.:[packet storm]:.


Sorted by: File Size.
.: 0107-exploits
File Name | File Size (bytes) | Last Modified | MD5 Checksum
0107-exploits.tgz | 81081 | Aug 2 13:09:51 2001 | da3cb1438250539d8be8380e15486d7d
Packet Storm new exploits for July, 2001.
cfingerd.c | 22161 | Jul 17 23:34:09 2001 | d764f4c05c80af0f321c878876a84804
Cfingerd v1.4.3 remote root exploit for Linux. Binds to port 113 and sends bogus ident information. Homepage: http://security.is. By Digit
sneaky2.sh | 12487 | Jul 18 02:10:26 2001 | 25055226b0a890073e135c5b546d136f
Sneaky2.sh is a swiss army knife for Hotmail/Messenger. Implements spoofing, brute force, misconception and unexpected input classes of attack. Will spoof the Hotmail/Messenger server to recover a user's Hotmail password, crash the Messenger client, and remotely inject and execute a malicious exe on the victim host. Homepage: http://www.securite-internet.com. By Gregory Duchemin
QDAV-2001-7-1 | 11799 | Jul 11 23:31:41 2001 | 454c4032e3ae794c228b5636ca6399ae
qDefense Advisory QDAV-2001-7-1 - Multiple CGI flat file database manipulation vulnerability. Many CGI scripts store data, including passwords, in a flat file database, using special characters as field and row delimiters. An attacker is often able to manipulate these databases by inserting extra delimiter characters. Homepage: http://qDefense.com.
briiis-1.pl | 10133 | Jul 19 17:13:19 2001 | 612717b92fc58a8c3aa69e838872170e
Briis-1.pl is a unicode / decode IIS attack tool which includes SSL support under Linux. Features many checks for CMD.EXE, caches the found directory, SSL support with SSLeay (Unix), easy to use text file upload, easy to use / encoding option, relative path name program execution, and virtual host support. More info available here. By Ian Vitek
tstot.c | 10102 | Jul 12 01:13:12 2001 | 84f0f17bc976e6b8be69bacaeb5bf596
Tstot.c is a remote exploit for xloadimage for Red Hat 7.0. Xloadimage is a Netscape 4.77 helper application with a buffer overflow vulnerability. Binds a shell to a port. Fix available here. By zen-parse
qflood.c | 6903 | Jul 17 17:58:58 2001 | 7588a0c0ef179e78557b962a95c75291
Qflood.c fills up a Quake server with spoofed "unconnected" clients, preventing other players from connecting since the player limit fills up quickly. Additionally, if the server does not support multiple clients from the same IP address, it will disconnect legitimate players if the spoofed connection request matches that player. By Andy Gavin
ida-exploit.sh | 6176 | Jul 23 21:42:25 2001 | 00e34a156bbe3fe1825c7cec62b3b266
Windows 2000 remote IIS .ida exploit - Spawns a shell on port 8008. Tested on Win2k with no service pack and SP2. Includes instructions on finding the offset. Homepage: http://monkey.org/~mat. By Mat
xdm-cookie-exploit.c | 6142 | Jul 12 15:26:04 2001 | cb62c9d2e6db81932cda010ba727d2a0
Current versions of xdm are vulnerable to a trivial brute force attack if compiled with bad options, mainly HasXdmXauth. Without this option, the cookie is generated from gettimeofday(2). If you know the starting time of the xdm login session, computing the cookie takes only a few seconds. By Ntf, Sky
cfingerd0x69.c | 5647 | Jul 12 00:28:25 2001 | 4b97d06d5fd883f3f606f5c5bab3b932
Cfingerd v1.4.3 and below Linux/x86 local root buffer overflow exploit. By Qitest1
pic-lpr-remote.c | 5320 | Jul 27 02:30:12 2001 | b872ac8b739399184c12ab501762793c
Pic / LPRng format string remote exploit. Pic is part of the groff package. It is used by troff-to-ps.fpi as uid lp when perl, troff and LPRng are installed. Tested against Redhat 7.0 (groff-1.16-7). By zen-parse
spadv03.txt | 5094 | Jul 30 02:12:09 2001 | 34db49ab75ca4fc3edbb7aa09d278554
The Windows 2000 telnetd service is vulnerable to a remote denial of service attack. The service crashes when scanned for the recent AYT telnetd vulnerability discovered by Scut. Includes SPtelnetAYT.c, a scanner for the AYT vulnerability in telnet daemons built upon the BSD source. Homepage: http://www.secpoint.com. By Security Point
cfingerd-exploit.pl | 4227 | Jul 12 00:07:46 2001 | 7deade15eef46381573d4b4220a005e0
Cfingerd v1.4.3 and below local root buffer overflow exploit in perl. Exploits the vulnerability. Homepage: http://www.digit-labs.org/teleh0r. By Telehor
sr.pl | 3907 | Jul 18 01:47:37 2001 | 64a69339c5b64edbad5cc889a991464a
Checkpoint Firewall-1's SecureRemote allows any IP to connect and download sensitive network information. This perl script gives a potential attacker a wealth of information including IP addresses, network masks (and even friendly descriptions). Homepage: http://www.sensepost.com. By Haroon Meer & Roelof Temmingh
vvfreebsd.txt | 3901 | Jul 12 01:51:40 2001 | 2d223327e13a25c1742fe30e2fda51ba
Georgi Guninski security advisory #48, 2001 - There is a local root compromise in FreeBSD 4.3 due to a design flaw which allows injecting signal handlers into other processes. Includes vvfreebsd.c, a local root exploit. Homepage: http://www.guninski.com. By Georgi Guninski
pileup-xpl.c | 3489 | Jul 29 04:07:36 2001 | 7db2fa47bb548a4281aad6708c157b54
/usr/bin/pileup local root exploit. Tested against Debian 2.2. By Core
kppp.c | 3279 | Jul 11 00:55:47 2001 | 62c2590edd286ebb913f7a78b60441ad
Kppp (/usr/local/kde/bin/kppp) v1.1.2 and below local exploit. Tested against x86 and Sparc Linux. Homepage: http://nbs.extremenetworking.net. By Smashstack, Doom
mambo_advisorie.txt | 2945 | Jul 26 12:04:43 2001 | 407a1020f4107e848ced585227bc294c
The Mambo Site Server v3.0.0 - 3.0.5 contains a vulnerability which allows users to gain administrative privileges by changing global variables via URL parsing. Homepage: http://www.reverseonline.com. By Ismael Peinado Palomo
idcf.c | 2877 | Jul 11 23:58:58 2001 | 127d493b92791085586c97eff83512dc
Cfingerd v1.4.3 and below remote root exploit. Slightly broken. Exploit redirects the fopen() call to popen() and executes code from ~/.nofinger. By zen-parse
attqt.pl | 2823 | Jul 23 12:20:12 2001 | 3215b593ce0c0f6a1dfd711c637436be
Attqt.pl is a tool for sending banned attachments through SMTP gateways by adding an invalid character to the filename. This is known to work on MailMarshall and TrendMicro Scanmail; others are probably vulnerable. By Aidan
ldap_exp2.c | 2818 | Jul 12 06:35:25 2001 | fdb9fe8c09fcd1a59d191b3a276848d3
Solaris 5.8 ldap / passwd local root exploit. Tested on SunOS 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-60. By Fyodor
slackware.init.txt | 2582 | Jul 18 02:06:29 2001 | da683d52f3f0072dc6963928eed7696f
Slackware 8.0 local root exploit - Creates a suid shell when "modprobe lp" is run from the startup scripts. By Josh
mcaffee.mycio.traver..> | 2559 | Jul 12 00:04:18 2001 | 3dda84290792822ead2aa88636a565b1
McAfee's MyCIO directory traversal vulnerability - Any machine running McAfee Agent ASaP VirusScan Software is vulnerable to a remote vulnerability which allows any file on the machine to be read. This software incorporates what is known as "Rumor Technology", which facilitates the transfer of virus definitions between neighboring machines. This agent software runs as a service ("McAfee Agent") under the local system account and uses a lightweight HTTP server that listens on TCP port 6515. Exploit URL included. By Ade245
whodo-ex.c | 2500 | Jul 12 05:58:37 2001 | 82dffcd2065e49a4222ebc5c8dbea224
Solaris whodo local root exploit. Tested against SunOS 5.5.1, 5.7, and 5.8 for x86. By Pablo Sor
libsldap-exp.c | 2358 | Jul 12 05:46:28 2001 | 7fb624eef82b60ad70c6ccf9b601a763
Solaris 8 libsldap local root exploit. Tested on an Ultra10 and an Enterprise 3500 with success. By Noir
slackware.man.c | 2216 | Jul 17 17:55:38 2001 | c1c8ef9823405a020ea2cc19d098e213
Slackware 8.0 and below ships with /var/man/cat* chmodded 1777, making it vulnerable to symlink attacks. This exploit creates a suid shell with the UID of the user running man. By Josh, Lockdown, zen-parse
filter-xpl.c | 2027 | Jul 18 02:50:05 2001 | ac0593f66f87f941019423787bd8fce7
/usr/local/bin/filter local exploit. Gives GID=mail. More information available. Tested against Slackware 3.1. Exploits the nlspath buffer overflow. By _Phantom_
lmail-xpl.c | 2014 | Jul 12 06:26:25 2001 | 7f9da8c5028c2fd49aa9c8210d25ec8d
lmail local root exploit. Simply run it with the file you want to create/overwrite and the data you wish to place in the file. By Charles Stevenson
QDAV-2001-7-3 | 1896 | Jul 18 02:13:43 2001 | ccfd18fc1da76e132dea511b4220808d
qDefense Advisory Number QDAV-2001-7-3 - Interactive Story does not properly validate the contents of a hidden field entitled "next". By setting that field to the name of a file, and using double dots and poison nulls, an attacker can cause Interactive Story to display the contents of any file. Exploit URL included. Homepage: http://qDefense.com.
ibm-db2.c | 1841 | Jul 29 02:28:44 2001 | 3de9be6028bd648021d753ebaaf12c72
IBM DB2 (which runs under W98/NT/2000) proof of concept denial of service. Sending 1 byte to port 6789 or 6790 crashes IBM DB2, as described in ibm.db2.dos.txt. By Honoriak
ktv.sh | 1822 | Jul 18 02:59:25 2001 | e7386b4de150129eee315ee540b989bc
Ktvision v0.1.1-271 and below symlink local root exploit. Tested against SuSE 7.1. By Ihaquer
sig.c | 1752 | Jul 18 02:46:13 2001 | e9b50e27f1042cfbac603ed819ac6420
FreeBSD 3.1 - 4.3 local root exploit - Uses the signal condition vulnerability discovered by G. Guninski. By Lamerboy.
ml85p.sh | 1751 | Jul 17 17:43:02 2001 | 27106ddc98e2b944324483817b655184
Local root exploit for /usr/bin/ml85p, a suid binary which is vulnerable to a local symlink attack. It is included in Mandrake 8.0 by default. By Suid
squidmap.pl | 1499 | Jul 29 03:30:54 2001 | 3072c26d039e563fde8246ed1e61f590
Squid can be used to port scan if set up as an httpd accelerator (reverse proxy). Tested on Redhat 7.0. By Paul Nasrat
nerf.iis.dos.txt | 1136 | Jul 12 06:39:19 2001 | 86ac77030b990207e5472ee62b0bd790
Nerf Group Security Advisory #4 - Microsoft IIS 4 and 5 can be crashed remotely by reading device files (com1, com2, etc). Exploit URL included. Homepage: http://www.nerf.ru. By Buggzy
xxman.sh | 832 | Jul 17 17:39:08 2001 | 631ac7297588dc7496aa411184167887
Xxman.sh is a local root exploit for an insecure system call in xman. Homepage: http://www.realhalo.org. By Vade79
cobalt.webmail.txt | 774 | Jul 12 06:01:17 2001 | 73faac454049acd5190bea40a1ba809a
Webmail on the Cobalt Cube contains a directory traversal vulnerability which allows users with mailboxes to read any file on the system. Exploit URLs included. Verified to work against the Sun Cube III as well. By KF
ttawebtop.html | 610 | Jul 18 02:54:16 2001 | 3c05d637d7955fb852fe1c1ec31d1681
Tarantella 3.01 ttawebtop.cgi "show files" exploit. '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retrieve files from the remote server which should not normally be accessible. Exploit URL included. By KF
ibm.db2.dos.txt | 491 | Jul 12 00:26:20 2001 | f4b462d2987f201a50bd03e6f68934fd
IBM DB2 for Windows (98/NT/2000) is vulnerable to a simple remote denial of service attack via db2ccs.exe (listening on port 6790) and db2jds.exe (port 6789). By Gilles
cayman.txt | 344 | Jul 12 00:36:59 2001 | 9cc90717d2cfb63a71c77417f014dbca
Cayman routers allow remote access by using } as the username. By Russell Handorf
