Daily Archives: November 3, 2016

Home » November 2016 » Archives for November 3, 2016

Linux Kernel (Ubuntu / Fedora / Redhat) – ‘Overlayfs’ Privilege Escalation Exploit – Metasploit Code

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require “msf/core”
 
class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking
 
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
        ‘Name’           => ‘Overlayfs Privilege Escalation’,
        ‘Description’    => %q{
          This module attempts to exploit two different CVEs related to overlayfs.
          CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
                                            3.16.0-25 […]

By |November 3rd, 2016|Exploits|

MySQL / MariaDB / PerconaDB – ‘root’ Privilege Escalation Vulnerability – Metasploit Code

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

Credits: Dawid
I. VULNERABILITY
————————-
 
MariaDB / MySQL / PerconaDB   –   Root Privilege Escalation
 
MySQL 
    <= 5.5.51
    <= 5.6.32
    <= 5.7.14
 
MariaDB
    All current
 
Percona Server
    < 5.5.51-38.2
    < 5.6.32-78-1
    < 5.7.14-8
 
Percona XtraDB Cluster
    < 5.6.32-25.17
    < 5.7.14-26.17
    < 5.5.41-37.0
 
 
II. BACKGROUND
————————-
 
MySQL:
 
“MySQL is the world’s most popular open source database.
Whether you are a fast growing web property, technology ISV or large
enterprise, MySQL […]

By |November 3rd, 2016|Exploits|

NVIDIA Driver – NvStreamKms Stack Buffer Overflow in PsSetCreateProcessNotifyRoutineEx Callback Priv

Ethical Hacking Training Institute
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
process creation notification routine.
 
In this particular routine,
 
if ( cur->image_names_count > 0 ) {
  // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
  image_filename = info_->ImageFileName;
  buf = image_filename->Buffer;
  if ( buf )
  {
    if ( !v5 )
    {
      i = 0i64;
      num_chars = image_filename->Length […]

By |November 3rd, 2016|Exploits|