Posts by: Marco Ivaldi (aka raptor)

CVE-2018-14665 exploit: local privilege escalation on Solaris 11

• On 25 Nov, 2018
• By Marco Ivaldi (aka raptor)

I was investigating another 0day, when I noticed that Solaris 11 is also affected by the recent Xorg local privilege escalation vulnerability (CVE-2018-14665). For a number of reasons, finding a…

CVE-2018-14665 exploit: local privilege escalation on OpenBSD 6.3 and 6.4

• On 27 Oct, 2018
• By Marco Ivaldi (aka raptor)

This is my take on the recent Xorg vulnerability (CVE-2018-14665): "A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg.…

How a UNIX hacker discovered the Windows PowerShell

• On 13 Nov, 2017
• By Marco Ivaldi (aka raptor)

*** EDIT (2018-03-12): This script served me very well during these last months and I've finally decided to publish it. It is now included in my Tactical Exploitation Toolkit. As a…

A patch for PowerSploit’s Invoke-Shellcode.ps1

• On 9 Nov, 2017
• By Marco Ivaldi (aka raptor)

In my recent and somewhat surprising exploration of Windows PowerShell (stay tuned for a longer post on this subject) I have produced a patch for the Invoke-Shellcode cmdlet distributed with the…

In praise of tactical exploitation

• On 27 Oct, 2017
• By Marco Ivaldi (aka raptor)

Having honed my skills during the X.25 and Phreaking era, I've always been a vocal proponent of a tactical approach to penetration testing that does not focus on exploiting known software…

Tracing arbitrary Methods and Function calls on Android and iOS

• On 8 Sep, 2017
• By Marco Ivaldi (aka raptor)

I have published two new Frida instrumentation scripts to facilitate reverse engineering of mobile apps. They can be found on GitHub. Let's take raptor_frida_ios_trace.js for a ride against our favorite target…

CVE-2010-3856 Exploit

• On 4 Feb, 2011
• By Marco Ivaldi (aka raptor)

ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared…

CVE-2009-2669 Exploit

• On 29 Jan, 2010
• By Marco Ivaldi (aka raptor)

A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which allows local users to gain privileges by…

CVE-2003-0190 PoC

• On 1 Jan, 2008
• By Marco Ivaldi (aka raptor)

Proof of Concept for CVE-2003-0190: timing attack on OpenSSH-portable <= 3.6.1p1 with PAM. http://lab.mediaservice.net/code/ssh_brute.c MD5: 4fbc9a1fb23e828b1fe42ff7cc65d1c1 SHA-1: b57f20c0a86c20cda82e8dc169923452fc50225c http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff MD5: de3bc1148b93ddb427f6fc721d08a1c0 SHA-1: 9cf2b8a9bcb5e526c071f18e4bd3be5c5b716e35

CVE-2006-5229

• On 10 Oct, 2006
• By Marco Ivaldi (aka raptor)

OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses…

• 1
• 2
• »