Metasploit modules that can be used to exploit Canonical » Ubuntu Linux » 6.06 LTS
2021 Ubuntu Overlayfs LPE
Disclosure Date: 2021-04-12
First seen: 2022-12-23
exploit/linux/local/cve_2021_3493_overlayfs
This module exploits a vulnerability in Ubuntu's implementation of overlayfs. The vulnerability is the result of failing to verify the ability of a user to set the attributes in a running executable. Specifically, when Overlayfs sends the set attributes data to the underlying file system via `vfs_setxattr`, it fails to first verify the data by calling `cap_convert_nscap`. This vulnerability was patched by moving the call to `cap_convert_nscap` into the `vfs_setxattr` function that sets the attribute, forcing verification every time `vfs_setxattr` is called rather than trusting that the data was already verified.
Authors:
- ssd-disclosure
- bwatters-r7
Overlayfs Privilege Escalation
Disclosure Date: 2015-06-16
First seen: 2020-04-26
exploit/linux/local/overlayfs_priv_esc
This module attempts to exploit two different CVEs related to overlayfs.
CVE-2015-1328 (Ubuntu specific):
- 3.13.0-24 (14.04 default) < 3.13.0-55
- 3.16.0-25 (14.10 default) < 3.16.0-41
- 3.19.0-18 (15.04 default) < 3.19.0-21
CVE-2015-8660:
- Ubuntu: 3.19.0-18 < 3.19.0-43; 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10)
- Fedora: < 4.2.8 (vulnerable, untested)
- Red Hat: < 3.10.0-327 (RHEL 6, vulnerable, untested)
Authors:
- h00die <mike@shorebreaksecurity.com>
- rebel
VSFTPD 2.3.2 Denial of Service
Disclosure Date: 2011-02-03
First seen: 2023-09-11
auxiliary/dos/ftp/vsftpd_232
This module triggers a Denial of Service condition in the VSFTPD server in versions before 2.3.3. So far, it has been tested on 2.3.0, 2.3.1, and 2.3.2.
Authors:
- Nick Cottrell (Rad10Logic) <ncottrellweb@gmail.com>
- Anna Graterol <annagraterol95@gmail.com>
- Mana Mostaani <mana.mostaani@gmail.com>
- Maksymilian Arciemowicz
Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
Disclosure Date: 2010-10-20
First seen: 2020-04-26
exploit/linux/local/rds_rds_page_copy_user_priv_esc
This module exploits a vulnerability in the `rds_page_copy_user` function in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on: Fedora 13 (i686) with kernel version 2.6.33.3-85.fc13.i686.PAE; and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.
Authors:
- Dan Rosenberg
- bcoles <bcoles@gmail.com>
Samba chain_reply Memory Corruption (Linux x86)
Disclosure Date: 2010-06-16
First seen: 2020-04-26
exploit/linux/samba/chain_reply
This module exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted. After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it did not seem possible to get the chunk processed again prior to process exit. In order to gain code execution, this exploit attempts to overwrite a "talloc chunk" destructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the NX memory protection. NOTE: It is possible to make exploitation attempts indefinitely, since Samba forks for user sessions in the default configuration.
Authors:
- Jun Mao
- jduck <jduck@metasploit.com>
MySQL yaSSL CertDecoder::GetName Buffer Overflow
Disclosure Date: 2010-01-25
First seen: 2020-04-26
exploit/linux/mysql/mysql_yassl_getname
This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists within a parent function's stack frame. NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL. The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with MySQL on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although SUSE 11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL.
Authors:
- jduck <jduck@metasploit.com>
Linux udev Netlink Local Privilege Escalation
Disclosure Date: 2009-04-16
First seen: 2020-04-26
exploit/linux/local/udev_netlink
Versions of udev < 1.4.1 do not verify that netlink messages are coming from the kernel. This allows local users to gain privileges by sending netlink messages from userland.
Authors:
- kcope
- Jon Oberheide
- egypt <egypt@metasploit.com>
MySQL yaSSL SSL Hello Message Buffer Overflow
Disclosure Date: 2008-01-04
First seen: 2020-04-26
exploit/linux/mysql/mysql_yassl_hello
This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code.
Authors:
- MC <mc@metasploit.com>
MySQL yaSSL SSL Hello Message Buffer Overflow
Disclosure Date: 2008-01-04
First seen: 2020-04-26
exploit/windows/mysql/mysql_yassl_hello
This module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier) implementation bundled with MySQL <= 6.0. By sending a specially crafted Hello packet, an attacker may be able to execute arbitrary code.
Authors:
- MC <mc@metasploit.com>
Apache Module mod_rewrite LDAP Protocol Buffer Overflow
Disclosure Date: 2006-07-28
First seen: 2020-04-26
exploit/windows/http/apache_mod_rewrite_ldap
This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms; however, this module currently only supports Windows-based installations.
Authors:
- aushack <patrick@osisecurity.com.au>
OpenSSL DTLS ChangeCipherSpec Remote DoS
Disclosure Date: 2000-04-26
First seen: 2020-04-26
auxiliary/dos/ssl/dtls_changecipherspec
This module performs a Denial of Service attack against Datagram TLS in OpenSSL version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a ChangeCipherSpec datagram before a ClientHello.
Authors:
- Jon Oberheide <jon@oberheide.org>
- theLightCosine <theLightCosine@metasploit.com>
11 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.