ArchivesForums
 
about usforumsassessmentdefensepapersmagazinesmiscellaneouslinkscareers


Welcome to the Exploits for March, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware

To Change Sort Order, Click On A Category.
Sorted By: Downloads.

File Name Downloads File Size Last Modified
win98-con.txt67881463Mar 3 18:58:58 2000
Many Windows programs crash if they access c:/con/con. IE and servU-FTP v 2.4a among others are vulnerable. By Zoa_Chien
AIM-dos.txt63041178Mar 3 20:17:18 2000
AOL Instant Messenger can be crashed remotely with upper ascii symbols, version 3.5 tested, others most likely vulnerable. Unofficial patch available on the homepage, here. By Cruz courtesy of Bugtraq
NXT-Howto.txt555614093Mar 30 00:24:56 2000
BIND 8.2 - 8.2.2 remote root exploit how-to. Explains how to manipulate DNS records on a primary name server to exploit this vulnerability. Homepage here. By E-Mind
win98-con-lan.txt5441784Mar 24 21:04:48 2000
A windows 9x machine that shares any of its files, even read only, can be crashed remotely via the con/con issue. By Toxic Waste
sXe.c49717898Mar 3 22:31:34 2000
sXe sends IGMP packets, denying service to windows machines. If you can figure out how to use this, you can create quite an effective attack from even a 14kbs modem. Homepage here. By l-n1nja
iis-enumerate.txt39171267Mar 9 11:25:07 2000
Another new way to find the web root directory of an IIS 4.0 webserver, if it is run on a share, by requesting a .idq file. By Jason Lutz
ms-clipart.txt385810793Mar 9 11:25:25 2000
L0pht Research Labs Advisory - Microsoft ClipArt Gallery Overflow. An attacker can seize control of a Windows 95, 98, NT, or 2000 machine via any HTML source, including Microsoft Outlook e-mail. Proof of conccept exploit included. Homepage here. By Dildog
htdig.txt35461348Mar 1 00:55:59 2000
Htdig 3.1.4 search engine allows any file on the system to be read via CGI binary htsearch. Exploit information included. By Geoff Hutchison courtesy of Bugtraq
ie5-chm.txt35141258Mar 2 13:31:46 2000
Georgi Guninski security advisory #8 - There is a vulnerability in IE 5.x for Win95/WinNT (probably others) which allows executing arbitrary programs using .chm files. Microsoft Networking must be installed. Demonstration which starts wordpad here. Homepage here. By Georgi Guninski"> courtesy of Bugtraq
binds.c35046923Mar 3 22:35:39 2000
IRIX 5.3 and 6.2 remote bind iquery overflow. Homepage here. By LSD
bsd-sm884.c33903055Mar 2 10:24:08 2000
FreeBSD Sendmail 8.8.4 mime 7to8 remote exploit. Homepage here.
unsigned.cab.exploit..>336219089Mar 2 13:42:15 2000
Vulnerability details and example exploit for Microsoft Active Setup control's unsigned CAB file execution vulnerability. Patched in November, 1999, the vulnerability was so severe that almost any kind of break-in was possible into unpatched IE client machines. By Mukand
flog.c33072961Mar 7 04:40:35 2000
Flog.c crashes Win95/98/se webservers by sending GET /con/con HTTP/1.0. Changes: This one works. By Infernal Pulse
SCX-SA-01.txt32767855Mar 6 12:48:32 2000
Securax Advisory - Many windows applications can be made to blue screen upon parsing special crafted path-strings refering to device drivers.
getpop3.txt32172827Mar 1 20:33:20 2000
Getpop3 POP client for linux local root exploit - make any local file world writable. Homepage here. By r3p3nt
officescan.txt30468966Mar 3 20:12:33 2000
Trendmicro Officescan 3.5 has severe remote vulnerabilities, allowing a malicious user to remotely uninstall the anti virus, remotely stop the scan, remotely make the anti virus inefficient by modifying the scan configuration file through the network on the target pc, and finally, remotely write anywhere on the target file system! Includes exploit instructions. Homepage here. By Gregory Duchemin"> courtesy of Bugtraq
mailer.c29805441Mar 2 10:18:39 2000
Remote exploit for Mailer 4.3 - Win 9x/NT. Homepage here. By Cybz
win98-bluescreen.txt29361876Apr 20 13:59:44 2000
More ways to abuse c|/con/con - In mail with html tags, in normal html, serv-u ftp, and win registry. By RUBINHO
infradig_1225_5-3-00..>29331464Mar 6 12:49:12 2000
Infradig 1.225 for Windows remote security hole - The administration server on port 81 allows anyone to edit accounts, add users, and set all kinds of things. Homepage here. By Nemesystm
redhat-printtool.txt2861850Mar 9 12:28:40 2000
By default, printtool leaves world readable printer passwords on Redhat 6.1 and 6.2B. By Cho Kyong-won courtesy of Bugtraq
irix-infosrch.cgi.tx..>2777550Mar 3 20:20:40 2000
Irix 6.5 InfoSearch is a web-based interface to books, manpages, and relnotes, distributed by SGI. infosrch.cgi can execute commands remotely. By Jared courtesy of Bugtraq
pam-mdk.c27351588Mar 21 14:22:00 2000
PAM/userhelper exploit - Ported to Mandrake 6.1. Also works on Red Hat 6.0 and 6.1, gives uid 0. By Paulo Ribeiro
spoon.c27095033Mar 21 03:41:56 2000
spoon.c - (ab)use dig.cgi to proxy DNS dig requests. Useful to request a zone transfer without revealing your IP. Homepage here. By Obecian
pocsag.txt26081029Mar 9 11:25:00 2000
Pocsag v2.05, a popular pager decoding software by default accepts connections on port 8000 with a default password, even remote access is not enabled, allowing anyone to view the decoded data. By Kuji courtesy of Bugtraq
manxpl.c25811178Mar 1 00:55:59 2000
Linux x86 man exploit - exploits the stack overflow in man (PAGER env var) yielding egid man. Tested on Redhat 6.2. By Anathema
sps3.c25722086Mar 3 18:17:18 2000
sps3.c - Spaghetti Proxy Server 3.0 DoS attack. It does not appear as though arbitrary code could be execute using this vulnerability. Homepage here. By Chopsui-cide
0003-exploits.tgz252494501May 19 10:55:38 2000
Packet Storm new exploits for March, 2000.
gpm-root.sh2486931Mar 20 13:04:00 2000
A vulnerability exists in the gpm-root program, part of the gpm package. A local console user can obtain root. Tested under RedHat Linux (6.2 / 6.1 / 6.0 / 6.0 / 5.2 / 5.1) and Debian Linux (2.2 / 2.1 / 2.0). Homepage here.
Infosec.20000229.axi..>24722242Mar 1 01:24:30 2000
Infosec Security Vulnerability Report - Bypassing authentication on Axis StorPoint CD. By modifying an URL, outsiders can access administrator URLs without entering username and password, allowing unauthorized access. By Ian Vitek courtesy of Bugtraq
win98_con_exploit.ht..>24211408Mar 3 01:24:18 2000
Variation of the win98 con exploit that crashes netscape as well. Homepage here. By Neonlenz
xterm-logfile.txt22581173Mar 1 01:10:46 2000
It used to be Well Known that xterm's way of opening a log file was insecure. Well, that was 5+ years ago so I decided to take a look at the current state of affairs. Things have changed, but mostly to "different" rather than "better". Symlink attack can overwrite any file with the UID of the xterm process. By Morten Welinder courtesy of Bugtraq
netscape-wp.dir-list22512619Mar 23 23:59:17 2000
ZSH Advisory - Netscape WebPublisher Allows Directory Listing and Access. Netscape Webpublisher is an addon to Netscape's Enterprise webserver which allows remote file modifications, uploads and downloads. A third party user can access the WebPublisher via downloading a number of java applets and the webserver's directory structure without having a valid account on the system. Netscape v3.5.1 / 3.6 SP1-3 under solaris are vulnerable. Homepage here. By F0bic
ftpwarez.c22475614Mar 15 13:04:00 2000
wu-ftpd beta17 remote root overflow (non-chroot). By Anathema
hp-omniback.pl21811803Mar 1 01:17:49 2000
HP Openview Omniback software listens to port 5555, can be caused to run out of memory. Demonstration exploit in perl included. By Jon Hittner courtesy of Bugtraq
icadecrypt.c.txt21471800Mar 31 23:29:07 2000
icadecrypt cracks the weak hash encryption on stored Citrix ICA passwords (in appsrv.ini). Homepage here. By Dug Song
rpc.AMD.FreeBSD3.2RE..>20142924Apr 1 14:09:54 2000
FreeBSD 3.2-REL AMD remote root exploit. By Anathema
dosemu.sh1964948Mar 1 15:53:52 2000
Corel Linux dosemu config error. Local root compromise. By Suid
domain-socket.c1882871Mar 26 13:04:00 2000
Domain Socket Denial of Service Vulnerability affecting Linux kernel 2.3.99-pre2, Linux kernel 2.2.14, Linux kernel 2.2.12, RedHat Linux 6.2, RedHat Linux 6.1 sparc, RedHat Linux 6.1 i386, and RedHat Linux 6.1 alpha. Homepage here.
setxconf.sh1877303Mar 1 15:52:54 2000
Corel xconf utils local root (among others) vulnerability. By Suid
position.c17761976Mar 28 16:21:43 2000
Overflows the -position arg buffer in wmcdplay due to a bad sprintf call. Homepage here. By Larry W. Cashdollar
RLbison.tgz17192279Mar 6 03:27:29 2000
Roses Labs has discovered a remote buffer overflow in BisonWare FTP Server. Includes DoS exploit, remote code execution may be possible. English and spanish versions included. Homepage here. By Conde Vampiro
wmcdplay-exp.c170210904Mar 23 22:11:48 2000
5 exploits for wmcdplay (A cd player designed for WindowMaker - Release 1.0 Beta1) Tested on Mandrake 7.0. Homepage here. By Larry W. Cashdollar
irix-objectserver.c167219212Apr 3 19:11:51 2000
SGI IRIX objectserver remote exploit - Remotely adds account to the IRIX system. Patched February, 1998. Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2. By Marcy
browser-bug.txt16592905Mar 25 20:41:56 2000
Linux web browsers are affected by accessing devices, this bug may be considered similar to the \con\con bug except that the technological superiority of Linux will prevent a system crash. Homepage here. By SET
spawncmd.pl16261270Mar 20 13:04:00 2000
Spawn a command shell on remote host with MSADC. Homepage here.
Flying.txt1607837Mar 10 12:39:48 2000
Vulnerability in the game Flying rev 6.20 - read any file on the system. Tested on Redhat 5.2, possibly others. By Grampa Elite
ircii_exploit.txt14987942Apr 19 19:14:41 2000
Two exploits are included in this. It is a dcc chat buffer overflow in seperate exploits for linux and mirc. By bladi & aLmUDeNa.
ass.pl13471488Mar 31 13:04:00 2000
Halloween linux 4 local root exploit script for atsadc. Other distributions may be vulnerable. Homepage here. By S. Krahmer
reset_state.c131910605Mar 20 13:04:00 2000
reset_state.c exploits a recent bug in pix firewalls which drops an entry in the state table when a rst packet is received. By Andrew Alston
printtool.sh1249822Mar 20 13:04:00 2000
printtool is an X11 printer configuration tool shipped with RedHat Linux and possibly other linux distributions. When configuring a printer with printtool, the permissions of the config file are set world-readable. When this happens, this script will kick in and give you the password. Homepage here. By Phonic
kreatur.pl12371622Mar 28 16:28:34 2000
kreatecd local root-exploit helper script - Halloween Linux 4.0 and SuSE 6.0 - 6.3. Homepage here or here.
winmail305.txt12091008Mar 29 13:04:00 2000
Winmail 3.05 for Windows NT allows any file on the system to be read. Exploit code included. By Frankie Zie courtesy of Bugtraq
imexp.c12052630Mar 20 13:04:00 2000
Halloween 4 local root exploit for imwheel-solo. Other distros maybe affected as well. Homepage here. By S. Krahmer & Stealth
led_color.c11871965Mar 20 13:04:00 2000
Overflows the -l arg buffer in wmcdplay due to a bad sprintf call. Tested on Mandrake. Homepage here. By Larry W. Cashdollar
wmexp.c11832315Mar 20 13:04:00 2000
Halloween Linux 4.0 and Debian Linux 2.1 local root exploit for wmcdplay. Other distros are maybe affected as well. Homepage here. By S. Krahmer & Stealth
unpassworded.dsl.rou..>11533779Mar 11 04:14:00 2000
In the deployment of the Cayman-DSL router and many others, technitions are failing to reset the default password which in many cases default to no password at all. A malicious user could scan for such devices and on a DSL providers network. Worst case scenerio, the static routing tables can be altered to permit remote sniffing. By Andrew R. Siverly
cgimail.txt11053015Apr 19 19:23:42 2000
Anyone who can execute CGIMailer (anyone who can use the forms that use CGIMailer) can specify what configuration file to use and this can be any file on the system CGIMailer is running on. This allows for the existance of private files to be detected. There are more dangerous implications though: this vulnerability could possibly be exploited to obtain private files from the target system. If there is an FTP server running on the target system on which an attacker has upload priviledges, he/she could upload a malicious configuration file, and then run it using CGIMailer. Configuration files can be used to send files to the attacker via e-mail (among other things). By Chopsui-cide. Homepage Here.
tpgnrock.c10212912Mar 29 13:04:00 2000
Crash Exploit for AnalogX SimpleServer v1.03 By Presto
x-dumper.sh10101666Mar 13 13:04:00 2000
x-dumper.sh remote xwin exploit - Will attempt to dump a screen via xwd. By c0sa_n0stra
x11amp.txt972634Apr 19 16:59:21 2000
Vulnerability: Any user can overwrite any file in the system with x11amp ver .70. Found by Grampa Elite.
exp-wmcd.c3722249Apr 19 16:59:21 2000
Local exploit for Linux Mandrake 7.0's wmcdplay 1.0 beta 1. Unlike the Teso exploit for wmcdplay, this code exploits the -position argument. By Dethy