CVE-2025-27591

This PoC exploits a privilege escalation vulnerability (CVE-2025-27591) in the Below service by manipulating a world-writable directory to create a symlink attack, allowing an attacker to append a malicious entry to /etc/passwd and gain root access.

This exploit leverages a world-writable log file vulnerability in 'below' versions < v0.9.0 to create a symlink to /etc/ld.so.preload, enabling arbitrary shared library injection for local privilege escalation (LPE). The PoC includes a reverse shell payload and cleanup routines to cover tracks.

This exploit leverages a symlink attack on the 'below' monitoring tool to overwrite /etc/passwd, injecting a malicious root user for privilege escalation. It requires sudo access to 'below' and exploits world-writable log directories.

This repository contains a functional privilege escalation exploit for CVE-2025-27591, targeting the `below` system monitoring tool. The exploit leverages a world-writable log directory to create a symlink attack, allowing an attacker to overwrite `/etc/passwd` and gain root access.

This exploit leverages a world-writable log directory in Below <= v0.8.1 to create a symlink to /etc/passwd, which is then modified to add a root-privileged user when Below is executed with sudo.

This exploit leverages a world-writable log file in the 'below' tool to create a symlink to /etc/passwd, allowing an attacker to inject a new root user entry via crafted input. It requires sudo access to execute the 'below' command.

The repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate the vulnerabilities with clear technical details and executable scripts.

This exploit leverages a symlink attack in Below's world-writable log directory to overwrite /etc/passwd, enabling privilege escalation to root. The PoC script automates the creation of a malicious user entry and triggers the vulnerability via sudo access to 'below'.

The repository contains a functional Bash script that exploits a local privilege escalation vulnerability (CVE-2025-27519) in the 'below' logging utility. The exploit abuses a world-writable log directory to create a symlink from a log file to /etc/passwd, allowing an attacker to insert a fake root user entry.

This repository contains a functional privilege escalation exploit for CVE-2025-27591, targeting the 'below' performance monitoring tool. The exploit abuses a world-writable log directory via symlink manipulation to append a malicious entry to /etc/passwd, enabling root access.

This PoC exploits a symlink attack in Below < v0.9.0, where a world-writable /var/log/below directory allows unprivileged users to overwrite /etc/passwd via a symlink, escalating privileges to root.

This repository contains a functional privilege escalation exploit for CVE-2025-27591, leveraging a world-writable directory symlink attack to manipulate /etc/passwd and escalate to root. The exploit script automates the creation of a symlink and triggers the vulnerable service to write to the targeted file.

This is a Bash-based privilege escalation exploit for CVE-2025-27591, targeting a symlink vulnerability in the 'below' system performance monitoring tool. It automates the creation of a root user in /etc/passwd by leveraging world-writable log directories.

This is a functional privilege escalation exploit for CVE-2025-27591, targeting a race condition in the 'below' utility's log file handling. It abuses symlink manipulation to inject a malicious user into /etc/passwd, granting root access.

This repository contains a functional privilege escalation exploit for CVE-2025-27591, leveraging a world-writable directory symlink attack to manipulate /etc/passwd. The exploit creates a symlink in /var/log/below and triggers a log write via the 'below' service to escalate privileges.

This exploit leverages a world-writable directory vulnerability in the Below service (<v0.9.0) to perform a symlink attack, allowing local privilege escalation by manipulating /etc/passwd to add a root-level user.

The repository contains a functional exploit for CVE-2025-27591, a symlink-based local privilege escalation vulnerability in Meta's 'below' system resource monitor. The exploit leverages improper symlink handling in the logging mechanism to overwrite arbitrary files as root, demonstrated by modifying /etc/passwd to gain root access.

This exploit leverages a symlink attack to manipulate file permissions of /etc/passwd, allowing an unprivileged user to escalate privileges by removing the root password. It targets a world-writable directory and a service that incorrectly handles file permissions.

This PoC exploits a symlink attack in the 'below' system monitor tool (CVE-2025-27591) to inject a malicious user into /etc/passwd, enabling local privilege escalation to root. The exploit creates a symlink from a log file to /etc/passwd, triggers the vulnerable service, and appends a root-level user entry.

This PoC exploits CVE-2025-27591 by leveraging a symlink attack on a world-writable log directory to append a malicious line to /etc/passwd, granting root access via a new user. The exploit requires local access and sudo privileges to execute 'below record'.

This PoC exploits a local privilege escalation vulnerability in Below < v0.9.0 by leveraging a symlink attack on a world-writable log directory to overwrite /etc/passwd and gain root access.