Multiple ZTE handsets Emode.APK local android.uid.system privilege escalation exploit https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/zte-emode.txt
AIX 5.3L libc locale environment handling local root exploit, 0day brought to you via the letters “su” ;) https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/aix53l-libc.c
AIX 5.3L local root 0day. Happy hax0ring. https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/aix53l-lquerypv.c
How Ryuk Ransomware operators made $34 million from one victim https://www.bleepingcomputer.com/news/security/how-ryuk-ransomware-operators-made-34-million-from-one-victim/
Exploiting Solaris 10-11.0 SunSSH via libpam on x86 - a blog post from Hacker House https://hacker.house/lab/cve-2020-18471/
German prosecutors tried to prove that a ransomware attack on a hospital was to blame for someone losing their life. Their story is a warning https://www.wired.co.uk/article/ransomware-hospital-death-germany
I added another target, Solaris 11 11/11 11.0 Sun_SSH_2.0 x86, to my PoC and discovered the execve() call has been replaced with a new execvex() that breaks all other shellcodes on 11.0 & up. It's relatively easy to fix, as execvex() takes a flags argument now which can be set to NULL and it will work as before. This breaks all known public x86 shellcodes for Solaris 11 though, so I will have to write a bind shell, put a basic execve() to demonstrate in the PoC.
I learnt a very fascinating thing, on Solaris if you call mprotect() it doesn’t care about the size argument, it’ll error but still map the available pages with the access requested. So you can do mprotect(0x08043000,0x41424344,0x7); and the stack will be rwx even tho the function errors. This is glorious.
SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 - now supports 3 targets for Solaris 10 through 11 on x86. I added bind shells but any other shellcode can be swapped into the buffer's place if you prefer a connect back. In the future I will add some SPARC targets, pty handler and a find socket payload. I may even add a few targets for Illumos based distributions. This issue can't be triggered on Solaris 11.1 & up nor does Solaris 9 ship vulnerable.
SunSSH RCE PoC for x86, tested on Solaris 10. Technique works on x86 only, uses ROP to defeat nxstack and a shellcode stub to use msf payloads. Happy Hacking! https://github.com/hackerhouse-opensource/exploits/blob/master/hfsunsshdx.tgz
Recording the police is a crucial (and sometimes the only) way of ensuring police accountability. You also have a constitutional right to do it. https://www.eff.org/deeplinks/2020/06/you-have-first-amendment-right-record-police
"If you have stalkerware on your phone, it can be really difficult to know whether or not it's there. And one of the reasons for that is because antivirus companies often don't recognize stalkerware as malicious." https://www.eff.org/deeplinks/2020/05/watch-eff-cybersecurity-director-eva-galperins-ted-talk-about-stalkerware
Hackers.town radio Deepest Darkest Halloween for the next 24 hours.
Team https://hacker.house cyber security assurance services and professional training ~ UNIX Hacker's Fraternity president https://hackerfraternity.org ~ Author of ISBN 9781119561453, a book on professional computer hacking.