
Welcome to the Exploits for May, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware

Sorted By: Last Modified.

File Name Downloads File Size Last Modified
0005-exploits.tgz3071400774Jul 13 2000 11:49:11
Packet Storm new exploits for May, 2000.
jidex.c6031877Jun 23 2000 16:52:07
Jidentd 1.0 IDENT server remote exploit. Tested under Slackware 3.6 and 4.0, Debian 2.1, Redhat 4.1, 5.0, 5.1 and 5.2. By Funkysh
DST2K0003.txt6772940Jun 2 2000 13:06:35
Delphis Consulting Plc Security Team Advisory DST2K0003 - Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool for Microsoft Windows NT v4.0 Server (SP6). Any user who can connect to TCP port 9999 can obtain a copy of the configuration. Secondly, passing an oversized buffer of 208 bytes or more in one of the configuration parameters crashes the service, overwriting the stack and EIP with whatever was passed in the parameter. By Delphis Consulting Security Team
DST2K0007.txt14562464Jun 2 2000 13:02:20
Delphis Consulting Plc Security Team Advisory DST2K0007 - Buffer Overrun in ITHouse Mail Server v1.04 for Microsoft Windows NT v4.0 Workstation (SP6). Sending an email via SMTP to an IT House Mail Server with a recipient name in excess of 2270 bytes causes a buffer overrun that overwrites EIP, allowing an attacker to execute arbitrary code on the server. By Delphis Consulting Security Team
DST2K0008.txt14512725Jun 2 2000 12:49:34
Delphis Consulting Plc Security Team Advisory DST2K0008 - Buffer Overrun in Sambar Server 4.3 (Production). Using the default finger script shipped with Sambar Server it is possible to cause a buffer overrun in sambar.dll that overwrites EIP, allowing the execution of arbitrary code. By Delphis Consulting Security Team
spad01.txt14403710Jun 1 2000 15:35:12
Security Point Advisory #001 - Java Internet Shop allows users to change the prices on items. The Danish Shopexpress and the English Zilron StoreCreator version 3.0 and below are vulnerable; an estimated 2500 online shops run this software. By Security Point, Inc
elmex.c6401200Jun 1 2000 11:43:00
Elm 2.4 PL25 local GID mail exploit. Tested under Slackware 3.6, 4.0, Redhat 5.0, and 5.1. By Funkysh
mailx.c16411453Jun 1 2000 11:41:41
Mailx local exploit - Tested on Slackware 3.6, 4.0, and 7.0 and Debian 2.0r2, 2.1, 2.2. Gives GID mail shell. By Funkysh
mdbms.c13856547Jun 1 2000 11:30:41
MDBMS V0.96b6 remote root exploit - This code demonstrates a MDBMS v0.96b6 vulnerability which allows any remote user to exec a root shell. Tested on Linux SuSE 6.3. By TDP
kill_sntsd.pl13661301Jun 1 2000 11:02:20
A remote buffer overflow has been discovered in the Simple Network Time Sync daemon and client version 1.0, tested on Redhat 6.1. Possible remote root compromise; a denial of service exploit is included. By Ben Taylor
Mail_bof.c14242160Jun 1 2000 00:05:35
/usr/bin/Mail local linux exploit which gives gid=12 shell. Tested against Slackware 3.6 and 7.0. By Vade79
majordomo.txt13079265May 31 2000 21:21:42
The mailing list software majordomo has several local vulnerabilities. Local commands can be run with the UID and GID used for majordomo. Exploit details and patch included. By Federico Schwindt
RFPickaxe2.pl10802643May 31 2000 16:41:05
RFPickaxe2.pl is a Windows port of RFP's demo exploit for the management console (ICECap) used by the BlackICE IDS; see RFP2K04.txt below. By Hypoclear
slirp_bof.c10382368May 31 2000 16:16:23
Slirp v1.0.10(RELEASE) local buffer overflow exploit for Linux which gives you a SGID shell if /usr/local/bin/slirp is mode 2755. Tested against Slackware 3.6. Includes perl script to find the offset. By Vade79
elm_last.c7262056May 31 2000 16:12:00
One last elm v2.4 / v2.5 exploit - gives EGID 12. This version works against almost all vulnerable versions of elm. By Vade79
sms.c16322324May 31 2000 15:35:49
sms.c is a remote buffer overflow exploit for the long subject line bug in SMS 1.8.2 (mail2sms gateway). Send the mail generated by this program and a shell will be listening on port 2222. Offsets adjusted for Redhat. By Venglin
teso-advisory-010.ta..>8483358May 31 2000 15:12:56
TESO Security Advisory #10 - KDE KApplication {} configfile vulnerability. Due to insecure creation of configuration files via the KApplication class, local users can create arbitrary files when running setuid root KDE programs. Tested with SuSE 6.4 standard installation under KDE 1.1.2. By Stealth
bugzpladv1_eng.txt9779741May 31 2000 15:05:52
BugzPL ADVISORY #1 - Bypassing restricted bash. bash-2 gives us the option to use a shell in restricted mode. Includes a patch to bash to eliminate most of the described attacks. By Arkth
DST2K0009.txt6053208May 31 2000 13:32:00
Delphis Consulting Plc Security Team Advisory DST2K0009 - Userlisting Bug in Ipswitch WS_FTP Server 1.05E allows remote users to confuse the server manager. By Delphis Security Team
swstack.txt11491237May 31 2000 10:14:35
Simple Web Server 0.5.1 stack overflow advisory. Allows EIP to be overwritten. By SectorX
icq.web.front.dos.tx..>30412066May 30 2000 20:56:28
ICQ Web Front remote denial of service vulnerability - ICQ 2000a, 99b, and 99a contain a vulnerability in the personal web server. Guestbook.cgi, installed by default, crashes when sent a long name. By Meliksah Ozoral
wemilo.tcl12753998May 29 2000 18:10:38
Remote Cart32 exploit - Though L0pht released an advisory and patch for the well known Cart32 bug, this is the first exploit released to date. Allows remote command execution. By Futant
jolt2.c73034187May 28 2000 00:27:57
jolt2.c exploits the recent "IP Fragment Reassembly" Windows remote denial of service vulnerability described in MS00-029. Tested against Win98, WinNT4 SP5/SP6 and Win2K from Linux. Allows the user to specify UDP or ICMP and to send a spoofed source address. Linux and Windows binaries also available. By Phoenix
elm-ex.c16041505May 27 2000 17:04:14
Elm 2.5 PL3 exploit tested under Linux Slackware 3.6, 4.0, 7.0. By Xfer
5niffi7.c250711722May 27 2000 01:41:51
5niffi7.c - Remote root exploit for sniffit (-L mail) 0.3.7.beta on Debian 2.2. Includes a detailed explanation of how the exploit works. By MaXX
Animal.c25052302May 27 2000 01:17:28
Gauntlet firewall remote proof of concept code, tested against BSDI. By Gramble
xaosexp.c15901301May 27 2000 00:46:34
/usr/bin/xaos local root buffer overflow exploit. Works on SuSE 6.1, and could be modified for 6.2. By DiGiT
ssibug1658923May 27 2000 00:36:34
The thttpd web server comes with a CGI script called /cgi-bin/ssi which allows any file on the system to be read. Exploit URL included. By DiGiT
elm_again.c13112183May 26 2000 22:03:43
elm_again.c exploits another buffer overflow in elm v2.5 giving a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6 and RedHat on elm2.5PL3. By Vade79
CISADV000524a.txt7173365May 26 2000 17:11:00
Cerberus Information Security Advisory (CISADV000524a) - The Cerberus Security Team has discovered a serious security flaw in Rockliffe's MailSite Management Agent for Windows (version number not recovered). This server allows remote users to access their POP3 accounts and read their mail over HTTP; the service usually listens on TCP port 90. Unfortunately there exists a buffer overrun vulnerability that allows attackers to execute arbitrary code. As this service runs as SYSTEM by default, any code executed will run with SYSTEM privileges, meaning any server running this agent could be fully compromised.
access.counter-4.0.7..>12411223May 26 2000 16:47:12
A popular CGI web page access counter, version 4.0.7 by George Burgyan, permits execution of arbitrary commands as a result of unchecked user input. Commands are executed with the permissions of the webserver. By Howard M. Kash III
elm_bof25.c11812043May 26 2000 14:17:11
Elm v2.5 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on elm 2.5PL1-3, on Red Hat. Perl script to find offsets included. By Vade79
elm_bof24.c10471945May 26 2000 14:16:00
Elm v2.4 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6, elm 2.4PL25. Perl script to find offsets included. By Vade79
ezboard-scx-sa-03.tx..>12532868May 26 2000 12:06:35
Securax-SA-03 - Ezboard v5.3.9 remote dos attack via wildcards in URL. By Frazzle_Freckle
lpsetexp.c6971735May 26 2000 00:51:00
Solaris 2.7 lpset local exploit, i386. By DiGiT
fdmountx.c14991039May 25 2000 11:44:18
/usr/bin/fdmount local linux exploit. By War
filterape.c13762686May 25 2000 11:42:02
filterape.c exploits a new elm buffer overflow to get EGID mail on Slackware. By Scrippie
Xsh0k.c20644435May 25 2000 03:32:41
X Window System remote DoS attack - creates a sequence of socket connections to TCP port 6000. X slows to a crawl and sometimes stops responding to user input. By Norby
CISADV000524b.txt8063416May 24 2000 17:43:00
The Cerberus Security Team has discovered that a flaw in the Carello web shopping cart enables remote attackers to view .asp files on the server. Affected system: Windows NT running IIS. By Robert Horton
dnsloop.tar.gz8524061May 24 2000 15:22:00
A remote denial of service exploit against tcpdump. Tcpdump interprets UDP packets on port 53 as DNS traffic; domain names in DNS packets use a compression scheme in which a pointer jumps to a particular offset in the packet to avoid repeating a name. If a packet sets that offset so the pointers form a loop, and the decompressor has no strategy for detecting it, tcpdump falls into an infinite loop. By Hugo Breton
b0f5-Qpopper.txt29045946May 24 2000 12:55:59
BufferOverflow Security Advisory #5 - Remote shell via Qpopper 2.53. qpop_euidl.c exploit included. Requires a qpop account and gives UID mail. By Prizm
socket-dos.c16101167May 23 2000 11:48:29
socket-dos.c is a local ssh-1.2.27 exploit which creates a UNIX domain socket with an arbitrary file name anywhere in the filesystem on some machines.
sniffitexp.c16024384May 23 2000 11:25:28
Sniffit 0.3.7Beta Remote Exploit - sniffit has to be running with the -L mail flag set for this to work. Tested on RedHat 6.0. By Noir
killsentry.c14454670May 23 2000 10:42:01
killsentry.c shows that automatic firewalling is a bad idea by sending spoofed FIN packets from different hosts in an attempt to confuse Portsentry. Tested on FreeBSD 3.2. By Andrew Alston
ascend.c11539820May 23 2000 10:30:05
Ascend remote denial of service - Upon receiving a packet with non-zero-length TCP offsets, Ascend terminal servers crash. Linux based exploit included. By The Posse.
kshux.c11883908May 22 2000 14:35:38
kshux.c -- krshd remote root exploit. This program exploits a vulnerability in the 'krshd' daemon included with the MIT Kerberos distribution. All versions are apparently vulnerable. This exploit is for Linux/x86 with Kerberos version 1.0. By Jim Paris
joe-fixed.c12181626May 22 2000 14:31:57
joe v2.8 stack overflow. joe overflows when trying to open() $HOME/.joerc. This is simply proof of concept code, hopefully to get the bug fixed. It will attempt to spawn a rootshell. By SectorX.
ksux.c10331291May 22 2000 14:31:49
ksux.c -- ksu exploit. This program exploits a vulnerability in the 'ksu' utility included with the MIT Kerberos distribution. Versions prior to 1.1.1 are vulnerable. This exploit is for Linux/x86 with Kerberos version 1.0. Exploits for other operating systems and versions of Kerberos should also work. By Jim Paris
shellhit.c11851758May 22 2000 10:47:15
shellhit.c - the TESO Hellkit contains a buffer overflow; this exploit is just meant to be funny. To all script kiddies: you won't get root from this, go and find something more useful. By scrippie
cproxy.c12142410May 19 2000 13:17:27
Remote Denial of Service for CProxy v3.3 - Service Pack 2 for Windows NT. By TDP
xsol-x.c17972212May 19 2000 11:55:37
/usr/local/games/xsoldier local root exploit. Tested under Mandrake 7.0. By Larry W. Cashdollar
klogin.c16943570May 19 2000 11:18:05
BSDI 4.0.1 klogin remote root buffer overflow. The bug is actually in the Kerberos library, so this affects all Kerberos IV services. This code should need minimal (if any) modification to use on other Kerberos services. By Duke
beos5-dos.txt16472050May 19 2000 10:41:22
AUX Technologies Security Advisory - BeOS Remote Denial of Service. The BeOS operating system version 5.0 has a vulnerability in TCP fragmentation handling which can lock up the system, requiring a cold reset. The bug can be reproduced using ISIC-0.05. By Visi0n
RFP2K05.txt12413870May 19 2000 09:13:41
NetProwler 3.0, a network based intrusion detection system, has a remote denial of service vulnerability. The software crashes when two fragmented IP packets are sent to an IP address that it is profiling. NetProwler must be profiling ftp in order for the exploit to work. Please note that NetProwler logs all incoming alerts to a Microsoft .mdb file. Please read RFP2K04.txt for more information. By Rain Forest Puppy
l0phtl0phe-kid.c17614367May 18 2000 22:57:00
l0phtl0phe-kid.c - Easy antisniff v1.02 exploit. l0pht messed up the fix for their problem in antisniff by not regarding the signedness properties of the char and int values used, resulting in a neat method of bypassing the extra length + strncat checks. This version has been made easy enough for script kiddies to use, to avoid the "doesn't work" lamer claim. By Scut
l0phtl0phe.c16135516May 18 2000 15:29:50
l0phtl0phe.c - antisniff exploit (1.02 included). l0pht messed up the fix for their problem in antisniff by not regarding the signedness properties of the char and int values used, resulting in a neat method of bypassing the extra length + strncat checks. By Scut
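The signedness class that both antisniff entries above describe, as an added illustration written for this listing (it is not antisniff's code nor Scut's exploit): a length byte read into a signed 8-bit type passes a "too long" comparison when it is negative and then widens to an enormous size_t for the copy, so the check in front of strncat() guards nothing. The per-field limit MAXFIELD, the length-prefixed field layout and the sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXFIELD 16   /* hypothetical per-field limit the checks enforce */

/* Buggy pattern: the wire length byte lands in a signed 8-bit type (what
 * "char" is on x86), is compared against the limit, then widened to
 * size_t for the copy. 0x80..0xFF are negative, so they pass "len > MAX"
 * and become huge size_t values. Returns the byte count the copy would be
 * given, or 0 when the check rejects the field. */
size_t checked_len_buggy(uint8_t wire_len)
{
    int8_t len = (int8_t)wire_len;
    if (len > MAXFIELD)
        return 0;                 /* -1 > 16 is false: 0xFF slips through */
    return (size_t)len;           /* (size_t)-1 == SIZE_MAX */
}

/* Fixed pattern: keep the length unsigned from the wire onward and bound
 * it by both the policy limit and the room actually available. */
size_t checked_len_fixed(uint8_t wire_len, size_t avail)
{
    size_t len = wire_len;
    if (len > MAXFIELD || len > avail)
        return 0;
    return len;
}

/* Append a length-prefixed field (field[0] = length, field[1..] = bytes)
 * to the NUL-terminated string dst of capacity dstsz, using the fixed
 * check. Returns 1 on success, 0 if the field was rejected (dst untouched). */
int append_field(char *dst, size_t dstsz, const uint8_t *field)
{
    size_t used = strlen(dst);
    size_t room = dstsz - used - 1;             /* keep space for the NUL */
    size_t n = checked_len_fixed(field[0], room);
    if (field[0] != 0 && n == 0)
        return 0;
    strncat(dst, (const char *)field + 1, n);   /* n really is bounded now */
    return 1;
}

/* Constructed sample fields (not captured traffic). */
static const uint8_t good_field[] = { 3, 'a', 'b', 'c' };
static const uint8_t evil_field[] = { 0xFF, 'x', 'x', 'x' };   /* length -1 as int8_t */

static char demo_dst[32];

/* Reset the destination to "host=" and try to append one field. */
int append_demo(const uint8_t *field)
{
    strcpy(demo_dst, "host=");
    return append_field(demo_dst, sizeof demo_dst, field);
}

int demo_dst_equals(const char *s) { return strcmp(demo_dst, s) == 0; }

int main(void)
{
    printf("buggy check, wire len 0xFF -> copy bound %zu\n", checked_len_buggy(0xFF));
    printf("fixed check, wire len 0xFF -> copy bound %zu\n", checked_len_fixed(0xFF, 26));
    append_demo(good_field);
    printf("append good field: %s\n", demo_dst);
    printf("append evil field accepted? %d\n", append_demo(evil_field));
    return 0;
}
```

The fix is not only the unsigned type: the bound handed to strncat() must also be derived from the space left in the destination, otherwise a legal length that is merely larger than the remaining room still overflows.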
gnomelib.sh14742122May 18 2000 02:41:35
SuSE 6.3 and 6.4 gnomelib local root exploit. All GNOME apps have an exploitable buffer overflow when reading the DISPLAY environment variable. By Bladi and Almudena
ADMDNews.zip17373833May 18 2000 02:35:36
ADMDNews_v2 - WinNT/Win2K x86 exploit for the NetWin DNews server (v5.0f - v5.3e3) gupcgi.exe/dnewsweb.exe CGIs. This program exploits the buffer overflow condition in the gupcgi.exe/dnewsweb.exe CGIs while processing the "cmd" parameter. Tested and confirmed under WinNT 4.0 SP5/SP6 & Win2K Beta 3 RC2 (build 2128). By Joey__
sniffit.c22253587May 18 2000 02:24:13
Sniffit 0.3.7beta Linux/x86 Remote Exploit. Tested on RedHat 5.2, 6.0, 6.2. By FuSyS
netopia.advisory.r91..>9182340May 17 2000 16:34:42
The Netopia R9100 permits a user not authorized with the special security password to nevertheless modify the SNMP community strings, including enabling SNMP access that should be disabled. By Stephen Friedl.
Emurl2.0.windows13341945May 17 2000 15:43:53
Users can read the mailbox contents of anybody on the system. They can also steal other users' POP passwords, since Emurl lets a user fetch POP mail from more than one source.
Banner.rotating11282967May 17 2000 15:40:57
A file called adpassword.txt is world-readable because it is assigned the wrong permissions. This allows a malicious attacker to read the file, crack the DES-encrypted password it contains (using a common-or-garden password cracker), and edit banner entries to add or remove banners. By zillion.
DoS-CProxyv3.313442423May 17 2000 15:37:27
Remote Denial of Service for CProxy v3.3 - Service Pack 2. This program exploits an overflow vulnerability in the CProxy 3.3 SP2 HTTP service (port 8080), causing a server shutdown.
cisco760.c10805137May 17 2000 15:34:13
Cisco 760 Series Connection Overflow. Affected Systems: Routers Cisco 760 Series. Others not tested. By Tiz.Telesup.
(file name missing) May 17 2000 15:23:28
Remote users can execute arbitrary commands on the web server with the privilege level of the httpd process. By Suid.
cisco.00-05-14.http112929196May 17 2000 13:44:07
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled and a browser requests "http://<router address>/%%". This defect can be exploited to produce a denial of service (DoS) attack. It has been discussed on public mailing lists and should be considered public information.
sses-sshauth.txt9406110May 17 2000 12:22:30
A vulnerable secure shell distribution is available from the popular Zedz Consultants FTP site (formerly known under another name). The Red Hat Linux RPM ssh-1.2.27-8i.src.rpm contains a PAM patch with faulty logic that lets users essentially pass through the username/password authentication step and gain shell access.
ACROS-2000-04-06-1-P..>97917712May 17 2000 12:15:49
Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator.
lpset.overflow8341204May 17 2000 11:54:35
Here's an overflow exploit that works on a non-exec stack on x86 boxes. It demonstrates how it is possible to thread together several libc calls. By Tim Newsham.
windows2k.iss18271091May 17 2000 11:40:59
There is a security problem with shtml.exe that allows anyone to learn the local path of the IIS web server. Found by Frankie Zie.
DoS.cayman9621089May 17 2000 11:37:31
Simple DoS attack against the Cayman 3220-H DSL Router. Large username or password strings sent to the Cayman HTTP admin interface restart the router. The router log will show "restart not in response to admin command". By Cassius.
CISADV000505.txt8923049May 17 2000 11:33:03
Cerberus Information Security Advisory (CISADV000505) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Netwin's DNewsWeb (dnewsweb/dnewsweb.exe v5.3e1), a CGI program designed to give access to NNTP services over the world wide web. By supplying a specially formed QUERY_STRING to the program a buffer is overflowed, allowing execution of arbitrary code and compromising the web server. By Mark Litchfield.
nai.00-05-04.trendmi..>8393359May 17 2000 11:29:25
Network Associates, Inc. COVERT Labs Security Advisory - An implementation flaw in the InterScan VirusWall SMTP gateway allows a remote attacker to execute code with the privileges of the daemon.
CISADV000504.txt9103021May 17 2000 11:13:45
Cerberus Information Security Advisory (CISADV000504) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Netwin's DMailWeb (dmailweb/dmailweb.exe v2.5d), a CGI program designed to give access to a user's SMTP and POP3 server over the world wide web. By supplying a specially formed QUERY_STRING to the program a buffer is overflowed, allowing execution of arbitrary code and compromising the web server. By David Litchfield.
CISADV000503.txt90313488May 17 2000 11:02:13
Cerberus Information Security Advisory (CISADV000503) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Lsoft's Listserv Web Archive component (wa/wa.exe v1.8d, the most recent version at the time). By David Litchfield.
rm.racecondition870945May 17 2000 10:50:56
If root ever does "rm -rf /tmp/foo" for a directory structure not completely owned by root, a local user can delete all files that root can. By Morten Welinder.
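The race above works because a path-based recursive delete re-resolves each path component as it descends, so a directory the attacker renames and replaces with a symlink mid-walk sends the deletion elsewhere. As an added example written for this listing (not Welinder's advisory and not coreutils' code), this is a recursive delete that walks by file descriptor, never follows symlinks, and checks that the directory it opened is the one it classified. The fixture paths under /tmp are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete `name` (relative to the open directory parentfd) recursively.
 * Every step is relative to an fd, symlinks are never followed, and the
 * directory we open is compared by (dev, ino) with the one we classified,
 * so a rename or symlink introduced mid-walk cannot redirect the deletion.
 * Returns 0 on success, -1 with errno set otherwise. */
static int rmtree_at(int parentfd, const char *name)
{
    struct stat st, st2;
    if (fstatat(parentfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return unlinkat(parentfd, name, 0);      /* file or symlink: remove the entry only */

    int fd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st2) < 0 || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) {
        close(fd);
        errno = EAGAIN;                          /* directory swapped between the two calls */
        return -1;
    }
    DIR *d = fdopendir(fd);                      /* d now owns fd */
    if (!d) { close(fd); return -1; }

    int rc = 0;
    for (;;) {                                   /* re-scan until a pass deletes nothing */
        int deleted = 0;
        struct dirent *e;
        rewinddir(d);
        while (rc == 0 && (e = readdir(d)) != NULL) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
                continue;
            if (rmtree_at(dirfd(d), e->d_name) < 0) rc = -1;
            else deleted++;
        }
        if (rc < 0 || deleted == 0) break;
    }
    closedir(d);
    return rc < 0 ? -1 : unlinkat(parentfd, name, AT_REMOVEDIR);
}

/* Entry point: like "rm -rf path", except that path itself may not be a symlink. */
int rmtree(const char *path)
{
    return rmtree_at(AT_FDCWD, path);
}

static int touch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Constructed fixture: a tree containing a symlink that points at a
 * directory outside it. Deleting the tree must remove the link, not the
 * target's contents. Returns 0 when all checks pass, else a bitmask. */
int rmtree_demo(void)
{
    char victim[] = "/tmp/rmtree-victim-XXXXXX";   /* must survive */
    char tree[]   = "/tmp/rmtree-tree-XXXXXX";     /* gets deleted */
    char p[512];
    struct stat st;
    int bad = 0;

    if (!mkdtemp(victim) || !mkdtemp(tree)) return 1;
    snprintf(p, sizeof p, "%s/keep", victim);      if (touch(p) < 0) return 2;
    snprintf(p, sizeof p, "%s/sub", tree);         if (mkdir(p, 0700) < 0) return 4;
    snprintf(p, sizeof p, "%s/sub/file", tree);    if (touch(p) < 0) return 8;
    snprintf(p, sizeof p, "%s/sub/evil", tree);    if (symlink(victim, p) < 0) return 16;

    if (rmtree(tree) < 0) bad |= 32;
    if (lstat(tree, &st) == 0) bad |= 64;          /* tree must be gone */
    snprintf(p, sizeof p, "%s/keep", victim);
    if (lstat(p, &st) != 0) bad |= 128;            /* victim's file must still exist */
    rmtree(victim);                                /* clean up the fixture */
    return bad;
}

int main(void)
{
    int r = rmtree_demo();
    printf("%s (code %d)\n", r ? "FAILED" : "tree removed, symlink target untouched", r);
    return r != 0;
}
```

The (dev, ino) comparison closes the window between the fstatat() that said "directory" and the openat() that enters it; O_NOFOLLOW alone would refuse a symlink but not a directory that was swapped for a different directory, which a bind mount or rename could still exploit.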
ultraboardv1.61291819May 17 2000 10:47:08
By using the good old null byte (\000) it's possible to open "any" file on the webserver (with its permissions) running the "UltraBoard" forum software. By rudic.
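The null-byte truncation in the entry above, seen from the C side, as an added example written for this listing (it is not UltraBoard's code and does not reproduce its exploit). A script written in a counted-string language concatenates base + user input + a forced extension; libc's open() takes a NUL-terminated string, so everything after a user-supplied \0, including the extension, silently disappears. The base directory, the extension and the sample inputs are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, as a forum script might use it: files live under a
 * fixed base and the script forces an extension by appending it. */
static const char BASE[] = "/var/www/forum/";
static const char EXT[]  = ".html";

/* Naive builder, mirroring what a counted-string language does: base +
 * user bytes + ext, without looking at the bytes. Returns the counted
 * length; the buffer may contain an embedded NUL. */
size_t build_naive_path(const uint8_t *user, size_t userlen, uint8_t *out, size_t outsz)
{
    size_t need = strlen(BASE) + userlen + strlen(EXT);
    if (need > outsz) return 0;
    memcpy(out, BASE, strlen(BASE));
    memcpy(out + strlen(BASE), user, userlen);
    memcpy(out + strlen(BASE) + userlen, EXT, strlen(EXT));
    return need;
}

/* What open()/fopen() actually see of a counted buffer: everything up to
 * the first NUL. With a user-supplied \0 the forced extension vanishes. */
size_t effective_path_len(const uint8_t *buf, size_t len)
{
    const uint8_t *nul = memchr(buf, 0, len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Hardened builder: refuse embedded NULs, control bytes, separators and
 * leading dots (".", "..", dotfiles) before concatenating. Returns 1 and a
 * NUL-terminated path on success, 0 on rejection. */
int build_safe_path(const uint8_t *user, size_t userlen, char *out, size_t outsz)
{
    if (userlen == 0 || userlen > 64 || memchr(user, 0, userlen) != NULL)
        return 0;
    if (user[0] == '.')
        return 0;
    for (size_t i = 0; i < userlen; i++) {
        uint8_t c = user[i];
        if (c < 0x20 || c == 0x7F || c == '/' || c == '\\')
            return 0;
    }
    size_t need = strlen(BASE) + userlen + strlen(EXT) + 1;
    if (need > outsz) return 0;
    memcpy(out, BASE, strlen(BASE));
    memcpy(out + strlen(BASE), user, userlen);
    memcpy(out + strlen(BASE) + userlen, EXT, strlen(EXT) + 1);
    return 1;
}

/* Constructed inputs. The hostile one embeds \0 after a traversal path, so
 * the script's ".html" lands after the NUL where C stops reading. */
static const uint8_t clean_input[]   = "topic42";
static const uint8_t hostile_input[] = "../../../etc/passwd\0ignored";

static uint8_t naive_buf[256];
static char safe_buf[256];

size_t naive_len_hostile(void)
{ return build_naive_path(hostile_input, sizeof hostile_input - 1, naive_buf, sizeof naive_buf); }

size_t effective_len_hostile(void)
{ return effective_path_len(naive_buf, naive_len_hostile()); }

int safe_accepts_clean(void)
{ return build_safe_path(clean_input, sizeof clean_input - 1, safe_buf, sizeof safe_buf); }

int safe_accepts_hostile(void)
{ return build_safe_path(hostile_input, sizeof hostile_input - 1, safe_buf, sizeof safe_buf); }

int safe_buf_equals(const char *s) { return strcmp(safe_buf, s) == 0; }

int main(void)
{
    size_t n = naive_len_hostile(), eff = effective_len_hostile();
    printf("naive path is %zu bytes, open() sees %zu: \"%.*s\"\n",
           n, eff, (int)eff, (const char *)naive_buf);
    safe_accepts_clean();
    printf("safe builder, clean input -> %s\n", safe_buf);
    printf("safe builder accepts hostile input? %d\n", safe_accepts_hostile());
    return 0;
}
```

The length check on its own is not enough: a validator that only looks for "..", or only checks the extension of the counted string, sees a string that ends in ".html" and passes it, which is exactly why the byte-level rejection of \0 has to happen before any other test.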
RFP2K04.txt17895058May 17 2000 10:31:12
RFP2K04 - Mining BlackICE with RFPickAxe. BlackICE IDS uses a management console called ICECap to collect and monitor alerts sent by the various installed BlackICE agents. The ICECap user console sits on port 8081 and has the default login of 'iceman' with no password. The second problem is that the software uses, by default, the Microsoft Jet 3.5 engine to store alerts. If you couple that with the shell VBA problem (CVE: CAN-2000-0325), that means you can push alerts that contain commands to be executed on the ICECap system. Includes demo exploit. By Rain Forest Puppy
disable.tcpdump9374009May 17 2000 10:24:06
There is a way to disable tcpdump running on a remote host. By sending a carefully crafted UDP packet on the network which tcpdump monitors, it is possible, under certain circumstances, to make tcpdump fall into an infinite loop. By Hugo Breton.
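The compression-pointer loop behind this entry and dnsloop.tar.gz above, as an added example written for this listing (it is not tcpdump's decoder and not Breton's exploit): a DNS name decoder with the two guards that make the loop impossible. RFC 1035 says a pointer (top two bits 11, low 14 bits an offset) refers to a prior occurrence of a name, so every hop must move strictly backwards, which on its own rules out self-reference and cycles; a cap on the number of hops is kept as a second, independent bound. The packets are constructed for the example, with twelve zero bytes standing in for the header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME  255
#define DNS_MAX_JUMPS 32   /* no legitimate name needs anywhere near this many pointers */

/* Decode the (possibly compressed) name at packet offset `off` into a
 * dotted, NUL-terminated string. Returns the number of bytes the name
 * occupies at `off` so a caller can step past it, or -1 for a malformed
 * or looping name. */
int dns_decode_name(const uint8_t *pkt, size_t pktlen, size_t off,
                    char *out, size_t outsz)
{
    size_t pos = off, outlen = 0, consumed = 0;
    int jumps = 0, jumped = 0;

    if (outsz == 0) return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= pktlen) return -1;
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {                        /* compression pointer */
            if (pos + 1 >= pktlen) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (!jumped) consumed = pos + 2 - off;         /* pointer ends the name on the wire */
            jumped = 1;
            /* Guard 1: bounded hop count. Guard 2: hops only go backwards. */
            if (++jumps > DNS_MAX_JUMPS || target >= pos) return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                         /* 0x40/0x80 prefixes are reserved */
        if (len == 0) {                                    /* root label terminates the name */
            if (!jumped) consumed = pos + 1 - off;
            return (int)consumed;
        }
        if (pos + 1 + len > pktlen) return -1;
        if (outlen + len + 1 > DNS_MAX_NAME || outlen + len + 1 >= outsz) return -1;
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, pkt + pos + 1, len);
        outlen += len;
        out[outlen] = '\0';
        pos += 1 + len;
    }
}

/* Constructed packets (not captures). */
static const uint8_t sample_pkt[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offset 12: www.example.com */
    3,'f','t','p', 0xC0, 16                                             /* offset 29: ftp + pointer to offset 16 */
};
static const uint8_t loop_pkt[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    0xC0, 12                                                            /* offset 12: pointer to itself */
};
static const uint8_t cycle_pkt[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    0xC0, 14, 0xC0, 12                                                  /* 12 -> 14 -> 12 -> ... */
};

static char decoded[256];

int decode_sample(size_t off)
{ return dns_decode_name(sample_pkt, sizeof sample_pkt, off, decoded, sizeof decoded); }
int decode_loop(void)
{ return dns_decode_name(loop_pkt, sizeof loop_pkt, 12, decoded, sizeof decoded); }
int decode_cycle(void)
{ return dns_decode_name(cycle_pkt, sizeof cycle_pkt, 12, decoded, sizeof decoded); }
int decoded_equals(const char *s) { return strcmp(decoded, s) == 0; }

int main(void)
{
    int n = decode_sample(12); printf("offset 12: %d bytes on the wire, name %s\n", n, decoded);
    n = decode_sample(29);     printf("offset 29: %d bytes on the wire, name %s\n", n, decoded);
    printf("self-referential pointer -> %d\n", decode_loop());
    printf("two-pointer cycle        -> %d\n", decode_cycle());
    return 0;
}
```

Note that `consumed` is frozen at the first pointer: a compressed name occupies only the bytes up to and including that pointer in the record being parsed, however long the expanded name is, so a parser that advanced by the expanded length would desynchronise on the very next record.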
filemaker.pro549353443May 17 2000 10:21:55
The precise details of how to exploit these holes are withheld to avoid compromising the integrity of all current Internet-accessible FileMaker Pro 5 databases and mail servers. However, the details can be easily deduced by referencing the FileMaker Pro 5 documentation and by consulting the FileMaker XML Technology Overview white paper available via the FileMaker XML Central Web site.
cisco.help11074957May 17 2000 10:18:53
It seems that, even though a regular (non-"enabled") user should not be able to see the access lists or other security-related information on the router, one can do just that. The online help system doesn't list the commands as available, but of the 75 extra "show" options available in "enable" mode (on a 3640 running 12.0(5)), only 13 were actually restricted. By Fernando Montenegro.
pam_console.bug9392130May 17 2000 10:13:37
When accepting a console login, pam_console (called by /bin/login) tries to be user-friendly by chowning several devices to the user: the login tty and its corresponding vcs[a] device, as well as other interesting devices such as fd*, audio devices (dsp*, mixer*, audio*, midi*, sequencer), cdrom, streamer/zip drive devices, frame buffer devices, kbd*, js*, video*, radio*, winradio*, vtx*, vbi* and so on. It is presumably designed to make console logins more comfortable, but it has DEADLY effects on servers that allow console logins by ordinary users (which is quite common).
JANAHTTP.server11191318May 17 2000 10:04:31
Here is how to exploit the bug for cracking systems running Jana. I tested it with Jana 1.45 on Windows 98 and Windows 2000. 1. Open a browser window. 2. Type the exploit URL (not recovered here). By eAX.
fdmnt-smash2.c11733165May 17 2000 09:33:38
fdmount local root exploit - tested on Slackware 4.0. Must be in the floppy group. Modified from last version to work on Slackware 7. By Scrippie
ismyasp.pl22282412May 15 2000 13:15:22
LoWNOISE - ISMyASP - IIS ASP source code viewer using the ISM.DLL buffer truncation bug. By Efrain 'ET' Torres
(file name truncated) 15461165 May 15 2000 13:07:13
New vulnerability found in Allmanage. This one gives access to the main admin panel, where you can set a lot of options and variables. Websites using Allmanage Website Administration Software 2.6 with the upload ability contain an easily exploited vulnerability which gives you full add/delete/change access in the user-account directories and lets you change the files in the main directory of the CGI script. By Bighawk
ftpexp.c25592458May 15 2000 13:01:56
getwd() overflow in FTP Server (Version 6.2/OpenBSD/Linux-0.10), possibly 6.3 as well. Linux exploit, remote penetration. Submitted Anonymously.
7350kscd.tar.gz12598307May 15 2000 12:43:59
New TESO kscd exploit (kscd is the CD player in the KDE multimedia package). By TESO
netprex.c189013152May 14 2000 17:39:38
netprex.c is a SPARC / i386 buffer overflow root exploit for /usr/lib/lp/bin/netpr. Tested on Solaris 2.6 & 2.7. By Cheez Whiz
(file name missing) May 13 2000 23:31:31
Websites using Allmanage Website Administration Software 2.6 with the upload ability contain an easily exploited vulnerability which gives you full add/delete/change access in the user-account directories and lets you change the files in the main directory of the CGI script. By Bighawk
watcheador.zip2946174158May 13 2000 23:22:11
Watcheador is a Windows application that lets you view ASP source code using the Index Server bug in IIS 4 and IIS 5. Written in Delphi 4.0. Comments in Spanish. By Leon De Juda
(file name missing) May 13 2000 17:06:00
Silent delivery and installation of an executable on a target Windows computer is possible by combining several bugs. No client input other than opening an email or newsgroup post is necessary, making the possibilities endless. The key component is Georgi Guninski's WordPad overflow; an ActiveX control does the rest. Exploit code included.
nis-spoof.c13738039May 11 2000 20:10:07
nis-spoof.c spoofs the response from a NIS server to a client. By Trevor Schroeder
bugzilla.txt24568782May 11 2000 18:00:26
BufferOverflow Advisory: Unchecked system call in Bugzilla 2.8. The script used to submit new bugs, process_bug.cgi, is vulnerable because it does not check the contents of the who field. Includes Perl remote exploit code.
napstir.c40702140May 11 2000 15:39:55
Gnapster and possibly other napster clients do not check the integrity of filenames in download requests. Any filename that the client user has read access to may be downloaded. Also includes some service denial techniques. By S
hack-hm-1.1.txt61464178May 10 2000 18:09:51
Hotmail is vulnerable to yet another serious security problem involving javascript. Windows, MacOS, and Linux users are affected. Consequences include hotmail account takeover, redirecting a hotmail user to any site, or access to the users computer if combined with other known exploits. By Hawaiian Superman
netsolbug.txt23972128May 9 2000 14:43:18
Major security issue with (subject not recovered). This is being distributed on IRC. By vade79
SSG-arp.c13403253May 7 2000 20:02:47
SSG-arp.c - AIX local root /usr/sbin/arp exploit. By Cripto
elm-smash.c17462267May 5 2000 12:03:19
This exploit spawns an EGID mail shell on the default Slackware 4 install. By scrippie
(file name missing) May 5 2000 11:57:12
It is possible to cause a kernel panic on systems running NetBSD by sending a packet remotely with an unaligned IP Timestamp option. By ipfreely
connect.asm16273152May 4 2000 16:47:42
Passive Connection Shellcode. Source is well documented. By scrippie
cart32scan.c15093347May 4 2000 14:21:25
Originally posted on BugTraq regarding the Cart32 vulnerability. This code checks whether the host is active and then makes an HTTP connection to the victim. It then scans the victim for the vulnerable version of Cart32 and prints to stdout whether the server is vulnerable or not. By rossex
RFParalyze.txt27235731May 3 2000 14:56:44
Through a NetBIOS session request packet with a NULL source name, Windows 9[5,8] shows a number of odd responses: everything from lockups, reboots and the "blue screen of death" to total loss of network connectivity. Source code included. Reverse engineered from a binary exploit already in use. By Rain Forest Puppy and Evan Brewer.
cart32scan.pl18011542May 2 2000 13:53:33
Script used to scan for the Cart32 vulnerability. Anonymously Submitted.
ISS.txt31902128May 2 2000 13:29:33
The Internet Scanner and RealSecure products can both be turned to malicious use. Submitted Anonymously.
tcpb.c26537029May 1 2000 14:03:18
A backdoor over non-connected, spoofed TCP packets. By CyRaX
fork2.c903555Apr 17 2000 13:04:00
This variation of a fork bomb will still affect Linux machines with process/user limits in effect. These processes are unkillable as of 2.2.5 and possibly 2.2.14. By Christophe Blaess
hack-hm-1.0.txt16874662Apr 10 2000 13:04:00
Hotmail is vulnerable to yet another serious security problem involving javascript. Windows, MacOS, and Linux users are affected. Filters may be bypassed by putting line feeds in the middle of the javascript code, the browser will remove the line feeds and execute it. By Hawaiian Superman