This Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary.
255a53ba4764640c38d52b8d61674d66f25d7a11c08ebc0d8b26cc5cdb1d4aceSolaris SunSSH versions 10 through 11.0 on x86 libpam remote root exploit.
93c50138db56dcc96e612d0fa56cca01459695d4f656345667a2e4fdec807e5dZTE Blade Vantage Z839 Emode.APK android.uid.system local privilege escalation exploit.
5707c5e52a89bad056708a3134f79220ebdb442a447b95cba37c95cdb026d117AIX version 5.3L libc local environment handling local root exploit. The AIX 5.3L (and possibly others) libc is vulnerable to multiple buffer overflow issues in the handling of locale environment variables. This allows for exploitation of any setuid root binary that makes use of functions such as setlocale() which do not perform bounds checking when handling LC_* environment variables. An attacker can leverage this issue to obtain root privileges on an impacted AIX system. This exploit makes use of the "/usr/bin/su" binary to trigger the overflow through LC_ALL and obtain root.
417e782bbe7c2cf1c638ceb5b8df48574778d0daeec6b31fde12bdc697f1dde1AIX version 5.3L /usr/sbin/lquerypv local root privilege escalation exploit.
0897775bf394074a0899890bf9b6b3c6e0a4fdb790821736714ba4384b53bd9cA trivial to reach stack-based buffer overflow is present in libpam on Solaris. The vulnerable code exists in pam_framework.c parse_user_name() which allocates a fixed size buffer of 512 bytes on the stack and parses a username supplied to PAM modules (such as authtok_get used by SunSSH). This issue can be reached remotely pre-authentication via SunSSH when "keyboard-interactive" is enabled to use PAM based authentication. The vulnerability was discovered being actively exploited by FireEye in the wild and is part of an APT toolkit called "EVILSUN". The vulnerability is present in both SPARC/x86 versions of Solaris and others (eg. illumos). This exploit uses ROP gadgets to disable nxstack through mprotect on x86 and a helper shellcode stub. Tested against latest Solaris 10 without patch applied and the configuration is vulnerable in a default vanilla install. This exploit requires libssh2, the vulnerability has been identified and confirmed reachable on Solaris 10 through 11.0.
4efe811f974352dcef13923a4c23660cd48238ef8eed2fdf0c41f3fb02116a22SGI IRIX versions 6.4.x and below run-time linker (rld) arbitrary file creation exploit.
6f90ee10780f9ce1e84434cd416d1bb52ce40db82cd9f3b32770f230eec3040cGNU inetutils versions 1.9.4 and below are vulnerable to a stack overflow vulnerability in the client-side environment variable handling which can be exploited to escape restricted shells on embedded devices. Most modern browsers no longer support telnet:// handlers, but in instances where URI handlers are enabled to the inetutils telnet client this issue maybe remotely triggerable. A stack-based overflow is present in the handling of environment variables when connecting telnet.c to remote telnet servers through oversized DISPLAY arguments. A heap-overflow is also present which can be triggered in a different code path due to supplying oversized environment variables during client connection code.
67091428f5e24ce1f6e0eb140516487b2dad8b7e0affe5d248d2734e0ec4626fAn exploitable arbitrary file creation weakness has been identified in Mikrotik RouterOS that can be leveraged by a malicious attacker to exploit all known versions of Mikrotik RouterOS. The RouterOS contains a telnet client based on GNU inetutils with modifications to remove shell subsystem. However an attacker can leverage the "set tracefile" option to write an arbitrary file into any "rw" area of the filesystem, escaping the restricted shell to gain access to a "ash" busybox shell on some versions. The file is created with root privileges regardless of the RouterOS defined group.
a939b73387c51054bd5c4c1fabbeade0aabd8445df951b5f0caf507ff0713454xorg-x11-server versions prior to 1.20.3 local privilege escalation exploit.
f3cd2959f68332bfa2c323ef0adaf0aa7a1128133e424075a042a879dc030265This Metasploit module exploits a directory traversal vulnerability in the dtappgather executable included with Common Desktop Environment (CDE) on unpatched Solaris systems prior to Solaris 10u11 which allows users to gain root privileges. dtappgather allows users to create a user-owned directory at any location on the filesystem using the DTUSERSESSION environment variable. This Metasploit module creates a directory in /usr/lib/locale, writes a shared object to the directory, and runs the specified SUID binary with the shared object loaded using the LC_TIME environment variable. This Metasploit module has been tested successfully on: Solaris 9u7 (09/04) (x86); Solaris 10u1 (01/06) (x86); Solaris 10u2 (06/06) (x86); Solaris 10u4 (08/07) (x86); Solaris 10u8 (10/09) (x86); Solaris 10u9 (09/10) (x86).
6f75827f24c9c71623ec21ea18e8644185262819fb0757d5169bc8b6020326acGNS3 Mac OS-X version 1.5.2 ubridge privilege escalation exploit.
a5e76f57b9fe4ca0325f3a4fbe2fcec453b432eccb24a18d312f44c6c0d6947dPonyOS version 4.0 fluttershy LD_LIBRARY_PATH local kernel exploit.
6867351b25180ee9a58f9f9c9a924f9ce0d77cf00cf72948ef60b4c78af6b5b6Coppermine Gallery versions 1.5.44 and below suffer from a directory traversal vulnerability.
29f200ffcc0c01af4c8bb99c41ae0a82b17a73070333106e21afc34990b382ceSolaris versions 7 through 11 on both x86 and SPARC suffer from an EXTREMEPARR dtappgather local privilege escalation vulnerability.
1d0a7fc97f6c11277cffbbde3faa1e5dcaa3c351527a2b971ea140cbd1503bbbCoppermine Gallery versions 1.5.44 and below suffer from a directory traversal vulnerability.
43fda03afc24d1a05660bc4321ec19661ba3c068b6c93e616a51d887d736f241This is a shellshock exploit for RSSMON and BEAM, network services for Red Star OS version 3.0 SERVER edition.
bbdf7dd5e3730d17196110e9505289469c26b6f29655125d1177485822c140deNaenara Browser version 3.5 exploit (JACKRABBIT) that uses a known Firefox bug to obtain code execution on Red Star OS 3.0 desktop.
c4b4b34b00cd3c056e46e8970c599fc698341f1def3f5d9c4ca35d64efaf0e59TrendMicro InterScan Web Security Virtual Appliance remote code execution exploit that leverages the shellshock vulnerability to spawn a connect-back shell. TrendMicro has contacted Packet Storm and provided the following link with patch information: <a href="https://success.trendmicro.com/solution/1105233">https://success.trendmicro.com/solution/1105233</a>
7eefbb330b7be36adf17cb7725410f679d2aeac775a9e31cf85234029e4b66ccExim versions 4.84-3 and below suffer from a local privilege escalation vulnerability.
338e278d54bff0fcb3160902a0f4e6e04e509da47b831229d06ee56563a1ce5cAmanda versions 3.3.1 and below amstar command injection local root exploit #2.
284d84c47aaefe6f00825e9e93cb31647859b1a25d24d166cb7d556306f2a2b5Amanda version 3.3.1 suffers from a local root privilege escalation vulnerability via the setuid runtar binary.
2ab1cf9f4f7d96fe3a9f2cf09a358645b047b9ef18ef2daf06d8e51bc6c2b48cPonyOS versions 3.0 and below tty ioctl() local privilege escalation exploit.
309b43bdeb7461640755b45f94ada24175a9225ce852978a6cf15ccd49b2e228PonyOS versions 3.0 and below ELF loader privilege escalation exploit.
5c60cb1d2f49bf795a8889604606129d0372cc6882e3aade50ddafda87ca714cPonyOS versions 3.0 and below VFS privilege escalation exploit.
ef480619bfd3cba06fec4e08ff8068c41ddf33aebf80b9fb5a1574099b479586
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed