andreas at strodl dot org

exploits

hoagie_udp_sendmsg.c local linux kernel root exploit (udp_sendmsg)
CVE-2009-2698
hoagie_nginx.c remote/local nginx exploit (< 0.5.37, < 0.6.39, < 0.7.62, < 0.8.15)
CVE-2009-2629
hoagie_snoop.c remote snoop buffer overflow root exploit
CVE-2008-0964
hoagie_lighttpd.c remote lighttpd <= 1.4.17 header overflow exploit
CVE-2007-4727
hoagie_php_sscanf.php local php <= 5.1.4, 4.4.3 exploit
CVE-2006-4020
hoagie_lighttpd.c remote openftpd <= 0.30.2 format string exploit
CVE-2004-2523
hoagie_cups.c remote cups <= 1.1.17 integer overflow exploit
CVE-2002-1383
hoagie_solarisldap.c local solaris ldap library buffer overflow root exploit
CVE-2003-1055
hoagie_mysql.c remote mysql <= 3.23.53a privilege escalation exploit
CVE-2002-1374
hoagie_heartbeat.c remote heartbeat <= 0.4.9.1 buffer overflow exploit
CVE-2002-1215
hoagie_dhcpd.c remote isc dhcpd 3.0 format string exploit
CVE-2002-0702
hoagie_ntping.c local scotty/ntping <= 2.1.10 root exploit
CVE-2001-0764
hoagie_restore.c local restore <= 0.4b17 root exploit
CVE-2000-0520
hoagie_kdesud.c local kdesud 0.97 buffer overflow root exploit
CVE-2000-0460

papers

building_webapplication_firewalls.txt - Building state of the art webapplication firewalls
This paper describes a setup for webapplication firewalls with operating system hardening (SELinux), Apache (mod_security, mod_evasive) and advanced XML filtering (schema validation)
p62-0x0a_Attacking_Apache_Modules.txt - Attacking Apache with built-in Modules in Multihomed Environments
This paper shows a simple way to modify the memory layout of an Apache process via PHP or mod_perl in order to gain control of it. It uses the internal PHP function dl(). This kind of attack was used for the flame.php/flame.so attack. See Phrack 62.

reverse engineering

hoagie_twonky.c key generator for TwonkyMedia Server
hoagie_bluecoat.c key generator for Blue Coat Reporter
hoagie_xitnotes.c key generator for Xitnotes
hoagie_profense.c key generator for ArmorLogic Profense Webapplication Firewall
hoagie_tufin.c key generator for Tufin Secure Track
hoagie_zarafa_licensed.c license daemon for Zarafa groupware solution
hoagie_pnlicense.c key generator for Cisco Security Monitoring, Analysis and Response System / CS MARS

tools

wafbuilder - wafbuilder is a web-based webapplication firewall rule builder. It supports mod_rewrite, mod_security and mod_evasive
inetdfun (old) - inetdfun is a simple ICMP-based backdoor for inetd. It uses patterns inside ICMP packets for authentication and launches a process on the target system. The secret and the process command are stored XORed in the binary.
openbsdacl (old) - openbsdacl is a patch for the OpenBSD kernel that adds additional ACLs for networking or any other kernel-based functions that can be used from userland. You can define which users/groups are allowed to bind or connect to defined IP addresses (you can also allow a non-root user to bind a port lower than 1024).
openbsdpriv (old) - openbsdpriv patches a few system commands (like who, finger) and the kernel (sysctl) to display only information for the current user - for example you can see only your own processes.
linksys_mod - linksys_mod can be used to convert binary Linksys configuration files to ASCII files (and vice versa) so you can modify them with a text-based editor and update your system. It can be used to generate a lot of configuration files within provisioning systems.
zebrahead (old) - a very small DNS server for generating specially crafted DNS replies (for example when exploiting applications that handle reverse lookup entries and so on).
Squid Tunnel Kit (old) - Tunnel TCP connections over a squid proxy server through an upstream server.

patches

modsecurity-apache_2.5.9-hpp.diff - HPP (HTTP Parameter Pollution) Patch for ModSecurity 2.5.9. HPP is a new kind of technique to exploit web applications, as described here. Basically this attack uses two variables with the same name in a GET or POST request. This patch detects requests that carry two or more parameters with the same name.
proftpd-1.2.5rc1-multiple-group.diff - Add multiple group support (LDAP) to proftpd (merged into version 2.8.3)
linux-2.6.11.10-grsecurity2.1.5-vserver1.9.5-unionfs-1.0.12a.diff.bz2 - Linux kernel patch for 2.6.11.10 that merges GrSecurity 2.1.5, VServer 1.9.5 and unionfs 1.0.12a
linux-2.4.30-grsecurity2.1.5-vs1.2.10-cryptoloopjari-reiserfsquota.diff.bz2 - Linux kernel patch for 2.4.30 that merges GrSecurity 2.1.5, VServer 1.2.10, Cryptoloop and Reiserfs Quota
linux-2.4.29-grsecurity2.1.1-vs1.2.10-cryptoloop.jari.diff.bz2 - Linux kernel patch for 2.4.29 that merges GrSecurity 2.1.1, VServer 1.2.10 and Cryptoloop

advisories

VSA0402_openftpd.txt OpenFTPD is a free open-source FTP daemon that offers a lot of features (ratios, bandwidth limits, IP address restrictions). The daemon has a format string bug in its internal message system
VSA0309_solarisldap.txt Solaris uses an LDAP library for NSS requests. The library contains a buffer overflow in the hostname resolving routine
VSA0306_yabbse.txt YaBB SE SQL Injection Bugs