0xdeadbeef dot info.
"A chain is only as strong as its weakest link." -- Charles A. Lindbergh
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- Edsger W. Dijkstra
"The enemy knows the system." -- Claude E. Shannon
"Perfection is achieved when there is nothing left to remove." -- Antoine de Saint-Exupery
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"You can't argue with a root shell." -- Felix "FX" Lindner
"The only limit to malloc exploitation is the imagination." -- Qualys Security Advisory
"Never whistle while you're pissing." -- Hagbard Celine
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous
I'm a seasoned information security researcher and consultant with 20+ years of experience, specializing in offensive security, from old school X.25 to modern mobile apps. I work as Offensive Security Manager at @Mediaservice.net, a leading security advisory firm based in Italy, where I'm in charge of project and team management, red teaming, penetration testing, vulnerability research, and exploit development. Basically, I'm a professional hacker and project manager. As a hacker and polyglot programmer of weird machines, I study how things can go wrong.
As a member of the ISECOM Core Team, I'm involved in the development of the Open Source Security Testing Methodology Manual (OSSTMM), the international standard for performing security testing. I'm also contributing to the Hacker Highschool (HHS), another ISECOM project promoting security awareness for teens. As a technical writer, I've published articles in many computing magazines and I've co-authored some books, such as the popular Hacking Exposed Linux. Back in the 1990s, I co-founded Linux&C (the first Italian magazine about Linux and open source), Linux Pratico, and H&C.
This is my personal homepage and playground. Take a look below for (new) stuff. Send your feedback to: Marco Ivaldi <raptor[at]0xdeadbeef.info> (PGP key).
Books
Articles
Talks
Advisories
- CVE-2003-0190. I discovered and published this OpenSSH/PAM Delay Information Disclosure Vulnerability.
- CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.
- CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.
- CVE-2019-2832. I (re)discovered and published this 0day local privilege escalation vulnerability in CDE.
- Illumos smbfs/umount. I discovered and reported to Illumos a buffer overflow in smbfs/umount.
- CVE-2019-3010. I discovered and reported this local privilege escalation vulnerability in Solaris xscreensaver.
- CVE-2020-2656. I discovered and reported this information disclosure via Solaris xlock.
- CVE-2020-2696. I discovered and reported this local privilege escalation via CDE dtsession.
- CVE-2020-2771. I discovered and reported this heap-based buffer overflow in Solaris whodo and w.
- CVE-2020-2851. I discovered and reported this stack-based buffer overflow in CDE libDtSvc.
- CVE-2020-2944. I discovered and reported this local privilege escalation via CDE sdtcm_convert.
Interviews and Mentions
Related Works
Linux
- raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
- raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
- raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
- raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
- raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
- raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
- raptor_exim_wiz. Local privilege escalation via "The Return of the WIZard" Exim bug (CVE-2019-10149).
Solaris/SPARC
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
- raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
- raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
- raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack version.
- raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
- raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
- raptor_dtprintname_sparc.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
- raptor_dtprintname_sparc2.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, non-exec stack).
- raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
Solaris/x86
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
- raptor_solgasm. Solaris 11 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and inittab.
- raptor_dtprintname_intel.c. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, non-exec stack).
- raptor_xscreensaver. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
- raptor_dtsession_ipa.c. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession.
- raptor_sdtcm_conv.c. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert.
AIX
- raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.
OpenBSD
- raptor_xorgasm. OpenBSD 6.3, 6.4 (CVE-2018-14665). Local privilege escalation via Xorg -logfile and cron.
- raptor_opensmtpd.pl. OpenBSD 6.4, 6.5, 6.6 (CVE-2020-7247). LPE and RCE in OpenBSD's OpenSMTPD.
Oracle
- raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
- raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
- raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.
MySQL
- raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
- raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
- raptor_winudf.zip. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").
Miscellaneous
- raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
- raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
- raptor_xorgy. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.
New School
- tactical-exploitation. A modern tactical exploitation toolkit to assist penetration testers.
- frida-scripts. A collection of my Frida.re instrumentation scripts to facilitate reverse engineering.
- ghidra-scripts (new). A collection of my Ghidra scripts to facilitate reverse engineering and vulnerability research.
- Invoke-Shellcode.ps1. Updated cmdlet with -Stealth command line switch (see my pull request).
- samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
- mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
- havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
- ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
- orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
- scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
- sequel.tgz. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
- p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.
Old School
- brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
- ward.c. Fast wardialer for UNIX systems, it scans a list of phone numbers hunting for active modems.
- rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
- bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
- x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
- psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
- backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
- autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.
Exploitation
- abo-exploits.tgz. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
- fs-exploits.tgz. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
- vulndev-exploits.tgz. Exploit code for vuln-dev challenges. Currently, there are 2 accomplished challenges.
- linux-x86-exploits.tgz. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
- solaris-sparc-exploits.tgz. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
- shellcode.tgz. An old collection of Linux and BSD shellcode, illustrating different concepts and techniques.
- libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.
Esoteric
Packet Filters
- rc.iptables. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
- pf.conf. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.
Application Firewalls
Virtual Private Networks
- torrc. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
- openvpn-*.conf. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.
Random Stuff
- Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
- 0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
- Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
- Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
- Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
- Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
- This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.
- Vault 7. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!
Copyright (c) 1998-2021 Marco Ivaldi at 0xdeadbeef dot info (celebrating 23 years!)