
Posts by: Marco Ivaldi (aka raptor)


A patch for PowerSploit’s Invoke-Shellcode.ps1
In my recent and somewhat surprising exploration of Windows PowerShell (stay tuned for a longer post on this subject) I have produced a patch for the Invoke-Shellcode cmdlet distributed with the…
In praise of tactical exploitation
Having honed my skills during the X.25 and Phreaking era, I've always been a vocal proponent of a tactical approach to penetration testing that does not focus on exploiting known software…
Tracing arbitrary Methods and Function calls on Android and iOS
I have published two new Frida instrumentation scripts to facilitate reverse engineering of mobile apps. They can be found on GitHub. Let's take raptor_frida_ios_trace.js for a ride against our favorite target…
CVE-2010-3856 Exploit
ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared…
CVE-2009-2669 Exploit
A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which allows local users to gain privileges by…
CVE-2003-0190 PoC
Proof of Concept for CVE-2003-0190: timing attack on OpenSSH-portable <= 3.6.1p1 with PAM.
http://lab.mediaservice.net/code/ssh_brute.c
MD5: 4fbc9a1fb23e828b1fe42ff7cc65d1c1
SHA-1: b57f20c0a86c20cda82e8dc169923452fc50225c
http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff
MD5: de3bc1148b93ddb427f6fc721d08a1c0
SHA-1: 9cf2b8a9bcb5e526c071f18e4bd3be5c5b716e35
CVE-2006-5229
OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses…
CVE-2006-1242
The ip_push_pending_frames function in Linux 2.4.x and 2.6.x before 2.6.16 increments the IP ID field when sending a RST after receiving unsolicited TCP SYN-ACK packets, which allows remote attackers to…