Localroot Collection ✨

Linux

2001 //

• CVE N/A | Sudo prompt overflow in v1.5.7 to 1.6.5p2

2002 //

• CVE-2003-0961 | Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation

2003 //

• CVE-2003-0127 | Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation
• CVE-2003-0961 | Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (2)

2004 //

• CVE-2004-0077 | Linux Kernel 2.2.25/2.4.24/2.6.2 - 'mremap()' Local Privilege Escalation
• CVE-2004-1235 | Linux Kernel 2.4.29-rc2 - 'uselib()' Local Privilege Escalation (1)
• CVE N/A | Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation

2005 //

• CVE-2005-0736 | Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation
• CVE-2005-1263 | Linux Kernel 2.2.x/2.3.x/2.4.x/2.5.x/2.6.x - ELF Core Dump Local Buffer Overflow

2006 //

• CVE-2006-2451 | Linux Kernel 2.6.13 < 2.6.17.4 - 'logrotate prctl()' Local Privilege Escalation
• CVE-2006-3626 | Linux Kernel 2.6.17.4 - 'proc' Local Privilege Escalation

2007 //

• CVE N/A | Compress v4.2.4 local test exploit
• CVE N/A | Local GNU Awk 3.1.0-x proof of concept exploit
• EDB-ID-4756 | Linux Kernel < 2.6.11.5 Bluetooth Stack Localroot Exploit

2008 //

• CVE-2008-0600 | Linux Kernel 2.6.23 < 2.6.24 - 'vmsplice' Local Privilege Escalation (1)
• CVE-2008-0900 | Linux Kernel 2.6.17 < 2.6.24.1 - 'vmsplice' Local Privilege Escalation (2)
• CVE-2008-4210 | Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Local Privilege Escalation

2009 //

• CVE-2009-1185 | Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1)
• CVE-2009-1337 | Linux Kernel < 2.6.29 - 'exit_notify()' Local Privilege Escalation
• CVE-2009-2692 | Linux Kernel 2.x (RedHat) - 'sock_sendpage()' Ring0 Privilege Escalation (1)
• CVE-2009-2698 | Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
• CVE-2009-3547 | Linux 2.6.x fs/pipe.c Local Privilege Escalation

2010 //

• CVE-2010-1146 | ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9.10) - 'xattr' Local Privilege Escalation
• CVE-2010-2959 | Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Local Privilege Escalation
• CVE-2010-3081 | Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation
• CVE-2010-3301 | Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
• CVE-2010-3437 | Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosure
• CVE-2010-3904 | Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation
• CVE-2010-4073 | Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation
• CVE-2010-4258 | Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation
• CVE-2010-4347 | Linux Kernel < 2.6.37-rc2 ACPI custom_method Privilege Escalation

2011 //

• CVE-2011-1021 | Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation
• CVE-2011-2777 | Acpid 1:2.0.10-1ubuntu2 (Ubuntu 11.04/11.10) - Boundary Crossing Privilege Escalation
• CVE-2011-1485 | pkexec - Race Condition Privilege Escalation
• EDB-ID-18071 | Calibre E-Book Reader - Local Privilege Escalation
• EDB-ID-17391 | Linux Kernel 2.6.28/3.0 (DEC Alpha Linux) - Local Privilege Escalation
• EDB-ID-15944 | Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escalation (2)

2012 //

• CVE-2012-0056 | Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation
• CVE-2012-3524 | libdbus - 'DBUS_SYSTEM_BUS_ADDRESS' Local Privilege Escalation
• CVE-2012-0809 | sudo 1.8.0 < 1.8.3p1 - Format String

2013 //

• CVE-2013-0268 | Linux Kernel 3.7.6 (RedHat x86/x64) - 'MSR' Driver Privilege Escalation
• CVE-2013-1763 | Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Privilege Escalation (3)
• CVE-2013-1858 | Linux Kernel 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation
• CVE-2013-2094 | Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Local Privilege Escalation (2)

2014 //

• CVE-2014-0038 | Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)
• CVE-2014-0196 | Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation
• CVE-2014-3153 | Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Escalation
• CVE-2014-4014 | Linux Kernel 3.13 - SGID Privilege Escalation
• CVE-2014-4699 | Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation
• CVE-2014-5284 | OSSEC 2.8 - 'hosts.deny' Local Privilege Escalation

2015 //

• CVE-2015-1328 | Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
• CVE-2015-7547 | glibc - 'getaddrinfo' Stack Buffer Overflow (PoC)

2016 //

• CVE-2016-0728 | Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1)
• CVE-2016-2384 | Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / Fedora 22) - Double-free usb-midi SMEP Privilege Escalation
• CVE-2016-5195 | Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
• CVE-2016-8655 | Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit)
• CVE-2016-9793 | Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' / 'SO_RCVBUFFORCE' Local Privilege Escalation

2017 //

• CVE-2017-5123 | Linux Kernel 4.14.0-rc4+ - 'waitid()' Local Privilege Escalation
• CVE-2017-6074 | Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation
• CVE-2017-7308 | Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation
• CVE-2017-7494 | Samba 3.5.0 - Remote Code Execution
• CVE-2017-7533 | Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation
• CVE-2017-16939 | Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation
• CVE-2017-16995 | Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation
• CVE-2017-1000112 | Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)
• CVE-2017-1000367 | Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation

2018 //

• CVE-2018-1000001 | glibc < 2.26 - 'getcwd()' Local Privilege Escalation

2019 //

• CVE-2019-7304 | snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)
• CVE-2019-13272 | Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation

2021 //

• CVE-2021-22555 | Linux Kernel Netfilter Heap Out-Of-Bounds Write
• CVE-2021-3560 | Polkit-exploit
• CVE-2021-4034 | Pkexec Local Privilege Escalation

2022 //

• CVE-2022-0847 | DirtyPipe-Exploits
• CVE-2022-2639 | Linux kernel openvswitch local privilege escalation
• CVE-2022-37706 | LPE enligtment Privilege escalation

Default

This exploit uses the pokemon exploit of the dirtycow vulnerability as a base and automatically generates a new passwd line. The user will be prompted for the new password when the binary is run. The original /etc/passwd file is then backed up to /tmp/paww.bak and overwrites the root account with the generated line. After running the exploit you should be able to login with the newly created user.

IBM AIX

• CVE-2013-4011 - IBM AIX 6.1 / 7.1 Localroot Privilege Escalation

FreeBSD

2005 //

• EDB-ID-1311 | FreeBSD 4.x / < 5.4 - 'master.passwd' Disclosure

2008 //

• CVE-2008-3531 | FreeBSD 7.0/7.1 - 'vfs.usermount' Local Privilege Escalation
• CVE-2008-5736 | FreeBSD 6.4 - Netgraph Privilege Escalation

2009 //

• CVE-2009-3527 | FreeBSD 6.4 - 'pipeclose()'/'knlist_cleardel()' Race Condition
• CVE-2009-4146 | FreeBSD 8.0 Run-Time Link-Editor (RTLD) - Local Privilege Escalation
• EDB-ID-9860 | FreeBSD 7.2 - VFS/devfs Race Condition

2010 //

• CVE-2010-2020 | FreeBSD 8.0/7.3/7.2 - 'nfs_mount()' Local Privilege Escalation
• CVE-2010-2693 | FreeBSD - 'mbufs()' sendfile Cache Poisoning Privilege Escalation
• CVE-2010-4210 | FreeBSD - 'pseudofs' Null Pointer Dereference Privilege Escalation

2011 //

• CVE-2011-4062 | FreeBSD - UIPC socket heap Overflow (PoC)
• CVE-2011-4122 | OpenPAM - 'pam_start()' Local Privilege Escalation
• CVE-2011-4862 | TelnetD encrypt_keyid - Function Pointer Overwrite

2012 //

• CVE-2012-0217 | FreeBSD 8.3 - 9.0 amd64 Privilege Escalation
• EDB-ID-28718 | FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation

2013 //

• CVE-2013-2171 | FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation