what you don't know can hurt you
Showing 1 - 25 of 61 RSS Feed

Files from Marco Ivaldi

Email addressraptor at 0xdeadbeef.info
First Active2000-02-23
Last Active2021-02-02
Solaris 10 1/13 dtprintinfo Local Privilege Escalation
Posted Feb 2, 2021
Authored by Marco Ivaldi

This archive contains five proof of concept exploits that leverage a dtprintinfo vulnerability in Solaris 10 1/13. It contains three exploits for SPARC and two for Intel.

tags | exploit, proof of concept
systems | solaris
MD5 | 5d45b904e4f7ccb20cdd07d038f881b2
Oracle Solaris 11.x / 10 whodo / w Buffer Overflow
Posted Apr 17, 2020
Authored by Marco Ivaldi

A difficult to exploit heap-based buffer overflow in setuid root whodo and w binaries distributed with Solaris allows local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges.

tags | exploit, overflow, arbitrary, local, root
systems | solaris
advisories | CVE-2020-2771
MD5 | 126e62d56e5dfaefeb640c1b3525eab4
Common Desktop Environment 2.3.1 / 1.6 libDtSvc Buffer Overflow
Posted Apr 17, 2020
Authored by Marco Ivaldi

A difficult to exploit stack-based buffer overflow in the _DtCreateDtDirs() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may allow local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges via a long X11 display name. The vulnerable function is located in the libDtSvc library and can be reached by executing the setuid program dtsession. Versions 2.3.1 and below as well as 1.6 and earlier are affected.

tags | exploit, overflow, arbitrary, local
systems | solaris
advisories | CVE-2020-2851
MD5 | c7348e1fb04cdcfdbe4ecfb089b5825b
Common Desktop Environment 1.6 Local Privilege Escalation
Posted Apr 17, 2020
Authored by Marco Ivaldi

A buffer overflow in the _SanityCheck() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier allows local users to gain root privileges via a long calendar name or calendar owner passed to sdtcm_convert in a malicious calendar file. The open source version of CDE (based on the CDE 2.x codebase) is not affected, because it does not ship the vulnerable program. Versions 1.6 and below are affected.

tags | exploit, overflow, local, root
systems | solaris
advisories | CVE-2020-2944
MD5 | a52155188d9d9476faa2c94dc62f2069
OpenSMTPD 6.6.1 Local Privilege Escalation
Posted Feb 11, 2020
Authored by Marco Ivaldi

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell meta-characters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

tags | exploit, remote, arbitrary, shell, root
systems | openbsd
advisories | CVE-2020-7247
MD5 | a5d9222315a88dc369bf246ac8d4d034
Common Desktop Environment 2.3.1 Buffer Overflow
Posted Jan 17, 2020
Authored by Marco Ivaldi

A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file. Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Most notably, the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the open source version it is heap-based.

tags | exploit, overflow, local, root
systems | solaris
advisories | CVE-2020-2696
MD5 | f61714fa339de224c3899e225d64a420
Solaris xlock Information Disclosure
Posted Jan 17, 2020
Authored by Marco Ivaldi

A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely.

tags | exploit, local, root, info disclosure
systems | solaris
advisories | CVE-2020-2656
MD5 | d43954458731660f576f082539a29af3
SunOS 5.10 Generic_147148-26 Local Privilege Escalation
Posted Jan 15, 2020
Authored by Marco Ivaldi

SunOS version 5.10 Generic_147148-26 local privilege escalation exploit. A buffer overflow in the CheckMonitor() function in the Common Desktop Environment versions 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file.

tags | exploit, overflow, local, root
systems | solaris
advisories | CVE-2020-2696
MD5 | 55c1e1683127ba3a3c82c35279e5e6db
Solaris xscreensaver Privilege Escalation
Posted Oct 23, 2019
Authored by Marco Ivaldi, Brendan Coles | Site metasploit.com

This Metasploit module exploits a vulnerability in xscreensaver versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. xscreensaver allows users to create a user-owned file at any location on the filesystem using the -log command line argument introduced in version 5.06. This module uses xscreensaver to create a log file in /usr/lib/secure/, overwrites the log file with a shared object, and executes the shared object using the LD_PRELOAD environment variable. This module has been tested successfully on xscreensaver version 5.15 on Solaris 11.1 (x86) and xscreensaver version 5.15 on Solaris 11.3 (x86).

tags | exploit, x86, root
systems | solaris
advisories | CVE-2019-3010
MD5 | 6839e7bec0a8edd74031049d0e2ff4f0
Solaris 11.4 xscreensaver Privilege Escalation
Posted Oct 16, 2019
Authored by Marco Ivaldi

Solaris version 11.4 xscreensaver local privilege escalation exploit.

tags | exploit, local
systems | solaris
MD5 | 70e56cdc262b3313173bbedcba447cba
Exim 4.91 Local Privilege Escalation
Posted Aug 23, 2019
Authored by Marco Ivaldi, Dennis Herrmann, Guillaume Andre, Qualys | Site metasploit.com

This Metasploit module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges.

tags | exploit, root
advisories | CVE-2019-10149
MD5 | 7e40628c1d0b1ff1461825cb7e5d4b58
Exim 4.91 Local Privilege Escalation
Posted Jun 17, 2019
Authored by Marco Ivaldi

Exim versions 4.87 through 4.91 suffer from a local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2019-10149
MD5 | 1d5aa0f1d059b2ed175b1fa8c14d897f
Common Desktop Environment 2.3.0 dtprintinfo Privilege Escalation
Posted May 17, 2019
Authored by Marco Ivaldi

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long printer name passed to dtprintinfo by a malicious lpstat program.

tags | exploit, overflow, local, root
systems | solaris
advisories | CVE-2019-2832
MD5 | ea6e7c2d1a9b43266fe95e8a9d5cbc8a
xorg-x11-server Local Privilege Escalation
Posted Jan 14, 2019
Authored by Marco Ivaldi

xorg-x11-server versions prior to 1.20.3 Solaris 11 inittab local privilege escalation exploit.

tags | exploit, local
systems | solaris
advisories | CVE-2018-14665
MD5 | c844abebb3b3d8d2300403bc8e829523
xorg-x11-server modulepath Local Privilege Escalation
Posted Dec 1, 2018
Authored by Marco Ivaldi

xorg-x11-server versions prior to 1.20.3 modulepath local privilege escalation exploit.

tags | exploit, local
advisories | CVE-2018-14665
MD5 | 80445e564990e8da300a87c47e6f140d
xorg-x11-server 1.20.3 Privilege Escalation
Posted Oct 31, 2018
Authored by Marco Ivaldi

xorg-x11-server version 1.20.3 privilege escalation exploit.

tags | exploit
advisories | CVE-2018-14665
MD5 | e106256ec1e7e4b84876da3a1c8e1272
Solaris libnspr NSPR_LOG_FILE Privilege Escalation
Posted Sep 18, 2018
Authored by Marco Ivaldi, Brendan Coles | Site metasploit.com

This Metasploit module exploits an arbitrary file write vulnerability in the Netscape Portable Runtime library (libnspr) on unpatched Solaris systems prior to Solaris 10u3 which allows users to gain root privileges. libnspr versions prior to 4.6.3 allow users to specify a log file with the `NSPR_LOG_FILE` environment variable. The log file is created with the privileges of the running process, resulting in privilege escalation when used in combination with a SUID executable. This Metasploit module writes a shared object to the trusted library directory `/usr/lib/secure` and runs the specified SUID binary with the shared object loaded using the `LD_LIBRARY_PATH` environment variable. This Metasploit module has been tested successfully with libnspr version 4.5.1 on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).

tags | exploit, arbitrary, x86, root
systems | solaris
advisories | CVE-2006-4842
MD5 | 0f80a93992c7fdfbc617a2b680a3059e
glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation
Posted Mar 30, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.

tags | exploit, root
systems | linux
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 82d002207d92e79c81d147d0cbc73594
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Posted Feb 10, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

tags | exploit, arbitrary, root, code execution
systems | linux, debian, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 2bf9e1106acf9e1f0a7b618fe7f2da3f
IBM AIX 5.6/6.1 File Overwrite
Posted Sep 11, 2009
Authored by Marco Ivaldi

IBM AIX versions 5.6 and 6.1 _LIB_INIT_DBG arbitrary file overwrite via libc debug.

tags | exploit, arbitrary
systems | aix
MD5 | 5bcd0d88111ef5c026fe3db1b99f1796
solaris-memleak.txt
Posted Mar 13, 2008
Authored by Marco Ivaldi

Exploit that demonstrates how an integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative value to the I_PEEK ioctl.

tags | exploit, local, memory leak
systems | solaris
advisories | CVE-2007-5225
MD5 | 8d609ea4015453829d85d3f773acd6a3
04042007-raptor_truecrypt.tgz
Posted Apr 5, 2007
Authored by Marco Ivaldi

Local privilege escalation exploit for TrueCrypt versions 4.3 and below.

tags | exploit, local
advisories | CVE-2007-1738
MD5 | cd1e1044ff594f332e39690fe831cb33
lotus.sh.txt
Posted Feb 14, 2007
Authored by Marco Ivaldi

Lotus Domino versions R6 and below Webmail remote password hash dumper exploit.

tags | exploit, remote
MD5 | 2d50a561beba95bd4cb07456f3325e8d
openssh-timing.txt
Posted Feb 14, 2007
Authored by Marco Ivaldi

Portable OpenSSH versions 3.6.1p-PAM / 4.1-SUSE and below timing attack exploit.

tags | exploit
systems | linux, suse
MD5 | 293040e79450f8a12b90cd78eb7f3bc6
02062007-raptor_winudf.tgz
Posted Feb 8, 2007
Authored by Marco Ivaldi

This is a MySQL backdoor kit for Windows based on the UDFs (User Defined Functions) mechanism. It can be used to spawn a reverse shell (netcat UDF on port 80/tcp) or to execute single OS commands (exec UDF). Tested on MySQL 4.0.18-win32 (running on Windows XP SP2), MySQL 4.1.22-win32 (running on Windows XP SP2), MySQL 5.0.27-win32 (running on Windows XP SP2).

tags | exploit, shell, tcp
systems | windows, 32, xp
MD5 | 7c61df06ad51543872d66efc84c7858c
Page 1 of 3
Back123Next

File Archive:

February 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    33 Files
  • 2
    Feb 2nd
    30 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    8 Files
  • 5
    Feb 5th
    11 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    1 Files
  • 8
    Feb 8th
    37 Files
  • 9
    Feb 9th
    15 Files
  • 10
    Feb 10th
    11 Files
  • 11
    Feb 11th
    26 Files
  • 12
    Feb 12th
    8 Files
  • 13
    Feb 13th
    1 Files
  • 14
    Feb 14th
    1 Files
  • 15
    Feb 15th
    9 Files
  • 16
    Feb 16th
    33 Files
  • 17
    Feb 17th
    6 Files
  • 18
    Feb 18th
    10 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    1 Files
  • 21
    Feb 21st
    1 Files
  • 22
    Feb 22nd
    17 Files
  • 23
    Feb 23rd
    15 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    28 Files
  • 26
    Feb 26th
    25 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close