computers & stuff


Some (public) software exploit code I wrote over the years.

  • dirtypipez.c
    • Linux local privilege escalation exploit for the “Dirty Pipe” vulnerability (CVE-2022-0847). Cobbled-together exploit released shortly after the disclosure of “Dirty Pipe” by Max Kellermann.
  • blasty-vs-pkexec2.c
    • Linux local privilege escalation exploit for polkit’s pkexec (CVE-2021-4034). Another fine bug discovered by the people at Qualys (and by others much, much earlier).
  • blasty-vs-tipc.c
    • Linux local privilege escalation exploit for CVE-2021-43267, a heap overflow in the TIPC subsystem.
  • sudo-hax-me-a-sandwich
    • Linux local privilege escalation exploit for sudo CVE-2021-3156. Originally found by Qualys and dubbed ‘Baron Samedit’.
  • blasty-vs-ebpf.c
    • Linux local privilege escalation exploit for CVE-2020-27194. Bypasses the eBPF bytecode verifier in order to gain an arbitrary read/write primitive in kernel land.
  • blasty-vs-zte-upnpd.py
    • LAN RCE for ZTE DSL modems. These things are aplenty in my country, and ISPs/vendors don’t care enough to actually patch up these holes.
  • blasty-vs-dir850l.py
    • I entered SSD’s hack2win competition with this RCE exploit. Bypasses authentication and (ab)uses a very limited command injection vulnerability to stitch together a connectback ELF.
  • blasty-vs-exim.sh
    • Exim is the gift that keeps on giving; check out this ridiculously simple and reliable method for getting uid0 with CVE-2016-1531.
  • upc_keys.c
    • WPA2 passphrase recovery tool for Broadcom-based UPC cable modems. A fun journey in eCos reverse engineering.
  • blasty-vs-netusb.py
    • A remote Linux (MIPS) kernel exploit for NETGEAR WiFi routers.
  • blasty-vs-samba.py
    • Someone once leaked me some info on a juicy Samba vuln (CVE-2012-1182), and I wrote a shitty exploit. Has since been ported to a Metasploit module by some people.
  • blasty-vs-nagios.py
    • An exploit for a buffer overflow in Nagios3’s history.cgi.
  • blasty-vs-zyxel.py
    • WAN exploit for a buffer overflow vulnerability in ZyXEL DSL modems.
  • blasty-vs-php.php
    • Breaking out of the PHP sandbox (bypassing disable_functions etc.) using (one of many) vulnerabilities disclosed to php.net a long time ago, which remained unfixed for a long while.