Hacker Fantastic @hackerfantastic@social.hackerfraternity.org

Multiple ZTE handsets Emode.APK local android.uid.system privilege escalation exploit https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/zte-emode.txt

AIX 5.3L libc locale environment handling local root exploit, 0day bought to you via the letters “su” ;) https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/aix53l-libc.c

AIX 5.3L local root 0day. Happy hax0ring. https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/aix53l-lquerypv.c

Exploiting Solaris 10 -11.0 SunSSH via libpam on x86 - a blog post from Hacker House https://hacker.house/lab/cve-2020-18471/

I added another target, Solaris 11 11/11 11.0 Sun_SSH_2.0 x86, to my PoC and discovered the execve() call has been replaced with a new execvex() that breaks all other shellcodes on 11.0 & up. It's relatively easy to fix as execvex() takes a flags argument now which can be set to NULL and it will work as before, this breaks all known public x86 shellcodes for Solaris 11 though so I will have to write a bind shell, put a basic execve() to demonstrate in the PoC.

I learnt a very fascinating thing, on Solaris if you call mprotect() it doesn’t care about the size argument, it’ll error but still map the available pages with the access requested. So you can do mprotect(0x08043000,0x41424344,0x7); and the stack will be rwx even tho the function errors. This is glorious.

Love when I need to jailbreak a phone, this custom boot splash from checkra1n always brings a smile to my face. This was by far the most devastating blow to Apples walled garden in the history of iDevices. I hope more iBoot & SEP bugs get found but stay private.

SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 - now supports 3 targets for Solaris 10 through 11 on x86. I added bind shells but any other shellcode can be swapped into the buffers place if you prefer a connect back. In the future I will add some SPARC targets, pty handler and a find socket payload. I may even add a few targets for Illumos based distributions. This issue can't be triggered on Solaris 11.1 & up nor does Solaris 9 ship vulnerable.

https://github.com/hackerhouse-opensource/exploits/blob/master/hfsunsshdx.tgz

SunSSH RCE PoC for x86, tested on Solaris 10. Technique works on x86 only, uses ROP to defeat nxstack and a shellcode stub to use msf payloads. Happy Hacking! https://github.com/hackerhouse-opensource/exploits/blob/master/hfsunsshdx.tgz