Random links

Grey Goo, a tiny, available and reliable remote command execution server and client for emergency situations.

Embracing modern technologies, I now have a blog.

MIPS XOR encoder, compiled dynamically within Metasploit using Metasm, with a sample exploit for the Linksys WRT54G.

TTYtools, some tty-related tools for pen-testers: a generic backdoor for programs that ask interactively for a password, such as sudo, and a program to steal a tty from running processes.

SSTIC 2008, a short talk ("rump session") Raphaël Rigo, Romain Raboin and I gave in French about the tools we wrote after the OpenSSL/Debian advisory to remotely discover vulnerable keys in authorized_keys files, decipher SSH traffic and retrieve DSA private keys (even from non-weak keys). Some of the tools are available here. We also wrote an article in this MISC issue (French).

MISC issue where Stephane Duverger and I wrote about Linux kernel exploitation (remote and local).

Meterpretux, a Unix implementation of a Meterpreter-like payload for Metasploit.

kernelsec, a Debian/Ubuntu repository with grsecurity kernel packages.

metasm, a Ruby assembler/disassembler/linker/compiler/debugger. Now part of Metasploit 3.

Madwifi remote Linux kernel exploit, a very reliable remote kernel exploit for the Madwifi Linux kernel driver.

SSTIC 2007 presentation on Wi-Fi fuzzing: how we found this Madwifi security flaw (CVE-2006-6332) (and three others in other vendors' drivers) and wrote a reliable remote kernel exploit for it (French). We also gave a follow-up talk at hack.lu where we focused on access point security flaws (read from slide 41).

crctools, some tools to compensate a CRC: give it a file and a target CRC and it will patch the file so that the file's new CRC matches the target. In other words, it generates a preimage for any given CRC, which implies it can also generate collisions.

Slipfest, a Windows HIPS evaluation suite. Tool and CanSecWest slides.

obsdretf, PoC: how to bypass W^X in OpenBSD < 3.9 by returning to a far ret. 'Advisory'. I wrote a challenge for Securitech 2006 and for the 2006 edition of the HITB capture the flag, where one of the challenges was to use this attack on this target. The solution to this challenge is explained here (in French). I also wrote a few lines about this attack in an article about address space protection in this MISC issue. Three years later it has been made available here.

mipsfencoder, a NUL-free shellcode encoder for the MIPS architecture (little endian and big endian) and a MIPS shellforge loader. It is now integrated into Metasploit; do not use this version.

mips.elf.external.resolution.txt, a few notes on Linux MIPS reverse engineering. I did some reverse engineering and exploitation of MIPS embedded devices. Raphaël Rigo wrote this useful MIPS IDA plugin while he was my trainee.

dtdumper, a small utility to dump GDT/LDT and IDT tables on Linux and BSD.

SSTIC 2005, a short talk ("rump session") I gave in June 2005 about local vulnerabilities in GNU/Linux, especially NULL pointer dereferences in the Linux kernel (in French).

Security CA, collection of various GPG keys.

ASLR26, the first security patch for the 2.6 kernel (DEPRECATED, use PaX or grsecurity).

PaX obscurity patch (Not maintained).

Not so random links

a few vulnerabilities

contact me; you can use my GPG key

About Julien Tinnes

I am currently working at Google.

Previously, I was a security engineer and technical project manager at Orange Labs, formerly France Telecom R&D. I was responsible for the conception and development of security tools and infrastructures for penetration tests and security evaluations. Our targets included embedded devices, operating systems, regular applications and web applications.

I am also a part-time lecturer at various French Grandes Écoles: ENST (École Nationale Supérieure des Télécommunications, now Télécom ParisTech), INT (Institut National des Télécommunications, now Télécom SudParis) and ECE (École Centrale d'Électronique).
I give lectures on system architectures and various security-related topics.
