Twenty Year Anniversary
Showing 1 - 25 of 42 RSS Feed

Files from Brendan Coles

Email addressbcoles at gmail.com
First Active2011-06-24
Last Active2018-05-22
AF_PACKET chocobo_root Privilege Escalation
Posted May 22, 2018
Authored by rebel, Brendan Coles | Site metasploit.com

This Metasploit module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. This Metasploit module has been tested successfully on Linux Mint 17.3 (x86_64); Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel versions 4.4.0-45-generic and 4.4.0-51-generic.

tags | exploit, kernel, root
systems | linux, ubuntu
advisories | CVE-2016-8655
MD5 | 4e74e49fb99838182c2b1099fc25b230
Reliable Datagram Sockets (RDS) Privilege Escalation
Posted May 19, 2018
Authored by Dan Rosenberg, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This Metasploit module has been tested successfully on Fedora 13 (i686) with kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2010-3904
MD5 | ca0aaa65162c3d2e20a520b81415f4ae
AF_PACKET packet_set_ring Privilege Escalation
Posted May 17, 2018
Authored by Brendan Coles, Andrey Konovalov | Site metasploit.com

This Metasploit module exploits a heap-out-of-bounds write in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2017-7308). The bug was initially introduced in 2011 and patched in version 4.10.6, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46, including Linux distros based on Ubuntu Xenial, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. This Metasploit module has been tested successfully on Linux Mint 18 (x86_64) with kernel versions: 4.8.0-34-generic; 4.8.0-36-generic; 4.8.0-39-generic; 4.8.0-41-generic; 4.8.0-42-generic; 4.8.0-44-generic; 4.8.0-45-generic.

tags | exploit, kernel, root
systems | linux, ubuntu
advisories | CVE-2017-7308
MD5 | 619464075778b62a92b3753066e120ba
Libuser roothelper Privilege Escalation
Posted May 13, 2018
Authored by Brendan Coles, Qualys Security Advisory | Site metasploit.com

This Metasploit module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. This Metasploit module makes use of the roothelper.c exploit from Qualys to insert a new user with UID=0 in /etc/passwd. Note, the password for the current user is required by userhelper. Note, on some systems, such as Fedora 11, the user entry for the current user in /etc/passwd will become corrupted and exploitation will fail. This Metasploit module has been tested successfully on libuser packaged versions 0.56.13-4.el6 on CentOS 6.0 (x86_64); 0.56.13-5.el6 on CentOS 6.5 (x86_64); 0.60-5.el7 on CentOS 7.1-1503 (x86_64); 0.56.16-1.fc13 on Fedora 13 (i686); 0.59-1.fc19 on Fedora Desktop 19 (x86_64); 0.60-3.fc20 on Fedora Desktop 20 (x86_64); 0.60-6.fc21 on Fedora Desktop 21 (x86_64); 0.60-6.fc22 on Fedora Desktop 22 (x86_64); 0.56.13-5.el6 on Red Hat 6.6 (x86_64); and 0.60-5.el7 on Red Hat 7.0 (x86_64). RHEL 5 is vulnerable, however the installed version of glibc (2.5) is missing various functions required by roothelper.c.

tags | exploit, root
systems | linux, redhat, fedora, centos
advisories | CVE-2015-3245, CVE-2015-3246
MD5 | 29f14e9f5067bd0c43af11f1008beb02
lastore-daemon D-Bus Privilege Escalation
Posted Apr 21, 2018
Authored by Brendan Coles, Kings Way | Site metasploit.com

This Metasploit module attempts to gain root privileges on Deepin Linux systems by using lastore-daemon to install a package. The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user in the sudo group to install arbitrary system packages without providing a password, resulting in code execution as root. By default, the first user created on the system is a member of the sudo group. This Metasploit module has been tested successfully with lastore-daemon version 0.9.53-1 on Deepin Linux 15.5 (x64).

tags | exploit, arbitrary, root, code execution
systems | linux
MD5 | baa73891b2b9f0118971e92d8daa13cc
ProcessMaker Plugin Code Execution
Posted Apr 3, 2018
Authored by Brendan Coles | Site metasploit.com

This Metasploit module will generate and upload a plugin to ProcessMaker resulting in execution of PHP code as the web server user. Credentials for a valid user account with Administrator roles is required to run this module. This Metasploit module has been tested successfully on ProcessMaker versions 1.6-4276, 2.0.23, 3.0 RC 1, 3.2.0, 3.2.1 on Windows 7 SP 1; and version 3.2.0 on Debian Linux 8.

tags | exploit, web, php
systems | linux, windows, debian, 7
MD5 | 62ca13841303372ebfe7885ec8e1b271
DuckDuckGo 4.2.0 WebRTC Private IP Leakage
Posted Apr 3, 2018
Authored by Brendan Coles, Mishra Dhiraj | Site metasploit.com

This Metasploit module exploits a vulnerability in browsers using well-known property of WebRTC (Web Real-Time Communications) which enables Web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.

tags | exploit, web, arbitrary
advisories | CVE-2018-6849
MD5 | 1d9975950bdc7255d15ef79cf990fc30
glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation
Posted Mar 30, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.

tags | exploit, root
systems | linux
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 82d002207d92e79c81d147d0cbc73594
MagniComp SysInfo mcsiwrapper Privilege Escalation
Posted Feb 20, 2018
Authored by Brendan Coles, Daniel Lawson, Romain Trouve | Site metasploit.com

This Metasploit module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable load path. This Metasploit module abuses this functionality to set the load path resulting in execution of arbitrary code as root. This Metasploit module has been tested successfully with SysInfo version 10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.

tags | exploit, arbitrary, x86, root
systems | linux, solaris, debian, fedora
advisories | CVE-2017-6516
MD5 | 8b66a6c82ba59a4ce479a1d17b9e36b6
Juju-run Agent Privilege Escalation
Posted Feb 11, 2018
Authored by Brendan Coles, David Ames, Ryan Beisner | Site metasploit.com

This Metasploit module attempts to gain root privileges on Juju agent systems running the juju-run agent utility. Juju agent systems running agent tools prior to version 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket to manage software ("units") without setting appropriate permissions, allowing unprivileged local users to execute arbitrary commands as root. This Metasploit module has been tested successfully with Juju agent tools versions 1.18.4, 1.25.5 and 1.25.9 on Ubuntu 14.04.1 LTS x86 deployed by Juju 1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64.

tags | exploit, arbitrary, x86, local, root
systems | linux, unix, ubuntu
advisories | CVE-2017-9232
MD5 | eb38e1fdceb4a094a0ae325d89253b30
glibc '$ORIGIN' Expansion Privilege Escalation
Posted Feb 10, 2018
Authored by Tavis Ormandy, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables which allows control over the $ORIGIN library search path resulting in execution of arbitrary shared objects. This Metasploit module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This Metasploit module has been tested successfully on glibc version 2.5 on CentOS 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386). RHEL 5 is reportedly affected, but untested. Some versions of ld.so hit a failed assertion in dl_open_worker causing exploitation to fail.

tags | exploit, arbitrary, root, code execution
systems | linux, fedora, centos
advisories | CVE-2010-3847
MD5 | e8b55dc3fe5f3080c962d9dabae028c4
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Posted Feb 10, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

tags | exploit, arbitrary, root, code execution
systems | linux, debian, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 2bf9e1106acf9e1f0a7b618fe7f2da3f
Apport / ABRT chroot Privilege Escalation
Posted Feb 3, 2018
Authored by Tavis Ormandy, Brendan Coles, StA(c)phane Graber, Ricardo F. Teixeira | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.

tags | exploit, x86, kernel, root, code execution
systems | linux, fedora, ubuntu
advisories | CVE-2015-1318
MD5 | 1dc9fd5c90665c8934d2712e757240c3
VMware Workstation ALSA Config File Local Privilege Escalation
Posted Jan 5, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This Metasploit module has been tested successfully on VMware Player version 12.5.0 on Debian Linux.

tags | exploit, root
systems | linux, debian
advisories | CVE-2017-4915
MD5 | f3b6448b87cca47f57a97189ff144abb
Nitro Pro PDF Reader 11.0.3.173 Remote Code Execution
Posted Aug 2, 2017
Authored by mr_me, sinn3r, Brendan Coles | Site metasploit.com

This Metasploit module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro PDF Reader version 11. The saveAs() Javascript API function allows for writing arbitrary files to the file system. Additionally, the launchURL() function allows an attacker to execute local files on the file system and bypass the security dialog Note: This is 100% reliable.

tags | exploit, arbitrary, local, javascript
advisories | CVE-2017-7442
MD5 | 18ea66b3d4ade909dbf22fe503cf7764
VICIdial user_authorization Unauthenticated Command Execution
Posted Jul 22, 2017
Authored by Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in VICIdial versions 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default). When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to exec(). This Metasploit module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.

tags | exploit, web, arbitrary
systems | linux, centos
MD5 | 97f5f8a82932db45a47b13397a65ccd6
Metasploit RPC Console Command Execution
Posted Jul 22, 2017
Authored by Brendan Coles | Site metasploit.com

This Metasploit module connects to a specified Metasploit RPC server and uses the 'console.write' procedure to execute operating system commands. Valid credentials are required to access the RPC interface. This Metasploit module has been tested successfully on Metasploit 4.15 on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit 4.14 on Windows 7 SP1.

tags | exploit
systems | windows, 7
MD5 | b76c5685a0298b752e8aaaf4f214e190
Samba is_known_pipename() Arbitrary Module Load
Posted May 27, 2017
Authored by H D Moore, Tavis Ormandy, Brendan Coles, steelo | Site metasploit.com

This Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.

tags | exploit, arbitrary
advisories | CVE-2017-7494
MD5 | 540c24e5e6cfcfa8e2adea53b8b83491
Serviio Media Server checkStreamUrl Command Execution
Posted May 17, 2017
Authored by LiquidWorm, Brendan Coles | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability in the console component of Serviio Media Server versions 1.4 to 1.8 on Windows operating systems. The console service (on port 23423 by default) exposes a REST API which which does not require authentication. The 'action' API endpoint does not sufficiently sanitize user-supplied data in the 'VIDEO' parameter of the 'checkStreamUrl' method. This parameter is used in a call to cmd.exe resulting in execution of arbitrary commands. This Metasploit module has been tested successfully on Serviio Media Server versions 1.4.0, 1.5.0, 1.6.0 and 1.8.0 on Windows 7.

tags | exploit, remote, arbitrary
systems | windows, 7
advisories | OSVDB-41961
MD5 | ab1da9f50ece75772d5c07e501778759
MVPower DVR Shell Unauthenticated Command Execution
Posted Feb 25, 2017
Authored by Brendan Coles, Andrew Tierney, Paul Davies | Site metasploit.com

This Metasploit module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string. This Metasploit module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17). The TV-7108HE model is also reportedly affected, but untested.

tags | exploit, remote, web, arbitrary, shell
MD5 | b943340b352d3992b7f12c896f1c4222
Dell KACE K1000 File Upload
Posted Apr 13, 2016
Authored by Brendan Coles, Bradley Austin | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in Kace K1000 versions 5.0 to 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 which allows unauthenticated users to execute arbitrary commands under the context of the 'www' user. This Metasploit module also abuses the 'KSudoClient::RunCommandWait' function to gain root privileges. This Metasploit module has been tested successfully with Dell KACE K1000 version 5.3.

tags | exploit, arbitrary, root, file upload
MD5 | c04ab65765d94cdc1e56b808b44fc1bc
D-Link DCS-931L Arbitrary File Upload
Posted Jan 6, 2016
Authored by Brendan Coles, J. Rach, Allen Harper, Mike Baucom | Site metasploit.com

This Metasploit module exploits a file upload vulnerability in D-Link DCS-931L network cameras. The setFileUpload functionality allows authenticated users to upload files to anywhere on the file system, allowing system files to be overwritten, resulting in execution of arbitrary commands. This Metasploit module has been tested successfully on a D-Link DCS-931L with firmware versions 1.01_B7 (2013-04-19) and 1.04_B1 (2014-04-21). D-Link DCS-930L, DCS-932L, DCS-933L models are also reportedly affected, but untested.

tags | exploit, arbitrary, file upload
advisories | CVE-2015-2049
MD5 | c004fc97c48c539da2a1404559c5804c
SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
Posted Mar 6, 2014
Authored by Brendan Coles, Mohamed Shetta | Site metasploit.com

This Metasploit module exploits a remote arbitrary file write vulnerability in SolidWorks Workgroup PDM 2014 SP2 and prior. For targets running Windows Vista or newer the payload is written to the startup folder for all users and executed upon next user logon. For targets before Windows Vista code execution can be achieved by first uploading the payload as an exe file, and then upload another mof file, which schedules WMI to execute the uploaded payload. This Metasploit module has been tested successfully on SolidWorks Workgroup PDM 2011 SP0 on Windows XP SP3 (EN) and Windows 7 SP1 (EN).

tags | exploit, remote, arbitrary, code execution
systems | windows, xp, vista, 7
MD5 | 616b6529ac383dc0589643283677afc7
Simple E-Document Arbitrary File Upload
Posted Jan 28, 2014
Authored by Brendan Coles, vinicius777 | Site metasploit.com

This Metasploit module exploits a file upload vulnerability found in Simple E-Document versions 3.0 to 3.1. Attackers can bypass authentication and abuse the upload feature in order to upload malicious PHP files which results in arbitrary remote code execution as the web server user. File uploads are disabled by default.

tags | exploit, remote, web, arbitrary, php, code execution, file upload
MD5 | 6673942972dbee1582ce76afa3bf104d
Kimai 0.9.2 db_restore.php SQL Injection
Posted Nov 28, 2013
Authored by Brendan Coles, drone | Site metasploit.com

This Metasploit module exploits a SQL injection vulnerability in Kimai version 0.9.2.x. The 'db_restore.php' file allows unauthenticated users to execute arbitrary SQL queries. This Metasploit module writes a PHP payload to disk if the following conditions are met: The PHP configuration must have 'display_errors' enabled, Kimai must be configured to use a MySQL database running on localhost; and the MySQL user must have write permission to the Kimai 'temporary' directory.

tags | exploit, arbitrary, php, sql injection
MD5 | aec9a8141849e97ce005dc4486ce99e3
Page 1 of 2
Back12Next

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    7 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    40 Files
  • 23
    May 23rd
    62 Files
  • 24
    May 24th
    24 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close