Welcome to the Exploits for March, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware

Sorted By: Last Modified.

File Name Downloads File Size Last Modified
0003-exploits.tgz252494501May 19 2000 10:55:38
Packet Storm new exploits for March, 2000.
win98-bluescreen.txt29361876Apr 20 2000 13:59:44
More ways to abuse c|/con/con - In mail with html tags, in normal html, serv-u ftp, and win registry. By RUBINHO
cgimail.txt11053015Apr 19 2000 19:23:42
Anyone who can execute CGIMailer (anyone who can use the forms that use CGIMailer) can specify what configuration file to use, and this can be any file on the system CGIMailer is running on. This allows the existence of private files to be detected. There are more dangerous implications though: this vulnerability could possibly be exploited to obtain private files from the target system. If there is an FTP server running on the target system on which an attacker has upload privileges, he/she could upload a malicious configuration file and then run it using CGIMailer. Configuration files can be used to send files to the attacker via e-mail (among other things). By Chopsui-cide. Homepage Here.
ircii_exploit.txt14987942Apr 19 2000 19:14:41
Two exploits are included: a DCC chat buffer overflow, in separate exploits for Linux and mIRC. By bladi & aLmUDeNa.
x11amp.txt972634Apr 19 2000 16:59:21
Vulnerability: Any user can overwrite any file in the system with x11amp ver .70. Found by Grampa Elite.
exp-wmcd.c3722249Apr 19 2000 16:59:21
Local exploit for Linux Mandrake 7.0's wmcdplay 1.0 beta 1. Unlike the Teso exploit for wmcdplay, this code exploits the -position argument. By Dethy
irix-objectserver.c167219212Apr 3 2000 19:11:51
SGI IRIX objectserver remote exploit - Remotely adds account to the IRIX system. Patched February, 1998. Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2. By Marcy
rpc.AMD.FreeBSD3.2RE..>20142924Apr 1 2000 14:09:54
FreeBSD 3.2-REL AMD remote root exploit. By Anathema
icadecrypt.c.txt21471800Mar 31 2000 23:29:07
icadecrypt cracks the weak hash encryption on stored Citrix ICA passwords (in appsrv.ini). Homepage here. By Dug Song
ass.pl13471488Mar 31 2000 13:04:00
Halloween linux 4 local root exploit script for atsadc. Other distributions may be vulnerable. Homepage here. By S. Krahmer
NXT-Howto.txt555614093Mar 30 2000 00:24:56
BIND 8.2 - 8.2.2 remote root exploit how-to. Explains how to manipulate DNS records on a primary name server to exploit this vulnerability. Homepage here. By E-Mind
winmail305.txt12091008Mar 29 2000 13:04:00
Winmail 3.05 for Windows NT allows any file on the system to be read. Exploit code included. By Frankie Zie courtesy of Bugtraq
tpgnrock.c10212912Mar 29 2000 13:04:00
Crash Exploit for AnalogX SimpleServer v1.03 By Presto
kreatur.pl12371622Mar 28 2000 16:28:34
kreatecd local root-exploit helper script - Halloween Linux 4.0 and SuSE 6.0 - 6.3. Homepage here or here.
position.c17761976Mar 28 2000 16:21:43
Overflows the -position arg buffer in wmcdplay due to a bad sprintf call. Homepage here. By Larry W. Cashdollar
domain-socket.c1882871Mar 26 2000 13:04:00
Domain Socket Denial of Service Vulnerability affecting Linux kernel 2.3.99-pre2, Linux kernel 2.2.14, Linux kernel 2.2.12, RedHat Linux 6.2, RedHat Linux 6.1 sparc, RedHat Linux 6.1 i386, and RedHat Linux 6.1 alpha. Homepage here.
browser-bug.txt16592905Mar 25 2000 20:41:56
Linux web browsers are affected by accessing devices; this bug may be considered similar to the \con\con bug, except that the technological superiority of Linux will prevent a system crash. Homepage here. By SET
win98-con-lan.txt5441784Mar 24 2000 21:04:48
A windows 9x machine that shares any of its files, even read only, can be crashed remotely via the con/con issue. By Toxic Waste
netscape-wp.dir-list22512619Mar 23 2000 23:59:17
ZSH Advisory - Netscape WebPublisher Allows Directory Listing and Access. Netscape Webpublisher is an addon to Netscape's Enterprise webserver which allows remote file modifications, uploads and downloads. A third party user can access the WebPublisher via downloading a number of java applets and the webserver's directory structure without having a valid account on the system. Netscape v3.5.1 / 3.6 SP1-3 under solaris are vulnerable. Homepage here. By F0bic
wmcdplay-exp.c170210904Mar 23 2000 22:11:48
5 exploits for wmcdplay (A cd player designed for WindowMaker - Release 1.0 Beta1) Tested on Mandrake 7.0. Homepage here. By Larry W. Cashdollar
pam-mdk.c27351588Mar 21 2000 14:22:00
PAM/userhelper exploit - Ported to Mandrake 6.1. Also works on Red Hat 6.0 and 6.1, gives uid 0. By Paulo Ribeiro
spoon.c27095033Mar 21 2000 03:41:56
spoon.c - (ab)use dig.cgi to proxy DNS dig requests. Useful to request a zone transfer without revealing your IP. Homepage here. By Obecian
wmexp.c11832315Mar 20 2000 13:04:00
Halloween Linux 4.0 and Debian Linux 2.1 local root exploit for wmcdplay. Other distros are maybe affected as well. Homepage here. By S. Krahmer & Stealth
spawncmd.pl16261270Mar 20 2000 13:04:00
Spawn a command shell on remote host with MSADC. Homepage here.
reset_state.c131910605Mar 20 2000 13:04:00
reset_state.c exploits a recent bug in PIX firewalls which drops an entry in the state table when a RST packet is received. By Andrew Alston
printtool.sh1249822Mar 20 2000 13:04:00
printtool is an X11 printer configuration tool shipped with RedHat Linux and possibly other linux distributions. When configuring a printer with printtool, the permissions of the config file are set world-readable. When this happens, this script will kick in and give you the password. Homepage here. By Phonic
led_color.c11871965Mar 20 2000 13:04:00
Overflows the -l arg buffer in wmcdplay due to a bad sprintf call. Tested on Mandrake. Homepage here. By Larry W. Cashdollar
imexp.c12052630Mar 20 2000 13:04:00
Halloween 4 local root exploit for imwheel-solo. Other distros maybe affected as well. Homepage here. By S. Krahmer & Stealth
gpm-root.sh2486931Mar 20 2000 13:04:00
A vulnerability exists in the gpm-root program, part of the gpm package. A local console user can obtain root. Tested under RedHat Linux (6.2 / 6.1 / 6.0 / 6.0 / 5.2 / 5.1) and Debian Linux (2.2 / 2.1 / 2.0). Homepage here.
ftpwarez.c22475614Mar 15 2000 13:04:00
wu-ftpd beta17 remote root overflow (non-chroot). By Anathema
x-dumper.sh10101666Mar 13 2000 13:04:00
x-dumper.sh remote xwin exploit - Will attempt to dump a screen via xwd. By c0sa_n0stra
unpassworded.dsl.rou..>11533779Mar 11 2000 04:14:00
In the deployment of the Cayman-DSL router and many others, technicians are failing to reset the default password, which in many cases defaults to no password at all. A malicious user could scan for such devices on a DSL provider's network. Worst case scenario, the static routing tables can be altered to permit remote sniffing. By Andrew R. Siverly
Flying.txt1607837Mar 10 2000 12:39:48
Vulnerability in the game Flying rev 6.20 - read any file on the system. Tested on Redhat 5.2, possibly others. By Grampa Elite
redhat-printtool.txt2861850Mar 9 2000 12:28:40
By default, printtool leaves world readable printer passwords on Redhat 6.1 and 6.2B. By Cho Kyong-won courtesy of Bugtraq
ms-clipart.txt385810793Mar 9 2000 11:25:25
L0pht Research Labs Advisory - Microsoft ClipArt Gallery Overflow. An attacker can seize control of a Windows 95, 98, NT, or 2000 machine via any HTML source, including Microsoft Outlook e-mail. Proof of concept exploit included. Homepage here. By Dildog
iis-enumerate.txt39171267Mar 9 2000 11:25:07
Another new way to find the web root directory of an IIS 4.0 webserver, if it is run on a share, by requesting a .idq file. By Jason Lutz
pocsag.txt26081029Mar 9 2000 11:25:00
Pocsag v2.05, a popular pager decoding software, by default accepts connections on port 8000 with a default password, even if remote access is not enabled, allowing anyone to view the decoded data. By Kuji courtesy of Bugtraq
flog.c33072961Mar 7 2000 04:40:35
Flog.c crashes Win95/98/se webservers by sending GET /con/con HTTP/1.0. Changes: This one works. By Infernal Pulse
infradig_1225_5-3-00..>29331464Mar 6 2000 12:49:12
Infradig 1.225 for Windows remote security hole - The administration server on port 81 allows anyone to edit accounts, add users, and set all kinds of things. Homepage here. By Nemesystm
SCX-SA-01.txt32767855Mar 6 2000 12:48:32
Securax Advisory - Many Windows applications can be made to blue screen upon parsing specially crafted path strings referring to device drivers.
RLbison.tgz17192279Mar 6 2000 03:27:29
Roses Labs has discovered a remote buffer overflow in BisonWare FTP Server. Includes DoS exploit; remote code execution may be possible. English and Spanish versions included. Homepage here. By Conde Vampiro
binds.c35046923Mar 3 2000 22:35:39
IRIX 5.3 and 6.2 remote bind iquery overflow. Homepage here. By LSD
sXe.c49717898Mar 3 2000 22:31:34
sXe sends IGMP packets, denying service to windows machines. If you can figure out how to use this, you can create quite an effective attack from even a 14kbs modem. Homepage here. By l-n1nja
irix-infosrch.cgi.tx..>2777550Mar 3 2000 20:20:40
Irix 6.5 InfoSearch is a web-based interface to books, manpages, and relnotes, distributed by SGI. infosrch.cgi can execute commands remotely. By Jared courtesy of Bugtraq
AIM-dos.txt63041178Mar 3 2000 20:17:18
AOL Instant Messenger can be crashed remotely with upper ascii symbols, version 3.5 tested, others most likely vulnerable. Unofficial patch available on the homepage, here. By Cruz courtesy of Bugtraq
officescan.txt30468966Mar 3 2000 20:12:33
Trendmicro Officescan 3.5 has severe remote vulnerabilities, allowing a malicious user to remotely uninstall the anti virus, remotely stop the scan, remotely make the anti virus inefficient by modifying the scan configuration file through the network on the target pc, and finally, remotely write anywhere on the target file system! Includes exploit instructions. Homepage here. By Gregory Duchemin courtesy of Bugtraq
win98-con.txt67881463Mar 3 2000 18:58:58
Many Windows programs crash if they access c:/con/con. IE and servU-FTP v 2.4a among others are vulnerable. By Zoa_Chien
sps3.c25722086Mar 3 2000 18:17:18
sps3.c - Spaghetti Proxy Server 3.0 DoS attack. It does not appear as though arbitrary code could be executed using this vulnerability. Homepage here. By Chopsui-cide
win98_con_exploit.ht..>24211408Mar 3 2000 01:24:18
Variation of the win98 con exploit that crashes netscape as well. Homepage here. By Neonlenz
unsigned.cab.exploit..>336219089Mar 2 2000 13:42:15
Vulnerability details and example exploit for Microsoft Active Setup control's unsigned CAB file execution vulnerability. Patched in November, 1999, the vulnerability was so severe that almost any kind of break-in was possible into unpatched IE client machines. By Mukand
ie5-chm.txt35141258Mar 2 2000 13:31:46
Georgi Guninski security advisory #8 - There is a vulnerability in IE 5.x for Win95/WinNT (probably others) which allows executing arbitrary programs using .chm files. Microsoft Networking must be installed. Demonstration which starts wordpad here. Homepage here. By Georgi Guninski courtesy of Bugtraq
bsd-sm884.c33903055Mar 2 2000 10:24:08
FreeBSD Sendmail 8.8.4 mime 7to8 remote exploit. Homepage here.
mailer.c29805441Mar 2 2000 10:18:39
Remote exploit for Mailer 4.3 - Win 9x/NT. Homepage here. By Cybz
getpop3.txt32172827Mar 1 2000 20:33:20
Getpop3 POP client for linux local root exploit - make any local file world writable. Homepage here. By r3p3nt
dosemu.sh1964948Mar 1 2000 15:53:52
Corel Linux dosemu config error. Local root compromise. By Suid
setxconf.sh1877303Mar 1 2000 15:52:54
Corel xconf utils local root (among others) vulnerability. By Suid
Infosec.20000229.axi..>24722242Mar 1 2000 01:24:30
Infosec Security Vulnerability Report - Bypassing authentication on Axis StorPoint CD. By modifying a URL, outsiders can access administrator URLs without entering a username and password, allowing unauthorized access. By Ian Vitek courtesy of Bugtraq
hp-omniback.pl21811803Mar 1 2000 01:17:49
HP Openview Omniback software listens to port 5555, can be caused to run out of memory. Demonstration exploit in perl included. By Jon Hittner courtesy of Bugtraq
xterm-logfile.txt22581173Mar 1 2000 01:10:46
It used to be Well Known that xterm's way of opening a log file was insecure. Well, that was 5+ years ago so I decided to take a look at the current state of affairs. Things have changed, but mostly to "different" rather than "better". Symlink attack can overwrite any file with the UID of the xterm process. By Morten Welinder courtesy of Bugtraq
manxpl.c25811178Mar 1 2000 00:55:59
Linux x86 man exploit - exploits the stack overflow in man (PAGER env var) yielding egid man. Tested on Redhat 6.2. By Anathema
htdig.txt35461348Mar 1 2000 00:55:59
Htdig 3.1.4 search engine allows any file on the system to be read via CGI binary htsearch. Exploit information included. By Geoff Hutchison courtesy of Bugtraq