
Welcome to the Exploits for November, 2000 Section.
Some of these exploits are from Bugtraq.

Sorted By: Last Modified.

File Name | Downloads | File Size | Last Modified
0011-exploits.tgz | 0 | 442967 | Dec 14 2000 17:53:46
Packet Storm new exploits for November, 2000.
tessa.c | 0 | 4127 | Dec 6 2000 21:03:21
Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service and Information Store. The bug is in the handling of a line containing Content="". By Incubus
oidldapd.c | 0 | 1651 | Dec 5 2000 18:13:05
Exploit code for oidldapd in Oracle 8.1.6 (8ir2) for Linux. I tested in RH 6.2 and 6.1.
cgiforum-1.0.txt | 0 | 767 | Dec 2 2000 21:48:21
CGIForum v1.0i (cgi-bin/ allows remote users to view any file on the system via a ../.. bug. By Zorgon
xp-bitchx.c | 0 | 9668 | Dec 2 2000 21:26:35
BitchX v1.0c16 remote exploit. Tested against Redhat 6.0, 7.0, and Debian 2.2. By Raise
2 2000 21:23:08
Glibc 2.1 + /bin/su local root exploit. Tested on Redhat 6.2, 6.1, and SuSE 6.2. By Doing
mogrify.c | 0 | 1193 | Dec 2 2000 17:36:15
/usr/X11R6/bin/mogrify local buffer overflow exploit for Redhat 7.0. By Zucco
lnapster_dos.c | 0 | 2252 | Dec 2 2000 17:08:50
The Linux Napster Client v0.9 through v1.4.4 contains remote denial of service vulnerabilities, including a buffer overflow. By Vade79
xrcvtty.c | 0 | 3245 | Dec 2 2000 16:23:28
BSDI 3.0/4.0 /usr/contrib/mh/lib/rcvtty local exploit - gives an egid=4(tty) shell. By Vade79
bsdi_inews.c | 0 | 1870 | Dec 2 2000 16:20:52
BSDI 3.0 local Inews (inn-2.2) buffer overflow exploit. Gives an egid=news shell. By Vade79
bsdi_sperl.c | 0 | 1370 | Dec 2 2000 16:19:26
BSDI 3.0 /usr/bin/suidperl local root exploit. By Vade79
bsdi_inc.c | 0 | 1410 | Nov 29 2000 08:56:34
BSDI 3.0 /usr/contrib/mh/bin/inc local root exploit. By Vade79
NIT_UNICODE.zip | 0 | 71136 | Nov 29 2000 00:26:21
Microsoft IIS Unicode remote exploit which uses tftp to obtain code to run. By Stealthmode316
SynAttackProtect.txt | 0 | 28258 | Nov 25 2000 17:56:43
Windows NT 4.0 SP6a with SynAttackProtect set is vulnerable to a remote denial of service attack.
super-sadmin.c | 0 | 13213 | Nov 25 2000 17:44:32
Super Solaris sadmin exploit - works with Solaris 2.6/7.0 SPARC and x86, does the sp guessing (much like sadmin-brute.c). By Optyx
coolz.cpp | 0 | 4416 | Nov 21 2000 12:07:23
Koules v1.4 (svgalib version) local root exploit. By Scrippie
analogx-4.10.dos.txt | 0 | 3674 | Nov 21 2000 12:01:33
Network Security Solutions Security Advisory - A denial of service vulnerability has been discovered in AnalogX proxy v4.10. POP, FTP, and SMTP are vulnerable to a buffer overflow, crashing all the proxy services. By Zerologic
tetrinet-1.13.dos.tx..> | 0 | 674 | Nov 18 2000 23:18:11
Tetrinet v1.13 has a denial of service vulnerability which is caused by telnetting to the tetrinet port and pressing enter once, freezing the game.
sbo_ethereal.c | 0 | 12796 | Nov 18 2000 21:12:51
Ethereal v0.8.13 advisory and remote exploit for Linux x86. A stack overflow in the AFS packet parsing routine allows a spoofed packet to start a root shell bound to TCP port 36864. By Mat
wkit.joe.txt | 0 | 5306 | Nov 17 2000 08:32:19
Joe's Own Editor file link vulnerability - If a joe session with an unsaved file terminates abnormally, joe creates a rescue copy of the file being edited called DEADJOE. The creation of this rescue copy is made without checking if the file is a link. By Patrik Birgersson
vixie-cron.sh | 0 | 7320 | Nov 17 2000 01:16:49
Vixie crontab local root exploit - an insecure fopen() call in Paul Vixie's crontab code is exploitable on systems where /var/spool/cron is user readable, such as Red Hat 6.1. By Michal Zalewski
1080r.c | 0 | 5219 | Nov 15 2000 23:53:15
Socks5 v1.0r10 remote buffer overflow exploit. Tested against Turbolinux 4.0.5 and Redhat 6.0. By The Dark Raver
aim.caching.txt | 0 | 1654 | Nov 15 2000 23:31:34
AOL Instant Messenger contains a caching vulnerability where once you have logged onto AIM with a screenname, you can permanently log in with that screenname. By F3d
bsdi_elm.c | 0 | 1329 | Nov 15 2000 23:26:42
BSDI Elm 2.4 local buffer overflow exploit. Tested on BSDI/3.0, gives a group mail shell. By Vade79
phx.c | 0 | 5332 | Nov 15 2000 19:59:00
Phf remote buffer overflow exploit for Linux x86. This is unrelated to the well known bad filter problem. By Proton
deb_gnomehack.c | 0 | 2069 | Nov 15 2000 18:34:21
Gnomehack v1.0.5 local buffer overflow exploit which gives an egid=60 (games) shell if gnomehack is sgid (2755), tested on Debian 2.2. The same bug also affects Nethack. By Vade79
sonata.teleconf.txt | 0 | 3136 | Nov 15 2000 18:28:34
Voyant Technologies Sonata Conferencing vulnerability report - Local and remote vulnerabilities have been found in both the Solaris and OS/2 hosts, including reused default passwords, poor file permissions, a lack of host hardening, account enumeration, and an insecure X console. By Larry W. Cashdollar
openssh.forwarding.t..> | 0 | 3070 | Nov 14 2000 21:58:43
All versions of the OpenSSH ssh client prior to 2.3.0 have a vulnerability which allows malicious OpenSSH servers to turn on port forwarding even if it is disabled in the client configuration, allowing hostile servers to access your X11 display or your ssh-agent. Newest version available here.
openwall.c | 0 | 4622 | Nov 14 2000 21:49:25
Openwall.c is a local root exploit in LBNL traceroute v1.4a5 which executes the heap instead of the stack, avoiding the openwall kernel patch. By Michel MaXX Kaempf
traceroot2.c | 0 | 6513 | Nov 14 2000 21:47:19
Traceroot2.c - Improved local root exploit in LBNL traceroute v1.4a5. Tested against Debian GNU/Linux 2.2 x86 and sparc, and Red Hat 6.2 x86. Advisory on this issue available here. By Michel MaXX Kaempf
local_nonexec_sun.c | 0 | 10660 | Nov 14 2000 14:19:00
Solaris Sparc 2.6 / 7 local root exploit against /usr/bin/passwd which uses the yet unpatched libc locale bug and bypasses non-executable stack protection. By Warning3
bsdi_filter.c | 0 | 1472 | Nov 14 2000 14:11:32
BSDI /usr/contrib/bin/filter v2.* local buffer overflow exploit. Tested on BSDI 3.0, provides a shell with GID mail. By Vade79
iXsecurity.20001107...> | 0 | 2372 | Nov 13 2000 17:13:10
iXsecurity Security Vulnerability Report - The default installation of Compaq Web-Based Management on a Netware server reveals sensitive system files to anyone who can access TCP port 2301, allowing remote users to read the remote console password. Software version 2.28 verified vulnerable. Compaq advisory available here. By Ian Vitek
hpux.10.20.644.txt | 0 | 1073 | Nov 13 2000 17:04:52
HP/UX 10.20 allows any file on the filesystem to be chmodded 644. By J.A. Gutierrez
new.phf.txt | 0 | 1087 | Nov 13 2000 17:00:53
An exploitable buffer overflow vulnerability has been found in phf which is unrelated to the well known bad filter problem. All versions of phf should be removed. By Proton
sadmind-sun.brute.c | 0 | 7394 | Nov 13 2000 16:37:21
Remote exploit for rpc.sadmind which brute forces the offset. Tested against Solaris x86 and SPARC v2.6 and 7.0. By Nikolai Abromov
exchange.dos.txt | 0 | 1019 | Nov 13 2000 16:29:10
Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service. A message containing charset = "" causes the mail service to crash. By Art Savelev
guninski27.txt | 0 | 2873 | Nov 13 2000 16:07:13
Georgi Guninski security advisory #27 - There is a security vulnerability in IE 5.x, Outlook, and Outlook Express which allows searching for files with a specific name (wildcards are allowed) or content. Combined with other local file reading vulnerabilities this allows attackers to search for and retrieve any file on a user's drive. The problem is the "ixsso.query" ActiveXObject which is used to query the Indexing service and, surprisingly, is marked safe for scripting. Exploit code included, demonstration available here. By Georgi Guninski
cons.saver.txt | 0 | 3700 | Nov 13 2000 15:53:14
Many systems have the SUID bit set on cons.saver (/usr/lib/mc/bin/cons.saver), part of the Midnight Commander package. A denial of service vulnerability has been found which allows local users to write a null character into any symlinkable file. Includes proof of concept exploit and a patch for cons.saver. By Z33d
gbook.cgi.txt | 0 | 1303 | Nov 11 2000 19:24:45
GBook, a web site guestbook, has a remote command execution vulnerability in gbook.cgi. By Mat
dumpx.c | 0 | 1850 | Nov 11 2000 17:29:27
Dump-0.4b15-1 local root exploit tested on Redhat 6.2. By The Itch
dae_sambar44.pl | 0 | 1861 | Nov 11 2000 17:19:43
The Sambar Server v4.4 Beta 4 for Windows 95/NT is vulnerable to a remote denial of service attack due to the con/con bug. Perl proof of concept code included. By Daemon-root
uni2.pl | 0 | 4801 | Nov 10 2000 12:59:09
Checks a host for the recent IIS unicode vulnerability in 14 different ways. Also gives you the browser URL for the exploit. Originally Stealthmode316, modifications by Roeland.
omnisux.pl | 0 | 1049 | Nov 9 2000 15:20:12
The OmniHTTPd web server v2.06 and below contains a remote denial of service vulnerability in /cgi-bin/visadmin.exe. By Philer
iis-unicode-exploit...> | 0 | 4305 | Nov 9 2000 00:22:12
IIS Unicode remote exploit - executes commands remotely on IIS 4.0 on NT and IIS 5.0 on Windows NT and 2000. By Telehor
pollit-2.0-exploit.p..> | 0 | 2545 | Nov 9 2000 00:19:37
Poll It v2.0 CGI exploit which binds a shell to TCP port 60179. By Telehor
quakeworldex.txt | 0 | 2155 | Nov 6 2000 20:48:34
Quake World server for Unix v2.30 contains a buffer overflow in the rcon feature which causes the server to crash with a segmentation fault. Proof of concept exploit included. By Chandler
exgsx.c | 0 | 1285 | Nov 6 2000 20:44:51
Gsx-0.90d and below contains a remote denial of service vulnerability which allows remote users to crash the GTK scour client by creating many connections. By Chandler
uni.pl | 0 | 4048 | Nov 5 2000 15:24:09
Checks a host for the recent IIS unicode vulnerability in 14 different ways. By Stealthmode316
scx-sa-08.txt | 0 | 3068 | Nov 5 2000 15:19:00
Securax Security Advisory #8 - IIS 4.0 contains a denial of service vulnerability which is similar to the unicode vulnerability. This can be fixed by installing the recent unicode patches. By Zoa_Chien
pollex.pl | 0 | 4693 | Nov 5 2000 12:54:19
Poll It CGI v2.0 contains remote vulnerabilities which allow remote command execution and reading any file on the webserver. Fix available here. By Keelis
IISHack1.5.zip | 0 | 24117 | Nov 4 2000 23:49:32
IISHack 1.5 attempts to remotely exploit a local buffer overflow in the IIS 4.0 and 5.0 .asp file parsing mechanism using the unicode bug, resulting in remote system access. By eEye Digital Security
> | 0 | 693 | Nov 4 2000 16:21:24
HP-UX vB.11.00 comes with /bin/cu SUID bin, which has a buffer overflow in the -l switch. By Zorgon
kde-exploit.gif | 0 | 245580 | Nov 4 2000 16:19:09
KDE File Manager can be tricked into executing commands as root by creating an HTML file with a link to a binary. By Dotslash
mandrake.urpmi.txt | 0 | 2628 | Nov 4 2000 16:10:19
Mandrake 7.1's /usr/bin/urpmi allows attackers to install RPMs as root if they have an account in the urpmi group and possibly physical access. By Dotslash
xrestore.c | 0 | 2300 | Nov 3 2000 18:43:54
Restore (/sbin/restore) v0.4b15 local root exploit. Tested against Redhat 6.2. By Vade79
dump-exp.sh | 0 | 1405 | Nov 2 2000 01:31:25
Dump v0.4b15 for Linux on Redhat and others contains a trivial local root vulnerability. By Fish
dump.sh | 0 | 1903 | Nov 2 2000 01:30:54
Dump v0.4b15 and below for Linux contains a trivial local root vulnerability. Includes proof of concept exploit tested on Redhat 6.2. By Mat