0xdeadbeef dot info.

[0x01] Who's raptor?

My journey began in the '90s, when I co-founded Linux&C, the very first Italian magazine about Linux and open source. Along the way, I've contributed to the OSSTMM, published in magazines like Phrack, co-authored several books including Hacking Exposed Linux, and presented my research at international conferences such as Infiltrate. In recognition of my contributions I was recently named a Most Valuable Security Researcher by Microsoft and have competed as a Zero Day Quest hacker.

This is my personal homepage. Feedback is welcome at <raptor[at]0xdeadbeef.info> (PGP key).

[0x02] Publications

• 2000-2009
  • OSSTMM. Since 2001, I'm a core developer of the Open Source Security Testing Methodology Manual.
  • L'arte dell'hacking. I did the technical review of the translation of Hacking: the art of exploitation, by Jon Erickson.
  • Vulnerabilità su Linux. I wrote the foreword for this practical exploitation guide by Enrico Feresin.
  • Hacking Exposed Linux. I wrote the VoIP chapter for the third edition of the HEL book, curated by ISECOM.
• 2010-2019
  • Cyberworld. I co-authored this book sponsored by the Italian DoD's National Security Observatory.
  • CLUSIT Report 2016. I co-authored the e-commerce section of this edition of the annual CLUSIT ICT security report.
  • Hacker Highschool. I've contributed to this ISECOM project that promotes security awareness for teens.

• 2000-2009
  • L'anonimato su Internet. About anonymity and privacy on the Internet, appeared on Apogeonline in January 2000.
  • Qualcuno ci ascolta. About the ECHELON network (written in January 2000, not published elsewhere).
  • Introduzione al Quantum Computing. Introduction to QC, also released as an Apogeonline ebook in July 2002.
  • Sicurezza su reti X.25. Whitepaper written for ITBH and released to the public in September 2002.
• 2010-2019
  • La metrica di sicurezza di OSSTMM. About the attack surface security metrics defined by the OSSTMM (rav).
  • La Comunicazione. I wrote the article "ICT Security Certification with the OSSTMM", published by ISCOM.
  • I cinque miti della sicurezza SCADA. Article discussing SCADA security myths and popular beliefs.
  • Protezione degli utenti VIP. Article about tailoring information security services for Top Managers.
  • Penetration Testing Guidelines. I co-authored these security testing guidelines by ISACA's Venice Chapter.
  • Security Testing with CPDLC. I co-authored this paper on Controller-Pilot Data Link Communications security.
  • Tracing Android and iOS apps. Blog post explaining how to use my raptor_frida_*_trace.js scripts.
  • In praise of tactical exploitation. Blog post introducing my tactical exploitation toolkit.
  • How a Unix hacker discovered PowerShell. Blog post covering my unexpected PowerShell journey.
• 2020-now
  • Hello, world!. This is the first post on HN Security's blog, where I introduce my new project and team.
  • Exploiting a Format String Bug in Solaris CDE. It finally happened... I've been published in Phrack!
  • Letme.go. A minimalistic Go implementation of the staging protocols used by the Metasploit Framework.
  • Semgrep C/C++ rules. Introducing my Semgrep ruleset for C/C++ vulnerability research.
  • Multiple vulnerabilities in Zyxel zysh. Zyxel zysh CVE-2022-26531 and CVE-2022-26532 writeup.
  • Automating binary vulnerability discovery with Ghidra and Semgrep. Introducing my static analysis toolkit.
  • Nothing new under the Sun. Solaris dtprintinfo and libXm/libXpm vulnerabilities writeup.
  • Celebrating two years of HN Security. A summary of the first two years of the HN Security project.
  • OST2, Zephyr RTOS, and a bunch of CVEs. Zephyr RTOS multiple vulnerabilities writeup.
  • Big update to my Semgrep C/C++ ruleset. Introducing new tooling to hunt for bugs in large codebases.
  • Weggli patterns. Introducing my collection of weggli patterns for C/C++ vulnerability research.
  • Multiple vulnerabilities in RT-Thread RTOS. RT-Thread RTOS multiple vulnerabilities writeup.
  • Multiple vulnerabilities in RIOT OS. RIOT OS multiple vulnerabilities writeup.
  • Multiple vulnerabilities in Eclipse ThreadX. Eclipse ThreadX multiple vulnerabilities writeup.
  • Learning Rust for fun and backdoo-rs. It's 2024 and it's high time to learn Rust for offensive operations.
  • An offensive Rust encore. Bring your offensive Rust skills to the next level.
  • Streamlining vulnerability research with IDA Pro and Rust. Introducing my Rust vuln-dev toolkit.
  • Aiding reverse engineering with Rust and a local LLM. Introducing my oneiromancer tool.
  • Local privilege escalation on Zyxel USG FLEX H Series. Writeup for CVE-2025-1731.
  • My Zero Day Quest & BlueHat Podcast. My experience at the Zero Day Quest and at the BlueHat Podcast.

• 2020-now
  • Zyxel Hall of Fame 2022, 2025. Zyxel recognized me for CVE-2022-26531, CVE-2022-26532, and CVE-2025-1731.
  • MSRC 2023 Q4 Leaderboard. I've made Microsoft Researcher Recognition Program's 2023 Q4 leaderboard.
  • MSRC 2024 Q1 Leaderboard. I've made Microsoft Researcher Recognition Program's 2024 Q1 leaderboard.
  • MSRC 2024 MVR Leaderboard. I made 25th place in MSRC 2024 Most Valuable Security Researcher leaderboard.
  • Microsoft Zero Day Quest 2025. I've been invited to the inaugural Zero Day Quest event in Redmond, USA.

• 2000-2009
  • Exploit #25. The 25th exploit ever added to the Exploit DB targets a vulnerability I discovered in 2003 in OpenSSH/PAM.
  • rLogin Buffer Overflow. This whitepaper was written by Juan Manuel Corredor Garcia for his GIAC GCIH practical.
  • Buffer Overflow in passwd(1). This whitepaper was written by Shaun McAdams for his GIAC GCIH practical.
  • The Internal Threat. This whitepaper was written by Jonathan Klein for his GIAC GCIH practical.
  • Hacking Exposed Cisco Networks. My wardialer ward.c was featured in the Cisco Device Wardialing chapter.
  • MySQL worm. The MySQL Bot/SpoolCLL Windows worm used my UDF exploit to spread.
  • Exploiting UDFs in MySQL. This whitepaper was written by Matthew Zimmerman for his GIAC GCIH practical.
  • Whoppix-raptor. A flash demo showing raptor_chown.c in action done for whoppix.net by ports@portsonline.net.
  • Quelques astuces avec LD_PRELOAD. French hackin9 article by Stefan Klaas that analyzes a couple of my exploits.
  • March Networks DVR-CCTV 3204. A comprehensive insecurity overview of a DVR by Alex Hernandez.
  • Return Oriented Programming. My SPARC return-into-libc exploits were cited in the seminal paper on ROP from 2008.
  • Return Oriented Programming on RISC. Another academic paper on ROP that cites my SPARC exploits.
  • SQL Injection Attacks and Defense. My Oracle database exploits were featured in this book published by Syngress.
  • Advanced SQL injection to OS full control. Bernardo Damele's Black Hat presentation on SQL injection exploitation.
• 2010-2019
  • SSH Enumusers. A Metasploit module that implements the time-based attack against SSH I discovered back in 2003.
  • Web Security: A White Hat Perspective. My MySQL UDF2 exploit is mentioned among the database attack techniques.
  • Security Analysis of a Signal Protocol Implementation. This thesis uses my Frida scripts to analyze WhatsApp.
  • Libnspr NSPR_LOG_FILE. A Metasploit module that reimplements my raptor_libnspr3 privilege escalation exploit.
  • Glibc LD_AUDIT. A Metasploit module that reimplements my raptor_ldaudit privilege escalation exploit.
  • Xorg X11 Suid Server. A Metasploit module that reimplements my raptor_xorgasm privilege escalation exploit.
  • Beginners.re. I've been quoted on the cover of the Farsi translation of Beginners.re by Mohsen Mostafa Jokar.
  • DailyDave. Dave Aitel has posted a terrific announcement for my talk at INFILTRATE 2019. Thanks!
  • Hack the Puffy. OpenBSD advocacy through CTF, a presentation by Jason Testart.
  • Exim Wiz. A Metasploit module that reimplements my raptor_exim_wiz privilege escalation exploit.
  • Reverse Engineering Mobile Apps. My Frida scripts are referenced in this BSides Las Vegas presentation by Bishop Fox.
  • Xscreensaver Log. A Metasploit module that reimplements my raptor_xscreensaver privilege escalation exploit.
• 2020-now
  • OpenSMTPD RCE. A Metasploit module that reimplements my raptor_opensmtpd.pl remote code execution exploit.
  • Security Conversations. Have I aged out of the infosec industry? Join the debate at INFILTRATE 2020;)
  • Hands On Hacking. Matthew Hickey kindly mentioned me and my research in his new book.
  • Sequoia. The awesome Qualys Research Team mentioned me in their CVE-2021-33909 advisory.
  • Offensive Cyber Operations. My SPARC security research is mentioned in this whitepaper by JD Work.
  • Format Strings. This lesson by Joseph Hallett at the University of Bristol references my Phrack article.
  • OST2. My Zephyr research is mentioned in the Vulns1001 and Vulns1002 training courses (much recommended!).
  • BPFDoor. The BPFDoor malware used my Solaris xscreensaver vulnerability to get root privileges.
  • Trail of Bits Testing Handbook. My Semgrep ruleset is mentioned among the suggested rules in this awesome handbook.
  • EMBA. The firmware security analyzer is one of the many cool projects that use my vulnerability research tooling.
  • Finding (and exploiting) vulnerabilities on IP Cameras. The tool developed by the authors is based on my Ghidra scripts.
  • SSHamble. My work of 2 decades ago inspired the timing attack features of sshamble by HD Moore.
  • Parascope. This vulnerability scanner for binaries and source code and its ruleset utility reference my weggli patterns.
  • Golem (new). C/C++ vulnerability discovery automation with Semgrep + LLVM + LLM based on my semgrep ruleset.
  • Hex-Rays Blog (new). My vulnerability research tools based on idalib got a special mention in the official Hex-Rays blog.
  • Uncovering memory corruption in NVIDIA Triton (new). My semgrep ruleset helped find some cool vulnerabilities.
  • Phrack #72 (new). The legendary Orange Tsai thanked me in his 40th anniversary Phrack article!

[0x04] Talks

• 2000-2009
  • Intrusioni di rete. Slides compiled for an Information Security Master at Milan University (December 2001).
  • ITBH events. Archived materials for all the events organized by the ITBH association (2001-2003).
• 2010-2019
  • ARES 2016. Security Testing With Controller-Pilot Data Link Communications.
  • Speaker Introduction. Amazing speaker introduction video for my talk at INFILTRATE 2019.
  • A bug's life: story of a Solaris 0day. Full video of my talk at INFILTRATE 2019.
  • INFILTRATE 2019 party pack. Slide deck, advisory, bonus 0day exploits, and other goodies.
• 2020-now
  • The INFILTRATE effect: 6 bugs in 6 months. Full video of my talk at INFILTRATE 2020.
  • INFILTRATE 2020 party pack. Slide deck, advisories, and bonus 0day exploits.
  • Conosci il nemico. Video of my brief talk about attacker's motivations and techniques (slides: PPTX, PDF).
  • Know your enemy. English transcription of my talk about attacker's motivations and techniques (whitepaper).
  • My last Solaris talk (not your average keynote). Video of my keynote speech at RomHack 2021.
  • RomHack 2021 party pack. Slide deck, exploits, and other goodies.

• 2010-2019
  • Stealing Minutes. Newsweek International reporter Benjamin Sutherland interviewed me for this article on VoIP.
  • Materatown. I've been interviewed by the fine folks at Materatown.net on the topic of satire and anonymity.
  • How Secure is Secure Enough?. Control's Editor-in-Chief Walt Boyes interviewed me for this article on SCADA.
  • IBM: Yes, it's true. El Reg published an article on IBM's attempt to censor exploit information.
• 2020-now
  • INFILTRATE Interview. I chatted with Dave Aitel about hacking stuff, while actually hacking stuff in the background.
  • My hardest challenge. A short excerpt from my INFILTRATE interview with Dave Aitel.
  • Exploit Hall of Fame. Dragos Ruiu invited me to this Pwn2Own 2021 roundtable with some legendary hackers.
  • Seemposium Podcast. Hacking in the '90s: prepare for a trip down memory lane (in Italian)!
  • BlueHat Podcast. Evolutions in the last 30 years of hacking, with yours truly.

[0x08] Vulnerabilities

• CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.

• CVE-2003-0190. I discovered and published this OpenSSH/PAM delay information disclosure vulnerability.
• CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.

• CVE-2022-46285. I discovered and reported a vulnerability in handling XPM files in libXpm.

• CVE-2024-29195. I discovered and reported an integer wraparound in the Azure C SDK.
• azure-c-shared-utility. I discovered and reported several other vulnerabilities in the Azure C SDK.
• azure-iot-sdk-c. I discovered and reported several vulnerabilities in Azure IoT C SDKs and libraries.
• azure-osconfig. I discovered and reported a vulnerability in Azure OSConfig.
• azure-uamqp-c. I discovered and reported several vulnerabilities in the uAMQP C library.
• azure-uhttp-c. I discovered and reported a vulnerability in the uHTTP C library.
• c-util. I discovered and reported a vulnerability in the C util library.
• sonic-buildimage-msft. I discovered and reported several vulnerabilities in Microsoft's fork of SONiC.

• CVE-2019-2832. I (re)discovered and published this 0day local privilege escalation vulnerability in CDE.
• CVE-2019-3010. I discovered and reported this local privilege escalation vulnerability in Solaris xscreensaver.
• CVE-2020-2656. I discovered and reported this information disclosure via Solaris xlock.
• CVE-2020-2696. I discovered and reported this local privilege escalation via CDE dtsession.
• CVE-2020-2771. I discovered and reported this heap-based buffer overflow in Solaris whodo and w.
• CVE-2020-2851. I discovered and reported this stack-based buffer overflow in CDE libDtSvc.
• CVE-2020-2944. I discovered and reported this local privilege escalation via CDE sdtcm_convert.
• CVE-2023-24039. I discovered and reported a buffer overflow in libXm.
• CVE-2023-24040. I discovered and reported a CDE printer name injection and memory disclosure.

• CVE-2022-26531. I discovered and reported multiple memory corruption bugs in Zyxel zysh.
• CVE-2022-26532. I discovered and reported a command injection vulnerability in Zyxel zysh.
• CVE-2025-1731. I discovered and reported a local privilege escalation in Zyxel uOS.
• CVE-2025-1732. I discovered a local privilege escalation via the Zyxel Recovery Manager.

• CVE-2023-3725. I discovered and reported a buffer overflow in the Zephyr CANbus subsystem.
• CVE-2023-4257. I discovered and reported unchecked user input length in the Zephyr WiFi shell.
• CVE-2023-4259. I discovered and reported two buffer overflows in the Zephyr eS-WiFi driver.
• CVE-2023-4260. I discovered and reported an off-by-one buffer overflow in the Zephyr FS subsystem.
• CVE-2023-4261. I discovered and reported a buffer overflow in the Zephyr IPC subsystem.
• CVE-2023-4262. I discovered and reported multiple buffer overflows in the Zephyr Mgmt subsystem.
• CVE-2023-4263. I discovered and reported a buffer overflow in the Zephyr IEEE 802.15.4 driver.
• CVE-2023-4264. I discovered and reported multiple buffer overflows in the Zephyr Bluetooth subsystem.
• CVE-2023-4265. I discovered and reported two buffer overflows in Zephyr USB code.
• CVE-2023-5139. I discovered and reported a buffer overflow in the Zephyr STM32 Crypto driver.
• CVE-2023-5184. I discovered and reported two signed/unsigned conversion errors in the Zephyr IPM driver.
• CVE-2023-5753. I discovered and reported additional buffer overflows in the Zephyr Bluetooth subsystem.

• CVE-2024-24335. I discovered and reported a buffer overflow in RT-Thread dfs_v2/romfs.
• CVE-2024-24334. I discovered and reported some heap buffer overflows in RT-Thread dfs_v2/dfs_file.
• CVE-2024-25389. I discovered and reported the use of a weak random source in the RT-Thread rt_random driver.
• CVE-2024-25388. I discovered and reported a heap buffer overflow in the RT-Thread wlan driver.
• CVE-2024-25390. I discovered and reported some heap buffer overflows in the RT-Thread finsh component.
• CVE-2024-25391. I discovered and reported a stack buffer overflow in RT-Thread IPC.
• CVE-2024-25393. I discovered and reported a stack buffer overflow in RT-Thread AT server.
• CVE-2024-25395. I discovered and reported a static buffer overflow in the RT-Thread rt-link utility.
• CVE-2024-25392. I discovered and reported an out-of-bounds array access in the RT-Thread var_export utility.
• CVE-2024-25394. I discovered and reported multiple vulnerabilities in the RT-Thread ymodem utility.

• CVE-2024-2212. I discovered and reported some heap buffer overflows in Eclipse ThreadX.
• CVE-2024-2214. I discovered and reported a static buffer overflow in Eclipse ThreadX.
• CVE-2024-2452. I discovered and reported some heap buffer overflows in Eclipse ThreadX NetX Duo.

• CVE-2024-31225. I discovered and reported a buffer overflow in RIOT cord.
• CVE-2024-32017. I discovered and reported some buffer overflows in RIOT GCoAP.
• CVE-2024-32018. I discovered and reported an ineffective size check due to assert() in RIOT NimBLE.
• GHSA-x3j5-hfrr-5x6q. I discovered and reported an out-of-bounds memory access in RIOT ESP.
• GHSA-pw2r-pp35-xfmj. I discovered and reported an ineffective size check due to assert() in RIOT BLE.
• GHSA-c4p4-vv7v-3hx8. I discovered and reported an ineffective size check due to assert() in RIOT SUIT.
• GHSA-r87w-9vw9-f7cx. I discovered and reported an integer wraparound in RIOT mtd_emulated.
• GHSA-2hx7-c324-3rxv. I discovered and reported an off-by-one and an unterminated string in RIOT lwext4.
• GHSA-frp5-4gfp-84j3. I discovered and reported an out-of-bounds memory access in RIOT shell.
• GHSA-x27v-gqp4-7jq3. I discovered and reported some buffer overflows in RIOT emCute.

• smbfs/umount. I discovered and reported to Illumos a buffer overflow in smbfs/umount.
• dhclient. I discovered and reported a format string bug in ISC DHCP configuration file handling.
• coturn. I discovered and reported some security issues in the coturn TURN server.
• FreeRTOS. I discovered and reported some security issues and other bugs in FreeRTOS.
• lwIP/httpclient. I discovered and reported an integer wraparound and heap buffer overflow.
• lwIP/makefsdata. I discovered and reported an integer underflow and static buffer overflow.
• CVE-2023-49287. I discovered and reported some buffer overflow vulnerabilities in TinyDir.

[0x10] Exploits

• raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
• raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
• raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
• raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
• raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
• raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
• raptor_exim_wiz. Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).

• raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
• raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
• raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
• raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
• raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack (NX) version.
• raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
• raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
• raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
• raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
• raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
• raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
• raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
• raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
• raptor_dtprintname_sparc.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
• raptor_dtprintname_sparc2.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
• raptor_dtprintname_sparc3.c. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
• raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
• raptor_dtprintcheckdir_sparc.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC).
• raptor_dtprintcheckdir_sparc2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).

• raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
• raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
• raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
• raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
• raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
• raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
• raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
• raptor_dtprintname_intel.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).
• raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
• raptor_dtsession_ipa.c. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession.
• raptor_sdtcm_conv.c. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert.
• raptor_dtprintcheckdir_intel.c. Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).
• raptor_dtprintcheckdir_intel2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).
• raptor_dtprintlibXmas.c. Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).

• raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.

• raptor_xorgasm. OpenBSD 6.3, 6.4 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and cron.
• raptor_opensmtpd.pl. OpenBSD 6.4, 6.5, 6.6 (CVE-2020-7247). LPE and RCE in OpenBSD's OpenSMTPD.

• raptor_zysh_fhtagn.exp. Zyxel zysh (CVE-2022-26531). Remote code execution via multiple format string bugs.
• raptor_fermion. Zyxel uOS (CVE-2025-1731). Local privilege escalation via fermion-wrapper.

• raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
• raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
• raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.

• raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
• raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
• raptor_winudf.zip. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").

• raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
• raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
• raptor_xorgy. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.

[0x20] Tools

• rhabdomancer. Vulnerability research assistant that locates calls to insecure API functions in a binary.
• haruspex. Vulnerability research assistant that extracts pseudo-code from the IDA Hex-Rays decompiler.
• augur. Reverse engineering assistant that extracts strings and related pseudo-code from a binary file.
• oneiromancer. Reverse engineering assistant that uses a locally running LLM to aid with pseudo-code analysis.
• idalib. I'm a contributor to these award-winning idiomatic Rust bindings for the IDA SDK.
• semgrep-rules. A collection of my Semgrep rules to facilitate vulnerability research.
• weggli-patterns. A collection of my weggli patterns to facilitate vulnerability research.
• frida-scripts. A collection of my Frida.re instrumentation scripts to facilitate reverse engineering.
• ghidra-scripts. A collection of my Ghidra scripts to facilitate reverse engineering and vulnerability research.
• from-day-zero-to-zero-day (new). My code and notes for From Day Zero to Zero Day, a book by Eugene Lim.

• tactical-exploitation. A modern tactical exploitation toolkit to assist penetration testers.
• backdoo-rs. Rust implementation of the main staging protocols used by the Metasploit Framework.
• blindsight. Red teaming tool to dump LSASS memory, bypassing basic countermeasures.
• samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
• mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
• havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
• ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
• orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
• scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
• sequel.tgz. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
• p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.

• brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
• ward.c. Fast wardialer for Unix systems, it scans a list of phone numbers hunting for active modems.
• rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
• bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
• x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
• psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
• backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
• autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.

• jiggy. A minimalistic cross-platform mouse jiggler written in Rust.
• raptor-rust-template. My template for starting a Rust project, meant to be used with cargo-generate.
• aoc-2024-in-rust. My solutions to Advent of Code 2024 in Rust.
• rust_os (new). My code for Writing an OS in Rust, a book by Philipp Oppermann.
• zero2prod. My code for Zero To Production In Rust, a book by Luca Palmieri.

• shellcode. A collection of my shellcode samples for various architectures and operating systems.
• Ao64A. NASM macOS translation of code listings distributed with the Art of 64-bit Assembly Language.
• abo-exploits.tgz. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
• fs-exploits.tgz. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
• vulndev-exploits.tgz. Exploit code for vuln-dev challenges. Currently, there are 2 accomplished challenges.
• linux-x86-exploits.tgz. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
• solaris-sparc-exploits.tgz. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
• libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.

• xchg rax,rax solutions. My attempt at tackling the x86_64 asm riddles in xorpd's xchg rax,rax book.
• poly.tgz. An old collection of polyglots, programs that may be compiled in more than one language.

[0x40] Configurations

• rc.iptables. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
• pf.conf. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.

• modsecurity-2.6.8.conf. Sample configuration file for the ModSecurity application firewall v2.6.8.
• modsecurity-2.5.12.conf. Sample configuration file for the ModSecurity application firewall v2.5.12.

• torrc. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
• openvpn-*.conf. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.

[0x80] /dev/random

• Ralphy. Ralphy the Raptor has been 0xdeadbeef dot info's mascot for at least a couple of decades.
• Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
• 0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
• Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
• Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
• Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
• Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
• This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.
• Vault 7. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!
• Sploits. My 2006 work was featured in a Russian hacking group ("They used to be good at sploits").