documentation/modules/post/multi/recon/local_exploit_suggester.md

The Local Exploit Suggester is a post-exploitation module that you can use to check a system for local vulnerabilities. It performs local exploit checks; it does not actually run any exploits, which is useful because this means you to scan a system without being intrusive. In addition to being stealthy, it's a time saver. You don't have to manually search for local exploits that will work; it'll show you which exploits the target is vulnerable to based on the system's platform and architecture.

The Local Exploit Suggester is available for Python, PHP, Mettle, Java and Windows Meterpreter.

## Vulnerable Application

To use the Local Exploit Suggester:

* You must have an open Meterpreter or shell session.

## Verification Steps

Please see the Overview section.

## Options

You can set the following options for the Local Exploit Suggester:

* **SHOWDESCRIPTION** - Set this option to true to see more details about each exploit.
* **ValidateArch** - This option lets us toggle whether or not a mismatch in session and module architecture should be validated or ignored.
* **ValidatePlatform** - This option lets us toggle whether or not a mismatch in session and module platform should be validated or ignored.
* **ValidateMeterpreterCommands** - This option lets us toggle whether or not Meterpreter commands that are missing from the current Meterpreter implementation should be validated or ignored.
* **Colors** - Similar to the option used for `HttpTrace`. This lets us change the colors used to show valid, invalid and ignored options or incompatibilities. Unsetting this option results in no colored output.

## Scenarios

When the Local Exploit Suggester runs, it displays a list of local exploits that the target may be vulnerable to, and it tells the user the likelihood of exploitation.

It also tells the user why the `check` methods for some exploits did not complete successfully, allowing for easier debugging.

Furthermore, with the `Verbose` option turned on, a table is printed showing modules that were not considered as valid for the current session, and gives reasons as to why.

The following terms are used to help you understand how vulnerable a target is to a particular exploit:

* **Vulnerable** - Indicates that the target is vulnerable. 
* **Appears** - Indicates that the target may be vulnerable based on the file version, but the vulnerable code has not been tested. 
* **Detected** - Indicates that the target has the file, but it cannot be determined whether or not the target is vulnerable. 

## Table Output

### Valid Modules

This table is shown by default, and shows which exploits have had their `check` methods executed, and provides information on the returned result.

Below is an example of how this table could look:

```
msf6 post(multi/recon/local_exploit_suggester) > run SESSION=-1 Verbose=false

[*] ::1 - Valid modules for session 3:
============================

 #   Name                                                                Potentially Vulnerable?  Check Result
 -   ----                                                                -----------------------  ------------
 1   exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec                 Yes                      The target is vulnerable.
 2   exploit/linux/local/cve_2022_0847_dirtypipe                         Yes                      The target appears to be vulnerable. Linux kernel version found: 5.14.0
 3   exploit/linux/local/cve_2022_0995_watch_queue                       Yes                      The target appears to be vulnerable.
 4   exploit/linux/local/desktop_privilege_escalation                    Yes                      The target is vulnerable.
 5   exploit/linux/local/network_manager_vpnc_username_priv_esc          Yes                      The service is running, but could not be validated.
 6   exploit/linux/local/pkexec                                          Yes                      The service is running, but could not be validated.
 7   exploit/linux/local/polkit_dbus_auth_bypass                         Yes                      The service is running, but could not be validated. Detected polkit framework version 0.105.
 8   exploit/linux/local/su_login                                        Yes                      The target appears to be vulnerable.
 9   exploit/android/local/futex_requeue                                 No                       The check raised an exception.
 10  exploit/linux/local/abrt_raceabrt_priv_esc                          No                       The target is not exploitable.
 11  exploit/linux/local/abrt_sosreport_priv_esc                         No                       The target is not exploitable.
 12  exploit/linux/local/af_packet_chocobo_root_priv_esc                 No                       The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable
 13  exploit/linux/local/af_packet_packet_set_ring_priv_esc              No                       The target is not exploitable.
 14  exploit/linux/local/apport_abrt_chroot_priv_esc                     No                       The target is not exploitable.
 15  exploit/linux/local/asan_suid_executable_priv_esc                   No                       The check raised an exception.
 16  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc          No                       The target is not exploitable.
 ...
 More modules here
 ...
```

When output to a terminal window with the `Colors` datastore option set, the table rows are highlighted appropriately based on the `Check Result`.

### Incompatible Modules

This table is hidden behind the `Verbose` toggle.

It provides a list of modules that did not have their `check` method executed, and provides information as to why a module is not compatible with the current session.

Below is an example of how this table could look:

```
msf6 post(multi/recon/local_exploit_suggester) > run SESSION=-1 Verbose=true ValidateArch=false ValidatePlatform=true

...
Valid modules table here
...

[*] ::1 - Current Session Info:
[*] ::1 - Session Type: meterpreter
[*] ::1 - Architecture: x64
[*] ::1 - Platform: linux
[*] ::1 - Incompatible modules for session 3:
==============================

 #    Name                                                                    Reasons                                                                                Platform       Architecture                                   Session Type
 -    ----                                                                    -------                                                                                --------       ------------                                   ------------
 1    exploit/aix/local/ibstat_path                                           Not Compatible (platform, session type)                                                Unix           cmd                                            No defined session types
 2    exploit/aix/local/xorg_x11_server                                       Not Compatible (platform, session type)                                                Unix           cmd                                            shell
 3    exploit/android/local/janus                                             Not Compatible (platform)                                                              Android        dalvik                                         meterpreter
 4    exploit/freebsd/local/intel_sysret_priv_esc                             Not Compatible (platform, session type)                                                BSD            x64                                            shell
 5    exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc                        Not Compatible (platform, session type)                                                BSD            x64                                            shell
 6    exploit/freebsd/local/mmap                                              Not Compatible (platform, session type)                                                BSD            x86                                            shell
 7    exploit/freebsd/local/rtld_execl_priv_esc                               Not Compatible (platform, session type)                                                BSD            x86, x64, armle, aarch64, ppc, mipsle, mipsbe  shell
 8    exploit/freebsd/local/watchguard_fix_corrupt_mail                       Not Compatible (platform, session type)                                                BSD            x64                                            shell
 9    exploit/linux/local/vmware_mount                                        Not Compatible (session type)                                                          Linux          x86                                            No defined session types
 10   exploit/openbsd/local/dynamic_loader_chpass_privesc                     Not Compatible (platform, session type)                                                BSD, Unix      cmd                                            shell
 11   exploit/osx/local/cfprefsd_race_condition                               Not Compatible (platform, session type)                                                OSX            x64                                            No defined session types
 12   exploit/osx/local/dyld_print_to_file_root                               Not Compatible (platform, session type)                                                OSX            x64                                            shell
 13   exploit/osx/local/feedback_assistant_root                               Not Compatible (platform)                                                              OSX            x64                                            meterpreter, shell
 14   exploit/osx/local/iokit_keyboard_root                                   Not Compatible (platform)                                                              OSX            x64                                            shell, meterpreter
 15   exploit/osx/local/libxpc_mitm_ssudo                                     Not Compatible (platform, session type)                                                OSX            x64                                            No defined session types
```
Note: In the table above, the session architecture is reported as `x64`. However, it is not considered as 'incompatible' as the `ValidateArch=false` option was used.

When the above is output to a terminal, the incompatibilities for a specific module (e.g. architecture or platform mismatch) are output in a different color if enabled with the `Color` datastore option.
Adding docs for Lester https://issues.corp.rapid7.com/browse/MS-1193 2016-03-24 16:51:02 -05:00			`The Local Exploit Suggester is a post-exploitation module that you can use to check a system for local vulnerabilities. It performs local exploit checks; it does not actually run any exploits, which is useful because this means you to scan a system without being intrusive. In addition to being stealthy, it's a time saver. You don't have to manually search for local exploits that will work; it'll show you which exploits the target is vulnerable to based on the system's platform and architecture.`

Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`The Local Exploit Suggester is available for Python, PHP, Mettle, Java and Windows Meterpreter.`
Adding docs for Lester https://issues.corp.rapid7.com/browse/MS-1193 2016-03-24 16:51:02 -05:00
			`## Vulnerable Application`

			`To use the Local Exploit Suggester:`

Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`* You must have an open Meterpreter or shell session.`
Adding docs for Lester https://issues.corp.rapid7.com/browse/MS-1193 2016-03-24 16:51:02 -05:00
			`## Verification Steps`

			`Please see the Overview section.`

Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`## Options`
Adding docs for Lester https://issues.corp.rapid7.com/browse/MS-1193 2016-03-24 16:51:02 -05:00
			`You can set the following options for the Local Exploit Suggester:`

Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`* SHOWDESCRIPTION - Set this option to true to see more details about each exploit.`
			`* ValidateArch - This option lets us toggle whether or not a mismatch in session and module architecture should be validated or ignored.`
			`* ValidatePlatform - This option lets us toggle whether or not a mismatch in session and module platform should be validated or ignored.`
			`* ValidateMeterpreterCommands - This option lets us toggle whether or not Meterpreter commands that are missing from the current Meterpreter implementation should be validated or ignored.`
			* Colors - Similar to the option used for `HttpTrace`. This lets us change the colors used to show valid, invalid and ignored options or incompatibilities. Unsetting this option results in no colored output.
Adding docs for Lester https://issues.corp.rapid7.com/browse/MS-1193 2016-03-24 16:51:02 -05:00
			`## Scenarios`

Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`When the Local Exploit Suggester runs, it displays a list of local exploits that the target may be vulnerable to, and it tells the user the likelihood of exploitation.`

Add 'run' commands to Local Exploit Suggester docs 2022-05-25 11:50:18 +01:00			It also tells the user why the `check` methods for some exploits did not complete successfully, allowing for easier debugging.
Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00
			Furthermore, with the `Verbose` option turned on, a table is printed showing modules that were not considered as valid for the current session, and gives reasons as to why.

Adding docs for Lester https://issues.corp.rapid7.com/browse/MS-1193 2016-03-24 16:51:02 -05:00			`The following terms are used to help you understand how vulnerable a target is to a particular exploit:`

			`* Vulnerable - Indicates that the target is vulnerable.`
			`* Appears - Indicates that the target may be vulnerable based on the file version, but the vulnerable code has not been tested.`
Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`* Detected - Indicates that the target has the file, but it cannot be determined whether or not the target is vulnerable.`

			`## Table Output`

			`### Valid Modules`

			This table is shown by default, and shows which exploits have had their `check` methods executed, and provides information on the returned result.

			`Below is an example of how this table could look:`

			```
Add 'run' commands to Local Exploit Suggester docs 2022-05-25 11:50:18 +01:00			`msf6 post(multi/recon/local_exploit_suggester) > run SESSION=-1 Verbose=false`

Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`[*] ::1 - Valid modules for session 3:`
			`============================`

			`# Name Potentially Vulnerable? Check Result`
			`- ---- ----------------------- ------------`
			`1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.`
			`2 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.14.0`
			`3 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.`
			`4 exploit/linux/local/desktop_privilege_escalation Yes The target is vulnerable.`
			`5 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.`
			`6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.`
			`7 exploit/linux/local/polkit_dbus_auth_bypass Yes The service is running, but could not be validated. Detected polkit framework version 0.105.`
			`8 exploit/linux/local/su_login Yes The target appears to be vulnerable.`
			`9 exploit/android/local/futex_requeue No The check raised an exception.`
			`10 exploit/linux/local/abrt_raceabrt_priv_esc No The target is not exploitable.`
			`11 exploit/linux/local/abrt_sosreport_priv_esc No The target is not exploitable.`
			`12 exploit/linux/local/af_packet_chocobo_root_priv_esc No The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable`
			`13 exploit/linux/local/af_packet_packet_set_ring_priv_esc No The target is not exploitable.`
			`14 exploit/linux/local/apport_abrt_chroot_priv_esc No The target is not exploitable.`
			`15 exploit/linux/local/asan_suid_executable_priv_esc No The check raised an exception.`
			`16 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc No The target is not exploitable.`
Add 'run' commands to Local Exploit Suggester docs 2022-05-25 11:50:18 +01:00			`...`
			`More modules here`
			`...`
Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			```

			When output to a terminal window with the `Colors` datastore option set, the table rows are highlighted appropriately based on the `Check Result`.

Add 'run' commands to Local Exploit Suggester docs 2022-05-25 11:50:18 +01:00			`### Incompatible Modules`
Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00
			This table is hidden behind the `Verbose` toggle.

			It provides a list of modules that did not have their `check` method executed, and provides information as to why a module is not compatible with the current session.

			`Below is an example of how this table could look:`

			```
Add 'run' commands to Local Exploit Suggester docs 2022-05-25 11:50:18 +01:00			`msf6 post(multi/recon/local_exploit_suggester) > run SESSION=-1 Verbose=true ValidateArch=false ValidatePlatform=true`

			`...`
			`Valid modules table here`
			`...`

Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`[*] ::1 - Current Session Info:`
			`[*] ::1 - Session Type: meterpreter`
			`[*] ::1 - Architecture: x64`
			`[*] ::1 - Platform: linux`
Add 'run' commands to Local Exploit Suggester docs 2022-05-25 11:50:18 +01:00			`[*] ::1 - Incompatible modules for session 3:`
Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00			`==============================`

			`# Name Reasons Platform Architecture Session Type`
			`- ---- ------- -------- ------------ ------------`
			`1 exploit/aix/local/ibstat_path Not Compatible (platform, session type) Unix cmd No defined session types`
			`2 exploit/aix/local/xorg_x11_server Not Compatible (platform, session type) Unix cmd shell`
			`3 exploit/android/local/janus Not Compatible (platform) Android dalvik meterpreter`
			`4 exploit/freebsd/local/intel_sysret_priv_esc Not Compatible (platform, session type) BSD x64 shell`
			`5 exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc Not Compatible (platform, session type) BSD x64 shell`
			`6 exploit/freebsd/local/mmap Not Compatible (platform, session type) BSD x86 shell`
			`7 exploit/freebsd/local/rtld_execl_priv_esc Not Compatible (platform, session type) BSD x86, x64, armle, aarch64, ppc, mipsle, mipsbe shell`
			`8 exploit/freebsd/local/watchguard_fix_corrupt_mail Not Compatible (platform, session type) BSD x64 shell`
			`9 exploit/linux/local/vmware_mount Not Compatible (session type) Linux x86 No defined session types`
			`10 exploit/openbsd/local/dynamic_loader_chpass_privesc Not Compatible (platform, session type) BSD, Unix cmd shell`
			`11 exploit/osx/local/cfprefsd_race_condition Not Compatible (platform, session type) OSX x64 No defined session types`
			`12 exploit/osx/local/dyld_print_to_file_root Not Compatible (platform, session type) OSX x64 shell`
			`13 exploit/osx/local/feedback_assistant_root Not Compatible (platform) OSX x64 meterpreter, shell`
			`14 exploit/osx/local/iokit_keyboard_root Not Compatible (platform) OSX x64 shell, meterpreter`
			`15 exploit/osx/local/libxpc_mitm_ssudo Not Compatible (platform, session type) OSX x64 No defined session types`
			```
Add 'run' commands to Local Exploit Suggester docs 2022-05-25 11:50:18 +01:00			Note: In the table above, the session architecture is reported as `x64`. However, it is not considered as 'incompatible' as the `ValidateArch=false` option was used.
Update Local Exploit Suggester documentation 2022-05-24 14:48:40 +01:00
			When the above is output to a terminal, the incompatibilities for a specific module (e.g. architecture or platform mismatch) are output in a different color if enabled with the `Color` datastore option.