Log4j remote code execution exploit with a trick to bypass words blocking patches. Works on Log4j versions 2.14.1 and below.
de7380eb6b3fc4c49f27978b8a6c7f1adef40597e054a9798db4c61a23e7311f
This Metasploit module exploit targets the Linux kernel bug in OverlayFS. A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.
6c56ce8217d90e114635700a314b8fcfb2c5a11cfda46c96a6c0e2d713c433bb
Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This Metasploit module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit. This Metasploit module is a generic scanner and is only capable of identifying instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include HTTP headers and the HTTP request path. Known impacted software includes Apache Struts 2, VMWare VCenter, Apache James, Apache Solr, Apache Druid, Apache JSPWiki, Apache OFBiz.
0c99025a240dc811b182feb7d9c9d3253b1e32fb38ca51be4415745de5402484
This Metasploit module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.
6a4a44bfa015ee1e424da3c229e217a013236f2eec5a985ec1f2d2bbef888f5f
This Metasploit module checks the provided hosts for the CVE-2023-21554 vulnerability by sending a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that overflows the given buffer. On patched systems, the error is caught and no response is sent back. On vulnerable systems, the integer wraps around and depending on the length could cause an out-of-bounds write. In the context of this module a response is sent back, which indicates that the system is vulnerable.
a0cddadb1a675fdce4af377d71ed784a8906286c13da03dac1d38aa7dce5ef6b
This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as a user from which the SMDAgent service starts, usually the daaadm.
d3cd670695bc394e4f3ed861de2d7c717dac789ada16fbb0c7c9e1612d66ab86
This Metasploit module leverages an unauthenticated web service to submit a job which will create a user with a specified role. The job involves running a wizard. After the necessary action is taken, the job is canceled to avoid unnecessary system changes.
9d4da8f09f54ec6089b8460657fec4b370a7fd9f0d3af4a870972933d253c5aa
This Metasploit module exploits a privilege escalation vulnerability in Active Directory Certificate Services (ADCS) to generate a valid certificate impersonating the Domain Controller (DC) computer account. This certificate is then used to authenticate to the target as the DC account using PKINIT preauthentication mechanism. The module will get and cache the Ticket-Granting-Ticket (TGT) for this account along with its NTLM hash. Finally, it requests a TGS impersonating a privileged user (Administrator by default). This TGS can then be used by other modules or external tools.
4711426ef94613fcb75202051eeb6967ed730af89bad38174d480f454b5faee3
A vulnerability exists within the Netlogon authentication process where the security properties granted by AES are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This Metasploit module leverages the vulnerability to reset the machine account password to an empty string, which will then allow the attacker to authenticate as the machine account. After exploitation, its important to restore this password to its original value. Failure to do so can result in service instability.
2e8cb0b33fee94cb76487f48c8612ae293bf93023140f19faf6766dfb2245f0e
This exploit finds the HMAC secret key used in Java serialization by Apache Tapestry. This key is located in the file AppModule.class by default and looks like the standard representation of UUID in hex digits (hd) : 6hd-4hd-4hd-4hd-12hd If the HMAC key has been changed to look differently, this module wont find the key because it tries to download the file and then uses a specific regex to find the key.
b1c7d62902e4bda90669843700bef91f0006f013f404b5ebf2f2d9ae7a80eaf5
Log4j 2.15.0 was released to address the widely reported JNDI Remote Code Execution (RCE) (CVE-2021-44228) vulnerability in Log4j. Shortly thereafter, 2.16.0 was released to address a Denial of Service (DoS) vulnerability (CVE-2021-45046). When examining the 2.15.0 release, Google security engineers found several issues with the Log4j 2.15.0 patch that showed that the severity of the issue addressed in 2.16 was in fact worse than initially understood. This is Google's proof of concept exploit.
c42c53b6fbd06585bd6895ecad8dddaa20237bb0cbb68646781ab1bf7e1461f2
Gentoo Linux Security Advisory 202402-16 - Multiple vulnerabilities have been discovered in Apache Log4j, the worst of which can lead to remote code execution. Versions less than or equal to 1.2.17 are affected.
79e0825715a2197c39850bba10de0d238187f4c93dcdf24c6b31b702cdb3131e
Gentoo Linux Security Advisory 202312-4 - A vulnerability has been found in Arduino which bundled a vulnerable version of log4j. Versions greater than or equal to 1.8.19 are affected.
e4428c05137adffbade83bd759fdfe5d40fde795984ac72eea694343c5ca0031
Gentoo Linux Security Advisory 202310-16 - A vulnerability has been discovered in unifi where bundled log4j can facilitate a remote code execution Versions greater than or equal to 6.5.55 are affected.
5602a819c766f09b96f00fbf929733dc41ef5cd1fb0f160a5790513002ec5cc2
Proof of concept remote code execution exploit that demonstrates a vulnerability in the Chrome renderer sandbox by simply visiting a malicious website.
0bef9994895034465485b3ccc1c259c22c1bde140f7e3d288d935477095db1e7
Proof of concept exploit for an information leak vulnerability in the Qualcomm Adreno GPU. The bug can be used to leak information in other user apps, as well as in the kernel from an untrusted app. The directory adreno_user contains a proof-of-concept for leaking memory from other applications. It will repeatedly trigger the bug and read the stale information contained in memory pages.
14a7bc813fbfd5b0814582d935ba39c5649faf3bc3609e054c88db47e4159c41
Proof of concept exploit for Android on Arm Mali GPU with a kernel driver bug that can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root. The exploit is tested on the Google Pixel 6 with the November 2022 and January 2023 patch.
1c81e6cc4abcfe0ecb1417d1ee980963d887a2109472ab157bbd2c2fa62921ef
Proof of concept exploit for the Arm Mali GPU that can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root. The exploit is tested on the Google Pixel 6. The original exploit that was sent to Google is included as hello-jni.c as a reference and was tested on the July 2022 patch of the Pixel 6. Due to the fact that Pixel 6 cannot be downgraded from Android 13 to Android 12, an updated version of the exploit, mali_shrinker_mmap.c is included, which supports various firmware in Android 13, including the December patch, which is the latest affected version.
bc50f9e9f9fe69b36613124dc79ca07e6c6523713f3c1192a6204b4ec7783f2c
Proof of concept exploit for a memory corruption vulnerability in the Arm Mali GPU kernel driver that was reported in January of 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root. The exploit is tested on the Google Pixel 6 and supports patch levels from November 2021 to February 2022. It is easy to add support for other firmware by changing a few image offsets.
66eea2398301c881c76dc1359392bb4e7585bacb1998c8e4de619ba964588857
Ubuntu Security Notice 5998-1 - It was discovered that the SocketServer component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM. It was discovered that the JMSSink component of Apache Log4j 1.2 incorrectly handled deserialization. An attacker could possibly use this issue to execute arbitrary code.
0e9670eb797b9ec131a46bb75f321c8da3450087baa95b89a755d534ca79e9f4
This Metasploit module demonstrates how an incorrect access control for the Lenovo Diagnostics Driver allows a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory reads and writes.
4d81e8f2ae72805082f511a1afa0427bff321c86d10fa56019672dac926e51f8
This Metasploit module exploits a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes. This exploit will spawn SUID programs to get the freed cred object reallocated by a privileged process and abuse them to create a SUID root binary that will pop a shell. The dangling cred pointer will, however, lead to a kernel panic as soon as the task terminates and its credentials are destroyed. We therefore detach from the controlling terminal, block all signals and rest in silence until the system shuts down and we get killed hard, just to cry in vain, seeing the kernel collapse. The bug affected kernels from v5.12-rc3 to v5.14-rc7. More than 1 CPU is required for exploitation. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.
ddab5b3975fc82e2a23c5e4e05a57af4893abfbc613df02d507c1013c62dc088
The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.
566ceaa70e7ce9a3bd9825a0b7a97b644b608fe05fd23b30746e3017a5408ae6
Red Hat Security Advisory 2022-5053-01 - Log4j is a tool to help the programmer output log statements to a variety of output targets. Issues addressed include a deserialization vulnerability.
d6aae2486a87548e2da8656185a8bb2c62d41cf92abd190bf4dbc8bea522c0e8
The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.
1720ad267b345d6b91409cdb01c0ab129fc9f485ac71c4c4a816698bd6351239
This Metasploit module exploits a vulnerability in the Linux Kernel's watch_queue event notification system. It relies on a heap out-of-bounds write in kernel memory. The exploit may fail on the first attempt so multiple attempts may be needed. Note that the exploit can potentially cause a denial of service if multiple failed attempts occur, however this is unlikely.
b59181d9b536ad31ebdc6b3f83985c65e49fbe3242468f7709e7bb7a2d4b1e5f