• Local Privilege Escalation in polkit's pkexec
    Disclosure Date: 2022-01-25
    First seen: 2022-12-23
    exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
    A bug exists in the polkit pkexec binary in how it processes arguments. If the binary is provided with no arguments, it will continue to process environment variables as argument variables, but without any security checking. By using the execve call we can specify a null argument list and populate the proper environment variables. This exploit is architecture independent. Authors: - Qualys Security - Andris Raugulis - Dhiraj Mishra - bwatters-r7
  • Xorg X11 Server SUID modulepath Privilege Escalation
    Disclosure Date: 2018-10-25
    First seen: 2020-04-26
    exploit/multi/local/xorg_x11_suid_server_modulepath
    This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with CentOS 7 (1708). CentOS default install will require console auth for the user's session. Xorg must have SUID permissions and may not start if running. On successful exploitation artifacts will be created consistent with starting Xorg. Authors: - Narendra Shinde - Aaron Ringo
  • Xorg X11 Server SUID logfile Privilege Escalation
    Disclosure Date: 2018-10-25
    First seen: 2020-04-26
    exploit/multi/local/xorg_x11_suid_server
    This module attempts to gain root privileges with SUID Xorg X11 server versions 1.19.0 < 1.20.3. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS and RHEL systems requires console auth for the user's session to start the Xorg server. Cron launches the payload, so if SELinux is enforcing, exploitation may still be possible, but the module will bail. Xorg must have SUID permissions and may not start if already running. On exploitation a crontab.old backup file will be created by Xorg. This module will remove the .old file and restore crontab after successful exploitation. Failed exploitation may result in a corrupted crontab. On successful exploitation artifacts will be created consistent with starting Xorg and running a cron. Authors: - Narendra Shinde - Raptor - 0xdea - Aaron Ringo - bcoles <bcoles@gmail.com>
  • Xorg X11 Server Local Privilege Escalation
    Disclosure Date: 2018-10-25
    First seen: 2020-04-26
    exploit/aix/local/xorg_x11_server
    WARNING: Successful execution of this module results in /etc/passwd being overwritten. This module is a port of the OpenBSD X11 Xorg exploit to run on AIX. A permission check flaw exists for -modulepath and -logfile options when starting Xorg. This allows unprivileged users that can start the server the ability to elevate privileges and run arbitrary code under root privileges. This module has been tested with AIX 7.1 and 7.2, and should also work with 6.1. Due to permission restrictions of the crontab in AIX, this module does not use cron, and instead overwrites /etc/passwd in order to create a new user with root privileges. All currently logged in users need to be included when /etc/passwd is overwritten, else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user. The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX, and is replaced by '-config', in conjunction with ANSI-C quotes to inject newlines when overwriting /etc/passwd. Authors: - Narendra Shinde - Zack Flack <dzflack@gmail.com>
  • Malicious Git HTTP Server For CVE-2018-17456
    Disclosure Date: 2018-10-05
    First seen: 2020-04-26
    exploit/multi/http/git_submodule_url_exec
    This module exploits CVE-2018-17456, which affects Git versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower. When a submodule url which starts with a dash, e.g. "-u./payload", is passed as an argument to git clone, the file "payload" inside the repository is executed. This module creates a fake git repository which contains a submodule containing the vulnerability. The vulnerability is triggered when the submodules are initialised (e.g. git clone --recurse-submodules URL). Authors: - timwr
  • Ghostscript Failed Restore Command Execution
    Disclosure Date: 2018-08-21
    First seen: 2020-04-26
    exploit/multi/fileformat/ghostscript_failed_restore
    This module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick. Authors: - Tavis Ormandy - wvu <wvu@metasploit.com>
  • glibc 'realpath()' Privilege Escalation
    Disclosure Date: 2018-01-16
    First seen: 2020-04-26
    exploit/linux/local/glibc_realpath_priv_esc
    This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1. Authors: - halfdog - bcoles <bcoles@gmail.com>
  • Evince CBT File Command Injection
    Disclosure Date: 2017-07-13
    First seen: 2020-04-26
    exploit/multi/fileformat/evince_cbt_cmd_injection
    This module exploits a command injection vulnerability in Evince before version 3.24.1 when opening comic book `.cbt` files. Some file manager software, such as Nautilus and Atril, may allow automatic exploitation without user interaction due to thumbnailer preview functionality. Note that limited space is available for the payload (<256 bytes). Reverse Bash and Reverse Netcat payloads should be sufficiently small. This module has been tested successfully on evince versions: 3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6; 3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04. Authors: - Felix Wilhelm - Sebastian Krahmer - Matlink - bcoles <bcoles@gmail.com>
  • Mercurial Custom hg-ssh Wrapper Remote Code Exec
    Disclosure Date: 2017-04-18
    First seen: 2020-04-26
    exploit/linux/ssh/mercurial_ssh_exec
    This module takes advantage of custom hg-ssh wrapper implementations that don't adequately validate parameters passed to the hg binary, allowing users to trigger a Python Debugger session, which allows arbitrary Python code execution. Authors: - claudijd
  • Firefox nsSMILTimeContainer::NotifyTimeChange() RCE
    Disclosure Date: 2016-11-30
    First seen: 2020-04-26
    exploit/windows/browser/firefox_smil_uaf
    This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox on Microsoft Windows. Authors: - Anonymous Gaijin - William Webb <william_webb@rapid7.com>
  • Adobe Flash opaqueBackground Use After Free
    Disclosure Date: 2015-07-06
    First seen: 2020-04-26
    exploit/multi/browser/adobe_flash_opaque_background_uaf
    This module exploits a use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as a Use After Free while handling the opaqueBackground property 7 setter of the flash.display.DisplayObject class. This module is an early release tested on: Windows XP SP3, IE8 and Flash 18.0.0.194; Windows XP SP3, IE 8 and Flash 18.0.0.203; Windows XP SP3, Firefox and Flash 18.0.0.203; Windows Vista SP2 + IE 9 and Flash 18.0.0.203; Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203; Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203; Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194; Windows 7 SP1 (32-bit), IE9 and Adobe Flash 18.0.0.203; Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194; Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194; Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203; Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.160; Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194; and Windows 10 Build 10240 (32-bit), IE11, Firefox 39.0 and Adobe Flash 18.0.0.203. Authors: - Unknown - juan vazquez <juan.vazquez@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • OpenSSL Heartbeat (Heartbleed) Information Leak
    Disclosure Date: 2014-04-07
    First seen: 2020-04-26
    auxiliary/scanner/ssl/openssl_heartbleed
    This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable. The module supports several actions, allowing for scanning, dumping of memory contents to loot, and private key recovery. The LEAK_COUNT option can be used to specify leaks per SCAN or DUMP. The repeat command can be used to make running the SCAN or DUMP many times more powerful, as in `repeat -t 60 run; sleep 2` to run every two seconds for one minute. Authors: - Neel Mehta - Riku - Antti - Matti - Jared Stafford <jspenguin@jspenguin.org> - FiloSottile - Christian Mehlmauer <FireFart@gmail.com> - wvu <wvu@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com> - Sebastiano Di Paola - Tom Sellers - jjarmoc - Ben Buchanan - herself
  • OpenSSL Heartbeat (Heartbleed) Client Memory Exposure
    Disclosure Date: 2014-04-07
    First seen: 2020-04-26
    auxiliary/server/openssl_heartbeat_client_memory
    This module provides a fake SSL service that is intended to leak memory from client systems as they connect. This module is hardcoded for using the AES-128-CBC-SHA1 cipher. Authors: - Neel Mehta - Riku - Antti - Matti - hdm <x@hdm.io>
  • Firefox WebIDL Privileged Javascript Injection
    Disclosure Date: 2014-03-17
    First seen: 2020-04-26
    exploit/multi/browser/firefox_webidl_injection
    This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs. Authors: - Marius Mlynski - joev <joev@metasploit.com>
15 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details