Find Linux Exploits by Kernel version

Sometimes it’s really hard to find the correct exploit for the device that you are pentesting. I found two good references that may be helpful or least will give you a good starting point. Both of these resources can suggest Linux exploits based on kernel version. The first one is available in Github and the second one I believe I saw in Twitter and bookmarked the link (can’t remember the Twitter handle, sorry, please remind me so that I can credit?).

Find Linux Exploits by Kernel version - blackMORE Ops - 1

Linux Exploit Suggester

Linux Exploit Suggester is a github project to identify exploits based on operating system release number(or Kernel version). This program run without arguments will perform a ‘uname -r’ to grab the Linux Operating Systems release version, and return a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script. Additionally possible to provide ‘-k’ flag to manually enter the Kernel Version/Operating System Release Version.

Github Project: https://github.com/PenturaLabs/Linux_Exploit_Suggester

Examples:

$ perl ./Linux_Exploit_Suggester.pl -k 3.0.0

Kernel local: 3.0.0

Possible Exploits:
[+] semtex
   CVE-2013-2094
   Source: www.exploit-db.com/download/25444/‎
[+] memodipper
   CVE-2012-0056
   Source: http://www.exploit-db.com/exploits/18411/
[+] perf_swevent
   CVE-2013-2094
   Source: http://www.exploit-db.com/download/26131

Flat file to find Linux Exploits by Kernel version

I copied the whole page here as the source page looks like a work in progress. This also seems to be based on the same Github Project only he’s added more (the author tweeted about that too). Kudos.

  1. Locate the Kernel version of the target machine(s) (e.g. uname -a or via nmap).
  2. Using this listing, locate exploit refereces that includes your version.
  3. Version numbers with 0’s indicate ALL subversions of that Kernel portion (e.g. 2.4.0 = 2.4.1 – 2.4.36).
  4. Provided for research only, Perform a through code review prior to use, use only hosts you have legal authority to pentest; no warranties or guarentees implied or provided!
Exploit Name Kernel Start Kernel End Exploit URL Remarks
hudo 2.0.0 6.0.1 https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/hudo.c See contents for specific versions
ip6t_so_set(loc) 2.0.0 4.6.2 https://www.exploit-db.com/exploits/40489/
libfutex(loc) 2.0.0 2.0.0 https://www.exploit-db.com/exploits/35370/
setreuic(0,0) 2.0.0 4.0.1 https://www.exploit-db.com/exploits/14219/
tack 2.0.0 2.6.0 https://www.exploit-db.com/exploits/38685/
rds-fail 2.1.0 2.6.0 http://vulnfactory.org/exploits/rds-fail.c
ptrace 2.2.0 2.4.0 http://www.securiteam.com/exploits/5CP0Q0U9FY.html
rip 2.2.0 2.2.0 https://packetstormsecurity.com/files/22124/rip.c.html
viper Autoroot_v2 2.2.0 2.6.0 http://www.exploit-id.com/tools/viper-auto-rooting Warning:Verify remote source before use
remap 2.4.0 2.4.0 https://www.exploit-db.com/exploits/160/
pipe.c_32bit 2.4.4 2.4.37 http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
sock_sendpage 2.4.4 2.4.37 http://www.exploit-db.com/exploits/9435 Alt:Proto Ops
sock_sendpage2 2.4.4 2.4.37 http://www.exploit-db.com/exploits/9436 Alt:Proto Ops
brk 2.4.10 2.4.10 http://www.cyberwarrior.us/code/linux/brk_vma.c
expand_stack 2.4.10 2.4.10 https://www.exploit-db.com/exploits/778/
w00t 2.4.10 2.4.21 https://github.com/freebsd/freebsd/tree/master/tools/tools/net80211/w00t
expand_stack 2.4.16 2.4.31 https://www.exploit-db.com/exploits/778/
w00t 2.4.16 2.4.21 https://github.com/freebsd/freebsd/tree/master/tools/tools/net80211/w00t
newlocal 2.4.17 2.4.19 https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/newlocal.zip
uselib24 2.4.17 2.4.17 https://packetstormsecurity.com/files/35920/uselib24.c.html
brk 2.4.18 2.4.22 http://www.cyberwarrior.us/code/linux/brk_vma.c
km2 2.4.18 2.4.22 http://downloads.securityfocus.com/vulnerabilities/exploits/binfmt_elf.c
ave 2.4.19 2.4.20 ** Unknown Source Repository at this time.. manual search required
mremap_pte 2.4.20 2.4.20 http://www.exploit-db.com/exploits/160/
loko 2.4.22 2.4.24 http://pastie.org/pastes/316474 ** Warning** Mod code for IRC reverse shell
uselib24 2.4.22 2.4.29 https://packetstormsecurity.com/files/35920/uselib24.c.html
mremap_pte 2.4.24 2.4.27 http://www.exploit-db.com/exploits/160/
elfdump 2.4.27 2.6.8 https://www.exploit-db.com/exploits/624/
elflbl 2.4.29 2.4.29 http://www.exploit-db.com/exploits/744/
smpracer 2.4.29 2.4.29 https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2005/expand_stack-SMP-race.c
smp_race_local 2.4.29 2.4.29 https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/expand_stack.c
stackgrow2 2.4.29 2.4.29 https://dl.packetstormsecurity.net/0501-exploits/stackgrow2.c.html
american-sign-lang 2.6.0 2.3.36 https://www.exploit-db.com/exploits/15774/ Alt:ASL
can_modharden 2.6.0 2.6.0 https://www.exploit-db.com/exploits/14814/
half_nelson 2.6.0 2.6.36 http://www.exploit-db.com/exploits/6851 Alt:eConet
half_nelson1 2.6.0 2.6.36 http://www.exploit-db.com/exploits/17787/ Alt:eConet
pktcdvd 2.6.0 2.6.36 http://www.exploit-db.com/exploits/15150/
smpracer 2.6.0 2.6.0 https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2005/expand_stack-SMP-race.c
sock_sendpage 2.6.0 2.6.30 http://www.exploit-db.com/exploits/9435 Alt:Proto Ops
sock_sendpage2 2.6.0 2.6.30 http://www.exploit-db.com/exploits/9436 Alt:Proto Ops
vconsole 2.6.0 2.6.0 http://downloads.securityfocus.com/vulnerabilities/exploits/33672.c
video4linux 2.6.0 2.6.33 http://www.exploit-db.com/exploits/15024/
udp_sendmsg_32bit 2.6.1 2.6.19 http://downloads.securityfocus.com/vulnerabilities/exploits/36108.c
krad 2.6.5 2.6.11 https://www.exploit-db.com/exploits/15774/
krad3 2.6.5 2.6.11 http://exploit-db.com/exploits/1397
ong_bak 2.6.5 2.6.5 https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/ong_bak.c
h00lyshit 2.6.8 2.6.16 http://www.exploit-db.com/exploits/2013/
stackgrow2 2.6.10 2.6.10 https://dl.packetstormsecurity.net/0501-exploits/stackgrow2.c.html
uselib24 2.6.10 2.6.10 https://packetstormsecurity.com/files/35920/uselib24.c.html
ftrex 2.6.11 2.6.22 http://www.exploit-db.com/exploits/6851
elfcd 2.6.12 2.6.12 https://www.exploit-db.com/exploits/25647/
py2 2.6.12 2.6.12 https://www.exploit-db.com/exploits/1591/
kdump 2.6.13 2.6.13 https://www.exploit-db.com/exploits/17942/
local26 2.6.13 2.6.13 https://www.exploit-db.com/exploits/160/
prctl 2.6.13 2.6.17 http://www.exploit-db.com/exploits/2004/
prctl2 2.6.13 2.6.17 http://www.exploit-db.com/exploits/2005/
prctl3 2.6.13 2.6.17 http://www.exploit-db.com/exploits/2006/
prctl4 2.6.13 2.6.17 http://www.exploit-db.com/exploits/2011/
prctl_loc_priv 2.6.13 2.6.17 https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/exp.sh
raptor_prctl 2.6.13 2.6.23 http://www.exploit-db.com/exploits/2031/
pipe.c_32bit 2.6.15 2.6.31 http://www.securityfocus.com/data/vulnerabilities/exploits/36901-1.c
vmsplice1 2.6.17 2.6.24 http://www.expliot-db.com/exploits/5092 Alt:Jessica Biel
can_bcm 2.6.18 2.6.36 http://www.exploit-db.com/exploits/14814/
do_pages_move 2.6.18 2.6.31 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9627.tgz Alt:Sieve
gconv_translit_find 2.6.18 2.6.18 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/34421.tar.gz
reiserfs 2.6.18 2.6.34 http://www.exploit-db.com/exploits/12130/
dirty_cow_proc_race 2.6.22 3.8.0 https://www.exploit-db.com/exploits/40847/
dirty_cow_ptrace 2.6.22 3.8.0 https://www.exploit-db.com/exploits/40839/
vmsplice2 2.6.23 2.6.24 http://www.exploit-db.com/exploits/5093 Alt:Dianne Lane
exit_notify 2.6.25 2.6.29 http://www.exploit-db.com/exploits/8369
udev 2.6.25 2.6.29 http://www.exploit-db.com/exploits/8478
ptrace_kmod2 2.6.26 2.6.34 http://www.exploit-db.com/exploits/15023/ Alt:ia32syscall
sctp 2.6.26 2.6.26 https://github.com/offensive-security/exploit-database/blob/master/platforms/linux/local/7618.c
rds 2.6.30 2.6.36 http://www.exploit-db.com/exploits/15285/
tomcat_privesc 2.6.30 2.6.99 https://www.exploit-db.com/exploits/40488/
gconv_translit_find 2.6.32 2.6.32 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/34421.tar.gz
inode_Int_overflow 2.6.32 3.16.0 https://packetstormsecurity.com/files/139871/Linux-Kernel-2.6.32-642-3.16.0-4-Inode-Integer-Overflow.html
caps_to_root 2.6.34 2.6.36 http://www.exploit-db.com/exploits/15916/
semtex 2.6.37 2.6.39 http://www.exploit-db.com/download/25444/
memodipper 2.6.39 2.6.39 http://www.exploit-db.com/exploits/18411/
memodipper 3.0.0 3.1.1 http://www.exploit-db.com/exploits/18411/
perf_swevent 3.0.0 3.8.9 http://www.exploit-db.com/download/26131
rowhammer 3.0.0 6.0.0 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/36310.tar.gz
semtex 3.0.0 3.1.1 http://www.exploit-db.com/download/25444/
death-star 3.1.0 3.1.8 http://downloads.securityfocus.com/vulnerabilities/exploits/52201.txt
timeoutpwn 3.1.0 3.1.0 https://www.kernel-exploits.com/media/timeoutpwn64.c
overlayFS 3.2.0 3.2.0 http://0day.today/exploit/23763
usb-creator_v0.2 3.2.0 3.2.0 http://0day.today/exploit/23566
sock_diag 3.3.0 3.8.0 https://www.exploit-db.com/exploits/33336/
libtiff3.7.1 3.4.0 3.4.0 https://www.exploit-db.com/exploits/14219/
recvmmsg 3.4.0 3.12.1 https://www.exploit-db.com/exploits/31347/
timeoutpwn 3.4.0 3.4.0 https://www.kernel-exploits.com/media/timeoutpwn64.c
libtiff3.7.1 3.5.1 3.5.7 https://www.exploit-db.com/exploits/14219/
libtiff3.7.1 3.6.0 3.6.1 https://www.exploit-db.com/exploits/14219/
libtiff3.7.1 3.7.0 3.7.4 https://www.exploit-db.com/exploits/14219/
libtiff3.7.1 3.8.0 3.8.2 https://www.exploit-db.com/exploits/14219/
libtiff3.7.1 3.9.0 3.9.3 https://www.exploit-db.com/exploits/14219/
ifenslave 3.10.0 3.10.0 https://github.com/FuzzySecurity/Unix-PrivEsc/blob/master/ifenslave.c
tomcat_privesc 3.10.0 3.10.99 https://www.exploit-db.com/exploits/40488/
Apport_abrt 3.13.0 3.13.0 https://www.exploit-db.com/exploits/36746/
overlayfs 3.13.0 3.13.1 https://www.exploit-db.com/exploits/40688/
overlayFS 3.13.0 3.19.0 http://0day.today/exploit/23763
overlayfs_shell(loc) 3.13.0 3.18.0 https://www.exploit-db.com/exploits/37292/
usb-creator_v0.2 3.13.0 3.13.0 http://0day.today/exploit/23566
recvmmsg_privesc 3.13.1 3.13.1 https://www.exploit-db.com/exploits/40503/
libfutex 3.14.0 3.14.6 http://downloads.securityfocus.com/vulnerabilities/exploits/67906.c
libfutex(loc) 3.14.0 3.14.0 https://www.exploit-db.com/exploits/35370/
Apport_abrt 3.16.0 3.16.0 https://www.exploit-db.com/exploits/36746/
overlayfs 3.16.0 3.16.1 https://www.exploit-db.com/exploits/40688/
usb-creator_v0.2 3.16.0 3.16.0 http://0day.today/exploit/23566
af_packet_race 3.19.0 3.19.1 https://www.exploit-db.com/exploits/40871/
overlayfs 3.19.0 3.19.1 https://www.exploit-db.com/exploits/40688/
libtiff3.7.1 4.0.0 4.0.1 https://www.exploit-db.com/exploits/14219/
overlayfs 4.2.0 4.2.18 https://www.exploit-db.com/exploits/40688/
overlayfs 4.2.8 4.2.8 https://www.exploit-db.com/exploits/40688/
overlayfs(loc) 4.3.2 4.3.3 https://www.exploit-db.com/exploits/39166/
bpf_loc_Priv_esc 4.4.0 4.4.0 https://www.exploit-db.com/exploits/40759/
perf_event_open 4.4.0 4.4.0 https://bugs.chromium.org/p/project-zero/issues/detail?id=807
refcnt_keyrings(loc) 4.4.1 4.4.1 https://www.exploit-db.com/exploits/39277/
logrotate_loc_Priv 4.6.0 4.6.0 https://www.exploit-db.com/exploits/40768/
netfilter_privesc(loc) 4.6.3 4.6.3 https://www.exploit-db.com/exploits/40435/
libtiff3.7.1 5.0.0 5.2.1 https://www.exploit-db.com/exploits/14219/
libfutex 6.0.0 6.0.0 http://downloads.securityfocus.com/vulnerabilities/exploits/67906.c
libfutex(loc) 6.0.0 6.0.0 https://www.exploit-db.com/exploits/35370/
libfutex2 6.0.0 6.0.0 https://www.exploit-db.com/exploits/35370/
netBSD_mail(loc) 6.0.0 6.1.5 https://packetstormsecurity.com/files/138021/NetBSD-mail.local-8-Local-Root.html
netBSD_mail(loc) 7.0.0 7.1.1 https://packetstormsecurity.com/files/138021/NetBSD-mail.local-8-Local-Root.html

Someone can fork the original Github project and keep adding more to that as the original project was made GPLv2 by the author (thanks). Which means, you can:

  • copy and distribute the program’s unmodified source code
  • modify the program’s source code and distribute the modified source

You can possibly do the same thing using MetaSploit. Detailed steps on how to search exploits in MetaSploit can be found here.  Either way, have a field day adding more, testing more and having fun. If you know of more exploits, suggest them via comments section. As usual, I don’t force any checks via comments section and it’s pretty open, so go ahead.

Leave a Reply. (Anonymous comments allowed). Use WP, Twitter, FaceBook or Google+ for faster responses.