(self.playground_path,
self.exploit_source_file_name)
self.compilation_path = os.path.join(self.playground_path, self.name)
self.compilation_command = "gcc -o {} {}".format(
self.compilation_path, self.source_c_path)
self.exploit_command = self.compilation_path
self.exploit_source = """