spencerdodd / kernelpop

kernel privilege escalation enumeration and exploitation framework

Feature Request - uname -a as a command line argument #22

Closed ralphyz closed 6 years ago

ralphyz commented 6 years ago

It would be fantastic if you could pass uname -a as a command line argument. Like this:

python3 ./kernelpop.py -u "Linux kali 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64 GNU/Linux"

That would allow for use of your script in other script automation that we do while red teaming.

spencerdodd commented 6 years ago

Hey, thanks for the input! I've added a command line option -u to pass uname -a inline. Let me know if that works for you.

The feature is integrated as of https://github.com/spencerdodd/kernelpop/commit/95eef9fbb52be752b8f641d79b069e219dcd377c

Edit: note this can be done by passing the uname either with or without the quotation marks.

ralphyz commented 6 years ago

Thanks for doing this! I am getting an error now, even doing it the old way.

root@kali-115:~/Tools/kernelpop# python kernelpop.py -u "Linux kali-115 4.15.0-kali2-amd64 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux"
[*] please note, vulnerability detection is not as accurate by uname alone
        consider running locally on the machine to be tested to get a more accurate reading
[*] processing uname: Linux kali-115 4.15.0-kali2-amd64 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux

##########################
#  welcome to kernelpop  #
#                        #
# let's pop some kernels #
##########################

[+] kernel (Linux kali-115 4.15.0-kali2-amd64 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux) identified as:
[base]
        type:                   linux
        distro:                 linuxdebian
        version:                4.15.0-kali2
        architecture:           amd64
[specific]
        type:                   linux
        distro:                 linuxdebian
        version:                4.15.11-1kali1
        architecture:           amd64
[*] matching kernel to known exploits
Traceback (most recent call last):
  File "kernelpop.py", line 51, in <module>
    main()
  File "kernelpop.py", line 40, in main
    kernelpop(mode="input", uname=uname, digest=digest_type)
  File "/root/Tools/kernelpop/src/kernelpop.py", line 636, in kernelpop
    identified_exploits = find_exploit_locally(kernel_v)
  File "/root/Tools/kernelpop/src/kernelpop.py", line 522, in find_exploit_locally
    exploit_instance = exploit_module()
  File "/root/Tools/kernelpop/exploits/linux/CVE20171000372.py", line 12, in __init__
    super().__init__()
TypeError: super() takes at least 1 argument (0 given)

Just to verify it wasn't that exploit (exploits/linux/CVE20171000372.py), I removed it and tried again. This time it gives the error on CVE20165195_64_poke.py.

spencerdodd commented 6 years ago

aha, yea I think that's because you're running it with python2. The super-class init call is python3 specific. Try with python3 and see what happens.
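As an added illustration (not kernelpop's own code), the following parser produces the same two-level identification the thread's output shows, the [base] release version and the [specific] Debian ABI version, from a `uname -a` line passed as a string or as the unquoted argv words. The subclass uses the two-argument `super(Class, self).__init__()` form, which is what the `TypeError` above comes down to: that form runs on both Python 2 and 3, while bare `super().__init__()` is Python 3 only. The field names, the architecture tables and the distro labels other than `linuxdebian` are assumptions made for this example.

```python
import re

# Architecture suffixes Debian-family kernels append to the release string, and
# the uname "machine" values used as a fallback when no suffix is present.
# Both tables are constructed for this example, not taken from kernelpop.
ARCH_SUFFIXES = {"amd64", "i386", "i686", "arm64", "armhf", "armel"}
MACHINE_TO_ARCH = {"x86_64": "amd64", "i686": "i386", "i386": "i386", "aarch64": "arm64"}
DEBIAN_ABI_RE = re.compile(r"\bDebian\s+(\S+)")


class KernelVersion(object):
    """One group of identification fields, mirroring the [base]/[specific]
    layout of the output quoted in the thread (field names are assumptions)."""

    def __init__(self, type_, distro, version, architecture):
        self.type = type_
        self.distro = distro
        self.version = version
        self.architecture = architecture

    def as_dict(self):
        return {"type": self.type, "distro": self.distro,
                "version": self.version, "architecture": self.architecture}


class LinuxKernelVersion(KernelVersion):
    """Subclass that fixes type="linux". The two-argument super() form runs on
    both Python 2 and 3; the bare super().__init__() that raised the TypeError
    in the thread is valid only on Python 3."""

    def __init__(self, distro, version, architecture):
        super(LinuxKernelVersion, self).__init__("linux", distro, version, architecture)


def parse_uname(uname):
    """Split a `uname -a` line into base (release) and specific (Debian ABI) versions.

    Accepts a single string or the list of argv words produced when the string
    is passed to -u without quotation marks.
    """
    if not isinstance(uname, str):
        uname = " ".join(uname)
    uname = uname.strip().strip('"').strip("'")
    parts = uname.split()
    if len(parts) < 3 or parts[0] != "Linux":
        raise ValueError("not a Linux `uname -a` line: %r" % uname)
    release, tail = parts[2], parts[3:]

    # Architecture: prefer the Debian-style suffix on the release string,
    # otherwise map the machine field (x86_64 -> amd64).
    release_tokens = release.split("-")
    if release_tokens[-1] in ARCH_SUFFIXES:
        architecture = release_tokens.pop()
    else:
        machine = next((t for t in tail if t in MACHINE_TO_ARCH), None)
        architecture = MACHINE_TO_ARCH.get(machine, machine or "unknown")
    base_version = "-".join(release_tokens)

    # Distro label from the build tag; "linuxdebian" is the label the thread
    # shows, "linuxubuntu" and "linux" are assumed fallbacks.
    joined_tail = " ".join(tail)
    if "Debian" in joined_tail:
        distro = "linuxdebian"
    elif "Ubuntu" in joined_tail:
        distro = "linuxubuntu"
    else:
        distro = "linux"

    # The Debian package/ABI version ("Debian 4.15.11-1kali1") is the more
    # precise match key; fall back to the release when it is absent.
    match = DEBIAN_ABI_RE.search(joined_tail)
    specific_version = match.group(1) if match else base_version

    return {
        "base": LinuxKernelVersion(distro, base_version, architecture).as_dict(),
        "specific": LinuxKernelVersion(distro, specific_version, architecture).as_dict(),
    }


if __name__ == "__main__":
    # Constructed samples: the line from the thread, plus an Ubuntu-style line
    # whose release carries no architecture suffix.
    for line in [
        "Linux kali-115 4.15.0-kali2-amd64 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux",
        "Linux box 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux",
    ]:
        print(parse_uname(line))
```

The split into base and specific matters for matching: the release (`4.15.0-kali2`) tells you the upstream series, while the Debian ABI version (`4.15.11-1kali1`) is what the distribution actually patched and shipped, which is why the tool warns that uname-only detection is less accurate than running on the host.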

ralphyz commented 6 years ago

That was it! Sorry!!!!! This works great, and my team will be using it for our pentests!

Thank you!

spencerdodd commented 6 years ago

awesome, no worries! Additionally, I'm working on porting the whole project to version-agnostic python so that it will run with both python2 and python3, so hopefully no one will run into the issue again.