Welcome to the Exploits for December, 2000 Section.
Some of these exploits are from Bugtraq

Sorted By: Last Modified.

File Name  (Downloads, File Size, Last Modified)
0012-exploits.tgz  (0 downloads, 154662 bytes, Jan 1 2001 22:08:46)
  Packet Storm new exploits for December, 2000.
wu-ftpd-solsparc.c  (0 downloads, 8686 bytes, Jan 1 2001 22:07:40)
  Solaris Wu-ftpd wu-2.4(1) remote root exploit which uses the SITE EXEC format string vulnerability. Tuned for Solaris SPARC v2.8 with inetd. By Kalou
scx-sa-13.txt  (0 downloads, 3813 bytes, Jan 1 2001 10:19:53)
  Securax Security Advisory #13 - When someone telnets to a Unix system, the tty assigned to them is writable by any user on the system until the login completes; once logged in, the tty is no longer world-writable. Writing data to a tty that is in the middle of a login prevents that user from logging in. Includes ttywrite.c proof of concept code. Homepage: http://securax.org. By Root-dude
scx-sa-11.txt  (0 downloads, 4310 bytes, Dec 31 2000 21:45:06)
  Securax Security Advisory #11 - XFree86 version 3.3.6 is vulnerable to a remote denial of service attack over TCP port 6000. The server can freeze if sent a large volume of characters, requiring a reboot to restore normal operation. Includes Linnuke.c proof of concept code. Homepage: http://securax.org. By Root-dude
7350wu-v5.tar.gz  (0 downloads, 16229 bytes, Dec 31 2000 10:53:49)
  7350wu.c is a Wu-ftpd v2.6.0 remote root exploit which does it the proper way. Works on Linux/x86 and FreeBSD. Homepage: https://www.team-teso.net. By Scut
SEClpd.c  (0 downloads, 10961 bytes, Dec 30 2000 19:41:34)
  LPRng v3.6.24 and below remote root exploit for Linux/x86 which exploits the syslog() format string vulnerability. Tested against Red Hat 7.0. Includes the ability to brute force the offset. Homepage: http://www.netcat.it. By Netcat
hhp-expect_adv0017.t..>  (0 downloads, 6236 bytes, Dec 30 2000 19:18:48)
  Expect v5.31.8 and v5.28.1 contain local buffer overflows. It is possible to exploit any suid/sgid expect application. Homepage: http://www.hhp-programming.net. By Isox and Loophole
hhp-GnomeScott_smash..>  (0 downloads, 1588 bytes, Dec 30 2000 19:14:01)
  GnomeScott local buffer overflow which provides a gid=40 (game) shell on SuSE 6.4 and 7.0. Homepage: http://www.hhp-programming.net. By Loophole
hhp-expect_smash.c  (0 downloads, 3079 bytes, Dec 30 2000 19:10:52)
  Expect (/usr/bin/expect) v5.31.8 and v5.28.1 local buffer overflow exploit. Tested on Slackware 7.x. Advisory: hhp-expect_adv0017 (listed above). Homepage: http://www.hhp-programming.net. By Isox
hhp-gnomehack_smash...>  (0 downloads, 2397 bytes, Dec 30 2000 19:07:05)
  Gnomehack local buffer overflow exploit which provides a gid=60 (games) shell on Debian 2.2. Homepage: http://www.hhp-programming.net. By Loophole
hhp-kwintv_smash.c  (0 downloads, 2169 bytes, Dec 30 2000 19:05:35)
  Kwintv local buffer overflow exploit which provides a gid=33 (video) shell on SuSE 7.0. Homepage: http://www.hhp-programming.net. By Loophole
hhp-fancy_smash.c  (0 downloads, 1268 bytes, Dec 30 2000 19:03:24)
  Fancylogin v0.99.7 local root exploit. Tested on Red Hat 6.1. Homepage: http://www.hhp-programming.net. By Icesk
scx-sa-12.txt  (0 downloads, 6659 bytes, Dec 30 2000 17:49:04)
  Securax Security Advisory #12 - Apache 1.3.14 access_log and error_log can be altered somewhat by remote users if the site administrator reads the logs with cat or tail: request data is written to the logs unfiltered, so anything the terminal interprets is replayed on the administrator's screen. Includes proof of concept code kosheen.c which attempts to display false values in a remote site's access_log and error_log. Homepage: http://securax.org. By Incubus
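The practical defence against the scx-sa-12 class of problem is to never hand raw log bytes to a terminal. The following is an added example, not code from the Packet Storm listing, from Securax or from Apache: it rewrites every control or non-ASCII byte in a log line as a visible \xNN token and lists the ANSI escape sequences a line carries. The access_log lines are constructed, and the rule "any byte outside printable ASCII is hostile" is an assumption chosen for viewing on a terminal, not Apache's own logging policy.

```python
"""Log-viewer sanitiser for terminal escape injection (added example).

Not code from the Packet Storm listing or the Securax advisory. The sample
access_log lines are constructed; the detection rule (any byte outside
printable ASCII is suspicious) is an assumption for terminal display.
"""
import re
from typing import List

# Every byte outside printable ASCII is treated as hostile when the line is
# destined for a terminal: ESC starts ANSI sequences, CR lets a later field
# overwrite an earlier one on screen, BS erases characters, BEL ends OSC.
_UNSAFE_BYTE = re.compile(r"[^\x20-\x7e]")

# ANSI escape sequences, tried in order: CSI (ESC [ ... final byte),
# OSC (ESC ] ... BEL or ESC \), then any other ESC-prefixed pair.
_ESC_SEQ = re.compile(
    r"\x1b\[[0-9;?]*[ -/]*[@-~]"           # CSI: cursor moves, clear screen, colours
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: window title and similar
    r"|\x1b."                              # anything else ESC-prefixed
)


def sanitize_log_line(line: str) -> str:
    """Return `line` with every control or non-ASCII character rewritten as a
    literal \\xNN, so an injected clear-screen shows up as text, not as an
    action."""
    return _UNSAFE_BYTE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def find_escape_sequences(line: str) -> List[str]:
    """List the ANSI escape sequences embedded in one log line."""
    return _ESC_SEQ.findall(line)


def suspicious_lines(lines: List[str]) -> List[int]:
    """Indices of lines carrying any control byte, escape sequence or not
    (a bare CR is enough to forge what the administrator sees)."""
    return [i for i, l in enumerate(lines) if _UNSAFE_BYTE.search(l)]


# Constructed common-log-format lines. Line 0 is benign; line 1 clears the
# screen and homes the cursor when cat'ed; line 2 uses a carriage return so a
# forged entry overwrites the genuine one on the terminal.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [30/Dec/2000:17:49:04 +0100] "GET /index.html HTTP/1.0" 200 1432',
    '10.0.0.9 - - [30/Dec/2000:17:50:12 +0100] "GET /\x1b[2J\x1b[H HTTP/1.0" 404 204',
    '10.0.0.9 - - [30/Dec/2000:17:51:30 +0100] "GET /x\r10.0.0.1 - - '
    '[30/Dec/2000:17:51:30 +0100] "GET /ok HTTP/1.0" 200 10',
]

if __name__ == "__main__":
    for idx in suspicious_lines(SAMPLE_ACCESS_LOG):
        raw = SAMPLE_ACCESS_LOG[idx]
        print(idx, find_escape_sequences(raw))
        print("   ", sanitize_log_line(raw))
```

Pipe the log through sanitize_log_line (or `cat -v`, which does the same job) before reading it on a terminal; suspicious_lines is the cheap alert that something in the request stream was trying to reach the operator's screen rather than the server.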
hhp-stonx_smash.c  (0 downloads, 2828 bytes, Dec 27 2000 17:42:10)
  STonX v0.6.5 and v0.6.7 local root exploit. Tested on Slackware 7.0. Homepage: http://www.hhp-programming.net. By Loophole
xxconq.c  (0 downloads, 5050 bytes, Dec 26 2000 14:18:48)
  Linux xconq v7.4.1 local exploit - gives a gid=games shell by exploiting the -L parameter. Tested on Slackware. Homepage: http://www.fakehalo.org. By Vade79
obsd-ftpd.c  (0 downloads, 20337 bytes, Dec 23 2000 21:59:47)
  OpenBSD v2.6 and 2.7 ftpd remote root exploit. Homepage: http://www.synnergy.net. By Scrippie
identdDoS.c  (0 downloads, 2149 bytes, Dec 23 2000 18:19:41)
  SuSE identd remote denial of service attack - uses a long string to set a pointer to NULL. By Root-Dude
catman-race.txt  (0 downloads, 4718 bytes, Dec 23 2000 15:07:23)
  Solaris 2.7/2.8 /usr/bin/catman allows local users to clobber root owned files by symlinking its temporary files. Includes catman-race.pl and ctman-race2.pl for proof of concept. Homepage: http://vapid.betteros.org. By Larry W. Cashdollar
bindview.naptha.txt  (0 downloads, 23509 bytes, Dec 21 2000 22:32:04)
  The NAPTHA DoS vulnerabilities (Revised Edition - Dec 18) - The NAPTHA vulnerabilities are weaknesses in the way that TCP/IP stacks and network applications handle the state of a TCP connection, which a remote attacker can use to exhaust a host's resources. Homepage: http://razor.bindview.com.
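A host under a NAPTHA-style attack shows up in netstat as one peer parked on many sockets in states a well-behaved client leaves quickly. The census below is an added example, not from the BindView paper or the listing: it parses `netstat -ant` rows, counts connection states per remote address, and flags peers holding more than a threshold of transient-state connections. The netstat lines are constructed, and both the threshold and the set of states considered transient are assumptions to tune for the host being watched.

```python
"""Per-peer TCP state census from netstat output (added example).

Not code from the BindView NAPTHA paper or the Packet Storm listing. The
netstat rows below are constructed; the threshold and the TRANSIENT set are
assumptions to be tuned for the host.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# One row of Linux `netstat -ant`: proto recv-q send-q local remote state
_ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)$")

# States a legitimate peer occupies only briefly. A peer sitting in them on
# many sockets is either broken or deliberately holding our state hostage.
TRANSIENT = {"SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT",
             "LAST_ACK", "CLOSING", "TIME_WAIT"}

Conn = Tuple[str, str, str, str]  # proto, local, remote, state


def parse_netstat(lines: List[str]) -> List[Conn]:
    """Keep only rows that look like TCP sockets; headers are skipped."""
    out = []
    for line in lines:
        m = _ROW.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def peer_ip(addr: str) -> str:
    """Strip the port from 'ip:port' (works for 'ip:*' on LISTEN rows too)."""
    return addr.rsplit(":", 1)[0]


def state_census(conns: List[Conn]) -> Dict[str, Counter]:
    """remote IP -> Counter of TCP states it currently holds against us."""
    census: Dict[str, Counter] = defaultdict(Counter)
    for _proto, _local, remote, state in conns:
        census[peer_ip(remote)][state] += 1
    return census


def naptha_suspects(conns: List[Conn], threshold: int = 20) -> Dict[str, int]:
    """Remote IPs holding at least `threshold` connections in transient states."""
    flagged = {}
    for ip, states in state_census(conns).items():
        held = sum(n for s, n in states.items() if s in TRANSIENT)
        if held >= threshold:
            flagged[ip] = held
    return flagged


# Constructed snapshot: a listener, two healthy sessions, and one peer that
# has left thirty SMTP connections half-closed in FIN_WAIT1.
SAMPLE_NETSTAT = [
    "Active Internet connections (servers and established)",
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    "tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN",
    "tcp        0      0 10.0.0.2:25             10.0.0.10:33002         ESTABLISHED",
    "tcp        0      0 10.0.0.2:22             10.0.0.11:51200         ESTABLISHED",
] + [
    "tcp        0      0 10.0.0.2:25             10.0.0.77:%d           FIN_WAIT1"
    % (40000 + i) for i in range(30)
]

if __name__ == "__main__":
    print(naptha_suspects(parse_netstat(SAMPLE_NETSTAT)))
```

On a live host, feed the function the output of `netstat -ant` (or `ss -tan`, after adjusting the state names) from cron; a single peer crossing the threshold is the signal to rate-limit or drop that address at the firewall while the stack's own timers catch up.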
sonata-teleconf-2.tx..>  (0 downloads, 2220 bytes, Dec 21 2000 22:11:46)
  Voyant Technologies Sonata Conferencing Software v3.x on Solaris 2.x ships with the setuid binary doroot, which executes any command as root. Homepage: http://vapid.betteros.org. By Larry W. Cashdollar
omnihttpdex.c  (0 downloads, 2424 bytes, Dec 21 2000 22:06:18)
  Omni httpd v2.07 and below remote denial of service exploit. Combines a shell script by sirius of buffer0vefl0w security with a Bugtraq report from Valentin Perelogin. Homepage: http://www.Hack-X.org. By Kilrid
ksh.temp-hole.txt  (0 downloads, 914 bytes, Dec 21 2000 21:08:04)
  The Korn Shell (ksh) uses temp files in an insecure manner. Demonstration included. Homepage: http://www.maths.usyd.edu.au:8000/u/psz. By Paul Szabo
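Both catman-race.txt and ksh.temp-hole.txt above are the same bug: a privileged program opens a temporary file whose name another user can predict, so a symlink planted at that name redirects the write. The following is an added example, not code from catman, ksh or the listing: it stages the race in a scratch directory as an unprivileged user, shows the vulnerable open() pattern clobbering the "victim" file through the link, and shows that O_CREAT|O_EXCL (plus O_NOFOLLOW where available) refuses the same open. The file names and contents are constructed.

```python
"""Symlink race on a predictable temporary file (added example).

Not code from catman, ksh or the Packet Storm listing. The victim file, the
predictable temp name and the scratch directory are constructed so that the
race can be staged without privileges.
"""
import errno
import os
import shutil
import tempfile


def unsafe_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: fixed name, O_CREAT without O_EXCL. If an attacker
    has already placed a symlink at `path`, the kernel follows it and the
    data lands in whatever file the link points at."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def safe_write(path: str, data: bytes) -> None:
    """O_EXCL makes open() fail with EEXIST if anything, symlink included,
    already sits at `path`; O_NOFOLLOW (on platforms that have it) also
    refuses to follow a link at the final path component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Stage the race and report what each open() did to the victim file."""
    root = tempfile.mkdtemp(prefix="race-")
    try:
        victim = os.path.join(root, "victim.conf")      # stands in for a root-owned file
        with open(victim, "wb") as f:
            f.write(b"original\n")
        predictable = os.path.join(root, "catman.tmp")  # the name the program will use
        os.symlink(victim, predictable)                 # attacker wins the race

        unsafe_write(predictable, b"clobbered\n")       # follows the link
        with open(victim, "rb") as f:
            after_unsafe = f.read()

        try:
            safe_write(predictable, b"must not land\n")
            blocked = None
        except OSError as e:                            # EEXIST on Linux/*BSD
            blocked = errno.errorcode.get(e.errno, str(e.errno))
        with open(victim, "rb") as f:
            after_safe = f.read()

        # The real fix: let the library pick an unpredictable name with O_EXCL.
        fd, picked = tempfile.mkstemp(dir=root)
        os.write(fd, b"fine\n")
        os.close(fd)
        return {
            "after_unsafe": after_unsafe,
            "safe_blocked": blocked,
            "after_safe": after_safe,
            "mkstemp_in_root": os.path.dirname(picked) == root,
            "mkstemp_unpredictable": os.path.basename(picked) != "catman.tmp",
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In shell scripts the equivalent of the safe path is `mktemp` rather than `$TMPDIR/name.$$`; in C it is mkstemp(3) or open(2) with O_CREAT|O_EXCL, checking the return value rather than assuming the file is fresh.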
interchange.txt  (0 downloads, 1527 bytes, Dec 21 2000 21:05:14)
  Infinite InterChange is a Win95/98/NT/2k mail server with a remote denial of service vulnerability: it can be crashed via a malformed POST request. Fixed in Infinite InterChange v3.61. By SNS Research
rpc-everythingform.t..>  (0 downloads, 914 bytes, Dec 18 2000 18:43:45)
  everythingform.cgi uses a hidden field "config" to determine where to read configuration data from, which allows remote attackers to execute commands. Exploit URLs included. By RPC
xitetris.c  (0 downloads, 4386 bytes, Dec 18 2000 18:24:51)
  Itetris v1.6.2 local root exploit - exploits a vulnerable system() call. Homepage: http://www.fakehalo.org. By Vade79
7350nxt-v3.tar.gz  (0 downloads, 8729 bytes, Dec 18 2000 18:16:52)
  Exploit for the BIND NXT remote root vulnerability, which affects BIND v8.2 - 8.2.1. Compiles on Linux; tested against IRIX, BSD, and Linux. Includes IRIX shellcode for breaking chroot. Homepage: https://www.team-teso.net.
7350oftpd.tar.gz  (0 downloads, 7127 bytes, Dec 18 2000 18:05:22)
  OpenBSD ftpd v2.4_BASE through 2.8 remote root exploit. Includes offsets for v2.6 through v2.8 and instructions for finding offsets for other versions. Requires a writable directory. Homepage: https://www.team-teso.net. By Caddis
xckermit.c  (0 downloads, 4671 bytes, Dec 18 2000 17:49:52)
  C-Kermit v7.0 local buffer overflow exploit for Linux/x86. Not setuid by default, but often installed setuid. Homepage: http://www.fakehalo.org. By Vade79
xsold.c  (0 downloads, 1544 bytes, Dec 15 2000 17:25:26)
  Linux Xsoldier local root buffer overflow exploit. Overflows the -display command line option. Homepage: http://www.nightbird.free.fr. By Zorgon
rdC-LPRng.c  (0 downloads, 10325 bytes, Dec 15 2000 15:08:48)
  LPRng v3.6.24 and below remote root exploit for Linux/x86 which exploits the syslog() format string vulnerability. Tested against the default install of Red Hat 7.0 (LPRng-3.6.24-1) and LPRng-3.6.22-1 installed on Slackware 7.0. Homepage: http://www.rdcrew.com.ar. By Venomous
killntoe.c  (0 downloads, 3567 bytes, Dec 14 2000 18:08:00)
  Nettoe v1.0.5 denial of service attack - causes the Nettoe server to use all available CPU cycles and lock the game. Homepage: http://www.fakehalo.org. By Vade79
sa_09.txt  (0 downloads, 3682 bytes, Dec 14 2000 18:03:16)
  NSFOCUS Security Advisory (SA2000-09) - EZshopper v2.0 and v3.0 from AHG contain remote CGI vulnerabilities which allow an attacker to obtain directory listings and sensitive file contents. Exploit URLs included. Homepage: http://www.nsfocus.com.
mon_pine.sh  (0 downloads, 2464 bytes, Dec 11 2000 16:19:53)
  Pine v4.30 and below allows outgoing mail to be hijacked if the alternate editor is enabled. Exploit script included. Homepage: http://hacksware.com. By Mat
apcupsdos.c  (0 downloads, 3492 bytes, Dec 11 2000 16:10:19)
  Apcupsd v3.7.2 local denial of service attack. Can kill any running daemon. By The Itch
shop.pl.txt  (0 downloads, 721 bytes, Dec 11 2000 16:08:09)
  Hassan Consulting's Shopping Cart version 1.x (cgi-bin/shop.pl) contains remote vulnerabilities, including directory traversal with file read ability, file listing, and path disclosure. Exploit URLs included. By Dotslash
scx-sa-10.txt  (0 downloads, 4490 bytes, Dec 8 2000 01:16:16)
  Securax Security Advisory #10 - The WatchGuard SOHO Firewall is a small personal hardware firewall used for xDSL, ISDN and cable connections. Local and remote users can crash the WatchGuard SOHO Firewall using multiple GET requests to its web server. Perl exploit included. The attack will not show up in the logfile except for a reboot notice. Homepage: http://securax.org. By Vorlon
PhoneBook.c  (0 downloads, 3048 bytes, Dec 8 2000 00:56:44)
  Microsoft Phonebook Server remote exploit - tests for the pbserver.dll buffer overflow. By David Litchfield
CSA-200012.txt  (0 downloads, 1737 bytes, Dec 7 2000 11:04:37)
  CHINANSL Security Advisory (CSA-200012) - Ultraseek Server 3.0 vulnerability allows malicious users to see the full pathnames of server add-ons. Homepage: http://www.chinansl.com.
bf-code.c  (0 downloads, 1530 bytes, Dec 7 2000 10:57:37)
  Bftpd 1.0.12 contains a remote buffer overflow. Denial of service exploit included. Homepage: http://www.pkcrew.org. By Asynchro
SRADV00007.txt  (0 downloads, 2247 bytes, Dec 6 2000 22:14:11)
  Secure Reality Pty Ltd. Security Advisory #7 - MarkVision is a printer administration package from Lexmark. Versions prior to v4.4 contain local root buffer overflow vulnerabilities. Fix available. Homepage: http://www.securereality.com.au. By Secure Reality
SRADV00006.txt  (0 downloads, 5249 bytes, Dec 6 2000 22:04:06)
  Secure Reality Pty Ltd. Security Advisory #6 - phpGroupWare is a multi-user web based groupware suite written in PHP. Versions below 0.9.7 under Unix make insecure calls to PHP's include() function, which can allow the inclusion of remote files and thereby the execution of arbitrary commands on the remote web server with the permissions of the web server user, usually 'nobody'. Fix available. Homepage: http://www.securereality.com.au. By Secure Reality
SRADV00005.txt  (0 downloads, 3247 bytes, Dec 6 2000 21:59:56)
  Secure Reality Pty Ltd. Security Advisory #5 - All 3.x versions of MailMan Webmail below v3.0.26 contain remote command execution vulnerabilities. The code contains several insecure calls to open() containing user specified data. These calls can be used to execute commands on the remote server with the permissions of the user that runs CGI scripts, usually the web server user, which is in most cases 'nobody'. Fix available. Homepage: http://www.securereality.com.au. By Secure Reality
xlockfmt.c  (0 downloads, 8579 bytes, Dec 5 2000 18:09:09)
  Xlock local format string exploit for Linux/x86. Tested on Slackware 7.1 and Red Hat 6.2. By Ben Williams
hp-pppd.c  (0 downloads, 2362 bytes, Dec 5 2000 18:07:07)
  HP-UX v11.0 /usr/bin/pppd local root buffer overflow exploit. By K2
ypbind.tgz  (0 downloads, 16159 bytes, Dec 5 2000 18:05:41)
  Linux/x86 remote root exploit for ypbind (ypbind-mt). Tested against Red Hat 7, SuSE 6.x, and Debian. By Digit
phpxpl.c  (0 downloads, 9439 bytes, Dec 5 2000 17:44:57)
  PHP 3.0.16/4.0.2 remote root format string exploit for Linux/x86. Tested against Slackware 7.0 and Red Hat 6.0. By gneisenau@berlin.com
Securax-SA-09.serv-u  (0 downloads, 4676 bytes, Dec 5 2000 15:36:23)
  Securax Security Advisory Securax-SA-09 - The Serv-U FTP server for Windows v2.4a, 2.5h, and 3.0b (all versions tested) has vulnerabilities stemming from improper handling of hex encoded characters in FTP commands. The server will reveal the full path to the ftproot, allow read/write/execute/list access to any other file on the partition, and allow listing of all hidden files. Fix available. Homepage: http://www.securax.org. By Zoa_Chien
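The Serv-U entry above and the shop.pl directory traversal earlier in the list share one root cause: the server checks the path it was sent, then decodes it, so "%2e%2e" passes the check and becomes ".." afterwards. The following is an added example, not code from Serv-U, shop.pl or the listing: it shows the naive check being bypassed, then a confinement routine that decodes first (bounded, so double-encoding cannot hide a second layer), normalises, and only then decides whether the result is still under the document root. The root and request paths are constructed and handled with posixpath, so nothing touches the real filesystem; treating a leading "/" as relative to the root is a design choice made here, not the behaviour of either product.

```python
"""Percent-decoding and path confinement for an FTP/CGI root (added example).

Not code from Serv-U, shop.pl or the Packet Storm listing. The root and
request strings are constructed; posixpath is used so the check is pure
string work and runs anywhere.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote


def naive_traversal_check(raw: str) -> bool:
    """The pattern the advisories describe: inspect the raw string, decode
    later. '%2e%2e' sails through because the check never sees the dots."""
    return ".." not in raw


def decode_fully(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, with a bound so a
    pathological input cannot loop forever. Handles %252e (double encoding)."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    return cur


def confine(root: str, request: str) -> Optional[str]:
    """Return the absolute path under `root` that `request` resolves to, or
    None if it escapes the root or carries a NUL.

    Order matters: decode, then normalise, then compare. A leading '/' or
    backslash is treated as 'relative to the root' (assumption), never as
    an absolute path on the host.
    """
    path = decode_fully(request).replace("\\", "/")
    if "\x00" in path:                      # C-string truncation trick
        return None
    path = path.lstrip("/")
    root_norm = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root_norm, path))
    if resolved != root_norm and not resolved.startswith(root_norm + "/"):
        return None
    return resolved


if __name__ == "__main__":
    root = "/var/ftp"
    for req in ("pub/readme.txt", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd",
                "pub/%2e%2e/file.txt", "pub/x%00.txt"):
        print("%-28s naive=%-5s confine=%s"
              % (req, naive_traversal_check(req), confine(root, req)))
```

On a real server the string check is only half the job: after confine() accepts a path, open it relative to the root with symlinks refused (realpath and compare, or openat with O_NOFOLLOW), since a link inside the tree can still point outside it.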
wingate.c  (0 downloads, 3065 bytes, Dec 3 2000 21:01:57)
  WinGate 4.01 remote denial of service attack - opens multiple connections and sends large amounts of MSG_OOB data, causing an "Out of buffers" error. By God-
sqladv-poc.c  (0 downloads, 9908 bytes, Dec 2 2000 21:15:31)
  Microsoft SQL Server extended stored procedure remote proof of concept exploit. Affects MS SQL Server 7.0 and MS SQL Server 2000 on Windows NT 4.0 / 2000. Homepage: http://www.atstake.com.
sqladv2-poc.c  (0 downloads, 3076 bytes, Dec 2 2000 21:09:46)
  SQL2KOverflow.c - creates a file called 'SQL2KOverflow.txt' in the root of the C: drive. Requires a SQL username and password. Homepage: http://www.atstake.com.
xitami-2.5b4.txt  (0 downloads, 7951 bytes, Dec 2 2000 17:47:41)
  Xitami Web/FTP Server for Windows 95/98/NT/2k v2.5b4 has remote vulnerabilities which allow users to view sensitive system information via testcgi.exe. Passwords are stored in plain text. Denial of service is possible. Homepage: http://www.nssolution.net. By Zerologic