h00die

198 exploits Active since Jul 1997
CVE-2016-6253 EXPLOITDB HIGH ruby WORKING POC
NetBSD <7.0 - Local Privilege Escalation
mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user mailbox.
CVSS 7.8
CVE-2017-17562 EXPLOITDB HIGH ruby WORKING POC
Embedthis GoAhead <3.6.5 - Remote Code Execution
Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.
CVSS 8.1
CVE-2016-4997 EXPLOITDB HIGH ruby WORKING POC
Linux Kernel 4.6.3 Netfilter Privilege Escalation
The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
CVSS 7.8
CVE-2020-3950 EXPLOITDB HIGH ruby WORKING POC
VMware Fusion <11.5.2 - Privilege Escalation
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) contain a privilege escalation vulnerability due to improper use of setuid binaries. Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed.
CVSS 7.8
CVE-2018-19518 EXPLOITDB HIGH ruby WORKING POC
University of Washington IMAP Toolkit 2007f - Command Injection
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
CVSS 7.5
EIP-2026-103180 EXPLOITDB ruby WORKING POC
op5 7.1.9 - Configuration Command Execution (Metasploit)
CVE-2018-6328 EXPLOITDB CRITICAL ruby WORKING POC
Kaseya Unitrends Backup < 10.1 - Unauthenticated Command Injection via /api/hosts Parameter
It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.
CVSS 9.8
CVE-2014-0038 EXPLOITDB ruby WORKING POC
Linux Kernel recvmmsg Privilege Escalation
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.
CVE-2016-4557 EXPLOITDB HIGH ruby WORKING POC
Linux BPF doubleput UAF Privilege Escalation
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
CVSS 7.8
CVE-2018-6329 EXPLOITDB CRITICAL ruby WORKING POC
Unitrends Backup < 10.1.10 - SQL Injection and Remote Code Execution via Authentication Bypass
It was discovered that the Unitrends Backup (UB) before 10.1.0 libbpext.so authentication could be bypassed with a SQL injection, allowing a remote attacker to place a privilege escalation exploit on the target system and subsequently execute arbitrary commands.
CVSS 9.8
CVE-2017-16995 EXPLOITDB HIGH ruby WORKING POC
Linux BPF Sign Extension Local Privilege Escalation
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
CVSS 7.8
CVE-2015-1328 EXPLOITDB HIGH ruby WORKING POC
Linux kernel <3.19.0-21.21 - Privilege Escalation
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.
CVSS 7.8
CVE-2017-1000112 EXPLOITDB HIGH ruby WORKING POC
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach") on Oct 18 2005.
CVSS 7.0
EIP-2026-102634 EXPLOITDB perl WORKING POC
LinkLogger 2.4.10.15 - 'syslog' Denial of Service
CVE-2017-15889 EXPLOITDB HIGH ruby WORKING POC
Synology DiskStation Manager < 5.2-5967-5 - Authenticated Command Injection via smart.cgi Disk Field
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.
CVSS 8.8
EIP-2026-100979 EXPLOITDB bash WORKING POC
Addonics NAS Adapter - (Authenticated) Denial of Service
CVE-2009-4753 EXPLOITDB python WORKING POC
Addonics NASU2FW41 - Buffer Overflow
Multiple buffer overflows in the FTP server on the Addonics NAS Adapter NASU2FW41 with loader 1.17 allow remote attackers to cause a denial of service (TCP/IP outage) via long arguments to the (1) XRMD, (2) delete, (3) RNFR, or (4) RNTO command.
EIP-2026-100719 EXPLOITDB ruby WORKING POC
IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)
EIP-2026-100978 EXPLOITDB bash WORKING POC
Addonics NAS Adapter - 'bts.cgi' (Authenticated) Remote Denial of Service
EIP-2026-100718 EXPLOITDB ruby WORKING POC
IPFire - 'proxy.cgi' Remote Code Execution (Metasploit)
CVE-2014-6271 EXPLOITDB CRITICAL ruby WORKING POC
Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
CVSS 9.8
CVE-2017-13156 EXPLOITDB HIGH ruby WORKING POC
Android Janus APK Signature bypass
An elevation of privilege vulnerability in the Android system (art). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-64211847.
CVSS 7.8
EIP-2026-100051 EXPLOITDB ruby WORKING POC
Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)