0xdeadbeef dot info.
"A chain is only as strong as its weakest link." -- Charles A. Lindbergh
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- Edsger W. Dijkstra
"The enemy knows the system." -- Claude E. Shannon
"Perfection is achieved when there is nothing left to remove." -- Antoine de Saint-Exupery
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"You can't argue with a root shell." -- Felix "FX" Lindner
"The only limit to malloc exploitation is the imagination." -- Qualys Research Team
"Never whistle while you're pissing." -- Hagbard Celine
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous
I'm a seasoned security researcher and tech leader with 25 years of experience, specializing in offensive security, from old school X.25 to modern mobile apps. I work as technical director at HN Security, a boutique company I co-founded that provides tailored offensive security services.

As a professional hacker and polyglot programmer of weird machines, I study how things can go wrong. I'm a core developer of the Open Source Security Testing Methodology Manual (OSSTMM), the international standard for performing security testing. I've published articles in many computing magazines, including Phrack, and I've co-authored some books, such as the popular Hacking Exposed Linux. Back in the 1990s, I co-founded Linux&C, the first Italian magazine about Linux and the open source movement.

This is my personal homepage and playground. You can send your feedback to: Marco Ivaldi <raptor[at]0xdeadbeef.info> (PGP key).
Books
Articles
Interviews and Mentions
Related Works
Talks
Linux
- CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.
Solaris
Illumos
Zyxel
OpenSSH
- CVE-2003-0190. I discovered and published this OpenSSH/PAM Delay Information Disclosure Vulnerability.
- CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.
X.Org
ISC DHCP
- dhclient (new). I discovered and reported a format string bug in configuration file handling.
Linux
- raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
- raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
- raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
- raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
- raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
- raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
- raptor_exim_wiz. Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).
Solaris/SPARC
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
- raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
- raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
- raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack (NX) version.
- raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
- raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
- raptor_dtprintname_sparc.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
- raptor_dtprintname_sparc2.c. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
- raptor_dtprintname_sparc3.c. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
- raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
- raptor_dtprintcheckdir_sparc.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC).
- raptor_dtprintcheckdir_sparc2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).
Solaris/x86
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
- raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
- raptor_dtprintname_intel.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).
- raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
- raptor_dtsession_ipa.c. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession.
- raptor_sdtcm_conv.c. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert.
- raptor_dtprintcheckdir_intel.c. Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).
- raptor_dtprintcheckdir_intel2.c. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).
- raptor_dtprintlibXmas.c. Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).
AIX
- raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.
OpenBSD
Zyxel
Oracle
- raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
- raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
- raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.
MySQL
- raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
- raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
- raptor_winudf.zip. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").
Miscellaneous
- raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
- raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
- raptor_xorgy. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.
New School
- tactical-exploitation. A modern tactical exploitation toolkit to assist penetration testers.
- frida-scripts. A collection of my Frida.re instrumentation scripts to facilitate reverse engineering.
- ghidra-scripts. A collection of my Ghidra scripts to facilitate reverse engineering and vulnerability research.
- semgrep-rules. A collection of my Semgrep rules to facilitate vulnerability research.
- Invoke-Shellcode.ps1. Updated cmdlet with -Stealth command line switch (see my pull request).
- samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
- mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
- havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
- ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
- orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
- scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
- sequel.tgz. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
- p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.
Old School
- brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
- ward.c. Fast wardialer for UNIX systems, it scans a list of phone numbers hunting for active modems.
- rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
- bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
- x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
- psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
- backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
- autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.
Exploitation
- shellcode. A collection of my shellcode samples for various architectures and operating systems.
- abo-exploits.tgz. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
- fs-exploits.tgz. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
- vulndev-exploits.tgz. Exploit code for vuln-dev challenges. Currently, there are 2 accomplished challenges.
- linux-x86-exploits.tgz. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
- solaris-sparc-exploits.tgz. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
- libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.
Esoteric
Packet Filters
- rc.iptables. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
- pf.conf. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.
Application Firewalls
Virtual Private Networks
- torrc. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
- openvpn-*.conf. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.
Random Stuff
- Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
- 0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
- Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
- Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
- Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
- Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
- This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.
- Vault 7. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!
Copyright (c) 1998-2023* Marco Ivaldi at 0xdeadbeef dot info. *Celebrating 25 years!