HaxenCode

This is the personal website of Ronald Volgers. There's not much on here at the moment.

My interests include programming in C, Rust, Python or even PHP, doing strange and unnatural things with other people's binaries, and occasionally having some fun with HTML, JavaScript and CSS.

As a part of the Eindbazen CTF team I play CTFs (organised hacking competitions).

I currently work as a security specialist at Computest. Things I post on this website are not related to my work.

Security issues

Links to some public security issues I have found and reported. I do not post the exploits here.

Identifier(s) Description
CVE-2009-2415 Remote code execution (as root on Debian Etch) using integer overflows in memcached.
CVE-2009-2906 Debian local root using race condition in Samba's mount.cifs setuid binary.
CVE-2010-0393 Debian local root using an untrusted locale file leading to a format string exploit in CUPS lppasswd setuid binary.
CVE-2013-0132 & CVE-2013-0133 Multi-step local root using insecure custom suexec setuid binary and administrative scripts installed by Plesk Panel.
Salt 25.2.19.1.2 Salt Stack generated all RSA keys with an exponent of 1 (i.e., no encryption).
Salt 25.2.19.1.1 A path traversal bug allowed anyone to connect as a minion to a Salt master.
Salt 25.2.19.1.3 A logic bug allowed any minion to run commands as root on the Salt master.

CTF writeups

Some of my writeups of interesting challenges I've solved during various CTFs with our Dutch CTF team, the Eindbazen. Unfortunately we haven't been playing as much recently as everyone is busy with other things, but in 2012 and 2013 we were ranked third in the world.

"Harry Potter" from PlaidCTF 2014
Exploiting a network buffer overflow, bypassing stack smashing protection using C++ exceptions.

"Kappa" from PlaidCTF 2014
Reverse engineering a network service, finding and exploiting a type confusion vulnerability, and using information leaks to resolve libc symbols.

"ropasaurusrex" from PlaidCTF 2013
Very basic stack buffer overflow, exploited using a 2-stage ROP chain to bypass NX and ASLR.

"pyjail" from PlaidCTF 2013
Getting a shell from Python eval(), with a very restricted set of allowed characters, a low character count limit, and a nearly empty environment.

"shop" from 29C3 CTF
Recovering plaintext from an AES-OFB encrypted value using a padding oracle.

"Web 42" from 29C3 CTF
Reverse engineering obfuscated Python bytecode.

"servr" from PlaidCTF 2013
Remotely exploiting a Linux kernel heap overflow.

"giga" from PlaidCTF 2013
Recovering RSA private keys when a low-entropy random number generator is used, determining the public key using an oracle.

"dethstarr" from SecuInside 2012
Reverse engineering, multi-stage ROP with tight buffer size constraints.

"RSA" from PlaidCTF 2012
Decrypting 4096-bit RSA using brute force (possible because the plaintext is short and unpadded, and the RSA public exponent is 3).

"Khazad" from Ghost in the Shellcode 2012 finals
Reverse engineering and exploiting a backdoor hidden in the DWARF exception unwinding metadata of a C++ binary.

"ps3game" from RWTHCTF 2011
Reverse engineering and bypassing a kernel module that validates network traffic using an RSA/TEA based cryptographic signature scheme.

Contact

Email: ronald@v0lg3rs.nl (GPG key available on request)