bcoles

168 exploits Active since Mar 1998
CVE-2012-10039 METASPLOIT CRITICAL ruby WORKING POC
ZEN Load Balancer <3.0-rc1 - Command Injection
ZEN Load Balancer versions 2.0 and 3.0-rc1 contain a command injection vulnerability in content2-2.cgi. The filelog parameter is passed directly into a backtick-delimited exec() call without sanitation. An authenticated attacker can inject arbitrary shell commands, resulting in remote code execution as the root user. ZEN Load Balancer is the predecessor of ZEVENET and SKUDONET. The affected versions (2.0 and 3.0-rc1) are no longer supported. SKUDONET CE is the current community-maintained successor.
CVE-2012-10041 METASPLOIT CRITICAL ruby WORKING POC
WAN Emulator 2.3 - Unauthenticated OS Command Injection via result.php pc Parameter
WAN Emulator v2.3 contains two unauthenticated command execution vulnerabilities. The result.php script calls shell_exec() with unsanitized input from the pc POST parameter, allowing remote attackers to execute arbitrary commands as the www-data user. The system also includes a SUID-root binary named dosu, which is vulnerable to command injection via its first argument. An attacker can exploit both flaws in sequence to achieve full remote code execution and escalate privileges to root.
CVE-2016-8655 EXPLOITDB HIGH c WORKING POC
AF_PACKET chocobo_root Privilege Escalation
Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.
CVSS 7.8
CVE-2018-11479 EXPLOITDB HIGH ruby WORKING POC
Windscribe 1.81 - Unauthenticated Privilege Escalation via Named Pipe Command Injection
The VPN component in Windscribe 1.81 uses the OpenVPN client for connections. Also, it creates a WindScribeService.exe system process that establishes a \\.\pipe\WindscribeService named pipe endpoint that allows the Windscribe VPN process to connect and execute an OpenVPN process or other processes (like taskkill, etc.). There is no validation of the program name before constructing the lpCommandLine argument for a CreateProcess call. An attacker can run any malicious process with SYSTEM privileges through this named pipe.
CVSS 7.8
CVE-2019-15742 EXPLOITDB HIGH ruby WORKING POC
Poly Plantronics Hub <3.14 - Privilege Escalation
A local privilege-escalation vulnerability exists in the Poly Plantronics Hub before 3.14 for Windows client application. A local attacker can exploit this issue to gain elevated privileges.
CVSS 7.8
EIP-2026-112932 EXPLOITDB python WORKING POC
Useresponse 1.0.2 - Privilege Escalation / Remote Code Execution
CVE-2019-9194 EXPLOITDB CRITICAL ruby WORKING POC
elFinder < 2.1.48 - OS Command Injection in PHP Connector
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
CVSS 9.8
CVE-2019-19726 EXPLOITDB HIGH ruby WORKING POC
OpenBSD Dynamic Loader chpass Privilege Escalation
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
CVSS 7.8
CVE-2016-2056 EXPLOITDB HIGH ruby WORKING POC
Xymon 4.1.x-4.3.x - Authenticated Command Injection via adduser_name Argument
xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c.
CVSS 8.8
EIP-2026-103764 EXPLOITDB bash WORKING POC
ASAN/SUID - Local Privilege Escalation
CVE-2019-11409 EXPLOITDB HIGH ruby WORKING POC
FusionPBX 4.4.3 - Command Injection
app/operator_panel/exec.php in the Operator Panel module in FusionPBX 4.4.3 suffers from a command injection vulnerability due to a lack of input validation that allows authenticated non-administrative attackers to execute commands on the host. This can further lead to remote code execution when combined with an XSS vulnerability also present in the FusionPBX Operator Panel module.
CVSS 8.8
CVE-2020-8657 EXPLOITDB CRITICAL ruby WORKING POC
EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
CVSS 9.8
CVE-2017-4915 EXPLOITDB HIGH bash WORKING POC
VMware Workstation Pro/Player - Privilege Escalation
VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.
CVSS 7.8
CVE-2019-12181 EXPLOITDB HIGH bash WORKING POC
Serv-U FTP Server prepareinstallation Privilege Escalation
A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
CVSS 8.8
CVE-2017-5899 EXPLOITDB HIGH bash WORKING POC
s-nail < 14.8.5 - Path Traversal via randstr Argument
Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.
CVSS 7.0
EIP-2026-103772 EXPLOITDB bash WORKING POC
Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation
CVE-2019-16662 EXPLOITDB CRITICAL ruby WORKING POC
rconfig 3.9.2 - OS Command Injection via ajaxServerSettingsChk.php rootUname Parameter
An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.
CVSS 9.8
CVE-2019-13272 EXPLOITDB HIGH c WORKING POC
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
CVSS 7.8
CVE-2010-4170 EXPLOITDB ruby WORKING POC
SystemTap 1.3 - Privilege Escalation via MODPROBE_OPTIONS Environment Variable
The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.
CVE-2019-12181 EXPLOITDB HIGH ruby WORKING POC
Serv-U FTP Server prepareinstallation Privilege Escalation
A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
CVSS 8.8
EIP-2026-102980 EXPLOITDB ruby WORKING POC
Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit)
CVE-2019-9213 EXPLOITDB MEDIUM ruby WORKING POC
Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task.
CVSS 5.5
EIP-2026-102959 EXPLOITDB ruby WORKING POC
ptrace - Sudo Token Privilege Escalation (Metasploit)
EIP-2026-102958 EXPLOITDB ruby WORKING POC
ptrace - Sudo Token Privilege Escalation (Metasploit)
CVE-2019-13272 EXPLOITDB HIGH ruby WORKING POC
Linux Polkit pkexec helper PTRACE_TRACEME local root exploit
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
CVSS 7.8