4 matches found
io_uring Same Type Object Reuse Priv Esc
This module exploits a bug in iouring leading to an additional putcred that can be exploited to hijack credentials of other processes. We spawn SUID programs to get the free'd cred object reallocated by a privileged process and abuse them to create a SUID root binary ourselves that'll pop a shell...
vmwgfx Driver File Descriptor Handling Priv Esc
If the vmwgfx driver fails to copy the 'fencerep' object to userland, it tries to recover by deallocating the already populated file descriptor. This is wrong, as the fd gets released via putunusedfd which shouldn't be used, as the fd table slot was already populated via the previous call to...
io_uring Same Type Object Reuse Privilege Escalation Exploit
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'iouring Same Type Object Reuse Priv Esc', 'Description' = %q This module exploits a bug in iouring leading to an additional putcred that can be...
vmwgfx Driver File Descriptor Handling Privilege Escalation Exploit
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'vmwgfx Driver File Descriptor Handling Priv Esc', 'Description' = %q If the vmwgfx driver fails to copy the 'fencerep' object to userland, it tri...