0xdeadbeef dot info.
"A chain is only as strong as its weakest link." -- Charles A. Lindbergh
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- Edsger W. Dijkstra
"The enemy knows the system." -- Claude E. Shannon
"Perfection is achieved when there is nothing left to remove." -- Antoine de Saint-Exupery
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"You can't argue with a root shell." -- Felix "FX" Lindner
"The only limit to malloc exploitation is the imagination." -- Qualys Research Team
"Never whistle while you're pissing." -- Hagbard Celine
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous
I'm Marco Ivaldi, a seasoned security researcher and tech leader with over 25 years
in offensive security. As a polyglot programmer of weird machines, I study
how things can go wrong. I've hacked on everything from old-school X.25 networks to modern mobile apps.
These days I'm the technical director and co-founder of HN Security, a boutique firm specializing in
tailored security assessments.
My journey began in the '90s, when I co-founded Linux&C, the very first Italian magazine about Linux and open source.
Along the way, I've contributed to the OSSTMM,
published in magazines like Phrack, co-authored several books including
Hacking Exposed Linux, and presented my research at international conferences such as
Infiltrate. In recognition of my contributions I was recently named a
Most Valuable Security Researcher by Microsoft and have competed as a
Zero Day Quest hacker.
This is my personal homepage. Feedback is welcome at <raptor[at]0xdeadbeef.info> (PGP key).
Books
Articles
- 2000-2009
- 2010-2019
- 2020-now
Honors and Awards
Related Works
- 2000-2009
- 2010-2019
- 2020-now
Presentations
- 2000-2009
- Intrusioni di rete. Slides compiled for an Information Security Master at Milan University (December 2001).
- ITBH events. Archived materials for all the events organized by the ITBH association (2001-2003).
- 2010-2019
- 2020-now
Interviews
- 2010-2019
- Stealing Minutes. Newsweek International reporter Benjamin Sutherland interviewed me for this article on VoIP.
- Materatown. I've been interviewed by the fine folks at Materatown.net on the topic of satire and anonymity.
- How Secure is Secure Enough?. Control's Editor-in-Chief Walt Boyes interviewed me for this article on SCADA.
- IBM: Yes, it's true. El Reg published an article on IBM's attempt to censor exploit information.
- 2020-now
Linux
- CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.
OpenSSH
- CVE-2003-0190. I discovered and published this OpenSSH/PAM delay information disclosure vulnerability.
- CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.
X.Org
Azure
Solaris
Zyxel
Zephyr
RT-Thread
ThreadX
RIOT
Others
- smbfs/umount. I discovered and reported to Illumos a buffer overflow in smbfs/umount.
- dhclient. I discovered and reported a format string bug in ISC DHCP configuration file handling.
- coturn. I discovered and reported some security issues in the coturn TURN server.
- FreeRTOS. I discovered and reported some security issues and other bugs in FreeRTOS.
- lwIP/httpclient. I discovered and reported an integer wraparound and heap buffer overflow.
- lwIP/makefsdata. I discovered and reported an integer underflow and static buffer overflow.
- CVE-2023-49287. I discovered and reported some buffer overflow vulnerabilities in TinyDir.
Linux
- raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
- raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
- raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
- raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
- raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
- raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
- raptor_exim_wiz. Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).
Solaris/SPARC
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
- raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
- raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
- raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack (NX) version.
- raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
- raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
- raptor_dtprintname_sparc.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
- raptor_dtprintname_sparc2.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
- raptor_dtprintname_sparc3.c. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
- raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
- raptor_dtprintcheckdir_sparc.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC).
- raptor_dtprintcheckdir_sparc2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).
Solaris/x86
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
- raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
- raptor_dtprintname_intel.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).
- raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
- raptor_dtsession_ipa.c. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession.
- raptor_sdtcm_conv.c. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert.
- raptor_dtprintcheckdir_intel.c. Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).
- raptor_dtprintcheckdir_intel2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).
- raptor_dtprintlibXmas.c. Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).
AIX
- raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.
OpenBSD
Zyxel
Oracle
- raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
- raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
- raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.
MySQL
- raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
- raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
- raptor_winudf.zip. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").
Miscellaneous
- raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
- raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
- raptor_xorgy. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.
Vulnerability Research
New School
- tactical-exploitation. A modern tactical exploitation toolkit to assist penetration testers.
- backdoo-rs. Rust implementation of the main staging protocols used by the Metasploit Framework.
- blindsight. Red teaming tool to dump LSASS memory, bypassing basic countermeasures.
- samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
- mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
- havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
- ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
- orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
- scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
- sequel.tgz. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
- p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.
Old School
- brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
- ward.c. Fast wardialer for Unix systems, it scans a list of phone numbers hunting for active modems.
- rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
- bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
- x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
- psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
- backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
- autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.
Other Rust Stuff
Exploitation
- shellcode. A collection of my shellcode samples for various architectures and operating systems.
- Ao64A. NASM macOS translation of code listings distributed with the Art of 64-bit Assembly Language.
- abo-exploits.tgz. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
- fs-exploits.tgz. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
- vulndev-exploits.tgz. Exploit code for vuln-dev challenges. Currently, there are 2 accomplished challenges.
- linux-x86-exploits.tgz. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
- solaris-sparc-exploits.tgz. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
- libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.
Esoteric
Packet Filters
- rc.iptables. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
- pf.conf. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.
Application Firewalls
Virtual Private Networks
- torrc. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
- openvpn-*.conf. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.
Random Stuff
- Ralphy. Ralphy the Raptor has been 0xdeadbeef dot info's mascot for at least a couple of decades.
- Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
- 0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
- Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
- Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
- Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
- Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
- This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.
- Vault 7. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!
- Sploits. My 2006 work was featured in a Russian hacking group ("They used to be good at sploits").
Copyright (c) 1998-2025* Marco Ivaldi at 0xdeadbeef dot info.
Icons by Icons8.
*27 years #StillHacking!