0xdeadbeef dot info.

[0x01] Who's Raptor?

As a professional hacker and polyglot programmer of weird machines, I study how things can go wrong. I'm a core developer of the Open Source Security Testing Methodology Manual (OSSTMM), the international standard for performing security testing. I've published articles on many computing magazines, including Phrack, and I've co-authored some books, such as the popular Hacking Exposed Linux. Back in the 1990s, I co-founded Linux&C, the first Italian magazine about Linux and the open source movement.

This is my personal homepage and playground. You can send your feedback to: Marco Ivaldi <raptor[at]0xdeadbeef.info> (PGP key).

[0x02] Publications

• OSSTMM. Since 2001, I'm a core developer of the Open Source Security Testing Methodology Manual.
• L'arte dell'hacking. I did the technical review of the translation of Hacking: the art of exploitation, by Jon Erickson.
• Vulnerabilità su Linux. I wrote the foreword for this practical exploitation guide by Enrico Feresin.
• Hacking Exposed Linux. I wrote the VoIP chapter for the third edition of the HEL book, released by ISECOM.
• Cyberworld. I co-authored this book sponsored by the Italian DoD's National Security Observatory.
• CLUSIT Report 2016. I co-authored the e-commerce section of this year's annual CLUSIT ICT security report.
• Hacker Highschool. I've contributed to this ISECOM project that promotes security awareness for teens.

• L'anonimato su Internet. About anonymity and privacy on the Internet, appeared on Apogeonline in January 2000.
• Qualcuno ci ascolta. About the ECHELON network (written in January 2000, not published elsewhere).
• Introduzione al Quantum Computing. Introduction to QC, also released as an Apogeonline ebook in July 2002.
• Sicurezza su reti X.25. White paper written for ITBH and released to the public in September 2002.
• La metrica di sicurezza di OSSTMM. About the attack surface security metrics defined by OSSTMM (rav).
• La Comunicazione. I wrote the article "ICT Security Certification with OSSTMM", published by ISCOM.
• I cinque miti della sicurezza SCADA. Article discussing SCADA security myths and popular beliefs.
• Protezione degli utenti VIP. Article about tailoring information security services for Top Managers.
• Penetration Testing Guidelines. I co-authored these security testing guidelines by ISACA's Venice Chapter.
• Security Testing with CPDLC. I co-authored this paper on Controller-Pilot Data Link Communications security.
• Tracing Android and iOS apps. Blog post explaining how to use my raptor_frida_*_trace.js scripts.
• In praise of tactical exploitation. Blog post introducing my new tactical exploitation toolkit.
• How a UNIX hacker discovered PowerShell. Blog post covering my unexpected PowerShell journey.
• Hello, world!. This is the first post on HN Security's blog, where I introduce my new project and team.
• Exploiting a Format String Bug in Solaris CDE. It finally happened... I've been published on Phrack!
• Letme.go. A minimalistic Go implementation of the staging protocols used by the Metasploit Framework.
• Semgrep C/C++ rules. Introducing my Semgrep ruleset for C/C++ vulnerability research.
• Multiple vulnerabilities in Zyxel zysh. Zyxel zysh CVE-2022-26531 and CVE-2022-26532 writeup.
• Automating binary vulnerability discovery with Ghidra and Semgrep. Introducing my static analysis toolkit.
• Nothing new under the Sun (new). Solaris dtprintinfo and libXm/libXpm vulnerabilities writeup.

• Hacking Exposed Cisco Networks. My wardialer ward.c was featured in the Cisco Device Wardialing chapter.
• Stealing Minutes. Newsweek International reporter Benjamin Sutherland interviewed me for this article on VoIP.
• Materatown. I have been interviewed by the fine folks at Materatown.net on the topic of satire and anonymity.
• How Secure is Secure Enough?. Control's Editor-in-Chief Walt Boyes interviewed me for this article on SCADA.
• IBM: Yes, it's true. El Reg published an article on IBM's attempt to censor exploit information.
• Beginners.re. I've been quoted on the cover of the Farsi translation of Beginners.re by Mohsen Mostafa Jokar.
• DailyDave. Dave Aitel has posted a terrific announcement for my talk at INFILTRATE 2019. Thanks!
• Security Conversations. Have I aged out of the infosec industry? Join the debate at INFILTRATE 2020;)
• INFILTRATE Interview. I chatted with Dave Aitel about hacking stuff, while actually hacking stuff in the background.
• Hands On Hacking. Matthew Hickey kindly mentioned me and my research in his new book.
• Exploit Hall of Fame. Dragos Ruiu invited me to this Pwn2Own 2021 roundtable with some legendary hackers.
• Sequoia. The awesome Qualys Research Team mentioned me in their CVE-2021-33909 advisory.

• Exploit #25. The 25th exploit ever added to the Exploit DB targets a vulnerability I discovered in 2003 in OpenSSH/PAM.
• rLogin Buffer Overflow. This white paper was written by Juan Manuel Corredor Garcia for his GIAC GCIH practical.
• Buffer Overflow in passwd(1). This white paper was written by Shaun McAdams for his GIAC GCIH practical.
• The Internal Threat. This white paper was written by Jonathan Klein for his GIAC GCIH practical.
• MySQL worm. The MySQL Bot/SpoolCLL Windows worm uses my UDF exploit to spread.
• Exploiting UDFs in MySQL. This white paper was written by Matthew Zimmerman for his GIAC GCIH practical.
• March Networks DVR-CCTV 3204. A comprehensive insecurity overview of a DVR by Alex Hernandez.
• Whoppix-raptor. A flash demo showing raptor_chown.c in action done for whoppix.net by ports@portsonline.net.
• Quelques astuces avec LD_PRELOAD. French hackin9 article by Stefan Klaas that analyzes a couple of my exploits.
• Security Analysis of a Signal Protocol Implementation. This thesis uses my Frida scripts to analyze WhatsApp.
• Hack the Puffy. OpenBSD advocacy through CTF, a presentation by Jason Testart.
• SSH Enumusers. A Metasploit module that implements the time-based attack against SSH I discovered back in 2003.
• Libnspr NSPR_LOG_FILE. A Metasploit module that reimplements my raptor_libnspr3 privilege escalation exploit.
• Glibc LD_AUDIT. A Metasploit module that reimplements my raptor_ldaudit privilege escalation exploit.
• Xorg X11 Suid Server. A Metasploit module that reimplements my raptor_xorgasm privilege escalation exploit.
• Exim Wiz. A Metasploit module that reimplements my raptor_exim_wiz privilege escalation exploit.
• Xscreensaver Log. A Metasploit module that reimplements my raptor_xscreensaver privilege escalation exploit.
• OpenSMTPD RCE. A Metasploit module that reimplements my raptor_opensmtpd.pl remote code execution exploit.
• BPFDoor. The BPFDoor malware uses my Solaris xscreensaver vulnerability to get root privileges.
• Format Strings. This lesson by Joseph Hallett at the University of Bristol references my Phrack article.

[0x04] Presentations

• Intrusioni di rete. Slides compiled for an Information Security Master at Milan University (December 2001).
• ITBH events. Archived materials for all the events organized by the ITBH association (2001-2003).
• ARES 2016. Security Testing With Controller-Pilot Data Link Communications.
• Speaker Introduction. Amazing speaker introduction video for my talk at INFILTRATE 2019.
• A bug's life: story of a Solaris 0day. Full video of my talk at INFILTRATE 2019.
• INFILTRATE 2019 party pack. Slide deck, advisory, bonus 0day exploits, and other goodies.
• The INFILTRATE effect: 6 bugs in 6 months. Full video of my talk at INFILTRATE 2020.
• INFILTRATE 2020 party pack. Slide deck, advisories, and bonus 0day exploits.
• Conosci il nemico. Video of my brief talk about attacker's motivations and techniques (slides: PPTX, PDF).
• Know your enemy. English transcription of my talk about for the "Accademia del Cyber" (white paper: PDF).
• My last Solaris talk (not your average keynote). Video of my keynote speech at RomHack 2021.
• RomHack 2021 party pack. Slide deck, exploits, and other goodies.

[0x08] Vulnerabilities

• CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.

• CVE-2019-2832. I (re)discovered and published this 0day local privilege escalation vulnerability in CDE.
• CVE-2019-3010. I discovered and reported this local privilege escalation vulnerability in Solaris xscreensaver.
• CVE-2020-2656. I discovered and reported this information disclosure via Solaris xlock.
• CVE-2020-2696. I discovered and reported this local privilege escalation via CDE dtsession.
• CVE-2020-2771. I discovered and reported this heap-based buffer overflow in Solaris whodo and w.
• CVE-2020-2851. I discovered and reported this stack-based buffer overflow in CDE libDtSvc.
• CVE-2020-2944. I discovered and reported this local privilege escalation via CDE sdtcm_convert.
• CVE-2023-24039 (new). I discovered and reported a buffer overflow in libXm.
• CVE-2023-24040 (new). I discovered and reported a CDE printer name injection and memory disclosure.

• smbfs/umount. I discovered and reported to Illumos a buffer overflow in smbfs/umount.

• CVE-2022-26531. I discovered and reported multiple memory corruption bugs in Zyxel zysh.
• CVE-2022-26532. I discovered and reported a command injection vulnerability in Zyxel zysh.

• CVE-2003-0190. I discovered and published this OpenSSH/PAM Delay Information Disclosure Vulnerability.
• CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.

• CVE-2022-46285 (new). I discovered and reported a vulnerability in handling XPM files in libXpm.

[0x10] Exploits

• raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
• raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
• raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
• raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
• raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
• raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
• raptor_exim_wiz. Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).

• raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
• raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
• raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
• raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
• raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack (NX) version.
• raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
• raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
• raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
• raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
• raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
• raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
• raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
• raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
• raptor_dtprintname_sparc.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
• raptor_dtprintname_sparc2.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
• raptor_dtprintname_sparc3.c. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
• raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
• raptor_dtprintcheckdir_sparc.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC).
• raptor_dtprintcheckdir_sparc2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).

• raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
• raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
• raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
• raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
• raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
• raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
• raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
• raptor_dtprintname_intel.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).
• raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
• raptor_dtsession_ipa.c. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession.
• raptor_sdtcm_conv.c. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert.
• raptor_dtprintcheckdir_intel.c. Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).
• raptor_dtprintcheckdir_intel2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).
• raptor_dtprintlibXmas.c (new). Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).

• raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.

• raptor_xorgasm. OpenBSD 6.3, 6.4 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and cron.
• raptor_opensmtpd.pl. OpenBSD 6.4, 6.5, 6.6 (CVE-2020-7247). LPE and RCE in OpenBSD's OpenSMTPD.

• raptor_zysh_fhtagn.exp. Zyxel zysh (CVE-2022-26531). Remote code execution via multiple format string bugs.

• raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
• raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
• raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.

• raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
• raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
• raptor_winudf.zip. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").

• raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
• raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
• raptor_xorgy. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.

[0x20] Tools

• tactical-exploitation. A modern tactical exploitation toolkit to assist penetration testers.
• frida-scripts. A collection of my Frida.re instrumentation scripts to facilitate reverse engineering.
• ghidra-scripts. A collection of my Ghidra scripts to facilitate reverse engineering and vulnerability research.
• semgrep-rules. A collection of my Semgrep rules to facilitate vulnerability research.
• Invoke-Shellcode.ps1. Updated cmdlet with -Stealth command line switch (see my pull request).
• samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
• mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
• havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
• ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
• orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
• scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
• sequel.tgz. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
• p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.

• brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
• ward.c. Fast wardialer for UNIX systems, it scans a list of phone numbers hunting for active modems.
• rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
• bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
• x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
• psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
• backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
• autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.

• shellcode. A collection of my shellcode samples for various architectures and operating systems.
• abo-exploits.tgz. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
• fs-exploits.tgz. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
• vulndev-exploits.tgz. Exploit code for vuln-dev challenges. Currently, there are 2 accomplished challenges.
• linux-x86-exploits.tgz. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
• solaris-sparc-exploits.tgz. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
• libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.

• xchg rax,rax solutions. My attempt at tackling the x86_64 asm riddles in xorpd's xchg rax,rax book.
• poly.tgz. An old collection of polyglots, programs that may be compiled in more than one language.

[0x40] Configurations

• rc.iptables. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
• pf.conf. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.

• modsecurity-2.6.8.conf. Sample configuration file for the ModSecurity application firewall v2.6.8.
• modsecurity-2.5.12.conf. Sample configuration file for the ModSecurity application firewall v2.5.12.

• torrc. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
• openvpn-*.conf. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.

[0x80] /dev/random

• Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
• 0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
• Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
• Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
• Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
• Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
• This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.
• Vault 7. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!