Twenty Year Anniversary
Showing 1 - 25 of 3,114 RSS Feed

Root Files

Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Posted Nov 13, 2018
Authored by Pedro Ribeiro | Site metasploit.com

Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing. The file upload vulnerability should have been fixed in versions 3.4.1 and 3.3.1 Update 02.

tags | exploit, remote, root, vulnerability, code execution, file upload
systems | cisco
advisories | CVE-2018-15379
MD5 | 2c9170145359581c4c8d1c13f564bce3
Ubuntu Security Notice USN-3816-1
Posted Nov 13, 2018
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3816-1 - Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. Jann Horn discovered a race condition in chown_one. A local attacker could potentially exploit this by setting arbitrary permissions on certain files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. Various other issues were also addressed.

tags | advisory, arbitrary, local, root
systems | linux, ubuntu
advisories | CVE-2018-15686, CVE-2018-15687, CVE-2018-6954
MD5 | 0d1d149d094bc787a61b8d9a8420e7bb
Dell OpenManage Network Manager 6.2.0.51 SP3 Privilege Escalation
Posted Nov 6, 2018
Authored by Matthew Bergin | Site korelogic.com

Dell OpenManage Network Manager exposes a MySQL listener that can be accessed with default credentials. This MySQL service is running as the root user, so an attacker can exploit this configuration to, e.g., deploy a backdoor and escalate privileges into the root account.

tags | exploit, root
advisories | CVE-2018-15767, CVE-2018-15768
MD5 | 9296a80d1fafbfc2dd325ed3e1388fce
EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 Hard-Coded Credentails
Posted Oct 31, 2018
Authored by James Hemmings

EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 suffers from having hard-coded root SSH credentials.

tags | exploit, root
advisories | CVE-2018-10532
MD5 | 74d336172195e25186c5df5d4e7c0604
Ubuntu Security Notice USN-3802-1
Posted Oct 27, 2018
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3802-1 - Narendra Shinde discovered that the X.Org X server incorrectly handled certain command line parameters when running as root with the legacy wrapper. When certain graphics drivers are being used, a local attacker could possibly use this issue to overwrite arbitrary files and escalate privileges.

tags | advisory, arbitrary, local, root
systems | linux, ubuntu
advisories | CVE-2018-14665
MD5 | 80f70d72f03779fe81b0034effbe13c1
xorg-x11-server Local Root
Posted Oct 25, 2018
Authored by infodox

xorg-x11-server versions prior to 1.20.3 local root exploit.

tags | exploit, local, root
advisories | CVE-2018-14665
MD5 | 0cfe0a9fcf4939ea10fe0f53904f85b6
WiFiRanger 7.0.8rc3 Incorrect Access Control / Privilege Escalation
Posted Oct 19, 2018
Authored by Mitchel Jordan

WiFiRanger version 7.0.8rc3 suffers from an incorrect access control that allows for ftp retrieval of an RSA identity that an attacker can use to ssh in as root.

tags | exploit, root
advisories | CVE-2018-17873
MD5 | 301d05eb6ae49dff97112c3a73c88308
Solaris RSH Stack Clash Privilege Escalation
Posted Oct 15, 2018
Authored by Brendan Coles, Qualys Security Advisory | Site metasploit.com

This Metasploit module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This Metasploit module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This Metasploit module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. This Metasploit module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).

tags | exploit, shell, x86, root
systems | solaris
advisories | CVE-2017-1000364, CVE-2017-3629, CVE-2017-3630, CVE-2017-3631
MD5 | 91b277586c77a3c37e33c0ac990f0483
FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root
Posted Oct 15, 2018
Authored by LiquidWorm | Site zeroscience.mk

The FLIR AX8 thermal sensor camera version 1.32.16 suffers from two unauthenticated command injection vulnerabilities. The issues can be triggered when calling multiple unsanitized HTTP GET/POST parameters within the shell_exec function in res.php and palette.php file. This can be exploited to inject arbitrary system commands and gain root remote code execution.

tags | exploit, remote, web, arbitrary, root, php, vulnerability, code execution
MD5 | d06114bdae6c5e38a699adb6567a8ba2
Teltonika RUT9XX Missing Access Control To UART Root Terminal
Posted Oct 12, 2018
Authored by David Gnedt | Site sba-research.org

Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.

tags | exploit, arbitrary, root
advisories | CVE-2018-17534
MD5 | 86bab5d22be82eacf0714c8c19138b14
Teltonika RUT9XX Unauthenticated OS Command Injection
Posted Oct 12, 2018
Authored by David Gnedt | Site sba-research.org

Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.

tags | exploit, remote, arbitrary, cgi, root, vulnerability
advisories | CVE-2018-17532
MD5 | 8a6dc3eb56196849d5108968e9b04d85
Mikrotik RouterOS Remote Root
Posted Oct 10, 2018
Authored by Jacob Baines

Mikrotik RouterOS versions 6.x suffer from a remote root code execution vulnerability.

tags | exploit, remote, root, code execution
advisories | CVE-2018-14847
MD5 | 65309fd018c6146c4490eff9ff55b2f5
ifwatchd Privilege Escalation
Posted Oct 8, 2018
Authored by Tim Brown, Brendan Coles, cenobyte | Site metasploit.com

This Metasploit module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).

tags | exploit, arbitrary, x86, root
advisories | CVE-2014-2533
MD5 | 7a562f56fafb417de6cf725f6b38c71d
Cisco Prime Infrastructure Unauthenticated Remote Code Execution
Posted Oct 8, 2018
Authored by Pedro Ribeiro | Site metasploit.com

Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing.

tags | exploit, remote, root, vulnerability, code execution, file upload
systems | cisco
advisories | CVE-2018-15379
MD5 | 05f34986eb4c21ba7fbb27faa2f9bc8f
Unitrends UEB HTTP API Remote Code Execution
Posted Oct 5, 2018
Authored by h00die, Benny Husted, Cale Smith, Jared Arave | Site metasploit.com

It was discovered that the api/storage web interface in Unitrends Backup (UB) before 10.0.0 has an issue in which one of its input parameters was not validated. A remote attacker could use this flaw to bypass authentication and execute arbitrary commands with root privilege on the target system. UEB v9 runs the api under root privileges and api/storage is vulnerable. UEB v10 runs the api under limited privileges and api/hosts is vulnerable.

tags | exploit, remote, web, arbitrary, root
advisories | CVE-2017-12478, CVE-2018-6328
MD5 | a0e08b19c154dc12f718909d936f193c
Solaris EXTREMEPARR dtappgather Privilege Escalation
Posted Sep 25, 2018
Authored by Brendan Coles, Hacker Fantastic, Shadow Brokers | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability in the dtappgather executable included with Common Desktop Environment (CDE) on unpatched Solaris systems prior to Solaris 10u11 which allows users to gain root privileges. dtappgather allows users to create a user-owned directory at any location on the filesystem using the DTUSERSESSION environment variable. This Metasploit module creates a directory in /usr/lib/locale, writes a shared object to the directory, and runs the specified SUID binary with the shared object loaded using the LC_TIME environment variable. This Metasploit module has been tested successfully on: Solaris 9u7 (09/04) (x86); Solaris 10u1 (01/06) (x86); Solaris 10u2 (06/06) (x86); Solaris 10u4 (08/07) (x86); Solaris 10u8 (10/09) (x86); Solaris 10u9 (09/10) (x86).

tags | exploit, x86, root
systems | solaris
advisories | CVE-2017-3622
MD5 | f10a9baa72d2639e9298d5dc6fb5e7c2
Solaris libnspr NSPR_LOG_FILE Privilege Escalation
Posted Sep 18, 2018
Authored by Marco Ivaldi, Brendan Coles | Site metasploit.com

This Metasploit module exploits an arbitrary file write vulnerability in the Netscape Portable Runtime library (libnspr) on unpatched Solaris systems prior to Solaris 10u3 which allows users to gain root privileges. libnspr versions prior to 4.6.3 allow users to specify a log file with the `NSPR_LOG_FILE` environment variable. The log file is created with the privileges of the running process, resulting in privilege escalation when used in combination with a SUID executable. This Metasploit module writes a shared object to the trusted library directory `/usr/lib/secure` and runs the specified SUID binary with the shared object loaded using the `LD_LIBRARY_PATH` environment variable. This Metasploit module has been tested successfully with libnspr version 4.5.1 on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).

tags | exploit, arbitrary, x86, root
systems | solaris
advisories | CVE-2006-4842
MD5 | 0f80a93992c7fdfbc617a2b680a3059e
HiScout GRC Suite File Upload
Posted Sep 13, 2018
Authored by Sebastian Auwaerter

HiScout GRC Suite versions prior to 3.1.5 suffer from a file upload vulnerability. An authenticated attacker with the permission to edit or add a "WebSiteElement" to the "content" pages is able to upload any file with any file extension to the data directory of the application. This directory is in the web root and the uploaded file is executed on the server if ".aspx" is chosen as the file extension and if the file contains aspx source code. Any commands can be executed with the permissions of the web server user on the server by exploiting this vulnerability.

tags | exploit, web, root, file upload
advisories | CVE-2018-16796
MD5 | a35fd22828c02d235e1b374dd87de2af
Network Manager VPNC Username Privilege Escalation
Posted Aug 31, 2018
Authored by Brendan Coles, Denis Andzakovic | Site metasploit.com

This Metasploit module exploits an injection vulnerability in the Network Manager VPNC plugin to gain root privileges. This Metasploit module uses a new line injection vulnerability in the configured username for a VPN network connection to inject a `Password helper` configuration directive into the connection configuration. The specified helper is executed by Network Manager as root when the connection is started. Network Manager VPNC versions prior to 1.2.6 are vulnerable. This Metasploit module has been tested successfully with VPNC versions: 1.2.4-4 on Debian 9.0.0 (x64); and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).

tags | exploit, root
systems | linux, debian, ubuntu
advisories | CVE-2018-10900
MD5 | 37f40fef98e4c4b4a836d2e93622bc7f
Mandos Encrypted File System Unattended Reboot Utility 1.7.20
Posted Aug 20, 2018
Authored by Teddy | Site fukt.bsnet.se

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

Changes: Various updates.
tags | tool, remote, root
systems | linux, unix
MD5 | 0bba68e11c8427696515793eaef2d6cc
Linux/x64 Add Root User (toor/toor) Shellcode
Posted Aug 13, 2018
Authored by epi

99 bytes small Linux/x64 add root user (toor/toor) shellcode.

tags | root, shellcode
systems | linux
MD5 | 9775537f5f6c148127aac7a712b5fdbb
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Posted Aug 3, 2018
Authored by h00die, Brendan Coles, Andrey Konovalov | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing UDP Fragmentation Offload (UFO). This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels 4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros based on Ubuntu, such as Linux Mint. The target system must have unprivileged user namespaces enabled and SMAP disabled. Bypasses for SMEP and KASLR are included. Failed exploitation may crash the kernel. This Metasploit module has been tested successfully on various Ubuntu and Linux Mint systems, including: Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop; Ubuntu 16.04 4.8.0-53-generic; Linux Mint 17.3 4.4.0-89-generic; Linux Mint 18 4.8.0-58-generic

tags | exploit, kernel, root, udp
systems | linux, ubuntu
advisories | CVE-2017-1000112
MD5 | 365cc8e31e8378f416a359810066fcda
Sun Solaris 11.3 AVS Local Kernel Root
Posted Aug 2, 2018
Authored by mu-b

Sun Solaris versions 10 and 11.3 and below local kernel root exploit.

tags | exploit, kernel, local, root
systems | solaris
advisories | CVE-2018-2892
MD5 | e87115e82276d32408f82a68e1b2de6f
SecureSphere 12.0.0.50 SealMode Shell Escape
Posted Aug 2, 2018
Authored by 0x09AL | Site metasploit.com

This Metasploit module exploits a vulnerability in SecureSphere cli to escape the sealed-mode of Imperva and execute code as the root user. This Metasploit module requires credentials of a user to login to the SSH or can be exploited by a less privileged user.

tags | exploit, root
MD5 | dc4e5753e6a22352b8fc80287a6a39a8
CoSoSys Endpoint Protector 4.5.0.1 Remote Root Command Injection
Posted Aug 2, 2018
Authored by 0x09AL

CoSoSys Endpoint Protector version 4.5.0.1 suffers from an authenticated remote root command injection vulnerability.

tags | exploit, remote, root
MD5 | 55e44da31aa68dc41af25b68ebbeb0bb
Page 1 of 125
Back12345Next

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    45 Files
  • 16
    Nov 16th
    11 Files
  • 17
    Nov 17th
    1 Files
  • 18
    Nov 18th
    1 Files
  • 19
    Nov 19th
    3 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close