https://github.com/0xdea/exploits

A handy collection of my public exploits, all in one place.
https://github.com/0xdea/exploits

aix buffer-overflow exploits linux mysql openbsd oracle solaris zyxel

Last synced: 3 months ago
JSON representation

A handy collection of my public exploits, all in one place.

• Host: GitHub
• URL: https://github.com/0xdea/exploits
• Owner: 0xdea
• License: mit
• Created: 2017-07-12T14:40:55.000Z (almost 7 years ago)
• Default Branch: master
• Last Pushed: 2024-01-04T15:41:23.000Z (6 months ago)
• Last Synced: 2024-01-22T03:44:24.762Z (5 months ago)
• Topics: aix, buffer-overflow, exploits, linux, mysql, openbsd, oracle, solaris, zyxel
• Language: C
• Homepage: https://0xdeadbeef.info
• Size: 436 KB
• Stars: 569
• Watchers: 49
• Forks: 116
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Lists

• awesome-security-collection - **281**星
• awesome-stars - exploits
• awesome-cyber-security - **276**星

README

        
# exploits

[![](https://img.shields.io/github/stars/0xdea/exploits.svg?style=flat&color=yellow)](https://github.com/0xdea/exploits)

[![](https://img.shields.io/github/forks/0xdea/exploits.svg?style=flat&color=green)](https://github.com/0xdea/exploits)

[![](https://img.shields.io/github/watchers/0xdea/exploits.svg?style=flat&color=red)](https://github.com/0xdea/exploits)

[![](https://img.shields.io/badge/twitter-%400xdea-blue.svg)](https://twitter.com/0xdea)

[![](https://img.shields.io/badge/mastodon-%40raptor-purple.svg)](https://infosec.exchange/@raptor)

> "You can't argue with a root shell." 

>

> -- Felix "FX" Lindner

## Linux

* [**raptor_chown.c**](https://github.com/0xdea/exploits/blob/master/linux/raptor_chown.c). Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.

* [**raptor_prctl.c**](https://github.com/0xdea/exploits/blob/master/linux/raptor_prctl.c). Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.

* [**raptor_prctl2.c**](https://github.com/0xdea/exploits/blob/master/linux/raptor_prctl2.c). Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).

* [**raptor_truecrypt**](https://github.com/0xdea/exploits/tree/master/linux/raptor_truecrypt). TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.

* [**raptor_ldaudit**](https://github.com/0xdea/exploits/blob/master/linux/raptor_ldaudit). Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).

* [**raptor_ldaudit2**](https://github.com/0xdea/exploits/blob/master/linux/raptor_ldaudit2). Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).

* [**raptor_exim_wiz**](https://github.com/0xdea/exploits/blob/master/linux/raptor_exim_wiz). Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).

## Solaris

* [**raptor_ucbps**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_ucbps). Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.

* [**raptor_rlogin.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_rlogin.c). Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.

* [**raptor_ldpreload.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_ldpreload.c). Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Buffer overflow in the runtime linker ld.so.1.

* [**raptor_libdthelp.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_libdthelp.c). Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo.

* [**raptor_libdthelp2.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_libdthelp2.c). Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack.

* [**raptor_passwd.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_passwd.c). Solaris 8, 9 (CVE-2004-0360). Buffer overflow in the circ() function of passwd(1).

* [**raptor_sysinfo.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_sysinfo.c). Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.

* [**raptor_xkb.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_xkb.c). Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.

* [**raptor_libnspr**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_libnspr). Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.

* [**raptor_libnspr2**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_libnspr2). Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.

* [**raptor_libnspr3**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_libnspr3). Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.

* [**raptor_peek.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_peek.c). Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).

* [**raptor_solgasm**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm). Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.

* [**raptor_dtprintname_sparc.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_sparc.c). Solaris 7-9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).

* [**raptor_dtprintname_sparc2.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_sparc2.c). Solaris 7-9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).

* [**raptor_dtprintname_sparc3.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_sparc3.c). Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).

* [**raptor_dtprintname_intel.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_intel.c). Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).

* [**raptor_xscreensaver**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver). Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.

* [**raptor_session_ipa.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtsession_ipa.c). Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession (Intel, NX).

* [**raptor_sdtcm_conv.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_sdtcm_conv.c). Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert (Intel, NX).

* [**raptor_dtprintcheckdir_intel.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintcheckdir_intel.c). Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).

* [**raptor_dtprintcheckdir_intel2.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintcheckdir_intel2.c). Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).

* [**raptor_dtprintcheckdir_sparc.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintcheckdir_sparc.c). Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC, NX).

* [**raptor_dtprintcheckdir_sparc2.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintcheckdir_sparc2.c). Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).

* [**raptor_dtprintlibXmas.c**](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c). Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).

## AIX

* [**raptor_libC**](https://github.com/0xdea/exploits/blob/master/aix/raptor_libC). AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.

## OpenBSD

* [**raptor_xorgasm**](https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm). OpenBSD 6.3, 6.4 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and cron.

* [**raptor_opensmtpd.pl**](https://github.com/0xdea/exploits/blob/master/openbsd/raptor_opensmtpd.pl). OpenBSD 6.4, 6.5, 6.6 (CVE-2020-7247). LPE and RCE in OpenBSD's OpenSMTPD.

## Zyxel

* [**raptor_zysh_fhtagn.exp**](https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp). Zyxel zysh (CVE-2022-26531). Remote code execution via multiple format string bugs.

## Oracle

* [**raptor_oraextproc.sql**](https://github.com/0xdea/exploits/blob/master/oracle/raptor_oraextproc.sql). Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.

* [**raptor_oraexec.sql**](https://github.com/0xdea/exploits/blob/master/oracle/raptor_oraexec.sql). Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.

* [**raptor_orafile.sql**](https://github.com/0xdea/exploits/blob/master/oracle/raptor_orafile.sql). File system access suite for Oracle based on the utl_file package, to read/write files.

## MySQL

* [**raptor_udf.c**](https://github.com/0xdea/exploits/blob/master/mysql/raptor_udf.c). Helper dynamic library for local privilege escalation through MySQL run with root privileges.

* [**raptor_udf2.c**](https://github.com/0xdea/exploits/blob/master/mysql/raptor_udf2.c). Slight modification of raptor_udf.c, it works with recent versions of the open source database.

* [**raptor_winudf**](https://github.com/0xdea/exploits/tree/master/mysql/raptor_winudf). MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").

## Miscellaneous

* [**raptor_sshtime**](https://github.com/0xdea/exploits/blob/master/misc/raptor_sshtime). OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.

* [**raptor_dominohash**](https://github.com/0xdea/exploits/blob/master/misc/raptor_dominohash). Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.

* [**raptor_xorgy**](https://github.com/0xdea/exploits/blob/master/misc/raptor_xorgy). Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.