This module exploits an argument injection vulnerability in PHP up to version 5.3.12 and 5.4.2 when running as a standalone CGI processor and takes advantage of the -d flag to achieve remote code execution.
After successful exploitation an agent will be deployed. The agent will be installed with root privileges.
This exploit abuses an integer overflow condition present in sshd's authentication for the bsdauth and skey authentication modes. After successful exploitation an agent will be deployed. The agent will be installed with root privileges. Tests performed in our lab required up to 1 hour to find the needed address in the raw brute-forcing mode.
This module exploits a command injection error in the function _AddPrinterW in Samba 3, reached through an AddPrinter remote request. For this exploit to work, the "addprinter command" option must be enabled in smb.conf, the Samba configuration file. The agent will normally run as the "nobody" user, and will have limited capabilities.
By exploiting this vulnerability, the return address on the stack can be arbitrarily altered, allowing the auditor to gain control of the target host. After successful exploitation an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the user used to log in to the FTP server (for example, ftp). However, the UID (as opposed to the EUID) of the agent will be that of the super user in most cases (usually 0), and it can be changed by using the setuid module (see "setuid"). When an anonymous user is used, or if the server is configured to do this for other users, the deployed agent will be running inside a chroot jail. This situation does not prevent the use of the agent, and after setting the EUID to that of the super user, the chroot breaker module (see "chroot breaker") can be used to escape the chroot jail. As a side effect of this exploit's execution, two new directories will be created on the target host, namely 'A' and 'AAAAAAAAA...' inside the former. They can be deleted after the module finishes execution.
The OpenBSD IPv6 stack is vulnerable to a buffer overflow that allows an attacker to run arbitrary code in kernel context. This bug can be exploited remotely, but the attack must be issued from the same local network as the target host. If the attack is used more than once, it may crash the target host.
This module exploits a nameserver vulnerability that occurs when processing a maliciously crafted T_NXT resource record received in a DNS reply message. After successful exploitation, an agent will be deployed. This agent will inherit the user identity and capabilities of the abused service, usually those of the user used to run the bind daemon. However, the UID (as opposed to the EUID) of the agent will be that of the super user in most cases (usually '0'). Note that the deployed agent might be running in a chroot jail. This situation does not prevent the agent from being used, and after setting the user id to that of the super user, the chroot breaker module (see the "chroot breaker" module documentation) can be used to escape the chroot jail.
Exploits a missing verification of the path in the "sudoedit" command, provided by the sudo package. This can be exploited to execute any command as root (including a shell), allowing an unprivileged process to elevate its privileges to root.
In the kernel code for the setitimer() system call, the 'which' parameter (a signed integer) is validated under the mistaken assumption that its value cannot be negative. Passing a negative value for this parameter results in a write into an array indexed by 'which', overwriting memory outside the array. This exploit overwrites the credential structure of the current process to set the user id to 0 (root), then launches a new agent.
The nfds (number of file descriptors) argument to the select() system call is a signed integer. The bounds-checking code in the kernel evaluates this argument in a signed context. By passing negative arguments it is possible to cause the kernel to copy a large amount of data from userspace into a buffer on the stack, overflowing the allocated space. This module exploits the vulnerability to lower the system security level to -1 and launches an agent with root privileges.