Email address | private |
---|---|
First Active | 2011-07-25 |
Last Active | 2019-11-12 |
This Metasploit module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged-in users need to be included when /etc/passwd is overwritten, or else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when overwriting /etc/passwd.
cdb60dbe662ae825c2e68b4e3467951ff4065037e1a4c7ab93afe4fd720eaf44
This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users who can start the server to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). A CentOS default install will require console auth for the user's session. Xorg must have SUID permissions and may not start if it is already running. On successful exploitation, artifacts will be created consistent with starting Xorg.
9377740962fb859c56e4c74db8eb408580293ddee8808bfba3b45eda70d58cd2
This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for the -modulepath and -logfile options when starting Xorg. This allows unprivileged users who can start the server to elevate privileges and run arbitrary code under root privileges. This Metasploit module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). A CentOS default install will require console auth for the user's session. Cron launches the payload, so if SELinux is enforcing, exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if it is already running. On exploitation, a crontab.old backup file will be created by Xorg. This Metasploit module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation, artifacts will be created consistent with starting Xorg and running a cron.
720e628b35284931ff0424715e648634cd3ec31db1a89c8b1fff88eddfb6f4ab
Exponent CMS version 2.3.1 suffers from multiple cross site scripting vulnerabilities.
d7c212b63775bde5c49ae7979f6feda188aeede831184a2ef05a72bfb78c0ad3
Yealink VOIP Phone suffers from a persistent cross site scripting vulnerability.
594dab55fa06525eeb25a234672469d458221c09b400c782310c5903d307c318
Yealink VOIP Phone suffers from a persistent cross site scripting vulnerability.
1c5d7a80bb2cf3d1f660ade3a9a696b35ca2ec64015f60892c18290b1f7c608c
MailEnable Professional and Enterprise versions are prone to cross site scripting vulnerabilities as the user-supplied input received via the "Username" parameter of the "ForgottonPassword.aspx" page is not properly sanitized. Versions 4.2.6 and below, 5.52 and below and 6.02 and below are affected.
cab4ee58932f48fbb2493be671b4513aaa7da0caa31bfdb2f95731c6adf0d732
NetSaro Enterprise Manager version 2.0 suffers from cross site request forgery and cross site scripting vulnerabilities.
04fd1b5fea29b86f930d0d4af4271d77b858a03704dc36391d9621bdd648e4e1
ManageEngine ServiceDesk Plus version 8.0 build 8013 suffers from multiple cross site scripting vulnerabilities.
4307cd7c0b9620083e36f686fe14e007f7ca64884c5ceaa83beff75b77a767ac
SWAT (Samba Web Administration Tool) in Samba versions 3.0.x through 3.5.9 suffers from a cross site request forgery vulnerability.
d475476bb91d90ae8126882c28a969539769386b49ecf8a69ad974db8e791de9
ManageEngine ServiceDesk Plus version 8.0 allows a user with limited privileges access to certain functionality that should only be available to administrative users. Proof of concept included.
e8ccc4a1e95942aa9e19d5eff1d90052cd550386db0397b0735cad9c2fbbea44
OpenX Ad Server version 2.8.7 suffers from a cross site request forgery vulnerability.
2122972907040dd56b1dcbfb3d0e13db9229e8c17a99da1c23958464c856bccb