exploit the possibilities
Showing 1 - 25 of 3,125 RSS Feed

Root Files

blueman set_dhcp_handler D-Bus Privilege Escalation
Posted Jan 16, 2019
Authored by The Grugq, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges by exploiting a Python code injection vulnerability in blueman versions prior to 2.0.3. The org.blueman.Mechanism.EnableNetwork D-Bus interface exposes the set_dhcp_handler function which uses user input in a call to eval, without sanitization, resulting in arbitrary code execution as root. This module has been tested successfully with blueman version 1.23 on Debian 8 Jessie (x64).

tags | exploit, arbitrary, root, code execution, python
systems | linux, debian
advisories | CVE-2015-8612
MD5 | 733a4a54285c7ff07e42208a0ada25be
Mailcleaner Remote Code Execution
Posted Jan 8, 2019
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an operating system command under the context of the web server user which is root. /admin/managetracing/search/search endpoint takes several user inputs and then pass them to the internal service which is responsible for executing operating system command. One of the user input is being passed to the service without proper validation. That cause a command injection vulnerability.

tags | exploit, web, root
advisories | CVE-2018-20323
MD5 | 385bd5fbbfdc9bc89d35cc72bfbbbe12
Debian Security Advisory 4356-1
Posted Dec 20, 2018
Authored by Debian | Site debian.org

Debian Linux Security Advisory 4356-1 - Jacob Baines discovered a flaw in the handling of the DSI Opensession command in Netatalk, an implementation of the AppleTalk Protocol Suite, allowing an unauthenticated user to execute arbitrary code with root privileges.

tags | advisory, arbitrary, root, protocol
systems | linux, debian
advisories | CVE-2018-1160
MD5 | 9de55ea3fc805ca7f3f0c1fd3e1fd942
Mikrotik RouterOS Telnet Arbitrary Root File Creation
Posted Dec 14, 2018
Authored by Hacker Fantastic

An exploitable arbitrary file creation weakness has been identified in Mikrotik RouterOS that can be leveraged by a malicious attacker to exploit all known versions of Mikrotik RouterOS. The RouterOS contains a telnet client based on GNU inetutils with modifications to remove shell subsystem. However an attacker can leverage the "set tracefile" option to write an arbitrary file into any "rw" area of the filesystem, escaping the restricted shell to gain access to a "ash" busybox shell on some versions. The file is created with root privileges regardless of the RouterOS defined group.

tags | exploit, arbitrary, shell, root
MD5 | 3572fecc2d0fb3043e6bd86755fb6b8a
FreeBSD Security Advisory - FreeBSD-SA-18:14.bhyve
Posted Dec 6, 2018
Authored by Reno Robert | Site security.freebsd.org

FreeBSD Security Advisory - Insufficient bounds checking in one of the device models provided by bhyve(8) can permit a guest operating system to overwrite memory in the bhyve(8) processing possibly permitting arbitrary code execution. A guest OS using a firmware image can cause the bhyve process to crash, or possibly execute arbitrary code on the host as root.

tags | advisory, arbitrary, root, code execution
systems | freebsd, bsd
advisories | CVE-2018-17160
MD5 | 7dc5a9cc50e7bfcc59073a947a869ea7
Emacs movemail Privilege Escalation
Posted Dec 4, 2018
Authored by wvu, Cliff Stoll, Markus Hess | Site metasploit.com

This Metasploit module exploits a SUID installation of the Emacs movemail utility to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local. The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.

tags | exploit, local, root
MD5 | 20bfe67322d67a400db20aaa251d6ccc
Unitrends Enterprise Backup bpserverd Privilege Escalation
Posted Nov 28, 2018
Authored by h00die, Benny Husted, Cale Smith, Jared Arave | Site metasploit.com

It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the localhost by dropping a python script on the local file system. Unitrends stopped bpserverd from listening remotely on version 10.

tags | exploit, remote, arbitrary, local, root, protocol, python
systems | linux
advisories | CVE-2018-6329
MD5 | 169be3643a7a30d9a8e1cb203cbc2994
Linux Nested User Namespace idmap Limit Local Privilege Escalation
Posted Nov 28, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in Linux kernels 4.15.0 to 4.18.18, and 4.19.0 to 4.19.1, where broken uid/gid mappings between nested user namespaces and kernel uid/gid mappings allow elevation to root (CVE-2018-18955). The target system must have unprivileged user namespaces enabled and the newuidmap and newgidmap helpers installed (from uidmap package). This Metasploit module has been tested successfully on: Fedora Workstation 28 kernel 4.16.3-301.fc28.x86_64; Kubuntu 18.04 LTS kernel 4.15.0-20-generic (x86_64); Linux Mint 19 kernel 4.15.0-20-generic (x86_64); Ubuntu Linux 18.04.1 LTS kernel 4.15.0-20-generic (x86_64).

tags | exploit, kernel, root
systems | linux, fedora, ubuntu
advisories | CVE-2018-18955
MD5 | bcf9a7b1fda21bc456a3d65c534bf1af
Mac OS X libxpc MITM Privilege Escalation
Posted Nov 28, 2018
Authored by saelo | Site metasploit.com

This Metasploit module exploits a vulnerability in libxpc on macOS versions 10.13.3 and below. The task_set_special_port API allows callers to overwrite their bootstrap port, which is used to communicate with launchd. This port is inherited across forks: child processes will use the same bootstrap port as the parent. By overwriting the bootstrap port and forking a child processes, we can now gain a MitM position between our child and launchd. To gain root we target the sudo binary and intercept its communication with opendirectoryd, which is used by sudo to verify credentials. We modify the replies from opendirectoryd to make it look like our password was valid.

tags | exploit, root
advisories | CVE-2018-4237
MD5 | 45269b24778bad6f66dc74a38caefbe2
Xorg X11 Server SUID Privilege Escalation
Posted Nov 25, 2018
Authored by Narendra Shinde, Raptor, Aaron Ringo | Site metasploit.com

This Metasploit module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 up to 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This Metasploit module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708). CentOS default install will require console auth for the users session. Cron launches the payload so if Selinux is enforcing exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if running. On exploitation a crontab.old backup file will be created by Xorg. This Metasploit module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation artifacts will be created consistent with starting Xorg and running a cron.

tags | exploit, arbitrary, root
systems | linux, openbsd, centos
advisories | CVE-2018-14665
MD5 | 3bc1656931b4d8bbac2d3b28656c2582
Ubuntu Security Notice USN-3816-2
Posted Nov 20, 2018
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3816-2 - USN-3816-1 fixed several vulnerabilities in systemd. However, the fix for CVE-2018-6954 was not sufficient. This update provides the remaining fixes. Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. Jann Horn discovered a race condition in chown_one. A local attacker could potentially exploit this by setting arbitrary permissions on certain files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. It was discovered that systemd-tmpfiles mishandled symlinks in non-terminal path components. A local attacker could potentially exploit this by gaining ownership of certain files to obtain root privileges. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Various other issues were also addressed.

tags | advisory, arbitrary, local, root, vulnerability
systems | linux, ubuntu
advisories | CVE-2018-15686, CVE-2018-15687, CVE-2018-6954
MD5 | 90d52b61ecc5f6f5a4a47d93591f9c28
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Posted Nov 13, 2018
Authored by Pedro Ribeiro | Site metasploit.com

Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. The file upload vulnerability should have been fixed in versions 3.4.1 and 3.3.1 Update 02.

tags | exploit, remote, root, vulnerability, code execution, file upload
systems | cisco
advisories | CVE-2018-15379
MD5 | 2c9170145359581c4c8d1c13f564bce3
Ubuntu Security Notice USN-3816-1
Posted Nov 13, 2018
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3816-1 - Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. Jann Horn discovered a race condition in chown_one. A local attacker could potentially exploit this by setting arbitrary permissions on certain files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. Various other issues were also addressed.

tags | advisory, arbitrary, local, root
systems | linux, ubuntu
advisories | CVE-2018-15686, CVE-2018-15687, CVE-2018-6954
MD5 | 0d1d149d094bc787a61b8d9a8420e7bb
Dell OpenManage Network Manager 6.2.0.51 SP3 Privilege Escalation
Posted Nov 6, 2018
Authored by Matthew Bergin | Site korelogic.com

Dell OpenManage Network Manager exposes a MySQL listener that can be accessed with default credentials. This MySQL service is running as the root user, so an attacker can exploit this configuration to, e.g., deploy a backdoor and escalate privileges into the root account.

tags | exploit, root
advisories | CVE-2018-15767, CVE-2018-15768
MD5 | 9296a80d1fafbfc2dd325ed3e1388fce
EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 Hard-Coded Credentails
Posted Oct 31, 2018
Authored by James Hemmings

EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 suffers from having hard-coded root SSH credentials.

tags | exploit, root
advisories | CVE-2018-10532
MD5 | 74d336172195e25186c5df5d4e7c0604
Ubuntu Security Notice USN-3802-1
Posted Oct 27, 2018
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3802-1 - Narendra Shinde discovered that the X.Org X server incorrectly handled certain command line parameters when running as root with the legacy wrapper. When certain graphics drivers are being used, a local attacker could possibly use this issue to overwrite arbitrary files and escalate privileges.

tags | advisory, arbitrary, local, root
systems | linux, ubuntu
advisories | CVE-2018-14665
MD5 | 80f70d72f03779fe81b0034effbe13c1
xorg-x11-server Local Root
Posted Oct 25, 2018
Authored by infodox

xorg-x11-server versions prior to 1.20.3 local root exploit.

tags | exploit, local, root
advisories | CVE-2018-14665
MD5 | 0cfe0a9fcf4939ea10fe0f53904f85b6
WiFiRanger 7.0.8rc3 Incorrect Access Control / Privilege Escalation
Posted Oct 19, 2018
Authored by Mitchel Jordan

WiFiRanger version 7.0.8rc3 suffers from an incorrect access control that allows for ftp retrieval of an RSA identity that an attacker can use to ssh in as root.

tags | exploit, root
advisories | CVE-2018-17873
MD5 | 301d05eb6ae49dff97112c3a73c88308
Solaris RSH Stack Clash Privilege Escalation
Posted Oct 15, 2018
Authored by Brendan Coles, Qualys Security Advisory | Site metasploit.com

This Metasploit module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This Metasploit module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This Metasploit module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. This Metasploit module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).

tags | exploit, shell, x86, root
systems | solaris
advisories | CVE-2017-1000364, CVE-2017-3629, CVE-2017-3630, CVE-2017-3631
MD5 | 91b277586c77a3c37e33c0ac990f0483
FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root
Posted Oct 15, 2018
Authored by LiquidWorm | Site zeroscience.mk

The FLIR AX8 thermal sensor camera version 1.32.16 suffers from two unauthenticated command injection vulnerabilities. The issues can be triggered when calling multiple unsanitized HTTP GET/POST parameters within the shell_exec function in res.php and palette.php file. This can be exploited to inject arbitrary system commands and gain root remote code execution.

tags | exploit, remote, web, arbitrary, root, php, vulnerability, code execution
MD5 | d06114bdae6c5e38a699adb6567a8ba2
Teltonika RUT9XX Missing Access Control To UART Root Terminal
Posted Oct 12, 2018
Authored by David Gnedt | Site sba-research.org

Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.

tags | exploit, arbitrary, root
advisories | CVE-2018-17534
MD5 | 86bab5d22be82eacf0714c8c19138b14
Teltonika RUT9XX Unauthenticated OS Command Injection
Posted Oct 12, 2018
Authored by David Gnedt | Site sba-research.org

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.

tags | exploit, remote, arbitrary, cgi, root, vulnerability
advisories | CVE-2018-17532
MD5 | 8a6dc3eb56196849d5108968e9b04d85
Mikrotik RouterOS Remote Root
Posted Oct 10, 2018
Authored by Jacob Baines

Mikrotik RouterOS versions 6.x suffer from a remote root code execution vulnerability.

tags | exploit, remote, root, code execution
advisories | CVE-2018-14847
MD5 | 65309fd018c6146c4490eff9ff55b2f5
ifwatchd Privilege Escalation
Posted Oct 8, 2018
Authored by Tim Brown, Brendan Coles, cenobyte | Site metasploit.com

This Metasploit module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).

tags | exploit, arbitrary, x86, root
advisories | CVE-2014-2533
MD5 | 7a562f56fafb417de6cf725f6b38c71d
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Posted Oct 8, 2018
Authored by Pedro Ribeiro | Site metasploit.com

Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing.

tags | exploit, remote, root, vulnerability, code execution, file upload
systems | cisco
advisories | CVE-2018-15379
MD5 | 05f34986eb4c21ba7fbb27faa2f9bc8f
Page 1 of 125
Back12345Next

File Archive:

January 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    15 Files
  • 2
    Jan 2nd
    15 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    1 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    24 Files
  • 8
    Jan 8th
    15 Files
  • 9
    Jan 9th
    16 Files
  • 10
    Jan 10th
    23 Files
  • 11
    Jan 11th
    17 Files
  • 12
    Jan 12th
    3 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    33 Files
  • 16
    Jan 16th
    23 Files
  • 17
    Jan 17th
    13 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close