Peter Teoh tthtlc

## Awesome checklist of rootkit techniques

https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/000/039/original/dimva16_graziano.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20180612%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180612T004713Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=5793b3c9302c7fff46d7ae9987eb0b2659d05bcaa40d1320d18e0cac276e327b

https://www.giac.org/paper/gsec/3768/windows-rootkits/106071

http://www.dmi.unipg.it/bista/didattica/sicurezza-pg/seminari2008-09/seminario_neri/seminario_neri.pdf

https://indigo.uic.edu/bitstream/handle/10027/9493/Bianchi_Antonio.pdf?sequence=1

http://www.co-c.net/repository-securite-informatique/Papers/SMM-Rootkits-Securecom08.pdf

## gist:0ed4b2075609c812fb814dc6c3e95d7e
https://docs.oracle.com/cd/B19306_01/server.102/b14237/initparams161.htm#REFRN10254
https://galobalda.wordpress.com/2014/02/17/sql-developers-plsql-debugger-and-oracle-12c/
https://www.thatjeffsmith.com/archive/2012/05/using-sql-developer-to-debug-your-anonymous-plsql-blocks/
https://www.thatjeffsmith.com/archive/2014/02/how-to-start-the-plsql-debugger/
www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r2/prod/appdev/sqldev/plsql_debug/plsql_debug_otn.htm#t4


## gist:acfd88df7f0ccce768e4e723c11136df
Result of "git clone https://github.com/oracle/docker-images.git"

/home/tteikhua/docker-images/OracleDatabase/SingleInstance>tree
.
├── COPYRIGHT
├── dockerfiles
│   ├── 11.2.0.2
│   │   ├── checkDBStatus.sh
│   │   ├── Checksum.xe
│   │   ├── Dockerfile.xe

## Result of "docker run -it <image_id>" first time
ORACLE PASSWORD FOR SYS, SYSTEM AND PDBADMIN: g+sLX461IxI=1

LSNRCTL for Linux: Version 12.2.0.1.0 - Production on 25-JUL-2018 03:41:07

Copyright (c) 1991, 2016, Oracle.  All rights reserved.

Starting /opt/oracle/product/12.2.0.1/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.2.0.1.0 - Production
System parameter file is /opt/oracle/product/12.2.0.1/dbhome_1/network/admin/listener.ora

## gist:a75e1baa90a2392cf90a41a071d35ca2
./tensorflow/tools/ci_build/builds/user_ops/cuda_op_kernel.cc:
class AddOneOp : public OpKernel {

./tensorflow/tools/ci_build/builds/user_ops/zero_out_op_kernel_1.cc:
class ZeroOutOp : public OpKernel {

./tensorflow/examples/adding_an_op/cuda_op_kernel.cc:
class AddOneOp : public OpKernel {

./tensorflow/examples/adding_an_op/zero_out_op_kernel_1.cc:

## ssh.py
import subprocess
import sys

HOST="root@172.17.0.2"
# Ports are handled in ~/.ssh/config since we use OpenSSH
COMMAND="uname -a"
COMMAND="ls  -axpt"

ssh = subprocess.Popen(["ssh", "%s" % HOST, COMMAND],
                       shell=False,

## paramiko_ssh.py
import paramiko

ssh = paramiko.SSHClient()
key = paramiko.RSAKey.from_private_key_file("id_rsa.pem")

###openssl rsa -in /path/to/encrypted/key -out /paht/to/decrypted/key
### remember to decrypt as it is encrypted by default (output as id_rsa.pem)
#key = paramiko.DSSKey.from_private_key_file(keyfilename)

ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

## gist:ac9dec6cb7a9ae63ee66dbdda93c6987
/* CVE-2014-0196 DOS PoC [Written May 5th, 2014]
 *    by DigitalCold <digitalcold0@gmail.com>
 *
 * Note: this crashes my i686 Gentoo system running 3.12.14
 * and an old Backtrack 5r3 running 3.2.6. Any advice on how to gain
 * code exec would be greatly appreciated.
 *
 * Usage: gcc -O2 -o pty pty.c -lutil && ./pty
 *
 * CVE: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0196.html

## gist:74c2f71f3d023b385ce6ccde072dd03f
//source: http://www.vsecurity.com/resources/advisory/20101019-1/

/*
 * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
 * CVE-2010-3904
 * by Dan Rosenberg <drosenberg@vsecurity.com>
 *
 * Copyright 2010 Virtual Security Research, LLC
 *
 * The handling functions for sending and receiving RDS messages

## sockex2_user.c
// SPDX-License-Identifier: GPL-2.0
#include <stdio.h>
#include <assert.h>
#include <linux/bpf.h>
#include <bpf/bpf.h>
#include "bpf_load.h"
#include "sock_example.h"
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/resource.h>

	https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/000/039/original/dimva16_graziano.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20180612%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180612T004713Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=5793b3c9302c7fff46d7ae9987eb0b2659d05bcaa40d1320d18e0cac276e327b

	https://www.giac.org/paper/gsec/3768/windows-rootkits/106071

	http://www.dmi.unipg.it/bista/didattica/sicurezza-pg/seminari2008-09/seminario_neri/seminario_neri.pdf

	https://indigo.uic.edu/bitstream/handle/10027/9493/Bianchi_Antonio.pdf?sequence=1

	http://www.co-c.net/repository-securite-informatique/Papers/SMM-Rootkits-Securecom08.pdf
	https://docs.oracle.com/cd/B19306_01/server.102/b14237/initparams161.htm#REFRN10254
	https://galobalda.wordpress.com/2014/02/17/sql-developers-plsql-debugger-and-oracle-12c/
	https://www.thatjeffsmith.com/archive/2012/05/using-sql-developer-to-debug-your-anonymous-plsql-blocks/
	https://www.thatjeffsmith.com/archive/2014/02/how-to-start-the-plsql-debugger/
	www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r2/prod/appdev/sqldev/plsql_debug/plsql_debug_otn.htm#t4
	Result of "git clone https://github.com/oracle/docker-images.git"

	/home/tteikhua/docker-images/OracleDatabase/SingleInstance>tree
	.
	├── COPYRIGHT
	├── dockerfiles
	│ ├── 11.2.0.2
	│ │ ├── checkDBStatus.sh
	│ │ ├── Checksum.xe
	│ │ ├── Dockerfile.xe
	ORACLE PASSWORD FOR SYS, SYSTEM AND PDBADMIN: g+sLX461IxI=1

	LSNRCTL for Linux: Version 12.2.0.1.0 - Production on 25-JUL-2018 03:41:07

	Copyright (c) 1991, 2016, Oracle. All rights reserved.

	Starting /opt/oracle/product/12.2.0.1/dbhome_1/bin/tnslsnr: please wait...

	TNSLSNR for Linux: Version 12.2.0.1.0 - Production
	System parameter file is /opt/oracle/product/12.2.0.1/dbhome_1/network/admin/listener.ora
	./tensorflow/tools/ci_build/builds/user_ops/cuda_op_kernel.cc:
	class AddOneOp : public OpKernel {

	./tensorflow/tools/ci_build/builds/user_ops/zero_out_op_kernel_1.cc:
	class ZeroOutOp : public OpKernel {

	./tensorflow/examples/adding_an_op/cuda_op_kernel.cc:
	class AddOneOp : public OpKernel {

	./tensorflow/examples/adding_an_op/zero_out_op_kernel_1.cc:
	import subprocess
	import sys

	HOST="root@172.17.0.2"
	# Ports are handled in ~/.ssh/config since we use OpenSSH
	COMMAND="uname -a"
	COMMAND="ls -axpt"

	ssh = subprocess.Popen(["ssh", "%s" % HOST, COMMAND],
	shell=False,
	import paramiko

	ssh = paramiko.SSHClient()
	key = paramiko.RSAKey.from_private_key_file("id_rsa.pem")

	###openssl rsa -in /path/to/encrypted/key -out /paht/to/decrypted/key
	### remember to decrypt as it is encrypted by default (output as id_rsa.pem)
	#key = paramiko.DSSKey.from_private_key_file(keyfilename)

	ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
	/* CVE-2014-0196 DOS PoC [Written May 5th, 2014]
	* by DigitalCold <digitalcold0@gmail.com>
	*
	* Note: this crashes my i686 Gentoo system running 3.12.14
	* and an old Backtrack 5r3 running 3.2.6. Any advice on how to gain
	* code exec would be greatly appreciated.
	*
	* Usage: gcc -O2 -o pty pty.c -lutil && ./pty
	*
	* CVE: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0196.html
	//source: http://www.vsecurity.com/resources/advisory/20101019-1/

	/*
	* Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
	* CVE-2010-3904
	* by Dan Rosenberg <drosenberg@vsecurity.com>
	*
	* Copyright 2010 Virtual Security Research, LLC
	*
	* The handling functions for sending and receiving RDS messages
	// SPDX-License-Identifier: GPL-2.0
	#include <stdio.h>
	#include <assert.h>
	#include <linux/bpf.h>
	#include <bpf/bpf.h>
	#include "bpf_load.h"
	#include "sock_example.h"
	#include <unistd.h>
	#include <arpa/inet.h>
	#include <sys/resource.h>