ArchivesForums
 
about usforumsassessmentdefensepapersmagazinesmiscellaneouslinkscareers


Welcome to the Exploits for September, 2000 Section.

Some of these exploits are from Bugtraq and Security Bugware

To change sort order, click on the category.
Sorted By: File Name.

File Name Downloads File Size Last Modified
0009-exploits.tgz0167744Nov 2 01:21:32 2000
Packet Storm new exploits for September, 2000.
12250.c5991405Sep 28 14:59:02 2000
IMAPrev1 12.2xx exploit (lsub bug). Slackware 4.0 remote overflow. By del0rean
A092600-156714389Sep 28 14:37:22 2000
Atstake Security Advisory - PalmOS Password Retrieval and Decoding. Severity: Moderate. PalmOS offers a built-in Security application which is used for the legitimate user to protect and hide records from unauthorized users by means of a password. Passwords can easily be obtained and decoded allowing an attacker to access all private records on a Palm device.  Homepage: http://www.atstake.com/research/advisories/2000/. By Kingpin
adv_telnet1.txt29182455Sep 7 12:54:11 2000
Hyperterminal, the default telnet program on Windows 98, contains a buffer overflow vulnerability. It is possible to exploit via IE using a long telnet: URL. Homepage: http://www.meliksah.net. By Meliksah Ozoral
alabanza.txt3852474Sep 27 14:13:13 2000
This hole is for the control panel of all Alabanza based resellers/hosts. There could be more bugs. This is serious enough since you can delete all resold domains for a particulr webhosting company. You can also change the default MX and CNAME records of all associated domains. By Weihan Leow
anyportal-0.1.txt11601731Sep 11 12:54:48 2000
Anyportal v0.1 allows remote users to read any file on the webserver by submitting modified forms. Homepage: http://www.nightbird.free.fr. By Zorgon
auction.weaver.pl7892369Sep 6 16:10:39 2000
Auction Weaver 1.02 Lite remote proof of concept exploit. Spawns an xterm by exploiting an insecure open() call. Homepage: http://teleh0r.cjb.net. By Telehor
axur.c94118878Sep 28 15:12:17 2000
Q-POP 2.53 Remote Overflow. By Gustavo Scotti
bland.c3448862Sep 12 21:16:08 2000
bland.c exploits a bug in Guantlet 5.0 which causes the firewall to hang when an invalid ICMP packet is sent to a machine which is forwarded through the firewall. Homepage: http://www.msg.net/firewalls/tis. By Mike Frantzen
brwgate-dos.c4201688Sep 27 14:48:46 2000
Denial of service for NetcPlus BrowseGate 2.80 for Windows NT and 2000 when you sned more than 8000 characters in a GET / http-request, causing the system to crash.  Homepage: http://securax.org/incubus. By incubus
cisco.tar.gz5217373Sep 23 12:49:02 2000
Denial of service exploit for CiscoSecure ACS for Windows NT Server prior to release 2.4(3), as described in cisco.00-09-21.ciscosecure. Sends an oversized URL to TCP port 2002, causing the CSAdmin module to crash.  Homepage: http://www.8op.com/rsh. By Doom and Netsym
cpmdaemon.txt91813346Sep 6 14:33:27 2000
cpmdaemon is a program that runs as a daemon or a cgi which allows changing of passwords. It allows brute force dictionary attacks against user passwords without any logging. Includes exp_cpmdaemon.c proof of concept code. Homepage: http://www.s0d.org. By El Nahual
csm.proxy.bypass.txt116738Oct 5 18:21:05 2000
The CSM proxy server's siteblocker feature can be bypassed by setting up your web browser to use an external proxy. By Hermann Tischendorf
cxterm.c4031699Sep 28 15:00:38 2000
Local exploit for cxterm 5.1-p1. Tested on: RedHat 5.2/6.0, Slackware 3.6. By warning3@hotmail.com
DST2K0032.txt2684304Sep 28 15:28:05 2000
DST2K0032: Multiple Issues with Talentsoft WebPlus Application Server. Delphis Consulting Internet Security Team (DCIST) discovered low to medium severity vulnerabilities in Webplus under Windows NT.  Homepage: http://www.delphisplc.com/thinking/whitepapers/. By DCIST
DST2K0035.txt2574910Oct 4 18:04:03 2000
Delphis Consulting Plc Security Team Advisory DST2K0035 - CyberOffice Shopping Cart v2 under Windows NT allows remote users to gain access to the main database by default.  Homepage: http://www.delphisplc.com/thinking/whitepapers.
DST2K0037.txt3433730Sep 28 15:41:15 2000
Delphis Consulting Plc Security Team Advisory DST2K0037 - It is possible to bypass the quotas imposed by QuotaAdvisor by utilizing data streams alternative to the default. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
DST2K0042.txt4174607Sep 28 15:44:34 2000
Delphis Consulting Plc Security Team Advisory DST2K0042 - The following vulnerability in Web+ Application Server under Linux has been discovered. Severity: High. If the default example scripts are installed it is possible to execute/read any file which Web+ user (default is 'nobody') has access to using the Web+Ping example. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
eject.locale.c4294929Sep 12 20:12:50 2000
Solaris 2.x locale exploit - exploits /usr/bin/msgfmt and /usr/bin/eject locale format bug for local root access. Homepage: http://www.nsfocus.com. By Warning3
expl395.c24216615Sep 8 16:06:01 2000
Screen 3.9.5 and below local root exploit for Linux. Tested against SuSE 6.1. By Ihaquer
explbsd395.c3504506Sep 12 21:41:48 2000
Screen 3.9.5 BSD local root exploit. Tested against OpenBSD. By Ihaquer
ezbounce.c8716526Sep 29 15:27:58 2000
Ezbounce version (0.85.2 and probably others) remote overflow exploit for RedHat 6.0. By SectorX
fi.sh3821120Sep 28 15:13:56 2000
FlagShip (from Red Hat Application CD) is a Database Development System for xBase based applications on nearly all Unix brands. Problem: /usr/bin/FSserial is world-writeable! We can replace it with an trojan and trick root to execute it. OS affected: Red Hat 6.0. By Narrow
fp-ext-dos.sh5561026Sep 12 21:11:41 2000
Frontpage Server Extension shtml.exe denial of service attack. Based on an advisory by www.xato.net. Vulnerable systems include Microsoft Windows 95, 98, NT 4.0 and NT 2000. Homepage: http://grazer.gz.ee. By Grazer
glibc-language.c22964337Sep 8 16:02:45 2000
GLIBC 2.1 language local root exploit. Includes bypassing Solar Designer Stack Patch. Tested against Debian 2.1/2.2, exploits Glibc and /usr/bin/msgfmt. By Z33d
Gopher2.3.1p0.c2888477Sep 8 15:53:51 2000
Gopher2.3.1p0 and below has many overflowable functions in the daemon. Most of them overflow with hardcoded data that gets passed along - making it not possible to change any pointers. The "halidate" function contains an exploitable buffer overflow - exploit code for linux included. Note: This is not related to the other vulnerability, authenticate.c, which has since been patched in 2.3.1p0. 2.3.1p0 is vulnerable to this. Homepage: http://www.fakehalo.org. By Vade79
hhp-kermit_smash.c2411786Sep 19 15:13:47 2000
C-Kermit local exploit. Versions 7.0.197 and below are vulnerable. Tested on Slackware 7, where it is not suid. It is suid on Olivetti X/OS R2.3, 3.x.  Homepage: http://www.hhp-programming.net. By Loophole
horde-imp.txt8093075Sep 12 17:21:12 2000
The IMP-2.2.0 webmail interface contains a bug in the the library file "horde.lib" which allows commands to be executed under the UID which the webserver runs as. Exploit information included. Patch available here. By Christian Winter
i-was-bored.c3094478Sep 12 11:30:50 2000
Darxite Daemon v0.4 password authentication buffer overflow exploit. Spawns a remote shell. Homepage: http://www.synnergy.net. By Scrippie
icq.greeting-card.tx..>2175383Sep 6 16:04:20 2000
The ICQ Greeting Card service allows HTML commands to be sent to the target user. Any malicious HTML such as file:///c:/con/con can crash the system or exploit other HTML based vulnerabilities. Homepage: http://www.meliksah.net. By Meliksah Ozoral
innd.c7827984Sep 28 15:23:02 2000
INND/NNRP remote root overflow. Overflow occurs in the From: field. Affects INND/NNRP versions prior to 1.6.X. Author Unknown.
killbnc.c15722735Sep 8 09:41:25 2000
BNC 2.6.4 remote denial of service exploit. Causes all users who are connected to IRC by BNC by exhausting the resources of the BNC server. Homepage: http://www.fakehalo.org. By Vade79
klogd-linux.txt21923718Sep 18 18:41:44 2000
Kernel logging daemon klogd in the sysklogd package for Linux contains a "format bug" making it vulnerable to local root compromise (successfully tested on Linux/x86). There's also a possibility for remote vulnerability under certain (rather unprobable) circumstances and a more probable semi-remote exploitableness with knfsd.  Homepage: http://www.secmod.com. By Jouko Pynnen
klogd.exploit.txt5693259Sep 27 14:01:49 2000
Klogd Local Exploit. Envcheck is a Linux/x86 kernel module which strips dangerous environment variables before executing a new program, and which can be used to log these probably threatening events. However, a recent format string handling bug in klogd allows an attacker to overflow its buffer and execute arbitrary code.  Homepage: http://www.iki.fi/ee/. By Esa Etelavuori
linstatex.c12526344Sep 28 15:17:44 2000
Remote root overflow for linux rpc.statd SM_UNMON_ALL vulnerability. Author Unknown.
locale.c6903488Sep 12 21:39:31 2000
locale.c is a local root exploit for the glibc / locale format string bug. Tested against RedHat 6.2 with kernel 2.2.16. Homepage: http://www.nsfocus.com. By Warning3
mobiusdocdix.c6869954Sep 12 21:26:10 2000
Mobius DocumentDirect for the Internet 1.2 remote exploit. Binds a shell to a port. By Wildcoyote
multihtml.c13454884Sep 19 17:17:00 2000
Multihtml.c is a remote exploit for /cgi-bin/multihtml.pl, versions previous to 2.2 which spawns a remote shell.  Homepage: http://www.r00tabega.org. By Bansh33, Zillion
MultiHTML.txt14091392Sep 15 15:21:31 2000
MultiHTML (/cgi-bin/multihtml.pl)is a CGI script which has a vulnerability allowing remote users to read any file on the webserver. By Niels Heinen
napster.path-disclos..>20642168Sep 19 15:27:25 2000
Napster sends the full path of all the MP3's it sends to the remote user. By Wade Lewis
netscape.overflow.tx..>17681478Sep 28 15:51:39 2000
Netscape Navigator is vulnerable to trivial, remote buffer overflow attack when viewing prepared html. By Michal Zalewski
phpPhotoAlbum.txt7851649Sep 11 12:46:49 2000
phpPhotoAlbum v0.99 and below for Windows and Unix allows remote users to read any file on the system with priviledges as the httpd. Fix available here. Homepage: http://www.synnergy.net. By Pestilence
pine421.txt3993868Sep 27 14:44:05 2000
Proof of Concept. There exists a vulnerability in Pine 4.21 involving the portion of code in charge of peroidically checking email when a pine client is open. By Arkane
qpop3b.c6488240Sep 28 15:01:33 2000
QPOP 3.0beta AUTH remote root stack overflow (linux x86 version)
rovikingxploit.c89610846Sep 12 21:28:58 2000
Robotex Viking Server 1.0.6 Build 355 and prior for Windows 95 and NT remote buffer overflow exploit. Binds a shell to a port. By Wildcoyote
rudp.c7997767Sep 28 15:16:44 2000
GDM Remote Exploit based on the original bug found by Chris Evans. Vulnerable version : gdm-2.0beta2-23 ( gnome and single version ). Not Vulnerable : 1.0.0.35. Vulnerable Platforms : RedHat 6.0-6.2. By Crashkiller
rumple.tgz2443072Sep 12 20:40:43 2000
rumple.tgz exploits the recent ld.so unsetenv vulnerability in Caldera Openlinux. By Nimrood
sambar-http.txt13522138Sep 14 17:37:10 2000
Sambar Server 4.4 Beta 3 and below for WinNT, Win95 OSR2, (possibly Linux affected) contains a vulnerability which allows remote users to browse the filesystem of the webserver. Fix available here. Homepage: http://www.synnergy.net. By Dethy
sco-httpx.c4171653Sep 28 15:02:51 2000
Scounix httpd Remote Exploit.
screen-expl.c4032125Sep 12 21:35:32 2000
Screen 3.7.6 (and others) local root exploit. By Ihaquer
siemens.ipphone.txt5822414Sep 28 15:50:02 2000
The Siemens HiNet LP 5100 IP-phone is vulnerable to a buffer overflow when the GET request method is used with a large request size. Vulnerability can lead to a partial or complete crash of phone services. By Michal Zalewski
SRADV00001.txt2934805Sep 11 11:54:13 2000
Secure Reality Pty Ltd. Security Advisory #1 - PHP's handling of uploads permits a remote attacker to manipulate PHP applications into opening arbitrary files on the server with the permission level of the user running the server. Almost any PHP program which provides upload capability is vulnerable. Homepage: http://www.securereality.com.au. By Secure Reality Advisories
tco.txt14714393Sep 21 17:05:59 2000
Synnergy Laboratories Advisory SLA-2000-14 - The BSD/Linux telnet client has a stack overflow which is not usually a security problem, except in the case of a restricted shell environment which allows users to set environment variables and run telnet. Perl proof of concept exploit included.  Homepage: http://www.synnergy.net. By Dethy
thatware.txt5132739Sep 1 11:00:20 2000
Thatware is a news portal administration tool. The security vulnerabilities in Thatware allows attacker to gain administrative access to the application. Two exploits included. Fix: For a quick fix, simply rename admin.php3 and simply quote all numeric data in SQL statements. By Fabian Clone
tsql.c4551640Sep 28 15:05:17 2000
Msql local overflow. Author Unknown.
typsoft-ftpd.txt6012318Sep 12 11:27:39 2000
TYPSoft FTP Server 0.78 for Windows 9X and WinNT is vulnerable to a denial of service attack. Sending a long user or pass commands causes the server to hang and increase system resources. Perl exploit included. Homepage: http://www.synnergy.net. By Dethy
unixware.scohelp.txt3776643Sep 28 14:31:04 2000
CORE SDI Security Advisory - SCO Unixware 7 default installation includes scohelp, an http server that listens on port 457/tcp and allows access to manual pages and other documentation files. The search CGI script provided for that purpose has a vulnerability that could allow any remote attacker to execute arbitrary code on the vulnerable machine with privileges of user "nobody". Homepage: http://www.core-sdi.com. By Ivan Arce
VIGILANTE-2000008.tx..>7102142Sep 6 14:41:23 2000
Vigilante Advisory #8 - NTMail Configuration Service v5 & v6 denial of service. The web configuration running on TCP port 8000 does not flush incomplete HTTP requests, and thus it is possible to use up all the server ressources within a very short time. Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000009.tx..>6312184Sep 13 12:37:11 2000
Vigilante Advisory #9 - Internet Information Server (IIS) 4.0 for Windows NT 4.0 is vulnerable to a denial of service attack as described in ms00-063 in which a certain series of requests can cause INETINFO.EXE to gradually consume all system ressources (99-100% CPU and all memory). When the pagefile can't expand any further, INETINFO.EXE is killed by the operating system. Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000010.tx..>5592336Sep 13 12:48:08 2000
Vigilante Advisory #10 - Intel Express Switch series 500 crashes when a malformed ICMP packet is sent to the Intel Express Switch or a host behind it. The switch looses all routing functionality but continues to function as a switch, except for the fact that learning also crashes, so new connections are not "picked up". Fix available here. Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000011.tx..>5752082Sep 13 13:27:12 2000
Vigilante Advisory #11 - Lotus Domino ESMTP Service Lotus Domino Release 5.0.2a contains a buffer overflow in the processing of SMTp commands, causing the service to crash. Tested on OS/2 Warp 4.5, it is assumed that other platforms are vulnerable as well. Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000012.tx..>6782206Sep 18 16:59:56 2000
Vigilante Advisory #12 - Mdaemon 3.1.1 for Windows NT includes Webconfig and Worldclient which listen to TCP port 3000 and 3001. They both are vulnerable to a heap overflow vulnerability which could be used to execute arbitrary code. Fix available here.  Homepage: http://www.vigilante.com. By Vigilante
VIGILANTE-2000013.tx..>6391335Sep 19 16:07:14 2000
Vigilante Advisory #13 - WinCOM LPD V1.00.90 for Windows NT contains a denial of service vulnerability. A steady stream of LPD options sent to TCP port 515 will eventually consume all the memory on that host.  Homepage: http://www.vigilante.com. By Vigilante
webtv.tar.gz690654Sep 21 16:59:40 2000
Exploit for the recently published Denial of Service Vulnerability in WebTV for Windows discussed on Bugtraq ID 1671 published on 9/12/2000. By Doom and Netsym
wftpd241-12-2.txt870875Sep 5 22:08:25 2000
WFTPD/WFTPD Pro 2.41 RC12 devulges sensitive information by revealing the full path of the current directory. This is fixed in WFTPD/WFTPD Pro 2.41 RC13. Exploit details included. Homepage: http://bluepanda.box.sk. By Blue Panda
wftpd241-12.txt7731603Sep 5 22:06:19 2000
WFTPD/WFTPD Pro 2.41 RC12 contains a remote denial of service vulnerability which does not require a valid login/password. Perl exploit code included. Homepage: http://bluepanda.box.sk. By Blue Panda
winshellcode.h67023790Sep 28 14:57:20 2000
WinShellCode. win32 portbinding shellcode.  Homepage: http://www.cnns.net. By sunx
winweb.c3651575Sep 12 21:20:00 2000
winweb.c exploits the con/con bug to crash the Windows 98 webserver. By Castrol
win_2000.telnet.tgz183014812Sep 15 15:27:02 2000
The Windows 2000 Telnet client can be launched via email or browser and automatically passes NTLM authentication credentials to a telnet server. Proof of concept exploit includes a modified telnet server which causes the w2k telnet client to auto authenticate and prehash-ntlm.c which can be used to launch a dictionary attack against a retrieved hash. By Monti
wu-lnx.c17977138Sep 28 15:06:26 2000
Linux wu-ftpd - 2.6.0(1) (tested on RH6.2 wu from rpm). By vsz_
wu30.c6338185Sep 28 15:08:53 2000
Remote root exploit for wu-ftpd on SCO unix. Based on: ADMwuftpd.c from duke. By The Dark Raver
xloadx.c3572021Sep 28 15:10:36 2000
Sco 5.0.4 local overflow using xload.  Homepage: http://members.tripod.com/~ochodedos. By doble
xsunsploit.c4401589Sep 28 15:04:20 2000
Solaris 7 Xsun(suid) local overflow - Solaris 2.7/(2.6?) x86 sploit no sparc code. By DiGiT
yabb.txt7712240Sep 12 21:31:58 2000
Yabb 9.1.2000 and prior for Windows and Unix is a web based BBS system which has a vulnerability in YaBB.pl which allows remote attackers to view any file on the system. Homepage: http://www.synnergy.net. By Kostas Petrakis
zgv-exploit.c4131601Sep 12 20:43:37 2000
Zgv 3.0 local exploit for Linux. Homepage: http://b0f.freebsd.lublin.pl. By Slash
 
 
Privacy Statement