Exploits and Misc Code

Capturing NTLM Hashes Like Pokemon!

Exploit Framework Modules

I really like exploit frameworks for writing exploit code. Combined with a good debugger I can usually whip up an exploit in half an hour for the easier things. Most of the time spent developing exploits goes into finding the vulnerable software, installing it, finding where the error occurs, writing the proof-of-concept code and making the exploit code stable. Metasploit is awesome, Canvas is awesome, CORE Impact is expensive. :(

Here is just some of the current code I'm permitted to share:
Exploit | Description | Framework | Rel Date
3Com TFTP Service Overflow | Another one is in MSF3, but it doesn't hurt to have more. | metasploit3 | 03/07/2007
Cisco IOS HTTP Enable | "level 16" access. I'm working on a better msf3 one. | metasploit2 | 2006ish

Auxiliary msf3 modules for various Cisco vulnerabilities (you may need to create the directories):
Cisco IOS HTTP Enable | "level 16" - put into the modules/auxiliary/cisco directory | metasploit3 | 04/25/2007
Cisco IOS HTTP Percent DoS | put into the modules/dos/cisco directory | metasploit3 | 04/25/2007
Cisco IOS HTTP Question DoS | put into the modules/dos/cisco directory | metasploit3 | 04/25/2007
Cisco Catalyst SSH DoS | put into the modules/dos/cisco directory | metasploit3 | 04/25/2007

Services, misc other code, etc.:
Allaire/Macromedia JRun 3.1 ISAPI Filter | Old but fun! | metasploit3, canvas | 03/07/2007
SMB Sniffer | For Metasploit 2.7. Uses the preset challenge key from the Free Rainbow Tables HALFLMCHALL tables. Outputs in PWDump format, which can be imported into Cain and Abel for cryptanalysis. | metasploit2 | 04/24/2007

Miscellaneous Security Code

Various other bits of scripts and code I've written over the last few years.

ColdFusion CFEXECUTE script - When you have upload privileges on a ColdFusion box, use this to run commands with the privileges of the ColdFusion service.

ColdFusion MX Admin Password - For pre-7 I think. Attempts to get the password for /CFIDE/Administrator -- use it with the CFEXECUTE script for super happy fun ^__^

ColdFusion/WSFTP.INI Password Decoder - Kind of says it all.

WebSphere Password Decoder - Based on a review of the base64-encoded values, WebSphere uses a single {Xor} key when storing passwords in its config files. Paper here: http://www.encodegroup.com/pdf/esp0302.pdf


Mar 7, 07 - First post! Woohoo!
Apr 24, 07 - Added smb_sniffer.
Apr 25, 07 - Rest of the Cisco msf3 auxiliary stuff and page cleanup.
Oct 12, 07 - NTLM Pokemon