Showing 1 - 25 of 44

Files from Marco Ivaldi

Email address: raptor at 0xdeadbeef.info
First Active: 2000-02-23
Last Active: 2018-03-30

glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation
Posted Mar 30, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker using the libmemusage.so library.

tags | exploit, root
systems | linux
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 82d002207d92e79c81d147d0cbc73594
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Posted Feb 10, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object, which is then loaded with LD_AUDIT, resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

tags | exploit, arbitrary, root, code execution
systems | linux, debian, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 2bf9e1106acf9e1f0a7b618fe7f2da3f
IBM AIX 5.6/6.1 File Overwrite
Posted Sep 11, 2009
Authored by Marco Ivaldi

IBM AIX versions 5.6 and 6.1 _LIB_INIT_DBG arbitrary file overwrite via libc debug.

tags | exploit, arbitrary
systems | aix
MD5 | 5bcd0d88111ef5c026fe3db1b99f1796
solaris-memleak.txt
Posted Mar 13, 2008
Authored by Marco Ivaldi

Exploit that demonstrates how an integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative value to the I_PEEK ioctl.

tags | exploit, local, memory leak
systems | solaris
advisories | CVE-2007-5225
MD5 | 8d609ea4015453829d85d3f773acd6a3
04042007-raptor_truecrypt.tgz
Posted Apr 5, 2007
Authored by Marco Ivaldi

Local privilege escalation exploit for TrueCrypt versions 4.3 and below.

tags | exploit, local
advisories | CVE-2007-1738
MD5 | cd1e1044ff594f332e39690fe831cb33
lotus.sh.txt
Posted Feb 14, 2007
Authored by Marco Ivaldi

Lotus Domino versions R6 and below Webmail remote password hash dumper exploit.

tags | exploit, remote
MD5 | 2d50a561beba95bd4cb07456f3325e8d
openssh-timing.txt
Posted Feb 14, 2007
Authored by Marco Ivaldi

Portable OpenSSH versions 3.6.1p-PAM / 4.1-SUSE and below timing attack exploit.

tags | exploit
systems | linux, suse
MD5 | 293040e79450f8a12b90cd78eb7f3bc6
02062007-raptor_winudf.tgz
Posted Feb 8, 2007
Authored by Marco Ivaldi

This is a MySQL backdoor kit for Windows based on the UDFs (User Defined Functions) mechanism. It can be used to spawn a reverse shell (netcat UDF on port 80/tcp) or to execute single OS commands (exec UDF). Tested on MySQL 4.0.18-win32 (running on Windows XP SP2), MySQL 4.1.22-win32 (running on Windows XP SP2), MySQL 5.0.27-win32 (running on Windows XP SP2).

tags | exploit, shell, tcp
systems | windows, 32, xp
MD5 | 7c61df06ad51543872d66efc84c7858c
raptor_orafile.sql.txt
Posted Dec 22, 2006
Authored by Marco Ivaldi

Oracle 9i and 10g file system access via utl_file exploit.

tags | exploit
MD5 | 56e606239e1ef343d372aa608fb5f43e
raptor_oraextproc.sql.txt
Posted Dec 22, 2006
Authored by Marco Ivaldi

This PL/SQL code exploits the Oracle extproc directory traversal bug to remotely execute arbitrary OS commands with the privileges of the DBMS user. All versions of Oracle 9i are susceptible. Oracle 10g versions prior to 10.1.0.3 are susceptible.

tags | exploit, arbitrary
advisories | CVE-2004-1364
MD5 | fbd3fbf823f6068de990e2bfdae52223
raptor_libnspr
Posted Oct 20, 2006
Authored by Marco Ivaldi | Site 0xdeadbeef.info

raptor_libnspr - Solaris 10 libnspr oldschool local root exploit. Exploits the design error vulnerability in NSPR.

tags | exploit, local, root
systems | solaris
advisories | CVE-2006-4842
MD5 | 9de41a358bf1c1b092c82f43d9033503
sshtime.txt
Posted Oct 13, 2006
Authored by Marco Ivaldi | Site 0xdeadbeef.info

sshtime v0.1 is a simple OpenSSH timing attack tool based on expect meant to remotely analyze timing differences in sshd "Permission denied" replies. Depending on OpenSSH version and configuration, it may lead to disclosure of valid usernames.

systems | unix
MD5 | b51722d1efa1aaaf9438ec4899fc55ca
raptor_xkb.c
Posted Sep 14, 2006
Authored by Marco Ivaldi

X11R6 versions 6.4 and below XKEYBOARD local buffer overflow exploit for Solaris on Sparc.

tags | exploit, overflow, local
systems | solaris
MD5 | e6ebb1bba91c4d89a82f920ecd3acec6
sysinforaptor.txt
Posted Aug 27, 2006
Authored by Marco Ivaldi

Solaris 10 sysinfo(2) local kernel memory disclosure exploit.

tags | exploit, kernel, local
systems | solaris
MD5 | 3f2a80eef57cc64cba6d66b054507363
psraptor.txt
Posted Aug 27, 2006
Authored by Marco Ivaldi

Solaris 8/9 /usr/ucb/ps local information leak exploit.

tags | exploit, local
systems | solaris
MD5 | de664dbbe6cbb73ad55c79eb8cbde8eb
stdinreopen.txt
Posted Jul 26, 2006
Authored by Marco Ivaldi

Local shellcode for stdin re-open and /bin/sh exec. It closes the stdin descriptor and re-opens /dev/tty, then does an execve() of /bin/sh. Useful to exploit some gets() buffer overflows in an elegant way.

tags | overflow, local, shellcode
MD5 | 8daecb38244b0718f9acb1eb01ea18f3
16-reuse.txt
Posted Jul 26, 2006
Authored by Marco Ivaldi

16 byte linux/x86 re-use of /bin/sh string in .rodata shellcode.

tags | x86, shellcode
systems | linux
MD5 | e76a96888522ad50a73af95b324f138c
30-setuidexec.txt
Posted Jul 26, 2006
Authored by Marco Ivaldi

30 byte linux/x86 setuid(0) and /bin/sh execve() shellcode.

tags | x86, shellcode
systems | linux
MD5 | a28408279594abbceee55a56bb402a44
96-setuidportbind.txt
Posted Jul 26, 2006
Authored by Marco Ivaldi

96 byte linux/x86 shellcode that binds a setuid(0) shell on tcp/31337.

tags | shell, x86, tcp, shellcode
systems | linux
MD5 | d0c4d50f411be4073b0db1be7494c579
Linux 2.6.17.4 logrotate prctl() Local Root
Posted Jul 18, 2006
Authored by Marco Ivaldi

Linux kernel versions 2.6.13 through 2.6.17.4 logrotate prctl() local root exploit.

tags | exploit, kernel, local, root
systems | linux
advisories | CVE-2006-2451
MD5 | 2617471896a58436836002bb0321695d
Linux 2.6.x suid_dumpable Local Root
Posted Jul 13, 2006
Authored by Marco Ivaldi

The suid_dumpable support in Linux kernel 2.6.13 up to versions before 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial of service (disk consumption) and POSSIBLY gain privileges via the PR_SET_DUMPABLE argument of the prctl function and a program that causes a core dump file to be created in a directory for which the user does not have permissions.

tags | exploit, denial of service, kernel, local
systems | linux
advisories | CVE-2006-2451
MD5 | c684f55c19b4e26224e783f2d74c9e43
mysql-4x50.c
Posted Feb 26, 2006
Authored by Marco Ivaldi

Local privilege escalation exploit for MySQL 4.x and 5.0 that makes use of UDFs.

tags | exploit, local
MD5 | 80e3856c846d6dcafeb92c1d3ef8eecf
raptor_udf.c
Posted Dec 31, 2004
Authored by Marco Ivaldi | Site 0xdeadbeef.info

Local root exploit that makes use of the dynamic library for do_system() in MySQL UDF. Tested on MySQL 4.0.17.

tags | exploit, local, root
MD5 | 3793c024d44ae4873abb9da8a046b264
raptor_rlogin.c
Posted Dec 31, 2004
Authored by Marco Ivaldi | Site 0xdeadbeef.info

Remote root exploit for rlogin on Solaris/SPARC 2.5.1/2.6/7/8. This remote root exploit uses the (old) System V based /bin/login vulnerability via the rlogin attack vector, returning into the .bss section to effectively bypass the non-executable stack protection (noexec_user_stack=1 in /etc/system).

tags | exploit, remote, root
systems | solaris
advisories | CVE-2001-0797
MD5 | e6308246578fe5d9eb5dcd19eee0b260
raptor_passwd.c
Posted Dec 31, 2004
Authored by Marco Ivaldi | Site 0xdeadbeef.info

Local root exploit for a vulnerability in the passwd circ() function under Solaris/SPARC 8/9. This exploit uses the ret-into-ld.so technique to effectively bypass the non-executable stack protection (noexec_user_stack=1 in /etc/system).

tags | exploit, local, root
systems | solaris
advisories | CVE-2004-0360
MD5 | 9d4de237075ceb5ffa390f845ff73748
Page 1 of 2
© 2018 Packet Storm. All rights reserved.