The Linux kernel function do_brk(), which handles the brk() syscall used by programs to increase or decrease the amount of heap memory they are using, does not sanity-check its argument. This module exploits this bug and writes to kernel memory in order to execute privileged code. This bug can even be exploited on a hardened Linux kernel, patched with PaX or grsecurity for instance.

This module exploits a privilege escalation vulnerability in the Linux Kernel. The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace and allows a local attacker to escalate privileges.

The "compat_alloc_user_space" function, which belongs to the 32-bit compatibility layer for 64-bit versions of Linux, can produce a stack pointer underflow when it's called with an arbitrary length input. This vulnerability can be used by local unprivileged users to corrupt the kernel memory in order to gain root privileges.

The Composite extension for the X.org X11 server before 1.4 is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. The error is located in the compNewPixmap function. This module triggers the overflow while creating a window with a high bit depth and a second child window with a lower bit depth. The overflow is only possible when windows of different depth can be created on the display, so most servers on 24 or 32 bit modes are not vulnerable, because the X server usually stores 24 bit pixels in 4 bytes. After successful exploitation an agent will be installed.

This module exploits a vulnerability in the Linux apport application. The apport application can be forced to drop privileges to uid 0 and write a corefile anywhere on the system. This can be used to write a corefile with crafted contents in a suitable location to gain root privileges.

This module exploits a buffer overflow vulnerability in linuxconf. The vulnerability is due to insufficient bounds checking of the LINUXCONF_LANG environment variable.

Libdbus 1.5.x and earlier, when used in setuid processes not clearing the environment variables, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. This module exploits the vulnerability as present on the Xorg setuid binary and installs an agent with root privileges.

There is an exploitable buffer overflow in the SSINC.DLL file used by Microsoft IIS 5.0. The problem is triggered while including long enough filenames in any ASP file. After successful exploitation an agent will be installed. The process being exploited is usually run as an IUSR or IWAM user, specially created for IIS to answer anonymous requests. If this condition is present, the newly deployed agent will run with an unprivileged user. In most cases, the RevertToSelf Win32 API call can be used, available with the RevertToSelf module (see "RevertToSelf") to replace the current process access token with the saved one, usually SYSTEM, thus, effectively gaining full control of the target host.

IBM Director is prone to a privilege-escalation vulnerability that affects the CIM server. Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of the CIM server process.

The GNU C dynamic linker (ld.so) is prone to a local privilege-escalation vulnerability. This module exploits the vulnerability to create a world writable file in the /etc/cron.d directory. Then it uses the file to install an agent with root privileges. Finally the world writable file is deleted.