Embedthis GoAhead before 3.6.5 and after 2.5.0 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
This module exploits a vulnerability in Apache Struts 2. The specific vulnerability relies on the Struts 1 plugin which might allow remote attackers to execute arbitrary code via a malicious field value passed in a raw message to the ActionMessage.
The waitid implementation in upstream kernels did not restrict the target destination to copy information results. This can allow local users to write to otherwise protected kernel memory, which can lead to privilege escalation.
This module exploits an arbitrary file upload in DotCMS to install an agent.
This module exploits a command injection vulnerability in REDDOXX Appliance to install an agent. The deployed agent will run with ROOT privileges.
This module exploits a memory corruption vulnerability in the Linux kernel. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption that can be used by an attacker to escalate privileges.
Apache Tomcat allows the upload of JSP files to unauthenticated users via a specially crafted request when the readonly initialization parameter of the Default servlet is set to false.
CMS Made Simple is prone to an OS command injection which allows attackers the execution of system commands.
This module exploits a signedness error condition in the Linux Kernel via PACKET_RX_RING option on an AF_PACKET socket with a TPACKET_V3 ring buffer version enabled. The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to escalate privileges.
This module exploits a double-free vulnerability in the Linux Kernel. The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to escalate privileges via an application that makes an IPV6_RECVPKTINFO setsockopt system call.