Patch Check Advanced<\/a> do this job very effectively.\u00a0 Exploit-suggester purposefully omits details of vulnerabilities for which public exploit code is not available.<\/p>\nIt does not aim to reference all known exploit code, just to list enough to help you get root.<\/p>\n
It doesn’t provide the exploit code or tell you how to use it.\u00a0 It simply points you in the right direction.<\/p>\n
Links to descriptions of the vulnerabilities are provided, but this tool will not tell you about the nature of the vulnerability, fixes, recommendations or anything else that might help with reporting.<\/p>\n
Installation<\/h3>\n
Exploit-suggester is just a PERL script, so installation should be trivial.\u00a0 Simply place exploit-suggester.pl somewhere in your PATH.\u00a0 The database file sploitdb.xml must be in the same directory as exploit-suggester.pl.<\/p>\n
You may need to install the XML::Simple PERL module first.\u00a0 If it’s not available through your package manager, you can get it from CPAN:<\/p>\n
# perl -MCPAN -e shell<\/pre>\n> install XML::Simple<\/pre>\nExample Output<\/h3>\n$ head showrev.out\r\nPatch: 109618-01 Obsoletes: Requires: Incompatibles: Packages: SUNWeuxwe, SUNWeuezt, SUNWeudlg, SUNWeudda\r\nPatch: 109889-01 Obsoletes: 109353-04 Requires: Incompatibles: Packages: SUNWkvmx, SUNWkvm, SUNWmdb, SUNWhea, SUNWpstl, SUNWpstlx\r\nPatch: 110369-05 Obsoletes: 110709-02 Requires: Incompatibles: Packages: SUNWkvmx, SUNWcarx, SUNWcsr<\/pre>\n...<\/pre>\n$ .\/exploit-suggestions.pl 8 sparc showrev.out\r\nexploit-suggester v0.1 ( http:\/\/pentestmonkey.net\/tools\/exploit-suggester )\r\n\r\n -------------------------------------------------------------\r\n| Runtime options |\r\n -------------------------------------------------------------\r\nSolaris version: ................ 8\r\nArchitecture: ................... sparc\r\nPatch file: ..................... showrev.out\r\nExploit database: ............... sploitdb.txt\r\nDon't list sploits rated as ..... N\/A - Exclude no ratings\r\nList only sploits rated as ...... N\/A - List any rating\r\nList only local sploits ......... 
N\/A - Show both\r\n\r\n -------------------------------------------------------------\r\n| Suggested Exploits |\r\n -------------------------------------------------------------\r\nDescription: 'at' Arbitrary File Deletion\r\nRemote: 0\r\nExploit Rating: 1 (Sploit normally works)\r\nPatch installed: 108875-10\r\nMin vulnerable patch: 108875-00\r\nMax vulnerable patch: 108875-12\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/isec-solaris-at-rm.c\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/solaris-at.c\r\nInfo Link: http:\/\/securityfocus.com\/bid\/6693\r\n\r\nDescription: \/usr\/ucb\/ps information leakage\r\nRemote: 0\r\nExploit Rating: 1 (Sploit normally works)\r\nPatch installed: 109023-01\r\nMin vulnerable patch: 109023-00\r\nMax vulnerable patch: 109023-05\r\nExploit Link: http:\/\/milw0rm.com\/exploits\/2242\r\nNote: Local environment variable leakage: \/usr\/ucb\/ps -auxgeww\r\n\r\nDescription: KCMS Arbitrary File Reading Vulnerability\r\nRemote: 1\r\nExploit Rating: 1 (Sploit normally works)\r\nPatch installed: 111400-01\r\nMin vulnerable patch: 111400-00\r\nMax vulnerable patch: 111400-01\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/solaris_kcms_readfile.pm\r\nInfo Link: http:\/\/securityfocus.com\/bid\/6665\r\n\r\nDescription: X11 Keyboard Extension Overflow\r\nRemote: 0\r\nExploit Rating: 1 (Sploit normally works)\r\nPatch installed: 119067-00\r\nMin vulnerable patch: 119067-00\r\nMax vulnerable patch: 119067-03\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/raptor_xkb.c\r\nInfo Link: http:\/\/www.securityfocus.com\/bid\/19905\r\n\r\nDescription: libdthelp Overflow Privilege Escalation\r\nRemote: 0\r\nExploit Rating: 1 (Sploit normally works)\r\nPatch installed: 108949-07\r\nMin vulnerable patch: 108949-00\r\nMax vulnerable patch: 108949-08\r\nExploit Link: 
http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/raptor_libdthelp.c\r\nInfo Link: http:\/\/www.securityfocus.com\/bid\/8973\r\n\r\nDescription: priocntl Vulnerability\r\nRemote: 0\r\nExploit Rating: 1 (Sploit normally works)\r\nPatch installed: 108528-13\r\nMin vulnerable patch: 108528-00\r\nMax vulnerable patch: 108528-17\r\nExploit Link: http:\/\/archive.cert.uni-stuttgart.de\/bugtraq\/2002\/11\/msg00359.html\r\nInfo Link: http:\/\/securityfocus.com\/bid\/6262\r\n\r\nDescription: sadmind Authentication Spoofing\r\nRemote: 1\r\nExploit Rating: 1 (Sploit normally works)\r\nPatch installed: 116455-00\r\nMin vulnerable patch: 116455-00\r\nMax vulnerable patch: 116455-00\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/solaris_sadmind_exec.pm\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/rootdown.plm\r\nInfo Link: http:\/\/securityfocus.com\/bid\/8615\r\n\r\nDescription: vfs_getvfssw Kernel Module Loading Vulnerability\r\nRemote: 0\r\nExploit Rating: 1 (Sploit normally works)\r\nPatch installed: 108528-13\r\nMin vulnerable patch: 108528-00\r\nMax vulnerable patch: 108528-26\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/solaris_vfs_getvfssw.tar\r\nInfo Link: http:\/\/securityfocus.com\/bid\/9962\r\nNote: DoS risk if you insert the wrong kernel module\r\n\r\nDescription: whodo Overflow\r\nRemote: 0\r\nExploit Rating: 2 (Sploit untested)\r\nPatch installed: 111826-00\r\nMin vulnerable patch: 111826-00\r\nMax vulnerable patch: 111826-00\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/whodoexp.c\r\nInfo Link: http:\/\/securityfocus.com\/bid\/2935\r\n\r\nDescription: LD_PRELOAD Privilege Escalation\r\nRemote: 0\r\nExploit Rating: 3 (Sploit normally fails)\r\nPatch installed: 109147-12\r\nMin vulnerable patch: 109147-07\r\nMax vulnerable patch: 109147-24\r\nExploit Link: 
http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/raptor_ldpreload.c\r\nInfo Link: http:\/\/www.securityfocus.com\/bid\/8305\/info\r\n\r\nDescription: libsldap Overflow\r\nRemote: 0\r\nExploit Rating: 3 (Sploit normally fails)\r\nPatch installed: 111091-00\r\nMin vulnerable patch: 111091-00\r\nMax vulnerable patch: 111091-02\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/libsldap-exp.c\r\nExploit Link: http:\/\/www.securityfocus.com\/data\/vulnerabilities\/exploits\/ldap_exp2.c\r\nInfo Link: http:\/\/securityfocus.com\/bid\/2931<\/pre>\nLimitations<\/strong><\/p>\nCurrently the database is biased towards exploiting Solaris 8 on SPARC.\u00a0 I’ll update the database to more fully support other flavours of Solaris later.\u00a0 I might also implement limited support for Windows and Linux too at some stage.<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try.\u00a0 It currently focusses on local exploitation of Solaris 8 on SPARC, but other versions of Solaris are partially supported. Features The current version of exploit-suggester has the following features: Restrict search to […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[14],"tags":[73,19,76],"_links":{"self":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/108"}],"collection":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/comments?post=108"}],"version-history":[{"count":2,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/108\/revisions"}],"predecessor-version":[{"id":415,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/108\/revisions\/415"}],"wp:attachment":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/media?parent=108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/categories?post=108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/tags?post=108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}