Awesome Open Source
Awesome Open Source

Local Exploits

Various local exploits


root66 OpenBSD 6.6 OpenSMTPD 6.6 local root exploit.

Code mostly taken from Qualys PoCs (2020-01-28) for CVE-2020-7247.

OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted MAIL FROM address.


openbsd-dynamic-loader-chpass OpenBSD local root exploit.

Code mostly taken from Qualys PoCs (2019-12-11) for CVE-2019-19726.

OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.


openbsd-authroot OpenBSD local root exploit.

Code mostly taken from Qualys PoCs (2019-12-04) for CVE-2019-19520 / CVE-2019-19522.

xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen. OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.


GNU Mailutils 2.0 <= 3.7 maidag url local root.

Based on Mike Gualtieri's research and PoC (2019-11-11) for CVE-2019-18862.

maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.


Local root exploit for Serv-U FTP Server versions prior to 15.1.7

Bash variant of Guy Levin's Serv-U FTP Server exploit (2019-06-13) for CVE-2019-12181.

A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.


S-nail local root exploit.

Wrapper for @wapiflapi's s-nail-privget.c local root exploit (2017-01-27) for CVE-2017-5899.

Directory traversal vulnerability in the setuid root helper binary in S-nail (later S-mailx) before 14.8.16 allows local users to write to arbitrary files and consequently gain root privileges via a .. (dot dot) in the randstr argument.


VMWare Workstation / Player local root exploit.

Based on Jann Horn's PoC (2017-05-21) for CVE-2017-4915.

VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.


ktsuss <= 1.4 setuid local root exploit.

Wrapper for John Lightsey's PoC (2011-08-13) for CVE-2011-2921.

Independently rediscovered CVE-2011-2921 while auditing SparkyLinux.

The ktsuss executable is setuid root and does not drop privileges prior to executing user specified commands, resulting in command execution with root privileges.

SparkyLinux 2019.08 and prior package a vulnerable version of ktsuss installed by default.


InterNetNews (inn) rnews file disclosure exploit.

Based on Paul "IhaQueR" Starzetz's advisory (2002-04-11) for for CVE-2002-0526.

Independently rediscovered CVE-2002-0526 on Debian 10 / Ubuntu 20.04 in 2020 (!)

INN (InterNetNews) could allow a local attacker to obtain sensitive information. The rnews binaries fail to drop privileges. A local attacker could exploit this vulnerability to gain unauthorized access to sensitive configuration files.


antiX / MX Linux default sudo configuration persist-config local root exploit.

antiX / MX Linux default sudo configuration permits users in the users group to execute /usr/local/bin/persist-config as root without providing a password, resulting in trivial privilege escalation.

Execution via sudo requires users group privileges. By default, the first user created on the system is a member of the users group.


Local root exploit for SUID executables compiled with AddressSanitizer (ASan).

Based on 0x27's exploit (2016-02-18) for Szabolcs Nagy's Address Sanitizer local root PoC (2016-02-17).

Use of ASan configuration related environment variables is not restricted when executing setuid executables built with ASan. The log_path option can be set using the ASAN_OPTIONS environment variable, allowing clobbering of arbitrary files, with the privileges of the setuid user.


Emmabuntüs default sudo configuration local root exploit.

Emmabuntüs default sudo configuration permits any user to execute /usr/bin/ as root without providing a password.

The script calls cp with user supplied arguments, resulting in trivial privilege escalation.


lastore-daemon local root exploit.

Based on King's Way's exploit (2016-02-10).

The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any user in the sudo group to install arbitrary packages without providing a password, resulting in code execution as root. By default, the first user created on the system is a member of the sudo group.


sudo-blkid-root local root exploit.

The default sudo configuration on some Linux distributions permits low-privileged users to execute blkid as root. This configuration is unsafe, as blkid allows users to specify the -c flag to write cache data to file, allowing clobbering of arbitrary files.


sudo-chkrootkit-root local root exploit.

Sometimes administrators allow users to execute chkrootkit via sudo, as chkrootkit requires root privileges.

This is unsafe, as chkrootkit offers a -p flag to specify a path to trusted system utilities (system utilities may have been compromised), allowing execution of arbitrary executables with root privileges.

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
shell (10,401
linux (2,512
exploit (223
root (34
local (23