Home

Awesome

kernelpop

kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on the following operating systems:

It is designed to be python version-agnostic, meaning that it should work with both python2 and python3


example of enumeration to root (Linux)

got-root


ways to use

$ git clone https://github.com/spencerdodd/kernelpop
$ cd kernelpop
$ python kernelpop.py || python3 kernelpop.py
$ git clone https://github.com/spencerdodd/kernelpop
$ cd kernelpop
$ ./create_executable.sh
$ ./kernelpop
  1. install pyinstaller (steps vary per build system)
  2. $ pyinstaller kernelpop.py --onefile
  3. $ cp dist/kernelpop .

both of the binary build steps should create a binary kernelpop in the project root.


enumeration output

user@debian:~/Desktop/kernelpop$ python3 kernelpop.py

##########################
#  welcome to kernelpop  #
#                        #
# let's pop some kernels #
##########################

[*] grabbing distro version and release from underlying OS (linuxdebian7)
[*] grabbing kernel version from 'uname -a'
[+] kernel (Linux debian 3.2.0-4-686-pae #1 SMP Debian 3.2.41-2 i686 GNU/Linux) identified as:
[base]
	type:			linux
	distro:			linuxdebian7
	version:		3.2.0-4
	architecture:		i686
[specific]
	type:			linux
	distro:			linuxdebian7
	version:		3.2.41-2
	architecture:		i686
[*] matching kernel to known exploits
[+] discovered 11 possible exploits !
	[[ distro kernel matched exploit available ]]
		CVE20165195_32	Dirty COW race condition root priv esc for 32 bit
	[[ distro kernel version vulnerable ]]
		CVE20144699	Exploitable race condition in linux before 3.15.4
		CVE20143153	`futex_requeue` vulnerability before 3.14.6 allows for priv esc
		CVE20162384	Double free vulnerability in the `snd_usbmidi_create` (requires physical proximity)
		CVE20140196	`n_tty_write` vuln before 3.14.4 allows priv esc to root
		CVE20132094_semtex	perf_swevent_init Local root exploit (32 bit)
		CVE20176074	`dccp_rcv_state_process` in net/dccp/input.c mishandles structs and can lead to local root
		CVE20132094_32	perf_swevent_init Local root exploit (32 bit)
	[[ base linux kernel vulnerable ]]
		CVE20144014	`chmod` restriction bypass allows users to get root before 3.14.8
		CVE20177308	`packet_set_ring` in net/packet/af_packet.c can gain privileges via crafted system calls.
		CVE20171000112	ip_ufo_append_data() memory corruption flaw can be exploited to gain root privileges.

In the output, there are a few categories. This is what each means

[[ distro kernel matched exploit available ]]

[[ distro kernel version vulnerable ]]

[[ base linux kernel vulnerable ]]


requirements


usage

run modes:
	(default)	        python3 kernelpop.py
	(exploit-mode)	        python3 kernelpop.py -e {exploit name}
		(dump-source)   python3 kernelpop.py -e {exploit name} -d
	(uname-mode)            python3 kernelpop.py -u {uname -a output}
	(interactive-mode)      python3 kernelpop.py -i # LEGACY option (same as uname-mode)
other:
	(playground path)       -p {new path}
	(json output file)      --digest json

default mode (passive)

The default mode processes information about the host kernel and compares it to the known kernel exploits available to the program. It then outputs a list of potentially useful vulnerabilities and attached exploits.

exploit mode (active)

-e {exploit name}

The exploit mode dynamically compiles and runs the exploit source code with stdio interactions inside the program. It can catch interrupts from short-stopped attempts as well. Use the name of the exploit that comes up in the initial kernelpop enumeration run in default mode.

uname mode (passive)

-u {uname -a output}

This option allows you to pass the output of a uname -a command to the program inline, which makes it use-able for integration into automated scripts or for any other forseeable reason. Replacement for interactive mode.

interactive mode (passive) [LEGACY - required for Mac by uname output]

-i {uname -a output}

The interactive mode allows you to perform enumeration with just the output of a uname -a command, which makes it useful as a host-side only enumeration tool. This run by starting kernelpop and with the -i flag and then passing the output of uname -a when requested. This is a legacy feature and replaced by uname mode, but remains supported as -u does not support Mac enumeration.

PLAYGROUND path

-p {new PLAYGROUND_PATH dir}

The -p option sets the value of the global variable PLAYGROUND_PATH. This is the location where all exploit source files are written to, and exploits compiled to. This is set, by default, to /tmp. However, you can set it to any directory with this modifier in case you do not have write access in /tmp.

digestible ouput

--digest json

This option allows you to dump the results of a kernelpop run to a digestible json file for later processing. So far, I have just implemented the json dump, but I will work on an XML version if it is requested.

To Do

Process for adding kernel vulnerability windows: [ should write a scraper ]


currently supported CVE's:


exploit sources

https://github.com/SecWiki/linux-kernel-exploits

http://exploit-db.com/

https://github.com/lucyoa/kernel-exploits

https://github.com/SecWiki/windows-kernel-exploits

historical distro sources

Debian