about usforumsassessmentdefensepapersmagazinesmiscellaneouslinkscareers

Welcome to the Exploits for April, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware

To Change Sort Order, Click On A Category.
Sorted By: Downloads.

File Name Downloads File Size Last Modified
RFP2K02.txt48167470Apr 14 13:25:13 2000
RFP2K02 - "Netscape engineers are weenies!" AKA a back door in Microsoft FrontPage extensions/authoring components. Anyone with web authoring permission can use a backdoor in dvwssr.dll to read .asp (and .asa) files under the web root. As Microsoft has told me, the immediate problem is moreso the fact that any developer of one particular virtual site can download the .asp code of other virtual sites on the same system. Includes, a perl based exploit. Homepage here. By Rain Forrest Puppy
netsurfer.txt37651906Apr 18 15:34:23 2000
Local users can steal credit card numbers and personal information from a Netsurfer e-commerace site due to bad default permissions. By Elsewhere
winreal.6-7.txt36764229Apr 6 12:05:41 2000
There is a buffer overflow in the Win32 RealPlayer Basic client versions 6 and 7 which occurs when a long location to play string is entered. Using the HTML "EMBED" tag to embed RealPlayer in a webpage and setting the "AUTOSTART=true" flag, you can force RealPlayer to start automatically, triggering the overflow condition. It appears that arbitrary code could be exploited simply by *VISITING* a webpage with the malicious embedded RealPlayer tags. MacOS and linux versions appear not to be vulnerable. By Adam Muntner courtesy of Bugtraq
Fortres4-analysis.tx..>36376680Apr 11 18:33:57 2000
Fortres 4.0 security software for Windows has an easily decrypted password. Qbasic source includeed to crack the simple encryption. By Frost Byte
0004-exploits.tgz3523208103May 19 10:56:12 2000
Packet Storm new exploits for April, 2000.
4man.c29271247Apr 27 14:10:24 2000
redhat 6.1 /usr/bin/man exploit. Homepage here. By Kil3r
DeCRYPTO.zip290971912Apr 12 15:24:04 2000
CRYPTOCard's CRYPTOAdmin pin can be decrypted from the .pdb file - Windows 9X demonstration program. Homepage here. By Kingpin
ADV-150400.txt26643470Apr 23 02:35:38 2000
Microsoft Frontpage CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default and has three vulnerabilities. The full path to the root directory is revealed, a buffer overflow was found - remote code execution may be possable, and files on the server may be accessed. Homepage here. By Narrow
qpopper.fgets.txt25524022Apr 27 15:24:55 2000
Sorry, a description is unavailable.
ooo1.txt25035042Apr 15 02:20:17 2000
Netscape PublishingXpert 2.* file-reading/dir-listing vuln in PSCOErrPage.htm - On SunOS 5.5.1 and 5.6 (possibly others), Netscape PublishingXpert 2.* can read any file on the system. Many large e-commerace sites are vulnerable to this. Exploit details included. By \x00\x00
beos.dos.txt24472104Apr 7 21:01:54 2000
The BeOS networking stack crashes when certain malformed packets are sent to it. This document explains two such packets and includes CASL scripts for packet generation. By Tim Newsham courtesy of Bugtraq
linux-masq-udp.txt24238673Apr 3 19:19:24 2000
Linux 2.2.x IP Masquerading allows UDP packets in from the outside until the firewall times out. Under certain rare conditions, a UDP based service could be exploited from the outside. By H D Moore courtesy of Bugtraq
dsnhack.pl236511668Apr 15 02:33:17 2000
NewDSN.exe/CTGuestB.idc/Details.idc remote NT exploit. Homepage here. By Scrippie
RDS_Toolkit.zip23636768Apr 18 15:48:06 2000
RDS Toolkit is another addon for It is similar to which spawns a remote command on a NT machine using RDS, but the RDS Toolkit works in Windows and Unix based systems. By Narrow
cc-pinextract.txt229411818Apr 12 15:18:10 2000
CRYPTOCard's CRYPTOAdmin software is a challenge/response user authentication administration system. The PT-1 token, which runs on a PalmOS device, generates the one-time-password response. A PalmOS .PDB file is created for each user and loaded onto their Palm device. By gaining access to the .PDB file, the legitimate user's PIN can be determined through a series of DES decrypts-and-compares. Using the demonstration tool, the PIN can be determined in under 5 minutes on a Pentium III 450MHz. Homepage here. By Kingpin
snmpx.sh2211842Apr 3 16:26:12 2000
Solaris 2.6 snmpdx remote exploit. Homepage here. By Acz
ircii-4.4.c21772730Apr 6 17:55:52 2000
ircii-4.4 exploit - buffer overflow in ircii dcc chat's allows arbitrary code execution. Tested against SuSE 6.x and Redhat. Homepage here. By Bladi
cache-control.txt21395264Apr 3 18:58:51 2000
HTTP cache-control headers such as If-Modified-Since allow servers to track individual users in a manner similar to cookies, but with less constraints. This is a problem for user privacy against which browsers currently provide little protection. By Martin Pool courtesy of Bugtraq
mailform.txt21115231Apr 7 10:48:49 2000
MailForm v1.91 for Windows 95 and NT 4.0 allows potentially dangerous parameters to be specified by anyone who can execute it. The web interface allows remote users to execute arbitrary commands. Exploit code included. Homepage here. By Chopsui-cide
ide_expl.mrc20075209Apr 19 14:46:37 2000
ide_expl.mrc is an ircii-4-4 exploit ported to mirc5.7, works reverse to ircii-4.4.c. You send the chat request instead of having them chat you, attempts to execute /bin/sh. Homepage here. By Vade79
sourcegrab.pl20061491Apr 12 15:03:03 2000
Exploit for Microsoft Index Server 2.0 hithighlight exploit (as described in ms00-006) which allows you to view any file in the wwwroot directory and down. By x00x00 7 11:17:44 2000
Exploit information for the "Virtualized UNC Share" problem talked about in MS00-019 which yeilds the source of .asp's. By Rain Forrest Puppy
RFP2K03.txt186938140Apr 20 13:06:42 2000
RFP2K03 - Contemplations on dvwssr.dll and how it affects life. Lots of information here. Also includes a fixed versoin of the perl exploit. Homepage here. By Rain Forrest Puppy
dig.c1759963Apr 25 12:51:02 2000
dig v2.2 local buffer overflow exploit for x86 linux. Note that dig isn't suid/sgid on some platforms, yet on some it is. Homepage here. By Anathema
panda-sec.zip17591190Apr 22 23:57:18 2000
Panda Security 3.0 for Windows 95 and 98 can be bypassed. Panda Security 3.0 is vulnerable to indirect registry key modifications, which allow Panda Security keys to be manipulated by any logged-on user. Because of a lack in system integrity checks, the entire software package could be uninstalled by a user. This zipfile contains demonstration exploit code. Homepage here. By Deepzone Security
sftp02b.c17492147Apr 28 12:01:19 2000
Smart FTP v0.2 Beta denial of service. Homepage here. By Chopsui-cide
kill_nwtcp.c17152157Apr 23 00:37:05 2000
Novell Netware 5.1 Remote Administration Service contains a buffer overflow that could allow an attacker to launch a denial of service attack against the system, or possibly inject code into the operating system for execution. DoS exploit included. Homepage here. By Michal Zalewski
imap_core.sh16996352Apr 19 01:05:27 2000 is a quick proof of concept tool that causes some imapd implementations to dump core. Unfortunately the core file contains the password and shadow password file in it! Homepage here. By Mudge
lcdproc-exploit.c16705497Apr 23 18:58:51 2000
LCDproc is a system to display system information and other data on an LCD display which uses client / server communication. The server is vulnerable to remote buffer overflow allowing an attacker to remotely execute arbitrary code or cause the LCDproc server to crash. Patch available here. By Andrew Hobgood
mmdump.pl16616520Apr 27 14:26:06 2000
Meeting Maker is a networked calendaring/scheduling software package that's estimated to be installed on over 700,000 desktops. Clients send passwords to a Meeting Maker server encoded using a polyalphabetic substitution cipher. Included perl script will decode passwords sent over the net. By Matt Power courtesy of Bugtraq.
fcheck.txt16573307Apr 6 17:09:05 2000
Fcheck, a file integrity checker written in perl, can be subverted by a malicious user to execute arbitrary commands as root by creating files with shell metacharacters in their names. Version v.2.7.45 and below is vulnerable. By Matt Carothers courtesy of Bugtraq
fdmnt-smash.c16413126Apr 3 16:28:34 2000
fdmount local root exploit - tested on Slackware 4.0. Must be in the floppy group. Homepage here. By Scrippie
str-msgchk.c16182085Apr 3 16:30:59 2000
mh/msgchk and mh/inc demonstration local exploit for FreeBSD / BSDI. Homepage here. By Stran9er
lpset.sh1605627Apr 27 14:12:55 2000
/usr/bin/lpset vulnerability in Solaris/SPARC 2.7. Homepage here. By Noir
austnethack.tgz15675925Apr 28 12:04:09 2000
How AustNet's Virtual World was hacked to reveal users real IP. Slightly crippled demonstration code included. Lots of information on the austnet hack available here. By FallenAngel
wmaker.c15521781Apr 23 18:27:28 2000
Windowmaker 0.62.0 buffer overflow exploit - Although wmaker is not suid by default, this code will overflow the $DISPLAY environment variable. Homepage here. By Sectorx
FreeOnline.txt15452008May 4 00:07:41 2000
FreeOnline currently makes it's free users surf non-free zones for 30 minutes and 2hour lots within certain hours of the day. If you are a FreeOnline user which I currently am you may be interested to know that there is a way out to non-free sites using a site which FreeOnline does acknowledge as a site to be surfed at any times. By rarez
ltrust.c1544774Apr 19 00:52:05 2000
Linux kernel 2.2.14 local DoS - When accessing a file or directory with a very long path the process hangs in an unkillable state. All other processes are SEGFAULTing when trying to access unkillable process' /proc entry. So system utilities ps, w, top, killall and the like are stoppping working. Except that, the system continues to function normally. The only solution is reboot. Homepage here.
sunkill.c15402365Apr 21 23:54:14 2000
sunkill.c - Remote solaris 2.5.1 dos exploit. Opens a telnet connection on the victim machine and sends a few bad telnet negotiation options, then flooods the port with lots of ^D characters, using all available kernel memory. Homepage here.
bizdb.htm1534904Apr 19 00:41:50 2000
BizDB is a web databse integration product using perl CGI scripts. One of the scripts, bizdb-search.cgi, has an unchecked open() call and can therefore be made to execute commands at the privilege level of the webserver. Remote exploit included. Homepage here.
rmp_query.c15342181Apr 6 18:00:33 2000
This script exploits a vulnerability in the default installation of Caldera OpenLinux 2.3 which allows an attacker to obtain a listing of the packages, and versions of packages installed on this system, allowing an attacker to remotely determine vulnerabilities. Homepage here. By Alhambra
lprm-bsd.c15316821Apr 19 01:21:01 2000
lprm-bsd.c - Exploit for lprm local root vulnerability in OpenBSD and FreeBSD-stable. Homepage here. By Niall Smart
named_dump.sh1525684Apr 19 01:08:20 2000
ISC BIND 4.9.7-T1B local exploit - The named daemon will dump the named database to /var/tmp/named_dump.db when it receives a SIGINT signal. It does not check for symbolic links while doing so and can be made to overwrite any file in the system. Homepage here.
imwheel_ex.c1525994Apr 27 13:36:06 2000
imwheel local root exploit (as discussed in RHSA-2000:016-02). By Funkysh
lincity.c15041054Apr 19 01:43:09 2000
lincity-svga local buffer overflow. Homepage here. By TFreak
razor.dvwssr.txt14754360Apr 23 00:16:06 2000
BindView RAZOR Team Analysis of DVWSSR.DLL - The risks of having dvwssr.dll are not as severe as originally reported in media outlets Friday morning, but still severe enough that system administrators responsible for NT systems to investigate. The risks involve whether or not a certain DLL is loaded, how rights are set, and potentially how Front Page 98 is used. Homepage here. By Simple Nomad 24 15:32:29 2000
FreeBSD mtr-0.41 local root exploit. Homepage here. By Venglin
solx86-imapd.c14582892Apr 25 12:42:44 2000
imapd IMAP4rev1 v10.205 remote root exploit, solaris x86. Exploits the AUTHENTICATE overflow, yielding a remote root shell. Homepage here. By Anathema
xdnewsweb.pl14552627Apr 27 08:53:08 2000
Vulnerability found in cgi DNEWSWEB used for reading news groups from web. Its possible to overflow stack and read any file from remote host with web server rights. All versions and for all OSes exploitable. Example of reading file /etc/passwd for Linux included. Fixed in dnews 5.4c1, available here. By djHD
oracle.sh14461481Apr 3 13:04:00 2000
Oracle 8.1.5i install exploit - If Oracle is installed after this script has ran, roots .rhosts can be overwritten. Homepage here.
scx-sa-02.txt14286868Apr 21 16:51:04 2000
Securax Security Advisory #2 - When the Microsoft Windows explorer tries to access parsing a filename that contains over 129 chars in the extension, a buffer will overflow, causing explorer to crash. EIP is overwritten, remote code execution is possible. By Zoa_Chien
sparc_lpset.c13952047Apr 27 13:38:49 2000
/usr/bin/lpset local root exploit for sparc. By Laurent Levier
b0f3-ncurses.txt13911493Apr 24 15:37:30 2000
BufferOverflow Security Advisory #3 - libncurses buffer overflow in NCURSES 1.8.6 on FreeBSD 3.4-STABLE. Setuid programs linked with libncurses can be exploited to obtain root access. Homepage here. By Venglin
sol7.lp.c13771467Apr 27 13:43:18 2000
Solaris 2.7 /usr/bin/lp local exploit, i386. By Digit
RUS-CERT.200004-01.t..>133314149Apr 23 00:30:13 2000
RUS-CERT Advisory 200004-01: GNU Emacs 20 - Several vulnerabilities were discovered in all Emacs versions up to 20.6, including allowing unprivileged local users to eavesdrop the communication between Emacs and its subprocesses, Emacs Lisp tempfile problems, and the history of recently typed keys may expose passwords. The following systems were tested vulnerable: Linux, FreeBSD (and probably other *BSD variants), HP-UX 10.x, 11.00, and AIX 4. Solaris and DG/UX are unaffected.
solx86-nisd.c13175279Apr 25 12:41:12 2000
rpc.nisd remote root overflow, solaris 2.4 x86. Solaris 2.5.0 and 2.5.1 work with different offset. Homepage here. By Anathema
xsun2.c13041812Apr 27 13:41:03 2000
xsun2.c is a Solaris 7 x86 local root stack overflow for /usr/openwin/bin/Xsun. By Digit
lpset.c12933054Apr 25 12:39:30 2000
/usr/bin/lpset local root stack overflow for Solaris 7, x86. Homepage here. By Anathema
ypghost050.tar.gz128414609Apr 22 00:03:14 2000
ypghost is a remote NIS exploit that spoofs UDP packets. Uses libpcap. Homepage here. By Arny
hupux.sh12681645Apr 21 23:51:09 2000 hp-ux 09.04 local exploit - Takes advantage of default world writable /usr/local/bin. Homepage here.
xsun.c12242929Apr 25 12:35:21 2000
xsun.c is a Solaris 7 x86 local root stack overflow for /usr/openwin/bin/Xsun. Homepage here. By Anathema
bedie.tar.gz1184656Apr 19 00:46:11 2000
bedie is a beos (5.0/4.5) local dos exploit which exploits a kernel bug. ASM source and binary included. Homepage here. By Konstantin Boldyshev
ypk.tar.gz10231865Apr 7 13:04:00 2000
ypk.tar.gz exploits the remote root sunos 4.1.3 ypupdated / keyserv vulnerability. Homepage here.
rdist-bsd.c10171948Apr 22 00:06:36 2000
rdist-bsd.c is a /usr/bin/rdist local exploit for freebsd. Homepage here. By el8
yapp_exploit.c9543260Apr 11 13:04:00 2000
Local buffer overflow exploit for Yapp Conferencing System, Version 2.2. Homepage here. By Dave Bowman