Module: Msf::Post::Linux::Kernel

Includes:
Common
Defined in:
lib/msf/core/post/linux/kernel.rb

Instance Method Summary collapse

Methods included from Common

#clear_screen, #cmd_exec, #cmd_exec_get_pid, #command_exists?, #get_env, #get_envs, #has_pid?, #peer, #report_virtualization, #rhost, #rport

Instance Method Details

#aslr_enabled? ⇒ Boolean

Returns true if Address Space Layout Randomization (ASLR) is enabled

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 165

# Reports whether Address Space Layout Randomization is switched on.
#
# Reads /proc/sys/kernel/randomize_va_space through cmd_exec and treats the
# values '1' and '2' as enabled. Any other output (including an error message
# printed by cat) yields false rather than an exception.
#
# @return [Boolean] true when the stripped output is '1' or '2'
# @raise [RuntimeError] if reading the value raises a StandardError
def aslr_enabled?
  setting = cmd_exec('cat /proc/sys/kernel/randomize_va_space').to_s.strip
  %w[1 2].include?(setting)
rescue StandardError
  raise 'Could not determine ASLR status'
end

#cpu_flags ⇒ Array

Returns a list of CPU flags

Returns:

  • (Array)

# File 'lib/msf/core/post/linux/kernel.rb', line 93

# Collects the distinct CPU flags listed in /proc/cpuinfo.
#
# Every line that starts with "flags" contributes its tokens; duplicates
# across processors are dropped and first-seen order is kept.
#
# @return [Array<String>, nil] the unique flags, or nil when the output does
#   not contain the text 'flags' at all
# @raise [RuntimeError] if reading or parsing raises a StandardError
def cpu_flags
  raw = cmd_exec('cat /proc/cpuinfo').to_s

  # Callers that chain .include? on the result hit nil here and fail.
  return nil unless raw.include?('flags')

  flag_lines = raw.scan(/^flags\s*:(.*)$/).flatten
  tokens = flag_lines.join(' ').split(/\s/).map(&:strip)
  tokens.reject(&:empty?).uniq
rescue StandardError
  raise 'Could not retrieve CPU flags'
end

#dmesg_restrict? ⇒ Boolean

Returns true if dmesg restriction is enabled

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 211

# Reports whether the kernel.dmesg_restrict sysctl is set.
#
# Only the exact stripped value '1' counts as enabled; anything else,
# including an error message from cat, yields false.
#
# @return [Boolean] true when /proc/sys/kernel/dmesg_restrict reads '1'
# @raise [RuntimeError] if reading the value raises a StandardError
def dmesg_restrict?
  setting = cmd_exec('cat /proc/sys/kernel/dmesg_restrict').to_s.strip
  setting == '1'
rescue StandardError
  raise 'Could not determine kernel.dmesg_restrict status'
end

#exec_shield_enabled? ⇒ Boolean

Returns true if Exec-Shield is enabled

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 177

# Reports whether Exec-Shield is switched on.
#
# Reads /proc/sys/kernel/exec-shield through cmd_exec and treats the values
# '1' and '2' as enabled. A missing file produces non-matching output and is
# therefore reported as false, not as an error.
#
# @return [Boolean] true when the stripped output is '1' or '2'
# @raise [RuntimeError] if reading the value raises a StandardError
def exec_shield_enabled?
  setting = cmd_exec('cat /proc/sys/kernel/exec-shield').to_s.strip
  %w[1 2].include?(setting)
rescue StandardError
  raise 'Could not determine exec-shield status'
end

#grsec_installed? ⇒ Boolean

Returns true if grsecurity is installed

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 242

# Reports whether grsecurity appears to be installed.
#
# The check is the presence of the character device /dev/grsec: the shell
# prints "true" only when `test -c` succeeds.
#
# @return [Boolean] true when the command output contains 'true'
# @raise [RuntimeError] if running the check raises a StandardError
def grsec_installed?
  probe = cmd_exec('test -c /dev/grsec && echo true').to_s.strip
  probe.include?('true')
rescue StandardError
  raise 'Could not determine grsecurity status'
end

#kaiser_enabled? ⇒ Boolean

Returns true if Kernel Address Isolation (KAISER) is enabled

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 130

# Reports whether the 'kaiser' CPU flag is listed by cpu_flags.
#
# @return [Boolean] true when 'kaiser' is one of the reported flags
# @raise [RuntimeError] if cpu_flags raises or returns nil (no flags found)
def kaiser_enabled?
  flags = cpu_flags
  flags.include?('kaiser')
rescue StandardError
  raise 'Could not determine KAISER status'
end

#kernel_config ⇒ Array

Returns the kernel boot config

Returns:

  • (Array)

# File 'lib/msf/core/post/linux/kernel.rb', line 61

# Reads the boot-time kernel configuration for the running kernel.
#
# The file /boot/config-<uname -r> is first tested for readability, then
# read; blank lines and lines starting with '#' are discarded.
#
# @return [Array<String>, nil] the remaining config lines, or nil when the
#   file is not readable, is empty, or holds only comments
# @raise [RuntimeError] if either command or the parsing raises a
#   StandardError (this includes a nil result from the readability check)
def kernel_config
  readable = cmd_exec('test -r /boot/config-`uname -r` && echo true')
  return nil unless readable.include?('true')

  raw = cmd_exec("cat /boot/config-`uname -r`").to_s.strip
  return nil if raw.empty?

  entries = raw.split("\n").map(&:strip).reject do |line|
    line.empty? || line.start_with?('#')
  end

  entries.empty? ? nil : entries
rescue StandardError
  raise 'Could not retrieve kernel config'
end

#kernel_hardware ⇒ String

Returns the kernel hardware

Returns:

  • (String)

# File 'lib/msf/core/post/linux/kernel.rb', line 52

# Returns the output of `uname -m` as produced by the uname helper.
#
# @return [String] whatever uname returns for the '-m' option
def kernel_hardware
  machine_option = '-m'
  uname(machine_option)
end

#kernel_modules ⇒ Array

Returns the kernel modules

Returns:

  • (Array)

# File 'lib/msf/core/post/linux/kernel.rb', line 82

# Lists the names of loaded kernel modules.
#
# Takes the leading run of non-space characters from each line of
# /proc/modules as read through cmd_exec.
#
# @return [Array<String>] one entry per matching line; empty when the output
#   is empty
# @raise [RuntimeError] if reading the file raises a StandardError
def kernel_modules
  listing = cmd_exec('cat /proc/modules').to_s
  listing.scan(/^[^ ]+/)
rescue StandardError
  raise 'Could not determine kernel modules'
end

#kernel_name ⇒ String

Returns the kernel name

Returns:

  • (String)

# File 'lib/msf/core/post/linux/kernel.rb', line 43

# Returns the output of `uname -s` as produced by the uname helper.
#
# @return [String] whatever uname returns for the '-s' option
def kernel_name
  name_option = '-s'
  uname(name_option)
end

#kernel_release ⇒ String

Returns the kernel release

Returns:

  • (String)

# File 'lib/msf/core/post/linux/kernel.rb', line 25

# Returns the output of `uname -r` as produced by the uname helper.
#
# @return [String] whatever uname returns for the '-r' option
def kernel_release
  release_option = '-r'
  uname(release_option)
end

#kernel_version ⇒ String

Returns the kernel version

Returns:

  • (String)

# File 'lib/msf/core/post/linux/kernel.rb', line 34

# Returns the output of `uname -v` as produced by the uname helper.
#
# @return [String] whatever uname returns for the '-v' option
def kernel_version
  version_option = '-v'
  uname(version_option)
end

#kpti_enabled? ⇒ Boolean

Returns true if Kernel Page-Table Isolation (KPTI) is enabled, false if not.

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 141

# Reports whether the 'pti' CPU flag is listed by cpu_flags.
#
# @return [Boolean] true when 'pti' is one of the reported flags
# @raise [RuntimeError] if cpu_flags raises or returns nil (no flags found)
def kpti_enabled?
  flags = cpu_flags
  flags.include?('pti')
rescue StandardError
  raise 'Could not determine KPTI status'
end

#kptr_restrict? ⇒ Boolean

Returns true if kernel pointer restriction is enabled

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 200

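# Reports whether kernel pointer exposure is restricted on the target.
#
# Reads /proc/sys/kernel/kptr_restrict through cmd_exec. Both '1' and '2' are
# restricting settings ('2' hides %pK pointers regardless of privilege), so
# either counts as enabled. Accepting only '1' would report the stricter
# setting as unrestricted. This mirrors the '1' or '2' handling used by
# aslr_enabled? and exec_shield_enabled?.
#
# @return [Boolean] true when the stripped output is '1' or '2'; false for
#   any other output, including an error message from cat
# @raise [RuntimeError] if reading the value raises a StandardError
def kptr_restrict?
  setting = cmd_exec('cat /proc/sys/kernel/kptr_restrict').to_s.strip
  %w[1 2].include?(setting)
rescue StandardError
  raise 'Could not determine kernel.kptr_restrict status'
end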

#lkrg_installed? ⇒ Boolean

Returns true if Linux Kernel Runtime Guard (LKRG) kernel module is installed

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 233

# Reports whether the Linux Kernel Runtime Guard module appears to be loaded.
#
# The check is the presence of the directory /proc/sys/lkrg: the shell
# prints "true" only when `test -d` succeeds.
#
# @return [Boolean] true when the command output contains 'true'
# @raise [RuntimeError] if running the check raises a StandardError
def lkrg_installed?
  probe = cmd_exec('test -d /proc/sys/lkrg && echo true').to_s.strip
  probe.include?('true')
rescue StandardError
  raise 'Could not determine LKRG status'
end

#mmap_min_addr ⇒ Integer

Returns mmap minimum address

Returns:

  • (Integer)

# File 'lib/msf/core/post/linux/kernel.rb', line 222

# Reads the vm.mmap_min_addr sysctl from the target.
#
# NOTE(review): the two return paths differ in type. A purely numeric value
# is handed back as the String that was read, while any other output gives
# the Integer 0. Callers that compare numerically must convert first.
#
# @return [String, Integer] the digit string read from
#   /proc/sys/vm/mmap_min_addr, or 0 when the output is not all digits
# @raise [RuntimeError] if reading the value raises a StandardError
def mmap_min_addr
  raw = cmd_exec('cat /proc/sys/vm/mmap_min_addr').to_s.strip
  raw =~ /\A\d+\z/ ? raw : 0
rescue StandardError
  raise 'Could not determine system mmap_min_addr'
end

#pax_installed? ⇒ Boolean

Returns true if PaX is installed

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 251

# Reports whether PaX appears to be present on the target.
#
# The check greps /proc/self/status for a "PaX:" line; the shell prints
# "true" only when grep finds a match.
#
# @return [Boolean] true when the command output contains 'true'
# @raise [RuntimeError] if running the check raises a StandardError
def pax_installed?
  probe = cmd_exec('/bin/grep -q "PaX:" /proc/self/status && echo true').to_s.strip
  probe.include?('true')
rescue StandardError
  raise 'Could not determine PaX status'
end

#selinux_enforcing? ⇒ Boolean

Returns true if SELinux is in enforcing mode

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 273

# Reports whether SELinux is in enforcing mode.
#
# Returns false straight away when selinux_installed? is false. Otherwise
# runs /usr/sbin/sestatus and looks for a "Current mode: enforcing" line.
# Any other mode gives false.
#
# @return [Boolean] true only when sestatus reports enforcing mode
# @raise [RuntimeError] if selinux_installed? raises, the command raises, or
#   the sestatus output does not mention 'SELinux' at all
def selinux_enforcing?
  return false unless selinux_installed?

  report = cmd_exec('/usr/sbin/sestatus').to_s.strip

  # Output without 'SELinux' means sestatus did not run as expected; the
  # bare raise is turned into the descriptive error by the rescue below.
  raise unless report.include?('SELinux')

  enforcing = report =~ /Current mode:\s*enforcing/
  enforcing ? true : false
rescue StandardError
  raise 'Could not determine SELinux status'
end

#selinux_installed? ⇒ Boolean

Returns true if SELinux is installed

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 262

# Reports whether SELinux appears to be present on the target.
#
# The check is whether the output of `id` contains the text 'context='.
#
# @return [Boolean] true when 'context=' appears in the `id` output
# @raise [RuntimeError] if running `id` raises a StandardError
def selinux_installed?
  identity = cmd_exec('id').to_s
  identity.include?('context=')
rescue StandardError
  raise 'Could not determine SELinux status'
end

#smap_enabled? ⇒ Boolean

Returns true if the kernel and hardware support Supervisor Mode Access Prevention (SMAP), false if not.

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 108

# Reports whether the 'smap' CPU flag is listed by cpu_flags.
#
# @return [Boolean] true when 'smap' is one of the reported flags
# @raise [RuntimeError] if cpu_flags raises or returns nil (no flags found)
def smap_enabled?
  flags = cpu_flags
  flags.include?('smap')
rescue StandardError
  raise 'Could not determine SMAP status'
end

#smep_enabled? ⇒ Boolean

Returns true if the kernel and hardware support Supervisor Mode Execution Protection (SMEP), false if not.

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 119

# Reports whether the 'smep' CPU flag is listed by cpu_flags.
#
# @return [Boolean] true when 'smep' is one of the reported flags
# @raise [RuntimeError] if cpu_flags raises or returns nil (no flags found)
def smep_enabled?
  flags = cpu_flags
  flags.include?('smep')
rescue StandardError
  raise 'Could not determine SMEP status'
end

#uname(opts = '-a') ⇒ String

Returns uname output

Returns:

  • (String)

# File 'lib/msf/core/post/linux/kernel.rb', line 14

# Runs `uname` on the target with the given options and returns its output.
#
# opts is interpolated into the command line without quoting or escaping,
# so it must be a fixed option string chosen by the calling code and never
# a value read from the target or from another untrusted source.
#
# @param opts [String] options appended after "uname " (defaults to '-a')
# @return [String] the command output with surrounding whitespace removed
# @raise [RuntimeError] if running the command raises a StandardError
def uname(opts = '-a')
  command = "uname #{opts}"
  cmd_exec(command).to_s.strip
rescue StandardError
  raise "Failed to run uname #{opts}"
end

#unprivileged_bpf_disabled? ⇒ Boolean

Returns true if unprivileged bpf is disabled

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 189

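# Reports whether unprivileged use of bpf() is disabled on the target.
#
# Reads /proc/sys/kernel/unprivileged_bpf_disabled through cmd_exec. The
# kernel documents both '1' (disabled, cannot be re-enabled until reboot)
# and '2' (disabled, an administrator may re-enable it) as disabling
# settings, so either counts as disabled. Accepting only '1' would report a
# host set to '2' as having unprivileged bpf available.
#
# @return [Boolean] true when the stripped output is '1' or '2'; false for
#   any other output, including an error message from cat
# @raise [RuntimeError] if reading the value raises a StandardError
def unprivileged_bpf_disabled?
  setting = cmd_exec('cat /proc/sys/kernel/unprivileged_bpf_disabled').to_s.strip
  %w[1 2].include?(setting)
rescue StandardError
  raise 'Could not determine kernel.unprivileged_bpf_disabled status'
end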

#userns_enabled? ⇒ Boolean

Returns true if user namespaces are enabled, false if not.

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 152

# Reports whether user namespaces look usable on the target.
#
# Two sysctls are read in order, and the result is false as soon as one of
# them reads exactly '0'. The second is not read when the first already says
# '0'. Note that a missing file does not read as '0', so a target lacking
# either sysctl is reported as enabled.
#
# @return [Boolean] false when max_user_namespaces or
#   unprivileged_userns_clone reads '0', true otherwise
# @raise [RuntimeError] if reading either value raises a StandardError
def userns_enabled?
  probes = [
    'cat /proc/sys/user/max_user_namespaces',
    'cat /proc/sys/kernel/unprivileged_userns_clone'
  ]

  # none? stops at the first probe that reads '0'.
  probes.none? { |probe| cmd_exec(probe).to_s.strip == '0' }
rescue StandardError
  raise 'Could not determine userns status'
end

#yama_enabled? ⇒ Boolean

Returns true if Yama is enabled

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 303

# Reports whether Yama ptrace restrictions are active.
#
# Returns false straight away when yama_installed? is false. Otherwise reads
# /proc/sys/kernel/yama/ptrace_scope and treats every value other than '0'
# as enabled.
#
# @return [Boolean] true when Yama is installed and ptrace_scope is not '0'
# @raise [RuntimeError] if yama_installed? or the read raises a StandardError
def yama_enabled?
  return false unless yama_installed?

  scope = cmd_exec('cat /proc/sys/kernel/yama/ptrace_scope').to_s.strip
  scope != '0'
rescue StandardError
  raise 'Could not determine Yama status'
end

#yama_installed? ⇒ Boolean

Returns true if Yama is installed

Returns:

  • (Boolean)

# File 'lib/msf/core/post/linux/kernel.rb', line 290

# Reports whether the Yama security module appears to be present.
#
# The check is whether /proc/sys/kernel/yama/ptrace_scope reads as exactly
# one digit; any other output (such as an error from cat) gives false.
#
# @return [Boolean] true when the stripped output is a single digit
# @raise [RuntimeError] if reading the value raises a StandardError
def yama_installed?
  scope = cmd_exec('cat /proc/sys/kernel/yama/ptrace_scope').to_s.strip
  scope =~ /\A\d\z/ ? true : false
rescue StandardError
  raise 'Could not determine Yama status'
end