The Windscribe VPN client application for Windows makes use of a Windows service WindscribeService.exe which exposes a named pipe \\.\pipe\WindscribeService allowing execution of programs with elevated privileges. Windscribe versions prior to 1.82 do not validate user-supplied program names, allowing execution of arbitrary commands as SYSTEM. This Metasploit module has been tested successfully on Windscribe versions 1.80 and 1.81 on Windows 7 SP1 (x64).
7f200c24f141392d23225b9330afb247d5a945ace30e10996f31e175ed2e9dc9This Metasploit module attempts to gain root privileges on Linux systems by abusing a NULL pointer dereference in the rds_atomic_free_op function in the Reliable Datagram Sockets (RDS) kernel module (rds.ko). Successful exploitation requires the RDS kernel module to be loaded. If the RDS module is not blacklisted (default); then it will be loaded automatically. This exploit supports 64-bit Ubuntu Linux systems, including distributions based on Ubuntu, such as Linux Mint and Zorin OS. This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This module has been tested successfully on various 4.4 and 4.8 kernels.
561f5de542c8d58118095440168a640aad5069622602f1d8eac2d963687098c9The Plantronics Hub client application for Windows makes use of an automatic update service SpokesUpdateService.exe which automatically executes a file specified in the MajorUpgrade.config configuration file as SYSTEM. The configuration file is writable by all users by default. This module has been tested successfully on Plantronics Hub version 3.13.2 on Windows 7 SP1 (x64). This Metasploit module has been tested successfully on Plantronics Hub version 3.13.2 on Windows 7 SP1 (x64).
158f8bba58dd0cfb1693ccc6021434881f579c25482bb12c46542cc4b0abb810This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution. This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).
3e6540f0f1a2e09ac135f635d113e22b32dffae061cff0c1ae9ba68f036aa0a2This Metasploit module uses Reptile rootkit's reptile_cmd backdoor executable to gain root privileges using the root command. This module has been tested successfully with Reptile from master branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).
8186f5f11335f41fb98ec8db0d3d1fb55357e44c311a504e72b4a26781481cf4This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.
bc46d127784cc25a8eebe3568a7dc33efb953a22d3a6de8a44f9394b892ee0c6This Metasploit module exploits an authenticated command injection vulnerability in FusionPBX versions 4.4.3 and prior. The exec.php file within the Operator Panel permits users with operator_panel_view permissions, or administrator permissions, to execute arbitrary commands as the web server user by sending a system command to the FreeSWITCH event socket interface. This module has been tested successfully on FusionPBX version 4.4.1 on Ubuntu 19.04 (x64).
38468e6614fd2cb8667101b151bf487ee43e93ccd419b6ad4216f21cee042b1eThis Metasploit module uses administrative functionality available in FusionPBX to gain a shell. The Command section of the application permits users with exec_view permissions, or superadmin permissions, to execute arbitrary system commands, or arbitrary PHP code, as the web server user. This module has been tested successfully on FusionPBX version 4.4.1 on Ubuntu 19.04 (x64).
9ddc511633ca4524be66e468aa2349e7ebf43ba65883baed79761e3c37b3b7afThis Metasploit module uses the FreeSWITCH event socket interface to execute system commands using the system API command. The event socket service is enabled by default and listens on TCP port 8021 on the local network interface. This module has been tested successfully on FreeSWITCH versions: 1.6.10-17-726448d~44bit on FreeSWITCH-Deb8-TechPreview virtual machine; 1.8.4~64bit on Ubuntu 19.04 (x64); and 1.10.1~64bit on Windows 7 SP1 (EN) (x64).
2af6ba6d2dae98ab9fd3f1dbb8b8f6ec3e20238f5bef67966c656048edd77ffcThis Metasploit module exploits an unauthenticated command injection vulnerability in rConfig versions 3.9.2 and prior. The install directory is not automatically removed after installation, allowing unauthenticated users to execute arbitrary commands via the ajaxServerSettingsChk.php file as the web server user. This module has been tested successfully on rConfig version 3.9.2 on CentOS 7.7.1908 (x64).
c186325528acbfb5de4f3fa7f089b9e55a0ed4689c4440a3e05bf3134759a1f7This Metasploit module exploits a vulnerability in xscreensaver versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. xscreensaver allows users to create a user-owned file at any location on the filesystem using the -log command line argument introduced in version 5.06. This module uses xscreensaver to create a log file in /usr/lib/secure/, overwrites the log file with a shared object, and executes the shared object using the LD_PRELOAD environment variable. This module has been tested successfully on xscreensaver version 5.15 on Solaris 11.1 (x86) and xscreensaver version 5.15 on Solaris 11.3 (x86).
61fc2ea992be47242e9913209ccde2e47b80ce69f13985b6c1cff3d42dbfc4cfThis Metasploit module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME.
072effef6153caac38d664913a4c85d900178cc8a6bc497726bd11fee5a2a0bcThis Metasploit module attempts to gain root privileges on RHEL systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. sosreport uses an insecure temporary directory, allowing local users to write to arbitrary files (CVE-2015-5287). This module has been tested successfully on abrt 2.1.11-12.el7 on RHEL 7.0 x86_64 and abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.
fb67e2e69d375b5a9cd6b9e13c28c727a1dc0a6071f2e268e407fb071b35e7f5This Metasploit module attempts to gain root privileges by exploiting a vulnerability in ktsuss versions 1.4 and prior. The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges. This module has been tested successfully on ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64) and ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
60b05f9c8dd9618a16984179687837c73ed7d9f5164d7df7821f81dfa103046cThis Metasploit module attempts to gain root privileges by blindly injecting into the session user's running shell processes and executing commands by calling system(), in the hope that the process has valid cached sudo tokens with root privileges. The system must have gdb installed and permit ptrace. This module has been tested successfully on Debian 9.8 (x64) and CentOS 7.4.1708 (x64).
fdcbf0c4d9e341553a52dec31cde80eee431ecb79d69538c1c636d8d6742a5caThis Metasploit module exploits a command injection vulnerability in Xymon versions before 4.3.25 which allows authenticated users to execute arbitrary operating system commands as the web server user. When adding a new user to the system via the web interface with useradm.sh, the user's username and password are passed to htpasswd in a call to system() without validation. This module has been tested successfully on Xymon version 4.3.10 on Debian 6.
56921faf23d84d68f64c70045561cd00f989f797c3579b3de87eae4139a3e53cThis Metasploit module attempts to gain root privileges on systems running Serv-U FTP Server versions prior to 15.1.7. The Serv-U executable is setuid root, and uses ARGV[0] in a call to system(), without validation, when invoked with the -prepareinstallation flag, resulting in command execution with root privileges. This module has been tested successfully on Serv-U FTP Server version 15.1.6 (x64) on Debian 9.6 (x64).
741d912f9d81ee69caacd00759e742b27f2fbda4aa232a5b4199ceb2b7e3a311This Metasploit module attempts to gain root privileges by exploiting a vulnerability in the staprun executable included with SystemTap version 1.3. The staprun executable does not clear environment variables prior to executing modprobe, allowing an arbitrary configuration file to be specified in the MODPROBE_OPTIONS environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on: systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and systemtap 1.1-3.el5 on RHEL 5.5 (x64).
57d955347310170d1a380dba46ef41462b10f297e733fec17201a3831094af3bThis Metasploit module exploits a command injection vulnerability in elFinder versions prior to 2.1.48. The PHP connector component allows unauthenticated users to upload files and perform file modification operations, such as resizing and rotation of an image. The file name of uploaded files is not validated, allowing shell metacharacters. When performing image operations on JPEG files, the filename is passed to the exiftran utility without appropriate sanitization, causing shell commands in the file name to be executed, resulting in remote command injection as the web server user. The PHP connector is not enabled by default. The system must have exiftran installed and in the PATH. This module has been tested successfully on elFinder versions 2.1.47, 2.1.20, and 2.1.16 on Ubuntu.
5222268c0c1677f7e0637fd6b8a807ef9ea4bfb24107aadeb85ce45155354bc3This Metasploit module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.
f1711c3320d7c4e9f80661d007057fb1b0b673f47fb51ec2968a821bc6aa8991This Metasploit module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book `.cbt` files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited space is available for the payload.
be7441cb5d0ca4f4495067990292385a52fbdd586a1d34cad46036dcc7576c4cThis Metasploit module attempts to gain root privileges on Linux systems using setuid executables compiled with AddressSanitizer (ASan). ASan configuration related environment variables are permitted when executing setuid executables built with libasan. The log_path option can be set using the ASAN_OPTIONS environment variable, allowing clobbering of arbitrary files, with the privileges of the setuid user. This module uploads a shared object and sprays symlinks to overwrite /etc/ld.so.preload in order to create a setuid root shell.
0e6f740ce9bc200d846f84b085e1b15b388b872a85100b6499f36331dcd60d30This Metasploit module attempts to gain root privileges by exploiting a Python code injection vulnerability in blueman versions prior to 2.0.3. The org.blueman.Mechanism.EnableNetwork D-Bus interface exposes the set_dhcp_handler function which uses user input in a call to eval, without sanitization, resulting in arbitrary code execution as root. This module has been tested successfully with blueman version 1.23 on Debian 8 Jessie (x64).
85a43e99c894940e1f5253b2c619f91dc4dfc4fda5382f9ab944cf794316f8d4This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This Metasploit module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).
c991b79ae898a222baf512ec75bc5ae786505466b71b6453fd873f6b5482343cThis Metasploit module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This Metasploit module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This Metasploit module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. This Metasploit module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).
1e59da07b25c5d7ed7f7081baca4d6ef68b592b7e64e01af24769ec5d101e1a3
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed