Metasploit modules that can be used to exploit Redhat products
ABRT raceabrt Privilege Escalation
Disclosure Date: 2015-04-14
First seen: 2020-04-26
Module: exploit/linux/local/abrt_raceabrt_priv_esc
This module attempts to gain root privileges on Linux systems with a vulnerable version of the Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change the ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race can take a few minutes. This module has been tested successfully on:
- abrt 2.1.11-12.el7 on RHEL 7.0 x86_64
- abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64
- abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64
- abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64
- abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64
Authors:
- Tavis Ormandy
- bcoles <bcoles@gmail.com>

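The module above leaves two artefacts a responder can look for: `/etc/passwd` is no longer owned by root, and an extra UID 0 / GID 0 account appears in it. The Ruby below is an added detection example, not code from the Metasploit module or from ABRT; the passwd content and the account name `backdoor` are constructed sample data, and the ownership check takes the numeric uid/gid/mode as arguments so it runs without touching the real file.

```ruby
# Added example (not part of the Metasploit module): detect the traces the
# abrt_raceabrt_priv_esc technique leaves in /etc/passwd.

PasswdEntry = Struct.new(:name, :uid, :gid, :shell)

# Parse passwd(5) lines: name:password:UID:GID:GECOS:directory:shell.
# Blank lines, comments and malformed lines are skipped.
def parse_passwd(text)
  text.each_line.map do |line|
    line = line.chomp
    next if line.empty? || line.start_with?('#')
    fields = line.split(':', -1)
    next unless fields.size == 7
    PasswdEntry.new(fields[0], Integer(fields[2], 10), Integer(fields[3], 10), fields[6])
  end.compact
end

# Any UID 0 account other than root is a superuser backdoor, which is exactly
# what the module adds once it owns /etc/passwd.
def rogue_superusers(text)
  parse_passwd(text).select { |e| e.uid.zero? && e.name != 'root' }
end

# /etc/passwd must remain owned by root:root and must not be group- or
# world-writable; the module's symlink race flips the owner to the local user.
# Pass the values from File.stat('/etc/passwd') (uid, gid, mode) on a real host.
def passwd_ownership_ok?(uid:, gid:, mode:)
  uid.zero? && gid.zero? && (mode & 0o022).zero?
end

# Constructed sample input, not captured from a real system.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  alice:x:1000:1000:Alice:/home/alice:/bin/bash
  abrt:x:173:173::/etc/abrt:/sbin/nologin
  backdoor:x:0:0::/:/bin/bash
PASSWD

if __FILE__ == $0
  rogue_superusers(SAMPLE_PASSWD).each { |e| puts "UID 0 account: #{e.name} (#{e.shell})" }
  puts "ownership ok? #{passwd_ownership_ok?(uid: 1000, gid: 0, mode: 0o100644)}"
end
```

On a live host, feed `File.read('/etc/passwd')` to `rogue_superusers` and the fields of `File.stat('/etc/passwd')` to `passwd_ownership_ok?`; either check failing after an ABRT crash on an unpatched box is a strong signal.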
Exim GHOST (glibc gethostbyname) Buffer Overflow
Disclosure Date: 2015-01-27
First seen: 2020-04-26
Module: exploit/linux/smtp/exim_gethostbyname_bof
This module remotely exploits CVE-2015-0235, aka GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions on x86 and x86_64 GNU/Linux systems that run the Exim mail server.
Authors:
- Unknown

WildFly Directory Traversal
Disclosure Date: 2014-10-22
First seen: 2020-04-26
Module: auxiliary/scanner/http/wildfly_traversal
This module exploits a directory traversal vulnerability in JBoss Undertow, the web server in WildFly 8.1.0.Final, running on port 8080. The vulnerability only affects Windows systems.
Authors:
- Roberto Soares Espreto <robertoespreto@gmail.com>

SSL/TLS Version Detection
Disclosure Date: 2014-10-14
First seen: 2022-12-23
Module: auxiliary/scanner/ssl/ssl_version
Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
Authors:
- todb <todb@metasploit.com>
- et <et@metasploit.com>
- Chris John Riley
- Veit Hailperin <hailperv@gmail.com>
- h00die

OpenSSL Server-Side ChangeCipherSpec Injection Scanner
Disclosure Date: 2014-06-05
First seen: 2020-04-26
Module: auxiliary/scanner/ssl/openssl_ccs
This module checks for the OpenSSL ChangeCipherSpec (CCS) Injection vulnerability. The problem exists in the handling of early CCS messages during session negotiation. Vulnerable installations of OpenSSL accept them, while patched versions do not. If successful, an attacker can leverage this vulnerability to perform a man-in-the-middle (MITM) attack by downgrading the cipher spec between a client and server. This issue was first reported in early June 2014.
Authors:
- Masashi Kikuchi
- Craig Young <CYoung@tripwire.com>
- juan vazquez <juan.vazquez@metasploit.com>

Android 'Towelroot' Futex Requeue Kernel Exploit
Disclosure Date: 2014-05-03
First seen: 2020-04-26
Module: exploit/android/local/futex_requeue
This module exploits a bug in futex_requeue in the Linux kernel, using similar techniques to those employed by the towelroot exploit. Any Android device with a kernel built before June 2014 is likely to be vulnerable.
Authors:
- Pinkie Pie
- geohot
- timwr

OpenSSL Heartbeat (Heartbleed) Information Leak
Disclosure Date: 2014-04-07
First seen: 2020-04-26
Module: auxiliary/scanner/ssl/openssl_heartbleed
This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable. The module supports several actions, allowing for scanning, dumping of memory contents to loot, and private key recovery. The LEAK_COUNT option can be used to specify leaks per SCAN or DUMP. The repeat command can be used to run SCAN or DUMP many times, which makes the attack considerably more powerful; for example, `repeat -t 60 run; sleep 2` runs it every two seconds for one minute.
Authors:
- Neel Mehta
- Riku
- Antti
- Matti
- Jared Stafford <jspenguin@jspenguin.org>
- FiloSottile
- Christian Mehlmauer <FireFart@gmail.com>
- wvu <wvu@metasploit.com>
- juan vazquez <juan.vazquez@metasploit.com>
- Sebastiano Di Paola
- Tom Sellers
- jjarmoc
- Ben Buchanan
- herself

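The "fake length" in the description above is the payload_length field of a TLS heartbeat message (RFC 6520: type, 2-byte payload_length, payload, at least 16 bytes of padding). The Ruby below is an added illustration, not code from the Metasploit module or from OpenSSL: it models a responder that trusts the claimed length beside one that applies the bounds check from the fix, with a constructed byte string standing in for the process heap. Function names and the sample "heap" content are assumptions for the example.

```ruby
# Added example (not Metasploit or OpenSSL code): the length-trusting bug
# behind Heartbleed, modelled on a byte string instead of a live TLS socket.

HB_REQUEST  = 1
HB_RESPONSE = 2
MIN_PADDING = 16

# Build a heartbeat request. +claimed_len+ lets the sender lie about the
# payload length, which is what the scanner module does.
def build_heartbeat(payload, claimed_len = payload.bytesize)
  [HB_REQUEST, claimed_len].pack('Cn') + payload + ("\x00" * MIN_PADDING)
end

# Vulnerable responder. +process_memory+ is a constructed stand-in for the
# heap that happens to follow the received record. The response copies
# payload_length bytes starting at the payload, however many were received.
def vulnerable_heartbeat_response(request, process_memory)
  type, payload_length = request.unpack('Cn')
  return nil unless type == HB_REQUEST
  memory  = request + process_memory            # record sits in front of other heap data
  payload = memory.byteslice(3, payload_length) # over-read past the end of the record
  [HB_RESPONSE, payload_length].pack('Cn') + payload + ("\x00" * MIN_PADDING)
end

# Fixed responder: discard any message whose claimed payload plus header and
# minimum padding does not fit in the bytes actually received (RFC 6520 and
# the OpenSSL 1.0.1g check).
def safe_heartbeat_response(request, process_memory)
  type, payload_length = request.unpack('Cn')
  return nil unless type == HB_REQUEST
  return nil if 1 + 2 + payload_length + MIN_PADDING > request.bytesize
  payload = request.byteslice(3, payload_length)
  [HB_RESPONSE, payload_length].pack('Cn') + payload + ("\x00" * MIN_PADDING)
end

# Bytes echoed back beyond what the client actually sent: the leak.
def leaked_bytes(response, sent_payload)
  return '' if response.nil?
  _type, len = response.unpack('Cn')
  response.byteslice(3, len).byteslice(sent_payload.bytesize..-1)
end

if __FILE__ == $0
  heap = '--------session=hunter2' + ('x' * 200)   # constructed, not real memory
  lying = build_heartbeat('hi', 100)               # 2 real bytes, claims 100
  leak = leaked_bytes(vulnerable_heartbeat_response(lying, heap), 'hi')
  puts "vulnerable responder leaked #{leak.bytesize} bytes: #{leak.inspect}"
  puts "fixed responder reply: #{safe_heartbeat_response(lying, heap).inspect}"
end
```

The check in `safe_heartbeat_response` is the whole fix: the declared length is validated against the record length before anything is copied, so a lying request is dropped silently instead of answered with heap contents.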
OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
Disclosure Date: 2014-04-07
First seen: 2020-04-26
Module: auxiliary/server/openssl_heartbeat_client_memory
This module provides a fake SSL service that is intended to leak memory from client systems as they connect. This module is hardcoded to use the AES-128-CBC-SHA1 cipher.
Authors:
- Neel Mehta
- Riku
- Antti
- Matti
- hdm <x@hdm.io>

Katello (Red Hat Satellite) users/update_roles Missing Authorization
Disclosure Date: 2014-03-24
First seen: 2020-04-26
Module: auxiliary/admin/http/katello_satellite_priv_esc
This module exploits a missing authorization vulnerability in the "update_roles" action of the "users" controller of Katello and Red Hat Satellite (Katello 1.5.0-14 and earlier) by changing the specified account to an administrator account.
Authors:
- Ramon de C Valle <rcvalle@metasploit.com>

Firefox WebIDL Privileged Javascript Injection
Disclosure Date: 2014-03-17
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_webidl_injection
This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs.
Authors:
- Marius Mlynski
- joev <joev@metasploit.com>

Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection
Disclosure Date: 2013-11-12
First seen: 2020-04-26
Module: auxiliary/admin/http/cfme_manageiq_evm_pass_reset
This module exploits a SQL injection vulnerability in the "explorer" action of the "miq_policy" controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier) by changing the password of the target account to the specified password.
Authors:
- Ramon de C Valle <rcvalle@metasploit.com>

Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal
Disclosure Date: 2013-09-04
First seen: 2020-04-26
Module: exploit/linux/http/cfme_manageiq_evm_upload_exec
This module exploits a path traversal vulnerability in the "linuxpkgs" action of the "agent" controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier). It uploads a fake controller to the controllers directory of the Rails application with the encoded payload as an action and sends a request to this action to execute the payload. Optionally, it can also upload a routing file containing a route to the action. (This is not necessary, since the application already contains a general default route.)
Authors:
- Ramon de C Valle <rcvalle@metasploit.com>

Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment
Disclosure Date: 2013-06-06
First seen: 2020-04-26
Module: auxiliary/admin/http/foreman_openstack_satellite_priv_esc
This module exploits a mass assignment vulnerability in the 'create' action of the 'users' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator account. For this exploit to work, your account must have the 'create_users' permission (e.g., the Manager role).
Authors:
- Ramon de C Valle <rcvalle@metasploit.com>

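Mass assignment, as in the users/create finding above, is a Rails-era bug class in which every key of the request body is copied onto the model, so a caller who may create ordinary users can also set the admin flag. The Ruby below is an added illustration in plain Ruby, not Foreman's code and not the Metasploit module: the `User` class, the permitted-attribute list and the request parameters are constructed for the example, and the fix shown is a generic assignable-attribute whitelist rather than a claim about the patch Foreman shipped.

```ruby
# Added example (not Foreman or Metasploit code): the mass-assignment pattern
# behind a "create user as admin" finding, vulnerable form beside a fixed form.

class User
  attr_accessor :login, :mail, :admin

  def initialize
    @admin = false # the default a normal caller is supposed to get
  end
end

# Vulnerable: any attribute with a setter can be driven from the request body,
# including admin=, so a caller allowed to create users can create administrators.
def create_user_vulnerable(params)
  user = User.new
  params.each do |key, value|
    setter = "#{key}="
    user.public_send(setter, value) if user.respond_to?(setter)
  end
  user
end

# Attributes a request may set; admin is deliberately absent.
PERMITTED = %w[login mail].freeze

# Fixed: only whitelisted keys are copied; everything else is silently dropped,
# which is the behaviour of a Rails attr_accessible list or strong parameters.
def create_user_safe(params)
  user = User.new
  params.each do |key, value|
    next unless PERMITTED.include?(key.to_s)
    user.public_send("#{key}=", value)
  end
  user
end

# Constructed request body (what a parsed form/JSON body would look like), not real traffic.
ATTACK_PARAMS = { 'login' => 'eve', 'mail' => 'eve@example.com', 'admin' => true }.freeze

if __FILE__ == $0
  puts "vulnerable: admin=#{create_user_vulnerable(ATTACK_PARAMS).admin}"
  puts "fixed:      admin=#{create_user_safe(ATTACK_PARAMS).admin}"
end
```

The same whitelist discipline is the check to look for when reviewing any controller that builds a model from request parameters: an explicit list of settable fields, with privilege flags left off it.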
Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection
Disclosure Date: 2013-06-06
First seen: 2020-04-26
Module: exploit/linux/http/foreman_openstack_satellite_code_exec
This module exploits a code injection vulnerability in the 'create' action of the 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).
Authors:
- Ramon de C Valle <rcvalle@metasploit.com>

MongoDB nativeHelper.apply Remote Code Execution
Disclosure Date: 2013-03-24
First seen: 2020-04-26
Module: exploit/linux/misc/mongod_native_helper
This module exploits the nativeHelper feature of SpiderMonkey, which allows remote code execution when called with specially crafted arguments. This module has been tested successfully on MongoDB 2.2.3 on Ubuntu 10.04 and Debian Squeeze.
Authors:
- agix

Firefox XMLSerializer Use After Free
Disclosure Date: 2013-01-08
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_firefox_xmlserializer
This module exploits a vulnerability in Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.
Authors:
- regenrecht
- juan vazquez <juan.vazquez@metasploit.com>

Firefox 17.0.1 Flash Privileged Code Injection
Disclosure Date: 2013-01-08
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_svg_plugin
This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if POSIX), and then execute it. Note: Flash is used here to trigger the exploit, but any Firefox plugin with script access should be able to trigger it.
Authors:
- Marius Mlynski
- joev <joev@metasploit.com>
- sinn3r <sinn3r@metasploit.com>

Java 7 Applet Remote Code Execution
Disclosure Date: 2012-08-26
First seen: 2020-04-26
Module: exploit/multi/browser/java_jre17_exec
The exploit takes advantage of two issues in JDK 7: ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName from JDK 6. It allows untrusted code to obtain a reference to, and access, a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that's not always the case in JDK 6) in order to access Statement.acc's private field, modify the AccessControlContext, and then disable the Security Manager. Once the Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.
Authors:
- Adam Gowdiak
- James Forshaw
- jduck <jduck@metasploit.com>
- sinn3r <sinn3r@metasploit.com>
- juan vazquez <juan.vazquez@metasploit.com>

Please note: Metasploit modules are only matched to products by CVE number.
Visit the Metasploit web site for more details.