Welcome to the Exploits for October, 2000 Section.
Some of these exploits are from Bugtraq.
| File Name | Downloads | File Size | Last Modified | Description |
|---|---|---|---|---|
| pqwak.zip | 1742 | 8294 | Oct 23 19:49:52 2000 | This program exploits a flaw in the share level password authentication of MS Windows 95/98/ME in its CIFS protocol to find the password of a given share on one of these machines, as discussed in ms00-072. By Shane Hird |
| lbl-traceroute.txt | 1483 | 27217 | Oct 5 18:06:42 2000 | /usr/bin/traceroute local root format string exploit for LBNL traceroute, distributed with Red Hat 6.1/6.2 and Debian 2.2. Homepage: http://www.synnergy.net. By Dvorak |
| godmessageIV.zip | 1431 | 15015 | Oct 27 01:00:42 2000 | Godmessage 4 Revision 5 is an implementation of Georgi Guninski's recent ActiveX exploit for Internet Explorer which attempts to install a trojan on any machine which views the included HTML. Changes: Revision 5 has all of the rest of the bug updates, plus includes an encrypted version, and denial of service versions (to force the user to reboot and shut down the server). It also includes an important hints section, and generally has been the work of the three developers and a ton of testers. Warning: Do not view the included HTML files with an unpatched browser if you run Windows. By The Pull |
| iis-unicode.txt | 1236 | 3345 | Oct 17 12:35:19 2000 | Rain Forrest Puppy's investigation of the recent Microsoft IIS remote command execution vulnerability which was first mentioned in a forum post and later in ms00-078. UNICODE character translation on foreign IIS 4.0 and 5.0 servers allows additional ways of encoding '/' and '\', allowing commands to be executed under the IUSR_machine context. Homepage: http://www.wiretrip.net. By Rain Forrest Puppy |
| sa_05.txt | 1064 | 3482 | Oct 11 18:43:35 2000 | NSFocus Security Advisory (SA2000-05) - Microsoft Windows 9x NETBIOS password verification contains a vulnerability which allows an attacker to use a share knowing only the first byte of the password, which can easily be guessed. This is the flaw described in ms00-072 which affects Windows 95, 98, and 98se. Homepage: http://www.nsfocus.com. |
| bsd_chpass.c | 916 | 3461 | Oct 3 14:21:05 2000 | /usr/bin/chpass local EDITOR variable format string exploit for *BSD. Tested on OpenBSD, FreeBSD, and NetBSD. Homepage: http://teso.scene.at. By Caddis |
| phploit.c | 912 | 19984 | Oct 17 02:16:02 2000 | PHP/3.0.16 remote format string exploit for FreeBSD 3.4, Slackware Linux 4.0, and 7.0. Homepage: http://www.security.is. By Portal, Tf8 |
| guninski23.txt | 906 | 4458 | Oct 5 17:52:57 2000 | Georgi Guninski security advisory #23 - Internet Explorer 5.5/Outlook allow executing arbitrary programs after viewing a web page or email message. This very serious vulnerability may easily lead to taking full control over the user's computer. The problem is the com.ms.activeX.ActiveXComponent java object, which allows creating and scripting arbitrary ActiveX objects, including those not marked safe for scripting. Demonstration available here or here. Homepage here. By Georgi Guninski, courtesy of Bugtraq |
| fwsa.sh | 898 | 12582 | Oct 6 22:33:37 2000 | Fwsa.sh is a tool to penetration test Checkpoint Firewall-1 remotely which implements the recently published holes in session authentication. It attempts to recover user passwords, execute DoS attacks, and brute force the firewall management password. Homepage: http://c3rb3r@hotmail.com. |
| inebriation.c | 892 | 17156 | Oct 3 13:12:26 2000 | Inebriation.c is a local Linux/x86 /bin/su + locale libc functions exploit which has been written in response to previous unreliable exploits for this vulnerability. It includes a perl wrapper to find the correct offset, can use GOT overwrites to evade StackGuard, StackShield, and libsafe, uses clean overflow string creation, and has documentation and several other usability improvements. Homepage: http://www.synnergy.net. By Scrippie |
| iisex.c | 871 | 2175 | Oct 19 11:28:41 2000 | iisex.c is a remote command execution exploit for Microsoft IIS 4.0 and 5.0, as discussed in iis-unicode.txt, which attempts to provide an interactive cmd.exe shell. Homepage: http://www.securax.org. By Incubus |
| wgate401.pl | 802 | 2788 | Oct 2 10:29:04 2000 | There is a vulnerability in the Wingate engine that allows a malicious user to disable all services to the engine by sending an abnormal string to the enabled Winsock Redirecter Service. Wingate Home/Standard/Pro version 4.0.1 is vulnerable. The problem has been addressed in Wingate 4.1 Beta A. Homepage: http://bluepanda.box.sk. By Blue Panda |
| godmessageIII.zip | 796 | 20308 | Oct 6 20:32:32 2000 | Godmessage 3 (Revision 4) is an ActiveX trojan which automatically uploads a binary to unpatched IE browsers by simply viewing HTML code. Tested against IE 5.0, 5.01, and 5.5 on Windows NT, 2000, and 98. WARNING: Viewing this HTML very well may break your computer if you run Windows! By The Pull |
| 33_su.c | 717 | 4754 | Oct 5 18:50:05 2000 | Immunix OS StackGuard-evading LC glibc + su + msgfmt local root exploit. Tested on Immunix OS (StackGuarded Red Hat 6.2). Patch available here. By Kil3r of Lam3rz |
| obsd_fstat.c | 612 | 6580 | Oct 4 15:23:14 2000 | OpenBSD 2.7 local root exploit for /usr/bin/fstat + libutil. Tested against OpenBSD 2.7 i386. Homepage: http://www.ktwo.ca. By Ktwo, Caddis |
| scp.hole.txt | 600 | 8489 | Oct 4 15:44:00 2000 | When scp'ing files from a remote machine, the remote scp daemon can be modified to overwrite arbitrary files on the client side. Scp from ssh-1.2.30 and below is vulnerable. Proof of concept scp replacement included. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski, Craig Ruefenacht |
| xlockx.c | 586 | 2437 | Oct 5 17:57:38 2000 | OpenBSD 2.6 and 2.7 xlock local root format string exploit. By Noir |
| freebsd-systat.c | 550 | 2634 | Oct 11 11:42:49 2000 | FreeBSD 4.X local /usr/bin/systat exploit. Gives a sgid kmem shell by exploiting the .terminfo bug in ncurses. By Przemysław Frasunek |
| locale_sol.txt | 485 | 30588 | Oct 21 03:38:25 2000 | This paper describes in detail the exploitation of the libc locale format string vulnerability on Solaris/SPARC. The full source code for the exploit is presented and some details of the implementation are discussed. Homepage: http://www.phreedom.org. By Solar Eclipse |
| thttpd-219.txt | 483 | 2761 | Oct 4 17:49:46 2000 | Thttpd 2.19 and below includes a CGI program "ssi" which contains a vulnerability which allows remote users to read any file on the webserver. Exploit examples included. Fix available here. Homepage: http://www.dopesquad.net/security. By Ghandi |
| sa_04.txt | 448 | 2999 | Oct 11 18:45:55 2000 | NSFocus Security Advisory (SA2000-04) - A denial of service flaw has been found in the Microsoft Win9x netbios client. An attacker can modify his host's file share service and perform a DoS attack against a Win9x client that visits it. Windows 95, 98, and 98se are vulnerable. Homepage: http://www.nsfocus.com. |
| traceroute.c | 445 | 8283 | Oct 18 16:43:47 2000 | Red Hat 6.1/6.2 traceroute local root exploit which exploits the traceroute -g bug, as described in the Red Hat Advisory on Traceroute. By Dvorak |
| SLA-16.MasterIndex.t..> | 428 | 2008 | Oct 10 18:23:41 2000 | Synnergy Laboratories Advisory SLA-2000-16 - Synnergy Labs has found a flaw within Master Index for Linux/UNIX that allows a user to successfully traverse the filesystem on a remote host, allowing arbitrary files/folders to be read. Exploit URL included. Fix available here. Homepage: http://www.synnergy.net. By Kostas Petrakis |
| cached_feed.cgi.txt | 405 | 3446 | Oct 4 17:54:13 2000 | Cached_Feed.cgi v1.0 from moreover.com lacks input validation, allowing any file on the webserver to be read. Exploit URL included. Fix available in V2.0, available here. Homepage: http://www.thewebmasters.net. By CDI |
| ncurses-overflow.txt | 397 | 4499 | Oct 10 18:12:15 2000 | The ncurses library v4.2 and 5.0 contains exploitable buffer overflows which can be used to gain additional privilege if there are SUID programs which use ncurses and the library implementation supports ~/.terminfo. Vulnerable programs found so far include Red Hat and SuSE cda, FreeBSD /usr/bin/systat, and OpenBSD /usr/bin/systat. By Jouko Pynnönen |
| easy-adv-exploit.pl | 379 | 1986 | Oct 4 14:33:22 2000 | Easy Advertiser v. 2.04 Remote Exploit. The stats.cgi script used in Easy Advertiser has an insecure open() that allows this exploit to bind a shell to port 60179 running with the privileges of the user the webserver runs as. Netcat is needed locally to use this. Homepage: http://teleh0r.cjb.net. By teleh0r@doglover.com and anno. |
| gdmurder.txt | 356 | 4620 | Oct 15 12:45:37 2000 | GDM local root and/or denial of service attack, tested on Red Hat 6.2. Requires console access. Homepage: http://ashtar@dragon.hack.tc. |
| webevent.txt | 309 | 1376 | Oct 20 22:55:53 2000 | Webevent v3.3.3 (webevent.pl) is an online calendar which contains a remote cgi vulnerability which allows administrative access. |
| oracle-815.c | 301 | 4546 | Oct 20 23:57:41 2000 | Oracle 8.1.5 local buffer overflow exploit for Linux. Homepage: http://www.hackerslab.org. By Loveyou |
| bindview.lpc.txt | 298 | 13765 | Oct 4 15:26:47 2000 | BindView Security Advisory - Windows NT 4.0 and 2000 contain multiple vulnerabilities in the LPC ports, as described in ms00-070. Implications range from denial of service to local privilege promotion. Homepage: http://razor.bindview.com. By Todd Sabin |
| A100400-1 | 297 | 3199 | Oct 4 18:38:29 2000 | Atstake Security Advisory - Microsoft's Internet Information Server 5.0 is WebDAV (RFC 2518) enabled. As part of the extra functionality provided by the WebDAV components, Microsoft has introduced the SEARCH request method to enable searching for files based upon certain criteria. This functionality can be exploited to gain what are equivalent to directory listings. These directory listings can be used by an attacker to locate files in the web directories that are not normally exposed through links on the web site. .inc files and other components of ASP applications that potentially contain sensitive information can be viewed this way. Homepage: http://www.atstake.com. By Mnemonix |
| xzarch.c | 281 | 1519 | Oct 21 00:30:18 2000 | Linux /usr/games/zarch v.92 local root buffer overflow exploit. Homepage: http://www.fakehalo.org. By Vade79 |
| hp-ux.crontab.sh | 280 | 657 | Oct 23 23:59:28 2000 | HP/UX crontab local shell script exploit. Homepage: http://www.hackerslab.com. By Kyong-won Cho |
| wgate41a.txt | 255 | 8688 | Oct 16 23:53:22 2000 | Wingate 4.1 Beta A and below allows users with access to read the logs to read any file on the filesystem by encoding the URL with escape codes, bypassing input validation. Includes wgate41a.c, proof of concept code. Fix available here. Homepage: http://bluepanda.box.sk. By Blue Panda |
| DST2K0039.txt | 252 | 4979 | Oct 4 18:11:17 2000 | Delphis Consulting Plc Security Team Advisory DST2K0039 - WebData allows users which have an account to read any file on the webserver. Patch and exploit information included. Homepage: http://www.delphisplc.com/thinking/whitepapers. |
| SLA-15-PHPix.txt | 249 | 1616 | Oct 9 18:30:47 2000 | PHPix, a Web-based photo album viewer written in PHP, has a vulnerability which allows remote users to traverse directories and read any file on the server. Exploit URL included. Fix available here. Homepage: http://www.synnergy.net. By Kostas Petrakis |
| DST2K0036.txt | 220 | 3582 | Oct 4 18:08:01 2000 | Delphis Consulting Plc Security Team Advisory DST2K0036 - CyberOffice Shopping Cart v2 under Windows NT allows remote users to modify the price of items because prices are set by a hidden form field. Homepage: http://www.delphisplc.com/thinking/whitepapers. |
| VIGILANTE-2000014.tx..> | 204 | 1915 | Oct 10 17:22:28 2000 | Vigilante Advisory #14 - HP Jetdirect print servers have multiple vulnerabilities which have effects ranging from the service crashing to the printer initiating a firmware upgrade based on random garbage in memory, and in some cases power cycling won't fix the crash. It requires a new firmware burn by e.g. HP to restore the Jetdirect card. The FTP, Telnet, and LPD services contain buffer overflows, and spoofed malformed packets can crash the printer. Fix available here. Homepage: http://www.vigilante.com. By Vigilante |
| ppp-off.txt | 200 | 722 | Oct 19 01:59:18 2000 | Slackware Linux's ppp-off command uses /tmp insecurely by writing ps output to /tmp/grep.tmp, allowing an unprivileged user to overwrite any file as root. By Sinfony |
| xsplumber.c | 194 | 1731 | Oct 20 22:27:00 2000 | Linux space plumber (/usr/games/splumber) local buffer overflow exploit. Homepage: http://www.fakehalo.org. By Vade79 |
| kak.hta.tar.gz | 187 | 2208 | Oct 15 10:46:46 2000 | Kak.hta is a variation of the recent ActiveX vulnerability discovered by Georgi Guninski which attempts to add programs to the StartUp folder if viewed with a vulnerable web browser or email client. Sent in by Dotslash. |
| sa_03.txt | 184 | 3665 | Oct 11 15:56:33 2000 | NSFocus Security Advisory (SA2000-03) - A denial of service vulnerability has been found in the IPX/SPX protocol implementation. When a Win9x host receives an IPX NMPI packet whose source and destination machine name are both its own, it is led into an infinite loop of sending and receiving packets. This attack consumes a large amount of CPU resources on the attacked host, causing it to crash. Homepage: http://www.nsfocus.com. |
| boa.server.txt | 181 | 3122 | Oct 9 17:57:35 2000 | The BOA webserver version 0.94.8.2 and below contains a vulnerability which allows remote users to read any file on the system. Exploit URL included. Fix available here. Homepage: http://www.s21sec.com. By Lluis Mora |
| guninski24.txt | 176 | 2994 | Oct 18 17:07:03 2000 | Georgi Guninski security advisory #24 - IE 5.5, Outlook, and Outlook Express have a serious security vulnerability which allows remote users to read local files, arbitrary URLs, and the local directory structure after viewing a web page or reading an HTML message. The problem is that you are allowed to specify an arbitrary codebase for an applet loaded from an <OBJECT> tag and a jar file. Demonstration exploit available here. Homepage here. By Georgi Guninski |
| iis.asp.txt | 128 | 3350 | Oct 23 19:33:52 2000 | How to read ASP source code on an IIS 5 server using the recently discovered IIS vulnerability. Homepage: http://adonis1@videotron.ca. |
| unicode.pl | 118 | 2326 | Oct 20 22:18:39 2000 | Unicode.pl exploits vulnerable IIS servers which allow remote command execution, as described in iis-unicode.txt. By SteeLe |
| SLA-17.Anaconda.txt | 112 | 2077 | Oct 15 11:18:49 2000 | Synnergy Laboratories Advisory SLA-2000-17 - A flaw in Linux/UNIX Anaconda Foundation Directory, a Yahoo-style search engine based on the Open Directory Project, allows remote users to traverse the webserver's filesystem, allowing arbitrary files to be read by appending a trailing NULL byte in URL encoded format. Exploit URL included. Homepage: http://www.synnergy.net. By Kostas Petrakis |
| half-life.txt | 33 | 3161 | Oct 18 17:29:05 2000 | The Half-Life Dedicated Server for Linux v3.1.0.3 and below contains a remotely exploitable buffer overflow. Exploit code available here. By Mark Cooper |
| redhat.lpr.txt | 27 | 5834 | Oct 21 03:35:26 2000 | Lpr lpr-0.50-4 and below contains vulnerabilities which allow local users to access other accounts, and sometimes root. Homepage: http://crash.ihug.co.nz. By Zen-parse |
| DST2K0040.txt | 25 | 3002 | Oct 6 22:48:09 2000 | Delphis Consulting Plc Security Team Advisory DST2K0040 - QuotaAdvisor 4.1 by WQuinn for Windows NT allows users to list all the files contained on a file system which is on a server with QuotaAdvisor running on it. Homepage: http://www.delphisplc.com/thinking/whitepapers. |
| web_store-cgi.txt | 22 | 115 | Oct 18 16:46:17 2000 | Web Store (cgi-bin/Web_store/web_store.cgi) is vulnerable to a bug which allows remote users to read any file on the webserver. Exploit URL included. |
| zen-ntkb.c | 15 | 4718 | Oct 19 02:08:22 2000 | /usr/sbin/userhelper / kbdrate local root exploit - works only at console. Works well for people you know. By zen-parse |
| auction.weaver.txt | 13 | 9729 | Oct 18 17:21:41 2000 | Auction Weaver LITE 1.0 - 1.04 contains remote vulnerabilities which allow users to read any file on the filesystem, and delete arbitrary files. Fix available here. Homepage: http://coley@mitre.org. |
| 0010-exploits.tgz | 0 | 218360 | Nov 2 01:22:03 2000 | Packet Storm new exploits for October, 2000. |
| formnow-exploit.pl | 0 | 2186 | Oct 28 13:23:39 2000 | FormNow CGI script v1.0 remote exploit - Takes advantage of an insecure sendmail call to bind a shell to tcp port 60179. Homepage: http://teleh0r.cjb.net. By Telehor |
| statdx2.tar.gz | 0 | 5856 | Oct 18 23:41:12 2000 | Sorry, a description is unavailable. |
| listmail-exploit.pl | 0 | 2086 | Oct 28 13:27:59 2000 | Listmail v112 remote exploit which spawns a shell on tcp port 60179. Takes advantage of an insecure open call. Homepage: http://teleh0r.cjb.net. By Telehor |
| guninski26.txt | 0 | 1991 | Oct 30 16:21:02 2000 | Georgi Guninski security advisory #26 - Using specially designed URLs, IIS 5.0 may return user specified content to the browser. This poses a great security risk, especially if the browser is JavaScript enabled, and the problem is greater in IE. By clicking on links, just visiting hostile web pages or opening HTML email, the target IIS server may return user defined malicious active content. This is a bug in IIS 5.0, but it affects end users and is exploited with a browser. A typical exploit scenario is stealing cookies which may contain sensitive information. Homepage here. By Georgi Guninski |
| hl-advisory.asc | 0 | 13943 | Oct 28 01:40:35 2000 | The Half-life Dedicated Server for Linux contains remotely exploitable buffer overflow vulnerabilities. Includes remote buffer overflow exploit hl-rcon.c which has been tested against v3.1.0.x for Linux x86. Homepage: http://www.sekure.org. By Condor, Csh |
| unicodexecute2.pl | 0 | 2235 | Oct 28 01:23:21 2000 | Unicodexecute2 is a simple perl script to execute commands on vulnerable IIS servers w/ Unicode, as described in this article. Homepage: http://www.sensepost.com. By Roelof Temmingh |
| utilmind-maillist-ex..> | 0 | 2916 | Oct 28 13:30:21 2000 | Mailing List & News Version 1.7 remote exploit - takes advantage of insecure mail handling to spawn a shell on tcp port 60179. Homepage: http://teleh0r.cjb.net. By Telehor |
| newsexp.tar.gz | 0 | 4588 | Oct 28 04:01:33 2000 | News Update 1.1 advisory / remote exploit which allows changing the passwords for the cgi program without knowing the former password, allowing malicious users to modify your news page. Homepage: http://www.brightdarkness.de. By Morpheusbd |
| ntop-w-exp.c | 0 | 2931 | Oct 27 00:39:09 2000 | Ntop -w v1.2a1 remote stack overflow exploit. Ntop in web mode (-w) contains an overflow when a long filename is requested. Fix available here. By Mat |
| hostexp.c | 0 | 2016 | Oct 28 03:55:51 2000 | An older version of the host command contains a remotely exploitable buffer overflow. The host command is used to perform the AXFR request to obtain zone transfer information, and can be caused to execute arbitrary code when connecting to a fake DNS server, a netcat process listening on port 53. Homepage: http://www.kyuzz.org/antirez. By Antirez |
| inbusdos.c | 0 | 1653 | Oct 27 00:59:09 2000 | Denial of Service attack against an Intel InBusiness eMail Station. Will send a 630 char buffer to the pop server as argument of a USER command. The little box needs to be powered off and on again. Homepage: http://securax.org/incubus. By Incubus |
| pqwak2.zip | 0 | 9646 | Oct 28 01:31:09 2000 | This program exploits a flaw in the share level password authentication of MS Windows 95/98/ME in its CIFS protocol to find the password of a given share on one of these machines, as discussed in ms00-072. Changes: Lots of bug fixes! Works much better. By Shane Hird |