the-z-labs / linux-exploit-suggester Goto Github PK

Linux privilege escalation auditing tool

License: GNU General Public License v3.0

Shell 100.00%

applicable-exploits exploits hacking-tool kernel-exploitation linux-exploits linux-kernel privilege-escalation-exploits published-exploits security-tools

linux-exploit-suggester's People

Contributors

Stargazers

Watchers

Forkers

vysecurity shekkbuilder techlord-rce y0d4a exiahan phra jbarcia caijiji scriptingxss idkwim olivierh59500 jvgutierrez hiw0rld av1080p chaojianhu lllliiillll vishnudxb never-summer johnjohnsp1 fr0gger ahlafrenz yarbojanks cyri1s shlomieliberow haply olefasting mgcfish vnhacker1337 mingjiang-zeng async0x221e sneakymonk3y megamindat 0irebrwe adinanta h4ppy7ree pwapou mulugeta ckduy android-leak fnzv ch4p34un0ir g33kroid i0n0n beep3r zard777 allforlove1997 ykankaya bcoles kartikeyap buglessdr dm7 unwitnessed martin-0 obiwan111 adomore surereddy yehgdotnet ro9ueadmin bilportistivraboti tai-euler jqqqqqqqqqq fingerleakers nmhai pinenappler russweir senosigit heikipikker an4kein sbambach puzanov kzwkt m00zh33 fo0nikens star-bob theralfbrown jishuzhain sleepwalker-ins p0prxx lovebair2022 localurk avaudioplayer jothatron hapazores mucomplex zulou edgardo001 qingpengchen2011 erseco anarquias aridoshikagithub christopherhyoung bigttys0 fuckup1337 aishee lsh4ck looterz f8syw5v 5up3rc pakak22 fengzihk

linux-exploit-suggester's Issues

Software That May Be of Use

I have come across a similar shell script that’s also designed to find exploits although, it uses an online database to find exploits.

It may be worth copying some of the code from it so linux-exploit-suggester can also use the online database.

https://github.com/1N3/Findsploit

Userspace exploits are not listed on Fedora

The OS check fails on Fedora systems causing potential exploit candidates to be skipped.

[user@localhost linux-exploit-suggester]$ ./linux-exploit-suggester.sh  --userspace-only


Available information:

Kernel version: 3.19.8
Architecture: x86_64
Distribution: fedora
Distribution version: 20
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: N/A

Searching among:

0 kernel space exploits
0 user space exploits

Possible Exploits:

[Request] List All CVE In Read Me Or Wiki

Can you please list all the current supported CVEs in the read me or wiki so, it is easier to submit or request missing exploits.

Because, at the moment its hard to know what missing and what should be added.

Thanks

cat: write error: Broken pipe

system info:

www-data@openadmin:/tmp$ uname -a
Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

www-data@openadmin:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.3 LTS
Release:	18.04
Codename:	bionic

les version: today

les output:

www-data@openadmin:/tmp$ bash les.sh
bash les.sh

Available information:

Kernel version: 4.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 18.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

73 kernel space exploits
43 user space exploits

Possible Exploits:

cat: write error: Broken pipe
[+] [CVE-2018-18955] subuid_shell

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
   Exposure: probable
   Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
   Download URL: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45886.zip
   Comments: CONFIG_USER_NS needs to be enabled

[+] [CVE-2017-0358] ntfs-3g-modprobe

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.

Problem:
Please note the line after: "Possible Exploits:"
cat: write error: Broken pipe

There seem to be more exploits, but something goes wrong
For example, CVE-2019-13272 PTRACE_TRACEME should be appropriate but is not displayed

Baron Samedit is displayed for invalid GLIBC versions

On running in a certain case, CVE-2021-3156 is recommended.

   [+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main```

GLIBC version

ldd --version | grep GLIBC
ldd (Ubuntu GLIBC 2.23-0ubuntu3) 2.23

CVE-2021-3156 requires libc 2.26+ as shown over at https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py#L112

As such, this should never have been recommended.

[Request] Log All Potential CVE To File

Can you please add the option to log all potential exploits to a log file in the same directory.
Thanks

Aborts with `Both 'src-url' and 'exploit-db' entries are empty for '\e[1;32m[CVE-2019-15666]\e[0m XFRM_UAF' exploit - fix that. Aborting.`

I just cloned the git repository (as of HEAD at commit 65589f8) and the script seems to abort inmidst execution as follows on an up-to-date RHEL7, rebooted into the most recent kernel:

$ ./linux-exploit-suggester.sh 

Available information:

Kernel version: 3.10.0
Architecture: x86_64
Distribution: RHEL
Distribution version: 7.8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

74 kernel space exploits
45 user space exploits

Possible Exploits:

[…]

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

Both 'src-url' and 'exploit-db' entries are empty for '\e[1;32m[CVE-2019-15666]\e[0m XFRM_UAF' exploit - fix that. Aborting.

So it seems as if the software expects some constrains which the internal database entry for CVE-2019-15666 can't fulfill.

(The unparsed ANSI sequences show up on the terminal as above — uninterpreted. Not sure if this is on purpose.)

Please update the script

The script does not detect this vulnerabilities:
https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability

CVE-2023-2640 and CVE-2023-32629

CVE text missing colors

Several exploits are missing the green text color.

$ grep "Name:" linux-exploit-suggester.sh  | fgrep -v grn
Name: [CVE-2015-9322] BadIRET (DoS)
Name: [CVE-2011-1485] pkexec
Name: [CVE-2014-0476] chkrootkit

Not sure if this is intentional - if there's perhaps some undocumented unspoken color coding convention.

Exploit Dirty cow 2 has been moved permanently.

First of all thank you for this amazing tool, I want a small correction in an exploit download page suggested by linux-exploit-suggester for Dirty Cow 2 https://www.exploit-db.com/exploits/40847.cpp, but the page has status 404, I want the exploit to suggest the new download page i.e. https://www.exploit-db.com/exploits/40847 as it has moved permanently.
You may refer to the attachments.

cannot create temp file for here-document: No such file or directory

When /tmp is not writable but /www/tmp is. I downloaded linux-exploit-suggester to /www/tmp and ran it:

bash-4.2$ bash les.sh
les.sh: line 81: cannot create temp file for here-document: No such file or directory
les.sh: line 92: cannot create temp file for here-document: No such file or directory
les.sh: line 101: cannot create temp file for here-document: No such file or directory
les.sh: line 110: cannot create temp file for here-document: No such file or directory
les.sh: line 119: cannot create temp file for here-document: No such file or directory
les.sh: line 128: cannot create temp file for here-document: No such file or directory
les.sh: line 137: cannot create temp file for here-document: No such file or directory
les.sh: line 146: cannot create temp file for here-document: No such file or directory
les.sh: line 155: cannot create temp file for here-document: No such file or directory
les.sh: line 165: cannot create temp file for here-document: No such file or directory
les.sh: line 174: cannot create temp file for here-document: No such file or directory
les.sh: line 183: cannot create temp file for here-document: No such file or directory
les.sh: line 193: cannot create temp file for here-document: No such file or directory
les.sh: line 202: cannot create temp file for here-document: No such file or directory
les.sh: line 212: cannot create temp file for here-document: No such file or directory
les.sh: line 224: cannot create temp file for here-document: No such file or directory
les.sh: line 235: cannot create temp file for here-document: No such file or directory
les.sh: line 246: cannot create temp file for here-document: No such file or directory
les.sh: line 256: cannot create temp file for here-document: No such file or directory
les.sh: line 266: cannot create temp file for here-document: No such file or directory
les.sh: line 275: cannot create temp file for here-document: No such file or directory
les.sh: line 284: cannot create temp file for here-document: No such file or directory
les.sh: line 293: cannot create temp file for here-document: No such file or directory
...
[CONTINUE]
...
Available information:

Kernel version: [REDACTED]
Architecture: x86_64
Distribution: RHEL
Distribution version: 
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

71 kernel space exploits
39 user space exploits

Possible Exploits:

les.sh: line 2224: cannot create temp file for here-document: No such file or directory
les.sh: line 2241: cannot create temp file for here-document: No such file or directory
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
les.sh: line 2241: cannot create temp file for here-document: No such file or directory
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
les.sh: line 2241: cannot create temp file for here-document: No such file or directory
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
les.sh: line 2241: cannot create temp file for here-document: No such file or directory
les.sh: line 2224: cannot create temp file for here-document: No such file or directory
...
[CONTINUE]
...

However I ran https://github.com/jondonas/linux-exploit-suggester-2 and https://github.com/rebootuser/LinEnum without problem.

Syntax Errors

Don't have time to debug, but this occurs on Kernel 2.6.18-53 with CentOS 5

sh-3.1$ bash ./linux-exploit-suggester.sh

Kernel version: 2.6.18
Architecture: i386
Distribution: redhat
Package list: from current OS

Possible Exploits:

./linux-exploit-suggester.sh: line 1379: syntax error in conditional expression: unexpected token `|'
./linux-exploit-suggester.sh: line 1379: syntax error near `|t'
./linux-exploit-suggester.sh: line 1379: `        elif [[ "$src_url" =~ ^.*tgz|tar.gz|zip$ && -n "$EXPLOIT_DB" ]]; then'
sh-3.1$

Inventory notification

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

https://inventory.rawsec.ml/tools.html#linux-exploit-suggester.sh

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

Open source: Every information is available and up to date. If an information is missing or deprecated, you are invited to (help us).
Practical: Content is categorized and table formatted, allowing to search, browse, sort and filter.
Fast: Using static and client side technologies resulting in fast browsing.
Rich tables: search, sort, browse, filter, clear
Fancy informational popups
Badges / Shields
Static API
Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

Specialized websites: Some websites are referencing tools but additional information is not available or browsable. Make additional searches take time.
Curated lists: Curated lists are not very exhaustive, up to date or browsable and are very topic related.
Search engines: Search engines sometimes does find nothing, some tools or resources are too unknown or non-referenced. These is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.

Badges

The badge shows to your community that your are inventoried. This also shows you care about your project and want it growing, that your tool is not an abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that , but there are several styles available.

Want to thank us?

If you want to thank us, you can help make the project better known by tweeting about it! For example:

So what?

That's all, this message is just to notify you if you care.

mapfile: command not found?

Hi there.

First of all, I would like to thank you for this awesome tool.

May I check if you encounter any issue running this script?

I got this error when i tried running it on some PWK machines.

./linux-exploit-suggester.sh: line 988: mapfile: command not found

I have attached screenshot below for your reference.

Thank you!

bash compatibility

$ ./les.sh
Script needs Bash in version 4.0 or newer. Aborting.

It says LES supports only bash 4.0+ and I was running it on bash 3.1 so I understand.

But on #3 you said

To avoid these kind of errors I've added bash version checking on script's startup. 4.0 is needed for associative arrays, =~ operator was added in 3.* so we should be good now.

So finally 3.* is not supported?

Please Help Me

Idk Im sure how im supposed to write any of this or what way im supposed to write it😩

[CVE-2017-16995] Incorrect kernel version check

It appears the kernel version check for CVE-2017-16995 is incorrect.

As an example, on a vulnerable Linux Mint 18 kernel 4.4.0-116-generic system:

user@mint-18 ~/Desktop/linux-exploit-suggester $ uname -r
4.4.0-116-generic
user@mint-18 ~/Desktop/linux-exploit-suggester $ git diff linux-exploit-suggester.sh
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./linux-exploit-suggester.sh | grep 2017-16995
user@mint-18 ~/Desktop/linux-exploit-suggester $ fg
vi linux-exploit-suggester.sh

[1]+  Stopped                 vi linux-exploit-suggester.sh
user@mint-18 ~/Desktop/linux-exploit-suggester $ git diff linux-exploit-suggester.sh
diff --git a/linux-exploit-suggester.sh b/linux-exploit-suggester.sh
index e9c88d4..cad912c 100755
--- a/linux-exploit-suggester.sh
+++ b/linux-exploit-suggester.sh
@@ -688,7 +688,7 @@ EOF
 
 EXPLOITS[((n++))]=$(cat <<EOF
 Name: ${txtgrn}[CVE-2017-16995]${txtrst} eBPF_verifier
-Reqs: pkg=linux-kernel,ver>=4.9,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
+Reqs: pkg=linux-kernel,ver>=4.4,ver<=4.14.8,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
 Tags: ubuntu=16.04.4(kernel:4.4.0-116)
 analysis-url: https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor
 Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./linux-exploit-suggester.sh | grep 2017-16995
[+] [CVE-2017-16995] eBPF_verifier
   Details: https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor

The 4.4.0-116-generic kernel on Ubuntu and Linux Mint is confirmed vulnerable to the exploit:

user@mint-18 ~/Desktop/linux-exploit-suggester $ wget 'https://www.exploit-db.com/download/44298'
--2018-03-25 15:32:03--  https://www.exploit-db.com/download/44298
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.8
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6021 (5.9K) [application/txt]
Saving to: '44298’

44298                           100%[=====================================================>]   5.88K  --.-KB/s    in 0s      

2018-03-25 15:32:04 (1.06 GB/s) - '44298’ saved [6021/6021]

user@mint-18 ~/Desktop/linux-exploit-suggester $ mv 44298 44298.c
user@mint-18 ~/Desktop/linux-exploit-suggester $ gcc 44298.c 
user@mint-18 ~/Desktop/linux-exploit-suggester $ ./a.out 
task_struct = ffff880036c23800
uidptr = ffff880038381c04
spawning root shell
mint-18 linux-exploit-suggester # id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),130(sambashare),1000(user)

It seems there some confusion over the CVEs. For example, the following sources provide conflicting information on the affected kernels:

Regardless, the specified exploit works on the 4.4 kernel.

在centos4.9上无法执行，显示Script needs Bash in version 4.0 or newer. Aborting

[Suggestion] Alternative exploit for CVE-2017-7308

https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c

I'm maintaining an updated exploit in the cve-2017-7308 branch of my fork of xairy's exploit.

I've added new offsets, new KASLR bypasses, additional pre-exploitation checks, and networking support for post-exploitation.

I'm not sure if you want to trust my code; and Xairy should get the credit. Perhaps the alternate link could be added to the comments, rather than replacing the existing src-url ?

Package version detection

Since the "ntfs-3g-1:2016.2.22AR.1-3" package is not detected otherwise.

However, the package “mysql-server-5.6.30-1” is still not detected. But if we replace "Reqs: pkg=mysql-server|mariadb-server,ver<5.5.52" with "Reqs: pkg=mysql-server|mariadb-server"

Typo: memodipper instead of mempodipper

The Exploit has a typo in its name.
It should be mempodipper instead of memodipper

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2012-0056]${txtrst} **memodipper**
Reqs: pkg=linux-kernel,ver>=3.0.0,ver<=3.1.0
Tags: ubuntu=(10.04|11.10){kernel:3.0.0-12-(generic|server)}
Rank: 1
analysis-url: https://git.zx2c4.com/CVE-2012-0056/about/
src-url: https://git.zx2c4.com/CVE-2012-0056/plain/**mempodipper**.c
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper
bin-url: https://web.archive.org/web/20160602192631/https://www.kernel-exploits.com/media/memodipper64
exploit-db: 18411
EOF
)

Allow JSON output for automation integration

How To Add Exploit (CVE-2023-0386 OverlayFS)

I was hoping to add the somewhat recent OverlayFS Bug, but am having trouble getting this working as I would expect. I think the root of the problem could just be this script doesn't do a great job with Ubuntu's crazy kernel scheme of putting the minor version after a dash.

I added the following:

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2023-0386]${txtrst} OverlayFS FuseFS SetUID Copy
Reqs: pkg=linux-kernel,ver<5.15.70
Tags: ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*}
Rank: 1
analysis-url: https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#check-if-your-system-is-vulnerable
src-url: https://github.com/xkaneiki/CVE-2023-0386
Comments: 
author: vulnerability discovery: Red Hat
EOF
)

But when I run it on my updated VM, it still says highly probable. That being said a lot of other kernel checks say its vulnerable.

uname output:

Linux ubuntu 5.15.0-73-generic #80~20.04.1-Ubuntu SMP Wed May 17 14:58:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

LES Output:

Available information:

Kernel version: 5.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 20.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

82 kernel space exploits
49 user space exploits

Possible Exploits:

[+] [CVE-2023-0386] OverlayFS FuseFS SetUID Copy

   Details: https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#check-if-your-system-is-vulnerable
   Exposure: highly probable
   Tags: [ ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*} ]
   Download URL: https://github.com/xkaneiki/CVE-2023-0386

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: [ ubuntu=(20.04|21.04) ],debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

...

If I change the tag so it is not Ubuntu 20.04, the exploit moves from highly probable to less probable. Am I doing it correctly? I figured the

ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*}

Would not match my uname of 5.15.0-73-generic.

Broken URLs to exploitdb binsploits repo

The ExploitDB binsploits repo appears to have been migrated to https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/9436.tgz, so currently the binsploits download links in linux-exploit-suggester are broken

CONFIG_CC_STACKPROTECTOR deprecated in kernel 4.16

Hi, I think CONFIG_CC_STACKPROTECTOR has being superseed by CONFIG_CC_STACKPROTECTOR_AUTO
https://outflux.net/blog/archives/2018/04/12/security-things-in-linux-v4-16/
https://patchwork.kernel.org/patch/9981173/

This is what I get in 4.16.6-1 (ARCH):
zgrep STACKPROTECTOR /proc/config.gz

CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR_AUTO=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
# CONFIG_CC_STACKPROTECTOR_STRONG is not set

And this in Ubuntu 16.04:
grep STACKPROTECTOR /boot/config-4.13.0-39-generic

CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y

grep STACKPROTECTOR /boot/config-4.4.0-121-generic

CONFIG_HAVE_CC_STACKPROTECTOR=y
CONFIG_CC_STACKPROTECTOR=y
# CONFIG_CC_STACKPROTECTOR_NONE is not set
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y

Incorrect details for double-fdput (CVE-2016-4557)

linux-exploit-suggester contains the following for double-fdput (CVE-2016-4557):

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2016-4557]${txtrst} double-fdput()
Reqs: pkg=linux-kernel,ver>=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,sysctl:kernel.unprivileged_bpf_disabled!=1
Tags: ubuntu=16.04(kernel:4.4.0-62)
analysis-url: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
src-url: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
exploit-db: 40759
author: Jann Horn
EOF
)

Tags: ubuntu=16.04(kernel:4.4.0-62) is inaccurate, as Ubuntu claims the issue was resolved in 4.4.0-22 and exploit-db shows the exploit was tested on Ubuntu kernel 4.4.0-21.

Additionally, src-url: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552 is invalid, as direct URLs for attachment on the Chromium bug tracker return a HTTP 400 error unless a signed_aid parameter is provided.

[Suggestion] Alternative exploit for CVE-2017-1000112

https://github.com/bcoles/kernel-exploits/blob/cve-2017-1000112/CVE-2017-1000112/poc.c

I'm maintaining an updated exploit in the cve-2017-1000112 branch of my fork of xairy's exploit.

I've added new offsets, new KASLR bypasses, support for Linux Mint distros (17 and 18), and networking support for post-exploitation.