.:[packet storm]:.
.: Exploits for January, 2001
Some of these exploits are from Bugtraq

Sorted By: Downloads.

File Name | Downloads / File Size | Last Modified | MD5 Checksum

naptha-1.1.tgz 5371 Jan 27 01:16:18 2001 9e461df6b11c94a3409cd933dfbe9a0a
Naptha v1.1 is a denial of service attack against many OSes which uses established TCP connections to create a resource starvation attack. Includes three tools - bogusarp (makes a bogus entry in the router's ARP cache so that it actually puts packets with our faked source address on the Ethernet), synsend, and srvr (which replaces ackfin from Naptha 1.0). Tested against Windows 95, 98 and NT4 and more. Compiles on Linux 2.2.x, OpenBSD 2.7, FreeBSD 4.0. Homepage: http://razor.bindview.com. By Robert Keyes

iris-dos.c 3139 Jan 24 14:13:09 2001 644e11c8434d6546a2ada3504d491ce1
Denial of service attack against Iris The Network Traffic Analyzer beta 1.01. Causes Iris to hang when the traffic is examined. Homepage: http://www.digit-labs.org. By Grazer

tcpdump-xploit.c 6629 Jan 14 21:34:37 2001 289510d424aa0a665ee3161b20c9abab
Tcpdump v3.5.2 remote root exploit - Tested against x86 Linux. Exploits an overflow in the AFS packet parsing which requires the snaplen (-s) to be set to 500 or greater. Fixed in v3.62. Homepage: http://hispahack.ccc.de. By Zhodiac

rctab.tar.gz 3320 Jan 26 23:38:26 2001 51769f0a559e55a0fbe445c318e64d5b
Due to various race conditions in the init level editing script /sbin/rctab, it is possible for any local user to overwrite any system file with arbitrary data. This may result in a denial of service attack, or a local or even remote root compromise, if root runs the /sbin/rctab script. Tested against SuSE 7.0. By Ihaquer.

tar-symlink.txt 3183 Jan 8 15:33:23 2001 600ae24fbc5281fc8a5b4b3c636d3903
GNU tar follows symlinks blindly, a problem if you untar as root. Homepage: http://www.obit.nl. By Marco van Berkum

0101-exploits.tgz 77851 Feb 1 18:34:41 2001 529b73bf0d83aa85bfa82f9b57548e48
Packet Storm new exploits for January, 2001.

sa2001_01.txt 3874 Jan 9 00:24:47 2001 461b4b78a0613c22ce2385ec0debfced
NSFOCUS Security Advisory (SA2001-01) - The NetScreen Firewall / VPN Appliance has an overflow vulnerability in the web interface which allows remote users to crash the firewall with a large URL. All current versions of ScreenOS, including v1.73r1, 2.0r6, 2.1r3 and 2.5r1, are affected. Perl exploit included. A fix is available. Homepage: http://www.nsfocus.com. By Nsfocus Security Team

spitvt.c 7352 Jan 25 14:08:10 2001 97dcfd07f4dcf6be30fef0197b1c1ca1
SplitVT v1.6.4 and below local format string exploit which overflows the -rcfile command line flag. Tested on Slackware 7.1, Debian 2.2. Homepage: ftp://maxx.via.ecp.fr/spitvt. By Michel MaXX Kaempf

ecepass.tar.gz 2538 Jan 26 23:07:11 2001 81b9fda7f3e1e97294cd43a16f4d4c76
FreeBSD ipfw+ECE proof of concept code - Using a FreeBSD divert rule, all outgoing traffic will have the ECE flag added to it, bypassing ipfw if it passes established connections. Homepage: http://sensepost.com. By Plathond

exhpcu.c 1597 Jan 8 17:06:45 2001 41bfb9a22eefc441486dce25261ca9f9
HP-UX v11.00 /bin/cu local buffer overflow exploit - Exploits the -l option. Provides a uid=bin shell. By Zorgon

unitools.tgz 5543 Jan 24 23:21:56 2001 31eb60d9e98049816c3c0907cb176c03
Unitools.tgz contains two perl scripts - unicodeloader.pl uploads files to a vulnerable IIS site, and unicodexecute3.pl searches for additional executable directories and is more robust and stable. Homepage: http://www.sensepost.com. By Roelof W Temmingh

arpexp.c 3203 Jan 13 10:46:24 2001 9c79d0fb32487641840dd6b081e6d8fa
Solaris /usr/sbin/arp local root stack overflow exploit. Homepage: http://www.securityfocus.com. By Sor Pablo Sebastian, Dave Ahmed

glibc-resolve-tr.sh 1013 Jan 26 23:45:31 2001 4c421f7d5f1a7e40155c52fc44daa995
Glibc prior to v2.1.9x allows local users to read any file. This shell script exploits this bug using the Openssh-2.3.0p1 binary. Tested against Debian 2.3 and Redhat 7.0. By Charles Stevenson

prober.php3.tgz 4116 Nov 12 11:12:55 2001 3b84eccc265a9360ac00d4e6a518d991
This is the wuftpd 2.6.0x and qpop 2.1.4 exploit ported to PHP. Even PHP in safe mode cannot stop this script from working. Web hosting providers who offer PHP need to be careful. By Luki Rustianto

tru-64.su.c 3121 Jan 26 23:32:48 2001 3dd785c49420cd2ce460d0f2717087ad
Tru64 (OSF/1) /usr/bin/su local exploit - Works if executable stack is on. By K2

unicode_shell.pl 8023 Apr 24 16:55:07 2001 2fe5c09d88a363ca4fa10754b99b24ca
Unicode_shell.pl is an exploit for the IIS unicode bug which allows you to enter commands as if in a cmd.exe shell, and uses 20 different URLs to check for the vulnerability. By B-Root

mscreen.c 2009 Jan 26 23:36:20 2001 0d6decf4c717851249cad2b166d2b635
SCO OpenServer v5.0.5 /usr/bin/mscreen local exploit. By K2

ns-shtml.pl 2817 Jan 26 23:02:45 2001 bd9a07a89b35b15672e6de6fbc167ecf
Netscape Enterprise Server 4.0 remote root exploit - Tested against Sparc SunOS 5.7. By Fyodor

bind-tsig.c 13043 Feb 1 10:06:43 2001 cd4a8638d718185f1f26451e0817ef66
Bind-tsig.c is a trojan which pretends to be a Bind 8 exploit, but actually attacks dns1.nai.com. By Anonymous

progress-db.txt 16122 Jan 31 10:47:12 2001 d02e5d8479bbefc220465668d82b3f20
The Progress Database Server v8.x and 9.x for Unix has several locally exploitable buffer overflows which can allow arbitrary code to run as root. Proof of concept exploit attached. By Krfinisterre

defcom.imagecast.txt 2849 Jan 8 17:15:04 2001 b6325a0535100802bdaa273349db1d0a
Defcom Labs Advisory def-2001-01 - ImageCast V4.1.0 for Windows, a rapid PC deployment tool much like Ghost, has problems handling malformed input which result in a denial of service attack against the ImageCast Control Center. Homepage: http://www.defcom.com. By Defcom Labs

smr.tar.gz 5606 Jan 8 15:25:19 2001 cac3eaee702ca738d65e56d47813af1f
Redhat rpc.statdx mass exploit - scans for vulnerable hosts and implants a bindshell. By God-

defcom.websphere.txt 2041 Jan 8 17:10:01 2001 d1c60ae0b02e1129be8ae653925d8ea4
Defcom Labs Advisory def-2001-02 - IBM WebSphere 3.52 (IBM HTTP Server 1.3.12) for Windows NT has a memory leak which can be used as a remote denial of service attack. Workaround included. Homepage: http://www.defcom.com. By Defcom Labs

guninski31.txt 2004 Jan 3 16:00:57 2001 bd37b33afb22c4facab4302296179eec
Georgi Guninski security advisory #31 - There is a security vulnerability in Windows Media Player 7, exploitable through IE, which allows reading local files and executing arbitrary programs. The problem is the WMP ActiveX Control, which allows launching javascript URLs in arbitrary already open frames. This allows taking over the frame's DOM. Includes exploit code. A demonstration is available. Homepage: http://www.guninski.com. By Georgi Guninski

hk-0.1.zip 19330 Dec 18 11:20:21 2001 c304bfd8147a60c82839eaa4930b067a
Microsoft HK local exploit - Executes any command as SYSTEM, as described in MS01-003. Good for recovering lost admin rights. Includes C source and binary. Homepage: http://razor.bindview.com. By Todd Sabin

thebat.traverse.txt 3859 Jan 8 17:44:30 2001 ca77c4383a98f689f532016cfb080be4
The Bat! v1.48f and below has a client side vulnerability which allows malicious mail messages to add any files in any directory on the disk where the user stores attachments. Homepage: http://www.security.nnov.ru. By 3apa3a

thong.pl 3311 Jan 24 23:17:55 2001 d98c376f39aee68581c072f95ed01b71
Thong.pl is a perl script which exploits several vulnerabilities found in Cisco products. Includes the Cisco Catalyst ssh Protocol Mismatch dos, Cisco 675 Web Administration dos, Cisco Catalyst 3500 XL command execution, and the Cisco IOS Software HTTP Request dos. Homepage: http://hypoclear.cjb.net. By Hypoclear

whois.cgi.txt 922 Jan 5 18:07:54 2001 ea926901a6a2bcf609f547f5d7968695
Fastgraf's whois.cgi perl script lacks metacharacter checking, allowing remote users to execute arbitrary commands as the uid of the webserver. By Marco van Berkum

whois.pl 1422 Jan 12 16:24:26 2001 cab6f0b2ef5ed6f5bb75170b42fd55ac
Whois.pl is a remote exploit for Fastgraf's whois.cgi perl script. By Marco van Berkum

write.c 1420 Jan 26 23:42:20 2001 fe5dc0ffbbd4dbd5da424b640fbbdb5b
/usr/bin/write overflow proof of concept exploit - Tested against Solaris 7 x86. By Pablo Sor

xgtk.c 4055 Jan 1 23:09:39 2001 0fd07dc3c51acefce8bf0ccd612371ad
Xgtk.c is a local exploit for any set*id program which uses Gtk+ up to v1.2.8. Uses the GTK_MODULES environment variable to trick gtk into executing arbitrary commands contained in a bogus module. Homepage: http://www.realhalo.org. By Vade79