Welcome to the Exploits for March, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware.
To change sort order, click on a category.
| File Name | Downloads | File Size (bytes) | Last Modified | Description |
|---|---|---|---|---|
| 0003-exploits.tgz | 2524 | 94501 | May 19 10:55:38 2000 | Packet Storm new exploits for March, 2000. |
| irix-objectserver.c | 1672 | 19212 | Apr 3 19:11:51 2000 | SGI IRIX objectserver remote exploit - remotely adds an account to the IRIX system. Patched February, 1998. Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2. By Marcy |
| unsigned.cab.exploit..> | 3362 | 19089 | Mar 2 13:42:15 2000 | Vulnerability details and example exploit for the Microsoft Active Setup control's unsigned CAB file execution vulnerability. Patched in November, 1999; the vulnerability was so severe that almost any kind of break-in was possible into unpatched IE client machines. By Mukand |
| NXT-Howto.txt | 5556 | 14093 | Mar 30 00:24:56 2000 | BIND 8.2 - 8.2.2 remote root exploit how-to. Explains how to manipulate DNS records on a primary name server to exploit this vulnerability. Homepage here. By E-Mind |
| wmcdplay-exp.c | 1702 | 10904 | Mar 23 22:11:48 2000 | 5 exploits for wmcdplay (a CD player designed for WindowMaker - Release 1.0 Beta1). Tested on Mandrake 7.0. Homepage here. By Larry W. Cashdollar |
| ms-clipart.txt | 3858 | 10793 | Mar 9 11:25:25 2000 | L0pht Research Labs Advisory - Microsoft ClipArt Gallery Overflow. An attacker can seize control of a Windows 95, 98, NT, or 2000 machine via any HTML source, including Microsoft Outlook e-mail. Proof of concept exploit included. Homepage here. By Dildog |
| reset_state.c | 1319 | 10605 | Mar 20 13:04:00 2000 | reset_state.c exploits a recent bug in PIX firewalls which drops an entry from the state table when a RST packet is received. By Andrew Alston |
| officescan.txt | 3046 | 8966 | Mar 3 20:12:33 2000 | Trend Micro OfficeScan 3.5 has severe remote vulnerabilities, allowing a malicious user to remotely uninstall the antivirus, remotely stop the scan, remotely make the antivirus ineffective by modifying the scan configuration file through the network on the target PC, and finally, remotely write anywhere on the target file system! Includes exploit instructions. Homepage here. By Gregory Duchemin courtesy of Bugtraq |
| ircii_exploit.txt | 1498 | 7942 | Apr 19 19:14:41 2000 | Two exploits are included: a DCC chat buffer overflow, in separate exploits for Linux and mIRC. By bladi & aLmUDeNa. |
| sXe.c | 4971 | 7898 | Mar 3 22:31:34 2000 | sXe sends IGMP packets, denying service to Windows machines. If you can figure out how to use this, you can create quite an effective attack from even a 14kbs modem. Homepage here. By l-n1nja |
| SCX-SA-01.txt | 3276 | 7855 | Mar 6 12:48:32 2000 | Securax Advisory - Many Windows applications can be made to blue screen upon parsing specially crafted path strings referring to device drivers. |
| binds.c | 3504 | 6923 | Mar 3 22:35:39 2000 | IRIX 5.3 and 6.2 remote bind iquery overflow. Homepage here. By LSD |
| ftpwarez.c | 2247 | 5614 | Mar 15 13:04:00 2000 | wu-ftpd beta17 remote root overflow (non-chroot). By Anathema |
| mailer.c | 2980 | 5441 | Mar 2 10:18:39 2000 | Remote exploit for Mailer 4.3 - Win 9x/NT. Homepage here. By Cybz |
| spoon.c | 2709 | 5033 | Mar 21 03:41:56 2000 | spoon.c - (ab)use dig.cgi to proxy DNS dig requests. Useful to request a zone transfer without revealing your IP. Homepage here. By Obecian |
| unpassworded.dsl.rou..> | 1153 | 3779 | Mar 11 04:14:00 2000 | In the deployment of the Cayman-DSL router and many others, technicians are failing to reset the default password, which in many cases defaults to no password at all. A malicious user could scan for such devices on a DSL provider's network. Worst case scenario, the static routing tables can be altered to permit remote sniffing. By Andrew R. Siverly |
| bsd-sm884.c | 3390 | 3055 | Mar 2 10:24:08 2000 | FreeBSD Sendmail 8.8.4 mime 7to8 remote exploit. Homepage here. |
| cgimail.txt | 1105 | 3015 | Apr 19 19:23:42 2000 | Anyone who can execute CGIMailer (anyone who can use the forms that use CGIMailer) can specify which configuration file to use, and this can be any file on the system CGIMailer is running on. This allows the existence of private files to be detected. There are more dangerous implications though: this vulnerability could possibly be exploited to obtain private files from the target system. If there is an FTP server running on the target system on which an attacker has upload privileges, he/she could upload a malicious configuration file and then run it using CGIMailer. Configuration files can be used to send files to the attacker via e-mail (among other things). By Chopsui-cide. Homepage here. |
| flog.c | 3307 | 2961 | Mar 7 04:40:35 2000 | Flog.c crashes Win95/98/SE webservers by sending GET /con/con HTTP/1.0. Changes: This one works. By Infernal Pulse |
| rpc.AMD.FreeBSD3.2RE..> | 2014 | 2924 | Apr 1 14:09:54 2000 | FreeBSD 3.2-REL AMD remote root exploit. By Anathema |
| tpgnrock.c | 1021 | 2912 | Mar 29 13:04:00 2000 | Crash exploit for AnalogX SimpleServer v1.03. By Presto |
| browser-bug.txt | 1659 | 2905 | Mar 25 20:41:56 2000 | Linux web browsers are affected by accessing devices; this bug may be considered similar to the \con\con bug, except that the technological superiority of Linux will prevent a system crash. Homepage here. By SET |
| getpop3.txt | 3217 | 2827 | Mar 1 20:33:20 2000 | Getpop3 POP client for Linux local root exploit - make any local file world writable. Homepage here. By r3p3nt |
| imexp.c | 1205 | 2630 | Mar 20 13:04:00 2000 | Halloween 4 local root exploit for imwheel-solo. Other distros may be affected as well. Homepage here. By S. Krahmer & Stealth |
| netscape-wp.dir-list | 2251 | 2619 | Mar 23 23:59:17 2000 | ZSH Advisory - Netscape WebPublisher Allows Directory Listing and Access. Netscape WebPublisher is an add-on to Netscape's Enterprise webserver which allows remote file modifications, uploads and downloads. A third party user can access the WebPublisher, by downloading a number of Java applets, and the webserver's directory structure without having a valid account on the system. Netscape v3.5.1 / 3.6 SP1-3 under Solaris are vulnerable. Homepage here. By F0bic |
| wmexp.c | 1183 | 2315 | Mar 20 13:04:00 2000 | Halloween Linux 4.0 and Debian Linux 2.1 local root exploit for wmcdplay. Other distros may be affected as well. Homepage here. By S. Krahmer & Stealth |
| RLbison.tgz | 1719 | 2279 | Mar 6 03:27:29 2000 | Roses Labs has discovered a remote buffer overflow in BisonWare FTP Server. Includes DoS exploit; remote code execution may be possible. English and Spanish versions included. Homepage here. By Conde Vampiro |
| exp-wmcd.c | 372 | 2249 | Apr 19 16:59:21 2000 | Local exploit for Linux Mandrake 7.0's wmcdplay 1.0 beta 1. Unlike the Teso exploit for wmcdplay, this code exploits the -position argument. By Dethy |
| Infosec.20000229.axi..> | 2472 | 2242 | Mar 1 01:24:30 2000 | Infosec Security Vulnerability Report - Bypassing authentication on Axis StorPoint CD. By modifying a URL, outsiders can access administrator URLs without entering username and password, allowing unauthorized access. By Ian Vitek courtesy of Bugtraq |
| sps3.c | 2572 | 2086 | Mar 3 18:17:18 2000 | sps3.c - Spaghetti Proxy Server 3.0 DoS attack. It does not appear as though arbitrary code could be executed using this vulnerability. Homepage here. By Chopsui-cide |
| position.c | 1776 | 1976 | Mar 28 16:21:43 2000 | Overflows the -position arg buffer in wmcdplay due to a bad sprintf call. Homepage here. By Larry W. Cashdollar |
| led_color.c | 1187 | 1965 | Mar 20 13:04:00 2000 | Overflows the -l arg buffer in wmcdplay due to a bad sprintf call. Tested on Mandrake. Homepage here. By Larry W. Cashdollar |
| win98-bluescreen.txt | 2936 | 1876 | Apr 20 13:59:44 2000 | More ways to abuse c\|/con/con - in mail with HTML tags, in normal HTML, Serv-U FTP, and the Windows registry. By RUBINHO |
| hp-omniback.pl | 2181 | 1803 | Mar 1 01:17:49 2000 | HP OpenView Omniback software listens on port 5555 and can be caused to run out of memory. Demonstration exploit in Perl included. By Jon Hittner courtesy of Bugtraq |
| icadecrypt.c.txt | 2147 | 1800 | Mar 31 23:29:07 2000 | icadecrypt cracks the weak hash encryption on stored Citrix ICA passwords (in appsrv.ini). Homepage here. By Dug Song |
| x-dumper.sh | 1010 | 1666 | Mar 13 13:04:00 2000 | x-dumper.sh remote X Window exploit - will attempt to dump a screen via xwd. By c0sa_n0stra |
| kreatur.pl | 1237 | 1622 | Mar 28 16:28:34 2000 | kreatecd local root exploit helper script - Halloween Linux 4.0 and SuSE 6.0 - 6.3. Homepage here or here. |
| pam-mdk.c | 2735 | 1588 | Mar 21 14:22:00 2000 | PAM/userhelper exploit - ported to Mandrake 6.1. Also works on Red Hat 6.0 and 6.1; gives uid 0. By Paulo Ribeiro |
| ass.pl | 1347 | 1488 | Mar 31 13:04:00 2000 | Halloween Linux 4 local root exploit script for atsadc. Other distributions may be vulnerable. Homepage here. By S. Krahmer |
| infradig_1225_5-3-00..> | 2933 | 1464 | Mar 6 12:49:12 2000 | Infradig 1.225 for Windows remote security hole - the administration server on port 81 allows anyone to edit accounts, add users, and set all kinds of things. Homepage here. By Nemesystm |
| win98-con.txt | 6788 | 1463 | Mar 3 18:58:58 2000 | Many Windows programs crash if they access c:/con/con. IE and Serv-U FTP v2.4a, among others, are vulnerable. By Zoa_Chien |
| win98_con_exploit.ht..> | 2421 | 1408 | Mar 3 01:24:18 2000 | Variation of the Win98 con exploit that crashes Netscape as well. Homepage here. By Neonlenz |
| htdig.txt | 3546 | 1348 | Mar 1 00:55:59 2000 | Htdig 3.1.4 search engine allows any file on the system to be read via the CGI binary htsearch. Exploit information included. By Geoff Hutchison courtesy of Bugtraq |
| spawncmd.pl | 1626 | 1270 | Mar 20 13:04:00 2000 | Spawn a command shell on a remote host with MSADC. Homepage here. |
| iis-enumerate.txt | 3917 | 1267 | Mar 9 11:25:07 2000 | Another new way to find the web root directory of an IIS 4.0 webserver, if it is run on a share, by requesting a .idq file. By Jason Lutz |
| ie5-chm.txt | 3514 | 1258 | Mar 2 13:31:46 2000 | Georgi Guninski security advisory #8 - There is a vulnerability in IE 5.x for Win95/WinNT (probably others) which allows executing arbitrary programs using .chm files. Microsoft Networking must be installed. Demonstration which starts WordPad here. Homepage here. By Georgi Guninski courtesy of Bugtraq |
| AIM-dos.txt | 6304 | 1178 | Mar 3 20:17:18 2000 | AOL Instant Messenger can be crashed remotely with upper ASCII symbols; version 3.5 tested, others most likely vulnerable. Unofficial patch available on the homepage, here. By Cruz courtesy of Bugtraq |
| manxpl.c | 2581 | 1178 | Mar 1 00:55:59 2000 | Linux x86 man exploit - exploits the stack overflow in man (PAGER env var), yielding egid man. Tested on Redhat 6.2. By Anathema |
| xterm-logfile.txt | 2258 | 1173 | Mar 1 01:10:46 2000 | It used to be Well Known that xterm's way of opening a log file was insecure. Well, that was 5+ years ago so I decided to take a look at the current state of affairs. Things have changed, but mostly to "different" rather than "better". Symlink attack can overwrite any file with the UID of the xterm process. By Morten Welinder courtesy of Bugtraq |
| pocsag.txt | 2608 | 1029 | Mar 9 11:25:00 2000 | Pocsag v2.05, a popular pager decoding software, by default accepts connections on port 8000 with a default password, even if remote access is not enabled, allowing anyone to view the decoded data. By Kuji courtesy of Bugtraq |
| winmail305.txt | 1209 | 1008 | Mar 29 13:04:00 2000 | Winmail 3.05 for Windows NT allows any file on the system to be read. Exploit code included. By Frankie Zie courtesy of Bugtraq |
| dosemu.sh | 1964 | 948 | Mar 1 15:53:52 2000 | Corel Linux dosemu config error. Local root compromise. By Suid |
| gpm-root.sh | 2486 | 931 | Mar 20 13:04:00 2000 | A vulnerability exists in the gpm-root program, part of the gpm package. A local console user can obtain root. Tested under RedHat Linux (6.2 / 6.1 / 6.0 / 6.0 / 5.2 / 5.1) and Debian Linux (2.2 / 2.1 / 2.0). Homepage here. |
| domain-socket.c | 1882 | 871 | Mar 26 13:04:00 2000 | Domain Socket Denial of Service Vulnerability affecting Linux kernel 2.3.99-pre2, Linux kernel 2.2.14, Linux kernel 2.2.12, RedHat Linux 6.2, RedHat Linux 6.1 sparc, RedHat Linux 6.1 i386, and RedHat Linux 6.1 alpha. Homepage here. |
| redhat-printtool.txt | 2861 | 850 | Mar 9 12:28:40 2000 | By default, printtool leaves world-readable printer passwords on Redhat 6.1 and 6.2B. By Cho Kyong-won courtesy of Bugtraq |
| Flying.txt | 1607 | 837 | Mar 10 12:39:48 2000 | Vulnerability in the game Flying rev 6.20 - read any file on the system. Tested on Redhat 5.2, possibly others. By Grampa Elite |
| printtool.sh | 1249 | 822 | Mar 20 13:04:00 2000 | printtool is an X11 printer configuration tool shipped with RedHat Linux and possibly other Linux distributions. When configuring a printer with printtool, the permissions of the config file are set world-readable. When this happens, this script will kick in and give you the password. Homepage here. By Phonic |
| win98-con-lan.txt | 5441 | 784 | Mar 24 21:04:48 2000 | A Windows 9x machine that shares any of its files, even read-only, can be crashed remotely via the con/con issue. By Toxic Waste |
| x11amp.txt | 972 | 634 | Apr 19 16:59:21 2000 | Vulnerability: any user can overwrite any file in the system with x11amp ver .70. Found by Grampa Elite. |
| irix-infosrch.cgi.tx..> | 2777 | 550 | Mar 3 20:20:40 2000 | IRIX 6.5 InfoSearch is a web-based interface to books, manpages, and relnotes, distributed by SGI. infosrch.cgi can execute commands remotely. By Jared courtesy of Bugtraq |
| setxconf.sh | 1877 | 303 | Mar 1 15:52:54 2000 | Corel xconf utils local root (among others) vulnerability. By Suid |