279 matches found
Linux Kernel - 'BadIRET' Local Privilege Escalation
CVE-2014-9322 PoC for Linux kernel CVE-2014-9322 a.k.a BadIRET proof of concept for Linux kernel. This PoC uses only syscalls not any libraries, like pthread. Threads are implemented using raw Linux syscalls. Raw Linux Threads via System Calls Usage $ make badiret.elf is an ELF executable...
Linux Kernel - BadIRET Local Privilege Escalation
Linux Kernel - BadIRET Local Privilege Escalation CVE-2014-9322 PoC for Linux kernel CVE-2014-9322 a.k.a BadIRET proof of concept for Linux kernel. This PoC uses only syscalls not any libraries, like pthread. Threads are implemented using raw Linux syscalls. Raw Linux Threads via System Calls Usa...
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) -
Exploit for linux platform in category local exploits / Linux_ldso_hwcap_64.c for CVE-2017-1000366, CVE-2017-1000379 Copyright (C) 2017 Qualys, Inc. my_important_hwcaps adapted from elf/dl-hwcaps.c, part of the GNU C Library: Copyright (C) 2012-2017 Free Software Foundation, Inc. This program is free...
CVE-2016-8649
CVE-2016-8649 affects the LXC project: lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 is vulnerable, allowing an unprivileged container to escape to the host filesystem via an inherited host /proc fd. The underlying issue is a guest escape vulnerability via ptrace of lxc-attach. Affected ver...
CVE-2016-8649
lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat family of syscalls...
DEBIAN-CVE-2017-7616
Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c in the Linux kernel through 4.10.9 allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation...
CVE-2017-7616
CVE-2017-7616 affects the Linux kernel (mm/mempolicy.c) where incorrect error handling in set_mempolicy/mbind compat syscalls can leak uninitialized stack data to local attackers. The issue is documented across multiple advisories (e.g., Debian, CentOS, Cloud Foundry) and is mitigated by updating...
Windows 10 x64 - Egghunter Shellcode (45 bytes)
Windows 10 x64 - Egghunter Shellcode 45 bytes. Shellcode exploit for Winx86-64 platform PUBLIC Win10egghunterx64 .code Win10egghunterx64 PROC start: push 7fh pop rdi ; RDI is nonvolatile, so it will be preserved after syscalls setup: inc rdi ; parameter 1 - lpAddress - counter mov r9b,40h ;...
Windows 10 x64 - Egghunter Shellcode (45 bytes)
PUBLIC Win10egghunterx64 .code Win10egghunterx64 PROC start: push 7fh pop rdi ; RDI is nonvolatile, so it will be preserved after syscalls setup: inc rdi ; parameter 1 - lpAddress - counter mov r9b,40h ; parameter 3 - flNewProtect - 0x40 PAGEEXECUTEREADWRITE pop rsi ; Stack alignment before the...
Linux Kernel 2.6.32 Privilege Escalation
Source: http://www.halfdog.net/Security/2011/SuidBinariesAndProcInterface/ proc Handling of Already Opened Files: Subvert The Stack Base Address Randomization With Suid-Binaries Problem description: Latest ubuntu lucid stock kernel 2.6.32-27-generic contains a bug that allows to keep attached to...
Virtuozzo 7 : readykernel-patch (VZA-2017-007)
According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities: - A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other...
UBUNTU-CVE-2017-6874
Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls that leverage certain decrement behavior that causes incorrect interaction betwee...
Kernel security update: Virtuozzo ReadyKernel patch 11.0 for kernel 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)
The cumulative Virtuozzo ReadyKernel patch updated with security fixes as well as a usability bug fix. The patch applies to Virtuozzo 7.0.3. Vulnerability id: CVE-2016-9806 A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified...
Linux Kernel 2.6.32-rc1 x86_64 Register Leak Exploit
Linux kernel version 2.6.32-rc1 x86_64 register leak proof of concept code. / written by Ingo Molnar -- it's true because this comment says the exploit was written by him! / include include unsigned int r81; unsigned int r82; unsigned int r91; unsigned int r92; unsigned int r101; unsigned int r102...
Linux Kernel 2.6.32-rc1 x86_64 Register Leak
/ written by Ingo Molnar -- it's true because this comment says the exploit was written by him! / include include unsigned int r81; unsigned int r82; unsigned int r91; unsigned int r92; unsigned int r101; unsigned int r102; unsigned int r111; unsigned int r112; unsigned int r121; unsigned int r12...
CVE-2016-8645
It was discovered that the Linux kernel since 3.6-rc1 with 'net.ipv4.tcp_fastopen' set to 1 can hit a BUG() statement in the tcp_collapse() function after making a number of certain syscalls, leading to a possible system crash...
Linux/x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password Shellcode (172
include include // Exploit Title: Continuously-Probing Reverse Shell via Socket + port-range + password 172 bytes // Date: 07/10/2016 // Exploit Author: CripSlick // Tested on: Kali 2.0 // Version: No program being used or exploited; I only relied on syscalls...
Linux x86-64 Continuously-Probing Reverse Shell via Socket + Port-range + Password - 172 Bytes
Linux x86-64 Continuously-Probing Reverse Shell via Socket + Port-range + Password - 172 Bytes. Shellcode exploit for linx86-64 platform include include // Exploit Title: Continuously-Probing Reverse Shell via Socket + port-range + password 172 bytes // Date: 07/10/2016 // Exploit Author: CripSli...
Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (1) (122 bytes)
/--------------------------------------------------------------------------------------------------------------------- / Title: tcp reverse shell with password polymorphic version 122 bytes Author: Sathish kumar Contact: https://www.linkedin.com/in/sathish94 Copyright: c 2016 iQube. http://iQube....
Linux/x86 - execve "/bin/sh" Shellcode (24 bytes)
/ ; Title: Linux/x86 execve "/bin/sh" - shellcode 24 byte ; Platform: linux/x86 ; Date: 2015-01-03 ; Author: Dennis 'dhn' Herrmann ; Website: https://zer0-day.pw BITS 32 global start section .text ; syscalls kernel SYSEXECVE equ 0x0b start: ; execve"/bin//sh", 0, 0; push SYSEXECVE ; SYSEXECVE = 1...