This Metasploit module attempts to gain root privileges on RHEL systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. sosreport uses an insecure temporary directory, allowing local users to write to arbitrary files (CVE-2015-5287). This module has been tested successfully on abrt 2.1.11-12.el7 on RHEL 7.0 x86_64 and abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.
fb67e2e69d375b5a9cd6b9e13c28c727a1dc0a6071f2e268e407fb071b35e7f5
This Metasploit module exploits a race condition and use-after-free in the packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel to execute code as root (CVE-2016-8655). The bug was initially introduced in 2011 and patched in 2016 in version 4.4.0-53.74, potentially affecting a large number of kernels; however this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and two or more CPU cores. Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation may crash the kernel. This Metasploit module has been tested successfully on Linux Mint 17.3 (x86_64); Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel versions 4.4.0-45-generic and 4.4.0-51-generic.
2c972042e97ba752bad7ba25468c594d74162a227ca514649eb33c75bf60c5e6
Linux AF_PACKET race condition exploit for Ubuntu 16.04 x86_64.
aa24077d1248b5baa880a452de7a35948ed45d8751c16500d808952b8c992c0d
This Metasploit module attempts to exploit two different CVEs (CVE-2015-1328 and CVE-2015-8660) related to overlayfs.
051ac68d3b034444740ccd04d39c409e4a6f9b78bb6c5b472cf8e1acac90159d
This Metasploit module attempts to exploit CVE-2014-0038, by sending a recvmmsg system call with a crafted timeout pointer parameter to gain root. This exploit has offsets for 3 Ubuntu 13 kernels built in: 3.8.0-19-generic (13.04 default) 3.11.0-12-generic (13.10 default) 3.11.0-15-generic (13.10) This exploit may take up to 13 minutes to run due to a decrementing (1/sec) pointer which starts at 0xff*3 (765 seconds)
82b7ac9274ee1da7aa1283d1f828bf5efb5666ae8d5432aec64d8da96a714f43
Ubuntu 14.04 LTS and 15.10 overlayfs local root exploit.
1bf1b95880d7fb521bfe0cf76bb75801961ebb5f6b4b91508407ee6bad1b5076
Local root exploit for Redhat Enterprise Linux versions 7.0 and 7.1 that leverages abrt/sosreport.
b790341fd59ae2e5d21dff21d1b31498f965eaa89caf7d3d86a361acf552509d
CentOS version 7.1 and Fedora version 22 abrt local root exploit. It leverages abrt-hook-ccpp insecure open() usage and abrt-action-install-debuginfo insecure temp directory usage.
2e6ff628343956da9862f4ece546ad0fa5bec7f2f3e42781031bd4c8eee3ff37
This Metasploit module writes to the sudoers file without root access by exploiting rsh and malloc log files. Makes sudo require no password, giving access to su even if root is disabled. Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
1959cf26f98a303dd73293b46328a6156cc9e858b22283d3803da877cf76e849
The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces. This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04. Included is a full exploit demonstration root code execution.
f86829bc8ea48c36f6d3cd054fa6293bb6beab50057404ccaddcd6c16e8bed3c
Linux 3.4+ local root exploit that spawns a root shell leveraging CONFIG_X86_X32=y.
ede5fc0e0b7e794118d72948df2017010eaec9fd53af8390f4d8bde0ec184fa6
Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device. Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot.
8d08e36aad4e2f2b6ca724385b7f3fba0f30c6ca89e770a9d239706fa1f4aeba