Posts by: Marco Ivaldi (aka raptor)
CVE-2019-10149 exploit: local privilege escalation on Debian GNU/Linux via Exim
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution. (CVE-2019-10149) I have…
Raptor at INFILTRATE 2019
2019 marks 20 years of my professional career in information security. What better way to celebrate this milestone than to give a talk at INFILTRATE? For those who are not…
CVE-2019-2832 – Local privilege escalation via CDE dtprintinfo
A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to…
CVE-2018-14665 exploit: local privilege escalation on Solaris 11
I was investigating another 0day, when I noticed that Solaris 11 is also affected by the recent Xorg local privilege escalation vulnerability (CVE-2018-14665). For a number of reasons, finding a…
CVE-2018-14665 exploit: local privilege escalation on OpenBSD 6.3 and 6.4
This is my take on the recent Xorg vulnerability (CVE-2018-14665): "A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg.…
How a UNIX hacker discovered the Windows PowerShell
*** EDIT (2018-03-12): This script served me very well during these last months and I've finally decided to publish it. It is now included in my Tactical Exploitation Toolkit. As a…
A patch for PowerSploit’s Invoke-Shellcode.ps1
In my recent and somewhat surprising exploration of Windows PowerShell (stay tuned for a longer post on this subject) I have produced a patch for the Invoke-Shellcode cmdlet distributed with the…
In praise of tactical exploitation
Having honed my skills during the X.25 and Phreaking era, I've always been a vocal proponent of a tactical approach to penetration testing that does not focus on exploiting known software…