Distcc, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. This module exploits the vulnerability to install an agent.
ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13 contain an exploitable buffer overflow. This exploit, abuses the buffer overflow to create a format string like vulnerability, which in turn is used to write all the agent code to a known location and then overwrite a GOT entry with a pointer to that code. The dhcpd service doesn't fork, hence, if any of the numbers which must be guessed are missed, the service will die. There are mainly two values which must be guessed: The direct parameter access number for the format string, which is hardcoded to 42, and if wrong will surely make the service crash, and the GOT address, which if missed may make the service crash, but more likely will just make the exploit fail. This exploit first tries all the known GOT addresses corresponding to default installations and RPMs (see supported system notes). If this addresses fail to install the agent, the exploit will finish unsuccessfully.
This module exploits the random number generator in Debian's OpenSSL package being predictable. This vulnerability is used to generate SSH keys and to install an agent into the target host. The exploit will generate the complete vulnerable keyspace, and will try to log as the provided user. If the user is root, the agent will have superuser capabilities.
When the option imapmagicplus is activated on a Cyrus IMAP server the PROXY and LOGIN commands suffer a standard stack overflow, because the username is not checked against a maximum length when it is copied into a temporary stack buffer. This bug is exploited by this module to install an agent. Cyrus 2.2.8 and prior are vulnerable.
The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is processed by the unserialize function, as demonstrated by modifying the file_map cache to execute arbitrary local files.
This module exploits a nameserver vulnerability that occurs when processing a maliciously crafted T_NXT resource record received in a DNS reply message. After successful exploitation, an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the user used to run the bind daemon. However, the uid (as opposite to the euid) of the agent will be that of the super user in most cases (usually '0'). Note that the deployed might be running in a chroot jail. This situation doesn't prevent the agent to be used, and after setting the user id to that of the super user, the chroot breaker module (see "chroot breaker" module documentation) can be used to escape the chroot jail.
A vulnerability in GNU Bash when processing trailing strings after function definitions in the values of environment variables allows remote attackers to execute arbitrary code via a crafted environment. This vulnerability can be leveraged to bypass restricted SSH access (i.e. when the SSH server forces the execution of a specific command, ignoring any command supplied by the client, either by specifying a 'ForceCommand' directive in the 'sshd_config' file, or by using the 'command' keyword in the 'authorized_keys' file) when the default shell for the user is Bash, allowing the remote attacker to execute arbitrary commands on the vulnerable system.
Subscribe to Linux