h00die

191 exploits Active since Jul 1997
CVE-2022-0492 METASPLOIT HIGH ruby WORKING POC
Docker cgroups Container Escape
A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
CVSS 7.8
CVE-2022-37706 METASPLOIT HIGH ruby WORKING POC
Ubuntu Enlightenment Mount Priv Esc
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
CVSS 7.8
CVE-2017-1000112 METASPLOIT HIGH ruby WORKING POC
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
CVSS 7.0
CVE-2023-34039 METASPLOIT CRITICAL ruby WORKING POC
VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure
Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.
CVSS 9.8
CVE-2020-3950 METASPLOIT HIGH ruby WORKING POC
VMware Fusion <11.5.2 - Privilege Escalation
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.
CVSS 7.8
CVE-1978-1234 METASPLOIT ruby WORKING POC
Sample Linux Priv Esc
This exploit module illustrates how a vulnerability could be exploited in an linux command for priv esc.
CVE-1978-1234 METASPLOIT ruby WORKING POC
Sample Linux Priv Esc
This exploit module illustrates how a vulnerability could be exploited in an linux command for priv esc.
CVE-1978-1234 METASPLOIT ruby WORKING POC
Sample Linux Priv Esc
This exploit module illustrates how a vulnerability could be exploited in an linux command for priv esc.
CVE-2023-20887 METASPLOIT CRITICAL ruby WORKING POC
VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE
Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.
CVSS 9.8
CVE-2018-1335 EXPLOITDB HIGH ruby WORKING POC
Apache Tika <1.18 - Command Injection
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
CVSS 8.1
EIP-2026-114665 EXPLOITDB ruby WORKING POC
Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)
EIP-2026-114801 EXPLOITDB ruby WORKING POC
Polycom Shell HDX Series - Traceroute Command Execution (Metasploit)
EIP-2026-114798 EXPLOITDB ruby WORKING POC
pfSense - (Authenticated) Group Member Remote Command Execution (Metasploit)
EIP-2026-114674 EXPLOITDB ruby WORKING POC
Werkzeug - Debug Shell Command Execution (Metasploit)
EIP-2026-106553 EXPLOITDB text WRITEUP
dotProject 2.1.3 - Cross-Site Scripting / Improper Permissions
EIP-2026-105863 EXPLOITDB text WRITEUP
CiviCRM 3.1 < Beta 5 - Multiple Cross-Site Scripting Vulnerabilities
EIP-2026-105352 EXPLOITDB text WORKING POC
B-Hind CMS (tiny_mce) - Arbitrary File Upload
CVE-2020-11108 EXPLOITDB HIGH ruby WORKING POC
Pi-Hole heisenbergCompensator Blocklist OS Command Execution
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to escalate privileges to root.) The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.
CVSS 8.8
CVE-2016-6253 EXPLOITDB HIGH ruby WORKING POC
NetBSD <7.0 - Local Privilege Escalation
mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user mailbox.
CVSS 7.8
CVE-2017-17562 EXPLOITDB HIGH ruby WORKING POC
Embedthis GoAhead <3.6.5 - Remote Code Execution
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
CVSS 8.1
CVE-2016-4997 EXPLOITDB HIGH ruby WORKING POC
Linux Kernel 4.6.3 Netfilter Privilege Escalation
The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
CVSS 7.8
CVE-2020-3950 EXPLOITDB HIGH ruby WORKING POC
VMware Fusion <11.5.2 - Privilege Escalation
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.
CVSS 7.8
EIP-2026-103180 EXPLOITDB ruby WORKING POC
op5 7.1.9 - Configuration Command Execution (Metasploit)
CVE-2018-6328 EXPLOITDB CRITICAL ruby WORKING POC
Kaseya Unitrends Backup < 10.1 - Authentication Bypass
It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.
CVSS 9.8
CVE-2018-19518 EXPLOITDB HIGH ruby WORKING POC
University of Washington IMAP Toolkit 2007f - Command Injection
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
CVSS 7.5