This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This Metasploit module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This Metasploit module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1.
fdde72feb2388aee3f2e93395c3c6363This Metasploit module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under the Current User hive, and inserting a custom command that will get invoked when any binary (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking. When we run slui.exe with changed Registry key (HKCU:\Software\Classes\exefile\shell\open\command), it will run our custom command as Admin instead of slui.exe. The module modifies the registry in order for this exploit to work. The modification is reverted once the exploitation attempt has finished. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting the payload in a different process.
cbaf903a1f48babbbfdd55bd95607ccfNUUO NVRmini2 and NVRsolo suffer from a remote shell upload vulnerability.
bdc03f1cb1c4e45f65f4b6a879ef92ceWchat Fully Responsive PHP AJAX Chat Script version 1.5 suffers from a remote shell upload vulnerability.
ef20a197f0eb75efb49439e9806f82c9PHP Login and User Management versions 4.1.0 and below suffers from a remote shell upload vulnerability.
bd0631b0840255f200ab219736fbbaaaLikeSoftware CMS suffers from cross site request forgery and remote shell upload vulnerabilities.
fc933e734ee2c898fee0a9fe9c673698Easy File Uploader version 1.7 suffers from a remote shell upload vulnerability.
72afb65d3fa31008dd700ca8653852f9WordPress Peugeot Music plugin version 1.0 suffers from cross site request forgery and remote shell upload vulnerabilities.
977bc38dbf076cea5680909d6b0fd85c101 bytes small Linux/x86 reverse TCP shell shellcode that connects to 10.0.7.17:4444.
6eeac0567a3fef4c667bd7ed8a53c0af68 bytes small Linux/x86 reverse TCP shell shellcode.
992c716611405f56f700612608127eadMonstra CMS version 3.0.4 suffers from a shell upload remote code execution vulnerability.
0525bf838887d360c20e311c2ea4a50996 bytes small Linux/x86 reverse TCP shell shellcode that connects to 127.0.0.1:4444.
595d776824a93f7666b99a23897c290eProjectPier versions 0.8.8 and below suffer from remote file inclusion, authentication bypass, remote shell upload, and remote SQL injection vulnerabilities.
981d011a590304ccd6de6e3510500b73Whitepaper titled Linux Restricted Shell Bypass Guide.
d27133695ec11bcee5f1145b62e7f195Red Hat Security Advisory 2018-1195-01 - Chromium is an open-source web browser, powered by WebKit. This update upgrades Chromium to version 66.0.3359.117. Issues addressed include buffer overflow, bypass, remote shell upload, and use-after-free vulnerabilities.
1f2281c68c5837e3f5afd511d38bf5daThis Metasploit module exploits an authentication bypass vulnerability in the infosvr service running on UDP port 9999 on various ASUS routers to execute arbitrary commands as root. This Metasploit module launches the BusyBox Telnet daemon on the port specified in the TelnetPort option to gain an interactive remote shell. This Metasploit module was tested successfully on an ASUS RT-N12E with firmware version 2.0.0.35. Numerous ASUS models are reportedly affected, but untested.
0b841685aaa09cefb0a9621293d64a94Digital Guardian Management Console version 7.1.2.0015 suffers from a shell upload vulnerability that allows for remote code execution.
8bc838600cd56915e5e0d27198d67ab7Debian Linux Security Advisory 4167-1 - A buffer-overflow vulnerability was discovered in Sharutils, a set of utilities handle Shell Archives. An attacker with control on the input of the unshar command, could crash the application or execute arbitrary code in the its context.
f45edf0e1ca9bff52faa495942d41a56Debian Linux Security Advisory 4149-1 - Charles Duffy discovered that the Commandline class in the utilities for the Plexus framework performs insufficient quoting of double-encoded strings, which could result in the execution of arbitrary shell commands.
a87c86c6e125862540db4cdd0f7ccf12Debian Linux Security Advisory 4146-1 - Charles Duffy discovered that the Commandline class in the utilities for the Plexus framework performs insufficient quoting of double-encoded strings, which could result in the execution of arbitrary shell commands.
2c815b04a5e19aa066ea2366b9c74efcVehicle Sales Management System suffers from cross site scripting, shell upload, and remote SQL injection vulnerabilities.
7d59495ebc82f63f150cf2a13a37aed8Gentoo Linux Security Advisory 201803-4 - A vulnerability in Newsbeuter may allow remote attackers to execute arbitrary shell commands. Versions less than or equal to 2.9-r3 are affected.
13f887fee8686b564e52d56a034342e4Debian Linux Security Advisory 4134-1 - Bjorn Bosselmann discovered that the umount bash completion from util-linux does not properly handle embedded shell commands in a mountpoint name. An attacker with rights to mount filesystems can take advantage of this flaw for privilege escalation if a user (in particular root) is tricked into using the umount completion while a specially crafted mount is present.
739295b248b871432986dbfe7125e245This Metasploit module sends a magic packet to a NETGEAR device to enable telnetd. Upon successful connect, a root shell should be presented to the user.
a7246c6e4e3c5142a9103cda8aa6e9d7Joomla! Proclaim component version 9.1.1 suffers from a remote shell upload vulnerability.
e4b3f4730e22f3b7318737ee5628509e
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed