{"id":13579491,"url":"https://github.com/The-Z-Labs/linux-exploit-suggester","last_synced_at":"2025-04-05T20:34:26.179Z","repository":{"id":37430830,"uuid":"70196342","full_name":"The-Z-Labs/linux-exploit-suggester","owner":"The-Z-Labs","description":"Linux privilege escalation auditing tool","archived":false,"fork":false,"pushed_at":"2024-02-17T11:44:50.000Z","size":394,"stargazers_count":5625,"open_issues_count":19,"forks_count":1101,"subscribers_count":128,"default_branch":"master","last_synced_at":"2024-10-29T15:33:58.344Z","etag":null,"topics":["applicable-exploits","exploits","hacking-tool","kernel-exploitation","linux-exploits","linux-kernel","privilege-escalation-exploits","published-exploits","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/The-Z-Labs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2016-10-06T21:55:51.000Z","updated_at":"2024-10-29T11:23:42.000Z","dependencies_parsed_at":"2024-04-02T04:43:16.021Z","dependency_job_id":null,"html_url":"https://github.com/The-Z-Labs/linux-exploit-suggester","commit_stats":null,"previous_names":["mzet-/linux-exploit-suggester"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-Z-Labs%2Flinux-exploit-suggester","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-Z-Labs%2Flinux-exploit-suggester/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-Z-Labs%2Flinux-exploit-suggester/releas
es","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-Z-Labs%2Flinux-exploit-suggester/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/The-Z-Labs","download_url":"https://codeload.github.com/The-Z-Labs/linux-exploit-suggester/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247399889,"owners_count":20932876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["applicable-exploits","exploits","hacking-tool","kernel-exploitation","linux-exploits","linux-kernel","privilege-escalation-exploits","published-exploits","security-tools"],"created_at":"2024-08-01T15:01:39.939Z","updated_at":"2025-04-05T20:34:21.428Z","avatar_url":"https://github.com/The-Z-Labs.png","language":"Shell","funding_links":[],"categories":["Shell","security-tools","HarmonyOS","漏洞库_漏洞靶场"],"sub_categories":["Windows Manager","资源传输下载"],"readme":"\n## LES: Linux privilege escalation auditing tool\n\nQuick download:\n\n    wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh\n\nDetails about LES usage and inner workings:\n\n    https://mzet-.github.io/2019/05/10/les-paper.html\n    \nAdditional resources for the LES:\n\n    https://github.com/mzet-/les-res\n\n## Purpose\n\nLES tool is designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine. 
It provides the following functionality:\n\n### Assessing kernel exposure on publicly known exploits\n\nThe tool assesses (using the heuristic methods discussed in detail [here](https://mzet-.github.io/2019/05/10/les-paper.html)) the exposure of the given kernel to publicly known Linux kernel exploits. Example tool output:\n\n```\n$ ./linux-exploit-suggester.sh\n...\n[+] [CVE-2017-16995] eBPF_verifier\n\n   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html\n   Exposure: highly probable\n   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,[ ubuntu=14.04 ]{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}\n   Download URL: https://www.exploit-db.com/download/45010\n   Comments: CONFIG_BPF_SYSCALL needs to be set \u0026\u0026 kernel.unprivileged_bpf_disabled != 1\n\n[+] [CVE-2017-1000112] NETIF_F_UFO\n\n   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1\n   Exposure: probable\n   Tags: [ ubuntu=14.04{kernel:4.4.0-*} ],ubuntu=16.04{kernel:4.8.0-*}\n   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c\n   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/cve-2017-1000112/CVE-2017-1000112/poc.c\n   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels\n\n[+] [CVE-2016-8655] chocobo_root\n\n   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1\n   Exposure: probable\n   Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]\n   Download URL: https://www.exploit-db.com/download/40871\n   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled\n...\n```\n\nFor each exploit, exposure is calculated. 
The following 'Exposure' states are possible:\n\n - **Highly probable** - the assessed kernel is most probably affected and there is a very good chance that the PoC exploit will work out of the box without any major modifications.\n\n - **Probable** - it is possible that the exploit will work, but most likely the PoC exploit will need to be customized to suit your target.\n\n - **Less probable** - additional manual analysis is needed to verify whether the kernel is affected.\n\n - **Unprobable** - highly unlikely that the kernel is affected (the exploit is not displayed in the tool's output)\n\n### Verifying state of kernel hardening security measures\n\nLES can check most of the security settings provided by your Linux kernel. It verifies not only the kernel compile-time configuration (CONFIGs) but also the run-time settings (sysctl), giving a more complete picture of the security posture of the running kernel. This functionality is a modern continuation of the `--kernel` switch from the [checksec.sh](http://www.trapkit.de/tools/checksec.html) tool by Tobias Klein. 
Example of tool output:\n\n```\n$ ./linux-exploit-suggester.sh --checksec\n\nMainline kernel protection mechanisms:\n\n [ Disabled ] GCC stack protector support (CONFIG_HAVE_STACKPROTECTOR)\n              https://github.com/mzet-/les-res/blob/master/features/stackprotector-regular.md\n\n [ Disabled ] GCC stack protector STRONG support (CONFIG_STACKPROTECTOR_STRONG)\n              https://github.com/mzet-/les-res/blob/master/features/stackprotector-strong.md\n\n [ Enabled  ] Low address space to protect from user allocation (CONFIG_DEFAULT_MMAP_MIN_ADDR)\n              https://github.com/mzet-/les-res/blob/master/features/mmap_min_addr.md\n\n [ Disabled ] Restrict unprivileged access to kernel syslog (CONFIG_SECURITY_DMESG_RESTRICT)\n              https://github.com/mzet-/les-res/blob/master/features/dmesg_restrict.md\n\n [ Enabled  ] Randomize the address of the kernel image (KASLR) (CONFIG_RANDOMIZE_BASE)\n              https://github.com/mzet-/les-res/blob/master/features/kaslr.md\n\n [ Disabled ] Hardened user copy support (CONFIG_HARDENED_USERCOPY)\n              https://github.com/mzet-/les-res/blob/master/features/hardened_usercopy.md\n\n...\n```\n\n## Usage\n\nAssess exposure of the Linux box to publicly known exploits:\n\n```\n$ ./linux-exploit-suggester.sh\n```\n\nShow state of security features on the Linux box:\n\n```\n$ ./linux-exploit-suggester.sh --checksec\n```\n\nAssess exposure of Linux kernel on publicly known exploits based on the provided 'uname' string (i.e. output of `uname -a` command):\n\n```\n$ ./linux-exploit-suggester.sh --uname \u003cuname-string\u003e\n```\n\nFor more usage examples, see [here](https://mzet-.github.io/2019/05/10/les-paper.html).\n\n## Getting involved\n\nYou hopefully now know what LES is and what it can do for you. 
Now see what you can do for LES:\n\n- Add newly published Linux privilege escalation exploits to it.\n- Test existing exploits on various Linux distributions with multiple kernel versions, then document your findings in the form of `Tags` in LES; for example, the tag `ubuntu=12.04{kernel:3.(2|5).0-(23|29)-generic}` states: *the tagged exploit was verified to work correctly on Ubuntu 12.04 with kernels 3.2.0-23-generic, 3.2.0-29-generic, 3.5.0-23-generic and 3.5.0-29-generic*. With this tag added, LES will automatically highlight the exploit and bump its dynamic `Rank` when run on Ubuntu 12.04 with one of the listed kernel versions. This will help you (and others) during pentests to rapidly identify critically vulnerable Linux machines.\n- Published exploits are often written for PoC purposes only, for one (or a couple of) specific Linux distributions and/or kernel version(s). Pick the sources of an exploit of your choice and customize it to run on different kernel version(s). Then add your customized version of the exploit as an `ext-url` entry in LES and modify its `Tags` to reflect the newly added targets. See [this](https://ricklarabee.blogspot.com/2017/12/adapting-poc-for-cve-2017-1000112-to.html) article for an excellent example of adapting a specific PoC exploit to different kernel versions.\n- Conduct source code analysis of a chosen kernel hardening security measure, then add it to the `FEATURES` array (if not already there) and publish your analysis at: `https://github.com/mzet-/les-res/blob/master/features/\u003cfeature-name\u003e.md`.\n\n### Acknowledgments\n\n[bcoles](https://github.com/bcoles/) for his excellent and frequent contributions to LES.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FThe-Z-Labs%2Flinux-exploit-suggester","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FThe-Z-Labs%2Flinux-exploit-suggester","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FThe-Z-Labs%2Flinux-exploit-suggester/lists"}