As an exploit writer at Core Security, I have discovered and exploited some security bugs. My specialty is open-source software vulnerabilities:
* ProFTPD "mod_ctrld" privilege escalation
* Synce Remote Command Injection (Oren Isacson did the exploit in this one)
* Firebird Multiple Vulnerabilities (did some research to help Damian Frizza in this one)
* MPlayer 1.0rc2 buffer overflow vulnerability (together with Damian Frizza too)
* GNU ED heap buffer overflow (it was hard, considering the small source code of ED)
* GNU Make heap buffer overflow (actually, it was already reported, and the exploitability was minimal)
* Vinagre "vinagre_utils_show_error()" Format String Vulnerability
* Qemu and KVM VNC server remote DoS
* Amaya multiple stack buffer overflows: Dan Crowley found the first bug, I just did the detailed analysis and found a couple of additional bugs (more like 50 overflows), most of which still exist. I recommend Amaya as a tutorial for vulnerability research, because it is written very, very badly.
* Multiple VNC Clients Multiple Integer Overflow Vulnerabilities: I just did a small analysis for this bug; the credit must remain with Futo and Fernando, they did most of the work.
* And my "attention whore" bugs :)
  * OpenBSD IPv6 mbufs remote kernel buffer overflow (Gerardo Richarte did much of the exploit design) (it made it to Slashdot!)
  * Multiple vulnerabilities in Google's Android SDK (this was a hard one) (it made it to Slashdot too!)
  * NASA CDF stack overflow: simple bug, but very fun!
  * NASA BigView stack overflow: I don't think this one is "Highly critical", but anyway, it was a little hard to exploit.
  * BIOS Rootkit Attack (with Anibal Sacco): Yes! Another hit on Slashdot. This is not even a vulnerability, but hey, we made the PoC, it really works, and it was the result of two research weeks of pure fun.
    * Deactivate the Rootkit (also with my pal Anibal Sacco): You never know what you are going to find lurking in unexplored places in software, and this is a great example. While trying to insert our own rootkit in a notebook, we found one already there! Well, in fact, it is not initially a rootkit but an anti-theft device, but many security vulnerabilities make it behave that way. Also on Slashdot.