/exploits

A handy collection of my public exploits, all in one place.

Primary LanguageCMIT LicenseMIT

exploits

"You can't argue with a root shell."

-- Felix "FX" Lindner

Linux

  • raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
  • raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
  • raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
  • raptor_truecrypt. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
  • raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
  • raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
  • raptor_exim_wiz. Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).

Solaris

  • raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
  • raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
  • raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Buffer overflow in the runtime linker ld.so.1.
  • raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo.
  • raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack.
  • raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Buffer overflow in the circ() function of passwd(1).
  • raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
  • raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
  • raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
  • raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
  • raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
  • raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
  • raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
  • raptor_dtprintname_sparc.c. Solaris 7-9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
  • raptor_dtprintname_sparc2.c. Solaris 7-9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
  • raptor_dtprintname_sparc3.c. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
  • raptor_dtprintname_intel.c. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).
  • raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
  • raptor_session_ipa.c. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession (Intel, NX).
  • raptor_sdtcm_conv.c. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert (Intel, NX).
  • raptor_dtprintcheckdir_intel.c. Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).
  • raptor_dtprintcheckdir_intel2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).
  • raptor_dtprintcheckdir_sparc.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC, NX).
  • raptor_dtprintcheckdir_sparc2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).
  • raptor_dtprintlibXmas.c. Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).

AIX

  • raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.

OpenBSD

  • raptor_xorgasm. OpenBSD 6.3, 6.4 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and cron.
  • raptor_opensmtpd.pl. OpenBSD 6.4, 6.5, 6.6 (CVE-2020-7247). LPE and RCE in OpenBSD's OpenSMTPD.

Zyxel

Oracle

  • raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
  • raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
  • raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.

MySQL

  • raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
  • raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
  • raptor_winudf. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").

Miscellaneous

  • raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
  • raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
  • raptor_xorgy. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.