Sudo Baron Samedit Exploit

Overview

CVE-2021-3156 (Sudo Baron Samedit)

This repository contains a CVE-2021-3156 exploit targeting Linux x64. For the writeup, please visit https://datafarm-cybersecurity.medium.com/exploit-writeup-for-cve-2021-3156-sudo-baron-samedit-7a9a4282cb31
Credit to Baron Samedit of Qualys for the original advisory.


Files

Exploit on glibc with tcache
  • exploit_nss.py: auto-detects all requirements and the number of entries in /etc/nsswitch.conf
  • exploit_nss_manual.py: simplified version of exploit_nss.py, for better understanding of the exploit
  • exploit_timestamp_race.c: overwrites def_timestamp and uses a race condition to modify /etc/passwd
Exploit on glibc without tcache
  • exploit_defaults_mailer.py: overwrites struct defaults to modify the mailer binary path. It requires sudo compiled without --disable-root-mailer, as on CentOS 6 and 7.
  • exploit_userspec.py: overwrites struct userspec to bypass authentication and add a new user in /etc/passwd. Supports only sudo versions 1.8.9-1.8.23.
  • exploit_cent7_userspec.py: simplified version of exploit_userspec.py for understanding, but targets only CentOS 7 with the default configuration
  • exploit_nss_d9.py: overwrites struct service_user on Debian 9, but supports only the default /etc/nsswitch.conf
  • exploit_nss_u16.py: overwrites struct service_user on Ubuntu 16.04, but supports only the default /etc/nsswitch.conf
  • exploit_nss_u14.py: overwrites struct service_user on Ubuntu 14.04, but supports only the default /etc/nsswitch.conf
Others
  • asm/: tinyelf library and executable for embedding in the Python exploits
  • gdb/: scripts used for debugging the sudo heap

Choosing exploit

For Linux distributions whose glibc has tcache support and has it enabled (CentOS 8, Ubuntu >= 17.10, Debian 10):

  • try exploit_nss.py first
  • if the error is not related to glibc tcache, you can try exploit_timestamp_race.c next

For Linux distributions whose glibc has no tcache support:

  • if the target is Debian 9, Ubuntu 16.04, or Ubuntu 14.04, try the exploit_nss_xxx.py for that specific version first
  • next, try exploit_defaults_mailer.py. If you know the target sudo is compiled with --disable-root-mailer, you can skip this exploit. The exploit attempts to check the root mailer flag from the sudo binary, but on some Linux distributions the sudo permission is 4711 (-rws--x--x), which makes the check impossible on the target system. (Known working OSes are CentOS 6 and 7.)
  • last, try exploit_userspec.py
Comments
  • Exploitation on CentOS 6.10 (Final)

    Hi @worawit

    I tried the exploit code exploit_defaults_mailer.py on CentOS 6.10, and got some error messages as the following.

    Cannot determine disble-root-mailer flag
    
    curr size: 0x1600
    
    exit code: 11
    
    
    curr size: 0x1100
    *** glibc detected *** sudoedit: malloc(): memory corruption: 0x00005654d9e3d630 ***
    ======= Backtrace: =========
    /lib64/libc.so.6(+0x39ff475e5e)[0x2b2a32c83e5e]
    /lib64/libc.so.6(+0x39ff47a41a)[0x2b2a32c8841a]
    /lib64/libc.so.6(__libc_malloc+0x5c)[0x2b2a32c88b1c]
    /usr/libexec/sudoers.so(+0x2f558)[0x2b2a331e2558]
    /usr/libexec/sudoers.so(+0x29e52)[0x2b2a331dce52]
    /usr/libexec/sudoers.so(+0x10d9d)[0x2b2a331c3d9d]
    /usr/libexec/sudoers.so(+0xffda)[0x2b2a331c2fda]
    /usr/libexec/sudoers.so(+0x124b0)[0x2b2a331c54b0]
    /usr/libexec/sudoers.so(+0x13b4e)[0x2b2a331c6b4e]
    sudoedit(+0xe8fc)[0x5654d966a8fc]
    /lib64/libc.so.6(__libc_start_main+0x100)[0x2b2a32c2cd20]
    sudoedit(+0x3ef9)[0x5654d965fef9]
    exit code: 6
    
    
    curr size: 0x1380
    
    exit code: 11
    
    
    curr size: 0x1240
    
    exit code: 11
    
    
    curr size: 0x11a0
    
    exit code: 11
    
    
    curr size: 0x1150
    
    exit code: 256
    sudoedit: no askpass program specified, try setting SUDO_ASKPASS
    
    
    curr size: 0x1160
    
    exit code: 11
    
    found cmnd size: 0x1150
    
    cmnd size: 0x1150
    offset to defaults: 0x0
    invalid offset. exit code: 256
    

    $ sudo -V
    Sudo version 1.8.6p3
    Sudoers policy plugin version 1.8.6p3
    Sudoers file grammar version 42
    Sudoers I/O plugin version 1.8.6p3

    $ ldd --version
    ldd (GNU libc) 2.12

    $ uname -r
    2.6.32-754.el6.x86_64

    After running the exploit, the folder 'gg' was added in /tmp folder.

    drwxrwxrwt. 19 root root 4096 Jul 20 19:36 .
    -rwxr-xr-x. 1 user user 97 Jul 20 19:36 gg

    Also, CentOS 6.10 was installed on VMware.

    Thanks, Any ideas would be appreciated.

    opened by tachibanakanade 3
  • Can you make Exploit code in 32bit? (no tcache)

    Hi!, I want to make exploit code in 32 bit environment.

    There have been various attempts, but the most fundamental problem is that there is only one space (Unsorted bin) in the bins just before the overflow buffer is allocated.

    Is there any way to increase this? (I want to use small bins, fast bins... but always only unsorted bins remain.)

    opened by BruteKoon 2
  • About Ubuntu 14.04 or 16.04 without tcache.

    In the exploit code exploit_nss_u14.py or exploit_nss_u16.py, you wrote "the glibc with tcache" in the beginning comment. However, in the README.md, you wrote "For Linux distribution that glibc has no tcache support". Which one is a typo? By the way, can you tell me the glibc version that you tested on Ubuntu 14.04 and 16.04? Thanks for sharing.

    #!/usr/bin/python
    '''
    Exploit for CVE-2021-3156 on Ubuntu 16.04 by sleepya
    This exploit requires:
    - glibc with tcache
    
    For Linux distribution that glibc has no tcache support:
    
    if a target is Debian 9, Ubuntu 16.04, or Ubuntu 14.04, try exploit_nss_xxx.py for specific version first
    
    opened by greg-workspace 1
  • Add a BSD 3-clause license

    This adds a license file to the project, specifically the BSD 3-clause license. I'm hoping to have this incorporated into Metasploit via rapid7/metasploit-framework#15146 which would require that it be under a compatible license such as this.

    If you'd prefer a different license just let me know and I can get it changed over to whatever you'd prefer.

    opened by zeroSteiner 0
  • 'AssertionError' feedback

    Hi, worawit. I've learned a lot about heap overflow from your project. But I have a new error during my VM testing: the size parameter of the cmnd function cannot be obtained accurately all the time. Here is the 'Error Message' below

    [test@localhost tmp]$ python exploit_userspec.py
    
    curr size: 0x1600
    
    exit code: 11
    
    
    curr size: 0x1100
    
    exit code: 11
    
    
    curr size: 0xe80
    
    exit code: 11
    
    
    curr size: 0xd40
    
    exit code: 11
    
    
    curr size: 0xca0
    
    exit code: 11
    
    
    curr size: 0xc50
    
    exit code: 11
    
    
    curr size: 0xc20
    
    exit code: 11
    
    
    curr size: 0xc10
    
    exit code: 11
    
    Traceback (most recent call last):
      File "exploit_userspec.py", line 736, in <module>
        main()
      File "exploit_userspec.py", line 652, in main
        cmnd_size = find_cmnd_size()
      File "exploit_userspec.py", line 154, in find_cmnd_size
        assert size_min == 0x2000 - 0x10
    AssertionError
    

    And, here is the version below:

    [test@localhost tmp]$ sudo -V
    Sudo version 1.8.23
    Sudoers policy plugin version 1.8.23
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.23
    [test@localhost tmp]$ hostnamectl
      Static hostname:  localhost
             Icon name: computer-vm
               Chassis: vm
            Machine ID: 71a7851c7f64482cad825974248cc902
               Boot ID: d6b64d7f01684b8ca51f807d08079a03
        Virtualization: vmware
      Operating System: CentOS Linux 7 (Core)
           CPE OS Name: cpe:/o:centos:centos:7
                Kernel: Linux 3.10.0-957.21.3.el7.x86_64
    [test@localhost tmp]$ python -V
    Python 2.7.5
    [test@localhost tmp]$ sysctl -a --pattern randomiz
    kernel.randomize_va_space = 2
    [test@localhost tmp]$ ldd --version
    ldd (GNU libc) 2.17
    Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.
    

    Also, I tried manually getting specific parameter values and specifying specific inputs (some Python code I've changed with local debugging)

    exploit_userspec.py 0x2000 0
    exploit_defaults_mailer.py 0x2000 0
    
    The Error code still exists
    Traceback (most recent call last):
      File "exploit_userspec.py", line 736, in <module>
        main()
      File "exploit_userspec.py", line 652, in main
        cmnd_size = find_cmnd_size()
      File "exploit_userspec.py", line 154, in find_cmnd_size
        assert size_min == 0x2000 - 0x10
    AssertionError
    
    opened by yasooknigth 1
  • invalid offset. exit code: 256 (CentOS 6.9 / libc 2.12)

    Hi @worawit

    Use exploit: exploit_defaults_mailer.py

    Does this mean that this configuration is not usable or needs some work? End output:

    cmnd size: 0x1150
    offset to defaults: 0x0
    sudoedit: option `mail_always' does not take a value
    sudoedit: you are not permitted to use the -C option
    invalid offset. exit code: 256

    $ sudo -V
    Sudo version 1.8.6p3
    Sudoers policy plugin version 1.8.6p3
    Sudoers file grammar version 42
    Sudoers I/O plugin version 1.8.6p3

    $ uname -r
    2.6.32-696.16.1.el6.x86_64

    $ ldd --version
    ldd (GNU libc) 2.12
    Copyright (C) 2010 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.

    opened by secrzd 0
  • remove pwned file in case it already exists

    Hello, this pull request makes sure the pwned file does not exist prior to exploitation.

    I've just experienced one case like that, and obviously the condition os.stat(PWNED_PATH).st_uid != 0 gave a false positive.

    opened by HynekPetrak 0
  • Centos 8 can be used, but some configuration needs to be modified

    Line 187 of exploit_nss.py: proc = subprocess.Popen(['ip', 'addr'], stdout=subprocess.PIPE, bufsize=1, universal_newlines=True)

    Generally, ip addr cannot be used directly under low authority. It can be modified to /sbin/ip and modified to ['/sbin/ip','addr']

    opened by s1g0day 0
  • invalid offset. exit code: 256 (Amazon Linux AMI release 2017.09 / libc 2.17 )

    Hi @worawit

    Does this mean that this configuration is not usable or needs some work? End output:

    offset to defaults: 0x60
    sudoedit: option `mail_always' does not take a value
    sudoedit: you are not permitted to use the -C option
    invalid offset. exit code: 256

    $ sudo -V
    Sudo version 1.8.6p3
    Sudoers policy plugin version 1.8.6p3
    Sudoers file grammar version 42
    Sudoers I/O plugin version 1.8.6p3

    $ uname -r
    4.9.75-25.55.amzn1.x86_64

    $ ldd --version
    ldd (GNU libc) 2.17
    Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.

    opened by secrzd 0
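
The reports above show the size search crashing sudoedit many times in a row (`exit code: 11`, and `exit code: 6` together with the glibc abort), which gives defenders a pattern to alert on. The following is an added example, not code from this repository: it scans auditd ANOM_ABEND records for bursts of sudo/sudoedit crashes per login uid. It assumes the exit codes are raw wait statuses (SIGSEGV and SIGABRT) and that auditd is recording abnormal terminations; the log lines are constructed, and the function names, threshold and window are hypothetical choices.

```python
import re
from collections import defaultdict, deque

# Constructed auditd records for illustration (not taken from the page).
# ANOM_ABEND is written when a process is killed by a fatal signal.
SAMPLE_AUDIT_LOG = """\
type=ANOM_ABEND msg=audit(1626780000.250:880): auid=1001 uid=1001 gid=1001 ses=2 pid=2890 comm="sudoedit" exe="/usr/bin/sudo" sig=11
type=ANOM_ABEND msg=audit(1626780100.000:885): auid=1002 uid=1002 gid=1002 ses=3 pid=2950 comm="firefox" exe="/usr/lib64/firefox/firefox" sig=11
type=USER_CMD msg=audit(1626780950.000:899): pid=3090 uid=1000 auid=1000 ses=4 msg='cwd="/tmp" cmd="ls" terminal=pts/0 res=success'
type=ANOM_ABEND msg=audit(1626780960.101:901): auid=1000 uid=1000 gid=1000 ses=4 pid=3101 comm="sudoedit" exe="/usr/bin/sudo" sig=11
type=ANOM_ABEND msg=audit(1626780961.400:902): auid=1000 uid=1000 gid=1000 ses=4 pid=3104 comm="sudoedit" exe="/usr/bin/sudo" sig=6
type=ANOM_ABEND msg=audit(1626780962.020:903): auid=1000 uid=1000 gid=1000 ses=4 pid=3107 comm="sudoedit" exe="/usr/bin/sudo" sig=11
type=ANOM_ABEND msg=audit(1626780963.250:904): auid=1000 uid=1000 gid=1000 ses=4 pid=3110 comm="sudoedit" exe="/usr/bin/sudo" sig=11
type=ANOM_ABEND msg=audit(1626780964.900:905): auid=1000 uid=1000 gid=1000 ses=4 pid=3113 comm="sudoedit" exe="/usr/bin/sudo" sig=11
"""

ABEND_RE = re.compile(
    r'^type=ANOM_ABEND msg=audit\((\d+\.\d+):\d+\):'
    r'.*?\bauid=(\d+)\b.*?\bcomm="([^"]*)".*?\bsig=(\d+)'
)
WATCHED_COMMS = {"sudo", "sudoedit"}   # process names worth alerting on
CRASH_SIGNALS = {6, 11}                # SIGABRT (glibc abort), SIGSEGV


def parse_abends(log_text):
    """Yield (timestamp, auid, signal) for each sudo/sudoedit crash record."""
    for line in log_text.splitlines():
        m = ABEND_RE.match(line)
        if not m:
            continue
        ts, auid, comm, sig = float(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))
        if comm in WATCHED_COMMS and sig in CRASH_SIGNALS:
            yield ts, auid, sig


def find_crash_bursts(log_text, threshold=3, window=60.0):
    """Return one alert per login uid with >= threshold crashes inside `window` seconds."""
    recent = defaultdict(deque)   # auid -> crashes still inside the sliding window
    alerts = {}
    for ts, auid, sig in sorted(parse_abends(log_text)):
        q = recent[auid]
        q.append((ts, sig))
        while ts - q[0][0] > window:      # drop crashes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(
                auid, {"auid": auid, "first": q[0][0], "crashes": 0, "signals": set()})
            alert["last"] = ts
            alert["crashes"] = max(alert["crashes"], len(q))
            alert["signals"].update(s for _, s in q)
    return sorted(alerts.values(), key=lambda a: a["first"])


if __name__ == "__main__":
    for alert in find_crash_bursts(SAMPLE_AUDIT_LOG):
        print("sudoedit crash burst: auid=%(auid)d crashes=%(crashes)d signals=%(signals)s" % alert)
```

A single sudoedit crash (auid 1001) and crashes in unrelated programs (auid 1002) stay below the threshold, so only the burst from auid 1000 is reported.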
Owner
Worawit Wang