Welcome to the Exploits for April, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware

Sorted By: Last Modified.

File Name Downloads File Size Last Modified
0004-exploits.tgz3523208103May 19 2000 10:56:12
Packet Storm new exploits for April, 2000.
FreeOnline.txt15452008May 4 2000 00:07:41
FreeOnline currently makes its free users surf non-free zones for 30-minute and 2-hour lots within certain hours of the day. If you are a FreeOnline user, which I currently am, you may be interested to know that there is a way out to non-free sites using a site which FreeOnline does acknowledge as a site that may be surfed at any time. By rarez
austnethack.tgz15675925Apr 28 2000 12:04:09
How AustNet's Virtual World was hacked to reveal users' real IP. Slightly crippled demonstration code included. Lots of information on the AustNet hack available here. By FallenAngel
sftp02b.c17492147Apr 28 2000 12:01:19
Smart FTP v0.2 Beta denial of service. Homepage here. By Chopsui-cide
qpopper.fgets.txt25524022Apr 27 2000 15:24:55
Sorry, a description is unavailable.
mmdump.pl16616520Apr 27 2000 14:26:06
Meeting Maker is a networked calendaring/scheduling software package that's estimated to be installed on over 700,000 desktops. Clients send passwords to a Meeting Maker server encoded using a polyalphabetic substitution cipher. Included perl script will decode passwords sent over the net. By Matt Power courtesy of Bugtraq.
lpset.sh1605627Apr 27 2000 14:12:55
/usr/bin/lpset vulnerability in Solaris/SPARC 2.7. Homepage here. By Noir
4man.c29271247Apr 27 2000 14:10:24
redhat 6.1 /usr/bin/man exploit. Homepage here. By Kil3r
sol7.lp.c13771467Apr 27 2000 13:43:18
Solaris 2.7 /usr/bin/lp local exploit, i386. By Digit
xsun2.c13041812Apr 27 2000 13:41:03
xsun2.c is a Solaris 7 x86 local root stack overflow for /usr/openwin/bin/Xsun. By Digit
sparc_lpset.c13952047Apr 27 2000 13:38:49
/usr/bin/lpset local root exploit for sparc. By Laurent Levier
imwheel_ex.c1525994Apr 27 2000 13:36:06
imwheel local root exploit (as discussed in RHSA-2000:016-02). By Funkysh
xdnewsweb.pl14552627Apr 27 2000 08:53:08
Vulnerability found in the cgi DNEWSWEB used for reading news groups from the web. It's possible to overflow the stack and read any file from the remote host with web server rights. All versions on all OSes are exploitable. Example of reading the file /etc/passwd on Linux included. Fixed in dnews 5.4c1, available here. By djHD
dig.c1759963Apr 25 2000 12:51:02
dig v2.2 local buffer overflow exploit for x86 linux. Note that dig isn't suid/sgid on some platforms, yet on some it is. Homepage here. By Anathema
solx86-imapd.c14582892Apr 25 2000 12:42:44
imapd IMAP4rev1 v10.205 remote root exploit, solaris x86. Exploits the AUTHENTICATE overflow, yielding a remote root shell. Homepage here. By Anathema
solx86-nisd.c13175279Apr 25 2000 12:41:12
rpc.nisd remote root overflow, solaris 2.4 x86. Solaris 2.5.0 and 2.5.1 work with different offset. Homepage here. By Anathema
lpset.c12933054Apr 25 2000 12:39:30
/usr/bin/lpset local root stack overflow for Solaris 7, x86. Homepage here. By Anathema
xsun.c12242929Apr 25 2000 12:35:21
xsun.c is a Solaris 7 x86 local root stack overflow for /usr/openwin/bin/Xsun. Homepage here. By Anathema
b0f3-ncurses.txt13911493Apr 24 2000 15:37:30
BufferOverflow Security Advisory #3 - libncurses buffer overflow in NCURSES 1.8.6 on FreeBSD 3.4-STABLE. Setuid programs linked with libncurses can be exploited to obtain root access. Homepage here. By Venglin
freebsd.mtr.c14601618Apr 24 2000 15:32:29
FreeBSD mtr-0.41 local root exploit. Homepage here. By Venglin
lcdproc-exploit.c16705497Apr 23 2000 18:58:51
LCDproc is a system to display system information and other data on an LCD display which uses client / server communication. The server is vulnerable to remote buffer overflow allowing an attacker to remotely execute arbitrary code or cause the LCDproc server to crash. Patch available here. By Andrew Hobgood
wmaker.c15521781Apr 23 2000 18:27:28
Windowmaker 0.62.0 buffer overflow exploit - Although wmaker is not suid by default, this code will overflow the $DISPLAY environment variable. Homepage here. By Sectorx
ADV-150400.txt26643470Apr 23 2000 02:35:38
Microsoft Frontpage CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default and has three vulnerabilities. The full path to the root directory is revealed, a buffer overflow was found - remote code execution may be possible, and files on the server may be accessed. Homepage here. By Narrow
kill_nwtcp.c17152157Apr 23 2000 00:37:05
Novell Netware 5.1 Remote Administration Service contains a buffer overflow that could allow an attacker to launch a denial of service attack against the system, or possibly inject code into the operating system for execution. DoS exploit included. Homepage here. By Michal Zalewski
RUS-CERT.200004-01.t..>133314149Apr 23 2000 00:30:13
RUS-CERT Advisory 200004-01: GNU Emacs 20 - Several vulnerabilities were discovered in all Emacs versions up to 20.6, including allowing unprivileged local users to eavesdrop on the communication between Emacs and its subprocesses, Emacs Lisp tempfile problems, and the history of recently typed keys, which may expose passwords. The following systems were tested vulnerable: Linux, FreeBSD (and probably other *BSD variants), HP-UX 10.x, 11.00, and AIX 4. Solaris and DG/UX are unaffected.
razor.dvwssr.txt14754360Apr 23 2000 00:16:06
BindView RAZOR Team Analysis of DVWSSR.DLL - The risks of having dvwssr.dll are not as severe as originally reported in media outlets Friday morning, but still severe enough that system administrators responsible for NT systems should investigate. The risks involve whether or not a certain DLL is loaded, how rights are set, and potentially how Front Page 98 is used. Homepage here. By Simple Nomad
panda-sec.zip17591190Apr 22 2000 23:57:18
Panda Security 3.0 for Windows 95 and 98 can be bypassed. Panda Security 3.0 is vulnerable to indirect registry key modifications, which allow Panda Security keys to be manipulated by any logged-on user. Because of a lack of system integrity checks, the entire software package could be uninstalled by a user. This zipfile contains demonstration exploit code. Homepage here. By Deepzone Security
rdist-bsd.c10171948Apr 22 2000 00:06:36
rdist-bsd.c is a /usr/bin/rdist local exploit for freebsd. Homepage here. By el8
ypghost050.tar.gz128414609Apr 22 2000 00:03:14
ypghost is a remote NIS exploit that spoofs UDP packets. Uses libpcap. Homepage here. By Arny
sunkill.c15402365Apr 21 2000 23:54:14
sunkill.c - Remote Solaris 2.5.1 DoS exploit. Opens a telnet connection to the victim machine and sends a few bad telnet negotiation options, then floods the port with lots of ^D characters, using all available kernel memory. Homepage here.
hupux.sh12681645Apr 21 2000 23:51:09
hupux.sh hp-ux 09.04 local exploit - Takes advantage of default world writable /usr/local/bin. Homepage here.
scx-sa-02.txt14286868Apr 21 2000 16:51:04
Securax Security Advisory #2 - When the Microsoft Windows explorer tries to parse a filename that contains over 129 chars in the extension, a buffer will overflow, causing explorer to crash. EIP is overwritten, so remote code execution is possible. By Zoa_Chien
RFP2K03.txt186938140Apr 20 2000 13:06:42
RFP2K03 - Contemplations on dvwssr.dll and how it affects life. Lots of information here. Also includes a fixed version of the perl exploit. Homepage here. By Rain Forrest Puppy
ide_expl.mrc20075209Apr 19 2000 14:46:37
ide_expl.mrc is an ircii-4.4 exploit ported to mirc5.7, and works in reverse to ircii-4.4.c: you send the chat request instead of having them chat you. Attempts to execute /bin/sh. Homepage here. By Vade79
lincity.c15041054Apr 19 2000 01:43:09
lincity-svga local buffer overflow. Homepage here. By TFreak
lprm-bsd.c15316821Apr 19 2000 01:21:01
lprm-bsd.c - Exploit for lprm local root vulnerability in OpenBSD and FreeBSD-stable. Homepage here. By Niall Smart
named_dump.sh1525684Apr 19 2000 01:08:20
ISC BIND 4.9.7-T1B local exploit - The named daemon will dump the named database to /var/tmp/named_dump.db when it receives a SIGINT signal. It does not check for symbolic links while doing so and can be made to overwrite any file in the system. Homepage here.
imap_core.sh16996352Apr 19 2000 01:05:27
imap_core.sh is a quick proof of concept tool that causes some imapd implementations to dump core. Unfortunately the core file contains the password and shadow password file in it! Homepage here. By Mudge
ltrust.c1544774Apr 19 2000 00:52:05
Linux kernel 2.2.14 local DoS - When accessing a file or directory with a very long path, the process hangs in an unkillable state. All other processes SEGFAULT when trying to access the unkillable process' /proc entry, so system utilities such as ps, w, top, killall and the like stop working. Apart from that, the system continues to function normally. The only solution is a reboot. Homepage here.
bedie.tar.gz1184656Apr 19 2000 00:46:11
bedie is a beos (5.0/4.5) local dos exploit which exploits a kernel bug. ASM source and binary included. Homepage here. By Konstantin Boldyshev
bizdb.htm1534904Apr 19 2000 00:41:50
BizDB is a web database integration product using perl CGI scripts. One of the scripts, bizdb-search.cgi, has an unchecked open() call and can therefore be made to execute commands at the privilege level of the webserver. Remote exploit included. Homepage here.
RDS_Toolkit.zip23636768Apr 18 2000 15:48:06
RDS Toolkit is another addon for msadc.pl. It is similar to spawncmd.pl which spawns a remote command on a NT machine using RDS, but the RDS Toolkit works in Windows and Unix based systems. By Narrow
netsurfer.txt37651906Apr 18 2000 15:34:23
Local users can steal credit card numbers and personal information from a Netsurfer e-commerce site due to bad default permissions. By Elsewhere
dsnhack.pl236511668Apr 15 2000 02:33:17
NewDSN.exe/CTGuestB.idc/Details.idc remote NT exploit. Homepage here. By Scrippie
ooo1.txt25035042Apr 15 2000 02:20:17
Netscape PublishingXpert 2.* file-reading/dir-listing vuln in PSCOErrPage.htm - On SunOS 5.5.1 and 5.6 (possibly others), Netscape PublishingXpert 2.* can read any file on the system. Many large e-commerce sites are vulnerable to this. Exploit details included. By \x00\x00
RFP2K02.txt48167470Apr 14 2000 13:25:13
RFP2K02 - "Netscape engineers are weenies!" AKA a back door in Microsoft FrontPage extensions/authoring components. Anyone with web authoring permission can use a backdoor in dvwssr.dll to read .asp (and .asa) files under the web root. As Microsoft has told me, the immediate problem is moreso the fact that any developer of one particular virtual site can download the .asp code of other virtual sites on the same system. Includes dvwssr.pl, a perl based exploit. Homepage here. By Rain Forrest Puppy
DeCRYPTO.zip290971912Apr 12 2000 15:24:04
CRYPTOCard's CRYPTOAdmin pin can be decrypted from the .pdb file - Windows 9X demonstration program. Homepage here. By Kingpin
cc-pinextract.txt229411818Apr 12 2000 15:18:10
CRYPTOCard's CRYPTOAdmin software is a challenge/response user authentication administration system. The PT-1 token, which runs on a PalmOS device, generates the one-time-password response. A PalmOS .PDB file is created for each user and loaded onto their Palm device. By gaining access to the .PDB file, the legitimate user's PIN can be determined through a series of DES decrypts-and-compares. Using the demonstration tool, the PIN can be determined in under 5 minutes on a Pentium III 450MHz. Homepage here. By Kingpin
sourcegrab.pl20061491Apr 12 2000 15:03:03
Exploit for Microsoft Index Server 2.0 hithighlight exploit (as described in ms00-006) which allows you to view any file in the wwwroot directory and down. By x00x00
Fortres4-analysis.tx..>36376680Apr 11 2000 18:33:57
Fortres 4.0 security software for Windows has an easily decrypted password. Qbasic source included to crack the simple encryption. By Frost Byte
yapp_exploit.c9543260Apr 11 2000 13:04:00
Local buffer overflow exploit for Yapp Conferencing System, Version 2.2. Homepage here. By Dave Bowman
beos.dos.txt24472104Apr 7 2000 21:01:54
The BeOS networking stack crashes when certain malformed packets are sent to it. This document explains two such packets and includes CASL scripts for packet generation. By Tim Newsham courtesy of Bugtraq
ypk.tar.gz10231865Apr 7 2000 13:04:00
ypk.tar.gz exploits the remote root sunos 4.1.3 ypupdated / keyserv vulnerability. Homepage here.
ms00-019.info.txt1979686Apr 7 2000 11:17:44
Exploit information for the "Virtualized UNC Share" problem talked about in MS00-019 which yields the source of .asp files. By Rain Forrest Puppy
mailform.txt21115231Apr 7 2000 10:48:49
MailForm v1.91 for Windows 95 and NT 4.0 allows potentially dangerous parameters to be specified by anyone who can execute it. The web interface allows remote users to execute arbitrary commands. Exploit code included. Homepage here. By Chopsui-cide
rmp_query.c15342181Apr 6 2000 18:00:33
This script exploits a vulnerability in the default installation of Caldera OpenLinux 2.3 which allows an attacker to obtain a listing of the packages, and versions of packages installed on this system, allowing an attacker to remotely determine vulnerabilities. Homepage here. By Alhambra
ircii-4.4.c21772730Apr 6 2000 17:55:52
ircii-4.4 exploit - buffer overflow in ircii dcc chats allows arbitrary code execution. Tested against SuSE 6.x and Redhat. Homepage here. By Bladi
fcheck.txt16573307Apr 6 2000 17:09:05
Fcheck, a file integrity checker written in perl, can be subverted by a malicious user to execute arbitrary commands as root by creating files with shell metacharacters in their names. Version v.2.7.45 and below is vulnerable. By Matt Carothers courtesy of Bugtraq
winreal.6-7.txt36764229Apr 6 2000 12:05:41
There is a buffer overflow in the Win32 RealPlayer Basic client versions 6 and 7 which occurs when a long "location to play" string is entered. Using the HTML "EMBED" tag to embed RealPlayer in a webpage and setting the "AUTOSTART=true" flag, you can force RealPlayer to start automatically, triggering the overflow condition. It appears that arbitrary code could be executed simply by *VISITING* a webpage with the malicious embedded RealPlayer tags. MacOS and linux versions appear not to be vulnerable. By Adam Muntner courtesy of Bugtraq
linux-masq-udp.txt24238673Apr 3 2000 19:19:24
Linux 2.2.x IP Masquerading allows UDP packets in from the outside until the firewall times out. Under certain rare conditions, a UDP based service could be exploited from the outside. By H D Moore courtesy of Bugtraq
cache-control.txt21395264Apr 3 2000 18:58:51
HTTP cache-control headers such as If-Modified-Since allow servers to track individual users in a manner similar to cookies, but with fewer constraints. This is a problem for user privacy against which browsers currently provide little protection. By Martin Pool courtesy of Bugtraq
str-msgchk.c16182085Apr 3 2000 16:30:59
mh/msgchk and mh/inc demonstration local exploit for FreeBSD / BSDI. Homepage here. By Stran9er
fdmnt-smash.c16413126Apr 3 2000 16:28:34
fdmount local root exploit - tested on Slackware 4.0. Must be in the floppy group. Homepage here. By Scrippie
snmpx.sh2211842Apr 3 2000 16:26:12
Solaris 2.6 snmpdx remote exploit. Homepage here. By Acz
oracle.sh14461481Apr 3 2000 13:04:00
Oracle 8.1.5i install exploit - If Oracle is installed after this script has run, root's .rhosts can be overwritten. Homepage here.