2008-11-15 0:09:38 Posted by: Trace
Metasploit is a nice tool written in Ruby and very useful to penetration testers (and script kiddies). It provides good information on exploit techniques and is also a useful resource for exploit developers and security professionals. The latest release is version 3.1 as of now, and its upcoming version 3.2 will be even more of a hack-pack.
2008-11-14 15:55:04 Posted by: Trace
An information disclosure vulnerability exists in the way the Microsoft LDAP server responds to bind requests. When an invalid password is provided, the server responds with result code 49 (invalidCredentials) and an error message. A different error message is returned if an invalid username is provided.
2008-11-14 7:53:59 Posted by: Trace
Abstract: A web shell. The system permissions were set very well: the commonly used executables could not be run, and executables uploaded to writable directories had no execute permission either. In the end I found that rundll32.exe had been missed when the permissions were set, so I wrote this code.
2008-10-29 19:37:46 Posted by: Trace
You may have seen the news concerning Metasploit 3.2’s planned features. Now I want to show the Windows users out there how they can get a sneak peek too. Just follow these steps and you’ll have Metasploit 3.2 GUI running in no time.
2008-10-28 23:24:24 Posted by: Trace
Author: Polymorphours
Email: Polymorphours@whitecell.org
Homepage: http://www.whitecell.org
Date: 2008-10-28
2008-10-28 22:03:01 Posted by: Trace
Derived from EMM's exp, replaying the attack over a socket.
The local machine can be any platform, so in that respect the success rate is slightly higher than EMM's exp.
When the original does not succeed, you can try this one.
2008-10-28 18:50:55 Posted by: Trace
Last time I dumped the database I unfortunately lost this one. Today, just as I was doing an injection attack, the database machine had no gateway configured, so I added one myself to try it out; with luck it could get straight onto the Internet. I didn't know the gateway IP, so I had to write a batch script to probe for it; it comes down to luck.
2008-10-25 9:41:21 Posted by: Trace
I spent a couple of hours tonight reversing the vulnerable code responsible for the MS08-067 vulnerability. This bug is pretty interesting, because it is in the same area of code as the MS06-040 buffer overflow, but it was completely missed by all security researchers and Microsoft. It's quite embarrassing.
2008-10-24 14:09:15 Posted by: Trace
This is because it depends on the state of the stack prior to the "overflow".
You need a slash on the stack prior to the input buffer.
2008-10-24 3:27:13 Posted by: Trace
There is some fuss about RPC on Windows platforms.[1] As usual, I recommend temporarily disabling RPC from starting up when Windows boots. RPC is nasty, and yet again a severe flaw has been found that attackers can abuse to take over a remote PC, and it doesn't require user interaction. An attacker can just send an RPC request remotely and take over your PC, including but not limited to using it to spread worms. It's highly recommended that you temporarily turn RPC off if you haven't already done so. I wrote a small script that can do it for you in Internet Explorer, if you trust me of course! If you haven't got Internet Explorer you can do it manually as well.
2008-10-21 12:12:50 Posted by: Trace
Tr4c3's note: still Token Kidnapping.
2008-10-20 7:46:14 Posted by: Trace
#---------------------------------------------------------------------------------#
# SunOS 5.9 [UltraSPARC] sadmind Remote Root Exploit by KingCope in 2008 #
# #
# Most of work was shamelessly ripped from HD-Moore and RISE-Security exploits!!! #
# Bug found by RISE-Security. #
# Sparc exploit by KingCope [kcope2@googlemail.com] #
# Maybe I will extend this to Solaris 8/10/11 in future ?? #
# thanks to alex,andi,adize ... #
# #
###################################################################################
2008-10-17 11:46:40 Posted by: Trace
I previously posted a tool that uses db_owner privileges to back up an HTA into the startup folder for privilege escalation. A friend asked how to do the backup on a Korean system: just replace the path.
2008-10-16 15:22:33 Posted by: Trace
MS08-066 exp
2008-10-14 22:27:09 Posted by: Trace
An Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known binary password file using UTL_FILE.PUT_RAW from within the DB.