Slackware Linux 3.4 makebootdisk temporary file Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/78/info makebootdisk creates the file /tmp/return insecurely and follows symbolic links. An attacker can create a symbolic link from /tmp/return to any file and wait for root to run the program. This will clober the targe...

Linux 3.4+ - Arbitrary write with CONFIG_X86_X32

No description provided by source. / Local root exploit for CVE-2014-0038. https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c Bug: The X86X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace. Exploit primitive: Pass a pointer to a kernel address as...

Linux 3.4+ recvmmsg x32 compat Proof of Concept

Exploit for linux platform in category dos / poc / PoC trigger for the linux 3.4+ recvmmsg x32 compat bug, based on the manpage https://code.google.com/p/chromium/issues/detail?id=338594 $ while true; do echo $RANDOM /dev/udp/127.0.0.1/1234; sleep 0.25; done / define GNUSOURCE include include...

Sandbox Escape: Linux 3.4+: arbitrary write with CONFIG_X86_X32

asmlinkage long compatsysrecvmmsgint fd, struct compatmmsghdr user mmsg, unsigned int vlen, unsigned int flags, struct compattimespec user timeout int datagrams; struct timespec ktspec; if flags & MSGCMSGCOMPAT return -EINVAL; if COMPATUSE64BITTIME return sysrecvmmsgfd, struct mmsghdr user mmsg,...