,,,,,,,,                               ,,                   $$      Andrea         
  $$     $$                              $$                   $$       Purificato     
 ,$"     $$   ,$"""$,   $$    $$    $$  ,$"        ,$"""$,    $$"""$,             .0. 
 $$,,,,,$"    ,,,,,$$   "$,  $"$,  $$   $$         ,,,,,$$   $$     $$            ..0 
,$"  "$,    ,$""   ,$"   $$ $" $$ $$   ,$"       ,$""   ,$" ,$"     $$            000 
$$     "$,  $$    ,$$    "$$"  "$,$    $$        $$    ,$$  $$    ,$"                 
""       ""  """"" ""     ""    ""     """""""""  """"" ""  """""""               # cd

Excuse: we are Microsoft. What you are experiencing is not a problem; it is an undocumented feature.

0xbfff About me

アンドレア 「ブンケル」 プリフィカト
Welcome to Rawlab, my personal page.
I don't know why you are here, but I'm sure you have your reasons for it.

I'm a Computer Security Enthusiast, born exactly 754572220 seconds ago in a banana republic called Italy.

I don't like to write thousand lines of code: programming, networking, cryptology and ham-radio technology skills are simply corrateral effects of my computer security interest. I'm a big fan of Ockham's razor.

I'm currently full time working for Unidata S.p.A. and TelecomItalia S.p.A. as Ethical Hacker. My main activities include Penetration Testing, Information Security Auditing and a little bit of vulnerability researching when I have free time.

During my work experience I have discovered and published some vulnerabilities (CVE-2007-2791, CVE-2007-0805, CVE-2007-0876, CVE-2008-0589, Oracle Portal XSS), and developed many exploit codes.

Upcoming alerts: OracleAS (id 10846253, 10903225).

I also like to practice aikido (it), listen good hi-fi music and play piano and Hammond organ with my band.

• If you want to write me a super secret email, please use my gpg key:
  • andrea.purificato@gmail.com
  • a.purificato@uni.it, bunker@uni.it
• UIN: 9098571 and jabber id: bunker@jabber.linux.it. Skype and MSN are not my friends.
• I'm linked in!
• See my house from sat: here - Aerial: north, south, west, east.
• If you want, you can leave a comment on my guestbook

If you are searching for crazy people try to join #alcool channel on irc.freenode.org.

Sometimes I'm astonished by the human stupidity, irrecuperable losses of infantile minds, so I hold a personal /dev/null as reminder...

[brainfuck]

+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.

0xbffe Codes

My poor codes/works/tools.

Exploits

Tru64 exploit

• tru64-sshenum.pl - HP Tru64 UNIX v5.1B-3/4 Secure Shell user enumeration (CVE-2007-2791)
• osf1tru64ps.ksh - HP Tru64 Alpha OSF1 v5.1 "ps" information leak (CVE-2007-0805)

IBM AIX exploit

• ibmaixps.sh - IBM AIX 5.2, 5.3, 6.1 "ps" information leak (CVE-2008-0589) (new)

Oracle database exploit (recently updated with PLSQL version)

Evil Views

• bunkerview.sql - Evil Views exploit for Oracle 9i/10g (CVE-2007-3855)

Evil cursor injection

• sys-lf-findricsetV2.sql, sys-lf-findricsetV2.pl - SQL Inj in SYS.LT.FINDRICSET V2 (11g/10g) - Become DBA (CVE-unknown, Oracle CPUOct2007)
• kupm-mcpmainV2.sql, kupm-mcpmainV2.pl - SQL Inj in KUPM$MCP.MAIN.pl V2 (10g) - Become DBA (CVE-unknown)
• dbms_cdc_subscribeV2.sql, dbms_cdc_subscribeV2.pl - SQL Inj in DBMS_CDC_SUBSCRIBE V2 (9i/10g) - Become DBA (CVE-2007-0269)
• dbms_meta_get_ddlV2.sql, dbms_meta_get_ddlV2.pl - SQL Inj in DBMS_METADATA V2 (9i/10g) - Become DBA (CVE-2006-0260)
• kupw-workerV2.sql, kupw-workerV2.pl - SQL Inj in KUPW$WORKER.MAIN V2 (10g) - Become DBA (CVE-2006-3698)
• kupv-ft_attach_jobV2.sql, kupv-ft_attach_jobV2.pl - SQL Inj in KUPV$FT.ATTACH_JOB V2 (10g) - Become DBA (CVE-2006-0586)

Classic SQL injection

• sys-lf-findricset.sql, sys-lf-findricset.pl - SQL Inj in SYS.LT.FINDRICSET (11g/10g) - Become DBA (CVE-unknown)
• kupm-mcpmain.sql, kupm-mcpmain.pl - SQL Inj in KUPM$MCP.MAIN.pl (10g) - Become DBA (CVE-unknown)
• dbms_cdc_subscribe.sql, dbms_cdc_subscribe.pl - SQL Inj in DBMS_CDC_SUBSCRIBE (9i/10g) - Become DBA (CVE-2007-0269)
• dbms_meta_get_ddl.sql, dbms_meta_get_ddl.pl - SQL Inj in DBMS_METADATA (9i/10g) - Become DBA (CVE-2006-0260)
• kupw-worker.sql, kupw-worker.pl - SQL Inj in KUPW$WORKER.MAIN (10g) - Become DBA (CVE-2006-3698)
• kupv-ft_attach_job.sql, kupv-ft_attach_job.pl - SQL Inj in KUPV$FT.ATTACH_JOB (10g) - Become DBA (CVE-2006-0586)
• dbms_exp_ext.sql, dbms_exp_ext.pl - SQL Inj in DBMS_EXPORT_EXTENSION (9i/10g) - Become DBA (CVE-2006-2081)

Cross Site Scripting (XSS) exploit

• xss_popup_name.txt - XSS on PORTAL.WWPOB_HOME_PAGE of Qracle Portal (CVE-unknown)
• qdig-1.2.9.3-dev.txt - XSS on Qdig Version 1.2.9.3 and -devel-20060624 (CVE-2007-0876)

Exploiting Linux/x86
Beating stack randomization on linux 2.6

• exp_call_rand.pl - Exploit sample against stack randomization ("call *%edx" technique)
• exp_jmp_rand.pl - Exploit sample against stack randomization ("jmp *%esp" technique)

Advanced Buffer Overflow (abo) solutions

• exp_rand_abo4.pl - Linux/x86 exploit against stack randomization for abo4 (Perl language)
• exp_rand_abo3.pl - Linux/x86 exploit against stack randomization for abo3 (Perl language)
• exp_rand_abo1.pl - Linux/x86 exploit against stack randomization for abo1 (Perl language)
• exp-abo5.txt - Linux/x86 exploit n.1 for abo5 (cli + Perl).
• exp-abo4.txt - Linux/x86 exploit n.1 for abo4 (cli + Perl).
• exp-abo3.txt - Linux/x86 exploit n.1 for abo3 (cli + Perl).
• exp-abo1.txt - Linux/x86 exploit n.2 for abo1 (cli + Perl).
• exp-abo1.c - Linux/x86 exploit n.1 for abo1 (C language).

Shellcodes

Solaris/sparc

• bunker_sparc_exec.c - Solaris/sparc shellcode that executes any command after setreuid.
• bunker_sparc_sc1.c - 56 bytes Solaris/sparc shellcode (setreuid + execve).

Linux/x86

• bunker_exec.c - Linux/x86 shellcode that executes any command after setreuid.
• bunker_sc1.c - 32 bytes Linux/x86 shellcode (setreuid + execve).
• bunker_sc2.c - 30 bytes Linux/x86 shellcode (setuid + execve).
• bunkercode.c - Linux/x86 bytecode that prints "bunker was here!" on tty.

Security tools

Blackhat

• perl-backdoor.pl - Advanced Perl backdoor.
• ora_exec_cmd.pl - Execute remote operating system commands from Oracle connection.
• get_oracle_hash.pl - Get Oracle hash in user:hash form. Ready to be cracked.
• proxytest.pl - Perl proxy tester. Report anonymous state and time response.
• nmapper.pl - Nmap wrapper for port-related host screening.
• ptcheck-0.2.tar.gz - Automagically Pentest Utility. It performs a lot of tasks on multiple target hosts.
• sshtiming-0.1.pl - Ssh remote timing tool.

Whitehat

• rc.cryptoswap - Encrypted swap partition (random key) - init script.
• rc.cryptospace - Encrypted data partition - init script.

Miscellaneous

• pancrazio.tar.gz - Funny modular irc perl bot.
• mand_julia-0.4.tar.gz - Fractal generator (julia1, julia2, mandelbrot samples)
• lsdevmod.sh - Displays required modules from a list of PCI-ids.
• wifi-up.sh - Startup wifi script (Prism54g and Orinoco cards).
• ajenda.sh - Bash script for managing notes.
• backuphome.sh - Automagically backup script.
• encrypt-backup.sh - Encrypts entire directory with gnupg and sends it via openssh.
• decrypt-backup.sh - Decrypts encrypted backup.
• bunker-one-xpm.tar.gz - My fluxbox style (xpm version).
• bunker-one-png.tar.gz - My fluxbox style (png version) - sshot.

0xbffd Configuration files

• adblock.txt - Adblock filters.
• vimrc - Vimrc file.
• rc.firewall - Little script with netfilter rules.
• muttrc - Muttrc file.
• Xdefaults - Aterm configuration
• local.cf - Spamassassin rules.
• keys - Fluxbox key-bindings.

0xbffc Papers

• subnb3350.php - Installing slackware on a Gateway Solo 3350 (also on tuxmobil)
• cantenna.php - Building cheaper self-made wireless cantenna - IT (also on repair4laptop)

Finally, I just want to say thank's to my friend Creator for his generosity in providing this excellent web service.
Many thanks also to Pete Finnigan, raptor, Michal Zalewski, Fravia+, Alexander Kornbrust, Alessio Porcacchia, str0ke and all researchers in the wild...

[090551] Hand Made™ [Valid XHTML 1.0, Valid CSS] Last modified: Jul 19, 2008, 02:13pm