Menu: about me - exploit - PoC - shellcodes - tools - confs - papers - thanks

アンドレア 「ブンケル」 プリフィカト
Welcome to Rawlab, my personal page.
I don't know why you are here, but I'm sure you have your reasons for it.

I'm a Computer Security Enthusiast, born exactly 814374586 seconds ago in a banana republic called Italy.

I don't like to write thousand lines of code: programming, networking, cryptology and ham-radio technology skills are simply corrateral effects of my computer security interest. I'm a big fan of Ockham's razor.

I'm currently collaborating with NTT Security Limited and INPS as Senior Security Specialist. In the past, I was full time employed for Unidata S.p.A. and TelecomItalia S.p.A. as Ethical Hacker. My main activities include Penetration Testing, Information Security Auditing and a little bit of vulnerability researching when I have free time.

During my working experiences I have discovered and published some vulnerabilities (CVE-2007-2791, CVE-2007-0805, CVE-2007-0876, CVE-2008-0589, Oracle Portal XSS, Communigate Pro stored XSS), and developed many exploit codes.

There are upcoming alerts scheduled for a future disclosure: OracleAS IDs 10846253 and 10903225

• If you want to write me a super secret email, please use my gpg key:
  • andrea.purificato@gmail.com
  • a.purificato@uni.net, bunker@uni.net
• I'm linked in!
• If you want, you can leave a comment on my guestbook

[brainfuck]

+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.

Cross Site Scripting (XSS) Stored exploit

• communigate-pro-5.2.14-xss.txt - Stored XSS on Communigate Pro webmail (CVE-unknown) (new)

Cross Site Scripting (XSS) Reflected exploit

• xss_popup_name.txt - XSS on PORTAL.WWPOB_HOME_PAGE of Qracle Portal (CVE-unknown)
• qdig-1.2.9.3-dev.txt - XSS on Qdig Version 1.2.9.3 and -devel-20060624 (CVE-2007-0876)

Oracle Evil Views exploit

• bunkerview.sql - Evil Views exploit for Oracle 9i/10g (CVE-2007-3855)

Oracle Evil cursor injection exploit

• sys-lt-compressworkspacetreeV2.sql - perl version - SQL Inj in COMPRESSWORKSPACETREE V2 (11g/10g/9i) - Become DBA (CVE-unknown) (new)
• sys-lt-removeworkspaceV2.sql - perl version - SQL Inj in REMOVEWORKSPACE V2 (11g/10g/9i) - Become DBA (CVE-unknown) (new)
• sys-lt-mergeworkspaceV2.sql - perl version - SQL Inj in MERGEWORKSPACE (11g/10g/9i) - Become DBA (CVE-unknown) (new)
• sys-lt-findricsetV2.sql - perl version - SQL Inj in FINDRICSET V2 (11g/10g) - Become DBA (CVE-2007-5511, Oracle CPUOct2007)
• kupm-mcpmainV2.sql - perl version - SQL Inj in KUPM$MCP.MAIN V2 (10g) - Become DBA (CVE-unknown)
• dbms_cdc_subscribeV2.sql - perl version - SQL Inj in DBMS_CDC_SUBSCRIBE V2 (9i/10g) - Become DBA (CVE-2007-0269)
• dbms_meta_get_ddlV2.sql - perl version - SQL Inj in DBMS_METADATA V2 (9i/10g) - Become DBA (CVE-2006-0260)
• kupw-workerV2.sql - perl version - SQL Inj in KUPW$WORKER.MAIN V2 (10g) - Become DBA (CVE-2006-3698)
• kupv-ft_attach_jobV2.sql - perl version - SQL Inj in KUPV$FT.ATTACH_JOB V2 (10g) - Become DBA (CVE-2006-0586)

Oracle Classic SQL injection exploit

• sys-lt-compressworkspacetree.sql - perl version - SQL Inj in COMPRESSWORKSPACETREE (11g/10g/9i) - Become DBA (CVE-unknown) (new)
• sys-lt-removeworkspace.sql - perl version - SQL Inj in REMOVEWORKSPACE (11g/10g/9i) - Become DBA (CVE-unknown) (new)
• sys-lt-mergeworkspace.sql - perl version - SQL Inj in MERGEWORKSPACE (11g/10g/9i) - Become DBA (CVE-unknown) (new)
• sys-lt-findricset.sql - perl version - SQL Inj in FINDRICSET (11g/10g) - Become DBA (CVE-2007-5511)
• kupm-mcpmain.sql - perl version - SQL Inj in KUPM$MCP.MAIN.pl (10g) - Become DBA (CVE-unknown)
• dbms_cdc_subscribe.sql - perl version - SQL Inj in DBMS_CDC_SUBSCRIBE (9i/10g) - Become DBA (CVE-2007-0269)
• dbms_meta_get_ddl.sql - perl version - SQL Inj in DBMS_METADATA (9i/10g) - Become DBA (CVE-2006-0260)
• kupw-worker.sql - perl version - SQL Inj in KUPW$WORKER.MAIN (10g) - Become DBA (CVE-2006-3698)
• kupv-ft_attach_job.sql - perl version - SQL Inj in KUPV$FT.ATTACH_JOB (10g) - Become DBA (CVE-2006-0586)
• dbms_exp_ext.sql - perl version - SQL Inj in DBMS_EXPORT_EXTENSION (9i/10g) - Become DBA (CVE-2006-2081)

Tru64 exploit

• tru64-sshenum.pl - HP Tru64 UNIX v5.1B-3/4 Secure Shell user enumeration (CVE-2007-2791)
• osf1tru64ps.ksh - HP Tru64 Alpha OSF1 v5.1 "ps" information leak (CVE-2007-0805)

IBM AIX exploit

• ibmaixps.sh - IBM AIX 5.2, 5.3, 6.1 "ps" information leak (CVE-2008-0589)

Exploiting Linux/x86, beating stack randomization on 2.6

• exp_call_rand.pl - Exploit sample against stack randomization ("call *%edx" technique)
• exp_jmp_rand.pl - Exploit sample against stack randomization ("jmp *%esp" technique)

Advanced Buffer Overflow (abo) solutions

• exp_rand_abo4.pl - Linux/x86 exploit against stack randomization for abo4 (Perl language)
• exp_rand_abo3.pl - Linux/x86 exploit against stack randomization for abo3 (Perl language)
• exp_rand_abo1.pl - Linux/x86 exploit against stack randomization for abo1 (Perl language)
• exp-abo5.txt - Linux/x86 exploit n.1 for abo5 (cli + Perl).
• exp-abo4.txt - Linux/x86 exploit n.1 for abo4 (cli + Perl).
• exp-abo3.txt - Linux/x86 exploit n.1 for abo3 (cli + Perl).
• exp-abo1.txt - Linux/x86 exploit n.2 for abo1 (cli + Perl).
• exp-abo1.c - Linux/x86 exploit n.1 for abo1 (C language).

Solaris/sparc Shellcodes

• bunker_sparc_exec.c - Solaris/sparc shellcode that executes any command after setreuid.
• bunker_sparc_sc1.c - 56 bytes Solaris/sparc shellcode (setreuid + execve).

Linux/x86 Shellcodes

• bunker_exec.c - Linux/x86 shellcode that executes any command after setreuid.
• bunker_sc1.c - 32 bytes Linux/x86 shellcode (setreuid + execve).
• bunker_sc2.c - 30 bytes Linux/x86 shellcode (setuid + execve).
• bunkercode.c - Linux/x86 bytecode that prints "bunker was here!" on tty.

Blackhat Security tools

• perl-backdoor.pl - Advanced Perl backdoor.
• ora_exec_cmd.pl - Execute remote operating system commands from Oracle connection.
• get_oracle_hash.pl - Get Oracle hash in user:hash form. Ready to be cracked.
• proxytest.pl - Perl proxy tester. Report anonymous state and time response.
• nmapper.pl - Nmap wrapper for port-related host screening.
• ptcheck-0.2.tar.gz - Automagically Pentest Utility. It performs a lot of tasks on multiple target hosts.
• sshtiming-0.1.pl - Ssh remote timing tool.

Whitehat Security tools

• rc.cryptoswap - Encrypted swap partition (random key) - init script.
• rc.cryptospace - Encrypted data partition - init script.

Miscellaneous

• pancrazio.tar.gz - Funny modular irc perl bot.
• mand_julia-0.4.tar.gz - Fractal generator (julia1, julia2, mandelbrot samples)
• lsdevmod.sh - Displays required modules from a list of PCI-ids.
• wifi-up.sh - Startup wifi script (Prism54g and Orinoco cards).
• ajenda.sh - Bash script for managing notes.
• backuphome.sh - Automagically backup script.
• encrypt-backup.sh - Encrypts entire directory with gnupg and sends it via openssh.
• decrypt-backup.sh - Decrypts encrypted backup.
• bunker-one-xpm.tar.gz - My fluxbox style (xpm version).
• bunker-one-png.tar.gz - My fluxbox style (png version) - sshot.

• adblock.txt - Adblock filters.
• vimrc - Vimrc file.
• rc.firewall - Little script with netfilter rules.
• muttrc - Muttrc file.
• Xdefaults - Aterm configuration
• local.cf - Spamassassin rules.
• keys - Fluxbox key-bindings.

• subnb3350.php - Installing slackware on a Gateway Solo 3350 (also on tuxmobil)
• cantenna.php - Building cheaper self-made wireless cantenna - IT (also on repair4laptop)

Finally, I just want to say thank's to my friend Creator for his generosity in providing this excellent web service. Many thanks also to Pete Finnigan, raptor, Michal Zalewski, Fravia+, Alexander Kornbrust, Alessio Porcacchia, str0ke and all researchers in the wild...