 def __init__(self):
     """Register the CVE-2015-1328 (overlayfs file-create check) local root entry.

     Generic Linux kernels up to 3.19.21 are recorded as confirmed
     vulnerable; the 0.0.0 lower bound expresses "no lower bound".
     Only metadata is set here -- no source path, build command or
     exploit command -- so presumably the base class supplies defaults;
     confirm before treating this entry as runnable on its own.
     """
     super().__init__()
     self.name = "CVE-2015-1328"
     self.type = "linux"
     self.reliability = HIGH_RELIABILITY
     self.brief_desc = ("overlayfs implementation in linux kernel does not "
                        "properly check file-create permissions")
     # KernelWindow arguments appear to be (target, status,
     # lower major/minor/patch, upper major/minor/patch).
     affected = KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE,
                             0, 0, 0,
                             3, 19, 21)
     self.vulnerable_kernels = [affected]
 def __init__(self):
     """Register the CVE-2016-2384 (snd_usbmidi_create double free) entry.

     `name` is the dash-free id used for the source file and build output;
     `formatted_name` is the human-readable CVE id. Debian and Ubuntu
     kernels up to 4.5.0 are confirmed vulnerable. Reliability is LOW: the
     description says physical proximity is required (a crafted USB
     device, presumably), so this is not a shell-only primitive.
     """
     super().__init__()
     self.name = "CVE20162384"
     self.formatted_name = "CVE-2016-2384"
     self.type = "linux"
     self.reliability = LOW_RELIABILITY
     self.brief_desc = ("Double free vulnerability in the `snd_usbmidi_create` "
                        "(requires physical proximity)")
     upper = (4, 5, 0)
     self.vulnerable_kernels = [
         KernelWindow(DEBIAN_GENERIC, CONFIRMED_VULNERABLE, 0, 0, 0, *upper),
         KernelWindow(UBUNTU_GENERIC, CONFIRMED_VULNERABLE, 0, 0, 0, *upper),
     ]
     # Source sits beside the other Linux exploits; the binary is built
     # into the playground directory and run from there.
     source_file = self.name + ".c"
     self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
     self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
     # NOTE(review): shell-string build command. If the runner hands this
     # to a shell, paths containing spaces or metacharacters get split;
     # the list form used by other entries avoids that. Kept as a string
     # here to preserve behaviour.
     self.compilation_command = " ".join(
         ["gcc", "-o", self.compilation_path, self.source_c_path])
     self.exploit_command = self.compilation_path
 def __init__(self):
     """Register the CVE-2014-4014 (chmod restriction bypass) local root entry.

     Generic Linux kernels through 3.14.7 are confirmed vulnerable (the
     description says "before 3.14.8"). Only metadata is set; source and
     build commands presumably come from the base class or from the
     dash-free-named entry for the same CVE -- confirm.
     """
     super().__init__()
     self.name = "CVE-2014-4014"
     self.type = "linux"
     self.reliability = HIGH_RELIABILITY
     self.brief_desc = ("`chmod` restriction bypass allows users to get root "
                        "before 3.14.8")
     last_vulnerable = (3, 14, 7)
     self.vulnerable_kernels = [
         KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0,
                      *last_vulnerable),
     ]
 def __init__(self):
     """Register the CVE-2009-1185 (udev NETLINK privilege escalation) entry.

     Both `vulnerable_base` and the single `vulnerable_kernels` window
     cover generic Linux up to 2.6.27 with BASE_VULNERABLE status; no
     `exploit_kernels` are listed. NOTE(review): per the description this
     is a bug in the udev userspace daemon, so the kernel version is only
     a proxy -- checking the installed udev version is the real test.
     The "before 1.4.1" wording should also be checked against the
     advisory, which numbers udev releases without dots (e.g. 141).
     """
     super().__init__()
     self.name = "CVE20091185"
     self.formatted_name = "CVE-2009-1185"
     self.e_type = "linux"
     self.reliability = MEDIUM_RELIABILITY
     self.brief_desc = "udev before 1.4.1 NETLINK user space priv esc"
     ceiling = (2, 6, 27)
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE,
                                         0, 0, 0, *ceiling)
     self.vulnerable_kernels = [
         KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, *ceiling),
     ]
     self.exploit_kernels = []
     source_file = "{}.c".format(self.name)
     self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
     self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
     # NOTE(review): shell-string build command; paths with spaces or
     # shell metacharacters would be mis-split if this goes through a shell.
     self.compilation_command = " ".join(
         ["gcc", "-o", self.compilation_path, self.source_c_path])
     self.exploit_command = self.compilation_path
 def __init__(self):
     """Register the CVE-2010-4347 (ACPI LID, "american-sign-language") entry.

     Generic Linux up to 2.6.36 is BASE_VULNERABLE for both the base
     window and the single vulnerable window; no exploit windows are
     recorded. The build is x86_64 only. NOTE(review): the public exploit
     for this CVE works through the debugfs ACPI custom_method file, so a
     target without debugfs mounted may be in-window yet not exploitable
     -- confirm at runtime.
     """
     super().__init__()
     self.name = "CVE20104347"
     self.formatted_name = "CVE-2010-4347"
     self.e_type = "linux"
     self.reliability = MEDIUM_RELIABILITY
     self.architecture = ARCHITECTURE_x86_64
     self.brief_desc = "american-sign-language ACPI LID root exploit"
     ceiling = (2, 6, 36)
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE,
                                         0, 0, 0, *ceiling)
     self.vulnerable_kernels = [
         KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, *ceiling),
     ]
     self.exploit_kernels = []
     source_file = self.name + ".c"
     self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
     self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
     # NOTE(review): shell-string build command (see list-form entries for
     # the variant that is safe with odd characters in paths).
     self.compilation_command = " ".join(
         ["gcc", "-o", self.compilation_path, self.source_c_path])
     self.exploit_command = self.compilation_path
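 def __init__(self):
     """Register the CVE-2017-5123 (waitid() missing access_ok()) entry.

     The affected window is 4.13.0 through 4.13.6 on generic Linux, Debian
     unstable and Ubuntu, matching the other CVE-2017-5123 entries in this
     corpus; the previous 0.0.0-4.14.4 window disagreed with them and
     flagged every older kernel. The exploit source path is still a
     placeholder, so compilation cannot succeed until it is filled in; the
     exploit command now runs the binary the compile step would produce,
     as every other entry does, instead of an unrelated "./pwn ..." stub.
     """
     super().__init__()
     self.name = "CVE-2017-5123"
     self.type = "linux"
     self.brief_desc = "waitid() not calling access_ok()"
     self.reliability = LOW_RELIABILITY
     # 4.13.0-4.13.6, as in the sibling entries for this CVE.
     self.vulnerable_kernels = [
         KernelWindow(target, CONFIRMED_VULNERABLE, 4, 13, 0, 4, 13, 6)
         for target in (GENERIC_LINUX, DEBIAN_UNSTABLE, UBUNTU_GENERIC)
     ]
     # TODO(review): placeholder, not a path -- gcc will fail to open it.
     # Sibling entries keep the source as "<dash-free CVE id>.c" in the
     # Linux exploit source directory; point this there once it exists.
     self.source_c_path = "Need a source path to the exploit file to compile"
     self.compilation_path = os.path.join(PLAYGROUND_PATH, "exploit")
     # List form: presumably executed without a shell, so paths are
     # passed as single arguments.
     self.compilation_command = [
         "gcc", self.source_c_path, "-o", self.compilation_path
     ]
     # Run what compilation_command builds (was "./pwn -o allyourbase.txt
     # -i l33t.skills", which refers to nothing this entry produces).
     self.exploit_command = self.compilation_path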
 def __init__(self):
     """Register the CVE-2017-1000373 (Qualys "stack clash", OpenBSD) entry.

     Only metadata is set: the window, HIGH reliability and a 32-bit
     (i386) build. NOTE(review): the window is written as 0.0.0-4.11.5,
     which the in-line TODO says stands in for "OpenBSD 6.1 and earlier";
     those numbers are not OpenBSD release numbers, so version matching
     against an OpenBSD target is unlikely to behave as intended until
     the TODO is resolved. No build or exploit command appears here.
     """
     super().__init__()
     self.name = "CVE-2017-1000373"
     self.type = "linux"
     self.reliability = HIGH_RELIABILITY
     self.architecture = ARCHITECTURE_i386
     self.brief_desc = "Stack clash vulnerability from qualys "
     # TODO: openbsd v 6.1 and earlier (the window below is a placeholder)
     placeholder_window = KernelWindow(OPENBSD, CONFIRMED_VULNERABLE,
                                       0, 0, 0, 4, 11, 5)
     self.vulnerable_kernels = [placeholder_window]
 def __init__(self, playground_path=PLAYGROUND_PATH):
     LinuxExploit.__init__(self)
     self.name = "CVE20050736"
     self.formatted_name = "CVE-2005-0736"
     self.e_type = "linux"
     self.brief_desc = "Integer overflow in sys_epoll_wait in eventpoll.c"
     self.reliability = MEDIUM_RELIABILITY
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
                                         0, 0, 2, 6, 11)
     self.vulnerable_kernels = [
         KernelWindow(RHEL,
                      VERSION_VULNERABLE,
                      2,
                      6,
                      0,
                      2,
                      6,
                      9,
                      highest_patch_level="2.6.9-5.EL"),
     ]
     self.exploit_kernels = [
         KernelWindow(RHEL,
                      EXPLOIT_AVAILABLE,
                      2,
                      6,
                      0,
                      2,
                      6,
                      9,
                      highest_patch_level="2.6.9-5.EL"),
     ]
     self.architecture = ARCHITECTURE_i686
     self.playground_path = playground_path
     self.exploit_source_file_name = "{}.c".format(self.name)
     self.source_c_path = os.path.join(self.playground_path,
                                       self.exploit_source_file_name)
     self.compilation_path = os.path.join(self.playground_path, self.name)
     self.compilation_command = "gcc -o {} {} -static -O2".format(
         self.compilation_path, self.source_c_path)
     self.exploit_command = self.compilation_path
     self.exploit_source = """
 def __init__(self):
     """Register the CVE-2017-3630 (Solaris stack clash) entry.

     NOTE(review): this entry is internally inconsistent -- `e_type` is
     "linux" and `vulnerable_base` targets GENERIC_LINUX, while the
     vulnerable/exploit windows name SOLARIS and the description says
     Solaris. The 4.8.3 ceiling reads like a Linux kernel version rather
     than a Solaris release. Confirm which platform this is meant to
     match before trusting a hit from it. Build/exploit commands follow
     the usual gcc-into-playground layout.
     """
     super().__init__()
     self.name = "CVE20173630"
     self.formatted_name = "CVE-2017-3630"
     self.e_type = "linux"
     self.reliability = HIGH_RELIABILITY
     self.brief_desc = "Stack clash vuln in solaris"
     ceiling = (4, 8, 3)
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE,
                                         0, 0, 0, *ceiling)
     self.vulnerable_kernels = [
         KernelWindow(SOLARIS, VERSION_VULNERABLE, 0, 0, 0, *ceiling),
     ]
     self.exploit_kernels = [
         KernelWindow(SOLARIS, EXPLOIT_AVAILABLE, 0, 0, 0, *ceiling),
     ]
     source_file = self.name + ".c"
     self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
     self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
     # NOTE(review): shell-string build command; see list-form entries.
     self.compilation_command = " ".join(
         ["gcc", "-o", self.compilation_path, self.source_c_path])
     self.exploit_command = self.compilation_path
 def __init__(self):
     """Register the CVE-2017-1000112 (UFO ip_ufo_append_data) local root entry.

     Per-release Ubuntu windows: the 14.x entries cover 4.0.0-4.4.83 and
     the 16.x entries 4.0.0-4.8.58. The build command is a list, so it is
     presumably run without a shell and paths are single arguments. The
     source and binary names are hard-coded (dash-free CVE id) rather
     than derived from `name`, which keeps its dashes here.
     """
     super().__init__()
     self.name = "CVE-2017-1000112"
     self.type = "linux"
     self.reliability = HIGH_RELIABILITY
     self.brief_desc = ("ip_ufo_append_data() memory corruption flaw can be "
                        "exploited to gain root privileges.")
     windows = []
     for target, ceiling in ((UBUNTU_14, (4, 4, 83)),
                             (UBUNTU_14_LTS, (4, 4, 83)),
                             (UBUNTU_16, (4, 8, 58)),
                             (UBUNTU_16_LTS, (4, 8, 58))):
         windows.append(
             KernelWindow(target, CONFIRMED_VULNERABLE, 4, 0, 0, *ceiling))
     self.vulnerable_kernels = windows
     build_id = "CVE20171000112"
     self.source_c_path = os.path.join(LINUX_EXPLOIT_PATH, build_id + ".c")
     self.compilation_path = os.path.join(PLAYGROUND_PATH, build_id)
     self.compilation_command = [
         "gcc", self.source_c_path, "-o", self.compilation_path,
     ]
     self.exploit_command = self.compilation_path
 def __init__(self):
     """Register the CVE-2017-5123 (waitid() missing access_ok()) entry.

     Generic Linux, Debian unstable and Ubuntu kernels in 4.13.0-4.13.6
     are confirmed vulnerable; reliability is LOW. Source is `<name>.c`
     in the Linux exploit source directory; the binary is built into the
     playground directory and run directly.
     """
     super().__init__()
     self.name = "CVE20175123"
     self.formatted_name = "CVE-2017-5123"
     self.type = "linux"
     self.reliability = LOW_RELIABILITY
     self.brief_desc = "waitid() not calling access_ok()"
     self.vulnerable_kernels = [
         KernelWindow(target, CONFIRMED_VULNERABLE, 4, 13, 0, 4, 13, 6)
         for target in (GENERIC_LINUX, DEBIAN_UNSTABLE, UBUNTU_GENERIC)
     ]
     source_file = self.name + ".c"
     self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
     self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
     # NOTE(review): shell-string build command; the list form used by
     # other entries is safer with paths containing spaces/metacharacters.
     self.compilation_command = " ".join(
         ["gcc", "-o", self.compilation_path, self.source_c_path])
     self.exploit_command = self.compilation_path
 def __init__(self):
     """Register the macOS "Null Root" (root login with empty password) entry.

     Pinned to macOS 10.13.1 exactly (lower and upper bound are both
     10.13.1) for the base, vulnerable and exploit windows.
     NOTE(review): several things here look off and should be confirmed:
     `source_c_path` is built with a ".c" suffix although the exploit is
     run as `python <...>.py`; `compilation_path` points into
     MAC_EXPLOIT_SOURCE_PATH rather than the playground directory used by
     the other entries; and no `compilation_command` is set, so whatever
     default the base class provides is what will run.
     """
     super().__init__()
     self.name = "NULLROOT"
     self.formatted_name = "Null Root"
     self.e_type = "mac"
     self.reliability = HIGH_RELIABILITY
     self.architecture = ARCHITECTURE_GENERIC
     self.brief_desc = "root without password and no root account = root"
     pinned = (10, 13, 1)
     both_bounds = pinned + pinned
     self.vulnerable_base = KernelWindow(GENERIC_MAC, BASE_VULNERABLE,
                                         *both_bounds)
     self.vulnerable_kernels = [
         KernelWindow(GENERIC_MAC, VERSION_VULNERABLE, *both_bounds),
     ]
     self.exploit_kernels = [
         KernelWindow(GENERIC_MAC, EXPLOIT_AVAILABLE, *both_bounds),
     ]
     self.source_c_path = os.path.join(MAC_EXPLOIT_PATH, self.name + ".c")
     self.compilation_path = os.path.join(MAC_EXPLOIT_SOURCE_PATH, self.name)
     self.exploit_command = "python {}.py".format(self.compilation_path)
 def __init__(self, playground_path=PLAYGROUND_PATH):
     LinuxExploit.__init__(self)
     self.name = "CVE20140038"
     self.formatted_name = "CVE-2014-0038"
     self.e_type = "linux"
     self.brief_desc = "recvmmsg syscall issues in x86_32 can lead to root (timeoutpwn)"
     self.reliability = MEDIUM_RELIABILITY
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
                                         0, 0, 3, 13, 2)
     self.vulnerable_kernels = [
         KernelWindow(SUSE,
                      VERSION_VULNERABLE,
                      0,
                      0,
                      0,
                      3,
                      11,
                      10,
                      highest_patch_level="3.11.10-7.1"),
         KernelWindow(UBUNTU_13,
                      VERSION_VULNERABLE,
                      0,
                      0,
                      0,
                      3,
                      11,
                      1,
                      highest_patch_level="3.11.0-15.25"),
         KernelWindow(UBUNTU_12,
                      VERSION_VULNERABLE,
                      0,
                      0,
                      0,
                      3,
                      8,
                      0,
                      highest_patch_level=" 3.11.0-15.25~precise1"),
         KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 8, 0),
     ]
     self.exploit_kernels = [
         KernelWindow(UBUNTU_13,
                      EXPLOIT_AVAILABLE,
                      0,
                      0,
                      0,
                      3,
                      11,
                      1,
                      highest_patch_level="3.11.0-15.25"),
     ]
     self.architecture = ARCHITECTURE_i686
     self.playground_path = playground_path
     self.exploit_source_file_name = "{}.c".format(self.name)
     self.source_c_path = os.path.join(self.playground_path,
                                       self.exploit_source_file_name)
     self.compilation_path = os.path.join(self.playground_path, self.name)
     self.compilation_command = "gcc -o {} {}".format(
         self.compilation_path, self.source_c_path)
     self.exploit_command = self.compilation_path
     self.exploit_source = """
	def __init__(self, playground_path=PLAYGROUND_PATH):
		MacExploit.__init__(self)
		self.name = "CVE20155889"
		self.formatted_name = "CVE-2015-5889"
		self.e_type = "mac"
		self.brief_desc = "issetugid() + rsh + libmalloc osx local root"
		self.reliability = MEDIUM_RELIABILITY
		self.vulnerable_base = KernelWindow(GENERIC_MAC, BASE_VULNERABLE, 10, 9, 5, 10, 10, 5)
		self.vulnerable_kernels = [
			KernelWindow(GENERIC_MAC, VERSION_VULNERABLE, 10, 9, 5, 10, 10, 5)
		]
		self.exploit_kernels = [
			KernelWindow(GENERIC_MAC, EXPLOIT_AVAILABLE, 10, 9, 5, 10, 10, 5)
		]
		self.architecture = ARCHITECTURE_GENERIC
		self.playground_path = playground_path
		self.exploit_source_file_name = "{}.py".format(self.name)
		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
		self.compilation_path = self.source_c_path
		self.compilation_command = ""
		self.exploit_command = "python {}.py".format(self.compilation_path)
		self.exploit_source = """
	def __init__(self):
		"""Register the CVE-2017-7308 (af_packet packet_set_ring) local root entry.

		Generic Linux up to 4.10.6 is confirmed vulnerable with HIGH
		reliability. Source and binary names are the hard-coded dash-free
		CVE id rather than derived from `name`. The build command is a
		list, so it is presumably run without a shell. NOTE(review): the
		public exploit for this bug needs CAP_NET_RAW, normally obtained
		via an unprivileged user namespace; a target with user namespaces
		disabled may be in-window yet not exploitable -- confirm.
		"""
		super().__init__()
		self.name = "CVE-2017-7308"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.brief_desc = ("`packet_set_ring` in net/packet/af_packet.c can gain "
			"privileges via crafted system calls.")
		self.vulnerable_kernels = [
			KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 10, 6),
		]
		build_id = "CVE20177308"
		self.source_c_path = os.path.join(LINUX_EXPLOIT_PATH, build_id + ".c")
		self.compilation_path = os.path.join(PLAYGROUND_PATH, build_id)
		self.compilation_command = ["gcc", self.source_c_path, "-o", self.compilation_path]
		self.exploit_command = self.compilation_path
 def __init__(self, playground_path=PLAYGROUND_PATH):
     LinuxExploit.__init__(self)
     self.name = "CVE20091185"
     self.formatted_name = "CVE-2009-1185"
     self.e_type = "linux"
     self.brief_desc = "udev before 1.4.1 NETLINK user space priv esc"
     self.reliability = MEDIUM_RELIABILITY
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
                                         0, 0, 2, 6, 27)
     self.vulnerable_kernels = [
         KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 27),
     ]
     self.exploit_kernels = []
     self.playground_path = playground_path
     self.exploit_source_file_name = "{}.c".format(self.name)
     self.source_c_path = os.path.join(self.playground_path,
                                       self.exploit_source_file_name)
     self.compilation_path = os.path.join(self.playground_path, self.name)
     self.compilation_command = "gcc -o {} {}".format(
         self.compilation_path, self.source_c_path)
     self.exploit_command = self.compilation_path
     self.exploit_source = """
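	def __init__(self):
		"""Register the CVE-2017-6074 (DCCP dccp_rcv_state_process) local root entry.

		Generic Linux up to 4.9.11 is confirmed vulnerable. The exploit
		source path is still a placeholder string, so compilation cannot
		succeed until it is filled in; the exploit command now runs the
		binary the compile step would produce, as every other entry does,
		instead of the unrelated "./pwn ..." stub. NOTE(review): the bug
		is only reachable if the dccp module can be loaded; hosts that
		blacklist it may be in-window yet not exploitable -- confirm.
		"""
		super().__init__()
		self.name = "CVE-2017-6074"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.brief_desc = ("`dccp_rcv_state_process` in net/dccp/input.c mishandles "
			"structs and can lead to local root")
		self.vulnerable_kernels = [
			KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 9, 11)
		]
		# TODO(review): placeholder, not a path -- gcc will fail to open it.
		# Sibling entries keep the source as "<dash-free CVE id>.c" in the
		# Linux exploit source directory; point this there once it exists.
		self.source_c_path = "Need a source path to the exploit file to compile"
		self.compilation_path = os.path.join(PLAYGROUND_PATH, "exploit")
		# List form: presumably executed without a shell, so paths are
		# passed as single arguments.
		self.compilation_command = ["gcc", self.source_c_path, "-o", self.compilation_path]
		# Run what compilation_command builds (was "./pwn -o allyourbase.txt
		# -i l33t.skills", which refers to nothing this entry produces).
		self.exploit_command = self.compilation_path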
 def __init__(self, playground_path=PLAYGROUND_PATH):
     LinuxExploit.__init__(self)
     self.name = "CVE20041235"
     self.formatted_name = "CVE-2004-1235"
     self.e_type = "linux"
     self.brief_desc = "Linux Kernel 2.4.29-rc2 - 'uselib()' Local Privilege Escalation"
     self.reliability = MEDIUM_RELIABILITY
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0,
                                         0, 0, 2, 4, 29)
     self.vulnerable_kernels = [
         KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 0, 0, 0, 2, 4, 29),
         KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 8),
         KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 4, 19)
     ]
     self.exploit_kernels = [
         KernelWindow(UBUNTU_4,
                      EXPLOIT_AVAILABLE,
                      0,
                      0,
                      0,
                      2,
                      6,
                      8,
                      highest_patch_level="2.6.8.1-4-686"),
         KernelWindow(DEBIAN_4,
                      EXPLOIT_AVAILABLE,
                      0,
                      0,
                      0,
                      2,
                      4,
                      27,
                      highest_patch_level="2.4.27-8"),
         KernelWindow(DEBIAN_3,
                      EXPLOIT_AVAILABLE,
                      0,
                      0,
                      0,
                      2,
                      4,
                      19,
                      highest_patch_level="2.4.19-4.woody3"),
     ]
     self.architecture = ARCHITECTURE_i686
     self.playground_path = playground_path
     self.exploit_source_file_name = "{}.c".format(self.name)
     self.source_c_path = os.path.join(self.playground_path,
                                       self.exploit_source_file_name)
     self.compilation_path = os.path.join(self.playground_path, self.name)
     self.compilation_command = "gcc -o {} {} -O2 -fomit-frame-pointer".format(
         self.compilation_path, self.source_c_path)
     self.exploit_command = self.compilation_path
     self.exploit_source = """
	def __init__(self):
		"""Register the CVE-2014-0196 (n_tty_write) local root entry.

		Generic Linux up to 3.14.4 is confirmed vulnerable; reliability is
		LOW. The build links libutil (presumably for openpty) and pthreads,
		so the exploit source drives ptys from more than one thread.
		"""
		super().__init__()
		self.name = "CVE20140196"
		self.formatted_name = "CVE-2014-0196"
		self.type = "linux"
		self.reliability = LOW_RELIABILITY
		self.brief_desc = "`n_tty_write` vuln before 3.14.4 allows priv esc to root"
		self.vulnerable_kernels = [
			KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 3, 14, 4)
		]
		source_file = self.name + ".c"
		self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
		# NOTE(review): shell-string build command; link flags trail the paths.
		self.compilation_command = " ".join(
			["gcc", "-o", self.compilation_path, self.source_c_path, "-lutil", "-lpthread"])
		self.exploit_command = self.compilation_path
 def __init__(self):
     """Register the RHEL-flavoured CVE-2017-5123 (waitid() access_ok()) entry.

     NOTE(review): `vulnerable_base` narrows this CVE to 4.13.0-4.13.6,
     yet the RHEL vulnerable/exploit windows run from 0.0.0 up to
     (KERNEL_MAJOR_VERSION_CAP + 1).0.0 -- every RHEL kernel version.
     Read literally this reports RHEL hosts far outside the base window
     as VERSION_VULNERABLE with an exploit available. If the intent is
     "RHEL version numbers are not comparable, check the errata instead",
     that should be stated and the status probably softened. Reliability
     is LOW.
     """
     super().__init__()
     self.name = "CVE20175123"
     self.formatted_name = "CVE-2017-5123"
     self.e_type = "linux"
     self.reliability = LOW_RELIABILITY
     self.brief_desc = "waitid() not calling access_ok()"
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE,
                                         4, 13, 0, 4, 13, 6)
     # Unbounded RHEL window: lower 0.0.0, upper one past the major cap.
     unbounded_hi = (KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
     self.vulnerable_kernels = [
         KernelWindow(RHEL, VERSION_VULNERABLE, 0, 0, 0, *unbounded_hi),
     ]
     self.exploit_kernels = [
         KernelWindow(RHEL, EXPLOIT_AVAILABLE, 0, 0, 0, *unbounded_hi),
     ]
     source_file = "{}.c".format(self.name)
     self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
     self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
     # NOTE(review): shell-string build command; see list-form entries.
     self.compilation_command = " ".join(
         ["gcc", "-o", self.compilation_path, self.source_c_path])
     self.exploit_command = self.compilation_path
	def __init__(self):
		"""Register the CVE-2014-4014 (chmod restriction bypass) local root entry.

		Dash-free `name` is used for file naming, `formatted_name` for
		display. Generic Linux through 3.14.7 is confirmed vulnerable
		("before 3.14.8"); the binary is built from `<name>.c` into the
		playground directory and run directly.
		"""
		super().__init__()
		self.name = "CVE20144014"
		self.formatted_name = "CVE-2014-4014"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.brief_desc = "`chmod` restriction bypass allows users to get root before 3.14.8"
		last_vulnerable = (3, 14, 7)
		self.vulnerable_kernels = [
			KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, *last_vulnerable)
		]
		source_file = self.name + ".c"
		self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
		# NOTE(review): shell-string build command; see list-form entries.
		self.compilation_command = " ".join(
			["gcc", "-o", self.compilation_path, self.source_c_path])
		self.exploit_command = self.compilation_path
	def __init__(self):
		"""Register the CVE-2017-1000375 (Qualys stack clash, NetBSD) entry.

		NetBSD 4.0.0 through 7.1.0 is confirmed vulnerable. `type` is
		"linux" although the target is NetBSD -- presumably the field
		selects the exploit family rather than the OS; confirm. The binary
		is invoked with one argument, "0x04000000", whose meaning is not
		visible here (presumably a size or address the exploit expects);
		check the exploit source before changing it.
		"""
		super().__init__()
		self.name = "CVE20171000375"
		self.formatted_name = "CVE-2017-1000375"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.brief_desc = "Stack clash vulnerability from qualys"
		self.vulnerable_kernels = [
			KernelWindow(NETBSD, CONFIRMED_VULNERABLE, 4, 0, 0, 7, 1, 0)
		]
		source_file = self.name + ".c"
		self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
		# NOTE(review): shell-string build command; see list-form entries.
		self.compilation_command = " ".join(
			["gcc", "-o", self.compilation_path, self.source_c_path])
		exploit_arg = "0x04000000"
		self.exploit_command = self.compilation_path + " " + exploit_arg
	def __init__(self):
		"""Register the CVE-2015-1328 (overlayfs file-create check) local root entry.

		Generic Linux up to 3.19.21 is confirmed vulnerable with HIGH
		reliability; the binary is built from `<name>.c` into the
		playground directory. NOTE(review): the public exploit mounts
		overlayfs inside an unprivileged user namespace, so a host with
		user namespaces disabled may be in-window yet not exploitable --
		confirm at runtime.
		"""
		super().__init__()
		self.name = "CVE20151328"
		self.formatted_name = "CVE-2015-1328"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.brief_desc = ("overlayfs implementation in linux kernel does not "
			"properly check file-create permissions")
		self.vulnerable_kernels = [
			KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 3, 19, 21)
		]
		source_file = self.name + ".c"
		self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
		# NOTE(review): shell-string build command; see list-form entries.
		self.compilation_command = " ".join(
			["gcc", "-o", self.compilation_path, self.source_c_path])
		self.exploit_command = self.compilation_path
	def __init__(self):
		"""Register the CVE-2017-1000379 (Qualys stack clash, Linux) entry.

		Every listed distribution (Ubuntu 14/16/17, Debian 7/8/9, Fedora,
		CentOS) is confirmed vulnerable up to kernel 4.11.5 on amd64. Only
		metadata is set: no source, build or exploit command appears here,
		so whatever the base class defaults to is what would run --
		confirm before treating a hit from this entry as actionable.
		"""
		super().__init__()
		self.name = "CVE-2017-1000379"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.architecture = ARCHITECTURE_amd64
		self.brief_desc = "Stack clash vulnerability from qualys "
		targets = (UBUNTU_17, UBUNTU_16, UBUNTU_14,
			DEBIAN_9, DEBIAN_8, DEBIAN_7,
			FEDORA, CENTOS)
		self.vulnerable_kernels = [
			KernelWindow(distro, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 11, 5)
			for distro in targets
		]
 def __init__(self):
     """Register the CVE-2016-4656 ("Trident" / Pegasus kernel bug) macOS entry.

     `source_c_path` here is a directory holding exp.m and lsym.m; both
     are compiled with clang as a 32-bit binary linked against IOKit,
     Foundation and CoreFoundation, with `-Wl,-pagezero_size,0`
     (presumably so the exploit can map the zero page). NOTE(review):
     the 10.11.16 ceiling does not look like a released macOS version
     (the 10.11 line ended at 10.11.6); confirm whether 10.11.6 was meant.
     """
     super().__init__()
     self.name = "CVE20164656"
     self.formatted_name = "CVE-2016-4656"
     self.e_type = "mac"
     self.reliability = MEDIUM_RELIABILITY
     self.architecture = ARCHITECTURE_GENERIC
     self.brief_desc = "`Trident` exploit chain from `PEGASUS` APT"
     ceiling = (10, 11, 16)
     self.vulnerable_base = KernelWindow(GENERIC_MAC, BASE_VULNERABLE,
                                         0, 0, 0, *ceiling)
     self.vulnerable_kernels = [
         KernelWindow(GENERIC_MAC, VERSION_VULNERABLE, 0, 0, 0, *ceiling),
     ]
     self.exploit_kernels = [
         KernelWindow(GENERIC_MAC, EXPLOIT_AVAILABLE, 0, 0, 0, *ceiling),
     ]
     self.source_c_path = os.path.join(MAC_EXPLOIT_SOURCE_PATH, self.name)
     self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
     frameworks = "-framework IOKit -framework Foundation -framework CoreFoundation"
     # NOTE(review): shell-string build command; a source directory with
     # spaces in its path would be mis-split if this goes through a shell.
     self.compilation_command = (
         "clang " + frameworks + " -m32 -Wl,-pagezero_size,0 -O3 "
         + "{0}/exp.m {0}/lsym.m -o {1}".format(self.source_c_path,
                                               self.compilation_path)
     )
     self.exploit_command = self.compilation_path
	def __init__(self, playground_path=PLAYGROUND_PATH):
		LinuxExploit.__init__(self)
		self.name = "CVE201716996"
		self.formatted_name = "CVE-2017-16996"
		self.e_type = "linux"
		self.brief_desc = "eBPF Verifier check_alu_op() Sign Extension Local Root Exploit"
		self.reliability = HIGH_RELIABILITY
		self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 4, 0, 0, 4, 14, 8)
		self.playground_path = playground_path
		self.exploit_source_file_name = "{}.c".format(self.name)
		self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name)
		self.compilation_path = os.path.join(self.playground_path, self.name)
		self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path)
		self.exploit_command = self.compilation_path
		self.exploit_source = """
	def __init__(self):
		"""Register the 64-bit Dirty COW (CVE-2016-5195) local root entry.

		Generic Linux from 2.0.0 through 4.8.3 is confirmed vulnerable; the
		build is x86_64 only and links pthreads (the race is presumably
		driven from multiple threads). NOTE(review): public Dirty COW PoCs
		typically overwrite a setuid binary or /etc/passwd in place; make
		sure a restore step exists before running this on a host that
		matters.
		"""
		super().__init__()
		self.name = "CVE20165195_64"
		self.formatted_name = "CVE-2016-5195 (x86_64)"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.architecture = ARCHITECTURE_x86_64
		self.brief_desc = "Dirty COW race condition root priv esc for 64 bit"
		self.vulnerable_kernels = [
			KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 2, 0, 0, 4, 8, 3)
		]
		source_file = self.name + ".c"
		self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
		# Argument order differs from the other entries: source, -o, -pthread.
		self.compilation_command = " ".join(
			["gcc", self.source_c_path, "-o", self.compilation_path, "-pthread"])
		self.exploit_command = self.compilation_path
 def __init__(self):
     """Register the OpenBSD CVE-2017-1000373 (Qualys stack clash) entry.

     NOTE(review): `vulnerable_base` caps generic Linux at 4.11.5, but the
     OPENBSD vulnerable/exploit windows run from 0.0.0 up to
     (KERNEL_MAJOR_VERSION_CAP + 1).0.0 -- any OpenBSD version matches and
     is reported as VERSION_VULNERABLE with an exploit available. If that
     is meant as "OpenBSD releases are not comparable to kernel
     versions", the status should say so rather than asserting a hit.
     The build is 32-bit (i686) with gcc on the Linux-style source and
     playground layout although the target is OpenBSD; confirm that
     matches how the runner deploys it.
     """
     super().__init__()
     self.name = "CVE20171000373"
     self.formatted_name = "CVE-2017-1000373"
     self.e_type = "linux"
     self.reliability = HIGH_RELIABILITY
     self.architecture = ARCHITECTURE_i686
     self.brief_desc = "Stack clash vulnerability from qualys "
     self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE,
                                         0, 0, 0, 4, 11, 5)
     # Unbounded OpenBSD window: lower 0.0.0, upper one past the major cap.
     unbounded_hi = (KERNEL_MAJOR_VERSION_CAP + 1, 0, 0)
     self.vulnerable_kernels = [
         KernelWindow(OPENBSD, VERSION_VULNERABLE, 0, 0, 0, *unbounded_hi),
     ]
     self.exploit_kernels = [
         KernelWindow(OPENBSD, EXPLOIT_AVAILABLE, 0, 0, 0, *unbounded_hi),
     ]
     source_file = self.name + ".c"
     self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
     self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
     # NOTE(review): shell-string build command; see list-form entries.
     self.compilation_command = " ".join(
         ["gcc", "-o", self.compilation_path, self.source_c_path])
     self.exploit_command = self.compilation_path
	def __init__(self):
		"""Register the CVE-2017-1000367 (sudo get_process_ttyname) entry.

		Generic Linux up to 4.20.0 is marked POTENTIALLY_VULNERABLE on i686.
		NOTE(review): per the description the bug is in sudo, not the
		kernel, so the kernel window is only a coarse proxy -- the installed
		sudo version (`sudo -V`) checked against the distro errata is the
		real test, which is presumably why the status is "potentially"
		rather than confirmed.
		"""
		super().__init__()
		self.name = "CVE20171000367"
		self.formatted_name = "CVE-2017-1000367"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.architecture = ARCHITECTURE_i686
		self.brief_desc = "sudo get_process_ttyname() root priv esc"
		self.vulnerable_kernels = [
			KernelWindow(GENERIC_LINUX, POTENTIALLY_VULNERABLE, 0, 0, 0, 4, 20, 0)
		]
		source_file = self.name + ".c"
		self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
		# NOTE(review): shell-string build command; see list-form entries.
		self.compilation_command = " ".join(
			["gcc", "-o", self.compilation_path, self.source_c_path])
		self.exploit_command = self.compilation_path
	def __init__(self):
		"""Register the CVE-2017-1000373 (Qualys stack clash, OpenBSD) entry.

		NOTE(review): the window is written as 0.0.0-4.11.5, which the
		in-line TODO says stands in for "OpenBSD 6.1 and earlier"; those
		are not OpenBSD release numbers, so version matching against an
		OpenBSD target is unlikely to behave as intended until the TODO is
		resolved. The build is 32-bit (i686) with gcc on the Linux-style
		source/playground layout; confirm that matches the runner.
		"""
		super().__init__()
		self.name = "CVE20171000373"
		self.formatted_name = "CVE-2017-1000373"
		self.type = "linux"
		self.reliability = HIGH_RELIABILITY
		self.architecture = ARCHITECTURE_i686
		self.brief_desc = "Stack clash vulnerability from qualys "
		# TODO: openbsd v 6.1 and earlier (the window below is a placeholder)
		placeholder_window = KernelWindow(OPENBSD, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 11, 5)
		self.vulnerable_kernels = [placeholder_window]
		source_file = self.name + ".c"
		self.source_c_path = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, source_file)
		self.compilation_path = os.path.join(PLAYGROUND_PATH, self.name)
		# NOTE(review): shell-string build command; see list-form entries.
		self.compilation_command = " ".join(
			["gcc", "-o", self.compilation_path, self.source_c_path])
		self.exploit_command = self.compilation_path