  • 2021 Ubuntu Overlayfs LPE
    Disclosure Date: 2021-04-12
    First seen: 2022-12-23
    This module exploits a vulnerability in Ubuntu's implementation of overlayfs. The vulnerability is the result of failing to verify the ability of a user to set the attributes in a running executable. Specifically, when Overlayfs sends the set attributes data to the underlying file system via `vfs_setxattr`, it fails to first verify the data by calling `cap_convert_nscap`. This vulnerability was patched by moving the call to `cap_convert_nscap` into the `vfs_setxattr` function that sets the attribute, forcing verification every time `vfs_setxattr` is called rather than trusting that the data was already verified.
    Authors:
    - ssd-disclosure
    - bwatters-r7
  • Overlayfs Privilege Escalation
    Disclosure Date: 2015-06-16
    First seen: 2020-04-26
    This module attempts to exploit two different CVEs related to overlayfs.
    CVE-2015-1328: Ubuntu specific ->
      3.13.0-24 (14.04 default) < 3.13.0-55
      3.16.0-25 (14.10 default) < 3.16.0-41
      3.19.0-18 (15.04 default) < 3.19.0-21
    CVE-2015-8660:
      Ubuntu: 3.19.0-18 < 3.19.0-43
              4.2.0-18 < 4.2.0-23 (14.04.1, 15.10)
      Fedora: < 4.2.8 (vulnerable, un-tested)
      Red Hat: < 3.10.0-327 (rhel 6, vulnerable, un-tested)
    Authors:
    - h00die <mike@shorebreaksecurity.com>
    - rebel
  • Apache Range Header DoS (Apache Killer)
    Disclosure Date: 2011-08-19
    First seen: 2020-04-26
    The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x through 2.2.19, allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges. The exploit is called "Apache Killer".
    Authors:
    - Kingcope
    - Masashi Fujiwara
    - Markus Neis <markus.neis@gmail.com>
  • VSFTPD 2.3.2 Denial of Service
    Disclosure Date: 2011-02-03
    First seen: 2023-09-11
    This module triggers a Denial of Service condition in the VSFTPD server in versions before 2.3.3. So far, it has been tested on 2.3.0, 2.3.1, and 2.3.2.
    Authors:
    - Nick Cottrell (Rad10Logic) <ncottrellweb@gmail.com>
    - Anna Graterol <annagraterol95@gmail.com>
    - Mana Mostaani <mana.mostaani@gmail.com>
    - Maksymilian Arciemowicz
  • Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation
    Disclosure Date: 2010-10-20
    First seen: 2020-04-26
    This module exploits a vulnerability in the `rds_page_copy_user` function in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8 to execute code as root (CVE-2010-3904). This module has been tested successfully on: Fedora 13 (i686) kernel version; and Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.
    Authors:
    - Dan Rosenberg
    - bcoles <bcoles@gmail.com>
  • Samba chain_reply Memory Corruption (Linux x86)
    Disclosure Date: 2010-06-16
    First seen: 2020-04-26
    This exploits a memory corruption vulnerability present in Samba versions prior to 3.3.13. When handling chained response packets, Samba fails to validate the offset value used when building the next part. By setting this value to a number larger than the destination buffer size, an attacker can corrupt memory. Additionally, setting this value to a value smaller than 'smb_wct' (0x24) will cause the header of the input buffer chunk to be corrupted.
    After close inspection, it appears that 3.0.x versions of Samba are not exploitable. Since they use an "InputBuffer" size of 0x20441, an attacker cannot cause memory to be corrupted in an exploitable way. It is possible to corrupt the heap header of the "InputBuffer", but it didn't seem possible to get the chunk to be processed again prior to process exit.
    In order to gain code execution, this exploit attempts to overwrite a "talloc chunk" destructor function pointer. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the nx memory protection.
    NOTE: It is possible to make exploitation attempts indefinitely since Samba forks for user sessions in the default configuration.
    Authors:
    - Jun Mao
    - jduck <jduck@metasploit.com>
  • MySQL yaSSL CertDecoder::GetName Buffer Overflow
    Disclosure Date: 2010-01-25
    First seen: 2020-04-26
    This module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier) implementation bundled with MySQL. By sending a specially crafted client certificate, an attacker can execute arbitrary code. This vulnerability is present within the CertDecoder::GetName function inside "taocrypt/src/asn.cpp". However, the stack buffer that is written to exists within a parent function's stack frame.
    NOTE: This vulnerability requires a non-default configuration. First, the attacker must be able to pass the host-based authentication. Next, the server must be configured to listen on an accessible network interface. Lastly, the server must have been manually configured to use SSL.
    The binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing on Windows XP SP3, these protections successfully prevented exploitation. Testing was also done with mysql on Ubuntu 9.04. Although the vulnerable code is present, both version 5.5.0-m2 built from source and version 5.0.75 from a binary package were not exploitable due to the use of the compiler's FORTIFY feature. Although suse11 was mentioned in the original blog post, the binary package they provide does not contain yaSSL or support SSL.
    Authors:
    - jduck <jduck@metasploit.com>
  • Linux udev Netlink Local Privilege Escalation
    Disclosure Date: 2009-04-16
    First seen: 2020-04-26
    Versions of udev < 1.4.1 do not verify that netlink messages are coming from the kernel. This allows local users to gain privileges by sending netlink messages from userland.
    Authors:
    - kcope
    - Jon Oberheide
    - egypt <egypt@metasploit.com>
  • OpenSSL DTLS ChangeCipherSpec Remote DoS
    Disclosure Date: 2000-04-26
    First seen: 2020-04-26
    This module performs a Denial of Service Attack against Datagram TLS in OpenSSL version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a ChangeCipherSpec Datagram before a ClientHello.
    Authors:
    - Jon Oberheide <jon@oberheide.org>
    - theLightCosine <theLightCosine@metasploit.com>
9 Metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit the Metasploit web site for more details.