kernelpop: kernel privilege escalation enumeration and exploitation framework

kernelpop

kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on the following operating systems:

  •  Linux
  •  Mac

It is designed to be python version-agnostic, meaning that it should work with both python2 and python3

currently supported CVE’s:

CVE-2017-1000379

CVE-2017-1000373

CVE-2017-1000372

CVE-2017-1000371

CVE-2017-1000370

CVE-2017-1000367

CVE-2017-1000112

CVE-2017-7308

CVE-2017-6074

CVE-2017-5123

CVE-2016-5195

CVE-2016-2384

CVE-2016-0728

CVE-2015-1328

CVE-2014-4699

CVE-2014-4014

CVE-2014-3153

CVE-2014-0196

CVE-2014-0038

CVE-2013-2094

CVE-2010-4347

CVE-2010-2959

CVE-2009-1185

enumeration output

user@debian:~/Desktop/kernelpop$ python3 kernelpop.py

##########################
#  welcome to kernelpop  #
#                        #
# let's pop some kernels #
##########################

[*] grabbing distro version and release from underlying OS (linuxdebian7)
[*] grabbing kernel version from 'uname -a'
[+] kernel (Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2 i686 GNU/Linux) identified as:
[base]
	type:			linux
	distro:			linuxdebian7
	version:		3.2.0-4
	architecture:		i686
[specific]
	type:			linux
	distro:			linuxdebian7
	version:		3.2.41-2
	architecture:		i686
[*] matching kernel to known exploits
[+] discovered 11 possible exploits !
	[[ distro kernel matched exploit available ]]
		CVE20165195_32	Dirty COW race condition root priv esc for 32 bit
	[[ distro kernel version vulnerable ]]
		CVE20144699	Exploitable race condition in linux before 3.15.4
		CVE20143153	`futex_requeue` vulnerability before 3.14.6 allows for priv esc
		CVE20162384	Double free vulnerability in the `snd_usbmidi_create` (requires physical proximity)
		CVE20140196	`n_tty_write` vuln before 3.14.4 allows priv esc to root
		CVE20132094_semtex	perf_swevent_init Local root exploit (32 bit)
		CVE20176074	`dccp_rcv_state_process` in net/dccp/input.c mishandles structs and can lead to local root
		CVE20132094_32	perf_swevent_init Local root exploit (32 bit)
	[[ base linux kernel vulnerable ]]
		CVE20144014	`chmod` restriction bypass allows users to get root before 3.14.8
		CVE20177308	`packet_set_ring` in net/packet/af_packet.c can gain privileges via crafted system calls.
		CVE20171000112	ip_ufo_append_data() memory corruption flaw can be exploited to gain root privileges.

 

In the output, there are a few categories. This is what each means

[[ distro kernel matched exploit available ]]

  • there is a distro version specific matched kernel exploit in the project that you can use to exploit the kernel. High likelihood of successful exploitation.

[[ distro kernel version vulnerable ]]

  • the distro kernel version is vulnerable to the vulnerability listed but was not explicitly stated as tested in the PoC exploit in the project. Exploitation without modification of the exploit may work but has a lower likelihood of success.

[[ base Linux kernel vulnerable ]]

  • it is unknown if the distro kernel version is vulnerable to the vulnerability, but the base Linux kernel is in the vulnerable range for the exploit. Exploitation without modification of the exploit is either unlikely or unknown, but may still work.

Download

  • run from the project source
$ git clone https://github.com/spencerdodd/kernelpop
$ cd kernelpop
$ python kernelpop.py || python3 kernelpop.py
  • build binary
$ git clone https://github.com/spencerdodd/kernelpop
$ cd kernelpop
$ ./create_executable.sh
$ ./kernelpop
  • steps to build binary without script
  1. install pyinstaller (steps vary per build system)
  2. $ pyinstaller kernelpop.py –onefile
  3. $ cp dist/kernelpop .

both of the binary build steps should create a binary kernelpop in the project root.

Usage

run modes:
(default) python3 kernelpop.py
(exploit-mode) python3 kernelpop.py -e {exploit name}
(input-mode) python3 kernelpop.py -i
other:
(json output file) –dump json
(xml output file) –dump xml

the default mode (passive)

The default mode processes information about the host kernel and compares it to the known kernel exploits available to the program. It then outputs a list of potentially useful vulnerabilities and attached exploits.

exploit mode (active)

-e {exploit name}

The exploit mode dynamically compiles and runs the exploit source code with stdio interactions inside the program. It can catch interrupts from short-stopped attempts as well. Use the name of the exploit that comes up in the initial kernelpopenumeration run in default mode.

  • dump-source (option) -d
    • This is a modifier for exploit mode. It dumps the source-files for the given exploit to their respective files in PLAYGROUND_PATH (default /tmp). This is useful for modifying exploit source on a box or working with exploits that require manual interaction or hard-coding of values. It is especially useful when running from a binary because you won’t have access to the project source code (i.e. exploit source).

uname mode (passive)

-u {uname -a output}

This option allows you to pass the output of a uname -a command to the program inline, which makes it useable for integration into automated scripts or for any other foreseeable reason. Replacement for interactive mode.

interactive mode (passive) [LEGACY – required for Mac by uname output]

-i {uname -a output}

The interactive mode allows you to perform enumeration with just the output of a uname -a command, which makes it useful as a host-side only enumeration tool. This run by starting kernelpop and with the -i flag and then passing the output of uname -a when requested. This is a legacy feature and replaced by uname mode, but remains supported as -u does not support Mac enumeration.

 path

-p {new PLAYGROUND_PATH dir}

The -p option sets the value of the global variable PLAYGROUND_PATH. This is the location where all exploit source files are written to, and exploits compiled to. This is set, by default, to /tmp. However, you can set it to any directory with this modifier in case you do not have write access in /tmp.

digestible output

--digest json

This option allows you to dump the results of a kernelpop run to a digestible json file for later processing. So far, I have just implemented the json dump, but I will work on an XML version if it is requested.

Source: https://github.com/spencerdodd/

Share