ArchivesForums
 
about usforumsassessmentdefensepapersmagazinesmiscellaneouslinkscareers


Welcome to the Exploits for February, 2000 Section.
Some of these exploits are from Bugtraq

To Change Sort Order, Click On A Category.
Sorted By: File Size.

File Name Downloads File Size Last Modified
0002-exploits.tgz4635118734Mar 1 00:31:58 2000
Packet Storm new exploits for February, 2000.
rfp2k01.txt751525154Feb 3 12:44:31 2000
"How I hacked PacketStorm Forums" - A look at hacking wwwthreads via SQL. This is more of a technical paper than an advisory, but it does explain how I used a vulnerability in the wwwthreads package to gain administrative access and some 800 passwords to PacketStorm's discussion forum. Homepage here. By Rain Forrest Puppy
outblaze.htm197023975Feb 23 12:25:20 2000
Remote vulnerabilies in the popular free email software Outblaze - By using authentication strings in the URL after logging in to a mailbox, Outblaze-powered e-mail accounts are left vulnerable to unauthorized access. Anyone who discovers that string before a login session expires can gain full access to any Outblaze-powered e-mail account. By including HTML tags in an e-mail message, one can easily obtain the authorization string for a login session. HTML can also be embedded within a subject so that the victim need not even view the e-mail to be vulnerable. By Sozni
css.htm160718590Feb 17 11:56:25 2000
Cross Site Scripting Summary - Malicious HTML tags (especially scripting tags) can be embedded in client web requests. Homepage here.
qpop-list.c63314543Feb 22 01:03:00 2000
Qpop3.0b30 and below buffer overflow exploit. Remote, but requires username and password. Homepage here. By Portal
fw-13.htm190414200Feb 17 11:56:25 2000
Checkpoint-1 and other firewall vulnerability - The low-down of it is fooling a firewall into opening "a TCP port of your choice" against an FTP server. Or, if you're running an evil FTP server, having it open ports against clients accessing the server. Homepage here.
qpop-xtnd.c63413794Feb 11 01:06:00 2000
Linux x86 exploit for Qualcomm Popper 3.0b?? (was fixed silently) Remote, but requires username / password. Homepage here. By Portal
newsbug.txt212110480Feb 28 16:36:47 2000
Netscape and Outlook are vulnerable to a DoS attack involving bogus news group file entries. Demonstration page here. During testing in approximately 50% of the time OE would crash before it could be stopped. Another bug, similar to Georgi Guninskis' word pad code execution but it uses a .shs (scrap file) is also described, demonstration available here. Homepage here. By Sugien
ebpd.tgz19199084Feb 22 10:45:05 2000
This script sniffs traffic on the network watching for ebay userids and passwords. This is only possible because (as of this writing), ebay does not encrypt passwords -- they are sent in the clear. Homepage here. By Richard Fromm
tinyftpd.exploit.txt26348578Feb 1 13:04:33 2000
Tiny FTPd 0.52 beta3 (Windows FTP Server) has remotely exploitable buffer overflow vulnerabilities. Even anonymous users can execute code. Exploit tested on Windows98(+IE5.01). Homepage here. By Unyun courtesy of Bugtraq
stream2.c8817152Jun 21 11:23:40 2000
stream2.c is a remote dos attack which uses ACK packets to consume large amounts of CPU. This DoS targets FreeBSD, Linux, and Solaris.
inetserv-3.0.c21837108Feb 10 13:52:42 2000
InetServ 3.0 remote DoS exploit. Homepage here. By Dr. Fdisk
proftp_ppc.c36687046Feb 11 13:50:35 2000
Proftpd (<= pre6) linux ppc remote exploit. By Lamagra.
rcgixploit.c.txt42056883Feb 16 13:13:37 2000
Remote CGI exploit - Attempts to exploit five common CGI bugs and retrieve /etc/passwd. By Zinc_Sh
fw1-ftp.txt38716405Feb 10 18:28:46 2000
FireWall-1 FTP Server Vulnerability Background Paper #1 - The basic idea of the described attack is to subvert the security policy implemented by a stateful firewall. This is done by triggering the generation of a TCP packet that, when inspected by the firewall, will change the firewall's internal state such that an attacker is able to establish a TCP connection to a filtered port through the firewall. This packet is the server response to a PASV user request during a FTP session. By John McDonald courtesy of Bugtraq
mmsu-dos.c22026176Feb 25 15:43:56 2000
Microsoft Media Server 4.1 - Denial of Service exploit. This code will crash the Microsoft Media Unicast Server for Windows NT. We have tested this against machines running SP4 and SP6. Exploits the bug in ms00-013 Homepage here. By Kit Knox
microsoft.vm.java.tx..>36606131Feb 1 13:48:04 2000
Another security hole in Microsoft Virtual Machine for Java has been discovered that allows a java applet to read any file on the system. This vulnerability is quite dangerous and immediate de-activation of the IE Java function provided by Microsoft is highly recommended. By Dr. Hiromitsu Takagi courtesy of Bugtraq
instructor.c13775709Feb 1 23:02:22 2000
instructor.c is an OpenBSD 2.5 DoS attack which attempts to execute every 32 bit instruction. It is useful for people who are trying to find hidden features, or hidden bugs in their hardware or operating system. Many "features" have been found with this program. Homepage here. By David Goldsmith
cfing.c26245625Feb 10 18:19:11 2000
Cfingerd 1.3.3 (*BSD) local root buffer overflow exploit. By Babica Padlina
sco.snmpd.txt31185519Feb 9 16:04:44 2000
The default configuration of SCO OpenServer 5.0.5 allows local users read/write access to SNMPD via a default writable community string. This configuration has been verified on SCO OpenServer 5.0.5 and may be present in earlier versions. By Shawn Bracken courtesy of Bugtraq
mysql.txt48685341Feb 9 16:02:40 2000
There exists a vulnerability in the password checking routines in the latest versions of the MySQL server, that allows any user on a host that is allowed to connect to the server, to skip password authentication, and access databases. All versions of MySQL up to 3.22.26a are vulnerable. By Emphyrio courtesy of Bugtraq
twinge.c58505267Feb 10 18:19:11 2000
Crashes almost any Windows box on your local network. Compiles on linux. Cycles through many different types of ICMP packets. By Sinkhole courtesy of Bugtraq
slzbserv.c12885202Feb 2 23:49:08 2000
slzbserv.c - local/remote exploit for ZBServer PRO 1.50-r1x (WinNT). ZBServer PRO 1.50-r1x exploit gets remote servers's full control, allows you to run arbitrary code. Tested on debian. By Zan
rpcclnt.htm16385159Feb 17 11:56:25 2000
When an NT 4.0 workstation or backup domain controller is joined to a domain, the trust account password is set to a well-known initial value. If you are concerned about internal network security, this is not really an acceptable risk. Homepage here.
amd.tgz30425129Feb 8 10:18:54 2000
rpc.amd remote exploit with spoofed source address. Homepage here. By Lamagra
snmp10.htm15404911Feb 17 11:56:25 2000
Monty originally cobbled this together to keep the network admins he worked with from doing annoying things like keeping tftp daemons running on his Unix hosts for weeks on end. Its pretty handy for that too. May this script (grabrtrconf.sh) help make SNMP die the sad lonely death it deserves once and for all! Homepage here.
fbsd-ping.txt22524809Feb 24 13:59:11 2000
FreeBSD is vulnerable to a DoS vulnerability involving high speed pinging with packets over 8184 bytes. Unofficial patch included. Homepage here. By Omachonu Ogali
SHGetPathFromIDList...>33004293Feb 4 13:17:45 2000
Windows Api SHGetPathFromIDList Buffer Overflow - All Structure lengths, or Length of string, can be a modified or altered and cause whatever handles the shortcuts to crash. By Underground Security Systems Research
warftpd-dos.c38054192Feb 2 16:12:51 2000
War-ftpd for Windows95/98/NT is vulnerable to a buffer overflow in the MKD/CWD commands until version 1.71-0. DoS exploit included. By Toshimi Makino
cern-pss.txt28914163Feb 4 13:43:58 2000
CERN 3.0A Heap overflow advisory - There is a heap overflow that wastes memory space in the CERN/3.0A webserver. Close to 50000 bytes of the heap will be ruined! DoS example included. By Scrippie
sshd.locked-accts.tx..>24423850Feb 16 14:51:08 2000
In some cases where a system must be configured so that specific users only have access to POP, FTP, or restricted shell, the addition of the SSH protocol server (sshd) may create a security hole allowing the user to make tcp connections appearing to be from root at the attacked host. By Marc Schaefer courtesy of Bugtraq
ftp-ozone.c.txt22793410Feb 22 10:36:09 2000
Exploit for recent FW-1 FTP problems - Demonstrate a basic layer violation in "stateful" firewall inspection of application data (ftp within IP packets). Checkpoint alert about this vulnerability here. Homepage here. By Dug Song
iplanet.dos.txt19393357Feb 23 22:06:09 2000
Sun iPlanet Web Server, Enterprise Edition 4.1 on Linux is vulnerable to a remote DoS attack. Many GET requests cause a kernel panic. By Eiji Ohki courtesy of Bugtraq
linux.2.2.x.icmp.dos..>19453277Feb 17 00:54:42 2000
Redhat Linux 6.0 icmp DOS.
bordermanager-dos.tx..>37452811Feb 9 15:54:56 2000
Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS. After 2 days, the firewall will deny all requests, and eventually crash completely. By Chicken Man courtesy of Bugtraq
snmp.writable.txt29122636Feb 18 12:01:37 2000
Many devices come from the manufacturer configured with snmp enabled and unlimited access with *write* privledges. It allows attacker to modify routing tables, status of network interfaces and other vital system data, and seems to be extermely dangerous. To make things even worse, some devices seems to tell that write permission for given community is disabled, but you can still successfully write to it. This is a list of devices with default writable configurations. By Michal Zalewski courtesy of Bugtraq
Xitami-2.4d4.dos.txt23052408Feb 29 15:40:19 2000
The Xitami Windows 95/98 webserver is vulnerable to a remote DoS attack. Homepage here. By Nemesystm
asp.runtime-error.tx..>45142406Feb 10 18:22:00 2000
Active server pages (ASP) with runtime errors expose a security hole that publishes the full source code name to the caller. If these scripts are published on the internet before they are debugged by the programmer, the major search engines index them. These indexed ASP pages can be then located with a simple search. The search results publish the full path and file name for the ASP scripts. This URL can be viewed in a browser and may reveal full source code with details of business logic, database location and structure. Homepage here. By Jerry Walsh courtesy of Bugtraq
fw1-pasv.txt35652291Feb 10 18:16:32 2000
It is possible to cause certain firewalls to open up any TCP port of your choice against FTP servers that are "protected" by those firewalls. This is done by fooling the FTP server into echoing "227 PASV" commands out through the firewall. Firewall-1 v3 and v4 are known to be affected. Homepage here. By Mikael Olsson courtesy of Bugtraq
zeus.null.txt36422277Feb 9 15:58:55 2000
The Zeus Web Server does not parse null terminated strings properly, and can reveal the source to CGI scripts under certain circumstances. By Julian Midgley courtesy of Bugtraq
surfcontrol.txt35902238Feb 3 15:37:22 2000
surfCONTROL SuperScout 2.6.1.6 allows web users to view websites blocked by the classification database. By Mike C courtesy of Bugtraq
ssh-xauth.txt29732004Feb 25 15:36:21 2000
If X11forwarding is turned on, and remote xauth is patched, sshing into a compromised server can allow programs to be run on under your ssh client. This is turned on by default in ssh1, ssh2, and openssh. By Brian Caswell courtesy of Bugtraq
apcd.c5451990Feb 10 18:19:11 2000
Debian 2.1 local root exploit - A vulnerability exists in the apcd package shipped with Debian 2.1. By WC
Linbert.txt22821944Feb 16 12:45:23 2000
Linberto v1.0.2 (Q-Bert linux clone) can overwrite any file on the system, via insecure use of /tmp. By Grampa Elite
axis700.txt52841906Feb 9 16:06:56 2000
Bypassing authentication on Axis 700 Network Scanner - By modifying an URL, outsiders can access administrator URLs without entering username and password. Tested on Axis 700 Network Scanner Server version 1.12. By Ian Vitek courtesy of Bugtraq
umount.c25331880Feb 10 18:19:11 2000
FreeBSD 3.3-RELEASE /sbin/umount local exploit. By Babica Padlina
linux-dump.txt23451826Feb 29 16:46:59 2000
/sbin/dump on Linux is vulnerable to a local buffer overflow attack. Patch included. Homepage here. By Kim Yong-jun courtesy of Bugtraq
microsoft-install.tx..>19811826Feb 22 16:17:24 2000
An ActiveX control shipped with IE can be used to install software components signed by Microsoft without prompting the user. This of course raises trust issues. Someone, not necessarily Microsoft, could use this control to install a Microsoft signed component in your system. By Juan Carlos Garcia Cuartango courtesy of Bugtraq
poorman.txt29861787Feb 7 12:05:19 2000
It is possible to cause the BeOS PoorMan webserver to crash (remotly) by sending a given URL to the server. By Jonathan Provencher
doscmd.c25751781Feb 10 18:19:11 2000
FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit. By Babica Padlina
serv-u.25b.txt52491717Feb 4 12:01:41 2000
Serv-u FTP-Server v2.5b for Win9x/WinNTFTP-Server v2.5b will crash if you upload a malformed link file and type the ftp command LIST, due to overflow in Windows API SHGetPathFromIDList. By Underground Security Systems Research
ultimatebb.txt55051607Feb 16 14:47:24 2000
The Ultimate Bulletin Board has remote vulnerabilities, shell commands can be executed. By Sergei A. Golubchik courtesy of Bugtraq
wordpad-ie.txt26361507Feb 23 22:13:36 2000
Georgi Guninski security advisory #7 - There is a vulnerability in Wordpad which allows executing arbitrary programs without warning the user after activating an embedded or linked object. This may be also exploited in IE for Win9x. Demonstration which starts AUTOEXEC.BAT available here. Homepage here. By Georgi Guninski"> courtesy of Bugtraq
redhat-man.c26461430Feb 28 16:04:16 2000
Redhat /usr/bin/man exploit (gid=15 leads to potential root compromise). Homepage here. By Przemyslaw Frasunek
outlook5.vuln.txt36301354Feb 1 16:40:23 2000
Georgi Guninski security advisory #6 - Outlook Express 5.01 and Internet Explorer 5.01 under Windows 95 (others too) allow reading subsequently opened email messages after a hostile message is opened. Exploit code included. Workaround: Disable Active Scripting. Homepage here. By Georgi Guninski courtesy of Bugtraq
anywhere-3.1.3.txt25931247Feb 10 18:14:02 2000
Anywhere Mail Server Ver.3.1.3 for Windows contains a remote DoS vulnerability, via a long RETR string over port 110. Also multiple connections will kill the sendmail server. By Nobuo Miwa courtesy of Bugtraq
ignite.htm14031186Feb 17 11:56:25 2000
Ignite-UX bug in HP-9000 Series700/800 running release HP-UX 11.X only. Each password field in /etc/passwd should be "*" in a trusted system. This is normally handled automatically. One way for the password field to be set to a blank is to create a system image of a trusted system with Ignite-UX and not save /etc/passwd. Homepage here.
sambar.bat.txt35901002Feb 23 22:16:53 2000
All versions of Sambar server running under Windows NT and 2000 (95/98 not vulnerable) have vulnerabilities which allow remote command execution. By Georgi Chorbadzhiyski courtesy of Bugtraq
asmon.sh14691001Feb 22 23:22:12 2000
asmon.sh - A vulnerability exists in both the ascpu and asmon ports to FreeBSD. Local root overflow. FreeBSD 3.4, 3.3, 3.2, 3.1, and 3.0 are affected.
aix-snmp.txt2356924Feb 18 12:11:42 2000
On AIX 4.2 and 4.3, the SNMP daemon is enabled by default and two community names are enabled with read/write privileges. The community names are "private" and "system", but are only allowed from localhost connections. Nevertheless, a local user may install an SNMP client, and modify sensitive variables. By Harikiri courtesy of Bugtraq
frontpage.doubledot...>5400887Feb 18 12:17:13 2000
Frontpage-PWS32/3.0.2.926 (probably others) allows reading of any file on the system by putting /.../ into the url. By Jan van de Rijt courtesy of Bugtraq
apcd.sh1449787Feb 23 05:13:20 2000
Debian 2.1 local exploit - A vulnerability exists in the apcd package shipped with Debian 2.1.
win2k.install.txt6781701Feb 18 12:05:52 2000
During the installation process of Windows 2000 professionnal anyone can connect to the ADMIN$ share as ADMINISTRATOR whithout any password. By Stephane Aubert courtesy of Bugtraq
flexlm.sh2364490Feb 22 23:18:30 2000
Solaris (x86/7.0/2.6) local exploit for Sun's WorkShop 5.0 compilers and other products which use the FlexLM license management system.
kppp-1.6.14.txt2507236Feb 10 14:06:53 2000
Kppp 1.6.14 has a vulnerability that allows a local user to display the saved PPP password. By Rarez