

Welcome to the Exploits for May, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware

Sorted By: File Size.

File Name | Downloads | File Size (bytes) | Last Modified
0005-exploits.tgz | 3071 | 400774 | Jul 13 11:49:11 2000
Packet Storm new exploits for May, 2000.
watcheador.zip | 2946 | 174158 | May 13 23:22:11 2000
Watcheador is a Windows application that allows you to view ASP source code using the Index Server bug in IIS 4 & IIS 5. Written in Delphi 4.0. Comments in Spanish. By Leon De Juda
cisco.00-05-14.http | 1129 | 29196 | May 17 13:44:07 2000
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload if the IOS HTTP service is enabled and browsing to "http:///%%" is attempted. This defect can be exploited to produce a denial of service (DoS) attack. This defect has been discussed on public mailing lists and should be considered public information. Homepage Here.
ACROS-2000-04-06-1-P..> | 979 | 17712 | May 17 12:15:49 2000
Bypassing Warnings For Invalid SSL Certificates In Netscape Navigator. Homepage Here.
CISADV000503.txt | 903 | 13488 | May 17 11:02:13 2000
Cerberus Information Security Advisory (CISADV000503) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Lsoft's (www.lsoft.com) Listserv Web Archive component (wa/wa.exe v1.8d - this is the most recent version). Homepage Here. By David Litchfield.
netprex.c | 1890 | 13152 | May 14 17:39:38 2000
netprex.c is a SPARC / i386 buffer overflow root exploit for /usr/lib/lp/bin/netpr. Tested on Solaris 2.6 & 2.7. By Cheez Whiz
5niffi7.c | 2507 | 11722 | May 27 01:41:51 2000
5niffi7.c - Remote root exploit for sniffit (-L mail) 0.3.7.beta on Debian 2.2. Includes a detailed explanation of how the exploit works. By MaXX
ascend.c | 1153 | 9820 | May 23 10:30:05 2000
Ascend remote denial of service - Upon receiving a packet with non zero length tcp offsets ascend terminal servers will crash. Linux based exploit included. Homepage here. By The Posse.
bugzpladv1_eng.txt | 977 | 9741 | May 31 15:05:52 2000
BugzPL ADVISORY #1 - Bypassing restricted bash. bash-2 gives us the option to use a shell in restricted mode. Includes a patch to bash to eliminate most of the described attacks. By Arkth
majordomo.txt | 1307 | 9265 | May 31 21:21:42 2000
The mailing list software majordomo has several local vulnerabilities. Local commands can be run with the UID and GID equal to the one used for majordomo. Exploit details and patch included. Homepage here. By Federico Schwindt
bugzilla.txt | 2456 | 8782 | May 11 18:00:26 2000
BufferOverflow Advisory: Unchecked system call in Bugzilla 2.8. The script used to submit new bugs, process_bug.cgi, is vulnerable because it does not check the contents of the who field. Includes perl remote exploit code. Homepage here. By {}
nhc.kp.txt | 1511 | 8737 | May 5 11:57:12 2000
It is possible to cause a kernel panic on systems running NetBSD by sending a packet remotely with an unaligned IP Timestamp option. Homepage here. By ipfreely
7350kscd.tar.gz | 1259 | 8307 | May 15 12:43:59 2000
New TESO kscd exploit (kscd is the CD player in the KDE multimedia package). Homepage here. By TESO
nis-spoof.c | 1373 | 8039 | May 11 20:10:07 2000
nis-spoof.c spoofs the response from a NIS server to a client. Homepage here. By Trevor Schroeder
tcpb.c | 2653 | 7029 | May 1 14:03:18 2000
A backdoor over non connected and spoofed tcp packets. Homepage here. By CyRaX
silent.delivery.txt | 829 | 6948 | May 13 17:06:00 2000
Silent delivery and installation of an executable on a target Windows computer is possible by combining some bugs. No client input other than opening an email or newsgroup post is necessary, making the possibilities endless. The key component is from Georgi Guninski, the wordpad overflow. An ActiveX control does the rest. Exploit code included.
mdbms.c | 1385 | 6547 | Jun 1 11:30:41 2000
MDBMS V0.96b6 remote root exploit - This code demonstrates a MDBMS v0.96b6 vulnerability which allows any remote user to exec a root shell. Tested on Linux SuSE 6.3. By TDP
sses-sshauth.txt | 940 | 6110 | May 17 12:22:30 2000
A vulnerable secure shell distribution is available from the popular Zedz Consultants FTP site (formerly known as replay.com). The RedHat Linux RPM ssh-1.2.27-8i.src.rpm contains a PAM patch which contains faulty logic allowing users to essentially pass through the username/password authentication step and gain shell access. Homepage Here.
b0f5-Qpopper.txt | 2904 | 5946 | May 24 12:55:59 2000
BufferOverflow Security Advisory #5 - Remote shell via Qpopper2.53. qpop_euidl.c exploit included. Requires a qpop account and gives UID mail. Homepage here. By Prizm
RFParalyze.txt | 2723 | 5731 | May 3 14:56:44 2000
Through a netbios session request packet with a NULL source name, Windows 9[5,8] show a number of odd responses. Everything from lockups, reboots and "the blue screen of death", to total loss of network connectivity. Source code included. Reverse engineered from a binary exploit already in use. By Rain Forest Puppy and Evan Brewer. Homepages at www.el8.org and www.wiretrip.net.
l0phtl0phe.c | 1613 | 5516 | May 18 15:29:50 2000
l0phtl0phe.c - antisniff exploit (1.02 included). l0pht messed up the fix for their problem in antisniff by not regarding the type signedness properties of the char and int values used, resulting in a cool method of bypassing the extra length + strncat checks. Homepage here. By Scut
cisco760.c | 1080 | 5137 | May 17 15:34:13 2000
Cisco 760 Series Connection Overflow. Affected Systems: Routers Cisco 760 Series. Others not tested. By Tiz.Telesup.
RFP2K04.txt | 1789 | 5058 | May 17 10:31:12 2000
RFP2K04 - Mining BlackICE with RFPickAxe. BlackICE IDS uses a management console called ICECap to collect and monitor alerts sent by the various installed BlackICE agents. The ICECap user console sits on port 8081 and has the default login of 'iceman' with no password. The second problem is that the software uses, by default, the Microsoft Jet 3.5 engine to store alerts. If you couple that with the shell VBA problem (CVE: CAN-2000-0325), that means you can push alerts that contain commands to be executed on the ICECap system. Includes RFPickaxe.pl demo exploit. Homepage here. By Rain Forest Puppy
cisco.help | 1107 | 4957 | May 17 10:18:53 2000
It seems that, even though a regular (non-"enabled") user should not be able to see the access-lists or other security-related information in the router, one can do just that. The online help system doesn't list the commands as being available, but out of 75 extra "show" options that are available in "enable" mode (on a 12.0(5)3640), only 13 were actually restricted. By Fernando Montenegro.
killsentry.c | 1445 | 4670 | May 23 10:42:01 2000
killsentry.c shows that automatic firewalling is a bad idea by sending spoofed FIN packets from different hosts in an attempt to confuse Portsentry. Tested on FreeBSD 3.2. By Andrew Alston
hack-hm-1.0.txt | 1687 | 4662 | Apr 10 13:04:00 2000
Hotmail is vulnerable to yet another serious security problem involving javascript. Windows, MacOS, and Linux users are affected. Filters may be bypassed by putting line feeds in the middle of the javascript code; the browser will remove the line feeds and execute it. By Hawaiian Superman
Xsh0k.c | 2064 | 4435 | May 25 03:32:41 2000
Xwindows remote dos attack - creates a sequence of socket connections to tcp port 6000. Xwindows slows to a crawl and sometimes does not respond to user input. Homepage here. By Norby
sniffitexp.c | 1602 | 4384 | May 23 11:25:28 2000
Sniffit 0.3.7Beta Remote Exploit - sniffit has to be running with the -L mail flag set for this to work. Tested on RedHat 6.0. Homepage here. By Noir
l0phtl0phe-kid.c | 1761 | 4367 | May 18 22:57:00 2000
l0phtl0phe-kid.c - Easy antisniff v1.02 exploit. l0pht messed up the fix for their problem in antisniff by not regarding the type signedness properties of the char and int values used, resulting in a cool method of bypassing the extra length + strncat checks. This version has been made easy enough for script kiddies to use - to avoid that "doesn't work" lamer claim. Homepage here. By Scut
jolt2.c | 7303 | 4187 | May 28 00:27:57 2000
jolt2.c exploits the recent "IP Fragment Reassembly" Windows remote denial of service vulnerability described in ms00-029. Tested against Win98, WinNT4/SP5,6, Win2K from linux. Allows the user to specify UDP or ICMP and send a spoofed source address. Linux and Windows binaries available here. By Phoenix
hack-hm-1.1.txt | 6146 | 4178 | May 10 18:09:51 2000
Hotmail is vulnerable to yet another serious security problem involving javascript. Windows, MacOS, and Linux users are affected. Consequences include hotmail account takeover, redirecting a hotmail user to any site, or access to the users computer if combined with other known exploits. By Hawaiian Superman
dnsloop.tar.gz | 852 | 4061 | May 24 15:22:00 2000
There is a remote denial of service exploit against tcpdump. Tcpdump interprets UDP packets on port 53 as DNS traffic; however, domain names in DNS packets use a compression scheme that jumps to a particular offset in the packet to avoid multiple occurrences. If a packet has the offset set to a particular location and the program trying to decompress the domain name does not have a strategy for avoiding infinite loops, tcpdump may fall into an infinite loop. By Hugo Breton
disable.tcpdump | 937 | 4009 | May 17 10:24:06 2000
There is a way to disable tcpdump running on a remote host. By sending a carefully crafted UDP packet on the network which tcpdump monitors, it is possible, under certain circumstances, to make tcpdump fall into an infinite loop. By Hugo Breton.
wemilo.tcl | 1275 | 3998 | May 29 18:10:38 2000
Remote Cart32 exploit - Though L0pht released an advisory and patch for the well known Cart32 bug, this is the first exploit released to date. Allows remote command execution. Homepage here. By Futant
kshux.c | 1188 | 3908 | May 22 14:35:38 2000
kshux.c -- krshd remote root exploit. This program exploits a vulnerability in the 'krshd' daemon included with the MIT Kerberos distribution. All versions are apparently vulnerable. This exploit is for Linux/x86 with Kerberos version 1.0. By Jim Paris
RFP2K05.txt | 1241 | 3870 | May 19 09:13:41 2000
NetProwler 3.0, a network based intrusion detection system, has a remote denial of service vulnerability. The software crashes when two fragmented IP packets are sent to an IP address that it is profiling. Netprowler must be profiling ftp in order for the exploit to work. Please note that Netprowler logs all incoming alerts to a Microsoft .mdb file. Please read RFP2K04.txt for more information. Homepage here. By Rain Forest Puppy
ADMDNews.zip | 1737 | 3833 | May 18 02:35:36 2000
ADMDNews_v2 - WinNT/Win2K x86 exploit for NetWin (www.netwinsite.com) DNews server (v5.0f - v5.3e3) gupcgi.exe/dnewsweb.exe CGIs. This program exploits the buffer overflow condition in gupcgi.exe/dnewsweb.exe CGIs while processing the "cmd" parameter. Tested and confirmed under WinNT 4.0 SP5/SP6 & Win2K Beta 3 RC2 (build 2128). By Joey__
spad01.txt | 1440 | 3710 | Jun 1 15:35:12 2000
Security Point Advisory #001 - Java Internet Shop allows users to change the prices on items. The Danish Shopexpress, and the English Zilron StoreCreator version 3.0 and below are vulnerable; an estimated 2500 online shops are running this software. Homepage here. By Security Point, Inc
sniffit.c | 2225 | 3587 | May 18 02:24:13 2000
Sniffit 0.3.7beta Linux/x86 Remote Exploit. Tested on RedHat 5.2, 6.0, 6.2. Homepage here. By FuSyS
klogin.c | 1694 | 3570 | May 19 11:18:05 2000
BSDI 4.0.1 klogin remote root buffer overflow. The bug is actually in the kerberos library so this affects all kerb services (kerbIV). This code should need minimal (if any) modification to use on other kerberos services. By Duke
filemaker.pro | 54935 | 3443 | May 17 10:21:55 2000
The precise details of how to exploit these holes are minimized to prevent compromising the integrity of all current Internet-accessible FileMaker Pro 5 databases and mail servers. However, details can be easily deduced by referencing the FileMaker Pro 5 documentation and by consulting the FileMaker XML Technology Overview white paper available via the FileMaker XML Central Web site.
CISADV000524b.txt | 806 | 3416 | May 24 17:43:00 2000
The Cerberus Security Team has discovered that a flaw in the Carello web shopping cart enables remote attackers to view .asp files on the server's computer. Affected system: Windows NT running IIS. Homepage here. By Robert Horton
CISADV000524a.txt | 717 | 3365 | May 26 17:11:00 2000
Cerberus Information Security Advisory (CISADV000524a) - The Cerberus Security Team has discovered a serious security flaw with Rockliffe's MailSite Management Agent for Windows (version 4.2.1.0). This server allows remote users to access their POP3 accounts and read their mail over HTTP. The service usually listens on TCP port 90. Unfortunately there exists a buffer overrun vulnerability that allows attackers to execute arbitrary code. As this service runs as system, by default, any code executed will run with system privileges - meaning any server running this agent could be fully compromised. Homepage here.
nai.00-05-04.trendmi..> | 839 | 3359 | May 17 11:29:25 2000
Network Associates, Inc. COVERT Labs Security Advisory - An implementation flaw in the InterScan VirusWall SMTP gateway allows a remote attacker to execute code with the privileges of the daemon. Homepage Here.
teso-advisory-010.ta..> | 848 | 3358 | May 31 15:12:56 2000
TESO Security Advisory #10 - KDE KApplication {} configfile vulnerability. Due to insecure creation of configuration files via KApplication-class, local lusers can create arbitrary files when running setuid root KDE-programs. Tested with SuSE 6.4 standard installation under KDE 1.1.2. Homepage here. By Stealth
cart32scan.c | 1509 | 3347 | May 4 14:21:25 2000
Originally posted on BugTraq in regards to the Cart32 vulnerability. This code checks to see if the host is active and then makes an HTTP connection to the victim. It then scans the victim for the vulnerable version of cart32 and prints to stdout telling you if the server is vulnerable or not. By rossex
SSG-arp.c | 1340 | 3253 | May 7 20:02:47 2000
SSG-arp.c - AIX 4.1.4.0 local root /usr/sbin/arp exploit. Homepage here. By Cripto
DST2K0009.txt | 605 | 3208 | May 31 13:32:00 2000
Delphis Consulting Plc Security Team Advisory DST2K0009 - Userlisting Bug in Ipswitch WS_FTP Server 1.05E allows remote users to confuse the server manager. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
fdmnt-smash2.c | 1173 | 3165 | May 17 09:33:38 2000
fdmount local root exploit - tested on Slackware 4.0. Must be in the floppy group. Modified from last version to work on Slackware 7. Homepage here. By Scrippie
connect.asm | 1627 | 3152 | May 4 16:47:42 2000
Passive Connection Shellcode. Source is well documented. Homepage here. By scrippie
CISADV000505.txt | 892 | 3049 | May 17 11:33:03 2000
Cerberus Information Security Advisory (CISADV000505) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Netwin's (http://netwinsite.com) DNewsWeb (dnewsweb/dnewsweb.exe v5.3e1), a CGI program designed to give access to NNTP services over the world wide web. By supplying a specially formed QUERY_STRING to the program a buffer is overflowed, allowing execution of arbitrary code and compromising the web server. Homepage Here. By Mark Litchfield.
CISADV000504.txt | 910 | 3021 | May 17 11:13:45 2000
Cerberus Information Security Advisory (CISADV000504) - The Cerberus Security Team has found a remotely exploitable buffer overrun in Netwin's (http://netwinsite.com) DMailWeb (dmailweb/dmailweb.exe v2.5d), a CGI program designed to give access to a user's SMTP and POP3 server over the world wide web. By supplying a specially formed QUERY_STRING to the program a buffer is overflowed, allowing execution of arbitrary code and compromising the web server. Homepage Here. By David Litchfield.
Banner.rotating | 1128 | 2967 | May 17 15:40:57 2000
A file called adpassword.txt is world readable as it is assigned the wrong permissions. This will allow a malicious attacker to read the contents of the file, to crack the DES encrypted password it contains (using a common-or-garden password cracker), and to edit banner entries, to add or to remove banners. Homepage Here. By zillion.
DST2K0003.txt | 677 | 2940 | Jun 2 13:06:35 2000
Delphis Consulting Plc Security Team Advisory DST2K0003 - Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool for Microsoft Windows NT v4.0 Server (SP6). Any user who can connect to tcp port 9999 can obtain a copy of the configuration. Secondly, if you pass an oversized buffer of 208 bytes or more within one of the configuration parameters the service will crash, overwriting the stack and the EIP with whatever was passed within the parameter. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Consulting Security Team
ezboard-scx-sa-03.tx..> | 1253 | 2868 | May 26 12:06:35 2000
Securax-SA-03 - Ezboard v5.3.9 remote dos attack via wildcards in URL. By Frazzle_Freckle
DST2K0008.txt | 1451 | 2725 | Jun 2 12:49:34 2000
Delphis Consulting Plc Security Team Advisory DST2K0008 - Buffer Overrun in Sambar Server 4.3 (Production). By using the default finger script shipped with Sambar server it is possible to cause a buffer overrun in sambar.dll, overwriting the EIP and allowing the execution of arbitrary code. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Consulting Security Team
filterape.c | 1376 | 2686 | May 25 11:42:02 2000
filterape.c exploits a new elm buffer overflow to get EGID mail on Slackware. Homepage here. By Scrippie
RFPickaxe2.pl | 1080 | 2643 | May 31 16:41:05 2000
RFPickaxe2.pl is a Windows port of RFP's RFPickaxe.pl demo exploit for the ICECap management console used by the BlackICE IDS. By Hypoclear
DST2K0007.txt | 1456 | 2464 | Jun 2 13:02:20 2000
Delphis Consulting Plc Security Team Advisory DST2K0007 - Buffer Overrun in ITHouse Mail Server v1.04 for Microsoft Windows NT v4.0 Workstation (SP6). Sending an email via SMTP to an IT House Mail Server with a recipient's name in excess of 2270 bytes causes the IT House Mail Server to buffer overrun, overwriting the EIP and allowing an attacker to execute arbitrary code on the server. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Consulting Security Team
ftpexp.c | 2559 | 2458 | May 15 13:01:56 2000
FTP Server (Version 6.2/OpenBSD/Linux-0.10) and 6.3 ?? getwd() overflow. Linux exploit, remote penetration. Submitted Anonymously.
DoS-CProxyv3.3 | 1344 | 2423 | May 17 15:37:27 2000
Remote Denial of Service for CProxy v3.3 - Service Pack 2. This program exploits an overflow vulnerability in the CProxy 3.3 SP2 HTTP Service (8080), causing server shutdown. By tdp@psynet.net.
ismyasp.pl | 2228 | 2412 | May 15 13:15:22 2000
LoWNOISE - ISMyASP - IIS ASP source code viewer using the ISM.DLL buffer truncation bug. By Efrain 'ET' Torres
cproxy.c | 1214 | 2410 | May 19 13:17:27 2000
Remote Denial of Service for CProxy v3.3 - Service Pack 2 for Windows NT. Homepage here. By TDP
slirp_bof.c | 1038 | 2368 | May 31 16:16:23 2000
Slirp v1.0.10(RELEASE) local buffer overflow exploit for Linux which gives you a SGID shell if /usr/local/bin/slirp is mode 2755. Tested against Slackware 3.6. Includes perl script to find the offset. Homepage here. By Vade79
netopia.advisory.r91..> | 918 | 2340 | May 17 16:34:42 2000
The Netopia R9100 permits a user not authorized with a special security password to nevertheless modify the SNMP community strings, including enabling SNMP access that should be disabled. By Stephen Friedl.
sms.c | 1632 | 2324 | May 31 15:35:49 2000
sms.c is a remote SMS 1.8.2 (mail2sms gateway) long subject line remote buffer overflow exploit. Send the mail generated by this program and a shell will be listening on port 2222. Offsets adjusted for redhat. Homepage here. By Venglin
Animal.c | 2505 | 2302 | May 27 01:17:28 2000
Gauntlet firewall remote proof of concept code, tested against BSDI. By Gramble
elm-smash.c | 1746 | 2267 | May 5 12:03:19 2000
This exploit spawns an EGID mail shell on the default Slackware 4 install. Homepage here. By scrippie
xsol-x.c | 1797 | 2212 | May 19 11:55:37 2000
/usr/local/games/xsoldier local root exploit. Tested under Mandrake 7.0. Homepage here. By Larry W. Cashdollar
elm_again.c | 1311 | 2183 | May 26 22:03:43 2000
elm_again.c exploits another buffer overflow in elm v2.5 giving a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6 and RedHat on elm2.5PL3. Homepage here. By Vade79
Mail_bof.c | 1424 | 2160 | Jun 1 00:05:35 2000
/usr/bin/Mail local linux exploit which gives gid=12 shell. Tested against Slackware 3.6 and 7.0. Homepage here. By Vade79
napstir.c | 4070 | 2140 | May 11 15:39:55 2000
Gnapster and possibly other napster clients do not check the integrity of filenames in download requests. Any filename that the client user has read access to may be downloaded. Also includes some service denial techniques. By S
pam_console.bug | 939 | 2130 | May 17 10:13:37 2000
When accepting luser console login, pam_console called by /bin/login tries to be user-friendly, doing several chowns on devices like login tty and corresponding vcs[a] device, as well as other interesting devices: fd*, audio devices (dsp*, mixer*, audio*, midi*, sequencer), cdrom, streamer/zip drive devices, frame buffer devices, kbd*, js*, video*, radio*, winradio*, vtx*, vbi* and so on. Probably it's designed to make console logins more comfortable, but has DEADLY effects on servers with console luser-login ability (and that's quite common).
ISS.txt | 3190 | 2128 | May 2 13:29:33 2000
Internet Scanner and the Real Secure products can both be used for bad. Submitted Anonymously.
netsolbug.txt | 2397 | 2128 | May 9 14:43:18 2000
Major security issue with networksolutions.com(easysteps.pl). This is being distributed amongst the irc. Homepage here. By vade79
gnomelib.sh | 1474 | 2122 | May 18 02:41:35 2000
SuSE 6.3 and 6.4 gnomelib local root exploit. All gnome apps have an exploitable buffer overflow when getting the DISPLAY environment variable. By Bladi and Almudena
icq.web.front.dos.tx..> | 3041 | 2066 | May 30 20:56:28 2000
ICQ Web Front Remote denial of service vulnerability - ICQ 2000a, 99b, and 99a contain a vulnerability in the personal web server. Guestbook.cgi, installed by default, crashes when sent a long name. Homepage here. By Meliksah Ozoral
elm_last.c | 726 | 2056 | May 31 16:12:00 2000
One last elm v2.4 / v2.5 exploit - gives EGID 12. This version works against almost all vulnerable versions of elm. Homepage here. By Vade79
beos5-dos.txt | 1647 | 2050 | May 19 10:41:22 2000
AUX Technologies Security Advisory - Be/OS Remote Denial of Service. The Be/OS Operating System version 5.0 has a vulnerability in the tcp fragmentation which can lock up the system, requiring a cold reset. The bug can be reproduced using ISIC-0.05. Homepage here. By Visi0n
elm_bof25.c | 1181 | 2043 | May 26 14:17:11 2000
Elm v2.5 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on elm 2.5PL1-3, on Red Hat. Perl script to find offsets included. Homepage here. By Vade79
Emurl2.0.windows | 1334 | 1945 | May 17 15:43:53 2000
Users can access the mailbox contents of anybody on the system. They can also steal their POP passwords, since Emurl allows you to fetch your POP email from more than one source.
elm_bof24.c | 1047 | 1945 | May 26 14:16:00 2000
Elm v2.4 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6, elm 2.4PL25. Perl script to find offsets included. Homepage here. By Vade79
jidex.c | 603 | 1877 | Jun 23 16:52:07 2000
Jidentd 1.0 IDENT server remote exploit. Tested under Slackware 3.6 and 4.0, Debian 2.1, Redhat 4.1, 5.0, 5.1 and 5.2. By Funkysh
calendar.pl.vuln | 982 | 1808 | May 17 15:23:28 2000
Remote users can execute arbitrary commands on the web server with the privilege level of the httpd process. Homepage Here. By Suid.
shellhit.c | 1185 | 1758 | May 22 10:47:15 2000
shellhit.c - TESO Hellkit contains a buffer overflow - exploit is just meant to be funny. To all scriptkiddies: You won't get root from this, go and find something more useful. Homepage here. By scrippie
lpsetexp.c | 697 | 1735 | May 26 00:51:00 2000
solaris 2.7 lpset local exploit, i386. Homepage here. By DiGiT
joe-fixed.c | 1218 | 1626 | May 22 14:31:57 2000
joe v2.8 stack overflow. joe overflows when trying to open() $HOME/.joerc. This is simply proof of concept code, hopefully to get the bug fixed. It will attempt to spawn a rootshell. Homepage Here. By SectorX.
cart32scan.pl | 1801 | 1542 | May 2 13:53:33 2000
Script used to scan for the Cart32 vulnerability. Anonymously Submitted.
elm-ex.c | 1604 | 1505 | May 27 17:04:14 2000
Elm 2.5 PL3 exploit tested under linux Slackware 3.6, 4.0, 7.0. Homepage here. By Xfer
mailx.c | 1641 | 1453 | Jun 1 11:41:41 2000
Mailx local exploit - Tested on Slackware 3.6, 4.0, and 7.0 and Debian 2.0r2, 2.1, 2.2. Gives GID mail shell. By Funkysh
JANAHTTP.server | 1119 | 1318 | May 17 10:04:31 2000
Here is how to exploit the bug for cracking systems running Jana. I tested it with Jana 1.45 on Windows 98 and Windows 2000. 1. Open a browser window 2. Type e.g. http://the.server.com/./.././.././.././windows/win.ini. By eAX.
kill_sntsd.pl | 1366 | 1301 | Jun 1 11:02:20 2000
A remote buffer overflow has been discovered in the Simple Network Time Sync daemon and client version 1.0, tested on Redhat 6.1. Possible remote root compromise - denial of service exploit included. By Ben Taylor
xaosexp.c | 1590 | 1301 | May 27 00:46:34 2000
/usr/bin/xaos local root buffer overflow exploit. Works on suse 6.1, and could be modified for 6.2. Homepage here. By DiGiT
ksux.c | 1033 | 1291 | May 22 14:31:49 2000
ksux.c -- ksu exploit. This program exploits a vulnerability in the 'ksu' utility included with the MIT Kerberos distribution. Versions prior to 1.1.1 are vulnerable. This exploit is for Linux/x86 with Kerberos version 1.0. Exploits for other operating systems and versions of Kerberos should also work. By Jim Paris
swstack.txt | 1149 | 1237 | May 31 10:14:35 2000
Simple Web Server 0.5.1 stack overflow advisory. Allows eip to be overwritten. Homepage here. By SectorX
access.counter-4.0.7..> | 1241 | 1223 | May 26 16:47:12 2000
A popular CGI web page access counter, version 4.0.7 by George Burgyan, permits execution of arbitrary commands as a result of unchecked user input. Commands are executed with the same permissions as the web server. By Howard M. Kash III
lpset.overflow | 834 | 1204 | May 17 11:54:35 2000
Here's an overflow exploit that works on a non-exec stack on x86 boxes. It demonstrates how it is possible to thread together several libc calls. By Tim Newsham.
elmex.c | 640 | 1200 | Jun 1 11:43:00 2000
Elm 2.4 PL25 local GID mail exploit. Tested under Slackware 3.6, 4.0, Redhat 5.0, and 5.1. By Funkysh
socket-dos.c | 1610 | 1167 | May 23 11:48:29 2000
socket-dos.c is a local ssh-1.2.27 exploit which creates a UNIX domain socket with an arbitrary file name anywhere in the filesystem on some machines. Homepage here.
allmanage.pl-admin.t..> | 1546 | 1165 | May 15 13:07:13 2000
New Vulnerability found in Allmanage. This one gives access to the main admin panel where you can set a lot of options and variables. Websites using Allmanage Website Administration Software 2.6 with the upload ability contain an easily exploited vulnerability which gives you full add/del/change access in the user-account directories, and you can change the files in the main directory of the CGI script. By Bighawk
windows2k.iss | 1827 | 1091 | May 17 11:40:59 2000
There is a security problem with shtml.exe that allows anyone to explore the local path of IIS web server. Found by Frankie Zie.
DoS.cayman | 962 | 1089 | May 17 11:37:31 2000
Simple DOS attack against Cayman 3220-H DSL Router. Large username or password strings sent to the Cayman HTTP admin interface restart the router. Router log will show "restart not in response to admin command". By Cassius.
fdmountx.c | 1499 | 1039 | May 25 11:44:18 2000
/usr/bin/fdmount local linux exploit. Homepage here. By War
allmanage.pl.txt | 1823 | 1013 | May 13 23:31:31 2000
Websites using Allmanage Website Administration Software 2.6 with the upload ability contain an easily exploited vulnerability which gives you full add/del/change access in the user-account directories, and you can change the files in the main directory of the CGI script. By Bighawk
rm.racecondition | 870 | 945 | May 17 10:50:56 2000
If root ever does "rm -rf /tmp/foo" for a directory structure not completely owned by root, a local user can delete all files that root can. By Morten Welinder.
ssibug | 1658 | 923 | May 27 00:36:34 2000
The thttpd web server comes with a CGI script called /cgi-bin/ssi which allows any file on the system to be read. Exploit URL included. Homepage here. By DiGiT
ultraboardv1.6 | 1291 | 819 | May 17 10:47:08 2000
By using the good old NullByte (\000) it's possible to open "any" file on the webserver (with its permissions) running the "UltraBoard" forum software. By rudic.
fork2.c | 903 | 555 | Apr 17 13:04:00 2000
This variation of forkbomb will still affect linux machines with process / user limits in effect. These processes are unkillable as of 2.2.5 and possibly 2.2.14. By Christophe Blaess