exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 1,693 RSS Feed

Operating System: Fedora

Glibc Tunables Privilege Escalation
Posted Dec 21, 2023
Authored by Blasty, jheysel-r7, Qualys Threat Research Unit | Site metasploit.com

A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. It has been dubbed Looney Tunables. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user. This Metasploit module targets glibc packaged on Ubuntu and Debian. Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911 however this module does not target them.

tags | exploit, overflow, local, root
systems | linux, debian, fedora, ubuntu
advisories | CVE-2023-4911
SHA-256 | e48ab23fe12076a6f076606de74abf4141a72444bfb88e5c9ea8bf73a3f2b891
GNOME Files 43.4 Privilege Escalation
Posted Aug 8, 2023
Authored by Georgi Guninski

GNOME Files version 43.4 (nautilus) on Fedora 37 will extract zip archives with setuid files for other user identifiers that can be leveraged to escalate privileges.

tags | exploit
systems | linux, fedora
SHA-256 | ac80117ac673973985c2dd78f43ddd88009c6d2d28c771696ceaab5aceb3f410
Apache Tomcat Privilege Escalation
Posted Mar 14, 2023
Authored by h00die, Dawid Golunski | Site metasploit.com

This Metasploit module exploits a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8. The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage temporary files including their creation. With this weak permission, you are able to inject commands into the systemd-tmpfiles service to write a cron job to execute a payload. systemd-tmpfiles is executed by default on boot on RedHat-based systems through systemd-tmpfiles-setup.service. Depending on the system in use, the execution of systemd-tmpfiles could also be triggered by other services, cronjobs, startup scripts etc. This module was tested against Tomcat 7.0.54-3 on Fedora 21.

tags | exploit
systems | linux, redhat, fedora
advisories | CVE-2016-5425
SHA-256 | 903a0ee785179782b1e32acadddf0c0d236bad5fe9aa7a732795ae129d42f00e
Sequoia: A Deep Root In Linux's Filesystem Layer
Posted Jul 21, 2021
Authored by Qualys Security Advisory

Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory.

tags | exploit, kernel, local, root, proof of concept
systems | linux, debian, fedora, ubuntu
advisories | CVE-2021-33909, CVE-2021-33910
SHA-256 | 0c0b69962c7c4951fd574d5a8b85049490d77ada7568b05cfb4bce7ca40aa09a
Fedora / Gnome fscaps Issue
Posted Jun 22, 2021
Authored by Tavis Ormandy, Google Security Research

Fedora with Gnome has an issue where it is not using fscaps safely.

tags | exploit
systems | linux, fedora
SHA-256 | 5fe12d617595a462d2a4fb41da183c392412f1d518d9ef97c94501d8e6a9f976
netkit-telnet 0.17 Remote Code Execution
Posted Mar 5, 2020
Authored by Ronald Huizer

netkit-telnet version 0.17 telnetd on Fedora 31 BraveStarr remote code execution exploit.

tags | exploit, remote, code execution
systems | linux, fedora
SHA-256 | b3e199216f3edbb0703f308315218c7eff607145a1632bdb92a43e0891a62931
vReliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
Posted Dec 23, 2019
Authored by Dan Rosenberg, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2010-3904
SHA-256 | bc46d127784cc25a8eebe3568a7dc33efb953a22d3a6de8a44f9394b892ee0c6
Grub2 grub2-set-bootflag Environment Corruption
Posted Nov 27, 2019
Authored by Tavis Ormandy, Google Security Research

Grub2 has grub2-set-bootflag setuid in the new Fedora release and has the ability to corrupt the environment.

tags | exploit
systems | linux, fedora
SHA-256 | 8b02b403cb65d197b55d479f14ebd82a934af9eca331f69bc357e66acc8a31b2
SystemTap 1.3 MODPROBE_OPTIONS Privilege Escalation
Posted Apr 19, 2019
Authored by Tavis Ormandy, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges by exploiting a vulnerability in the staprun executable included with SystemTap version 1.3. The staprun executable does not clear environment variables prior to executing modprobe, allowing an arbitrary configuration file to be specified in the MODPROBE_OPTIONS environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on: systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and systemtap 1.1-3.el5 on RHEL 5.5 (x64).

tags | exploit, arbitrary, root
systems | linux, fedora
advisories | CVE-2010-4170
SHA-256 | 57d955347310170d1a380dba46ef41462b10f297e733fec17201a3831094af3b
Linux Nested User Namespace idmap Limit Local Privilege Escalation
Posted Nov 28, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This Metasploit module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2018-18955
SHA-256 | c991b79ae898a222baf512ec75bc5ae786505466b71b6453fd873f6b5482343c
Linux Kernel Local Privilege Escalation
Posted Jul 12, 2018
Authored by Rick Larabee

Linux kernels prior to version 4.13.9 (Ubuntu 16.04/Fedora 27) local privilege escalation exploit.

tags | exploit, kernel, local
systems | linux, fedora, ubuntu
advisories | CVE-2017-16995
SHA-256 | 72887b461f9ad6058e73a276ea69a30911f90cd29b4109630d7d6c9e074102b6
DHCP Client Command Injection (DynoRoot)
Posted Jun 12, 2018
Authored by Felix Wilhelm | Site metasploit.com

This Metasploit module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

tags | exploit, arbitrary, local, root, spoof, protocol
systems | linux, redhat, fedora
advisories | CVE-2018-1111
SHA-256 | 6b992abd6eb4488b1451744ac9a29b8cfc36bb9a4b8e764995041383204e8229
Reliable Datagram Sockets (RDS) Privilege Escalation
Posted May 19, 2018
Authored by Dan Rosenberg, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in the rds_page_copy_user function in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This Metasploit module has been tested successfully on Fedora 13 (i686) with kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2010-3904
SHA-256 | a2c6557a8aad197f0270adb44eb609acd74de83e2d42b87eb9f291e7a97fe369
Libuser roothelper Privilege Escalation
Posted May 13, 2018
Authored by Brendan Coles, Qualys Security Advisory | Site metasploit.com

This Metasploit module attempts to gain root privileges on Red Hat based Linux systems, including RHEL, Fedora and CentOS, by exploiting a newline injection vulnerability in libuser and userhelper versions prior to 0.56.13-8 and version 0.60 before 0.60-7. This Metasploit module makes use of the roothelper.c exploit from Qualys to insert a new user with UID=0 in /etc/passwd. Note, the password for the current user is required by userhelper. Note, on some systems, such as Fedora 11, the user entry for the current user in /etc/passwd will become corrupted and exploitation will fail. This Metasploit module has been tested successfully on libuser packaged versions 0.56.13-4.el6 on CentOS 6.0 (x86_64); 0.56.13-5.el6 on CentOS 6.5 (x86_64); 0.60-5.el7 on CentOS 7.1-1503 (x86_64); 0.56.16-1.fc13 on Fedora 13 (i686); 0.59-1.fc19 on Fedora Desktop 19 (x86_64); 0.60-3.fc20 on Fedora Desktop 20 (x86_64); 0.60-6.fc21 on Fedora Desktop 21 (x86_64); 0.60-6.fc22 on Fedora Desktop 22 (x86_64); 0.56.13-5.el6 on Red Hat 6.6 (x86_64); and 0.60-5.el7 on Red Hat 7.0 (x86_64). RHEL 5 is vulnerable, however the installed version of glibc (2.5) is missing various functions required by roothelper.c.

tags | exploit, root
systems | linux, redhat, fedora, centos
advisories | CVE-2015-3245, CVE-2015-3246
SHA-256 | ce28cd945d7001cbd85762b794a3e30da40438ee327042dacf17e52946e63f92
MagniComp SysInfo mcsiwrapper Privilege Escalation
Posted Feb 20, 2018
Authored by Brendan Coles, Daniel Lawson, Romain Trouve | Site metasploit.com

This Metasploit module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable load path. This Metasploit module abuses this functionality to set the load path resulting in execution of arbitrary code as root. This Metasploit module has been tested successfully with SysInfo version 10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.

tags | exploit, arbitrary, x86, root
systems | linux, solaris, debian, fedora
advisories | CVE-2017-6516
SHA-256 | 809ebb68ed1aab5bb488f6d63c6c587cf594c965eb2d13367633fdff06cc093e
ABRT raceabrt Privilege Escalation
Posted Feb 15, 2018
Authored by Tavis Ormandy | Site metasploit.com

This Metasploit module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This Metasploit module uses a symlink attack on '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This Metasploit module has been tested successfully on ABRT packaged version 2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop 19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64. Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.

tags | exploit, arbitrary, local, root
systems | linux, redhat, fedora
advisories | CVE-2015-3315
SHA-256 | 01b8bf4ffa026e722d143beb159ab4a57e3e4542e56046a209e14abce7657161
glibc '$ORIGIN' Expansion Privilege Escalation
Posted Feb 10, 2018
Authored by Tavis Ormandy, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables which allows control over the $ORIGIN library search path resulting in execution of arbitrary shared objects. This Metasploit module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This Metasploit module has been tested successfully on glibc version 2.5 on CentOS 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386). RHEL 5 is reportedly affected, but untested. Some versions of ld.so hit a failed assertion in dl_open_worker causing exploitation to fail.

tags | exploit, arbitrary, root, code execution
systems | linux, fedora, centos
advisories | CVE-2010-3847
SHA-256 | 9a6bdfa99ad597fe9f9517dd0f8bdc9cdeba67fff5dacc64d849ac9bf5bfbfed
Apport / ABRT chroot Privilege Escalation
Posted Feb 3, 2018
Authored by Tavis Ormandy, Brendan Coles, StA(c)phane Graber, Ricardo F. Teixeira | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.

tags | exploit, x86, kernel, root, code execution
systems | linux, fedora, ubuntu
advisories | CVE-2015-1318
SHA-256 | 9c651a9002f5646905fcb8abdec1552897cd260c341ec403e60727c2cf691713
Linux Kernel ldso_dynamic Stack Clash Privilege Escalation
Posted Jun 30, 2017
Site qualys.com

Linux kernel ldso_dynamic stack clash privilege escalation exploit. This affects Debian 9/10, Ubuntu 14.04.5/16.04.2/17.04, and Fedora 23/24/25.

tags | exploit, kernel
systems | linux, debian, fedora, ubuntu
advisories | CVE-2017-1000366, CVE-2017-1000371
SHA-256 | 019f1ce6374470fd5095849ce9301acb133a3679244b764940a7e40a80e999df
Linux Kernel ldso_hwcap_64 Stack Clash Privilege Escalation
Posted Jun 30, 2017
Site qualys.com

Linux kernel ldso_hwcap_64 stack clash privilege escalation exploit. This affects Debian 7.7/8.5/9.0, Ubuntu 14.04.2/16.04.2/17.04, Fedora 22/25, and CentOS 7.3.1611.

tags | exploit, kernel
systems | linux, debian, fedora, ubuntu, centos
advisories | CVE-2017-1000366, CVE-2017-1000379
SHA-256 | 7c324e4c61aee597fae1e36e8fbd936e360099156578d347ef8a0c10d633cce6
Linux Kernel ldso_hwcap Stack Clash Privilege Escalation
Posted Jun 29, 2017
Site qualys.com

Linux kernel ldso_hwcap stack clash privilege escalation exploit. This affects Debian 7/8/9/10, Fedora 23/24/25, and CentOS 5.3/5.11/6.0/6.8/7.2.1511.

tags | exploit, kernel
systems | linux, debian, fedora, centos
advisories | CVE-2017-1000366, CVE-2017-1000370
SHA-256 | e3bc684fbe0cc5c683f1e0aa4b3c0294f9ee713b3f50398609a3d2677cd20406
Linux Kernel 3.x usb-midi Local Privilege Escalation
Posted May 12, 2017
Authored by Andrey Konovalov

Linux kernel version 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) double-free usb-midi SMEP local privilege escalation exploit.

tags | exploit, kernel, local
systems | linux, fedora, ubuntu
advisories | CVE-2016-2384
SHA-256 | e7882ec726796b90a0e6bf5db2b33500a6997e2fba0c1e07b3cf8985646d15b1
Linux Kernel 4.6.3 Netfilter Privilege Escalation
Posted Nov 23, 2016
Authored by h00die, vnik | Site metasploit.com

This Metasploit module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation.

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2016-4997
SHA-256 | bf300c0c899733b435995c0ef2a36f7a7f24b72ea483dc9898f85b794dba5bc8
Linux Kernel 4.6.3 Netfilter Privilege Escalation
Posted Sep 27, 2016
Authored by h00die, vnik | Site metasploit.com

This Metasploit module attempts to exploit a netfilter bug on Linux Kernels befoe 4.6.3, and currently only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic. Several conditions have to be met for successful exploitation: Ubuntu: 1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such) 2. libc6-dev-i386 (ubuntu), glibc-devel.i686

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2016-4997
SHA-256 | 3ed3279ffabc1d769fe51805e802f0af5a86f32107a739ee1f3f3ec23f7e3010
CentOS 7.1 / Fedora 22 abrt Local Root
Posted Dec 1, 2015
Authored by rebel

CentOS version 7.1 and Fedora version 22 abrt local root exploit. It leverages abrt-hook-ccpp insecure open() usage and abrt-action-install-debuginfo insecure temp directory usage.

tags | exploit, local, root
systems | linux, fedora, centos
advisories | CVE-2015-5273, CVE-2015-5287
SHA-256 | 2e6ff628343956da9862f4ece546ad0fa5bec7f2f3e42781031bd4c8eee3ff37
Page 1 of 68
Back12345Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close