A number of exploits and tools I've written for CVEs accredited to Marshall Whittaker/oxagast
OTHER License
Most of these CVEs are accreddited to oxagast as well
This exploit, lifts a Webmin cookie with a directory transversal and aritrary read exploit, then reuses the cookie to use an authenticated user exploit to get root remotely.
This exploit uploads a perl program via buggy perl open reads (|). After pushing the program it chmods and spawns a shell. Should work regaurdless if the server is firewalled or not.
Uses known telnet user and root pass to log in as root.
This is example code that crashes udisks2 via malformed filesystem label that when mounted then logged a string format vulnerability exists allowing arbitrary read/write of memory as root.
This code demonstrates crafted ioctl calls to the i915 garphics driver that allow overwrite of CR2 register in kernel space triggering a NULL pointer dereference.
This exploit recovers wallet.dat's that were loaded at the time of a crash from bitcoin-qt .core crash dump files by grepping for a magic string at the beginning of the wallet, calculating the offset, then reconstructing the wallet.dat(s) with xxd.
Incorrect santization of input leads to a remote code execution vulnerabilty within dbman.exe of the HP iMC PLAT 7.3 suite. Code execs with SYSTEM privileges.
A race condition exists in polkit where if you send dbus messages, then kill the process midway through, incorrect permissions are set on users that were never intended to be able to be created, with system priviledges. This leads to local root compromise.
If you can get an unsuspecting user to connect to an attacking machine, by maquorading it as a speaker (or whatever), you can inject HID codes and take control over the device, to the extent where you can blindly pop a shell if termux is installed, al-la rubber-ducky style. Working PoC and video included.
OpenSSHd 9.2 and below do not properly check permissions and ownership on files used as banners. If the banner is set to a user writeable file, this allows an attacker to remove the file, create a symbolic link to any root-only readable file on the system (like /etc/shadow for example), and it will be dumped on next connection to the sshd daemon. Successful login to sshd is not required for this to work.
This is a fuzzer, written in C++, designed to find bugs in C/C++ programs.
This is a tool for building wordlists out of things known about a user.
This tool creates a list of all suid 0 executables from apt archives.
A tool that builds metasploit resource scripts from nmap scans.