Marco Ivaldi - Security Researcher - Exploit Intelligence Platform

CVE-2006-4842 METASPLOIT ruby WORKING POC

Netscape Portable Runtime (NSPR) API <4.6.3 - Local File Creation

The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.

View Code

CVE-2019-3010 METASPLOIT HIGH ruby WORKING POC

Oracle Solaris 11 - Privilege Escalation in XScreenSaver

Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVSS 8.8

View Code

CVE-2010-3856 METASPLOIT ruby WORKING POC

glibc < 2.11.3 and 2.12.x < 2.12.2 - Privilege Escalation via LD_AUDIT Environment Variable

ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.

View Code

CVE-2019-10149 METASPLOIT CRITICAL ruby WORKING POC

Exim 4.87 - 4.91 Local Privilege Escalation

A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.

CVSS 9.8

View Code

EIP-2026-118939 EXPLOITDB text WORKING POC

MySQL 4.x/5.0 (Windows) - User-Defined Function Command Execution

View Code

CVE-2007-0977 EXPLOITDB bash WORKING POC

IBM Lotus Domino R5-R6 WebMail - Info Disclosure

IBM Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores HTTPPassword hashes from names.nsf in a manner accessible through Readviewentries and OpenDocument requests to the defaultview view, a different vector than CVE-2005-2428.

View Code

CVE-2007-1738 EXPLOITDB text WORKING POC

TrueCrypt 4.3 - Privilege Escalation or Denial of Service via Crafted Volume Mount

TrueCrypt 4.3, when installed setuid root, allows local users to cause a denial of service (filesystem unavailability) or gain privileges by mounting a crafted TrueCrypt volume, as demonstrated using (1) /usr/bin or (2) another user's home directory, a different issue than CVE-2007-1589.

View Code

CVE-2004-0360 EXPLOITDB c WORKING POC

Solaris 8.0-9.0 - Privilege Escalation

Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users to gain privileges via unknown attack vectors.

View Code

CVE-2020-2944 EXPLOITDB HIGH c WORKING POC

Oracle Solaris <11 - Privilege Escalation

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Common Desktop Environment). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVSS 8.8

View Code

CVE-2006-4842 EXPLOITDB ruby WORKING POC

Netscape Portable Runtime (NSPR) API <4.6.3 - Local File Creation

The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.

View Code

EIP-2026-114721 EXPLOITDB c WORKING POC

Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3)

View Code

EIP-2026-114722 EXPLOITDB c WORKING POC

Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2)

View Code

EIP-2026-114723 EXPLOITDB c WORKING POC

Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3)

View Code

EIP-2026-114724 EXPLOITDB c WORKING POC

Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)

View Code

EIP-2026-114725 EXPLOITDB c WORKING POC

Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)

View Code

EIP-2026-114728 EXPLOITDB c WORKING POC

Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation (1)

View Code

CVE-2006-4842 EXPLOITDB bash WORKING POC

Netscape Portable Runtime (NSPR) API <4.6.3 - Local File Creation

The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.

View Code

CVE-2006-4842 EXPLOITDB bash WORKING POC

Netscape Portable Runtime (NSPR) API <4.6.3 - Local File Creation

The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.

View Code

CVE-2006-4842 EXPLOITDB bash WORKING POC

Netscape Portable Runtime (NSPR) API <4.6.3 - Local File Creation

The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.

View Code

EIP-2026-114729 EXPLOITDB c WORKING POC

Solaris 10 libXm - Buffer overflow Local privilege escalation

View Code

CVE-2006-3824 EXPLOITDB c WORKING POC

Sun Solaris - Kernel Memory Exposure via sysinfo System Call

systeminfo.c for Sun Solaris allows local users to read kernel memory via a 0 variable count argument to the sysinfo system call, which causes a -1 argument to be used by the copyout function. NOTE: this issue has been referred to as an integer overflow, but it is probably more like a signedness error or integer underflow.

View Code

CVE-2019-3010 EXPLOITDB HIGH text WORKING POC

Oracle Solaris 11 - Privilege Escalation in XScreenSaver

Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVSS 8.8

View Code

CVE-2003-0609 EXPLOITDB c WORKING POC

Solaris 2.6-9 - Local Privilege Escalation via LD_PRELOAD Environment Variable

Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable.

View Code

EIP-2026-114734 EXPLOITDB c WORKING POC

Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)

View Code

EIP-2026-114735 EXPLOITDB c WORKING POC

Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)

View Code