ArchivesForums
 
about usforumsassessmentdefensepapersmagazinesmiscellaneouslinkscareers


Welcome to the Exploits for November, 2000 Section.
Some of these exploits are from Bugtraq

To Change Sort Order, Click On A Category.
Sorted By: File Size.

File Name Downloads File Size Last Modified
0011-exploits.tgz0442967Dec 14 17:53:46 2000
Packet Storm new exploits for November, 2000.
kde-exploit.gif0245580Nov 4 16:19:09 2000
KDE File Manager can be tricked into executing commands as root by creating a HTML file with a link to a binary. By Dotslash
NIT_UNICODE.zip071136Nov 29 00:26:21 2000
Microsoft IIS Unicode remote exploit which uses tftp to obtain code to run. By Stealthmode316
SynAttackProtect.txt028258Nov 25 17:56:43 2000
Windows NT 4.0 SP6a with SynAttackProtect set is vulnerable to a remote denial of service attack.  Homepage: http://adonis1@videotron.ca.
IISHack1.5.zip024117Nov 4 23:49:32 2000
IISHack 1.5 attempts to remotely exploit a local buffer overflow in the IIS 4.0 and 5.0 .asp file parsing mechanism using the unicode bug, resulting in remote system access.  Homepage: http://www.eEye.com. By eEye Digital Security
libc-language.su.c013626Dec 2 21:23:08 2000
Glibc 2.1 + /bin/su local root exploit. Tested on Redhat 6.2, 6.1, and SuSE 6.2. By Doing
super-sadmin.c013213Nov 25 17:44:32 2000
Super Solaris sadmin Exploit - works with solaris 2.6/7.0 SPARC and x86, does the sp guessing (much like sadmin-brute.c). By Optyx
sbo_ethereal.c012796Nov 18 21:12:51 2000
Ethereal v0.8.13 advisory and remote exploit for Linux x86. A stack overflow in the AFS packet parsing routine allows a spoofed packet to start a root shell bound to TCP port 36864.  Homepage: http://hacksware.com. By Mat
local_nonexec_sun.c010660Nov 14 14:19:00 2000
Solaris Sparc 2.6 / 7 local root exploit against /usr/bin/passwd which uses the yet unpatched libc locale bug and bypasses non-executable stack protection.  Homepage: http://www.nsfocus.com. By Warning3
xp-bitchx.c09668Dec 2 21:26:35 2000
BitchX v1.0c16 remote exploit. Tested against Redhat 6.0, 7.0, and Debian 2.2.  Homepage: http://www.netsearch-ezine.com. By Raise
sadmind-sun.brute.c07394Nov 13 16:37:21 2000
Remote exploit for rpc.sadmind which brute forces the offset. Tested against Solaris X86 and SPARC v2.6 and 7.0. By Nikolai Abromov
vixie-cron.sh07320Nov 17 01:16:49 2000
Vixie crontab local root exploit - an insecure fopen() call in Paul Vixie's crontab code is exploitable on systems where /var/spool/cron is user readable, such as Red Hat 6.1.  Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski
traceroot2.c06513Nov 14 21:47:19 2000
Traceroot2.c - Improved local root exploit in LBNL traceroute v1.4a5. Tested against Debian GNU/Linux 2.2 x86 and sparc, and Red Hat 6.2 x86. Advisory on this issue available here.  Homepage: ftp://maxx.via.ecp.fr/traceroot. By Michel MaXX Kaempf
phx.c05332Nov 15 19:59:00 2000
Phf remote buffer overflow exploit for Linux x86. This is unrelated to the well known bad filter problem. By Proton
wkit.joe.txt05306Nov 17 08:32:19 2000
Joe's Own Editor File Link Vulnerability - If a joe session with an unsaved file terminates abnormally, joe creates a rescue copy of the file being edited called DEADJOE. The creation of this rescue copy is made without checking if the file is a link.  Homepage: http://www.wkit.com/advisories. By Patrik Birgersson
1080r.c05219Nov 15 23:53:15 2000
Socks5 v1.0r10 remote buffer overflow exploit. Tested against Turbolinux 4.0.5 and Redhat 6.0.  Homepage: http://members.tripod.com/~ochodedos. By The Dark Raver
uni2.pl04801Nov 10 12:59:09 2000
Uni2.pl checks a host for the recent IIS unicode vulnerability in 14 different ways. Also gives you the browser URL for the exploit. Origionally Stealthmode316, modifications by Roeland.
pollex.pl04693Nov 5 12:54:19 2000
Poll It CGI v2.0 contains remote vulnerabilities which allow remote command execution and reading any file on the webserver. Fix available here. By Keelis
openwall.c04622Nov 14 21:49:25 2000
Openwall.c is a local root exploit in LBNL traceroute v1.4a5 which executes the heap instead of the stack, avoiding the openwall kernel patch.  Homepage: ftp://maxx.via.ecp.fr/traceroot. By Michel MaXX Kaempf
coolz.cpp04416Nov 21 12:07:23 2000
Koules v1.4 (svgalib version) local root exploit.  Homepage: http://www.synnergy.net. By Scrippie
iis-unicode-exploit...>04305Nov 9 00:22:12 2000
IIS Unicode remote exploit - Executes commands remotely on IIS 4.0 on NT and IIS 5.0 on Windows NT and 2000.  Homepage: http://teleh0r.cjb.net. By Telehor
tessa.c04127Dec 6 21:03:21 2000
Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service and Information Store. The bug is in the handling of a line containing Content="".  Homepage: http://securax.org/incubus. By Incubus
uni.pl04048Nov 5 15:24:09 2000
Uni.pl checks a host for the recent IIS unicode vulnerability in 14 different ways. By Stealthmode316
cons.saver.txt03700Nov 13 15:53:14 2000
Many systems have the SUID bit set on cons.saver (/usr/lib/mc/bin/cons.saver), part of the Midnight Commander package. A denial of service vulnerability has been found which allows local users to overwrite a null character to any symlinkable file. Includes proof of concept exploit and a patch for cons.saver. By Z33d
analogx-4.10.dos.txt03674Nov 21 12:01:33 2000
Network Security Solutions Security Advisory - A denial of service vulnerability has been discovered in AnalogX proxy v4.10. POP, FTP, and SMTP are vulnerable to a buffer overflow, crashing all the proxy services.  Homepage: http://www.nssolution.net. By Zerologic
xrcvtty.c03245Dec 2 16:23:28 2000
BSDI 3.0/4.0 /usr/contrib/mh/lib/rcvtty local exploit - Gives a egid=4(tty) shell.  Homepage: http://www.fakehalo.org. By Vade79
sonata.teleconf.txt03136Nov 15 18:28:34 2000
Voyant Technologies Sonata Conferencing vulnerability report - Local and remote vulnerabilities have been found in both the Solaris and OS/2 hosts, including reused default passwords, poor file permissions, a lack of host hardening, account enumeration, and an insecure X console.  Homepage: http://vapid.dhs.org. By Larry W. Cashdollar
openssh.forwarding.t..>03070Nov 14 21:58:43 2000
All versions of the OpenSSH ssh client prior to 2.3.0 have a vulnerability which allows malicious OpenSSH servers to turn on port forwarding even if it is disabled in the client configuration, allowing hostile servers can access your X11 display or your ssh-agent. Newest version available here.  Homepage: http://www.openssh.com.
scx-sa-08.txt03068Nov 5 15:19:00 2000
Securax Security Advisory #8 - IIS 4.0 contains a denial of service vulnerability which is similar to the unicode vulnerability. This can be fixed by installing the recent unicode patches.  Homepage: http://securax.org. By Zoa_Chien
guninski27.txt02873Nov 13 16:07:13 2000
Georgi Guninski security advisory #27 - There is a security vulnerability in IE 5.x, Outlook, and Outlook Express which allows searching for files with specific name (wildcards are allowed) or content. Combined with other local file reading vulnerabilities this allows attackers to search for and retrieve any file on a users drive. The problem is the "ixsso.query" ActiveXObject which is used to query the Indexing service and surprisingly it is marked safe for scripting. Exploit code included, demonstration available here.  Homepage: http://www.nat.bg/~joro. By Georgi Guninski
mandrake.urpmi.txt02628Nov 4 16:10:19 2000
Mandrake 7.1's /usr/bin/urpmi allows attackers to install RPM's as root if they have an account in the urpmi group and possibly physical access. By Dotslash
pollit-2.0-exploit.p..>02545Nov 9 00:19:37 2000
Poll It v2.0 CGI exploit which binds a shell to tcp port 60179. By Telehor
iXsecurity.20001107...>02372Nov 13 17:13:10 2000
iXsecurity Security Vulnerability Report - The default installation of Compaq Web-Based Management on a Netware server reveals sensitive system files to anyone who can access TCP port 2301. Allows remote users to read the remote console password. Software version 2.28 verified vulnerable. Compaq advisory available here.  Homepage: http://www.ixsecurity.com. By Ian Vitek
xrestore.c02300Nov 3 18:43:54 2000
Restore (/sbin/restore) v0.4b15 local root exploit. Tested against Redhat 6.2.  Homepage: http://www.fakehalo.org. By Vade79
lnapster_dos.c02252Dec 2 17:08:50 2000
The Linux Napster Client v0.9 through v1.4.4 contains remote denial of service vulnerabilities, including a buffer overflow.  Homepage: http://www.fakehalo.org. By Vade79
quakeworldex.txt02155Nov 6 20:48:34 2000
Quake World server for Unix v2.30 contains a buffer overflow in the rcon featurE which causes the server to crash with a segmentation fault. Proof of concept exploit included.  Homepage: http://www.Hack-X.org. By Chandler
deb_gnomehack.c02069Nov 15 18:34:21 2000
Gnomehack v1.0.5 local buffer overflow exploit which gives a egid=60 (games) shell if gnomehack is sgid (2755), tested on Debian 2.2. The same bug also affects Nethack.  Homepage: http://www.fakehalo.org. By Vade79
dump.sh01903Nov 2 01:30:54 2000
Dump v0.4b15 and below for Linux contains a trivial local root vulnerability. Includes proof of concept exploit tested on Redhat 6.2. By Mat
bsdi_inews.c01870Dec 2 16:20:52 2000
BSDI 3.0 local Inews (inn-2.2) buffer overflow exploit. Gives egid=news shell.  Homepage: http://www.fakehalo.org. By Vade79
dae_sambar44.pl01861Nov 11 17:19:43 2000
The Sambar Server v4.4 Beta 4 for Windows 95/NT is vulnerable to a remote denial of service attack due to the con/con bug. Perl proof of concept code included.  Homepage: http://www.daemon-root.da.ru. By Daemon-root
dumpx.c01850Nov 11 17:29:27 2000
Dump-0.4b15-1 local root exploit tested on Redhat 6.2. By The Itch
aim.caching.txt01654Nov 15 23:31:34 2000
AOL Instant Messenger contains a caching vulnerability where once you have logged onto AIM with a screenname, you can permanently login with that screenname. By F3d
oidldapd.c01651Dec 5 18:13:05 2000
Exploit Code for oidldapd in Oracle 8.1.6 (8ir2) for Linux. I tested in RH 6.2 and 6.1.
bsdi_filter.c01472Nov 14 14:11:32 2000
BSDI /usr/contrib/bin/filter v2.* local buffer overflow exploit. Tested on BSDI 3.0, provides a shell with GID mail.  Homepage: http://www.fakehalo.org. By Vade79
bsdi_inc.c01410Nov 29 08:56:34 2000
BSDI 3.0 /usr/contrib/mh/bin/inc local root exploit.  Homepage: http://www.fakehalo.org. By Vade79
dump-exp.sh01405Nov 2 01:31:25 2000
Dump v0.4b15 for Linux on Redhat and others contains a trivial local root vulnerability. By Fish
bsdi_sperl.c01370Dec 2 16:19:26 2000
BSDI 3.0 /usr/bin/suidperl local root exploit.  Homepage: http://www.fakehalo.org. By Vade79
bsdi_elm.c01329Nov 15 23:26:42 2000
BSDI Elm 2.4 local buffer overflow exploit. Tested on BSDI/3.0, gives a group mail shell.  Homepage: http://www.fakehalo.org. By Vade79
gbook.cgi.txt01303Nov 11 19:24:45 2000
GBook - A web site guestbook has a remote command execution vulnerability in gbook.cgi.  Homepage: http://hacksware.com. By Mat
exgsx.c01285Nov 6 20:44:51 2000
Gsx-0.90d and below contains a remote denial of service vulnerability which allows remote users to crash the GTK scour client by creating many connections.  Homepage: http://www.Hack-X.org. By Chandler
mogrify.c01193Dec 2 17:36:15 2000
/usr/X11R6/bin/mogrify local buffer overflow exploit for Redhat 7.0.  Homepage: http://w3.swi.hu/zucco/. By Zucco
new.phf.txt01087Nov 13 17:00:53 2000
An exploitable buffer overflow vulnerability has been found in phf which is unrelated to the well known bad filter problem. All versions of phf should be removed. By Proton
hpux.10.20.644.txt01073Nov 13 17:04:52 2000
HP/UX 10.20 allows any file on the filesystem to be chmodded 644. By J.A. Gutierrez
omnisux.pl01049Nov 9 15:20:12 2000
The OmniHTTPd web server v2.06 and below contains a remote denial of service vulnerability in /cgi-bin/visadmin.exe. By Philer
exchange.dos.txt01019Nov 13 16:29:10 2000
Remote denail of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service. A message containing charset = "" causes mail service to crash.  Homepage: http://www.savelev.com. By Art Savelev
cgiforum-1.0.txt0767Dec 2 21:48:21 2000
CGIForum v1.0i (cgi-bin/cgiforum.pl) allows remote users to view any file on the system via a ../.. bug. By Zorgon
hp-ux.cu.overflow.tx..>0693Nov 4 16:21:24 2000
HP-UX vB.11.00 comes with /bin/cu SUID bin, which has a buffer overflow in the -l switch. By Zorgon
tetrinet-1.13.dos.tx..>0674Nov 18 23:18:11 2000
Tetrinet v1.13 has a denial of service vulnerability which is caused by telnetting to the tetrinet port and pressing enter once, freezing the game.  Homepage: http://www.m4dskill.org.Skyrim