exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 76 - 100 of 3,617 RSS Feed

Root Files

CentOS Stream 9 Missing Kernel Security Fix
Posted Apr 18, 2023
Authored by Jann Horn, Google Security Research

CentOS Stream 9 has a missing kernel security fix for a tun double-free amongst other missing fixes. Included is a local root exploit to demonstrate the issue.

tags | exploit, kernel, local, root
systems | linux, centos
advisories | CVE-2022-4744, CVE-2023-1249
SHA-256 | ff7d7021860395c29340e572b9c37574d2458d361ce7c71f08cc837f0834b69e
Rocket Software Unidata udadmin_server Authentication Bypass
Posted Apr 12, 2023
Authored by Ron Bowes | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server. This affects versions of UniData prior to 8.2.4 build 3003. This service typically runs as root. It accepts a username of ":local:" and a password in the form of "<username>:<uid>:<gid>", where username and uid must be a valid account, but gid can be anything except 0. This exploit takes advantage of this login account to authenticate as a chosen user and run an arbitrary command (using the built-in OsCommand message).

tags | exploit, arbitrary, local, root, bypass
systems | linux
advisories | CVE-2023-28503
SHA-256 | a072b9a39317b3843159b4f19550be453c524b06398e48145609bb5afa1a4475
Rocket Software Unidata 8.2.4 Build 3003 Buffer Overflow
Posted Apr 12, 2023
Authored by Ron Bowes | Site metasploit.com

This Metasploit module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server, which runs as root. This vulnerability affects UniData versions 8.2.4 build 3003 and earlier (for Linux), but this module specifically targets UniData version 8.2.4 build 3001. Other versions will crash the forked process, but will not otherwise affect the RPC server. The username and password fields are copied to a stack-based buffer using a function that's equivalent to strcpy() (ie, has no bounds checking). Additionally, the password field is encoded in such a way that we can include NUL bytes.

tags | exploit, root, bypass
systems | linux
advisories | CVE-2023-28502
SHA-256 | 573fc6e16c91d795c9424c33a9909a1277e50ad02e08eb5886ceb1a2e2610251
HospitalRun 1.0.0-beta macOS Local Root
Posted Apr 6, 2023
Authored by Jean Pereira

HospitalRun version 1.0.0-beta local root exploit for macOS.

tags | exploit, local, root
SHA-256 | 5974878a49f1ebd87d13c459e69f6e25119f1ca212ec3fb8f6659b619d908c93
NetIQ / Microfocus Performance Endpoint 5.1 Remote Root / SYSTEM
Posted Apr 3, 2023
Authored by mu-b

NetIQ / Microfocus Performance Endpoint version 5.1 remote root / SYSTEM exploit.

tags | exploit, remote, root
SHA-256 | 1873ef6c5bd20ce923c52c185d0a39c62eea316da4d00135a50a4dbc42367c9e
Debian Security Advisory 5380-1
Posted Mar 30, 2023
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5380-1 - Jan-Niklas Sohn discovered that a user-after-free flaw in the Composite extension of the X.org X server may result in privilege escalation if the X server is running under the root user.

tags | advisory, root
systems | linux, debian
advisories | CVE-2023-1393
SHA-256 | 013d8199c96a3b7dd39b9bfe5fe4ea2bc5461ae2364515cecde74828ad3a6eb2
Outline 1.6.0 Unquoted Service Path
Posted Mar 30, 2023
Authored by Karsten Konig, Milad Karimi

Outline version 1.6.0 suffers from an unquoted service path vulnerability.

tags | exploit, local, root
systems | freebsd, bsd
SHA-256 | c7fdf86fb00365bd53d570e0ff758cfd8ba014d2dce9b75b8d6db96e15e882ee
Human Resource Management System 1.0 SQL Injection
Posted Mar 30, 2023
Authored by Karsten Konig, Matthijs Van der Vaart

Human Resource Management System version 1.0 suffers from an unauthenticated remote SQL injection vulnerability.

tags | exploit, local, root, vulnerability
systems | freebsd, bsd
SHA-256 | 4f80b588a513bbcbb3b08d9782eb8b87aa9be2291590ff110ec8d9d5b3b889e5
Optergy Proton And Enterprise BMS 2.0.3a Command Injection
Posted Mar 28, 2023
Authored by h00die-gr3y, Gjoko Krstic | Site metasploit.com

This Metasploit module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications. Versions 2.0.3a and below are vulnerable. Attackers can exploit this issue by directly navigating to an undocumented backdoor script called Console.jsp in the tools directory and gain full system access. Successful exploitation results in root command execution using sudo as user optergy.

tags | exploit, root
advisories | CVE-2019-7276
SHA-256 | 33babb5810832b13a94e71c123fd7427e2dfe9cd4f92a96b062b362c7592affd
Ubuntu Security Notice USN-5966-2
Posted Mar 24, 2023
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 5966-2 - USN-5966-1 fixed vulnerabilities in amanda. Unfortunately it introduced a regression in GNUTAR-based backups. This update reverts all of the changes in amanda until a better fix is provided. Maher Azzouzi discovered an information disclosure vulnerability in the calcsize binary within amanda. calcsize is a suid binary owned by root that could possibly be used by a malicious local attacker to expose sensitive file system information.

tags | advisory, local, root, vulnerability, info disclosure
systems | linux, ubuntu
advisories | CVE-2022-37703, CVE-2022-37704, CVE-2022-37705
SHA-256 | 4749f55afc6287a649f39b41a2552f3b688b77959973ae84bd337045e4dad07f
Ubuntu Security Notice USN-5966-1
Posted Mar 23, 2023
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 5966-1 - Maher Azzouzi discovered an information disclosure vulnerability in the calcsize binary within amanda. calcsize is a suid binary owned by root that could possibly be used by a malicious local attacker to expose sensitive file system information. Maher Azzouzi discovered a privilege escalation vulnerability in the rundump binary within amanda. rundump is a suid binary owned by root that did not perform adequate sanitization of environment variables or commandline options and could possibly be used by a malicious local attacker to escalate privileges.

tags | advisory, local, root, info disclosure
systems | linux, ubuntu
advisories | CVE-2022-37703, CVE-2022-37704, CVE-2022-37705
SHA-256 | 2580ab51db5f3bf0e05ef50995b026255510f6945bca4387cdd8ab8d58501893
Zyxel Unauthenticated LAN Remote Code Execution
Posted Mar 22, 2023
Authored by Stefan Viehboeck, T. Weber, Gerhard Hechenberger, Steffen Robertz | Site metasploit.com

This Metasploit module exploits a buffer overflow in the zhttpd binary (/bin/zhttpd). It is present on more than 40 Zyxel routers and CPE devices. The code execution vulnerability can only be exploited by an attacker if the zhttp webserver is reachable. No authentication is required. After exploitation, an attacker will be able to execute any command as root, including downloading and executing a binary from another host.

tags | exploit, overflow, root, code execution
SHA-256 | fc9419af3871336277cafde42125966d876812e4e57c8b48da3a83050219381f
XNU NFSSVC Root Check Bypass / Use-After-Free
Posted Mar 16, 2023
Authored by Google Security Research, nedwill

XNU NFSSVC suffers from root check bypass and use-after-free vulnerabilities due to insufficient locking in upcall worker threads.

tags | exploit, root, vulnerability
advisories | CVE-2023-23514
SHA-256 | dd5db6e40185f5ad1603a814730e94b92ca2cfb3086268f82937050b80986d44
Fortinet FortiNAC keyUpload.jsp Arbitrary File Write
Posted Mar 15, 2023
Authored by jheysel-r7, Zach Hanley, Gwendal Guegniaud | Site metasploit.com

This Metasploit module uploads a payload to the /tmp directory in addition to a cron job to /etc/cron.d which executes the payload in the context of the root user. The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which is accessible remotely and without authentication. When you send the vulnerable endpoint a ZIP file, it will extract an attacker controlled file to a directory of the attackers choice on the target system. This issue is exploitable on FortiNAC versions 9.4 prior to 9.4.1, FortiNAC versions 9.2 prior to 9.2.6, FortiNAC versions 9.1 prior to 9.1.8, all versions of FortiNAC 8.8, all versions of FortiNAC 8.7, all versions of FortiNAC 8.6, all versions of FortiNAC 8.5, and all versions of FortiNAC 8.3.

tags | exploit, arbitrary, root
advisories | CVE-2022-39952
SHA-256 | b72056fdc9840a37268bab3325c1941ddb0082c5918cf14fec39001b268b461d
CoreDial sipXcom sipXopenfire 21.04 Remote Command Execution / Weak Permissions
Posted Mar 7, 2023
Authored by Systems Research Group

CoreDial sipXcom sipXopenfire versions 21.04 and below suffer from XMPP message system command argument injection and insecure service file permissions that when chained together gives root.

tags | exploit, root
advisories | CVE-2023-25355, CVE-2023-25356
SHA-256 | b306297e359b80aaed39f16e6cdc8e7a70a93aff1cb4084d52e8dfcfadc31596
Lucee Authenticated Scheduled Job Code Execution
Posted Mar 2, 2023
Authored by Alexander Philiotis | Site metasploit.com

This Metasploit module can be used to execute a payload on Lucee servers that have an exposed administrative web interface. It's possible for an administrator to create a scheduled job that queries a remote ColdFusion file, which is then downloaded and executed when accessed. The payload is uploaded as a cfm file when queried by the target server. When executed, the payload will run as the user specified during the Lucee installation. On Windows, this is a service account; on Linux, it is either the root user or lucee.

tags | exploit, remote, web, root
systems | linux, windows
SHA-256 | 79602ec0e4fd423056fa80073c3578efbd79976ee050388452b17b67fd38c488
ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root
Posted Feb 27, 2023
Authored by d1g

ASUS ASMB8 iKVM firmware versions 1.14.51 and below suffers from a flaw where SNMPv2 can be used with write access to introduce arbitrary extensions to achieve remote code execution as root. The researchers also discovered a hardcoded administrative account.

tags | exploit, remote, arbitrary, root, code execution
advisories | CVE-2023-26602
SHA-256 | a23c3b2021225bfb676a55bbdeafbcf1689dc045c5b50ecbfacebfc7ffe2014b
ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution
Posted Feb 27, 2023
Authored by d1g

ABUS Security Camera version TVIP 20000-21150 suffers from local file inclusion, hardcoded credential, and command injection vulnerabilities. When coupled together, they can be leveraged to achieve remote access as root via ssh.

tags | exploit, remote, local, root, vulnerability, file inclusion
advisories | CVE-2023-26609
SHA-256 | 92decaa3308d461393dc637c13861ced7bcb4cd43a2c333235f9835ee562ecb9
Mandos Encrypted File System Unattended Reboot Utility 1.8.16
Posted Feb 8, 2023
Authored by Teddy | Site fukt.bsnet.se

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

Changes: Server related bug fix to start client checkers after a random delay.
tags | tool, remote, root
systems | linux, unix
SHA-256 | e301007184eafc99517bdaa09f3c8d3f42027b9aae335158f14cfcee60bfe108
Debian Security Advisory 5342-1
Posted Feb 7, 2023
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5342-1 - Jan-Niklas Sohn discovered that a user-after-free flaw in the X Input extension of the X.org X server may result in privilege escalation if the X server is running under the root user.

tags | advisory, root
systems | linux, debian
advisories | CVE-2023-0494
SHA-256 | d9cd986f6b68c068a98e8f263690e16240a4bad3bcee76be602630f0b4931e29
Apache Tomcat On Ubuntu Log Init Privilege Escalation
Posted Feb 6, 2023
Authored by h00die, Dawid Golunski | Site metasploit.com

This Metasploit module targets a vulnerability in Tomcat versions 6, 7, and 8 on Debian-based distributions where these older versions provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account to escalate their privileges from the tomcat user to root and fully compromise the target system.

tags | exploit, local, root
systems | linux, debian
advisories | CVE-2016-1240
SHA-256 | 0ac41921eb75c8008e9f94786db836a9f76e614d54c6925c606eecf1de5fb188
F5 Big-IP Create Administrative User
Posted Feb 3, 2023
Authored by Ron Bowes | Site metasploit.com

This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways.

tags | exploit, local, root, vulnerability
advisories | CVE-2022-41622, CVE-2022-41800
SHA-256 | ec59a3d52e4d78cf9bacb372140fcd5f2f2c8928aed87fa348ad1aed6d0bcde0
io_uring Same Type Object Reuse Privilege Escalation
Posted Feb 1, 2023
Authored by h00die, Mathias Krause, Ryota Shiga | Site metasploit.com

This Metasploit module exploits a bug in io_uring leading to an additional put_cred() that can be exploited to hijack credentials of other processes. This exploit will spawn SUID programs to get the freed cred object reallocated by a privileged process and abuse them to create a SUID root binary that will pop a shell. The dangling cred pointer will, however, lead to a kernel panic as soon as the task terminates and its credentials are destroyed. We therefore detach from the controlling terminal, block all signals and rest in silence until the system shuts down and we get killed hard, just to cry in vain, seeing the kernel collapse. The bug affected kernels from v5.12-rc3 to v5.14-rc7. More than 1 CPU is required for exploitation. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.

tags | exploit, shell, kernel, root
systems | linux, ubuntu
advisories | CVE-2022-1043
SHA-256 | ddab5b3975fc82e2a23c5e4e05a57af4893abfbc613df02d507c1013c62dc088
vmwgfx Driver File Descriptor Handling Privilege Escalation
Posted Feb 1, 2023
Authored by h00die, Mathias Krause | Site metasploit.com

If the vmwgfx driver fails to copy the fence_rep object to userland, it tries to recover by deallocating the (already populated) file descriptor. This is wrong, as the fd gets released via put_unused_fd() which shouldn't be used, as the fd table slot was already populated via the previous call to fd_install(). This leaves userland with a valid fd table entry pointing to a freed file object. The authors use this bug to overwrite a SUID binary with their payload and gain root. Linux kernel versions 4.14-rc1 - 5.17-rc1 are vulnerable. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.

tags | exploit, kernel, root
systems | linux, ubuntu
advisories | CVE-2022-22942
SHA-256 | 6360a81de99a383330c5955ece5414f2f3b254143f1a5b9246e669769aa929fc
Control Web Panel Unauthenticated Remote Command Execution
Posted Jan 31, 2023
Authored by Spencer McIntyre, numan turle | Site metasploit.com

Control Web Panel versions prior to 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running.

tags | exploit, web, root, code execution
advisories | CVE-2022-44877
SHA-256 | 00cb85e5ab25f2d5091aa8c72d9d5252d08919dce9dbd37743bea7469e5dbc51
Page 4 of 145
Back23456Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close