ArchivesForums
 
about usforumsassessmentdefensepapersmagazinesmiscellaneouslinkscareers


Welcome to the Exploits for June, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware

To Change Sort Order, Click On A Category.
Sorted By: File Size.

File Name Downloads File Size Last Modified
0006-exploits.tgz2458165194Jul 13 10:08:29 2000
Packet Storm new exploits for June, 2000.
wuftpd2600.c538219343Jun 23 11:03:57 2000
Wu-Ftpd 2.6.0 remote root exploit. Account is not required, anonymous access is enough. Tested against Redhat 6.2, Suse 6.3 and 6.4, FreeBSD 3.4-STABLE, FreeBSD 3.4-RELEASE, and FreeBSD 4.0-RELEASE. Slightly broken to prevent kids usage. By tf8
sw3paper.tgz73215595Jun 9 14:01:35 2000
Design and Implementation Flaws in SessionWall-3 - SessionWall-3 (more recently known as e-Trust IDS) is a graphically controlled sniffer and network monitor / network censor for the Windows platform. The SessionWall-3 machine can be detected and identified remotely by a single ICMP packet. The password is stored in the registry with very simple XOR encryption. Includes sample code which decrypts the admin password, passive SW-3 detection, and active SW-3 detection & reply packet forger. Homepage: http://www.phate.net. By Codex
bobek.c440514677Dec 5 18:10:00 2000
Bobek.c is a Wu-Ftpd 2.6.0 remote root exploit (updated 05/08/2000). Bug is in the SITE EXEC command, an account is not required as anonymous access is enough. Tested against Redhat 6.2, FreeBSD 3.4-STABLE, and FreeBSD 5.0-CURRENT. Homepage: http://b0f.freebsd.lublin.pl. By Venglin
crash_winlogin.c133514433Jun 15 16:14:32 2000
Proof of concept exploit for the "Remote Registry Access Authentication" vulnerability in Windows NT 4.0 which was described in ms00-040 which allows a user of the local network to crash winlogon.exe remotely. By Renaud Deraison
ufsroot.c83013638Jun 15 16:09:04 2000
Solaris 2.x through v8 contains an exploitable local root buffer overflow vulnerability in ufsrestore. Exploit code included and tested on Solaris 8 sun4u. Homepage: http://www.itsx.com. By Job de Haas
splitexp.c72512277Jun 15 14:48:57 2000
Splitvt 1.6.3 local root buffer overflow exploit - Tested on Debian. Includes lots of cool dubugging captures from gdb explaining what is going on. By Syzop
spj-004-000.txt70510078Jun 13 13:48:32 2000
S0ftpj Security Advisory SPJ-004-000 - Multiple remote CGI vulnerabilities in MailStudio2000. Users can view any file on the system, as well as execute commands remotely as root. Major search engines can be used to locate vulnerable hosts. Exploit descriptions included. Homepage: http://www.s0ftpj.org. By Fusys
testsyscall.c16249217Jun 21 15:06:23 2000
HP1 advisory - /usr/share/lkm/test/testsyscall.c for *BSD is vulnerable to a buffer overflow attack. When testsyscall is running via inetd, remote users can execute arbitrary commands. Includes problem discussion and exploit code. Homepage: http://www.hackphreak.org. By RLoxley
ex_winproxy.c16488392Nov 14 13:47:25 2000
Shadow Penguin Security Advsory #37 - WinProxy 2.0.0/2.0.1 (now known as Black Jumbo dog) contains many remotely exploitable buffer overflows. Exploit for the POP3 service included, tested on Japanese Windows98. Homepage: http://shadowpenguin.backsection.net. By UNYUN
rip.c14657097Jun 14 09:53:14 2000
rip.c is a local exploit for the dump package version 0.3-14 and 0.4b13 (restore binary). Tested against linux, gives a UID=0 shell on 2.2.16, GID=0 on 2.2.15 and below. Homepage: http://b0f.freebsd.lublin.pl. By Scrippie
ie5.force-feed.txt35216406Jun 29 16:48:42 2000
Microsoft Internet Explorer 5 and accompanying mail and news clients on win95, win98 and win2000 enjoy a unique status in that they choose to ignore user input. This document will show you how to manually force a file onto the target computer despite all prompts and warnings. Demonstration available here. Homepage: http://www.malware.com.
access.vba.txt11766315Jun 15 20:49:25 2000
Microsoft Access Databases are not afforded "Macro execution protection" in the manner of Word/Excel/Powerpoint documents. Attackers can insert trojan VBA code into MS Access documents to execute arbitrary commands on the remote machine. Homepage: http://johnny.ihackstuff.com. By Johnny
glftpd.privpath.txt10286137Jun 27 14:29:49 2000
Glftpd 1.18 through 1.21b8 has a serious problem with the privpath directives. Users with accounts can access directories on the site which they should not have access to. By Raymond Dijkxhoorn
wuXploit.tgz10614944Jul 1 14:16:54 2000
Wu-Ftpd 2.4.2, 2.5, and 2.6 are commonly misconfigured on linux to allow users which only have a valid FTP account to execute code. This code takes advantage of this configuration, mentioned in SUID Advisory #1 to execute a backdoor on the remote host. By Wildcoyote
tidcmp.c9154783Jun 9 13:45:00 2000
tidcmp.c is an ICMP Source Quench attack. Sends spoofed ICMP type 4 packets to the victims router. Includes references to the relevant RFC's. Homepage: http://www.antioffline.com. By Sil
fbi-aim-dos.txt28054725Jun 21 16:12:51 2000
AOL Instant Messenger remote dos exploit. Sending certain filenames to another user causes the remote AIM to crash. Only effective against Windows 2000 Professional, 95/98/98se are safe. Homepage: http://home.cyberarmy.com/fbi/. By Decss
oasis2.c10494601Jun 12 12:18:16 2000
oasis2.c sends spoofed ICMP_SOURCE_QUENCH packets, telling the victim host to slow down data transmission. By Oasis
userregsp.c7494561Jun 19 10:27:18 2000
MailStudio2000 v2.0 and below userreg.cgi exploit - Executes arbitrary commands on remote host as root.mail. By Fygrave
varitas.solaris.txt7654267Jun 16 16:45:09 2000
Veritas Volume Manager 3.0.x for Solaris contains a security hole which can, under specific circumstances, allow local users to gain root access. Exploit description included. By Echo8
coldfusion.dos.txt13873819Jun 9 15:43:19 2000
A new denial of service The Allaire ColdFusion Web Application Server contains a denial of service vulnerability in all ColdFusion versions up through and including 4.5.1. A very large password at the ColdFusion Administrator login page can bring the system to a halt. Homepage: http://www.allaire.com/security.
firewall-1.fragment...>17953808Jun 6 18:09:07 2000
DoS attack for all platforms of Checkpoint Firewall-1 has been identified. Large numbers of fragmented packets cause the CPU to hit 100% utilization, and the system locks up. Some systems may also crash, depending on OS type. The rulebase can not be used to block the attack, and nothing is logged. More information on Firewall-1's state table available here. Homepage: http://www.enteract.com/~lspitz/papers.html. By Lance Spitzner
2dopewars_exploits.t..>27293760Jun 25 23:36:32 2000
Dopewars 1.47-current has two local security holes. Dopewars is SGID games. Remote buffer overflows also exist. Homepage: http://www.fakehalo.org. By Vade79
gdmexpl.c19733711Jun 5 10:57:10 2000
gdm (xdmcp) remote root exploit. Tested against SuSE 6.2 and RedHat 6.2 running gdm-2.0beta1-4. Binds a shell to port 3879. Homepage: http://www.sekure.de. By AbraxaS
major2.c5883557Jun 18 23:44:48 2000
Majordomo local exploit for Suse 6.0 and 6.3. Tested against Majordomo Wrapper <= v1.94.5. Homepage: http://www.brightdarkness.de. By Morpheusbd
pine_bof.c7513453Jun 18 22:41:07 2000
Pine v4.10-21 local buffer overflow - drops a gid=mail shell if /usr/bin/pine is SGID. Tested on Debian slink2.1. By Vade79
rootkeep.sh15253310Jun 6 14:33:43 2000
rootkeep.sh obtains root locally on Solaris via an included kcms exploit, and modifies the startup scripts so an account is added each time the machine is rebooted. Homepage: http://www.antioffline.com. By Sil
mdma-6.eserv.txt11573283Jun 6 18:00:37 2000
MDMA Advisory #6 - EServ v2.92 and prior are vulnerable to a logging heap overflow vulnerability. Java proof of concept exploit code included. Homepage: http://www.mdma.za.net/fk. By Wizdumb
inndx.c8283260Jun 15 21:04:50 2000
inndx: innd remote 'news' user/group exploit. Tested on innd-2.2.2-3 default installation on RedHat 6.2. Homepage: http://www.elzabsoft.pl/~wp. By Wojciech Purczynski
mercur32.c8513165Jun 15 16:18:20 2000
Remote Denial of Service for Mercur 3.2 allows any remote user to shut down the server. By TDP
netscape.ftp.txt17373078Jun 21 13:27:02 2000
The Netscape Professional Services FTP server contains several remote vulnerabilities which are easily exploited. Any file on the system can be downloaded / uploaded, users can overwrite each other files via LDAP, and LDAP passwords can be read remotely. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski
proxy.dos8992931Aug 2 11:48:26 2000
Many HTTP proxies are vulnerable to a denial of service attack because they do not timeout connections to a remote host, causing the proxy to run out of available sockets and start refusing connections. Tested against Delegate 6.1.13. Exploit code included. Homepage: http://xorteam.cjb.net. By SectorX
DST2K0018.txt11932890Jun 21 13:54:05 2000
Delphis Consulting Plc Security Team Advisory DST2K0018 - WebBBS HTTP Server v1.15 under Windows NT contains remotely exploitable buffer overflow vulnerabilities. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
DST2K0011.txt6332873Jun 8 14:50:22 2000
Delphis Consulting Plc Security Team Advisory DST2K0011 - The CMail Server v2.4.7 under Windows NT is vulnerable to a buffer overrun in NTDLL.DLL. By sending a long GET request to tcp port 8002, the EIP can be overwritten and arbitrary code execution is possible. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
netscape.netware.txt11332854Jun 27 14:26:43 2000
Netscape Enterprise Server for Netware 5.0 and Netware 5.1 contain remote vulnerbailities. By issuing a malformed URL it is possible to cause a denial of service situation and/or execute arbitrary code on the server with the privileges of the web server. Homepage: http://www.vigilante.com. By VIGILANTe
imbof102.txt10472707Jun 29 08:10:37 2000
iMesh 1.02 builds 116 and 177 for Windows are vulnerable to a buffer overflow that can be exploited to execute arbitrary code. Once iMesh connects to a server, it begins listening on a TCP port (varies). An attacker can connect to this port and cause an overflow which will overwrite EIP, effectively redirecting the flow of execution. Homepage: http://bluepanda.box.sk. By Blue Panda
DST2K0012.txt7012654Jun 8 14:56:31 2000
Delphis Consulting Plc Security Team Advisory DST2K0011 - Buffer Overflow in HP Openview Network Node Manager v6.1 for Microsoft Windows NT v4.0 Workstation (SP6). By using the Alarm service which runs on port 2345 and is installed by default with HP openview network node manager, it is possible to cause a buffer overrun in OVALARMSRV, causing the EIP to be overwritten and allowing the execution of arbitry code. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
yl-cfDoS.c12152577Jun 13 13:32:49 2000
Cold Fusion 4.5.1 remote dos attack - sends a very long password, crashing the server. By Ytcracker
DST2K0010.txt6092521Jun 8 14:42:38 2000
Delphis Consulting Plc Security Team Advisory DST2K0010 - Two vulnerabilities were found in Ceilidh v2.60a for Microsoft Windows NT v4.0 Workstation (SP6). The html code which is generated by ceilidh.exe (example URL below) contains a hidden form field by the name of "translated_path", revleaing the true path. By using a specially crafted POST statement it is possible to spawn multiple copies of ceilidh.exe each taking 1% of CPU and 700k of memory. This can be sent multiple times to cause resource depletion on the remote host. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
inews_bof.c14322506Jun 23 17:03:58 2000
Inews (inn-2.2) local buffer overflow - provides a gid=news shell if /usr/bin/inews is SGID. Includes perl script to find the offset. Homepage: http://www.fakehalo.org. By Vade79
ie5-excel-powerpoint..>15222477Jun 29 14:29:55 2000
Georgi Guninski security advisory #13 - Internet Explorer 5.01, Excel 2000 and PowerPoint allow executing programs when viewing a web page or HTML email message via insecure ActiveX controls. This allows taking full control over user's computer. Demonstration available here. Homepage: http://www.nat.bg/~joro/. By Georgi Guninski
xterm-dos.c17052474Jun 2 12:43:41 2000
xterm denial of service attack - By sending the VT control characters to resize a window it is possible to cause an xterm to crash and in some cases consume all available memory. This is a problem because remote users can inject these control characters into your xterm in many different ways. This sample exploit injects these control characters into a web get request. If an admin were to cat this log file, or happened to be doing a "tail -f access_log" at the time of attack they would find their xterm crashed. Tested against rxvt v2.6.1 and xterm (XFree86 3.3.3.1b(88b). Homepage: http://www.rootshell.com. By Kit Knox
iisdos.c29852467Jun 26 02:00:05 2000
iisdos.c is a dos attack against Microsoft Windows 2000.0 running IIS. By WC
sawmill-5.0.21.txt10842455Jun 28 20:36:34 2000
Sawmill 5.0.21 is a site log statistics package for UNIX, Windows and MacOS which has remote vulnerabilities. Any file on the system can be read, and password is stored with a weak hash algorithm and can be decrypted using the included C program. This is dangerous because the previous security hole will allow you to read the hash and decrypt the admin password. Homepage: http://vapid.betteros.org. By Larry W. Cashdollar
smlnx.sh8272387Jun 26 01:54:50 2000
Linux kernel 2.2.X (X<=15) & sendmail less than or equal to 8.10.1 local root exploit shell script. By Wojciech Purczynski
mdbms-exp.c17142380Jun 2 11:29:21 2000
MDBMS v0.99b5 remote root exploit - tested on Redhat 6.0. Shellcode runs an interactive shell on port 30464. By Diab
gssftp.txt6652357Jun 15 00:38:21 2000
Remote vulnerabilities in GSSFTP daemon - A remote attacker can preform denial of service attacks, and local users can get root access. Source distributions which may contain vulnerable code include MIT Kerberos 5 releases krb5-1.1 and krb5-1.1.1, while MIT Kerberos 5 releases krb5-1.0.x is not vulnerable. By Tom Yu
cdrecord.c7402357Jun 9 15:24:05 2000
/usr/bin/cdrecord local exploit for x86 linux - gives gid=80 shell. Tested on Mandrake 7.0. By Noir
wmnetmon_bof.c7082335Jun 18 20:13:32 2000
Wmnetmon v0.2 buffer overflow exploit for Linux - Provides a euid=0 shell provided /usr/X11R6/bin/wmnetmon is suid root, as it is by default. Includes perl script to try all offsets. By Vade79
innd-2.2.2.txt10922289Jun 6 10:57:17 2000
INND (InterNet News Daemon) 2.2.2 has a remotely exploitable stack overflow in the control articles handler. About 80% of usenet servers are vulnerable. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski
ie-iframe.txt12362109Jun 6 18:28:01 2000
Georgi Guninski security advisory #12 - Internet Explorer 5.01 under Windows 98 (other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of documents using JavaScript, IFRAME and WebBrowser control. This exposes the whole DOM of the target document and opens lots of security risks, such as reading local files, reading files from any host, window spoofing, getting cookies, etc. Exploit code included. Demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski
ie5-access2000.txt17171971Jun 29 14:38:11 2000
Georgi Guninski security advisory #14 - Internet Explorer 5.01 and Access 2000 allow executing programs when viewing a web page or HTML email message. This allows taking full control over user's computer. Access 2000 allows executing VBA code which has access to system resources and in particular executing files. Includes exploit code which silently opens and executes VBA code from Access 2000. Demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski
Infosec.20000617.pan..>9971873Jun 21 13:47:24 2000
Novell Netware servers running Panda Antivirus allows attackers to run any command on a Netware console. By connecting to tcp port 2001, any Netware command can be executed with the CMD command. By Ian Vitek
msbd-dos.c12971841Jun 2 12:38:32 2000
Windows Media Encoder 4.0 and 4.1 is vulnerable to a remote denial of service attack. This source causes the Windows Media Encoder to crash with a "Runtime Error". Tested on version 4.1.0.3920. This is the vulnerability described in ms00-038. Homepage here. By Kit Knox
prlnx.sh7881801Jun 26 01:56:52 2000
Sendmail & procmail & kernel less than 2.2.15 local root exploit. By Wojciech Purczynski
freebsd-cdrecord.c6311739Jun 12 08:47:57 2000
Freebsd cdrecord local root exploit - Tested against FreeBSD 3.3-RELEASE. Homepage: http://xorteam.cjb.net. By SectorX
dmx.c16111700Jun 6 14:10:07 2000
Netwin ESMTP Server v2.7q linux x86 remote exploit. Tested on RedHat 6.1, binds a shell to TCP port 30464. By FunkySh
xwhois_bof.c5511503Jun 27 10:19:50 2000
xwhois buffer overflow, for Linux x86. This will give you a euid=0 shell if /usr/X11R6/bin/xwhois is SUID(=4755), which isn't anywhere by default. Homepage: http://www.fakehalo.org. By Vade79
setxconfxploit.c7501488Jun 18 23:49:05 2000
SetXConf local root exploit for Corel linux v1.0 with xconf utils. Homepage: http://www.suid.kg. By Suid
kdesud.c6881470Jun 9 15:16:58 2000
/usr/bin/kdesud has DISPLAY enviroment variable overflow - exploit gives gid=0, tested on Mandrake 7.02. By Noir
xfwm_bof.c5341418Jun 27 10:21:22 2000
xfwm buffer overflow exploit for Linux / x86. This will give you a euid=0 shell if /usr/X11R6/bin/xfwm is SUID(=4755), which isn't anywhere by default. Homepage: http://www.fakehalo.org. By Vade79
imesh102.pl12551350Jun 21 15:09:45 2000
A buffer overflow exists in iMesh 1.02 that allows the execution of arbitrary code. When the iMesh client connects to a server, the server is able to exploit the vulnerability and execute arbitrary code on the system the client is running on. Homepage: http://midgets.box.sk. By Chopsui-cide
leafchat.dos10301273Jun 27 14:32:29 2000
Java source to remotely crash LeafChat clients. Homepage: http://www.mdma.za.net. By Wizdumb
smartftp.txt6011248Jun 15 16:43:45 2000
Remove vulnerability has been found in the SmartFTP-D Server which allows a remote user with an account to read any file on the system. Homepage: http://jodeit.cjb.net. By Moritz Jodeit
mdma-5.savant.txt10431165Jun 6 21:12:43 2000
MDMA Advisory #5 - It is possible to view the source of CGI scripts running under the Savant Webserver by omitting the HTTP version from your request. Homepage: http://www.mdma.za.net/fk. By Wizdumb
exim.c705986Jun 26 02:01:35 2000
exim local buffer overflow exploit.
2.2.14-sendmail.tgz1106933Jun 8 16:51:27 2000
Linux 2.2.X local exploit - A new local bug in the 2.2 kernel has been discovered. Using the "capabilities" bug, it is possable to exec sendmail without the CAP_SETUID priv, which makes the setuid() call which drops privileges fail. Large chunks of code which were never meant to run as root do, exploiting this is trivial. Working exploit for sendmail + 2.2.16pre5 and below is included. By Florian Heinz
argo1002.pl1181913Jun 21 15:12:10 2000
This will cause Argosoft Mail Server 1.0.0.2 to page fault if the finger daemon is running. Homepage: http://midgets.box.sk. By Chopsui-cide
chkperm.c708908Jun 9 14:11:36 2000
Solaris /usr/vmsys/bin/chkperm overflow - A long HOME environment variable can be used to provide a UID=bin shell. By Guile cool
wingate.py1565803Jun 29 14:41:32 2000
Wingate.py is a dos exploit for Qbik wingate 3.0. Connects to tcp port 2080 and sends 2000 characters, causing all wingate services to crash. Origional bug found by eEye. By Prizm
isc-dhcpd.exploit.tx..>1480710Jun 27 15:01:55 2000
The ISC dhcp client contains a remote root hole. If the DHCP server gives out addresses containing backticks, shell commands can be run on the clients. By Todd T. Fries
dragonftp.py617548Jun 29 21:01:46 2000
Dragon Server(ftp) v1.00 and 2.00 remote dos exploit written in python. By Prizm
smallhttp.py534526Jun 29 21:04:29 2000
Small HTTP Server v. 1.212 remote dos attack written in python. See USSR Advisory #47 By Prizm