.:[packet storm]:. ArchivesForums

about | forums | assessment | defense | papers | magazines | miscellaneous | links

To change sort order, click on the category. Sorted By: File Size.
.: 0209-exploits
File Name File Size Last Modified MD5 Checksum
0209-exploits.tgz4528261Oct 9 17:57:49 2002d61e47de2cd35e4a4c6debc4aecef9d2
Packet Storm new exploits for September, 2002.
ssh3.tar.gz2241217Sep 6 17:30:02 2002abf180ace6bd404efc6c00127e6d5213
Ssh3.tar.gz is a LPRng, Named, FTPD, SSHD, RPC and Telnetd mass scanner/rooter. By Daddy_cad
massrooter.tar.gz1505102Sep 6 17:33:48 20027b5a9c6d711c0796b6a85aa94c7a1f52
Massrooter takes advantage of vulnerabilities in bind, lpd, rpc, wuftpd, telnet, mail, ssl, and ssh on multiple systems. By Daddy_cad
wuscan.tgz183110Sep 6 17:32:43 2002eb2b86497f9b9f51773beea85d15123a
Wu-ftpd 2.6.1 mass rooter / scanner. By Daddy_cad
SSL-scan.tar.gz115124Sep 29 23:26:14 200277c9e8f827451addb1ba3c347d35e4c8
Apache + OpenSSL v0.9.6d and below exploit for FreeBSD. Tested on FreeBSD 4.4-STABLE, FreeBSD 4.4-RELEASE, FreeBSD 4.5-RELEASE, and FreeBSD 4.6-RELEASE-p1 with Apache-1.3.26 and Apache-1.3.19. Modified to brute force the offset from openssl-too-open.c. Includes scanners. WARNING: The binaries in this archive are infected with the ELF_GMON.A virus which sets up a backdoor on UDP port 3049. Updated by CrZ and Ech0.
apscan2.tgz94609Sep 29 23:37:40 2002f56c7c14685cd643a637f60e42497615
Apache OpenSSL v0.9.6d mass scanner. When a vulnerable server is found code is launched. Includes targets for Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.26, 1.3.23, and 1.3.14. Includes openssl-too-open binary. By Nebunu
bugtraqworm.tgz87726Sep 16 10:19:29 2002fc2a65953a4b98971888d9b5df4d1c53
Linux Slapper Worm - This file contains the binaries and source code for the current Apache worm which affects multiple versions of Linux. It exploits an OpenSSL buffer overflow to run a shell on the remote system and also contains the ability to perform a DDoS attack. These files were found in the wild from machines that had been compromised.
SQLTools.rar85807Sep 5 23:05:17 2002efeeb8be77d011e25f8dc1cfb38fa77e
SQLTools is a collection of tools for auditing MSSQL servers including SQLScanner,SQLPing, SQLCracker, SQLDOSStorm, and SQLOverflowDos. By Refdom
aspcode.c45626Sep 2 17:38:42 2002921d412df9cff8fa94e2aaff0a650ce3
Aspcode.c is an IIS v4.0, 5.0 5.1 asp.dll buffer overflow exploit for Windows. By Yuange
cgitelnet.pdf45271Sep 2 08:35:23 2002cb3d0aa2678e9486c390c0e477aa0e01
CGI-Telnet 1.0, a cgi telnet script that runs on various Unix and NT webservers has vulnerabilities which can be manipulated into giving a user access. The password file is accessible in the web path and passwords are kept DES encrypted.  Homepage: http://neoerudition.net. By Lawrence Lavigne
targets.31934692Sep 11 07:31:01 2002d6d6df1179ca1c74160efd5cdeb5b0c0
List of targets for the x2 remote crc32 ssh exploit which contains 319 entries.
openssl-bsd.c29820Sep 30 02:24:51 200293c74bbed4fa5628590f8a08cc6a569d
Apache + OpenSSL v0.9.6d and below exploit for FreeBSD. Tested on FreeBSD 4.4-STABLE, FreeBSD 4.4-RELEASE, FreeBSD 4.5-RELEASE, and FreeBSD 4.6-RELEASE-p1 with Apache-1.3.26 and Apache-1.3.19. Modified to brute force the offset from openssl-too-open.c. Updated by CrZ, Ech0, and ysbadaddn.
SQLScan.zip24788Sep 4 22:07:41 20026e80ac480a5081c6d7b2b7381a02f471
SQLScan v1.0 is intended to run against Microsoft SQL Server and attempts to connect directly to port 1433. Features the ability to scan one host or an IP list from an input file, the ability to scan for one SQL account password or multiple passwords from a dictionary file, and the ability to create an administrative NT backdoor account on vulnerable hosts, which will fail if xp_cmdshell is disabled on the server. By NTSleuth
apache-ssl-bug.c19418Sep 25 14:58:21 20021be047c32ae0e2d1d8930d2ce4c4f7cc
This exploit abuses the KEY_ARG buffer overflow that exists in SSL enabled Apache web servers that are compiled with OpenSSL versions prior to 0.9.6e. The apache-ssl-bug.c exploit is based on the Slapper worm (bugtraq.c), which is based on a early version of the apache-open-ssl exploit. By Andy.
openssl-too-open.tar..>18396Sep 17 06:49:52 20026c37282f541f13add85e5b2b76e3678e
OpenSSL v0.9.6d and below remote exploit for Apache/mod_ssl servers which takes advantage of the KEY_ARG overflow. Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner which is more reliable than the RUS-CERT scanner and a detailed vulnerability analysis.  Homepage: http://phreedom.org. By Solar Eclipse
apache-linux.txt18138Sep 18 23:39:21 20026c13247823eb45dd5c16db33f5077072
Apache OpenSSL handshake exploit for Linux/x86, from a circulating Apache worm. Spawns a nobody shell on tcp port 30464. Includes targets for most recent distributions. By Nebunu
smbkillah.c16004Sep 4 15:54:35 20026fd9ace29c75dceb75b2523f9af18d4f
Smbkillah.c exploits the SMB death bug in the WinXX OS. By b0uNtYkI113r
pirch98.zip15901Sep 5 00:14:24 20024828fff9ebe60b2e0057cb601748011c
Pirch98 irc client contains a buffer overflow which can allow remote code execution in the way that pirch 98 handles links to other channels and websites. The Pirch98 client now shipping at www.pirch.com has been fixed. Includes ASM source and Windows binary for an exploit which opens a shell on port 31337. By Vecna
unishell.pl10904Oct 21 23:58:42 2002b31f98e1ede92b439df11826c886cdd8
Unicode IIS exploit in perl. Tries 20 ways. By Pakk.
free-apache.txt9102Sep 18 23:34:19 2002c951622daa65e39d1df562c2219acecc
FreeBSD Apache exploit based on apache-worm.c. Affects FreeBSD 4.5 Apache 1.3.20-24. Sends a nobody shell to TCP port 30464. This is a fixed version - Prior versions were broken. By Nebunu
bakkum.c8137Sep 23 07:24:48 200288f53e3ca0b89baf95643a18cb9584bb
Remote root exploit for Linux systems running Null httpd 0.5.0. Tested to work against Red Hat Linux 7.3.  Homepage: http://www.netric.org. By eSDee
ohMy-another-efs.c7612Sep 20 11:11:34 2002c20b9e3e46a310536130a5d004e7bfff
Efstool local root exploit which works against Redhat 7.3.  Homepage: http://www.daforest.org/~j0ker/index.html . By Joker
scalpel.c7175Nov 30 12:24:01 2002dcffeb448888592287ff24ca6be0c617
Local apache/PHP root exploit via libmm (apache-user -> root) temp race exploit. Spawns a root shell from the apache user.  Homepage: http://www.team-teso.net. By Sebastian Krahmer
efstool.txt6573Sep 12 15:27:30 2002044dc4da250fc55be975c7fb9c557d87
Efstool local root exploit. A condition has been found in efstool which is shipped with Redhat and Slackware linux (and possibly other distributions) which, given the right environment, root privileges can be gained. Full research provided.  Homepage: http://www.soldierx.com. By ntfx
trillian-ini-decrypt..>5538Sep 9 21:53:31 20028f33c678cbd7adb091aaa4b1764a89ce
Trillian, a popular utility used in conjunction with various Instant Messaging like ICQ, AIM, MSN Messenger, etc, stores a User's password utilizing a simple XOR with a key that is uniform throughout every installation. This utility decrypts all related .INI files displaying a list of usernames, "encrypted" passwords, and plain text passwords. By Evan Nemerson
idefense.smrsh.txt5421Oct 1 23:17:32 20026b1f79ee66a3ac3df14ff5df61ce1de7
DEFENSE Security Advisory 10.01.2002 - It is possible for an attacker to bypass the restrictions imposed by The Sendmail Consortium's Restricted Shell (SMRSH) and execute a binary of his choosing by inserting a special character sequence into his .forward file. Two attack methods both of which are detailed. Patch available here.  Homepage: http://www.idefense.com. By David Endler, Zen-Parse, and Pedram Amini
phpcrlf.txt4861Sep 10 21:25:52 2002fb701d51ad9b8b40f4146b525decc01a
fopen(), file() and other functions in PHP have a vulnerability that makes it possible to add extra HTTP headers to HTTP queries. Attackers may use it to escape certain restrictions, like what host to access on a web server. In some cases, this vulnerability even opens up for arbitrary net connections, turning some PHP scripts into proxies and open mail relays. By Ulf Harnhammar
gm010-ie4712Sep 10 23:20:53 20020a3d976bfa8b7f03c04ae3576b7fb110
GreyMagic Security Advisory GM#010-IE - Microsoft Internet Explorer 5.5 and above are vulnerable to an attacker who can execute scripts on any page that contains frame or iframe elements, ignoring any protocol or domain restriction set forth by Internet Explorer. This means that an attacker can steal cookies from almost any site, access and change content in sites and in most cases also read local files and execute arbitrary programs on the client's machine. Note that any other application that uses Internet Explorer's engine is also affected.  Homepage: http://sec.greymagic.com/adv/gm010-ie/.
trillident.c4665Sep 21 00:35:05 200273cffa14787d80bf5655dc7c2ecb1125
Exploit for the PRIVMESG remote denial of service vulnerability that exists in Trillian v.73 and .74 which sends an overflow in the ident connection. Compiles on Unix based OS's. By Netmask
lconfmdk.c4215Sep 17 04:39:57 20020d6dda171bc76298526af8422229e9cb
Linuxconf local root exploit for Mandrake 8.2. By Priest.
vbull.c4075Sep 24 22:53:47 20020569a0851a81caa5f67a940a3af6fe2d
Vbulletin/calender.php remote command execution exploit. By Gosper
scrollkeeper.txt3668Sep 3 23:02:08 200250e765c00289c2db6b2c1e3233a003bc
A vulnerability exists in the insecure creation of files in /tmp by Scrollkeeper versions 0.3.4 and 0.3.11. Proof of concept exploit included. By Spybreak
openbsd-select-bug.t..>3560Sep 29 03:11:35 200211b34ff9c52e9241262598028265afec
Research on the recent OpenBSD select() bug and its possible exploitation. Includes a local denial of service exploit which was tested on OpenBSD v2.6 - 3.1.  Homepage: http://www.drugphish.ch. By Sec
nslconf.c3381Sep 29 21:53:41 2002d7351358fc20587891f1f8c16b558242
Linuxconf v1.28r3 and below local exploit which uses the ptrace method to find the offset. Tested on Mandrake 8.0 and 8.2, and Redhat 7.2 and 7.3.  Homepage: http://www.netsearch-ezine.com. By Raise
idefense.libkvm.txt3351Sep 17 05:29:59 2002b728af73087e744934fdfbbea052f689
iDEFENSE Security Advisory 09.16.2002 - The FreeBSD ports asmon, ascpu, bubblemon, wmmon, and wmnet2 can be locally manipulated to take advantage of open file descriptors /dev/mem and /dev/kmem to gain root privileges on a target host. These five programs are installed setgid kmem by default. Exploit information included.  Homepage: http://www.idefense.com. By David Endler and Jaguar
guardadv.db4web.txt3215Sep 21 01:09:06 200264d4d5f90284d5f5e2d2bb4d52fe728f
Guardeonic Solutions Security Advisory #01-2002 - The DB4Web Application Server for Linux, Unix, and Windows can be accessed with malicious URLs allowing users to download any readable file on the server. Exploit URL's included.  Homepage: http://www.guardeonic.com. By Stefan Bagdohn
pwck_exp.c3099Sep 4 22:30:36 20025bf12aa6da163e5d29f5c86199ba3290
Pwck local linux buffer overflow exploit. By default /usr/sbin/pwck is not setuid, if +s pwck bingo #. Tested on Mandrake 8.2. By Tacettin
ES-cisco-vpn.c3087Sep 19 05:07:14 2002a2c3a57714a738b22361ec246558f0da
Cisco VPN 5000 Linux client version 5.1.5 local root exploit that uses the close_tunnel binary. By ElectronicSouls
autolinuxconf.tgz2880Sep 11 07:05:00 2002835c256e407b88f79f3720a9d406f353
Autolinuxconf.tgz is an improved exploit for linuxconf <= 1.28r3 which has been found to work on Mandrake 8.1 and 8.2 and Redhat 7.2 and 7.3.  Homepage: http://www.myseq.com. By Syscalls
TRU64_nlspath2859Sep 10 22:27:31 2002dee2152324a9cc4b106b58e6c131dfef
Proof of concept local root exploit written in Perl for NLSPATH overflow on the HP/Compaq Tru64 Operating System. HP/Compaq advisory and patches available Here.  Homepage: http://www.snosoft.com. By stripey
SurfinGate.txt2471Sep 4 23:59:30 20021458603dc6c13802ef082062b929b537
The Finjan SurfinGate 6.0x on Windows NT 4.0 and 2000 can be bypassed by using IP addresses instead of hostnames or by adding a dot to the end of hostnames.  Homepage: http://www.computec.ch. By Marc Ruef
idefense.dinoweb.txt2429Sep 23 21:27:17 2002c2e5dd5d49683b918059438a2f7d405a
iDEFENSE Security Advisory 09.23.2002 - A vulnerability exists in the latest version of the Dino Webserver that can allow an attacker to view and retrieve any file on the system.  Homepage: http://www.idefense.com. By David Endler
Trillian-Privmsg.c2377Sep 20 07:32:58 2002b8200c45f1819c16c6c76345ee427d53
Exploit for the PRIVMESG DoS that exists in several Trillian versions. This code, which emulates an IRC server, should work against Trillian version 0.73 and 0.74. Compiles on Windows - Tested with Borland 5.5 Commandline Tools. By Lance Fitz-Herbert
pwck_expl.c2212Sep 16 20:38:42 2002e75c0f9d4f3f94b01dfe8ec10f582fa4
Pwck local exploit for Redhat 7.2. /usr/sbin/pwck must be -rwsr-sr-x to give a root shell. By Klep
afd-expl.c2205Sep 5 21:33:42 2002f273a2abf33bbe40cc716f3cc0cc09a5
AFD v1.2.14 local root heap overflow exploit. Includes offset for Redhat 7.3 and instructions for finding offsets.  Homepage: http://www.netric.org. By eSDee
TRU64_xkb2175Sep 10 22:38:22 2002b7d1b4f1d2f36cd4d8925080798e18fd
Proof of concept local root exploit for _XKB_CHARSET on the HP/Compaq Tru64 Operating System. HP/Compaq advisory and patches available Here.  Homepage: http://www.snosoft.com. By stripey
sws_web_killer.c2157Sep 2 09:32:39 2002b4f2224f7060b64ce3e013d5f258a859
Proof of Concept Exploit for SWS Web Server v0.1.0. The SWS web server will re-spawn its process every time it receives a string without a linebreak. Tested on: Slackware 8.1 and Redhat 7.0. By SaMaN
upb.admin.txt2155Sep 5 22:47:23 2002b062b12a3b4fcbc8784d6ef88b87722a
Ultimate PHP Board (UPB) prior to Public Beta v1.0b allows users to gain admin access. Exploit information included.  Homepage: http://www.hackeri.org. By Hipik
alsaplayer-suid.c2104Sep 23 07:49:29 2002d3864c1d3454e61a8246fa4e1966ac8f
AlsaPlayer contains a buffer overflow that can be used for privileges elevation when this program is setuid. Tested on Red Hat 7.3 linux with alsaplayer-devel-0.99.71-1 . The overflow has been fixed in AlsaPlayer 0.99.71. By zillion By KF
zyxbrut.c.orig2066Dec 14 06:27:54 2002aa0507fb1ed8677a43d8e629ad4d5380
sorry, a description is unavailable.
zyxbrut.c2065Dec 14 06:28:02 20025f844ffa9b55b1b76815a74672ea8085
Zyxbrut.c is a brute force program written for the ZyXel router telnet service. By BetaFly Computer Team
k3.c1985Sep 19 02:33:53 2002a91745fde8b472e0455ff81b929e63c3
k3.c is a Linux proof of concept exploit for a buffer overflow vulnerability that exists in the atftp client version 0.5 and 0.6.  Homepage: http://www.netric.org By sacrine.
woltlab.txt1959Sep 10 23:30:05 2002f6e418e576a98c54acfc3e3af0967bb9
Woltlab Burning Board 2.0 RC 1 has a vulnerability that allows any user (even guests, depending on the configuration) to compromise every other account due to a variable containing unchecked user input in board.php, which can be used for a sql injection attack. By Cano2
linuxconf.c1917Sep 2 09:07:09 20029e3fb1c2aba9c8f13a8b0068713b3667
Proof of Concept exploit for the local buffer overflow vulnerability existing in linuxconf v1.28r3 and below which allows users to spawn a root shell. Tested on RedHat 7.0 with linuxconf 1.25r3. By Jin Yean Tan
cisco-vpn-5000-lnx.c1848Sep 19 05:02:03 20027943a0a865858b090e32ef6d43864ca5
This exploit abuses a local buffer overflow in the Cisco VPN 5000 Linux client v5.1.5 close_tunnel binary to spawn a root shell.  Homepage: http://www.safemode.org. By Zillion
compress_expl.c1799Sep 21 02:34:25 2002599d99a8e14ed34f83f118d3d2d84799
Compress v4.2.4 local test exploit for Linux systems.  Homepage: http://www.netric.org.
qute.pl1786Sep 24 00:13:22 20026182325164cd3e63f9c2688fa96bcc6f
Qute.pl is a perl script which exploits a buffer overflow in Qstat 2.5b. Since Qstat is not SUID by default this script is useless. By Arne Schwerdtfegger.
interbase-gds-exploi..>1777Sep 26 04:49:32 20020ecb679470d57b48ec01e63e5ca67c13
This exploit uses a symbolic link vulnerability in the Borland Interbase gds_lock_mgr binary to overwrite /etc/xinetd.d/xinetdbd with code that spawns a root shell on port 666 TCP.  Homepage: http://www.i-security.nl. By grazer
mdklinuxconf.c1757Nov 30 12:25:30 2002e617b71655e152bbee80aa2767e49ca1
Mandrake 8.2 linuxconf local root exploit. By Pokleyzz
elinuxconf2.c1687Sep 2 09:10:41 20029902c624a4fa627d34e0dd222043ded8
Another Proof of Concept exploit for the local buffer overflow vulnerability existing in linuxconf v1.28r3 and below which allows users to spawn a root shell. Tested on Mandrake Linux 8.2.  Homepage: http://www.scan-associates.net. By pokleyzz
coudrape.c1621Sep 11 07:18:00 200284517123be77c81385f4331da5de0b49
Efstool local root exploit for linux/x86 in C. By Cloudass
rootprobe.sh1599Nov 30 12:33:45 200228b219ae719f042d7c7ce6eac9ef28bd
Modprobe shell metacharacter expansion local root exploit for Red Hat 7.x and SuSE 7.x.  Homepage: http://www.team-teso.net. By Sebastian Krahmer
gv-exploit.pdf1377Sep 30 22:44:40 2002da9705f79a8782d078819470306ac5c0
Buffer overflow exploit for gv v3.5.8 on linux which creates the file /tmp/itworked when gv opens the PDF. Some mail readers use GV to view pdf's. Tested on Red Hat 7.3.  Homepage: http://www.idefense.com. By Zen-Parse
sx-slap.pl1106Sep 12 05:22:18 2002727c37f6b87d09e49e5738313b20ce83
Remote / Local buffer overflow for Savant Web Server 3.1 and below, as described in Foundstone advisory 091002-SVWS. Crashes the daemon, no patch is available as of the 11th of Sept, 02.  Homepage: http://legion2000.security.nu. By NTFX
qspl.c1100Sep 21 01:32:15 20025bd205acc310c5c0a4a244f24352737d
Qstat 2.5b local root exploit for Linux. Tested on Debian GNU/Linux (Woody). Since Qstat is not SUID by default this script is not useful for gaining more access to a linux system. By Oscar Linderholm
gawk_expl.c1047Sep 21 02:37:51 20029e653a0462e3f7ef60c123e9ca381c63
Linux proof of concept exploit for a local buffer overflow in GNU Awk 3.1.0-x.  Homepage: http://www.netric.org.
TRU64_dtterm1037Sep 10 22:17:34 2002fbc1785d31e44f9c9588303d7828137f
Proof of concept local root exploit for dtterm on the HP/Compaq Tru64 Operating System. HP/Compaq advisory and patches available Here.  Homepage: http://www.snosoft.com. By stripey
TRU64_dtaction995Sep 10 22:10:28 2002bad813771eedaf4767d6244cfb4ba69c
Proof of concept local root exploit for dtaction on the HP/Compaq Tru64 Operating System. HP/Compaq advisory and patches available Here.  Homepage: http://www.snosoft.com/. By stripey
TRU64_dtprintinfo992Sep 10 22:15:10 20027e52f96fd8503185cc33cb015befcb06
Proof of concept local root exploit for dtprintinfo on the HP/Compaq Tru64 Operating System. HP/Compaq advisory and patches available Here.  Homepage: http://www.snosoft.com. By stripey
TRU64_su946Sep 10 22:36:28 2002f587978781a3655004ef60d6595781ee
Another version of the proof of concept local root exploit for su on the HP/Compaq Tru64 Operating System. HP/Compaq advisory and patches available Here.  Homepage: http://www.snosoft.com. By stripey
TRU64_dxterm901Sep 10 22:20:02 2002dcff3ccecc59db66d33b935d1b1113d9
Proof of concept local root exploit for dxterm on the HP/Compaq Tru64 Operating System. HP/Compaq advisory and patches available Here.  Homepage: http://www.snosoft.com. By stripey
efstool.pl646Sep 11 07:15:00 2002adcba327cd833a9c94c4cfbf10570e96
Efstool local root exploit for linux/x86 in perl. By user_15335[at]erato.uk.clara.net

Privacy Statement