Linux Privilege Escalation

From BHaFSec Pentesting Notes Wiki

Automation

AutoLocalPrivilegeEscalation: script that downloads potential exploits for the Linux kernel from Exploit-DB and compiles them automatically.
Unix-privesc-checker: script that runs on Unix systems (tested on Solaris 9, HP-UX 11, various Linux distributions, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local applications.

Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings Exploit

cve_2016_0728.c CVE-2016-0728 - caused by a reference leak in the keyrings facility. The keyrings facility is primarily a way for drivers to retain or cache security data, authentication keys, encryption keys and other data in the kernel.

CentOS 7.1/Fedora 22 - local root Exploit

CVE-2015-5273_CVE-2015-5287.py CVE-2015-5273 / CVE-2015-5287 - CentOS 7.1 / Fedora 22 abrt local root exploit. It leverages insecure open() usage in abrt-hook-ccpp and insecure temp directory usage in abrt-action-install-debuginfo.

RHEL 7.0 / 7.1 abrt / sosreport Local Root

sosreport-rhel7.py - CVE-2015-5287 abrt/sosreport RHEL 7.0/7.1 local root exploit.

dirtyc0w (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel.

dirtyc0w.c Description: Allows a user to write to files meant to be read-only. Usage: ./dirtyc0w file content

cowroot.c Description: Gives the user root by overwriting /etc/passwd or a SUID binary. Usage: ./cowroot

dirtycow-mem.c Description: Gives the user root by patching libc's getuid call and invoking su. Usage: ./dirtycow-mem

pokemon.c Description: Allows a user to write to files meant to be read-only (does not use /proc/self/mem). Usage: ./d file content

More Reading

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation