what you don't know can hurt you
Showing 1 - 25 of 3,325 RSS Feed

Root Files

VyOS restricted-shell Escape / Privilege Escalation
Posted Sep 21, 2020
Authored by Brendan Coles, Rich Mirch | Site metasploit.com

This Metasploit module exploits command injection vulnerabilities and an insecure default sudo configuration on VyOS versions 1.0.0 through 1.1.8 to execute arbitrary system commands as root. VyOS features a restricted-shell system shell intended for use by low privilege users with operator privileges. This module exploits a vulnerability in the telnet command to break out of the restricted shell, then uses sudo to exploit a command injection vulnerability in /opt/vyatta/bin/sudo-users/vyatta-show-lldp.pl to execute commands with root privileges. This module has been tested successfully on VyOS 1.1.8 amd64 and VyOS 1.0.0 i386.

tags | exploit, arbitrary, shell, root, vulnerability
advisories | CVE-2018-18556
MD5 | 3d5d65d5e0f254ce3c9343e508e95b9d
TP-Link Cloud Cameras NCXXX Bonjour Command Injection
Posted Sep 18, 2020
Authored by Pietro Oliva | Site metasploit.com

TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation. NC210 devices are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.

tags | exploit, arbitrary, shell, cgi, root, code execution
advisories | CVE-2020-12109
MD5 | 65581bfcfd69f6bd2c8b8917eda921c4
Mida Solutions eFramework ajaxreq.php Command Injection
Posted Sep 16, 2020
Authored by Brendan Coles, elbae | Site metasploit.com

This Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.

tags | exploit, arbitrary, root, php
advisories | CVE-2020-15920
MD5 | 1b7215ff6d3355202c2e796fb94a2cac
macOS cfprefsd Arbitrary File Write / Local Privilege Escalation
Posted Sep 7, 2020
Authored by timwr, Insu Yun, Taesoo Kim, Jungwon Lim, Yonghwi Jin | Site metasploit.com

This Metasploit module exploits an arbitrary file write in cfprefsd on macOS versions 10.15.4 and below in order to run a payload as root. The CFPreferencesSetAppValue function, which is reachable from most unsandboxed processes, can be exploited with a race condition in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login a user can then login as root with the login root command without a password.

tags | exploit, arbitrary, root
advisories | CVE-2020-9839
MD5 | 5bc27419d79ae20808b9b53825a1e970
Bagisto Credential Disclosure
Posted Sep 1, 2020
Authored by devsecweb

As of 2020/09/01, all versions of Bagisto appear to leak database and email server credentials in the document root.

tags | exploit, root, info disclosure
MD5 | 7fc061d5cf8581a756c5a61f9a15896f
Gentoo Linux Security Advisory 202008-09
Posted Aug 25, 2020
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202008-9 - Multiple Shadow utilities were installed with setuid permissions, allowing possible root privilege escalation. Versions less than 4.8-r3 are affected.

tags | advisory, root
systems | linux, gentoo
advisories | CVE-2019-19882
MD5 | 89ef1f3b3f4055369defb4ce1615cc72
Eibiz i-Media Server Digital Signage 3.8.0 File Path Traversal
Posted Aug 21, 2020
Authored by LiquidWorm | Site zeroscience.mk

Eibiz i-Media Server Digital Signage version 3.8.0 is affected by a directory traversal vulnerability. An unauthenticated remote attacker can exploit this to view the contents of files located outside of the server's root directory. The issue can be triggered through the oldfile GET parameter.

tags | exploit, remote, root
MD5 | 48bcb45f0b05d6750b03ec9ce8698dc6
Bypassing Certificate Pinning In Modern Android Application Via Custom Root CA
Posted Aug 20, 2020
Authored by Nghia Van Le

This document is intended to provide detailed instructions for bypassing certificate pinning via a custom Root CA. It covers all the required topics for understanding this method.

tags | paper, root
MD5 | a7b082989a758162279f6f9571e01594
Geutebruck testaction.cgi Remote Command Execution
Posted Aug 17, 2020
Authored by Davy Douhine | Site metasploit.com

This Metasploit module exploits an authenticated arbitrary command execution vulnerability within the 'server' GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware versions 1.12.13.2 and 1.12.14.5 when the 'type' GET parameter is set to 'ntp'. Successful exploitation results in remote code execution as the root user.

tags | exploit, remote, arbitrary, cgi, root, code execution
advisories | CVE-2020-16205
MD5 | 1808f8c08c4e0f56746b33c5880b103d
Safari Webkit For iOS 7.1.2 JIT Optimization Bug
Posted Aug 14, 2020
Authored by timwr, Ian Beer, kudima, WanderingGlitch | Site metasploit.com

This Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.

tags | exploit, kernel, root, shellcode
systems | apple, iphone, ios
advisories | CVE-2016-4669, CVE-2018-4162
MD5 | 193bef4f6ec1463a50a80fcde4b59fa1
Docker Privileged Container Escape
Posted Aug 6, 2020
Authored by stealthcopter | Site metasploit.com

This Metasploit module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged.

tags | exploit, root
systems | linux
MD5 | 1119f42290936fb48ebeebd091ecf88d
Ubuntu Security Notice USN-4442-1
Posted Jul 29, 2020
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 4442-1 - Michael Kaczmarczik discovered that Sympa incorrectly handled HTTP GET/POST requests. An attacker could possibly use this issue to insert, edit or obtain sensitive information. It was discovered that Sympa incorrectly handled URL parameters. An attacker could possibly use this issue to perform XSS attacks. Nicolas Chatelain discovered that Sympa incorrectly handled environment variables. An attacker could possibly use this issue with a setuid binary and gain root privileges. Various other issues were also addressed.

tags | advisory, web, root
systems | linux, ubuntu
advisories | CVE-2018-1000550, CVE-2018-1000671, CVE-2020-10936
MD5 | 20f797199f0e729d298e107ea0ae73eb
Gentoo Linux Security Advisory 202007-31
Posted Jul 27, 2020
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202007-31 - Icinga installs files with insecure permissions allowing root privilege escalation. Versions less than 1.14.2 are affected.

tags | advisory, root
systems | linux, gentoo
advisories | CVE-2017-16882
MD5 | 83a1e114b4332561bedf53fc52e6f54a
Gentoo Linux Security Advisory 202007-25
Posted Jul 27, 2020
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202007-25 - A vulnerability was discovered in arpwatch which may allow local attackers to gain root privileges. Versions less than 2.1.15-r11 are affected.

tags | advisory, local, root
systems | linux, gentoo
MD5 | 4e7940c097f7141584f2b7f5ee8b0ee6
Oracle Solaris 11 Device Driver Utility 1.3.1 Race Condition
Posted Jul 15, 2020
Authored by Larry W. Cashdollar

Oracle Solaris 11 Device Driver Utility version 1.3.1 suffers from an insecure use of /tmp that can allow for a race condition which leads to privilege escalation. Included exploit provides a root shell.

tags | exploit, shell, root
systems | solaris
advisories | CVE-2020-14724
MD5 | 0d782daa9cfb79ed229915dc519292a7
F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution
Posted Jul 7, 2020
Authored by wvu, Mikhail Klyuchnikov | Site metasploit.com

This Metasploit module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the root user.

tags | exploit, shell, root
advisories | CVE-2020-5902
MD5 | bc9ef269b0fbd9bf35cb0c0f8d89b446
CDATA OLTs Backdoor / Privilege Escalation / Information Disclosure
Posted Jul 7, 2020
Authored by Pierre Kim

Various CDATA OLTs suffer from backdoor access with telnet, credential leaks, shell escape with root privileges, denial of service, and weak encryption algorithm vulnerabilities.

tags | exploit, denial of service, shell, root, vulnerability
MD5 | ef3e0aa364c3178ff74985235b1f0282
Mandos Encrypted File System Unattended Reboot Utility 1.8.12
Posted Jul 6, 2020
Authored by Teddy | Site fukt.bsnet.se

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

Changes: Various updates.
tags | tool, remote, root
systems | linux, unix
MD5 | 1dcf1f6b7712852fbd463df5241736b6
Ubuntu Security Notice USN-4408-1
Posted Jul 2, 2020
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 4408-1 - Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass permission prompts, or execute arbitrary code. It was discovered that when performing add-on updates, certificate chains not terminating with built-in roots were silently rejected. This could result in add-ons becoming outdated. Various other issues were also addressed.

tags | advisory, denial of service, arbitrary, root
systems | linux, ubuntu
advisories | CVE-2020-12415, CVE-2020-12419, CVE-2020-12420, CVE-2020-12421, CVE-2020-12424, CVE-2020-12425, CVE-2020-12426
MD5 | 48c7a1a12cccbc01a51fc442ac452636
Inductive Automation Ignition Remote Code Execution
Posted Jun 25, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a Java deserialization vulnerability in the Inductive Automation Ignition SCADA product, versions 8.0.0 to (and including) 8.0.7. This exploit was tested on versions 8.0.0 and 8.0.7 on both Linux and Windows. The default configuration is exploitable by an unauthenticated attacker, which can achieve remote code execution as SYSTEM on a Windows installation and root on Linux. The vulnerability was discovered and exploited at Pwn2Own Miami 2020 by the Flashback team (Pedro Ribeiro + Radek Domanski).

tags | exploit, java, remote, root, code execution
systems | linux, windows
advisories | CVE-2020-10644, CVE-2020-12004
MD5 | de6af616d3b724854268bccfee1cf557
NETGEAR R6700v3 Password Reset / Remote Code Execution
Posted Jun 25, 2020
Authored by Pedro Ribeiro, Radek Domanski | Site github.com

This document describes a stack overflow vulnerability that was found in October, 2019 and presented in the Pwn2Own Mobile 2019 competition in November 2019. The vulnerability is present in the UPNP daemon (/usr/sbin/upnpd), running on NETGEAR R6700v3 router with firmware versions V1.0.4.82_10.0.57 and V1.0.4.84_10.0.58. It allows for an unauthenticated reset of the root password and then spawns a telnetd to remotely access the account.

tags | exploit, overflow, root
MD5 | 994306f3ed8a91beb01786f127028f55
Trend Micro Web Security (Virtual Appliance) Remote Code Execution
Posted Jun 22, 2020
Authored by Mehmet Ince | Site metasploit.com

This Metasploit module exploits multiple vulnerabilities together in order to achieve a remote code execution. Unauthenticated users can execute a terminal command under the context of the root user. The specific flaw exists within the LogSettingHandler class of administrator interface software. When parsing the mount_device parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. But authentication is required to exploit this vulnerability. Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users can exploit this vulnerability in order to communicate with internal services in the product. Last but not least a flaw exists within the Apache Solr application, which is installed within the product. When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the IWSS user. Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user. Version prior to 6.5 SP2 Patch 4 (Build 1901) are affected.

tags | exploit, remote, root, vulnerability, code execution
advisories | CVE-2020-8604, CVE-2020-8605, CVE-2020-8606
MD5 | ed456cc0c792c24850deb91201642a41
Cayin CMS NTP Server 11.0 Remote Code Execution
Posted Jun 18, 2020
Authored by LiquidWorm, h00die | Site metasploit.com

This Metasploit module exploits an authenticated remote code execution vulnerability in Cayin CMS versions 11.0 and below. The code execution is executed in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so repeated requests are made to achieve a larger payload. Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the environment should be pretty set and not dynamic between targets. Results in root level access.

tags | exploit, remote, cgi, root, code execution
systems | linux, ubuntu
advisories | CVE-2020-7357
MD5 | 5b71abbf1e64c3cce0a48cc8d48f03b0
Gentoo Linux Security Advisory 202006-20
Posted Jun 16, 2020
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202006-20 - A vulnerability was discovered in Asterisk which may allow local attackers to gain root privileges. Versions less than 13.32.0-r1 are affected.

tags | advisory, local, root
systems | linux, gentoo
MD5 | 6359a22b5ff1c72d786edd0acc680db2
Cisco UCS Director Cloupia Script Remote Code Execution
Posted Jun 5, 2020
Authored by mr_me, wvu | Site metasploit.com

This Metasploit module exploits an authentication bypass and directory traversals in Cisco UCS Director versions prior to 6.7.4.0 to leak the administrator's REST API key and execute a Cloupia script containing an arbitrary root command. Note that the primary functionality of this module is to leverage the Cloupia script interpreter to execute code. This functionality is part of the application's intended operation and considered a "foreverday." The authentication bypass and directory traversals only get us there. If you already have an API key, you may set it in the API_KEY option. The LEAK_FILE option may be set if you wish to leak the API key from a different absolute path, but normally this isn't advisable. Tested on Cisco's VMware distribution of 6.7.3.0.

tags | exploit, arbitrary, root
systems | cisco
advisories | CVE-2020-3243, CVE-2020-3250
MD5 | a3283617421910d08a845659be600c53
Page 1 of 133
Back12345Next

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    1 Files
  • 20
    Sep 20th
    1 Files
  • 21
    Sep 21st
    3 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close