<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-118641666-1"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-118641666-1');
</script>
<title>0xdeadbeef dot info | raptor's labs</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png?v=QEM9w8Kqgq">
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png?v=QEM9w8Kqgq">
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png?v=QEM9w8Kqgq">
<link rel="manifest" href="/manifest.json?v=QEM9w8Kqgq">
<link rel="mask-icon" href="/safari-pinned-tab.svg?v=QEM9w8Kqgq" color="#5bbad5">
<link rel="shortcut icon" href="/favicon.ico?v=QEM9w8Kqgq">
<meta name="apple-mobile-web-app-title" content="0xdeadbeef.info">
<meta name="application-name" content="0xdeadbeef.info">
<meta name="theme-color" content="#ffffff">
<meta name="author" content="Marco Ivaldi">
<meta name="keywords" content="Marco Ivaldi, raptor, 0xdeadbeef, 0dd, antifork, exploits, hacking, infosec">
<meta name="description" content="Security researcher and hacker Marco Ivaldi shares his exploits, tools, and publications.">
</head>
<body bgcolor="#e0e0e0" text="#000000" link="blue" vlink="navy" alink="#ff8080">
<table width="100%">
<tr><td>
<center><img src="raptor.png" alt="Raptor" height="100" width="500"></center>
</td></tr>
<tr bgcolor="navy"><td>
<center><font color="#e0e0e0">0xdeadbeef dot info.</font></center>
</td></tr>
</table>
<center><i><br>
"A chain is only as strong as its weakest link." -- Charles A. Lindbergh<br>
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK<br>
"Testing can prove the presence of bugs, but not their absence." -- Edsger W. Dijkstra<br>
"The enemy knows the system." -- Claude E. Shannon<br>
"Perfection is achieved when there is nothing left to remove." -- Antoine de Saint-Exupery<br>
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle<br>
"You can't argue with a root shell." -- Felix "FX" Lindner<br>
"The only limit to malloc exploitation is the imagination." -- Qualys Research Team<br>
"Never whistle while you're pissing." -- Hagbard Celine<br>
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous<br>
<br></i></center>
<!--(2002)
Choose Windows. Choose the eXPerience.
Choose flashy menus on your fucking server.
Choose Exchange. Choose IIS.
Choose Code Red, Nimda, the Lovebug, and a sexy Melissa...
Choose Outlook and end up wondering where your stupid .docs are.
Choose not to choose. Let Micro$oft do it for you.
But why would I want to do a thing like that?
I choose not to be chosen: I choose something else.
The reasons? There are too many reasons.
And who needs reasons when you've got Linux?
-->
<!--(2000)
Choose Windows. Choose the Millennium.
Choose engineering with a fucking mouse.
Choose IIS. Choose SQL Server.
Choose VB, IE, ASP, and a fucking big NT...
Choose SMB and end up wondering why your passwords are on that shitty site.
Choose not to choose. Let Micro$oft do it for you.
But why would I want to do a thing like that?
I choose not to be chosen: I choose something else.
The reasons? There are too many reasons.
And who needs reasons when you've got Linux?
-->
<!--(1998)
Choose Windows. Choose 95.
Choose a fucking debugging career.
Choose IIS. Choose a big NT workstation.
Choose VB, IE, ActiveX players and electrical tin openers...
Choose VISA and end up wondering who the fuck you are on a Sunday morning.
Choose a future. Choose Micro$oft!
But why would I want to do a thing like that?
I choose not to choose: I choose something else.
And the reasons? There are too many reasons.
Who needs reasons when you've got Linux?
-->
<table width="100%">
<tr bgcolor="navy"><td>
<center><font color="navy">Fnord!</font></center>
</td></tr>
</table>
<h2><a name="raptor"><font color="navy">[0x01] Who's raptor?</font></a></h2>
I'm Marco Ivaldi, a seasoned security researcher and tech leader with <a href="https://packetstormsecurity.com/files/author/191/">25+ years</a>
of experience, specializing in offensive security, from old school X.25 to modern mobile apps. I work as technical director at
<a href="https://security.humanativaspa.it/">HN Security</a>, a boutique company I co-founded that provides tailored offensive
security services.<p>
As a polyglot <a href="https://github.com/search?q=%22marco+ivaldi%22&type=code">programmer</a> of
<a href="https://www.exploit-db.com/?author=315">weird machines</a>, I study <a href="https://how.complexsystems.fail/">how things can go wrong</a>.
I'm a <a href="https://www.isecom.org/about.html">core developer</a> of the <a href="http://www.osstmm.org/">OSSTMM</a>, the international standard
for security testing. I've published many articles in various computing magazines, including
<a href="http://phrack.org/issues/70/13.html#article">Phrack</a>, and I've co-authored some books, such as the popular
<a href="https://www.amazon.com/Hacking-Exposed-Linux/dp/0072262575">Hacking Exposed Linux</a>. I've presented my research at prestigious international
conferences, including <a href="https://web.archive.org/web/20230601160755/https://infiltratecon.com/">Infiltrate</a>. I've recently earned the title of
<a href="https://www.credly.com/users/raptor">Most Valuable Security Researcher</a> from Microsoft. Back in the 90s, I co-founded
<a href="stuff/lc0.jpg">Linux&C</a>, the first Italian magazine about Linux and the open source movement.<p>
I write code in Rust, C, Assembly, Python, Java, C++, Go, JavaScript, Perl, Shell, and more... This is my personal homepage. Please send your
feedback to <<a href="mailto:raptor[at]0xdeadbeef.info">raptor[at]0xdeadbeef.info</a>> (<a href="raptor.asc">PGP key</a>).<p>
<h2><a name="papers"><font color="navy">[0x02] Publications</font></a></h2>
<b>Books</b>
<ul>
<li>2000-2009
<ul>
<li><a href="http://www.osstmm.org/">OSSTMM</a>. Since 2001, I've been a core developer of the Open Source Security Testing Methodology Manual.
<li><a href="https://www.apogeonline.com/libri/arte-hacking-volume-1-jon-erickson/">L'arte dell'hacking</a>. I did the technical review of the translation of <a href="https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441">Hacking: the art of exploitation</a>, by Jon Erickson.
<li><a href="https://www.amazon.it/Vulnerabilit%C3%A0-Linux-pratica-tecniche-exploiting/dp/888150099X/">Vulnerabilità su Linux</a>. I wrote the foreword for this practical exploitation guide by Enrico Feresin.
<li><a href="https://www.amazon.com/Hacking-Exposed-Linux/dp/0072262575">Hacking Exposed Linux</a>. I wrote the VoIP chapter for the third edition of the HEL book, curated by <a href="https://www.isecom.org/">ISECOM</a>.
</ul>
<li>2010-2019
<ul>
<li><a href="https://www.hoepli.it/libro/cyberworld/9788820356927.html">Cyberworld</a>. I co-authored this book sponsored by the Italian DoD's <a href="http://www.difesa.it/">National Security Observatory</a>.
<li><a href="https://clusit.it/wp-content/uploads/download/Rapporto_Clusit%202016.pdf">CLUSIT Report 2016</a>. I co-authored the e-commerce section of this edition of the annual <a href="https://clusit.it/">CLUSIT</a> ICT security report.
<li><a href="https://www.hackerhighschool.org/">Hacker Highschool</a>. I've contributed to this ISECOM project that promotes security awareness for teens.
</ul>
</ul>
<b>Articles</b>
<ul>
<li>2000-2009
<ul>
<li><a href="papers/anonimato_su_internet.html">L'anonimato su Internet</a>. About <a href="https://www.freehaven.net/anonbib/">anonymity</a> and privacy on the Internet, appeared on <a href="https://www.apogeonline.com/articoli/lanonimato-su-internet-marco-ivaldi/">Apogeonline</a> in January 2000.
<li><a href="papers/echelon.html">Qualcuno ci ascolta</a>. About the ECHELON network (written in January 2000, not published elsewhere).
<li><a href="papers/quantum.html">Introduzione al Quantum Computing</a>. Introduction to QC, also released as an <a href="papers/44352633-Introduzione-Al-Quantum-Computing.pdf">Apogeonline ebook</a> in July 2002.
<li><a href="papers/x25.pdf">Sicurezza su reti X.25</a>. Whitepaper written for <a href="https://web.archive.org/web/20131001085035/http://www.blackhats.it/">ITBH</a> and released to the public in September 2002.
</ul>
<li>2010-2019
<ul>
<li><a href="https://web.archive.org/web/20200513032849/https://www.mediaservice.net/news/496/la-metrica-di-sicurezza-di-osstmm">La metrica di sicurezza di OSSTMM</a>. About the attack surface security metrics defined by the OSSTMM (rav).
<li><a href="papers/2013_05_43-50_certificazione_sicurezza_osstmm.pdf">La Comunicazione</a>. I wrote the article "ICT Security Certification with the OSSTMM", published by <a href="http://www.isticom.it/">ISCOM</a>.
<li><a href="https://web.archive.org/web/20200513023305/https://www.mediaservice.net/news/504/i-cinque-miti-della-sicurezza-scada">I cinque miti della sicurezza SCADA</a>. Article discussing SCADA security myths and popular beliefs.
<li><a href="https://web.archive.org/web/20160810140112/https://www.mediaservice.net/news/518/protezione-degli-utenti-vip">Protezione degli utenti VIP</a>. Article about tailoring information security services for Top Managers.
<li><a href="papers/ISACA_VENICE_QUADERNI_01_PENTEST_%202014.pdf">Penetration Testing Guidelines</a>. I co-authored these security testing guidelines by <a href="https://www.isaca.org/">ISACA</a>'s Venice Chapter.
<li><a href="https://ieeexplore.ieee.org/document/7784615/">Security Testing with CPDLC</a>. I co-authored this paper on Controller-Pilot Data Link Communications security.
<li><a href="https://web.archive.org/web/20200623001844/https://techblog.mediaservice.net/2017/09/tracing-arbitrary-methods-and-function-calls-on-android-and-ios/">Tracing Android and iOS apps</a>. Blog post explaining how to use my raptor_frida_*_trace.js <a href="https://github.com/0xdea/frida-scripts/">scripts</a>.
<li><a href="https://web.archive.org/web/20200509050017/https://techblog.mediaservice.net/2017/10/in-praise-of-tactical-exploitation/">In praise of tactical exploitation</a>. Blog post introducing my tactical exploitation <a href="https://github.com/0xdea/tactical-exploitation">toolkit</a>.
<li><a href="https://web.archive.org/web/20200702153318/https://techblog.mediaservice.net/2017/11/how-a-unix-hacker-discovered-the-windows-powershell/">How a UNIX hacker discovered PowerShell</a>. Blog post covering my unexpected PowerShell journey.
</ul>
<li>2020-now
<ul>
<li><a href="https://security.humanativaspa.it/hello-world/">Hello, world!</a>. This is the first post on HN Security's blog, where I introduce my new project and team.
<li><a href="http://phrack.org/issues/70/13.html#article">Exploiting a Format String Bug in Solaris CDE</a>. It finally happened... I've been published in Phrack!
<li><a href="https://security.humanativaspa.it/letme-go-a-minimalistic-meterpreter-stager-written-in-go/">Letme.go</a>. A minimalistic Go implementation of the staging protocols used by the Metasploit Framework.
<li><a href="https://security.humanativaspa.it/semgrep-ruleset-for-c-c-vulnerability-research/">Semgrep C/C++ rules</a>. Introducing my Semgrep ruleset for C/C++ vulnerability research.
<li><a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-zyxel-zysh/">Multiple vulnerabilities in Zyxel zysh</a>. Zyxel zysh CVE-2022-26531 and CVE-2022-26532 writeup.
<li><a href="https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/">Automating binary vulnerability discovery with Ghidra and Semgrep</a>. Introducing my static analysis toolkit.
<li><a href="https://security.humanativaspa.it/nothing-new-under-the-sun/">Nothing new under the Sun</a>. Solaris dtprintinfo and libXm/libXpm vulnerabilities writeup.
<li><a href="https://security.humanativaspa.it/two-years-of-hn-security/">Celebrating two years of HN Security</a>. A summary of the first two years of the HN Security project.
<li><a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">OST2, Zephyr RTOS, and a bunch of CVEs</a>. <a href="https://www.zephyrproject.org/">Zephyr RTOS</a> multiple vulnerabilities writeup.
<li><a href="https://security.humanativaspa.it/big-update-to-my-semgrep-c-cpp-ruleset/">Big update to my Semgrep C/C++ ruleset</a>. Introducing new tooling to hunt for bugs in large codebases.
<li><a href="https://security.humanativaspa.it/a-collection-of-weggli-patterns-for-c-cpp-vulnerability-research/">Weggli patterns</a>. Introducing my collection of weggli patterns for C/C++ vulnerability research.
<li><a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">Multiple vulnerabilities in RT-Thread RTOS</a>. <a href="https://www.rt-thread.io/">RT-Thread RTOS</a> multiple vulnerabilities writeup.
<li><a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">Multiple vulnerabilities in RIOT OS</a>. <a href="https://www.riot-os.org/">RIOT OS</a> multiple vulnerabilities writeup.
<li><a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-eclipse-threadx/">Multiple vulnerabilities in Eclipse ThreadX</a>. <a href="https://threadx.io/">Eclipse ThreadX</a> multiple vulnerabilities writeup.
<li><a href="https://security.humanativaspa.it/learning-rust-for-fun-and-backdoo-rs/">Learning Rust for fun and backdoo-rs</a>. It's 2024 and it's high time to learn Rust for offensive operations.
<li><a href="https://security.humanativaspa.it/an-offensive-rust-encore/">An offensive Rust encore</a> <font color="red">(new)</font>. Bring your offensive Rust skills to the next level.
</ul>
</ul>
<b>Honors and Awards</b>
<ul>
<li>2020-now
<ul>
<li><a href="https://www.zyxel.com/global/en/support/security-hall-of-fame">Zyxel Hall of Fame 2022</a>. <a href="https://www.zyxel.com/">Zyxel</a> recognized me in their Hall of Fame for CVE-2022-26531 and CVE-2022-26532.
<li><a href="https://msrc.microsoft.com/blog/2024/01/congratulations-to-the-top-msrc-2023-q4-security-researchers/">MSRC 2023 Q4 Leaderboard</a>. I've made <a href="https://www.microsoft.com/en-us/msrc/researcher-recognition-program">Microsoft Researcher Recognition Program</a>'s 2023 Q4 leaderboard.
<li><a href="https://msrc.microsoft.com/blog/2024/04/congratulations-to-the-top-msrc-2024-q1-security-researchers/">MSRC 2024 Q1 Leaderboard</a>. I've made <a href="https://www.microsoft.com/en-us/msrc/researcher-recognition-program">Microsoft Researcher Recognition Program</a>'s 2024 Q1 leaderboard.
<li><a href="https://msrc.microsoft.com/blog/2024/08/congratulations-to-the-msrc-2024-most-valuable-security-researchers/">MSRC 2024 MVR Leaderboard</a>. I made 25th place in the MSRC 2024 Most Valuable Security Researcher <a href="https://msrc.microsoft.com/leaderboard">leaderboard</a>.
</ul>
</ul>
<b>Related Works</b>
<ul>
<li>2000-2009
<ul>
<li><a href="https://www.exploit-db.com/exploits/25">Exploit #25</a>. The 25th exploit ever added to the Exploit DB targets a vulnerability I discovered in 2003 in OpenSSH/PAM.
<li><a href="https://www.giac.org/paper/gcih/695/rlogin-buffer-overflow-vulnerability-solaris/106945">rLogin Buffer Overflow</a>. This whitepaper was written by Juan Manuel Corredor Garcia for his GIAC GCIH practical.
<li><a href="https://www.giac.org/paper/gcih/700/local-privilege-escalation-solaris-8-solaris-9-buffer-overflow-passwd1/105309">Buffer Overflow in passwd(1)</a>. This whitepaper was written by Shaun McAdams for his GIAC GCIH practical.
<li><a href="https://www.giac.org/paper/gcih/713/internal-threat/107123">The Internal Threat</a>. This whitepaper was written by Jonathan Klein for his GIAC GCIH practical.
<li><a href="https://www.amazon.com/Hacking-Exposed-Cisco-Networks-Solutions/dp/0072259175">Hacking Exposed Cisco Networks</a>. My wardialer ward.c was featured in the Cisco Device Wardialing chapter.
<li><a href="https://www.cnet.com/news/privacy/mysql-worm-hits-windows-systems/">MySQL worm</a>. The MySQL Bot/SpoolCLL Windows worm used my <a href="exploits/raptor_udf.c">UDF exploit</a> to spread.
<li><a href="https://www.giac.org/paper/gcih/759/exploiting-user-defined-functions-mysql/104815">Exploiting UDFs in MySQL</a>. This whitepaper was written by Matthew Zimmerman for his GIAC GCIH practical.
<li><a href="http://eks0.free.fr/whax-demos/?f=raptor_config.xml">Whoppix-raptor</a>. A flash demo showing raptor_chown.c in action done for whoppix.net by ports@portsonline.net.
<li><a href="https://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/Quelques%20astuces%20avec%20LD_PRELOAD.pdf">Quelques astuces avec LD_PRELOAD</a>. French hackin9 article by Stefan Klaas that analyzes a couple of my exploits.
<li><a href="https://dl.packetstormsecurity.net/papers/attack/dvr-cctv.pdf">March Networks DVR-CCTV 3204</a>. A comprehensive insecurity overview of a DVR by Alex Hernandez.
<li><a href="https://hovav.net/ucsd/dist/rop.pdf">Return Oriented Programming</a>. My SPARC return-into-libc exploits were cited in the seminal paper on ROP from 2008.
<li><a href="https://cseweb.ucsd.edu/~savage/papers/CCS08GoodInstructions.pdf">Return Oriented Programming on RISC</a>. Another academic paper on ROP that cites my SPARC exploits.
<li><a href="https://web.archive.org/web/20240616125334/https://doc.lagout.org/security/SQL%20Injection%20Attacks%20and%20Defense.pdf">SQL Injection Attacks and Defense</a>. My Oracle database exploits were featured in this book published by Syngress.
<li><a href="https://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf">Advanced SQL injection to OS full control</a>. Bernardo Damele's Black Hat presentation on SQL injection exploitation.
</ul>
<li>2010-2019
<ul>
<li><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssh/ssh_enumusers.rb">SSH Enumusers</a>. A <a href="https://www.metasploit.com/">Metasploit</a> module that implements the time-based attack against SSH I discovered back in 2003.
<li><a href="https://books.google.it/books?id=9469BwAAQBAJ">Web Security: A White Hat Perspective</a>. My <a href="exploits/raptor_udf2.c">MySQL UDF2 exploit</a> is mentioned among the database attack techniques.
<li><a href="https://sigarra.up.pt/flup/pt/pub_geral.show_file?pi_doc_id=187282">Security Analysis of a Signal Protocol Implementation</a>. This thesis uses my <a href="https://github.com/0xdea/frida-scripts">Frida scripts</a> to analyze WhatsApp.
<li><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/local/libnspr_nspr_log_file_priv_esc.rb">Libnspr NSPR_LOG_FILE</a>. A <a href="https://www.metasploit.com/">Metasploit</a> module that reimplements my <a href="https://0xdeadbeef.info/exploits/raptor_libnspr3">raptor_libnspr3</a> privilege escalation exploit.
<li><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.rb">Glibc LD_AUDIT</a>. A <a href="https://www.metasploit.com/">Metasploit</a> module that reimplements my <a href="https://0xdeadbeef.info/exploits/raptor_ldaudit">raptor_ldaudit</a> privilege escalation exploit.
<li><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/local/xorg_x11_suid_server.rb">Xorg X11 Suid Server</a>. A <a href="https://www.metasploit.com/">Metasploit</a> module that reimplements my <a href="https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm">raptor_xorgasm</a> privilege escalation exploit.
<li><a href="papers/beginners.re.pdf">Beginners.re</a>. I've been quoted on the cover of the Farsi translation of <a href="https://beginners.re/">Beginners.re</a> by <a href="https://ir.linkedin.com/in/jokar">Mohsen Mostafa Jokar</a>.
<li><a href="papers/dailydave2019.pdf">DailyDave</a>. Dave Aitel has <a href="http://lists.immunityinc.com/pipermail/dailydave/2019-January/001535.html">posted</a> a terrific announcement for my talk at <a href="https://web.archive.org/web/20230601160755/https://infiltratecon.com/info/archives.html#archive-year-2019">INFILTRATE 2019</a>. Thanks!
<li><a href="https://www.bsdcan.org/2019/schedule/attachments/494_Hack%20the%20Puffy.pdf">Hack the Puffy</a>. OpenBSD advocacy through CTF, a presentation by Jason Testart.
<li><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb">Exim Wiz</a>. A <a href="https://www.metasploit.com/">Metasploit</a> module that reimplements my <a href="https://github.com/0xdea/exploits/blob/master/linux/raptor_exim_wiz">raptor_exim_wiz</a> privilege escalation exploit.
<li><a href="https://assets.bishopfox.com/prod-1437/Documents/Presentations/200608-BsidesLV-2019_Priyank_RE_Mobile_Transit_Final.pdf">Reverse Engineering Mobile Apps</a>. My <a href="https://github.com/0xdea/frida-scripts">Frida scripts</a> are referenced in this <a href="https://bsideslv.org/">BSides Las Vegas</a> presentation by <a href="https://bishopfox.com/">Bishop Fox</a>.
<li><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/solaris/local/xscreensaver_log_priv_esc.rb">Xscreensaver Log</a>. A <a href="https://www.metasploit.com/">Metasploit</a> module that reimplements my <a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver">raptor_xscreensaver</a> privilege escalation exploit.
</ul>
<li>2020-now
<ul>
<li><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb">OpenSMTPD RCE</a>. A <a href="https://www.metasploit.com/">Metasploit</a> module that reimplements my <a href="https://github.com/0xdea/exploits/blob/master/openbsd/raptor_opensmtpd.pl">raptor_opensmtpd.pl</a> remote code execution exploit.
<li><a href="https://securityconversations.fireside.fm/dave-aitel-immunity?t=889">Security Conversations</a>. Have I aged out of the infosec industry? Join the debate at <a href="https://web.archive.org/web/20230601160755/https://infiltratecon.com/">INFILTRATE 2020</a>;)
<li><a href="https://twitter.com/0xdea/status/1304382287312756736">Hands On Hacking</a>. Matthew Hickey kindly mentioned me and my research in his new <a href="https://www.hackerhousebook.com/">book</a>.
<li><a href="https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt">Sequoia</a>. The awesome Qualys Research Team mentioned me in their <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909">CVE-2021-33909</a> advisory.
<li><a href="https://digitalcommons.usf.edu/cgi/viewcontent.cgi?article=1084&context=mca">Offensive Cyber Operations</a>. My SPARC security research is mentioned in this whitepaper by <a href="https://www.atlanticcouncil.org/expert/jd-work/">JD Work</a>.
<li><a href="https://cs-uob.github.io/COMS20012/slides/coms20012-week2-format-strings.pdf">Format Strings</a>. This lesson by Joseph Hallett at the University of Bristol references my <a href="http://phrack.org/issues/70/13.html#article">Phrack article</a>.
<li><a href="https://ost2.fyi/">OST2</a>. My <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">Zephyr research</a> is mentioned in the <a href="https://ost2.fyi/Vulns1001">Vulns1001</a> and <a href="https://ost2.fyi/Vulns1002">Vulns1002</a> training courses (much recommended!).
<li><a href="https://www.bleepingcomputer.com/news/security/bpfdoor-malware-uses-solaris-vulnerability-to-get-root-privileges/">BPFDoor</a>. The BPFDoor malware used my Solaris <a href="https://github.com/0xdea/advisories/blob/master/2019-02-solaris-xscreensaver.txt">xscreensaver vulnerability</a> to get root privileges.
<li><a href="https://appsec.guide/docs/static-analysis/semgrep/resources/">Trail of Bits Testing Handbook</a>. My <a href="https://github.com/0xdea/semgrep-rules">Semgrep ruleset</a> is mentioned among the suggested rules in this awesome <a href="https://appsec.guide/">handbook</a>.
<li><a href="https://github.com/e-m-b-a/emba">EMBA</a>. The firmware security analyzer is one of <a href="https://github.com/JetP1ane/Callisto">the</a> <a href="https://github.com/20urc3/Sekiryu">many</a> <a href="https://github.com/Vu1nT0tal/Vehicle-Security-Toolkit">cool</a> <a href="https://pypi.org/project/semgrep_rules_manager/">projects</a> that use my vulnerability research tooling.
<li><a href="https://arxiv.org/abs/2406.15103">Finding (and exploiting) vulnerabilities on IP Cameras</a>. The tool developed by the authors is based on my <a href="https://github.com/0xdea/ghidra-scripts">Ghidra scripts</a>.
<li><a href="https://www.linkedin.com/posts/raptor_hd-moore-hdminfosecexchange-activity-7227586834204114945-ZERH/">SSHamble</a>. <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190">My</a> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229">work</a> of 2 decades ago inspired the timing attack features of <a href="https://www.runzero.com/sshamble/">sshamble</a> by <a href="https://en.wikipedia.org/wiki/H._D._Moore">HD Moore</a>.
<li><a href="https://github.com/xorpse/parascope">Parascope</a> <font color="red">(new)</font>. This vulnerability scanner for binaries and source code and its <a href="https://github.com/xorpse/weggli-ruleset">ruleset utility</a> reference my <a href="https://github.com/0xdea/weggli-patterns">weggli patterns</a>.
</ul>
</ul>
<h2><a name="talks"><font color="navy">[0x04] Talks</font></a></h2>
<b>Presentations</b>
<ul>
<li>2000-2009
<ul>
<li><a href="papers/intrusioni-di-rete.ppt">Intrusioni di rete</a>. Slides compiled for an Information Security Master at Milan University (December 2001).
<li><a href="https://web.archive.org/web/20100213123010/http://www.blackhats.it/en/events.html">ITBH events</a>. Archived materials for all the events organized by the <a href="https://web.archive.org/web/20131001085035/http://www.blackhats.it/">ITBH</a> association (2001-2003).
</ul>
<li>2010-2019
<ul>
<li><a href="https://web.archive.org/web/20230402162631/https://www.ares-conference.eu/ares2016/www.ares-conference.eu/conference/wp-content/uploads/2016/08/Webseite-Komplett-Program-ARES-2016.pdf">ARES 2016</a>. Security Testing With Controller-Pilot Data Link Communications.
<li><a href="https://vimeo.com/312131029">Speaker Introduction</a>. Amazing speaker introduction video for my talk at <a href="https://web.archive.org/web/20230601160755/https://infiltratecon.com/info/archives.html#archive-year-2019">INFILTRATE 2019</a>.
<li><a href="https://vimeo.com/335197685">A bug's life: story of a Solaris 0day</a>. Full video of my <a href="https://web.archive.org/web/20200518045907/https://techblog.mediaservice.net/2019/05/raptor-at-infiltrate-2019/">talk</a> at <a href="https://web.archive.org/web/20230601160755/https://infiltratecon.com/info/archives.html#archive-year-2019">INFILTRATE 2019</a>.
<li><a href="https://github.com/0xdea/raptor_infiltrate19">INFILTRATE 2019 party pack</a>. Slide deck, advisory, bonus 0day exploits, and other goodies.
</ul>
<li>2020-now
<ul>
<li><a href="https://vimeo.com/474793702">The INFILTRATE effect: 6 bugs in 6 months</a>. Full video of my <a href="https://security.humanativaspa.it/the-infiltrate-effect-6-bugs-in-6-months/">talk</a> at <a href="https://web.archive.org/web/20230601160755/https://www.infiltratecon.com/conference/briefings/the-infiltrate-effect-6-bugs-in-6-months.html">INFILTRATE 2020</a>.
<li><a href="https://github.com/0xdea/raptor_infiltrate20">INFILTRATE 2020 party pack</a>. Slide deck, advisories, and bonus 0day exploits.
<li><a href="https://www.youtube.com/watch?v=GHpWYAeE02c#t=26m22s">Conosci il nemico</a>. Video of my brief talk about attackers' motivations and techniques (slides: <a href="/papers/nemico.pptx">PPTX</a>, <a href="/papers/nemico.pdf">PDF</a>).
<li><a href="https://humanativaspa.it/en/know-your-enemy/">Know your enemy</a>. English transcription of my talk about attackers' motivations and techniques (<a href="/papers/Accademia%20del%20Cyber_White%20paper.pdf">whitepaper</a>).
<li><a href="https://youtu.be/Nc9ZLTb2hQ8">My last Solaris talk (not your average keynote)</a>. Video of my keynote <a href="https://security.humanativaspa.it/my-last-solaris-talk-not-your-average-keynote/">speech</a> at <a href="https://romhack.io/">RomHack 2021</a>.
<li><a href="https://github.com/0xdea/raptor_romhack21">RomHack 2021 party pack</a>. Slide deck, exploits, and other goodies.
</ul>
</ul>
<b>Interviews</b>
<ul>
<li>2010-2019
<ul>
<li><a href="https://www.newsweek.com/stealing-minutes-95749">Stealing Minutes</a>. Newsweek International reporter Benjamin Sutherland interviewed me for this article on VoIP.
<li><a href="https://web.archive.org/web/20160629085153/http://www.materatown.net/2012/04/materatown-vocat-magister-respondet/">Materatown</a>. I've been interviewed by the fine folks at Materatown.net on the topic of satire and anonymity.
<li><a href="papers/CG1210-magazine.pdf">How Secure is Secure Enough?</a>. Control's Editor-in-Chief Walt Boyes interviewed me for this article on SCADA.
<li><a href="https://www.theregister.com/2016/10/14/ibm_asked_security_researcher_to_pull_exploit_code/">IBM: Yes, it's true</a>. El Reg published an article on IBM's attempt to censor exploit information.
</ul>
<li>2020-now
<ul>
<li><a href="https://vimeo.com/442583799">INFILTRATE Interview</a>. I chatted with Dave Aitel about hacking stuff, while actually hacking stuff in the background.
<li><a href="https://vimeo.com/447602353">My hardest challenge</a>. A short excerpt from my INFILTRATE interview with Dave Aitel.
<li><a href="https://www.youtube.com/watch?v=6FYfUv1pwAg&t=343m51s">Exploit</a> <a href="https://www.youtube.com/watch?v=6FYfUv1pwAg&t=388m42s">Hall of</a> <a href="https://www.youtube.com/watch?v=cnG7CXyz1SI">Fame</a>. <a href="https://twitter.com/dragosr">Dragos Ruiu</a> invited me to this <a href="https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results">Pwn2Own 2021</a> roundtable <a href="https://twitter.com/ivansprundel">with</a> <a href="https://twitter.com/searchio">some</a> <a href="https://twitter.com/nudehaberdasher">legendary</a> <a href="https://twitter.com/esizkur">hackers</a>.
<li><a href="https://youtu.be/nLH731xkftg">Seemposium Podcast</a>. Hacking in the 90s: prepare for a trip down memory lane (in Italian)!
</ul>
</ul>
<h2><a name="advisories"><font color="navy">[0x08] Vulnerabilities</font></a></h2>
<b>Linux</b>
<ul>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1242">CVE-2006-1242</a>. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.
</ul>
<b>OpenSSH</b>
<ul>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190">CVE-2003-0190</a>. I discovered and published this OpenSSH/PAM delay information disclosure vulnerability.
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229">CVE-2006-5229</a>. I discovered and published yet another OpenSSH information disclosure via timing leak.
</ul>
<b>X.Org</b>
<ul>
<li><a href="https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt">CVE-2022-46285</a>. I <a href="https://security.humanativaspa.it/nothing-new-under-the-sun/">discovered</a> and <a href="https://lists.x.org/archives/xorg-announce/2023-January/003312.html">reported</a> a vulnerability in handling XPM files in libXpm.
</ul>
<b>Azure</b>
<ul>
<li><a href="https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg">CVE-2024-29195</a>. I discovered and reported an integer wraparound in <a href="https://github.com/Azure/azure-c-shared-utility">Azure C SDK</a>.
</ul>
<b>Solaris</b>
<ul>
<li><a href="https://github.com/0xdea/advisories/blob/master/2019-01-cde-dtprintinfo.txt">CVE-2019-2832</a>. I (re)discovered and published this 0day local privilege escalation vulnerability in CDE.
<li><a href="https://github.com/0xdea/advisories/blob/master/2019-02-solaris-xscreensaver.txt">CVE-2019-3010</a>. I <a href="https://web.archive.org/web/20200518233611/https://techblog.mediaservice.net/2019/10/local-privilege-escalation-on-solaris-11-x-via-xscreensaver/">discovered</a> and reported this local privilege escalation vulnerability in Solaris xscreensaver.
<li><a href="https://github.com/0xdea/advisories/blob/master/2020-01-solaris-xlock.txt">CVE-2020-2656</a>. I discovered and reported this information disclosure via Solaris xlock.
<li><a href="https://github.com/0xdea/advisories/blob/master/2020-02-cde-dtsession.txt">CVE-2020-2696</a>. I <a href="https://web.archive.org/web/20200617023709/https://techblog.mediaservice.net/2020/01/local-privilege-escalation-via-cde-dtsession/">discovered</a> and reported this local privilege escalation via CDE dtsession.
<li><a href="https://github.com/0xdea/advisories/blob/master/2020-07-solaris-whodo-w.txt">CVE-2020-2771</a>. I discovered and reported this heap-based buffer overflow in Solaris whodo and w.
<li><a href="https://github.com/0xdea/advisories/blob/master/2020-06-cde-libDtSvc.txt">CVE-2020-2851</a>. I discovered and reported this stack-based buffer overflow in CDE libDtSvc.
<li><a href="https://github.com/0xdea/advisories/blob/master/2020-05-cde-sdtcm_convert.txt">CVE-2020-2944</a>. I <a href="https://web.archive.org/web/20200513194744/https://techblog.mediaservice.net/2020/04/cve-2020-2944-local-privilege-escalation-via-cde-sdtcm_convert/">discovered</a> and reported this local privilege escalation via CDE sdtcm_convert.
<li><a href="https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt">CVE-2023-24039</a>. I <a href="https://security.humanativaspa.it/nothing-new-under-the-sun/">discovered</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24039">reported</a> a buffer overflow in libXm.
<li><a href="https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt">CVE-2023-24040</a>. I <a href="https://security.humanativaspa.it/nothing-new-under-the-sun/">discovered</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24040">reported</a> a CDE printer name injection and memory disclosure.
</ul>
<b>Zyxel</b>
<ul>
<li><a href="https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt">CVE-2022-26531</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-zyxel-zysh/">discovered</a> and <a href="https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps">reported</a> multiple memory corruption bugs in Zyxel zysh.
<li><a href="https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt">CVE-2022-26532</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-zyxel-zysh/">discovered</a> and <a href="https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps">reported</a> a command injection vulnerability in Zyxel zysh.
</ul>
<b>Zephyr</b>
<ul>
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-2g3m-p6c7-8rr3">CVE-2023-3725</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> a buffer overflow in the Zephyr CANbus subsystem.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-853q-q69w-gf5j">CVE-2023-4257</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> unchecked user input length in the Zephyr WiFi shell.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gghm-c696-f4j4">CVE-2023-4259</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> two buffer overflows in the Zephyr eS-WiFi driver.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gj27-862r-55wh">CVE-2023-4260</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> an off-by-one buffer overflow in the Zephyr FS subsystem.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5954-jcv4-7rvm">CVE-2023-4261</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> a buffer overflow in the Zephyr IPC subsystem.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-56p9-5p3v-hhrc">CVE-2023-4262</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> multiple buffer overflows in the Zephyr Mgmt subsystem.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rf6q-rhhp-pqhf">CVE-2023-4263</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> a buffer overflow in the Zephyr IEEE 802.15.4 driver.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rgx6-3w4j-gf5j">CVE-2023-4264</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> multiple buffer overflows in the Zephyr Bluetooth subsystem.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vgv-5r6q-r6xh">CVE-2023-4265</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> two buffer overflows in Zephyr USB code.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rhrc-pcxp-4453">CVE-2023-5139</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> a buffer overflow in the Zephyr STM32 Crypto driver.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8x3p-q3r5-xh9g">CVE-2023-5184</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> two signed/unsigned conversion errors in the Zephyr IPM driver.
<li><a href="https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hmpr-px56-rvww">CVE-2023-5753</a>. I <a href="https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-03-zephyr.txt">reported</a> additional buffer overflows in the Zephyr Bluetooth subsystem.
</ul>
<b>RT-Thread</b>
<ul>
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8271">CVE-2024-24335</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> a buffer overflow in RT-Thread dfs_v2/romfs.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8282">CVE-2024-24334</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> some heap buffer overflows in RT-Thread dfs_v2/dfs_file.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8283">CVE-2024-25389</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> the use of a weak random source in the RT-Thread rt_random driver.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8285">CVE-2024-25388</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> a heap buffer overflow in the RT-Thread wlan driver.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8286">CVE-2024-25390</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> some heap buffer overflows in the RT-Thread finsh component.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8287">CVE-2024-25391</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> a stack buffer overflow in RT-Thread IPC.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8288">CVE-2024-25393</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> a stack buffer overflow in RT-Thread AT server.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8289">CVE-2024-25395</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> a static buffer overflow in the RT-Thread rt-link utility.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8290">CVE-2024-25392</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> an out-of-bounds array access in the RT-Thread var_export utility.
<li><a href="https://github.com/RT-Thread/rt-thread/issues/8291">CVE-2024-25394</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-05-rt-thread.txt">reported</a> multiple vulnerabilities in the RT-Thread ymodem utility.
</ul>
<b>ThreadX</b>
<ul>
<li><a href="https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-v9jj-7qjg-h6g6">CVE-2024-2212</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-eclipse-threadx/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-06-threadx.txt">reported</a> some heap buffer overflows in Eclipse ThreadX.
<li><a href="https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-vmp6-qhp9-r66x">CVE-2024-2214</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-eclipse-threadx/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-06-threadx.txt">reported</a> a static buffer overflow in Eclipse ThreadX.
<li><a href="https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-h963-7vhw-8rpx">CVE-2024-2452</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-eclipse-threadx/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-06-threadx.txt">reported</a> some heap buffer overflows in Eclipse ThreadX NetX Duo.
</ul>
<b>RIOT</b>
<ul>
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2572-7q7c-3965">CVE-2024-31225</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> a buffer overflow in RIOT cord.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-v97j-w9m6-c4h3">CVE-2024-32017</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> some buffer overflows in RIOT GCoAP.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-899m-q6pp-hmp3">CVE-2024-32018</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> an ineffective size check due to assert() in RIOT NimBLE.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-x3j5-hfrr-5x6q">GHSA-x3j5-hfrr-5x6q</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> an out-of-bounds memory access in RIOT ESP.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-pw2r-pp35-xfmj">GHSA-pw2r-pp35-xfmj</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> an ineffective size check due to assert() in RIOT BLE.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c4p4-vv7v-3hx8">GHSA-c4p4-vv7v-3hx8</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> an ineffective size check due to assert() in RIOT SUIT.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-r87w-9vw9-f7cx">GHSA-r87w-9vw9-f7cx</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> an integer wraparound in RIOT mtd_emulated.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-2hx7-c324-3rxv">GHSA-2hx7-c324-3rxv</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> an off-by-one and an unterminated string in RIOT lwext4.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-frp5-4gfp-84j3">GHSA-frp5-4gfp-84j3</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> an out-of-bounds memory access in RIOT shell.
<li><a href="https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-x27v-gqp4-7jq3">GHSA-x27v-gqp4-7jq3</a>. I <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/">discovered</a> and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2024-07-riot.txt">reported</a> some buffer overflows in RIOT emCute.
</ul>
<b>Others</b>
<ul>
<li><a href="https://www.illumos.org/issues/11618">smbfs/umount</a>. I discovered and reported to <a href="https://illumos.org/">Illumos</a> a buffer overflow in smbfs/umount.
<li><a href="https://gitlab.isc.org/isc-projects/dhcp/-/issues/280">dhclient</a>. I discovered and reported a format string bug in <a href="https://www.isc.org/dhcp/">ISC DHCP</a> configuration file handling.
<li><a href="https://github.com/coturn/coturn/pulls?q=is%3Apr+0xdea">coturn</a>. I discovered and reported some security issues in the <a href="https://github.com/coturn/coturn/">coturn</a> TURN server.
<li><a href="https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/pull/1017">FreeRTOS</a>. I discovered and reported some security issues and other <a href="https://github.com/FreeRTOS/FreeRTOS/pull/1104">bugs</a> in <a href="https://www.freertos.org/">FreeRTOS</a>.
<li><a href="https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=ee1523630a81fffa6b7d93dd0c7a6191de5856cd">lwIP/httpclient</a>. I discovered and reported an integer wraparound and heap buffer overflow.
<li><a href="https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=b413b040936f48d4cd9ed632ac579542c710efae">lwIP/makefsdata</a>. I discovered and reported an integer underflow and static buffer overflow.
<li><a href="https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf">CVE-2023-49287</a>. I discovered and <a href="https://github.com/0xdea/advisories/blob/master/HNS-2023-04-tinydir.txt">reported</a> some buffer overflow vulnerabilities in TinyDir.
</ul>
<h2><a name="exploits"><font color="navy">[0x10] Exploits</font></a></h2>
<b>Linux</b>
<ul>
<li><a href="exploits/raptor_chown.c">raptor_chown.c</a>. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
<li><a href="exploits/raptor_prctl.c">raptor_prctl.c</a>. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
<li><a href="exploits/raptor_prctl2.c">raptor_prctl2.c</a>. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
<li><a href="exploits/raptor_truecrypt.tgz">raptor_truecrypt.tgz</a>. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
<li><a href="exploits/raptor_ldaudit">raptor_ldaudit</a>. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
<li><a href="exploits/raptor_ldaudit2">raptor_ldaudit2</a>. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
<li><a href="https://github.com/0xdea/exploits/blob/master/linux/raptor_exim_wiz">raptor_exim_wiz</a>. Local privilege escalation via "The Return of the WIZard"
<a href="https://web.archive.org/web/20201201233544/https://techblog.mediaservice.net/2019/06/cve-2019-10149-exploit-local-privilege-escalation-on-debian-gnu-linux-via-exim/">Exim bug</a> (CVE-2019-10149).
</ul>
<b>Solaris/SPARC</b>
<ul>
<li><a href="exploits/raptor_ucbps">raptor_ucbps</a>. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
<li><a href="exploits/raptor_rlogin.c">raptor_rlogin.c</a>. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
<li><a href="exploits/raptor_ldpreload.c">raptor_ldpreload.c</a>. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
<li><a href="exploits/raptor_libdthelp.c">raptor_libdthelp.c</a>. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
<li><a href="exploits/raptor_libdthelp2.c">raptor_libdthelp2.c</a>. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack (NX) version.
<li><a href="exploits/raptor_passwd.c">raptor_passwd.c</a>. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
<li><a href="exploits/raptor_sysinfo.c">raptor_sysinfo.c</a>. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
<li><a href="exploits/raptor_xkb.c">raptor_xkb.c</a>. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
<li><a href="exploits/raptor_libnspr">raptor_libnspr</a>. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
<li><a href="exploits/raptor_libnspr2">raptor_libnspr2</a>. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
<li><a href="exploits/raptor_libnspr3">raptor_libnspr3</a>. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
<li><a href="exploits/raptor_peek.c">raptor_peek.c</a>. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm">raptor_solgasm</a>. Solaris 11 (CVE-2018-14665). Local privilege escalation via
<a href="https://web.archive.org/web/20201130200729/https://techblog.mediaservice.net/2018/11/cve-2018-14665-exploit-local-privilege-escalation-on-solaris-11/">Xorg -logfile and inittab</a>.
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_sparc.c">raptor_dtprintname_sparc.c</a>. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_sparc2.c">raptor_dtprintname_sparc2.c</a>. Solaris 7, 8, 9 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_sparc3.c">raptor_dtprintname_sparc3.c</a>. Solaris 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (SPARC, NX).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver">raptor_xscreensaver</a>. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintcheckdir_sparc.c">raptor_dtprintcheckdir_sparc.c</a>. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC PoC).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintcheckdir_sparc2.c">raptor_dtprintcheckdir_sparc2.c</a>. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (SPARC, NX).
</ul>
<b>Solaris/x86</b>
<ul>
<li><a href="exploits/raptor_ucbps">raptor_ucbps</a>. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
<li><a href="exploits/raptor_sysinfo.c">raptor_sysinfo.c</a>. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
<li><a href="exploits/raptor_libnspr">raptor_libnspr</a>. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
<li><a href="exploits/raptor_libnspr2">raptor_libnspr2</a>. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
<li><a href="exploits/raptor_libnspr3">raptor_libnspr3</a>. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
<li><a href="exploits/raptor_peek.c">raptor_peek.c</a>. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm">raptor_solgasm</a>. Solaris 11 (CVE-2018-14665). Local privilege escalation via <a href="https://web.archive.org/web/20201130200729/https://techblog.mediaservice.net/2018/11/cve-2018-14665-exploit-local-privilege-escalation-on-solaris-11/">Xorg -logfile and inittab</a>.
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintname_intel.c">raptor_dtprintname_intel.c</a>. Solaris 7, 8, 9, 10 (CVE-2019-2832). Buffer overflow in CDE dtprintinfo (Intel, NX).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver">raptor_xscreensaver</a>. Solaris 11.x (CVE-2019-3010). Local privilege escalation via xscreensaver.
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtsession_ipa.c">raptor_dtsession_ipa.c</a>. Solaris 10 (CVE-2020-2696). Local privilege escalation via CDE dtsession.
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_sdtcm_conv.c">raptor_sdtcm_conv.c</a>. Solaris 10 (CVE-2020-2944). Local privilege escalation via CDE sdtcm_convert.
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintcheckdir_intel.c">raptor_dtprintcheckdir_intel.c</a>. Solaris 10 (CVE-2022-43752). Another buffer overflow in CDE dtprintinfo (Intel, NX).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintcheckdir_intel2.c">raptor_dtprintcheckdir_intel2.c</a>. Solaris 10 (CVE-2022-43752). Format string bug in CDE dtprintinfo (Intel, NX).
<li><a href="https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c">raptor_dtprintlibXmas.c</a>. Solaris 10 (CVE-2023-24039). Buffer overflow in libXm via CDE dtprintinfo (Intel, NX).
</ul>
<b>AIX</b>
<ul>
<li><a href="exploits/raptor_libC">raptor_libC</a>. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.
</ul>
<b>OpenBSD</b>
<ul>
<li><a href="https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm">raptor_xorgasm</a>. OpenBSD 6.3, 6.4 (CVE-2018-14665). Local privilege escalation via <a href="https://web.archive.org/web/20201201235526/https://techblog.mediaservice.net/2018/10/cve-2018-14665-exploit-local-privilege-escalation-on-openbsd-6-3-and-6-4/">Xorg -logfile and cron</a>.
<li><a href="https://github.com/0xdea/exploits/blob/master/openbsd/raptor_opensmtpd.pl">raptor_opensmtpd.pl</a>. OpenBSD 6.4, 6.5, 6.6 (CVE-2020-7247). LPE and RCE in OpenBSD's <a href="https://web.archive.org/web/20200804230646/https://techblog.mediaservice.net/2020/02/cve-2020-7247-exploit-lpe-and-rce-in-openbsd-opensmtpd/">OpenSMTPD</a>.
</ul>
<b>Zyxel</b>
<ul>
<li><a href="https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp">raptor_zysh_fhtagn.exp</a>. Zyxel zysh (CVE-2022-26531). Remote code execution via multiple <a href="https://security.humanativaspa.it/multiple-vulnerabilities-in-zyxel-zysh/">format string bugs</a>.
</ul>
<b>Oracle</b>
<ul>
<li><a href="exploits/raptor_oraextproc.sql">raptor_oraextproc.sql</a>. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
<li><a href="exploits/raptor_oraexec.sql">raptor_oraexec.sql</a>. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
<li><a href="exploits/raptor_orafile.sql">raptor_orafile.sql</a>. File system access suite for Oracle based on the utl_file package, to read/write files.
</ul>
<b>MySQL</b>
<ul>
<li><a href="exploits/raptor_udf.c">raptor_udf.c</a>. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
<li><a href="exploits/raptor_udf2.c">raptor_udf2.c</a>. Slight modification of raptor_udf.c that works with recent versions of the open source database.
<li><a href="exploits/raptor_winudf.zip">raptor_winudf.zip</a>. MySQL UDF backdoor kit for M$ Windows (<a href="https://twitter.com/0xdea/status/801200868343193600">ZIP password</a> is "0xdeadbeef").
</ul>
<b>Miscellaneous</b>
<ul>
<li><a href="exploits/raptor_sshtime">raptor_sshtime</a>. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
<li><a href="exploits/raptor_dominohash">raptor_dominohash</a>. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
<li><a href="https://github.com/0xdea/exploits/blob/master/misc/raptor_xorgy">raptor_xorgy</a>. Xorg 1.19.0 - 1.20.2 (CVE-2018-14665). Local privilege escalation via Xorg -modulepath.
</ul>
<h2><a name="code"><font color="navy">[0x20] Tools</font></a></h2>
<b>Vulnerability Research</b>
<ul>
<li><a href="https://lib.rs/rhabdomancer">rhabdomancer</a> <font color="red">(new)</font>. Vulnerability research assistant that locates calls to insecure API functions in a binary.
<li><a href="https://lib.rs/haruspex">haruspex</a> <font color="red">(new)</font>. Vulnerability research assistant that extracts pseudo-code from the IDA Hex-Rays decompiler.
<li><a href="https://github.com/binarly-io/idalib">idalib</a> <font color="red">(new)</font>. I'm a <a href="https://github.com/binarly-io/idalib/pulls?q=author%3A0xdea">contributor</a> to these idiomatic Rust bindings for the IDA SDK.
<li><a href="https://github.com/0xdea/semgrep-rules">semgrep-rules</a>. A collection of my <a href="https://semgrep.dev/">Semgrep</a> rules to facilitate vulnerability research.
<li><a href="https://github.com/0xdea/weggli-patterns">weggli-patterns</a>. A collection of my <a href="https://github.com/weggli-rs/weggli">weggli</a> patterns to facilitate vulnerability research.
<li><a href="https://github.com/0xdea/frida-scripts">frida-scripts</a>. A collection of my <a href="https://frida.re/">Frida.re</a> instrumentation scripts to facilitate reverse engineering.
<li><a href="https://github.com/0xdea/ghidra-scripts">ghidra-scripts</a>. A collection of my <a href="https://ghidra-sre.org/">Ghidra</a> scripts to facilitate reverse engineering and vulnerability research.
</ul>
<b>New School</b>
<ul>
<li><a href="https://github.com/0xdea/tactical-exploitation">tactical-exploitation</a>. A modern tactical exploitation toolkit to assist penetration testers.
<li><a href="https://github.com/0xdea/backdoo-rs">backdoo-rs</a>. Rust implementation of the main staging protocols used by the <a href="https://www.metasploit.com/">Metasploit Framework</a>.
<li><a href="https://github.com/0xdea/blindsight">blindsight</a> <font color="red">(new)</font>. Red teaming tool to dump LSASS memory, bypassing common countermeasures.
<li><a href="code/samba-hax0r">samba-hax0r</a>. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
<li><a href="code/mssql-hax0r">mssql-hax0r</a>. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
<li><a href="code/havoc-0.1d.tgz">havoc-0.1d.tgz</a>. Random ARP traffic generator, BOFH style. It can temporarily hose an Ethernet segment.
<li><a href="code/ikenum">ikenum</a>. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
<li><a href="code/orabackdoor.sql">orabackdoor.sql</a>. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
<li><a href="code/scan-tools.tgz">scan-tools.tgz</a>. A collection of easily customizable bash scripts for network scanning purposes.
<li><a href="code/sequel.tgz">sequel.tgz</a>. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
<li><a href="code/p2s.c">p2s.c</a>. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.
</ul>
<b>Old School</b>
<ul>
<li><a href="code/brutus.pl">brutus.pl</a>. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
<li><a href="code/ward.c">ward.c</a>. Fast wardialer for UNIX systems; it scans a list of phone numbers hunting for active modems.
<li><a href="code/rasbrute.bat">rasbrute.bat</a>. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
<li><a href="code/bounce.c">bounce.c</a>. Simple netcat-like bouncer client that pipes an active TCP session to localhost.
<li><a href="code/x25-tools.tgz">x25-tools.tgz</a>. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
<li><a href="code/psibrute.com">psibrute.com</a>. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
<li><a href="code/backdoor.bas">backdoor.bas</a>. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
<li><a href="code/autoscan.pl">autoscan.pl</a>. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.
</ul>
<b>Exploitation</b>
<ul>
<li><a href="https://github.com/0xdea/shellcode">shellcode</a>. A collection of my shellcode samples for various architectures and operating systems.
<li><a href="https://github.com/0xdea/Ao64A">Ao64A</a>. NASM macOS translation of code listings distributed with the <a href="https://artofasm.randallhyde.com/">Art of 64-bit Assembly Language</a>.
<li><a href="code/abo-exploits.tgz">abo-exploits.tgz</a>. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
<li><a href="code/fs-exploits.tgz">fs-exploits.tgz</a>. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
<li><a href="code/vulndev-exploits.tgz">vulndev-exploits.tgz</a>. Exploit code for <a href="https://seclists.org/vuln-dev/">vuln-dev</a> challenges. Currently, there are 2 accomplished challenges.
<li><a href="code/linux-x86-exploits.tgz">linux-x86-exploits.tgz</a>. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
<li><a href="code/solaris-sparc-exploits.tgz">solaris-sparc-exploits.tgz</a>. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
<li><a href="code/libc-search.c">libc-search.c</a>. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.
</ul>
<b>Esoteric</b>
<ul>
<li><a href="https://github.com/0xdea/xorpd-solutions">xchg rax,rax solutions</a>. My attempt at tackling the x86_64 asm riddles in xorpd's <a href="https://www.xorpd.net/pages/xchg_rax/snip_00.html">xchg rax,rax</a> book.
<li><a href="code/poly.tgz">poly.tgz</a>. An old collection of polyglots, programs that may be compiled in more than one language.
</ul>
<b>Miscellaneous</b>
<ul>
<li><a href="https://github.com/0xdea/raptor-rust-template">raptor-rust-template</a> <font color="red">(new)</font>. My template for starting a Rust project, meant to be used with <a href="https://lib.rs/cargo-generate">cargo-generate</a>.
<li><a href="https://github.com/0xdea/aoc-2024-in-rust">aoc-2024-in-rust</a> <font color="red">(new)</font>. My solutions to <a href="https://adventofcode.com/">Advent of Code</a> 2024 in Rust.
<li><a href="https://github.com/0xdea/zero2prod">zero2prod</a> <font color="red">(new)</font>. My code for <a href="https://www.zero2prod.com/">Zero To Production In Rust</a>, a book by <a href="https://github.com/LukeMathWalker">Luca Palmieri</a>.
</ul>
<h2><a name="config"><font color="navy">[0x40] Configurations</font></a></h2>
<b>Packet Filters</b>
<ul>
<li><a href="https://github.com/0xdea/configurations/blob/master/firewall/rc.iptables">rc.iptables</a>. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
<li><a href="https://github.com/0xdea/configurations/blob/master/firewall/pf.conf">pf.conf</a>. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.
</ul>
<b>Application Firewalls</b>
<ul>
<li><a href="conf/modsecurity-2.6.8.conf">modsecurity-2.6.8.conf</a>. Sample configuration file for the ModSecurity application firewall v2.6.8.
<li><a href="conf/modsecurity-2.5.12.conf">modsecurity-2.5.12.conf</a>. Sample configuration file for the ModSecurity application firewall v2.5.12.
</ul>
<b>Virtual Private Networks</b>
<ul>
<li><a href="https://github.com/0xdea/configurations/blob/master/tor/torrc">torrc</a>. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
<li><a href="https://github.com/0xdea/configurations/tree/master/vpn">openvpn-*.conf</a>. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.
</ul>
<h2><a name="stuff"><font color="navy">[0x80] /dev/random</font></a></h2>
<b>Random Stuff</b>
<ul>
<li><a href="stuff/ralphy.jpg">Ralphy</a>. Ralphy the Raptor has been 0xdeadbeef dot info's mascot for at least a couple of decades.
<li><a href="stuff/raptor.jpg">Utah Bengaled Raptor</a>. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
<li><a href="stuff/defaced.html">0xdefaced</a>. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
<li><a href="stuff/voodoo.jpg">Voodoo</a>. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
<li><a href="stuff/insert-coin.jpg">Insert Coin</a>. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
<li><a href="stuff/itapac.jpg">Control Room</a>. ITAPAC (DNIC 2222) is the best-known Italian X.25 network, still alive as of 2006.
<li><a href="stuff/sidecar.jpg">Sidecar Wardriving</a>. Funny picture of a l33t wardriving session on an original <a href="http://www.ural.com/">Ural</a> sidecar.
<li><a href="stuff/blocked.jpg">This Site is Blocked</a>. A screenshot of UAE's Internet Access Management Policy in action.
<li><a href="stuff/vault7.png">Vault 7</a>. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!
<li><a href="stuff/sploits.jpg">Sploits</a>. My 2006 work was featured in a Russian hacking group ("They used to be good at sploits").
</ul>
<hr>
<a href="http://www.linkedin.com/in/raptor"><img src="linkedin.png" width="48" height="48" border="0" alt="View Marco Ivaldi's profile on LinkedIn"></a>
<a href="http://twitter.com/0xdea"><img src="twitter.png" width="48" height="48" border="0" alt="Follow @0xdea on Twitter"></a>
<a rel="me" href="https://infosec.exchange/@raptor"><img src="mastodon.png" width="48" height="48" border="0" alt="@raptor@infosec.exchange on Mastodon"></a>
<a href="https://www.reddit.com/user/0xdea/"><img src="reddit.png" width="48" height="48" border="0" alt="@0xdea on Reddit"></a>
<a href="https://github.com/0xdea"><img src="github.png" width="48" height="48" border="0" alt="@0xdea on GitHub"></a>
<a href="https://www.credly.com/users/raptor"><img src="credly.png" width="48" height="48" border="0" alt="Marco Ivaldi on Credly"></a>
<br>
<font size=2>
Copyright (c) 1998-2024<font color="red">*</font> Marco Ivaldi at 0xdeadbeef dot info.
All icons by <a target="_blank" href="https://icons8.com">Icons8</a>.
<font color="red">*</font><a href="https://web.archive.org/web/19990427024425/http://www.dislessici.org:80/">26</a>
<a href="https://antifork.org/">years</a> and counting!
</font>
</body>
</html>