0xdeadbeef dot info | raptor's labs

0xdeadbeef dot info.

"A chain is only as strong as its weakest link." -- Charles A. Lindbergh
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- Edsger W. Dijkstra
"The enemy knows the system." -- Claude E. Shannon
"Perfection is achieved when there is nothing left to remove." -- Antoine de Saint-Exupery
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"You can't argue with a root shell." -- Felix "FX" Lindner
"The only limit to malloc exploitation is the imagination." -- Qualys Research Team
"Never whistle while you're pissing." -- Hagbard Celine
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous

Fnord!

[0x01] Who's Raptor?

I'm a seasoned security researcher and tech leader with 25 years of experience, specializing in offensive security, from old school X.25 to modern mobile apps. I work as technical director at HN Security, a boutique company I co-founded that provides tailored offensive security services.

As a hacker and polyglot programmer of weird machines, I study how things can go wrong. I'm a core developer of the Open Source Security Testing Methodology Manual (OSSTMM), the international standard for performing security testing. I've published articles on many computing magazines, including Phrack, and I've co-authored some books, such as the popular Hacking Exposed Linux. Back in the 1990s, I co-founded Linux&C, the first Italian magazine about Linux and the open source movement.

This is my personal homepage and playground. You can send your feedback to: Marco Ivaldi <raptor[at]0xdeadbeef.info> (PGP key).

[0x02] Publications

Books

OSSTMM. Since 2001, I'm a core developer of the Open Source Security Testing Methodology Manual.
L'arte dell'hacking. I did the technical review of the translation of Hacking: the art of exploitation, by Jon Erickson.
Vulnerabilità su Linux. I wrote the foreword for this practical exploitation guide by Enrico Feresin.
Hacking Exposed Linux. I wrote the VoIP chapter for the third edition of the HEL book, released by ISECOM.
Cyberworld. I co-authored this book sponsored by the Italian DoD's National Security Observatory.
CLUSIT Report 2016. I co-authored the e-commerce section of this year's annual CLUSIT ICT security report.
Hacker Highschool. I've contributed to this ISECOM project that promotes security awareness for teens.

Articles

L'anonimato su Internet. About anonymity and privacy on the Internet, appeared on Apogeonline in January 2000.
Qualcuno ci ascolta. About the ECHELON network (written in January 2000, not published elsewhere).
Introduzione al Quantum Computing. Introduction to QC, also released as an Apogeonline ebook in July 2002.
Sicurezza su reti X.25. White paper written for ITBH and released to the public in September 2002.
La metrica di sicurezza di OSSTMM. About the attack surface security metrics defined by OSSTMM (rav).
La Comunicazione. I wrote the article "ICT Security Certification with OSSTMM", published by ISCOM.
I cinque miti della sicurezza SCADA. Article discussing SCADA security myths and popular beliefs.
Protezione degli utenti VIP. Article about tailoring information security services for Top Managers.
Penetration Testing Guidelines. I co-authored these security testing guidelines by ISACA's Venice Chapter.
Security Testing with CPDLC. I co-authored this paper on Controller-Pilot Data Link Communications security.
Tracing Android and iOS apps. Blog post explaining how to use my raptor_frida_*_trace.js scripts.
In praise of tactical exploitation. Blog post introducing my new tactical exploitation toolkit.
How a UNIX hacker discovered PowerShell. Blog post covering my unexpected PowerShell journey.
Hello, world!. This is the first post on HN Security's blog, where I introduce my new project and team.
Exploiting a Format String Bug in Solaris CDE. It finally happened... I've been published in Phrack!
Letme.go. A minimalistic Go implementation of the staging protocols used by the Metasploit Framework.
Semgrep C/C++ rules. Introducing my Semgrep ruleset for C/C++ vulnerability research.
Multiple vulnerabilities in Zyxel zysh. Zyxel zysh CVE-2022-26531 and CVE-2022-26532 writeup.
Automating binary vulnerability discovery with Ghidra and Semgrep. Introducing my static analysis toolkit.
Nothing new under the Sun. Solaris dtprintinfo and libXm/libXpm vulnerabilities writeup.
Celebrating two years of HN Security. A summary of the first two years of the HN Security project.

Interviews and Mentions

Hacking Exposed Cisco Networks. My wardialer ward.c was featured in the Cisco Device Wardialing chapter.
Stealing Minutes. Newsweek International reporter Benjamin Sutherland interviewed me for this article on VoIP.
Materatown. I have been interviewed by the fine folks at Materatown.net on the topic of satire and anonymity.
How Secure is Secure Enough?. Control's Editor-in-Chief Walt Boyes interviewed me for this article on SCADA.
IBM: Yes, it's true. El Reg published an article on IBM's attempt to censor exploit information.
Beginners.re. I've been quoted on the cover of the Farsi translation of Beginners.re by Mohsen Mostafa Jokar.
DailyDave. Dave Aitel has posted a terrific announcement for my talk at INFILTRATE 2019. Thanks!
Security Conversations. Have I aged out of the infosec industry? Join the debate at INFILTRATE 2020;)
INFILTRATE Interview. I chatted with Dave Aitel about hacking stuff, while actually hacking stuff in the background.
Hands On Hacking. Matthew Hickey kindly mentioned me and my research in his new book.
Exploit Hall of Fame. Dragos Ruiu invited me to this Pwn2Own 2021 roundtable with some legendary hackers.
Sequoia. The awesome Qualys Research Team mentioned me in their CVE-2021-33909 advisory.

Related Works

Exploit #25. The 25th exploit ever added to the Exploit DB targets a vulnerability I discovered in 2003 in OpenSSH/PAM.
rLogin Buffer Overflow. This white paper was written by Juan Manuel Corredor Garcia for his GIAC GCIH practical.
Buffer Overflow in passwd(1). This white paper was written by Shaun McAdams for his GIAC GCIH practical.
The Internal Threat. This white paper was written by Jonathan Klein for his GIAC GCIH practical.
MySQL worm. The MySQL Bot/SpoolCLL Windows worm uses my UDF exploit to spread.
Exploiting UDFs in MySQL. This white paper was written by Matthew Zimmerman for his GIAC GCIH practical.
March Networks DVR-CCTV 3204. A comprehensive insecurity overview of a DVR by Alex Hernandez.
Whoppix-raptor. A flash demo showing raptor_chown.c in action done for whoppix.net by ports@portsonline.net.
Quelques astuces avec LD_PRELOAD. French hackin9 article by Stefan Klaas that analyzes a couple of my exploits.
Security Analysis of a Signal Protocol Implementation. This thesis uses my Frida scripts to analyze WhatsApp.
Hack the Puffy. OpenBSD advocacy through CTF, a presentation by Jason Testart.
SSH Enumusers. A Metasploit module that implements the time-based attack against SSH I discovered back in 2003.
Libnspr NSPR_LOG_FILE. A Metasploit module that reimplements my raptor_libnspr3 privilege escalation exploit.
Glibc LD_AUDIT. A Metasploit module that reimplements my raptor_ldaudit privilege escalation exploit.
Xorg X11 Suid Server. A Metasploit module that reimplements my raptor_xorgasm privilege escalation exploit.
Exim Wiz. A Metasploit module that reimplements my raptor_exim_wiz privilege escalation exploit.
Xscreensaver Log. A Metasploit module that reimplements my raptor_xscreensaver privilege escalation exploit.
OpenSMTPD RCE. A Metasploit module that reimplements my raptor_opensmtpd.pl remote code execution exploit.
BPFDoor. The BPFDoor malware uses my Solaris xscreensaver vulnerability to get root privileges.
Format Strings. This lesson by Joseph Hallett at the University of Bristol references my Phrack article.

[0x04] Presentations

Talks

Intrusioni di rete. Slides compiled for an Information Security Master at Milan University (December 2001).
ITBH events. Archived materials for all the events organized by the ITBH association (2001-2003).
ARES 2016. Security Testing With Controller-Pilot Data Link Communications.
Speaker Introduction. Amazing speaker introduction video for my talk at INFILTRATE 2019.
A bug's life: story of a Solaris 0day. Full video of my talk at INFILTRATE 2019.
INFILTRATE 2019 party pack. Slide deck, advisory, bonus 0day exploits, and other goodies.
The INFILTRATE effect: 6 bugs in 6 months. Full video of my talk at INFILTRATE 2020.
INFILTRATE 2020 party pack. Slide deck, advisories, and bonus 0day exploits.
Conosci il nemico. Video of my brief talk about attacker's motivations and techniques (slides: PPTX, PDF).
Know your enemy. English transcription of my talk about for the "Accademia del Cyber" (white paper: PDF).
My last Solaris talk (not your average keynote). Video of my keynote speech at RomHack 2021.
RomHack 2021 party pack. Slide deck, exploits, and other goodies.

[0x08] Vulnerabilities

Linux

CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.

Solaris

CVE-2019-2832. I (re)discovered and published this 0day local privilege escalation vulnerability in CDE.
CVE-2019-3010. I discovered and reported this local privilege escalation vulnerability in Solaris xscreensaver.
CVE-2020-2656. I discovered and reported this information disclosure via Solaris xlock.
CVE-2020-2696. I discovered and reported this local privilege escalation via CDE dtsession.
CVE-2020-2771. I discovered and reported this heap-based buffer overflow in Solaris whodo and w.
CVE-2020-2851. I discovered and reported this stack-based buffer overflow in CDE libDtSvc.
CVE-2020-2944. I discovered and reported this local privilege escalation via CDE sdtcm_convert.
CVE-2023-24039. I discovered and reported a buffer overflow in libXm.
CVE-2023-24040. I discovered and reported a CDE printer name injection and memory disclosure.

Zyxel

CVE-2022-26531. I discovered and reported multiple memory corruption bugs in Zyxel zysh.
CVE-2022-26532. I discovered and reported a command injection vulnerability in Zyxel zysh.

Zephyr

CVE-2023-3725. TBA.
CVE-2023-4257. TBA.
CVE-2023-4259 (new). I discovered and reported two buffer overflows in the Zephyr eS-WiFi driver.
CVE-2023-4260 (new). I discovered and reported an off-by-one buffer overflow in the Zephyr FS subsystem.
CVE-2023-4261. TBA.
CVE-2023-4262 (new). I discovered and reported multiple buffer overflows in the Zephyr Mgmt subsystem.
CVE-2023-4263. TBA.
CVE-2023-4264 (new). I discovered and reported multiple buffer overflows in the Zephyr Bluetooth subsystem.
CVE-2023-4265 (new). I discovered and reported two buffer overflows in Zephyr USB code.
CVE-2023-5139. TBA.
CVE-2023-5184. TBA.

OpenSSH

CVE-2003-0190. I discovered and published this OpenSSH/PAM Delay Information Disclosure Vulnerability.
CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.

X.Org

CVE-2022-46285. I discovered and reported a vulnerability in handling XPM files in libXpm.

Others

smbfs/umount. I discovered and reported to Illumos a buffer overflow in smbfs/umount.
dhclient. I discovered and reported a format string bug in ISC DHCP configuration file handling.

[0x10] Exploits

Linux

raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
raptor_exim_wiz. Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).

Solaris/SPARC

raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack (NX) version.
raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
raptor_dtprintname_sparc.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
raptor_dtprintname_sparc2.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
raptor_dtprintname_sparc3.c. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
raptor_dtprintcheckdir_sparc.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC).
raptor_dtprintcheckdir_sparc2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).

Solaris/x86

raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
raptor_dtprintname_intel.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).
raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
raptor_dtsession_ipa.c. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession.
raptor_sdtcm_conv.c. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert.
raptor_dtprintcheckdir_intel.c. Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).
raptor_dtprintcheckdir_intel2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).
raptor_dtprintlibXmas.c. Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).

AIX

raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.

OpenBSD

raptor_xorgasm. OpenBSD 6.3, 6.4 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and cron.
raptor_opensmtpd.pl. OpenBSD 6.4, 6.5, 6.6 (CVE-2020-7247). LPE and RCE in OpenBSD's OpenSMTPD.

Zyxel

raptor_zysh_fhtagn.exp. Zyxel zysh (CVE-2022-26531). Remote code execution via multiple format string bugs.

Oracle

raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.

MySQL

raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
raptor_winudf.zip. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").

Miscellaneous

raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
raptor_xorgy. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.

[0x20] Tools

New School

tactical-exploitation. A modern tactical exploitation toolkit to assist penetration testers.
frida-scripts. A collection of my Frida.re instrumentation scripts to facilitate reverse engineering.
ghidra-scripts. A collection of my Ghidra scripts to facilitate reverse engineering and vulnerability research.
semgrep-rules. A collection of my Semgrep rules to facilitate vulnerability research.
Invoke-Shellcode.ps1. Updated cmdlet with -Stealth command line switch (see my pull request).
samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
sequel.tgz. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.

Old School

brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
ward.c. Fast wardialer for UNIX systems, it scans a list of phone numbers hunting for active modems.
rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.

Exploitation

shellcode. A collection of my shellcode samples for various architectures and operating systems.
abo-exploits.tgz. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
fs-exploits.tgz. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
vulndev-exploits.tgz. Exploit code for vuln-dev challenges. Currently, there are 2 accomplished challenges.
linux-x86-exploits.tgz. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
solaris-sparc-exploits.tgz. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.

Esoteric

xchg rax,rax solutions. My attempt at tackling the x86_64 asm riddles in xorpd's xchg rax,rax book.
poly.tgz. An old collection of polyglots, programs that may be compiled in more than one language.

[0x40] Configurations

Packet Filters

rc.iptables. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
pf.conf. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.

Application Firewalls

modsecurity-2.6.8.conf. Sample configuration file for the ModSecurity application firewall v2.6.8.
modsecurity-2.5.12.conf. Sample configuration file for the ModSecurity application firewall v2.5.12.

Virtual Private Networks

torrc. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
openvpn-*.conf. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.

[0x80] /dev/random

Random Stuff

Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.
Vault 7. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!
Ralphy. Ralphy the Raptor has been 0xdeadbeef dot info's mascot for at least a couple of decades.