exploit the possibilities
Showing 1 - 25 of 51 RSS Feed

Files from Marco Ivaldi

Email addressraptor at 0xdeadbeef.info
First Active2000-02-23
Last Active2019-08-23
Exim 4.91 Local Privilege Escalation
Posted Aug 23, 2019
Authored by Marco Ivaldi, Dennis Herrmann, Guillaume Andre, Qualys | Site metasploit.com

This Metasploit module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges.

tags | exploit, root
advisories | CVE-2019-10149
MD5 | 7e40628c1d0b1ff1461825cb7e5d4b58
Exim 4.91 Local Privilege Escalation
Posted Jun 17, 2019
Authored by Marco Ivaldi

Exim versions 4.87 through 4.91 suffer from a local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2019-10149
MD5 | 1d5aa0f1d059b2ed175b1fa8c14d897f
Common Desktop Environment 2.3.0 dtprintinfo Privilege Escalation
Posted May 17, 2019
Authored by Marco Ivaldi

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long printer name passed to dtprintinfo by a malicious lpstat program.

tags | exploit, overflow, local, root
systems | solaris
advisories | CVE-2019-2832
MD5 | ea6e7c2d1a9b43266fe95e8a9d5cbc8a
xorg-x11-server Local Privilege Escalation
Posted Jan 14, 2019
Authored by Marco Ivaldi

xorg-x11-server versions prior to 1.20.3 Solaris 11 inittab local privilege escalation exploit.

tags | exploit, local
systems | solaris
advisories | CVE-2018-14665
MD5 | c844abebb3b3d8d2300403bc8e829523
xorg-x11-server modulepath Local Privilege Escalation
Posted Dec 1, 2018
Authored by Marco Ivaldi

xorg-x11-server versions prior to 1.20.3 modulepath local privilege escalation exploit.

tags | exploit, local
advisories | CVE-2018-14665
MD5 | 80445e564990e8da300a87c47e6f140d
xorg-x11-server 1.20.3 Privilege Escalation
Posted Oct 31, 2018
Authored by Marco Ivaldi

xorg-x11-server version 1.20.3 privilege escalation exploit.

tags | exploit
advisories | CVE-2018-14665
MD5 | e106256ec1e7e4b84876da3a1c8e1272
Solaris libnspr NSPR_LOG_FILE Privilege Escalation
Posted Sep 18, 2018
Authored by Marco Ivaldi, Brendan Coles | Site metasploit.com

This Metasploit module exploits an arbitrary file write vulnerability in the Netscape Portable Runtime library (libnspr) on unpatched Solaris systems prior to Solaris 10u3 which allows users to gain root privileges. libnspr versions prior to 4.6.3 allow users to specify a log file with the `NSPR_LOG_FILE` environment variable. The log file is created with the privileges of the running process, resulting in privilege escalation when used in combination with a SUID executable. This Metasploit module writes a shared object to the trusted library directory `/usr/lib/secure` and runs the specified SUID binary with the shared object loaded using the `LD_LIBRARY_PATH` environment variable. This Metasploit module has been tested successfully with libnspr version 4.5.1 on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).

tags | exploit, arbitrary, x86, root
systems | solaris
advisories | CVE-2006-4842
MD5 | 0f80a93992c7fdfbc617a2b680a3059e
glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation
Posted Mar 30, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.

tags | exploit, root
systems | linux
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 82d002207d92e79c81d147d0cbc73594
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Posted Feb 10, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

tags | exploit, arbitrary, root, code execution
systems | linux, debian, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 2bf9e1106acf9e1f0a7b618fe7f2da3f
IBM AIX 5.6/6.1 File Overwrite
Posted Sep 11, 2009
Authored by Marco Ivaldi

IBM AIX versions 5.6 and 6.1 _LIB_INIT_DBG arbitrary file overwrite via libc debug.

tags | exploit, arbitrary
systems | aix
MD5 | 5bcd0d88111ef5c026fe3db1b99f1796
solaris-memleak.txt
Posted Mar 13, 2008
Authored by Marco Ivaldi

Exploit that demonstrates how an integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative value to the I_PEEK ioctl.

tags | exploit, local, memory leak
systems | solaris
advisories | CVE-2007-5225
MD5 | 8d609ea4015453829d85d3f773acd6a3
04042007-raptor_truecrypt.tgz
Posted Apr 5, 2007
Authored by Marco Ivaldi

Local privilege escalation exploit for TrueCrypt versions 4.3 and below.

tags | exploit, local
advisories | CVE-2007-1738
MD5 | cd1e1044ff594f332e39690fe831cb33
lotus.sh.txt
Posted Feb 14, 2007
Authored by Marco Ivaldi

Lotus Domino versions R6 and below Webmail remote password hash dumper exploit.

tags | exploit, remote
MD5 | 2d50a561beba95bd4cb07456f3325e8d
openssh-timing.txt
Posted Feb 14, 2007
Authored by Marco Ivaldi

Portable OpenSSH versions 3.6.1p-PAM / 4.1-SUSE and below timing attack exploit.

tags | exploit
systems | linux, suse
MD5 | 293040e79450f8a12b90cd78eb7f3bc6
02062007-raptor_winudf.tgz
Posted Feb 8, 2007
Authored by Marco Ivaldi

This is a MySQL backdoor kit for Windows based on the UDFs (User Defined Functions) mechanism. It can be used to spawn a reverse shell (netcat UDF on port 80/tcp) or to execute single OS commands (exec UDF). Tested on MySQL 4.0.18-win32 (running on Windows XP SP2), MySQL 4.1.22-win32 (running on Windows XP SP2), MySQL 5.0.27-win32 (running on Windows XP SP2).

tags | exploit, shell, tcp
systems | windows, 32, xp
MD5 | 7c61df06ad51543872d66efc84c7858c
raptor_orafile.sql.txt
Posted Dec 22, 2006
Authored by Marco Ivaldi

Oracle 9i and 10g file system access via utl_file exploit.

tags | exploit
MD5 | 56e606239e1ef343d372aa608fb5f43e
raptor_oraextproc.sql.txt
Posted Dec 22, 2006
Authored by Marco Ivaldi

This PL/SQL code exploits the Oracle extproc directory traversal bug to remotely execute arbitrary OS commands with the privileges of the DBMS user. All versions of Oracle 9i are susceptible. Oracle 10g versions prior to 10.1.0.3 are susceptible.

tags | exploit, arbitrary
advisories | CVE-2004-1364
MD5 | fbd3fbf823f6068de990e2bfdae52223
raptor_libnspr
Posted Oct 20, 2006
Authored by Marco Ivaldi | Site 0xdeadbeef.info

raptor_libnspr - Solaris 10 libnspr oldschool local root exploit. Exploits the design error vulnerability in NSPR.

tags | exploit, local, root
systems | solaris
advisories | CVE-2006-4842
MD5 | 9de41a358bf1c1b092c82f43d9033503
sshtime.txt
Posted Oct 13, 2006
Authored by Marco Ivaldi | Site 0xdeadbeef.info

sshtime v0.1 is a simple OpenSSH timing attack tool based on expect meant to remotely analyze timing differences in sshd "Permission denied" replies. Depending on OpenSSH version and configuration, it may lead to disclosure of valid usernames.

systems | unix
MD5 | b51722d1efa1aaaf9438ec4899fc55ca
raptor_xkb.c
Posted Sep 14, 2006
Authored by Marco Ivaldi

X11R6 versions 6.4 and below XKEYBOARD local buffer overflow exploit for Solaris on Sparc.

tags | exploit, overflow, local
systems | solaris
MD5 | e6ebb1bba91c4d89a82f920ecd3acec6
sysinforaptor.txt
Posted Aug 27, 2006
Authored by Marco Ivaldi

Solaris 10 sysinfo(2) local kernel memory disclosure exploit.

tags | exploit, kernel, local
systems | solaris
MD5 | 3f2a80eef57cc64cba6d66b054507363
psraptor.txt
Posted Aug 27, 2006
Authored by Marco Ivaldi

Solaris 8/9 /usr/ucb/ps local information leak exploit.

tags | exploit, local
systems | solaris
MD5 | de664dbbe6cbb73ad55c79eb8cbde8eb
stdinreopen.txt
Posted Jul 26, 2006
Authored by Marco Ivaldi

Local shellcode for stdin re-open and /bin/sh exec. It closes stdin descriptor and re-opens /dev/tty, then does an execve() of /bin/sh. Useful to exploit some gets() buffer overflows in an elegant way.

tags | overflow, local, shellcode
MD5 | 8daecb38244b0718f9acb1eb01ea18f3
16-reuse.txt
Posted Jul 26, 2006
Authored by Marco Ivaldi

16 byte linux/x86 re-use of /bin/sh string in .rodata shellcode.

tags | x86, shellcode
systems | linux
MD5 | e76a96888522ad50a73af95b324f138c
30-setuidexec.txt
Posted Jul 26, 2006
Authored by Marco Ivaldi

30 byte linux/x86 setuid(0) and /bin/sh execve() shellcode.

tags | x86, shellcode
systems | linux
MD5 | a28408279594abbceee55a56bb402a44
Page 1 of 3
Back123Next

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close