Welcome to the Exploits for June, 2000 Section. | |||
Some of these exploits are from Bugtraq and Security Bugware | |||
To Change Sort Order, Click On A Category. | |||
File Name | Downloads | File Size | Last Modified |
wuftpd2600.c | 5382 | 19343 | Jun 23 11:03:57 2000 |
Wu-Ftpd 2.6.0 remote root exploit. Account is not required, anonymous access is enough. Tested against Redhat 6.2, Suse 6.3 and 6.4, FreeBSD 3.4-STABLE, FreeBSD 3.4-RELEASE, and FreeBSD 4.0-RELEASE. Slightly broken to prevent kids usage. By tf8 | |||
bobek.c | 4405 | 14677 | Dec 5 18:10:00 2000 |
Bobek.c is a Wu-Ftpd 2.6.0 remote root exploit (updated 05/08/2000). Bug is in the SITE EXEC command, an account is not required as anonymous access is enough. Tested against Redhat 6.2, FreeBSD 3.4-STABLE, and FreeBSD 5.0-CURRENT. Homepage: http://b0f.freebsd.lublin.pl. By Venglin | |||
ie5.force-feed.txt | 3521 | 6406 | Jun 29 16:48:42 2000 |
Microsoft Internet Explorer 5 and accompanying mail and news clients on win95, win98 and win2000 enjoy a unique status in that they choose to ignore user input. This document will show you how to manually force a file onto the target computer despite all prompts and warnings. Demonstration available here. Homepage: http://www.malware.com. | |||
iisdos.c | 2985 | 2467 | Jun 26 02:00:05 2000 |
iisdos.c is a dos attack against Microsoft Windows 2000.0 running IIS. By WC | |||
fbi-aim-dos.txt | 2805 | 4725 | Jun 21 16:12:51 2000 |
AOL Instant Messenger remote dos exploit. Sending certain filenames to another user causes the remote AIM to crash. Only effective against Windows 2000 Professional, 95/98/98se are safe. Homepage: http://home.cyberarmy.com/fbi/. By Decss | |||
2dopewars_exploits.t..> | 2729 | 3760 | Jun 25 23:36:32 2000 |
Dopewars 1.47-current has two local security holes. Dopewars is SGID games. Remote buffer overflows also exist. Homepage: http://www.fakehalo.org. By Vade79 | |||
0006-exploits.tgz | 2458 | 165194 | Jul 13 10:08:29 2000 |
Packet Storm new exploits for June, 2000. | |||
gdmexpl.c | 1973 | 3711 | Jun 5 10:57:10 2000 |
gdm (xdmcp) remote root exploit. Tested against SuSE 6.2 and RedHat 6.2 running gdm-2.0beta1-4. Binds a shell to port 3879. Homepage: http://www.sekure.de. By AbraxaS | |||
firewall-1.fragment...> | 1795 | 3808 | Jun 6 18:09:07 2000 |
DoS attack for all platforms of Checkpoint Firewall-1 has been identified. Large numbers of fragmented packets cause the CPU to hit 100% utilization, and the system locks up. Some systems may also crash, depending on OS type. The rulebase can not be used to block the attack, and nothing is logged. More information on Firewall-1's state table available here. Homepage: http://www.enteract.com/~lspitz/papers.html. By Lance Spitzner | |||
netscape.ftp.txt | 1737 | 3078 | Jun 21 13:27:02 2000 |
The Netscape Professional Services FTP server contains several remote vulnerabilities which are easily exploited. Any file on the system can be downloaded / uploaded, users can overwrite each other files via LDAP, and LDAP passwords can be read remotely. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski | |||
ie5-access2000.txt | 1717 | 1971 | Jun 29 14:38:11 2000 |
Georgi Guninski security advisory #14 - Internet Explorer 5.01 and Access 2000 allow executing programs when viewing a web page or HTML email message. This allows taking full control over user's computer. Access 2000 allows executing VBA code which has access to system resources and in particular executing files. Includes exploit code which silently opens and executes VBA code from Access 2000. Demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski | |||
mdbms-exp.c | 1714 | 2380 | Jun 2 11:29:21 2000 |
MDBMS v0.99b5 remote root exploit - tested on Redhat 6.0. Shellcode runs an interactive shell on port 30464. By Diab | |||
xterm-dos.c | 1705 | 2474 | Jun 2 12:43:41 2000 |
xterm denial of service attack - By sending the VT control characters to resize a window it is possible to cause an xterm to crash and in some cases consume all available memory. This is a problem because remote users can inject these control characters into your xterm in many different ways. This sample exploit injects these control characters into a web get request. If an admin were to cat this log file, or happened to be doing a "tail -f access_log" at the time of attack they would find their xterm crashed. Tested against rxvt v2.6.1 and xterm (XFree86 3.3.3.1b(88b). Homepage: http://www.rootshell.com. By Kit Knox | |||
ex_winproxy.c | 1648 | 8392 | Nov 14 13:47:25 2000 |
Shadow Penguin Security Advsory #37 - WinProxy 2.0.0/2.0.1 (now known as Black Jumbo dog) contains many remotely exploitable buffer overflows. Exploit for the POP3 service included, tested on Japanese Windows98. Homepage: http://shadowpenguin.backsection.net. By UNYUN | |||
testsyscall.c | 1624 | 9217 | Jun 21 15:06:23 2000 |
HP1 advisory - /usr/share/lkm/test/testsyscall.c for *BSD is vulnerable to a buffer overflow attack. When testsyscall is running via inetd, remote users can execute arbitrary commands. Includes problem discussion and exploit code. Homepage: http://www.hackphreak.org. By RLoxley | |||
dmx.c | 1611 | 1700 | Jun 6 14:10:07 2000 |
Netwin ESMTP Server v2.7q linux x86 remote exploit. Tested on RedHat 6.1, binds a shell to TCP port 30464. By FunkySh | |||
wingate.py | 1565 | 803 | Jun 29 14:41:32 2000 |
Wingate.py is a dos exploit for Qbik wingate 3.0. Connects to tcp port 2080 and sends 2000 characters, causing all wingate services to crash. Origional bug found by eEye. By Prizm | |||
rootkeep.sh | 1525 | 3310 | Jun 6 14:33:43 2000 |
rootkeep.sh obtains root locally on Solaris via an included kcms exploit, and modifies the startup scripts so an account is added each time the machine is rebooted. Homepage: http://www.antioffline.com. By Sil | |||
ie5-excel-powerpoint..> | 1522 | 2477 | Jun 29 14:29:55 2000 |
Georgi Guninski security advisory #13 - Internet Explorer 5.01, Excel 2000 and PowerPoint allow executing programs when viewing a web page or HTML email message via insecure ActiveX controls. This allows taking full control over user's computer. Demonstration available here. Homepage: http://www.nat.bg/~joro/. By Georgi Guninski | |||
isc-dhcpd.exploit.tx..> | 1480 | 710 | Jun 27 15:01:55 2000 |
The ISC dhcp client contains a remote root hole. If the DHCP server gives out addresses containing backticks, shell commands can be run on the clients. By Todd T. Fries | |||
rip.c | 1465 | 7097 | Jun 14 09:53:14 2000 |
rip.c is a local exploit for the dump package version 0.3-14 and 0.4b13 (restore binary). Tested against linux, gives a UID=0 shell on 2.2.16, GID=0 on 2.2.15 and below. Homepage: http://b0f.freebsd.lublin.pl. By Scrippie | |||
inews_bof.c | 1432 | 2506 | Jun 23 17:03:58 2000 |
Inews (inn-2.2) local buffer overflow - provides a gid=news shell if /usr/bin/inews is SGID. Includes perl script to find the offset. Homepage: http://www.fakehalo.org. By Vade79 | |||
coldfusion.dos.txt | 1387 | 3819 | Jun 9 15:43:19 2000 |
A new denial of service The Allaire ColdFusion Web Application Server contains a denial of service vulnerability in all ColdFusion versions up through and including 4.5.1. A very large password at the ColdFusion Administrator login page can bring the system to a halt. Homepage: http://www.allaire.com/security. | |||
crash_winlogin.c | 1335 | 14433 | Jun 15 16:14:32 2000 |
Proof of concept exploit for the "Remote Registry Access Authentication" vulnerability in Windows NT 4.0 which was described in ms00-040 which allows a user of the local network to crash winlogon.exe remotely. By Renaud Deraison | |||
msbd-dos.c | 1297 | 1841 | Jun 2 12:38:32 2000 |
Windows Media Encoder 4.0 and 4.1 is vulnerable to a remote denial of service attack. This source causes the Windows Media Encoder to crash with a "Runtime Error". Tested on version 4.1.0.3920. This is the vulnerability described in ms00-038. Homepage here. By Kit Knox | |||
imesh102.pl | 1255 | 1350 | Jun 21 15:09:45 2000 |
A buffer overflow exists in iMesh 1.02 that allows the execution of arbitrary code. When the iMesh client connects to a server, the server is able to exploit the vulnerability and execute arbitrary code on the system the client is running on. Homepage: http://midgets.box.sk. By Chopsui-cide | |||
ie-iframe.txt | 1236 | 2109 | Jun 6 18:28:01 2000 |
Georgi Guninski security advisory #12 - Internet Explorer 5.01 under Windows 98 (other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of documents using JavaScript, IFRAME and WebBrowser control. This exposes the whole DOM of the target document and opens lots of security risks, such as reading local files, reading files from any host, window spoofing, getting cookies, etc. Exploit code included. Demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski | |||
yl-cfDoS.c | 1215 | 2577 | Jun 13 13:32:49 2000 |
Cold Fusion 4.5.1 remote dos attack - sends a very long password, crashing the server. By Ytcracker | |||
DST2K0018.txt | 1193 | 2890 | Jun 21 13:54:05 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0018 - WebBBS HTTP Server v1.15 under Windows NT contains remotely exploitable buffer overflow vulnerabilities. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team | |||
argo1002.pl | 1181 | 913 | Jun 21 15:12:10 2000 |
This will cause Argosoft Mail Server 1.0.0.2 to page fault if the finger daemon is running. Homepage: http://midgets.box.sk. By Chopsui-cide | |||
access.vba.txt | 1176 | 6315 | Jun 15 20:49:25 2000 |
Microsoft Access Databases are not afforded "Macro execution protection" in the manner of Word/Excel/Powerpoint documents. Attackers can insert trojan VBA code into MS Access documents to execute arbitrary commands on the remote machine. Homepage: http://johnny.ihackstuff.com. By Johnny | |||
mdma-6.eserv.txt | 1157 | 3283 | Jun 6 18:00:37 2000 |
MDMA Advisory #6 - EServ v2.92 and prior are vulnerable to a logging heap overflow vulnerability. Java proof of concept exploit code included. Homepage: http://www.mdma.za.net/fk. By Wizdumb | |||
netscape.netware.txt | 1133 | 2854 | Jun 27 14:26:43 2000 |
Netscape Enterprise Server for Netware 5.0 and Netware 5.1 contain remote vulnerbailities. By issuing a malformed URL it is possible to cause a denial of service situation and/or execute arbitrary code on the server with the privileges of the web server. Homepage: http://www.vigilante.com. By VIGILANTe | |||
2.2.14-sendmail.tgz | 1106 | 933 | Jun 8 16:51:27 2000 |
Linux 2.2.X local exploit - A new local bug in the 2.2 kernel has been discovered. Using the "capabilities" bug, it is possable to exec sendmail without the CAP_SETUID priv, which makes the setuid() call which drops privileges fail. Large chunks of code which were never meant to run as root do, exploiting this is trivial. Working exploit for sendmail + 2.2.16pre5 and below is included. By Florian Heinz | |||
innd-2.2.2.txt | 1092 | 2289 | Jun 6 10:57:17 2000 |
INND (InterNet News Daemon) 2.2.2 has a remotely exploitable stack overflow in the control articles handler. About 80% of usenet servers are vulnerable. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski | |||
sawmill-5.0.21.txt | 1084 | 2455 | Jun 28 20:36:34 2000 |
Sawmill 5.0.21 is a site log statistics package for UNIX, Windows and MacOS which has remote vulnerabilities. Any file on the system can be read, and password is stored with a weak hash algorithm and can be decrypted using the included C program. This is dangerous because the previous security hole will allow you to read the hash and decrypt the admin password. Homepage: http://vapid.betteros.org. By Larry W. Cashdollar | |||
wuXploit.tgz | 1061 | 4944 | Jul 1 14:16:54 2000 |
Wu-Ftpd 2.4.2, 2.5, and 2.6 are commonly misconfigured on linux to allow users which only have a valid FTP account to execute code. This code takes advantage of this configuration, mentioned in SUID Advisory #1 to execute a backdoor on the remote host. By Wildcoyote | |||
oasis2.c | 1049 | 4601 | Jun 12 12:18:16 2000 |
oasis2.c sends spoofed ICMP_SOURCE_QUENCH packets, telling the victim host to slow down data transmission. By Oasis | |||
imbof102.txt | 1047 | 2707 | Jun 29 08:10:37 2000 |
iMesh 1.02 builds 116 and 177 for Windows are vulnerable to a buffer overflow that can be exploited to execute arbitrary code. Once iMesh connects to a server, it begins listening on a TCP port (varies). An attacker can connect to this port and cause an overflow which will overwrite EIP, effectively redirecting the flow of execution. Homepage: http://bluepanda.box.sk. By Blue Panda | |||
mdma-5.savant.txt | 1043 | 1165 | Jun 6 21:12:43 2000 |
MDMA Advisory #5 - It is possible to view the source of CGI scripts running under the Savant Webserver by omitting the HTTP version from your request. Homepage: http://www.mdma.za.net/fk. By Wizdumb | |||
leafchat.dos | 1030 | 1273 | Jun 27 14:32:29 2000 |
Java source to remotely crash LeafChat clients. Homepage: http://www.mdma.za.net. By Wizdumb | |||
glftpd.privpath.txt | 1028 | 6137 | Jun 27 14:29:49 2000 |
Glftpd 1.18 through 1.21b8 has a serious problem with the privpath directives. Users with accounts can access directories on the site which they should not have access to. By Raymond Dijkxhoorn | |||
Infosec.20000617.pan..> | 997 | 1873 | Jun 21 13:47:24 2000 |
Novell Netware servers running Panda Antivirus allows attackers to run any command on a Netware console. By connecting to tcp port 2001, any Netware command can be executed with the CMD command. By Ian Vitek | |||
tidcmp.c | 915 | 4783 | Jun 9 13:45:00 2000 |
tidcmp.c is an ICMP Source Quench attack. Sends spoofed ICMP type 4 packets to the victims router. Includes references to the relevant RFC's. Homepage: http://www.antioffline.com. By Sil | |||
proxy.dos | 899 | 2931 | Aug 2 11:48:26 2000 |
Many HTTP proxies are vulnerable to a denial of service attack because they do not timeout connections to a remote host, causing the proxy to run out of available sockets and start refusing connections. Tested against Delegate 6.1.13. Exploit code included. Homepage: http://xorteam.cjb.net. By SectorX | |||
mercur32.c | 851 | 3165 | Jun 15 16:18:20 2000 |
Remote Denial of Service for Mercur 3.2 allows any remote user to shut down the server. By TDP | |||
ufsroot.c | 830 | 13638 | Jun 15 16:09:04 2000 |
Solaris 2.x through v8 contains an exploitable local root buffer overflow vulnerability in ufsrestore. Exploit code included and tested on Solaris 8 sun4u. Homepage: http://www.itsx.com. By Job de Haas | |||
inndx.c | 828 | 3260 | Jun 15 21:04:50 2000 |
inndx: innd remote 'news' user/group exploit. Tested on innd-2.2.2-3 default installation on RedHat 6.2. Homepage: http://www.elzabsoft.pl/~wp. By Wojciech Purczynski | |||
smlnx.sh | 827 | 2387 | Jun 26 01:54:50 2000 |
Linux kernel 2.2.X (X<=15) & sendmail less than or equal to 8.10.1 local root exploit shell script. By Wojciech Purczynski | |||
prlnx.sh | 788 | 1801 | Jun 26 01:56:52 2000 |
Sendmail & procmail & kernel less than 2.2.15 local root exploit. By Wojciech Purczynski | |||
varitas.solaris.txt | 765 | 4267 | Jun 16 16:45:09 2000 |
Veritas Volume Manager 3.0.x for Solaris contains a security hole which can, under specific circumstances, allow local users to gain root access. Exploit description included. By Echo8 | |||
pine_bof.c | 751 | 3453 | Jun 18 22:41:07 2000 |
Pine v4.10-21 local buffer overflow - drops a gid=mail shell if /usr/bin/pine is SGID. Tested on Debian slink2.1. By Vade79 | |||
setxconfxploit.c | 750 | 1488 | Jun 18 23:49:05 2000 |
SetXConf local root exploit for Corel linux v1.0 with xconf utils. Homepage: http://www.suid.kg. By Suid | |||
userregsp.c | 749 | 4561 | Jun 19 10:27:18 2000 |
MailStudio2000 v2.0 and below userreg.cgi exploit - Executes arbitrary commands on remote host as root.mail. By Fygrave | |||
cdrecord.c | 740 | 2357 | Jun 9 15:24:05 2000 |
/usr/bin/cdrecord local exploit for x86 linux - gives gid=80 shell. Tested on Mandrake 7.0. By Noir | |||
sw3paper.tgz | 732 | 15595 | Jun 9 14:01:35 2000 |
Design and Implementation Flaws in SessionWall-3 - SessionWall-3 (more recently known as e-Trust IDS) is a graphically controlled sniffer and network monitor / network censor for the Windows platform. The SessionWall-3 machine can be detected and identified remotely by a single ICMP packet. The password is stored in the registry with very simple XOR encryption. Includes sample code which decrypts the admin password, passive SW-3 detection, and active SW-3 detection & reply packet forger. Homepage: http://www.phate.net. By Codex | |||
splitexp.c | 725 | 12277 | Jun 15 14:48:57 2000 |
Splitvt 1.6.3 local root buffer overflow exploit - Tested on Debian. Includes lots of cool dubugging captures from gdb explaining what is going on. By Syzop | |||
wmnetmon_bof.c | 708 | 2335 | Jun 18 20:13:32 2000 |
Wmnetmon v0.2 buffer overflow exploit for Linux - Provides a euid=0 shell provided /usr/X11R6/bin/wmnetmon is suid root, as it is by default. Includes perl script to try all offsets. By Vade79 | |||
chkperm.c | 708 | 908 | Jun 9 14:11:36 2000 |
Solaris /usr/vmsys/bin/chkperm overflow - A long HOME environment variable can be used to provide a UID=bin shell. By Guile cool | |||
exim.c | 705 | 986 | Jun 26 02:01:35 2000 |
exim local buffer overflow exploit. | |||
spj-004-000.txt | 705 | 10078 | Jun 13 13:48:32 2000 |
S0ftpj Security Advisory SPJ-004-000 - Multiple remote CGI vulnerabilities in MailStudio2000. Users can view any file on the system, as well as execute commands remotely as root. Major search engines can be used to locate vulnerable hosts. Exploit descriptions included. Homepage: http://www.s0ftpj.org. By Fusys | |||
DST2K0012.txt | 701 | 2654 | Jun 8 14:56:31 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0011 - Buffer Overflow in HP Openview Network Node Manager v6.1 for Microsoft Windows NT v4.0 Workstation (SP6). By using the Alarm service which runs on port 2345 and is installed by default with HP openview network node manager, it is possible to cause a buffer overrun in OVALARMSRV, causing the EIP to be overwritten and allowing the execution of arbitry code. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team | |||
kdesud.c | 688 | 1470 | Jun 9 15:16:58 2000 |
/usr/bin/kdesud has DISPLAY enviroment variable overflow - exploit gives gid=0, tested on Mandrake 7.02. By Noir | |||
gssftp.txt | 665 | 2357 | Jun 15 00:38:21 2000 |
Remote vulnerabilities in GSSFTP daemon - A remote attacker can preform denial of service attacks, and local users can get root access. Source distributions which may contain vulnerable code include MIT Kerberos 5 releases krb5-1.1 and krb5-1.1.1, while MIT Kerberos 5 releases krb5-1.0.x is not vulnerable. By Tom Yu | |||
DST2K0011.txt | 633 | 2873 | Jun 8 14:50:22 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0011 - The CMail Server v2.4.7 under Windows NT is vulnerable to a buffer overrun in NTDLL.DLL. By sending a long GET request to tcp port 8002, the EIP can be overwritten and arbitrary code execution is possible. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team | |||
freebsd-cdrecord.c | 631 | 1739 | Jun 12 08:47:57 2000 |
Freebsd cdrecord local root exploit - Tested against FreeBSD 3.3-RELEASE. Homepage: http://xorteam.cjb.net. By SectorX | |||
dragonftp.py | 617 | 548 | Jun 29 21:01:46 2000 |
Dragon Server(ftp) v1.00 and 2.00 remote dos exploit written in python. By Prizm | |||
DST2K0010.txt | 609 | 2521 | Jun 8 14:42:38 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0010 - Two vulnerabilities were found in Ceilidh v2.60a for Microsoft Windows NT v4.0 Workstation (SP6). The html code which is generated by ceilidh.exe (example URL below) contains a hidden form field by the name of "translated_path", revleaing the true path. By using a specially crafted POST statement it is possible to spawn multiple copies of ceilidh.exe each taking 1% of CPU and 700k of memory. This can be sent multiple times to cause resource depletion on the remote host. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team | |||
smartftp.txt | 601 | 1248 | Jun 15 16:43:45 2000 |
Remove vulnerability has been found in the SmartFTP-D Server which allows a remote user with an account to read any file on the system. Homepage: http://jodeit.cjb.net. By Moritz Jodeit | |||
major2.c | 588 | 3557 | Jun 18 23:44:48 2000 |
Majordomo local exploit for Suse 6.0 and 6.3. Tested against Majordomo Wrapper <= v1.94.5. Homepage: http://www.brightdarkness.de. By Morpheusbd | |||
xwhois_bof.c | 551 | 1503 | Jun 27 10:19:50 2000 |
xwhois buffer overflow, for Linux x86. This will give you a euid=0 shell if /usr/X11R6/bin/xwhois is SUID(=4755), which isn't anywhere by default. Homepage: http://www.fakehalo.org. By Vade79 | |||
smallhttp.py | 534 | 526 | Jun 29 21:04:29 2000 |
Small HTTP Server v. 1.212 remote dos attack written in python. See USSR Advisory #47 By Prizm | |||
xfwm_bof.c | 534 | 1418 | Jun 27 10:21:22 2000 |
xfwm buffer overflow exploit for Linux / x86. This will give you a euid=0 shell if /usr/X11R6/bin/xfwm is SUID(=4755), which isn't anywhere by default. Homepage: http://www.fakehalo.org. By Vade79 | |||