exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 21 of 21 RSS Feed

Files from halfdog

Email addressme at halfdog.net
First Active2010-11-03
Last Active2018-06-12
glibc 'realpath()' Privilege Escalation
Posted Jun 12, 2018
Authored by halfdog, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This Metasploit module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This Metasploit module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1.

tags | exploit, shell, root
systems | linux, debian, ubuntu
advisories | CVE-2018-1000001
SHA-256 | 80545f11c3dbaf619131e029fba6bb2504458083b7b4795f41fd9210ad2c35da
glibc getcwd() Local Privilege Escalation
Posted Jan 18, 2018
Authored by halfdog

glibc suffers from a getcwd() local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2018-1000001
SHA-256 | b441728a6b8ed19a7661442e1bc22c727e93a78e559d6c68e57e3d8ca1f50f52
Ubuntu PT Chown Privilege Escalation
Posted Apr 1, 2017
Authored by halfdog

Ubuntu versions prior to 15.10 suffer from a PT chown arbitrary PTs access via user namespace privilege escalation vulnerability.

tags | exploit, arbitrary
systems | linux, ubuntu
advisories | CVE-2016-2856
SHA-256 | ebfda6a018f1d7bdcee1fac1fe9bffc5393c7667fb1b61ffa9a97d92473d2f4f
NTP Privilege Escalation
Posted Apr 1, 2017
Authored by halfdog

NTP suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2016-0727
SHA-256 | 8d030faabc096e431057616fc15a37c36b8595519b0f4b3b9895b50fc5eea65d
AUFS (Ubuntu 15.10) Privilege Escalation
Posted Apr 1, 2017
Authored by halfdog

AUFS (Ubuntu 15.10) suffers from an allow_userns fuse/xattr user namespaces privilege escalation vulnerability.

tags | exploit
systems | linux, ubuntu
advisories | CVE-2016-2853, CVE-2016-2854
SHA-256 | 20b06274c846785d08a17e0785b09b252e022b89872f6b1806dfba387493b3c6
Linux Kernel 2.6.32 Privilege Escalation
Posted Apr 1, 2017
Authored by halfdog

Linux kernel version 2.6.32 (Ubuntu 10.04) suffers from a /proc handling setuid privilege escalation vulnerability.

tags | exploit, kernel
systems | linux, ubuntu
advisories | CVE-2011-1020
SHA-256 | 3594c9413e10a2969f55206fd998c42d9a560202fece7a9015817bf484936e19
Man-db 2.6.7.1 Privilege Escalation
Posted Jan 27, 2017
Authored by halfdog

Man-db version 2.6.7.1 suffers from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2015-1336
SHA-256 | f3321c2590d0256d676629cb16846a5fc76289a0847e035b3cf4b146833e2461
Debian Exim Spool Local Root Privilege Escalation
Posted Jul 4, 2016
Authored by halfdog

Exim4 in some variants is started as root but switches to uid/gid Debian-exim/Debian-exim. But as Exim might need to store received messages in user mailboxes, it has to have the ability to regain privileges. This is also true when Exim is started as "sendmail". During internal operation, sendmail (Exim) will manipulate message spool files in directory structures owned by user "Debian-exim" without caring about symlink attacks. Thus execution of code as user "Debian-exim" can be used to gain root privileges by invoking "sendmail" as user "Debian-exim".

tags | exploit, root
systems | linux, debian
SHA-256 | bd74c62b27f39b7f46709bc09cd8804cada21ce8799966cc4bc67706ff142d5b
Linux Kernel USERNS Issues
Posted Feb 26, 2016
Authored by halfdog

The Linux kernel suffers from multiple privilege escalation vulnerabilities.

tags | advisory, kernel, vulnerability
systems | linux
SHA-256 | 0b1307cf1bccf05f7afed496f827ea994587f2a9aabae71db2922ee6a1d127fd
Linux Kernel overlayfs Local Privilege Escalation
Posted Jan 11, 2016
Authored by halfdog

This program demonstrates how to escalate privileges using an overlayfs mount within a user namespace.

tags | exploit
SHA-256 | 245a67dc153f223afb9bd229d16d9f5c37310e1f46c7558980b40f8cb6ac3420
Ubuntu catman Local Privilege Escalation
Posted Dec 16, 2015
Authored by halfdog

This is a short article on how to escalate privileges from man/man to root/root via the "catman" cron job.

tags | exploit, root
SHA-256 | 175278cb086bb0f7bb489a8359cc3e5d03b693facbe6d7c758563828b7199624
Ubuntu setgid Directory Privilege Escalation
Posted Dec 16, 2015
Authored by halfdog

This is a short article how to use the setgid directory /var/cache/man to escalate privileges from man/man to man/root on Ubuntu Vivid.

tags | exploit, root
systems | linux, ubuntu
SHA-256 | 3814fe1e9b83323aa0084f50fe299d22950a17ddb5de4ff5dab6bed52b7cc86c
Ubuntu Apport kernel_crashdump Symlink
Posted Sep 26, 2015
Authored by halfdog

This is a short write-up of the Ubuntu Apport kernel_crashdump symlink vulnerabilities along with some proof of concept code.

tags | exploit, vulnerability, proof of concept
systems | linux, ubuntu
advisories | CVE-2015-1338
SHA-256 | 6ad9dbf653da822a763a4a0ee8845d1ea92def27b988d96ac422f942ecd40aac
Ubuntu Vivid Upstart Privilege Escalation
Posted Mar 2, 2015
Authored by halfdog

Ubuntu Vivid Upstart suffers from a logrotate privilege escalation vulnerability.

tags | exploit
systems | linux, ubuntu
SHA-256 | 57ba2d59b5541f853776351cd1d83860c51f823ac02e23145009c9b6c6f926b2
vm86 Syscall Linux Root Privilege Escalation
Posted Jan 7, 2014
Authored by halfdog

The initial observation was, that the linux vm86 syscall, which allows to use the virtual-8086 mode from userspace for emulating of old 8086 software as done with dosemu, was prone to trigger FPU errors. Closer analysis showed, that in general, the handling of the FPU control register and unhandled FPU-exception could trigger CPU-exceptions at unexpected locations, also in ring-0 code. Proof of concept code included.

tags | exploit, proof of concept
systems | linux
SHA-256 | c0d7b7b3940841dcb9f666f46a4adb35352ef1442a9a3e3f3fde132e5689e1ef
VM86 Syscall Kernel Panic
Posted Dec 29, 2013
Authored by halfdog

This program maps memory pages to the low range above 64k to avoid conflicts with /proc/sys/vm/mmap_min_addr and then triggers the virtual-86 mode. Due to unhandled FPU errors, task switch will fail afterwards, kernel will attempt to kill other tasks when switching.

tags | exploit, kernel
SHA-256 | ad658d72431edc17d84f7ede3e6041ec2ef755c6e9a6f0e063d9951b0dd8656f
Linux binfmt_script Disclosure
Posted Oct 11, 2012
Authored by halfdog

Linux kernel binfmt_script handling in combination with CONFIG_MODULES can lead to disclosure of kernel stack data during execve via copy of data from dangling pointer to stack to growing argv list. Apart from that, the BINPRM_MAX_RECURSION can be exceeded: the maximum of 4 recursions is ignored, instead a maximum of roughly 2^6 recursions is in place. Proof of concept included.

tags | exploit, kernel, proof of concept, info disclosure
systems | linux
SHA-256 | 7bd378909366bd639a1af332dc8a07b872f1dbfc3c0f252621b3c7a24e1876ab
Oracle VM VirtualBox 4.1 Denial Of Service
Posted Sep 10, 2012
Authored by halfdog

Oracle VM VirtualBox version 4.1 suffers from a local denial of service vulnerability.

tags | exploit, denial of service, local
SHA-256 | 25f2cbb5e9534b8b6dade71c9587a5ad6a4181529ef1f4caa5a558b8f5d28627
Apache Scoreboard Invalid Free
Posted Jan 13, 2012
Authored by halfdog

Modification of Apache Scoreboard data, shared by root (uid=0) and www-data process, allows triggering of invalid free in root process during apache shutdown, exploitation seems impossible except for really broken chroot configs.

tags | advisory, root
SHA-256 | c4fca211361fbba0c2cbccb0c6f798909ec36dbe33e746db01cba353100298ff
Apache ap_pregsub Integer Overflow
Posted Nov 2, 2011
Authored by halfdog

An exploitable integer overflow in Apache allows a remote attacker to crash the process or perform execution of arbitrary code as the user running Apache. To exploit the vulnerability, a crafted .htaccess file has to be placed on the server.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2011-3607
SHA-256 | de93709165ae3da045b8b7cd8bcaa006e9c80ce8ed576e25755ced04b4c304ff
Unmount Any Filesystem Using fusermount
Posted Nov 3, 2010
Authored by halfdog | Site halfdog.net

At least on ubuntu lucid, the fusermount tool contains a timerace mounting a user filesystem and updating mtab, thus mtab entries with arbitrary paths can be created. Crafted mtab entries can then be used to unmount live parts of the filesystem. Proof of concept code included.

tags | exploit, arbitrary, proof of concept
systems | linux, ubuntu
SHA-256 | 042dadda335de672c21630853a0e117fb84f2a7885909c01be5c0e5ea8732cd2
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close