0xdeadbeef dot info.
"A chain is only as strong as its weakest link." -- Charles A. Lindbergh
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- Edsger W. Dijkstra
"The enemy knows the system." -- Claude E. Shannon
"Perfection is achieved when there is nothing left to remove." -- Antoine de Saint-Exupery
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"You can't argue with a root shell." -- Felix "FX" Lindner
"The only limit to malloc exploitation is the imagination." -- Qualys Research Team
"Never whistle while you're pissing." -- Hagbard Celine
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous
I'm Marco Ivaldi, a seasoned security researcher and tech leader with 25+ years of experience, specializing in offensive security, from old school X.25 to modern mobile apps. I work as technical director at HN Security, a boutique company I co-founded that provides tailored offensive security services. As a polyglot programmer of weird machines, I study how things can go wrong.

I'm a core developer of the OSSTMM, the international standard for security testing. I've published many articles in various computing magazines, including Phrack, and I've co-authored some books, such as the popular Hacking Exposed Linux. I've presented my research at prestigious international conferences, including Infiltrate. I've recently earned the title of Most Valuable Security Researcher from Microsoft. Back in the 90s, I co-founded Linux&C, the first Italian magazine about Linux and the open source movement.

I write code in Rust, C, Assembly, Python, Java, C++, Go, JavaScript, Perl, Shell, and more... This is my personal homepage. Please send your feedback to <raptor[at]0xdeadbeef.info> (PGP key).
Books
Articles
- 2000-2009
- 2010-2019
- 2020-now
Honors and Awards
Related Works
- 2000-2009
- 2010-2019
- 2020-now
Presentations
- 2000-2009
- Intrusioni di rete. Slides compiled for an Information Security Master at Milan University (December 2001).
- ITBH events. Archived materials for all the events organized by the ITBH association (2001-2003).
- 2010-2019
- 2020-now
Interviews
- 2010-2019
- Stealing Minutes. Newsweek International reporter Benjamin Sutherland interviewed me for this article on VoIP.
- Materatown. I've been interviewed by the fine folks at Materatown.net on the topic of satire and anonymity.
- How Secure is Secure Enough? Control's Editor-in-Chief Walt Boyes interviewed me for this article on SCADA.
- IBM: Yes, it's true. El Reg published an article on IBM's attempt to censor exploit information.
- 2020-now
Linux
- CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.
OpenSSH
- CVE-2003-0190. I discovered and published this OpenSSH/PAM delay information disclosure vulnerability.
- CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.
X.Org
Azure
Solaris
Zyxel
Zephyr
RT-Thread
ThreadX
RIOT
Others
- smbfs/umount. I discovered and reported to Illumos a buffer overflow in smbfs/umount.
- dhclient. I discovered and reported a format string bug in ISC DHCP configuration file handling.
- coturn. I discovered and reported some security issues in the coturn TURN server.
- FreeRTOS. I discovered and reported some security issues and other bugs in FreeRTOS.
- lwIP/httpclient. I discovered and reported an integer wraparound and heap buffer overflow.
- lwIP/makefsdata. I discovered and reported an integer underflow and static buffer overflow.
- CVE-2023-49287. I discovered and reported some buffer overflow vulnerabilities in TinyDir.
Linux
- raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
- raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
- raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
- raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
- raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
- raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
- raptor_exim_wiz. Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).
Solaris/SPARC
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
- raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
- raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
- raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack (NX) version.
- raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
- raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
- raptor_dtprintname_sparc.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
- raptor_dtprintname_sparc2.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
- raptor_dtprintname_sparc3.c. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
- raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
- raptor_dtprintcheckdir_sparc.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC).
- raptor_dtprintcheckdir_sparc2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).
Solaris/x86
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
- raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
- raptor_dtprintname_intel.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).
- raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
- raptor_dtsession_ipa.c. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession.
- raptor_sdtcm_conv.c. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert.
- raptor_dtprintcheckdir_intel.c. Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).
- raptor_dtprintcheckdir_intel2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).
- raptor_dtprintlibXmas.c. Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).
AIX
- raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.
OpenBSD
Zyxel
Oracle
- raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
- raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
- raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.
MySQL
- raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
- raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
- raptor_winudf.zip. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").
Miscellaneous
- raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
- raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
- raptor_xorgy. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.
Rust
New School
- frida-scripts. A collection of my Frida.re instrumentation scripts to facilitate reverse engineering.
- ghidra-scripts. A collection of my Ghidra scripts to facilitate reverse engineering and vulnerability research.
- semgrep-rules. A collection of my Semgrep rules to facilitate vulnerability research.
- weggli-patterns. A collection of my weggli patterns to facilitate vulnerability research.
- tactical-exploitation. A modern tactical exploitation toolkit to assist penetration testers.
- Invoke-Shellcode.ps1. Updated cmdlet with -Stealth command line switch (see my pull request).
- samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
- mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
- havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
- ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
- orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
- scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
- sequel.tgz. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
- p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.
Old School
- brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
- ward.c. Fast wardialer for UNIX systems, it scans a list of phone numbers hunting for active modems.
- rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
- bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
- x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
- psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
- backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
- autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.
Exploitation
- shellcode. A collection of my shellcode samples for various architectures and operating systems.
- Ao64A. NASM macOS translation of code listings distributed with the Art of 64-bit Assembly Language.
- abo-exploits.tgz. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
- fs-exploits.tgz. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
- vulndev-exploits.tgz. Exploit code for vuln-dev challenges. Currently, there are 2 accomplished challenges.
- linux-x86-exploits.tgz. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
- solaris-sparc-exploits.tgz. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
- libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.
Esoteric
Packet Filters
- rc.iptables. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
- pf.conf. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.
Application Firewalls
Virtual Private Networks
- torrc. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
- openvpn-*.conf. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.
Random Stuff
- Ralphy. Ralphy the Raptor has been 0xdeadbeef dot info's mascot for at least a couple of decades.
- Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
- 0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
- Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
- Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
- Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
- Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
- This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.
- Vault 7. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!
- Sploits. My 2006 work was featured in a Russian hacking group ("They used to be good at sploits").
Copyright (c) 1998-2024* Marco Ivaldi at 0xdeadbeef dot info.
All icons by Icons8.
*26 years and counting!