HAXX.IN

Exploits

Some (public) software exploit code I wrote over the years.

  • gnu-acme.py

    • Linux local privilege escalation exploit for the “Looney Tunables” (CVE-2023-4911) vulnerability in GNU libc’s ld.so. Based on the exploitation approach as outlined in the Qualys writeup. Works on x86(_64) and aarch64 and can be extended with new target offsets.
  • sonos

    • While investigating the Sonos One (2nd generation) smart speaker for a potential entry into the Pwn2Own 2022 Toronto competition I got slightly (ahem) sidetracked in a small adventure relating to the bootchain of the AMLogic A113 family of chips. In the github repo linked above you will find an exploit for an EL3 vulnerability that allows dumping the eFUSE/OTP data as well as the BootROM. Furthermore some tooling is provided to decrypt Sonos NAND flash images and OTA updates offline. Probably useful if you want to attempt some Sonos vulnerability research.
  • lexmark

    • I made an entry for Pwn2Own Toronto 2022, that magically failed during the actual competition. ZDI offered to buy the bug(s) anyway for a laughable monetary amount and I promptly forgot about their offer. In the github repo linked above you will find all exploit & tool code as well as a writeup for the logic bug chain I used.
  • dirtypipez.c

    • Linux local privilege escalation exploit for the “Dirty Pipe” vulnerability (CVE-2022-0847). Cobbled together exploit released shortly after the disclosure of “Dirty Pipe” by Max Kellermann.
  • blasty-vs-pkexec2.c

    • Linux local privilege escalation exploit for polkit’s pkexec (CVE-2021-4034). Another fine bug discovered by the people at Qualys (and others much much earlier).
  • blasty-vs-tipc.c

    • Linux local privilege escalation exploit for CVE-2021-43267. Heap overflow in the TIPC subsystem.
  • sudo-hax-me-a-sandwich

    • Linux local privilege escalation exploit for sudo CVE-2021-3156. Originally found by Qualys, and dubbed ‘Baron Samedit’.
  • blasty-vs-ebpf.c

    • Linux local privilege escalation exploit for CVE-2020-27194. Bypasses the eBPF bytecode verifier in order to gain an arbitrary read/write primitive in kernel land.
  • blasty-vs-zte-upnpd.py

    • LAN RCE for ZTE DSL modems. These things are aplenty in my country and ISPs/vendors don’t care enough to actually patch up these holes.
  • blasty-vs-dir850l.py

    • I entered SSD’s hack2win competition with this RCE exploit. Bypasses authentication and (ab)uses a very limited command injection vulnerability to stitch together a connectback ELF.
  • blasty-vs-exim.sh

    • Exim is the gift that keeps on giving, check out this ridiculously simple and reliable method for getting uid0 with CVE-2016-1531.
  • upc_keys.c

    • WPA2 passphrase recovery tool for Broadcom-based UPC cable modems. A fun journey in eCos reverse engineering.
  • blasty-vs-netusb.py

    • A remote Linux (MIPS) kernel exploit for NETGEAR WiFi routers.
  • blasty-vs-samba.py

    • Someone once leaked me some info on a juicy samba vuln (CVE-2012-1182), I wrote a shitty exploit. Has since been ported to a Metasploit module by some people.
  • blasty-vs-nagios.py

    • An exploit for a buffer overflow in Nagios3’s history.cgi.
  • blasty-vs-zyxel.py

    • WAN exploit for a buffer overflow vulnerability in ZyXEL DSL modems.
  • blasty-vs-php.php

    • Breaking out of the PHP sandbox (bypassing disable_functions etc.) using (one of many) vulnerabilities disclosed to php.net a long time ago, which remained unfixed for a long while.