Files from halfdog

Email address: me at halfdog.net
First Active: 2010-11-03
Last Active: 2018-06-12

glibc 'realpath()' Privilege Escalation
Posted Jun 12, 2018
Authored by halfdog, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This Metasploit module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This Metasploit module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1.

tags | exploit, shell, root
systems | linux, debian, ubuntu
advisories | CVE-2018-1000001
MD5 | fdde72feb2388aee3f2e93395c3c6363
glibc getcwd() Local Privilege Escalation
Posted Jan 18, 2018
Authored by halfdog

glibc suffers from a getcwd() local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2018-1000001
MD5 | e79c3ac4621ad3e8b1aa9ccefe2bfd86
Ubuntu PT Chown Privilege Escalation
Posted Apr 1, 2017
Authored by halfdog

Ubuntu versions prior to 15.10 suffer from a PT chown arbitrary PTs access via user namespace privilege escalation vulnerability.

tags | exploit, arbitrary
systems | linux, ubuntu
advisories | CVE-2016-2856
MD5 | 1edc53deff5109a7d4082c9a466ae251
NTP Privilege Escalation
Posted Apr 1, 2017
Authored by halfdog

NTP suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2016-0727
MD5 | f0332636d6c950483b8adc38e39c671a
AUFS (Ubuntu 15.10) Privilege Escalation
Posted Apr 1, 2017
Authored by halfdog

AUFS (Ubuntu 15.10) suffers from an allow_userns fuse/xattr user namespaces privilege escalation vulnerability.

tags | exploit
systems | linux, ubuntu
advisories | CVE-2016-2853, CVE-2016-2854
MD5 | a9c05306851868e3765775b5ea049f69
Linux Kernel 2.6.32 Privilege Escalation
Posted Apr 1, 2017
Authored by halfdog

Linux kernel version 2.6.32 (Ubuntu 10.04) suffers from a /proc handling setuid privilege escalation vulnerability.

tags | exploit, kernel
systems | linux, ubuntu
advisories | CVE-2011-1020
MD5 | c88f9d10aef483344a49e72d50ebabca
Man-db 2.6.7.1 Privilege Escalation
Posted Jan 27, 2017
Authored by halfdog

Man-db version 2.6.7.1 suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2015-1336
MD5 | 23f5fea9cfaaa2a928d8b54c7cb5fc5d
Debian Exim Spool Local Root Privilege Escalation
Posted Jul 4, 2016
Authored by halfdog

Exim4 in some variants is started as root but switches to uid/gid Debian-exim/Debian-exim. But as Exim might need to store received messages in user mailboxes, it has to have the ability to regain privileges. This is also true when Exim is started as "sendmail". During internal operation, sendmail (Exim) will manipulate message spool files in directory structures owned by user "Debian-exim" without caring about symlink attacks. Thus execution of code as user "Debian-exim" can be used to gain root privileges by invoking "sendmail" as user "Debian-exim".

tags | exploit, root
systems | linux, debian
MD5 | 3852a5b85ee8ce158dfbcc3920ad337b
Linux Kernel USERNS Issues
Posted Feb 26, 2016
Authored by halfdog

The Linux kernel suffers from multiple privilege escalation vulnerabilities.

tags | advisory, kernel, vulnerability
systems | linux
MD5 | 09817dae36349933c47ed3d5daa8be3f
Linux Kernel overlayfs Local Privilege Escalation
Posted Jan 11, 2016
Authored by halfdog

This program demonstrates how to escalate privileges using an overlayfs mount within a user namespace.

tags | exploit
MD5 | cb6b4abeadb8fc888ce3a689c7f64f7c
Ubuntu catman Local Privilege Escalation
Posted Dec 16, 2015
Authored by halfdog

This is a short article on how to escalate privileges from man/man to root/root via the "catman" cron job.

tags | exploit, root
MD5 | c59187b0caafeb436bdadd7d370e1bb8
Ubuntu setgid Directory Privilege Escalation
Posted Dec 16, 2015
Authored by halfdog

This is a short article on how to use the setgid directory /var/cache/man to escalate privileges from man/man to man/root on Ubuntu Vivid.

tags | exploit, root
systems | linux, ubuntu
MD5 | 44baa6c723dc17fc0df64dd54c01c4ae
Ubuntu Apport kernel_crashdump Symlink
Posted Sep 26, 2015
Authored by halfdog

This is a short write-up of the Ubuntu Apport kernel_crashdump symlink vulnerabilities along with some proof of concept code.

tags | exploit, vulnerability, proof of concept
systems | linux, ubuntu
advisories | CVE-2015-1338
MD5 | c31a63cba229a9419f43183d7f48eab0
Ubuntu Vivid Upstart Privilege Escalation
Posted Mar 2, 2015
Authored by halfdog

Ubuntu Vivid Upstart suffers from a logrotate privilege escalation vulnerability.

tags | exploit
systems | linux, ubuntu
MD5 | 554e49941bf10a5161fb9223087679f8
vm86 Syscall Linux Root Privilege Escalation
Posted Jan 7, 2014
Authored by halfdog

The initial observation was that the Linux vm86 syscall, which allows use of the virtual-8086 mode from userspace for emulating old 8086 software as done with dosemu, was prone to trigger FPU errors. Closer analysis showed that, in general, the handling of the FPU control register and unhandled FPU exceptions could trigger CPU exceptions at unexpected locations, also in ring-0 code. Proof of concept code included.

tags | exploit, proof of concept
systems | linux
MD5 | d51c172c2a52d41901fa4a885e01e0af
VM86 Syscall Kernel Panic
Posted Dec 29, 2013
Authored by halfdog

This program maps memory pages to the low range above 64k to avoid conflicts with /proc/sys/vm/mmap_min_addr and then triggers the virtual-86 mode. Due to unhandled FPU errors, the task switch will fail afterwards, and the kernel will attempt to kill other tasks when switching.

tags | exploit, kernel
MD5 | 9075820ac0281d8a25b589a6ca7c9d0a
Linux binfmt_script Disclosure
Posted Oct 11, 2012
Authored by halfdog

Linux kernel binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve via copy of data from dangling pointer to stack to growing argv list. Apart from that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored, instead a maximum of roughly 2^6 recursions is in place. Proof of concept included.

tags | exploit, kernel, proof of concept, info disclosure
systems | linux
MD5 | cd7a6236999b27cd9c3e4c0859b86a37
Oracle VM VirtualBox 4.1 Denial Of Service
Posted Sep 10, 2012
Authored by halfdog

Oracle VM VirtualBox version 4.1 suffers from a local denial of service vulnerability.

tags | exploit, denial of service, local
MD5 | e34dc728ed8bca91d836fb3d4e237b01
Apache Scoreboard Invalid Free
Posted Jan 13, 2012
Authored by halfdog

Modification of Apache Scoreboard data, shared by the root (uid=0) and www-data processes, allows triggering of an invalid free in the root process during Apache shutdown. Exploitation seems impossible except for really broken chroot configs.

tags | advisory, root
MD5 | 05955092fc7ef0281eaa5d83e93e8741
Apache ap_pregsub Integer Overflow
Posted Nov 2, 2011
Authored by halfdog

An exploitable integer overflow in Apache allows a remote attacker to crash the process or perform execution of arbitrary code as the user running Apache. To exploit the vulnerability, a crafted .htaccess file has to be placed on the server.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2011-3607
MD5 | f9466031332b63edd0d3f81bf7a3ff6f
Unmount Any Filesystem Using fusermount
Posted Nov 3, 2010
Authored by halfdog | Site halfdog.net

At least on Ubuntu Lucid, the fusermount tool contains a time race between mounting a user filesystem and updating mtab, so mtab entries with arbitrary paths can be created. Crafted mtab entries can then be used to unmount live parts of the filesystem. Proof of concept code included.

tags | exploit, arbitrary, proof of concept
systems | linux, ubuntu
MD5 | c91e20f9a8b0551c002beafa0000611b

© 2018 Packet Storm. All rights reserved.