Linux kernel versions prior to 4.14.8 utilize the Berkeley Packet Filter (BPF) which contains a vulnerability where it may improperly perform signing for an extension. This can be utilized to escalate privileges. The target system must be compiled with BPF support and must not have kernel.unprivileged_bpf_disabled set to 1. This Metasploit module has been tested successfully on many different kernels.
3a7fa7070c41ddc4726fd312fb66650ad5d4cd33a694060cfd4542206f2d48f1This Metasploit module triggers an arbitrary shared library load vulnerability in GoAhead web server versions between 2.5 and that have the CGI module enabled.
bee949e92c0ea2f22d837f57390d8e28e16e861007e5e679292d373e6ac8037aThis Metasploit module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... into DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL versions 5.5.9 and below, directory write permissions not enforced, and the MySQL service runs as LocalSystem. NOTE: This Metasploit module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine sys_eval() and sys_exec() functions.
e271ecc64a4930d48b45420b13646e62bddc742c830913aff948fcd6de464829pfSense versions 2.3.1_1 and below contain a remote command execution vulnerability post authentication in the system_groupmanager.php page.
7e95005faf5bd57e5f8dd4d924787a1fff296c90c38c30c7cdaff7910db8bb51WP Mobile Detector Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /wp-content/plugins/wp-mobile-detector/resize.php script does contains a remote file include for files not cached by the system already. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the attacker to execute the script with the privileges of the web server.
78c713af652be903f93b72d84bd37300ff88c13c97f655448730f42c48f8d6a6The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication. Versions prior to 3.0.4 contain OS command injection in the ping command which can be used to execute arbitrary commands as root.
737f912aedaeba8a1d57b9dc8bd11fe5911f1fbdc0923fc3bb63f868636273f6IPFire, a free linux based open source firewall distribution, version prior to 2.19 Update Core 110 contains a remote command execution vulnerability in the ids.cgi page in the OINKCODE field.
f8bdea7a53ee5a4ab20fad1a03f6c2a2dfaa0823d9fec5b982ed96aa724d1965ntfs-3g mount helper in Ubuntu 16.04, 16.10, Debian 7, 8, and possibly 9 does not properly sanitize the environment when executing modprobe. This can be abused to load a kernel module and execute a binary payload as the root user.
2ca15f26f7b775b7c9e764235153327a7035b9b299e27a2b52603944e606c8c3This Metasploit module utilizes an administrative module which allows for command execution. This page is completely unprotected from any authentication when given a POST request.
cfcbce3052c73130003476d0ee627bdcb72ab71008ac686ffaae35583cfb31c0This Metasploit module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation.
bf300c0c899733b435995c0ef2a36f7a7f24b72ea483dc9898f85b794dba5bc8Linux kernel versions 4.4 and above where CONFIG_BPF_SYSCALL and kernel.unprivileged_bpf_disabled sysctl is not set to 1 allow for BPF to be abused for privilege escalation. Ubuntu 16.04 has all of these conditions met.
f1306f2352a229f463a8023d32004c95fc69e0766b3089ee18e864c38cfcb735This Metasploit module attempts to exploit two different CVEs (CVE-2015-1328 and CVE-2015-8660) related to overlayfs.
051ac68d3b034444740ccd04d39c409e4a6f9b78bb6c5b472cf8e1acac90159dPSEvents.exe within several Panda Security products runs hourly with SYSTEM privileges. When run, it checks a user writable folder for certain DLL files, and if any are found they are automatically run. Vulnerable products include Panda Global Protection 2016 versions 16.1.2 and below, Panda Antivirus Pro 2016 versions 16.1.2 and below, Panda Small Business Protection versions 16.1.2 and below, and Panda Internet Security 2016 versions 16.1.2 and below.
675a9794c4c179230ddd016c62462e8da69b4d5e807de5679903fd32ada74613This Metasploit module attempts to exploit CVE-2014-0038, by sending a recvmmsg system call with a crafted timeout pointer parameter to gain root. This exploit has offsets for 3 Ubuntu 13 kernels built in: 3.8.0-19-generic (13.04 default) 3.11.0-12-generic (13.10 default) 3.11.0-15-generic (13.10) This exploit may take up to 13 minutes to run due to a decrementing (1/sec) pointer which starts at 0xff*3 (765 seconds)
82b7ac9274ee1da7aa1283d1f828bf5efb5666ae8d5432aec64d8da96a714f43This Metasploit module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices.
d99d8e8e47f339eb8ec87c59d4b0730de722cf4968e5c5a3fa8af0475db0a59fThis Metasploit module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) 2. libc6-dev-i386 (ubuntu), glibc-devel.i686
3ed3279ffabc1d769fe51805e802f0af5a86f32107a739ee1f3f3ec23f7e3010This Metasploit module attempts to exploit a race condition in mail.local with the SUID bit set on: NetBSD 7.0 - 7.0.1 (verified on 7.0.1), NetBSD 6.1 - 6.1.5, and NetBSD 6.0 - 6.0.6. Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
538ce6a834dffd6d9e669ab16ae984c12556d38cab1d2870f6bbbd5bc570cb23This Metasploit module will create a service on the box, and mark it for auto-restart.
79da7c70153554395ef5348119b04ecdb39ab60cb29fef4eae875f83f0352191This Metasploit module will create a cron or crontab entry to execute a payload. The module includes the ability to automatically clean up those entries to prevent multiple executions. syslog will get a copy of the cron entry.
9793155803f506f6e27c18e5277bed947632ef874e5664d5251d4e9d7cb8c507Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cyber criminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device. Some models include a non-standard echo command which doesn't honor -e, and are therefore not currently exploitable with Metasploit. See URLs or module markdown for additional options.
23aa19a2ba418a35cd8bbecabd42ee2c073706a9c5dc4bf7724e7a87210b3a29The login component of the Polycom Command Shell on Polycom HDX video endpints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication. Versions prior to 3.0.4 contain OS command injection in the ping command which can be used to execute arbitrary commands as root.
548cc509510583c6e9073f79cf341d4f7d444c54333db5eee6854c756f2f9ecfCentreon Web Interface versions 2.5.3 and below utilize an ECHO for logging SQL errors. This functionality can be abused for arbitrary code execution, and can be triggered via the login screen prior to authentication.
5c09582d8455d486f9a8b546afc64ba7e1c0033c02c90405893cf9e6a8d35f16Tiki-Wiki CMS's calendar module contains a remote code execution vulnerability within the viewmode GET parameter. The calendar module is NOT enabled by default. If enabled, the default permissions are set to NOT allow anonymous users to access.
9131c295c6f0a87ffeed5ec24203a47294ef439eb9e76d9c596efa1d5fafc764The configuration page in version 7.1.9 and below of op5 allows the ability to test a system command, which can be abused to run arbitrary code as an unprivileged user.
34a689b22e757960916b2b0af3d9484a9d86ebc2d53f95c0c172deab2122b07eIPFire, a free linux based open source firewall distribution, versions prior to 2.19 Update Core 101 contain a remote command execution vulnerability in the proxy.cgi page.
4455d8714ad0f2e393232ebc31503bf395db118a9964e731f57356a841e46f2a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed