def __init__(self):
    """Record the CVE-2015-1328 (overlayfs) catalog entry.

    Only descriptive metadata is set here; this entry carries no
    source, build or run fields.
    """
    super().__init__()
    self.name = "CVE-2015-1328"
    self.type = "linux"
    self.brief_desc = (
        "overlayfs implementation in linux kernel does not properly "
        "check file-create permissions"
    )
    self.reliability = HIGH_RELIABILITY
    # Version bounds are positional; see KernelWindow for their meaning.
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 3, 19, 21),
    ]
def __init__(self):
    """Record the CVE-2016-2384 (snd_usbmidi_create) catalog entry.

    Sets descriptive metadata plus the C source, build output and run
    fields, all derived from ``self.name``.
    """
    super().__init__()
    self.name = "CVE20162384"
    self.formatted_name = "CVE-2016-2384"
    self.type = "linux"
    self.brief_desc = (
        "Double free vulnerability in the `snd_usbmidi_create` "
        "(requires physical proximity)"
    )
    self.reliability = LOW_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(DEBIAN_GENERIC, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 5, 0),
        KernelWindow(UBUNTU_GENERIC, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 5, 0),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    # Build command is kept as a single shell string in this entry.
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2014-4014 (chmod restriction bypass) catalog entry.

    Only descriptive metadata is set here; this entry carries no
    source, build or run fields.
    """
    super().__init__()
    self.name = "CVE-2014-4014"
    self.type = "linux"
    self.brief_desc = (
        "`chmod` restriction bypass allows users to get root before 3.14.8"
    )
    self.reliability = HIGH_RELIABILITY
    # Version bounds are positional; see KernelWindow for their meaning.
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 3, 14, 7),
    ]
def __init__(self):
    """Record the CVE-2009-1185 (udev NETLINK) catalog entry.

    Sets descriptive metadata, the version windows, and the C source,
    build output and run fields derived from ``self.name``.
    """
    super().__init__()
    self.name = "CVE20091185"
    self.formatted_name = "CVE-2009-1185"
    # This entry uses ``e_type`` where some siblings use ``type``.
    self.e_type = "linux"
    self.brief_desc = "udev before 1.4.1 NETLINK user space priv esc"
    self.reliability = MEDIUM_RELIABILITY
    base_window = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 27)
    self.vulnerable_base = base_window
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 27),
    ]
    # No distribution-specific exploit windows are recorded.
    self.exploit_kernels = []
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2010-4347 (ACPI LID) catalog entry.

    Sets descriptive metadata, the version windows, the architecture,
    and the C source, build output and run fields derived from
    ``self.name``.
    """
    super().__init__()
    self.name = "CVE20104347"
    self.formatted_name = "CVE-2010-4347"
    # This entry uses ``e_type`` where some siblings use ``type``.
    self.e_type = "linux"
    self.brief_desc = "american-sign-language ACPI LID root exploit"
    self.reliability = MEDIUM_RELIABILITY
    self.architecture = ARCHITECTURE_x86_64
    self.vulnerable_base = KernelWindow(
        GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 36
    )
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 36),
    ]
    # No distribution-specific exploit windows are recorded.
    self.exploit_kernels = []
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-5123 (waitid access_ok) catalog entry.

    NOTE(review): ``source_c_path`` and ``exploit_command`` still hold
    placeholder text rather than real paths, so this entry is not
    buildable or runnable as recorded. A sibling entry for the same CVE
    derives its paths from ``self.name`` instead.
    """
    super().__init__()
    self.name = "CVE-2017-5123"
    self.type = "linux"
    self.brief_desc = "waitid() not calling access_ok()"
    self.reliability = LOW_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 14, 4),
        KernelWindow(DEBIAN_UNSTABLE, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 14, 4),
        KernelWindow(UBUNTU_GENERIC, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 14, 4),
    ]
    # Placeholder: no real source file is referenced yet.
    source = "Need a source path to the exploit file to compile"
    binary = os.path.join(PLAYGROUND_PATH, "exploit")
    self.source_c_path = source
    self.compilation_path = binary
    # Build command is an argv list here, unlike the shell-string form
    # used by most sibling entries.
    self.compilation_command = ["gcc", source, "-o", binary]
    # Placeholder run command; does not reference ``compilation_path``.
    self.exploit_command = "./pwn -o allyourbase.txt -i l33t.skills"
def __init__(self):
    """Record the CVE-2017-1000373 (stack clash, OpenBSD) catalog entry.

    Only descriptive metadata and the architecture are set here; this
    entry carries no source, build or run fields.
    """
    super().__init__()
    self.name = "CVE-2017-1000373"
    self.type = "linux"
    # Trailing space in the description is preserved from the original.
    self.brief_desc = "Stack clash vulnerability from qualys "
    self.reliability = HIGH_RELIABILITY
    self.architecture = ARCHITECTURE_i386
    self.vulnerable_kernels = [
        # TODO: openbsd v 6.1 and earlier
        KernelWindow(OPENBSD, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 11, 5),
    ]
def __init__(self, playground_path=PLAYGROUND_PATH): LinuxExploit.__init__(self) self.name = "CVE20050736" self.formatted_name = "CVE-2005-0736" self.e_type = "linux" self.brief_desc = "Integer overflow in sys_epoll_wait in eventpoll.c" self.reliability = MEDIUM_RELIABILITY self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 11) self.vulnerable_kernels = [ KernelWindow(RHEL, VERSION_VULNERABLE, 2, 6, 0, 2, 6, 9, highest_patch_level="2.6.9-5.EL"), ] self.exploit_kernels = [ KernelWindow(RHEL, EXPLOIT_AVAILABLE, 2, 6, 0, 2, 6, 9, highest_patch_level="2.6.9-5.EL"), ] self.architecture = ARCHITECTURE_i686 self.playground_path = playground_path self.exploit_source_file_name = "{}.c".format(self.name) self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name) self.compilation_path = os.path.join(self.playground_path, self.name) self.compilation_command = "gcc -o {} {} -static -O2".format( self.compilation_path, self.source_c_path) self.exploit_command = self.compilation_path self.exploit_source = """
def __init__(self):
    """Record the CVE-2017-3630 (stack clash, Solaris) catalog entry.

    Sets descriptive metadata, the version windows, and the C source,
    build output and run fields derived from ``self.name``.
    """
    super().__init__()
    self.name = "CVE20173630"
    self.formatted_name = "CVE-2017-3630"
    # This entry uses ``e_type`` where some siblings use ``type``.
    self.e_type = "linux"
    self.brief_desc = "Stack clash vuln in solaris"
    self.reliability = HIGH_RELIABILITY
    self.vulnerable_base = KernelWindow(
        GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 4, 8, 3
    )
    self.vulnerable_kernels = [
        KernelWindow(SOLARIS, VERSION_VULNERABLE, 0, 0, 0, 4, 8, 3),
    ]
    self.exploit_kernels = [
        KernelWindow(SOLARIS, EXPLOIT_AVAILABLE, 0, 0, 0, 4, 8, 3),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-1000112 (ip_ufo_append_data) catalog entry.

    Sets descriptive metadata, per-distribution version windows, and
    the C source, build output and run fields.
    """
    super().__init__()
    self.name = "CVE-2017-1000112"
    self.type = "linux"
    self.brief_desc = (
        "ip_ufo_append_data() memory corruption flaw can be exploited "
        "to gain root privileges."
    )
    self.reliability = HIGH_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(UBUNTU_14, CONFIRMED_VULNERABLE, 4, 0, 0, 4, 4, 83),
        KernelWindow(UBUNTU_14_LTS, CONFIRMED_VULNERABLE, 4, 0, 0, 4, 4, 83),
        KernelWindow(UBUNTU_16, CONFIRMED_VULNERABLE, 4, 0, 0, 4, 8, 58),
        KernelWindow(UBUNTU_16_LTS, CONFIRMED_VULNERABLE, 4, 0, 0, 4, 8, 58),
    ]
    # File names are spelled out here (dash-less) and the source lives
    # under LINUX_EXPLOIT_PATH, rather than being derived from self.name
    # as sibling entries do.
    source = os.path.join(LINUX_EXPLOIT_PATH, "CVE20171000112.c")
    binary = os.path.join(PLAYGROUND_PATH, "CVE20171000112")
    self.source_c_path = source
    self.compilation_path = binary
    # Build command is an argv list in this entry.
    self.compilation_command = ["gcc", source, "-o", binary]
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-5123 (waitid access_ok) catalog entry.

    Sets descriptive metadata, per-distribution version windows, and
    the C source, build output and run fields derived from
    ``self.name``.
    """
    super().__init__()
    self.name = "CVE20175123"
    self.formatted_name = "CVE-2017-5123"
    self.type = "linux"
    self.brief_desc = "waitid() not calling access_ok()"
    self.reliability = LOW_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 4, 13, 0, 4, 13, 6),
        KernelWindow(DEBIAN_UNSTABLE, CONFIRMED_VULNERABLE, 4, 13, 0, 4, 13, 6),
        KernelWindow(UBUNTU_GENERIC, CONFIRMED_VULNERABLE, 4, 13, 0, 4, 13, 6),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the NULLROOT (macOS empty-root-password) catalog entry.

    NOTE(review): ``source_c_path`` points at a ``.c`` file under
    MAC_EXPLOIT_PATH while ``exploit_command`` runs a ``.py`` file under
    MAC_EXPLOIT_SOURCE_PATH, and no ``compilation_command`` is set;
    confirm which location and file type is the intended one.
    """
    super().__init__()
    self.name = "NULLROOT"
    self.formatted_name = "Null Root"
    # This entry uses ``e_type`` where some siblings use ``type``.
    self.e_type = "mac"
    self.brief_desc = "root without password and no root account = root"
    self.reliability = HIGH_RELIABILITY
    self.architecture = ARCHITECTURE_GENERIC
    self.vulnerable_base = KernelWindow(
        GENERIC_MAC, BASE_VULNERABLE, 10, 13, 1, 10, 13, 1
    )
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_MAC, VERSION_VULNERABLE, 10, 13, 1, 10, 13, 1),
    ]
    self.exploit_kernels = [
        KernelWindow(GENERIC_MAC, EXPLOIT_AVAILABLE, 10, 13, 1, 10, 13, 1),
    ]
    self.source_c_path = os.path.join(MAC_EXPLOIT_PATH, self.name + ".c")
    script_base = os.path.join(MAC_EXPLOIT_SOURCE_PATH, self.name)
    self.compilation_path = script_base
    # Run command appends ".py" to compilation_path; nothing is compiled.
    self.exploit_command = "python {base}.py".format(base=script_base)
def __init__(self, playground_path=PLAYGROUND_PATH): LinuxExploit.__init__(self) self.name = "CVE20140038" self.formatted_name = "CVE-2014-0038" self.e_type = "linux" self.brief_desc = "recvmmsg syscall issues in x86_32 can lead to root (timeoutpwn)" self.reliability = MEDIUM_RELIABILITY self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 3, 13, 2) self.vulnerable_kernels = [ KernelWindow(SUSE, VERSION_VULNERABLE, 0, 0, 0, 3, 11, 10, highest_patch_level="3.11.10-7.1"), KernelWindow(UBUNTU_13, VERSION_VULNERABLE, 0, 0, 0, 3, 11, 1, highest_patch_level="3.11.0-15.25"), KernelWindow(UBUNTU_12, VERSION_VULNERABLE, 0, 0, 0, 3, 8, 0, highest_patch_level=" 3.11.0-15.25~precise1"), KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 3, 8, 0), ] self.exploit_kernels = [ KernelWindow(UBUNTU_13, EXPLOIT_AVAILABLE, 0, 0, 0, 3, 11, 1, highest_patch_level="3.11.0-15.25"), ] self.architecture = ARCHITECTURE_i686 self.playground_path = playground_path self.exploit_source_file_name = "{}.c".format(self.name) self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name) self.compilation_path = os.path.join(self.playground_path, self.name) self.compilation_command = "gcc -o {} {}".format( self.compilation_path, self.source_c_path) self.exploit_command = self.compilation_path self.exploit_source = """
def __init__(self, playground_path=PLAYGROUND_PATH): MacExploit.__init__(self) self.name = "CVE20155889" self.formatted_name = "CVE-2015-5889" self.e_type = "mac" self.brief_desc = "issetugid() + rsh + libmalloc osx local root" self.reliability = MEDIUM_RELIABILITY self.vulnerable_base = KernelWindow(GENERIC_MAC, BASE_VULNERABLE, 10, 9, 5, 10, 10, 5) self.vulnerable_kernels = [ KernelWindow(GENERIC_MAC, VERSION_VULNERABLE, 10, 9, 5, 10, 10, 5) ] self.exploit_kernels = [ KernelWindow(GENERIC_MAC, EXPLOIT_AVAILABLE, 10, 9, 5, 10, 10, 5) ] self.architecture = ARCHITECTURE_GENERIC self.playground_path = playground_path self.exploit_source_file_name = "{}.py".format(self.name) self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name) self.compilation_path = self.source_c_path self.compilation_command = "" self.exploit_command = "python {}.py".format(self.compilation_path) self.exploit_source = """
def __init__(self):
    """Record the CVE-2017-7308 (packet_set_ring) catalog entry.

    Sets descriptive metadata, the version window, and the C source,
    build output and run fields.
    """
    super().__init__()
    self.name = "CVE-2017-7308"
    self.type = "linux"
    self.brief_desc = (
        "`packet_set_ring` in net/packet/af_packet.c can gain privileges "
        "via crafted system calls."
    )
    self.reliability = HIGH_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 10, 6),
    ]
    # File names are spelled out here (dash-less) and the source lives
    # under LINUX_EXPLOIT_PATH, rather than being derived from self.name
    # as sibling entries do.
    source = os.path.join(LINUX_EXPLOIT_PATH, "CVE20177308.c")
    binary = os.path.join(PLAYGROUND_PATH, "CVE20177308")
    self.source_c_path = source
    self.compilation_path = binary
    # Build command is an argv list in this entry.
    self.compilation_command = ["gcc", source, "-o", binary]
    self.exploit_command = binary
def __init__(self, playground_path=PLAYGROUND_PATH): LinuxExploit.__init__(self) self.name = "CVE20091185" self.formatted_name = "CVE-2009-1185" self.e_type = "linux" self.brief_desc = "udev before 1.4.1 NETLINK user space priv esc" self.reliability = MEDIUM_RELIABILITY self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 27) self.vulnerable_kernels = [ KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 6, 27), ] self.exploit_kernels = [] self.playground_path = playground_path self.exploit_source_file_name = "{}.c".format(self.name) self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name) self.compilation_path = os.path.join(self.playground_path, self.name) self.compilation_command = "gcc -o {} {}".format( self.compilation_path, self.source_c_path) self.exploit_command = self.compilation_path self.exploit_source = """
def __init__(self):
    """Record the CVE-2017-6074 (dccp_rcv_state_process) catalog entry.

    NOTE(review): ``source_c_path`` and ``exploit_command`` still hold
    placeholder text rather than real paths, so this entry is not
    buildable or runnable as recorded.
    """
    super().__init__()
    self.name = "CVE-2017-6074"
    self.type = "linux"
    self.brief_desc = (
        "`dccp_rcv_state_process` in net/dccp/input.c mishandles structs "
        "and can lead to local root"
    )
    self.reliability = HIGH_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 9, 11),
    ]
    # Placeholder: no real source file is referenced yet.
    source = "Need a source path to the exploit file to compile"
    binary = os.path.join(PLAYGROUND_PATH, "exploit")
    self.source_c_path = source
    self.compilation_path = binary
    # Build command is an argv list in this entry.
    self.compilation_command = ["gcc", source, "-o", binary]
    # Placeholder run command; does not reference ``compilation_path``.
    self.exploit_command = "./pwn -o allyourbase.txt -i l33t.skills"
def __init__(self, playground_path=PLAYGROUND_PATH): LinuxExploit.__init__(self) self.name = "CVE20041235" self.formatted_name = "CVE-2004-1235" self.e_type = "linux" self.brief_desc = "Linux Kernel 2.4.29-rc2 - 'uselib()' Local Privilege Escalation" self.reliability = MEDIUM_RELIABILITY self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 2, 4, 29) self.vulnerable_kernels = [ KernelWindow(GENERIC_LINUX, VERSION_VULNERABLE, 0, 0, 0, 2, 4, 29), KernelWindow(UBUNTU_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 6, 8), KernelWindow(DEBIAN_GENERIC, BASE_VULNERABLE, 0, 0, 0, 2, 4, 19) ] self.exploit_kernels = [ KernelWindow(UBUNTU_4, EXPLOIT_AVAILABLE, 0, 0, 0, 2, 6, 8, highest_patch_level="2.6.8.1-4-686"), KernelWindow(DEBIAN_4, EXPLOIT_AVAILABLE, 0, 0, 0, 2, 4, 27, highest_patch_level="2.4.27-8"), KernelWindow(DEBIAN_3, EXPLOIT_AVAILABLE, 0, 0, 0, 2, 4, 19, highest_patch_level="2.4.19-4.woody3"), ] self.architecture = ARCHITECTURE_i686 self.playground_path = playground_path self.exploit_source_file_name = "{}.c".format(self.name) self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name) self.compilation_path = os.path.join(self.playground_path, self.name) self.compilation_command = "gcc -o {} {} -O2 -fomit-frame-pointer".format( self.compilation_path, self.source_c_path) self.exploit_command = self.compilation_path self.exploit_source = """
def __init__(self):
    """Record the CVE-2014-0196 (n_tty_write) catalog entry.

    Sets descriptive metadata, the version window, and the C source,
    build output and run fields derived from ``self.name``. The build
    links against libutil and libpthread.
    """
    super().__init__()
    self.name = "CVE20140196"
    self.formatted_name = "CVE-2014-0196"
    self.type = "linux"
    self.brief_desc = (
        "`n_tty_write` vuln before 3.14.4 allows priv esc to root"
    )
    self.reliability = LOW_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 3, 14, 4),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src} -lutil -lpthread".format(
        out=binary, src=source
    )
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-5123 (waitid access_ok) RHEL catalog entry.

    Sets descriptive metadata, a base window plus RHEL windows, and the
    C source, build output and run fields derived from ``self.name``.
    """
    super().__init__()
    self.name = "CVE20175123"
    self.formatted_name = "CVE-2017-5123"
    # This entry uses ``e_type`` where some siblings use ``type``.
    self.e_type = "linux"
    self.brief_desc = "waitid() not calling access_ok()"
    self.reliability = LOW_RELIABILITY
    self.vulnerable_base = KernelWindow(
        GENERIC_LINUX, BASE_VULNERABLE, 4, 13, 0, 4, 13, 6
    )
    # The RHEL windows use KERNEL_MAJOR_VERSION_CAP + 1 as their upper
    # major bound, unlike the explicit bound on vulnerable_base.
    open_major = KERNEL_MAJOR_VERSION_CAP + 1
    self.vulnerable_kernels = [
        KernelWindow(RHEL, VERSION_VULNERABLE, 0, 0, 0, open_major, 0, 0),
    ]
    self.exploit_kernels = [
        KernelWindow(RHEL, EXPLOIT_AVAILABLE, 0, 0, 0, open_major, 0, 0),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2014-4014 (chmod restriction bypass) catalog entry.

    Sets descriptive metadata, the version window, and the C source,
    build output and run fields derived from ``self.name``.
    """
    super().__init__()
    self.name = "CVE20144014"
    self.formatted_name = "CVE-2014-4014"
    self.type = "linux"
    self.brief_desc = (
        "`chmod` restriction bypass allows users to get root before 3.14.8"
    )
    self.reliability = HIGH_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 3, 14, 7),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-1000375 (stack clash, NetBSD) catalog entry.

    Sets descriptive metadata, the version window, and the C source,
    build output and run fields derived from ``self.name``. The run
    command passes one fixed argument to the built binary.
    """
    super().__init__()
    self.name = "CVE20171000375"
    self.formatted_name = "CVE-2017-1000375"
    self.type = "linux"
    self.brief_desc = "Stack clash vulnerability from qualys"
    self.reliability = HIGH_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(NETBSD, CONFIRMED_VULNERABLE, 4, 0, 0, 7, 1, 0),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    # Single positional argument as recorded by the author.
    self.exploit_command = "{bin} 0x04000000".format(bin=binary)
def __init__(self):
    """Record the CVE-2015-1328 (overlayfs) catalog entry.

    Sets descriptive metadata, the version window, and the C source,
    build output and run fields derived from ``self.name``.
    """
    super().__init__()
    self.name = "CVE20151328"
    self.formatted_name = "CVE-2015-1328"
    self.type = "linux"
    self.brief_desc = (
        "overlayfs implementation in linux kernel does not properly "
        "check file-create permissions"
    )
    self.reliability = HIGH_RELIABILITY
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 0, 0, 0, 3, 19, 21),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-1000379 (stack clash) catalog entry.

    Only descriptive metadata, per-distribution version windows and the
    architecture are set here; this entry carries no source, build or
    run fields.
    """
    super().__init__()
    self.name = "CVE-2017-1000379"
    self.type = "linux"
    # Trailing space in the description is preserved from the original.
    self.brief_desc = "Stack clash vulnerability from qualys "
    self.reliability = HIGH_RELIABILITY
    self.architecture = ARCHITECTURE_amd64
    # Every listed distribution shares the same window bounds.
    distributions = [
        UBUNTU_17, UBUNTU_16, UBUNTU_14,
        DEBIAN_9, DEBIAN_8, DEBIAN_7,
        FEDORA, CENTOS,
    ]
    self.vulnerable_kernels = [
        KernelWindow(distro, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 11, 5)
        for distro in distributions
    ]
def __init__(self):
    """Record the CVE-2016-4656 (Trident / Pegasus chain) catalog entry.

    Sets descriptive metadata, the version windows, and a clang build
    command over two Objective-C sources in the source directory.
    """
    super().__init__()
    self.name = "CVE20164656"
    self.formatted_name = "CVE-2016-4656"
    # This entry uses ``e_type`` where some siblings use ``type``.
    self.e_type = "mac"
    self.brief_desc = "`Trident` exploit chain from `PEGASUS` APT"
    self.reliability = MEDIUM_RELIABILITY
    self.architecture = ARCHITECTURE_GENERIC
    self.vulnerable_base = KernelWindow(
        GENERIC_MAC, BASE_VULNERABLE, 0, 0, 0, 10, 11, 16
    )
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_MAC, VERSION_VULNERABLE, 0, 0, 0, 10, 11, 16),
    ]
    self.exploit_kernels = [
        KernelWindow(GENERIC_MAC, EXPLOIT_AVAILABLE, 0, 0, 0, 10, 11, 16),
    ]
    # Here source_c_path is a directory, not a single file.
    source_dir = os.path.join(MAC_EXPLOIT_SOURCE_PATH, self.name)
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source_dir
    self.compilation_path = binary
    self.compilation_command = (
        "clang -framework IOKit -framework Foundation -framework CoreFoundation "
        "-m32 -Wl,-pagezero_size,0 -O3 {src}/exp.m {src}/lsym.m -o {out}"
    ).format(src=source_dir, out=binary)
    self.exploit_command = binary
def __init__(self, playground_path=PLAYGROUND_PATH): LinuxExploit.__init__(self) self.name = "CVE201716996" self.formatted_name = "CVE-2017-16996" self.e_type = "linux" self.brief_desc = "eBPF Verifier check_alu_op() Sign Extension Local Root Exploit" self.reliability = HIGH_RELIABILITY self.vulnerable_base = KernelWindow(GENERIC_LINUX, BASE_VULNERABLE, 4, 0, 0, 4, 14, 8) self.playground_path = playground_path self.exploit_source_file_name = "{}.c".format(self.name) self.source_c_path = os.path.join(self.playground_path, self.exploit_source_file_name) self.compilation_path = os.path.join(self.playground_path, self.name) self.compilation_command = "gcc -o {} {}".format(self.compilation_path, self.source_c_path) self.exploit_command = self.compilation_path self.exploit_source = """
def __init__(self):
    """Record the CVE-2016-5195 (Dirty COW, x86_64) catalog entry.

    Sets descriptive metadata, the version window, the architecture,
    and the C source, build output and run fields derived from
    ``self.name``. The build links with -pthread.
    """
    super().__init__()
    self.name = "CVE20165195_64"
    self.formatted_name = "CVE-2016-5195 (x86_64)"
    self.type = "linux"
    self.brief_desc = "Dirty COW race condition root priv esc for 64 bit"
    self.reliability = HIGH_RELIABILITY
    self.architecture = ARCHITECTURE_x86_64
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, CONFIRMED_VULNERABLE, 2, 0, 0, 4, 8, 3),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    # Argument order differs from sibling entries: source first.
    self.compilation_command = "gcc {src} -o {out} -pthread".format(
        src=source, out=binary
    )
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-1000373 (stack clash, OpenBSD) catalog entry.

    Sets descriptive metadata, a base window plus OpenBSD windows, the
    architecture, and the C source, build output and run fields derived
    from ``self.name``.
    """
    super().__init__()
    self.name = "CVE20171000373"
    self.formatted_name = "CVE-2017-1000373"
    # This entry uses ``e_type`` where some siblings use ``type``.
    self.e_type = "linux"
    # Trailing space in the description is preserved from the original.
    self.brief_desc = "Stack clash vulnerability from qualys "
    self.reliability = HIGH_RELIABILITY
    self.architecture = ARCHITECTURE_i686
    self.vulnerable_base = KernelWindow(
        GENERIC_LINUX, BASE_VULNERABLE, 0, 0, 0, 4, 11, 5
    )
    # The OpenBSD windows use KERNEL_MAJOR_VERSION_CAP + 1 as their upper
    # major bound, unlike the explicit bound on vulnerable_base.
    open_major = KERNEL_MAJOR_VERSION_CAP + 1
    self.vulnerable_kernels = [
        KernelWindow(OPENBSD, VERSION_VULNERABLE, 0, 0, 0, open_major, 0, 0),
    ]
    self.exploit_kernels = [
        KernelWindow(OPENBSD, EXPLOIT_AVAILABLE, 0, 0, 0, open_major, 0, 0),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-1000367 (sudo get_process_ttyname) catalog entry.

    Sets descriptive metadata, the architecture, a POTENTIALLY_VULNERABLE
    kernel window, and the C source, build output and run fields
    derived from ``self.name``.
    """
    super().__init__()
    self.name = "CVE20171000367"
    self.formatted_name = "CVE-2017-1000367"
    self.type = "linux"
    self.brief_desc = "sudo get_process_ttyname() root priv esc"
    self.reliability = HIGH_RELIABILITY
    self.architecture = ARCHITECTURE_i686
    # Marked POTENTIALLY_VULNERABLE rather than CONFIRMED_VULNERABLE:
    # the flaw is in sudo, so the kernel window is only a coarse filter.
    self.vulnerable_kernels = [
        KernelWindow(GENERIC_LINUX, POTENTIALLY_VULNERABLE, 0, 0, 0, 4, 20, 0),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary
def __init__(self):
    """Record the CVE-2017-1000373 (stack clash, OpenBSD) catalog entry.

    Sets descriptive metadata, the version window, the architecture,
    and the C source, build output and run fields derived from
    ``self.name``.
    """
    super().__init__()
    self.name = "CVE20171000373"
    self.formatted_name = "CVE-2017-1000373"
    self.type = "linux"
    # Trailing space in the description is preserved from the original.
    self.brief_desc = "Stack clash vulnerability from qualys "
    self.reliability = HIGH_RELIABILITY
    self.architecture = ARCHITECTURE_i686
    self.vulnerable_kernels = [
        # TODO: openbsd v 6.1 and earlier
        KernelWindow(OPENBSD, CONFIRMED_VULNERABLE, 0, 0, 0, 4, 11, 5),
    ]
    source = os.path.join(LINUX_EXPLOIT_SOURCE_PATH, self.name + ".c")
    binary = os.path.join(PLAYGROUND_PATH, self.name)
    self.source_c_path = source
    self.compilation_path = binary
    self.compilation_command = "gcc -o {out} {src}".format(out=binary, src=source)
    self.exploit_command = binary