

Welcome to the Exploits for July, 2000 Section.

Some of these exploits are from Bugtraq and Security Bugware

Sorted By: Last Modified.

File Name Downloads File Size Last Modified
0007-exploits.tgz2567137051Aug 3 2000 17:28:41
Packet Storm new exploits for July, 2000.
ncsa1-3.c13281004Jul 31 2000 14:25:09
NCSA Httpd v1.3 remote root exploit. Tested against Slackware 4.0. Homepage: http://www.r00tabega.com. By Xtremist
bajie.webserver.txt920763Jul 31 2000 13:56:50
Bajie, a freeware HTTP daemon written in Java, has vulnerabilities which allow remote users to view any file on the system and find out the real server path. Homepage: http://www.mdma.za.net. By Wizdumb
FS-072800-9-BEA.txt9516121Jul 30 2000 02:48:31
Foundstone Security Advisory - Two show code vulnerabilities exist in BEA's WebLogic 5.1.0, allowing an attacker to view the source code of any file within the web document root of the web server. Depending on the web application and directory structure, an attacker can access and view unauthorized files. Proof of concept URLs included. Homepage: http://www.foundstone.com. By Saumil Shah
cvs-1.10.8.txt8164259Jul 28 2000 12:25:55
CVS v1.10.8 allows users to execute any binary on the server using CVS/Checkin.prog or CVS/Update.prog. By Tanaka Akira
bxexpl.c6071570Jul 28 2000 11:42:49
BitchX-75p3 local exploit, Redhat 6.2 x86. By Flea
d-link.di-701.txt889919Jul 28 2000 11:35:16
The D-Link DI-701 Residential Gateway has an open port which allows brute force password guessing, and has a factory set default password. By Brant Hale
winamp.m3u.txt12852389Jul 27 2000 13:59:09
Winamp contains a buffer overflow in its M3U playlist parser. It is possible to execute arbitrary code on a remote computer via a malicious playlist. Proof of concept playlist included. By Pauli Ojanpera
FS-072600-8-ANA.txt6724165Jul 26 2000 17:44:30
Foundstone Security Advisory - AnalogX SimpleServer:WWW v1.06 and below is vulnerable to a "relative directory path" attack that allows a remote user to retrieve any known file on the server. Homepage: http://www.foundstone.com. By Robin Keir
SA2000-02.ism.dll10082040Jul 25 2000 17:28:51
ISBASE Security Advisory (SA2000-02) - Microsoft IIS v4.0 and 5.0 for Windows NT and Windows 2000 sometimes displays the contents of files that should not normally be displayed and that sometimes contain sensitive data. IIS can be tricked into calling ISM.DLL and exposing the contents of .asp, .asa, and .ini files. Exploit description included. Homepage: http://www.isbase.com. By Isbase Security Team
FS-072500-7-ANA.txt6294337Jul 25 2000 16:01:40
Foundstone Security Advisory - AnalogX Proxy v4.04 contains multiple buffer overflows. Includes several proof of concept denial of service examples. Homepage: http://www.foundstone.com. By Robin Keir
OW-002-netscape-jpeg..>5286471Jul 25 2000 12:17:10
Netscape 4.73 and below remote proof of concept exploit for linux/x86. Includes a test image which crashes Netscape, a JFIF file compiler which exploits the COM marker processing vulnerability, and an unofficial patch for Mozilla M15 and Win32 Netscape. Homepage: http://www.openwall.com/advisories. By Solar Designer
netscape.jpg-marker...>82310594Jul 25 2000 11:58:20
Netscape browsers v4.73 and below can be tricked into executing arbitrary assembly code by a malicious web site. In the case of Netscape Mail or News, the attack may be performed via a mail message or a news article, as well. A bug in the way Netscape browsers use the Independent JPEG Group's decoder library can cause the JPEG stream to be read onto the heap. Exploiting this vulnerability into executing arbitrary code is non-trivial, but possible on some platforms. Homepage: http://www.openwall.com/advisories. By Solar Designer
wftpd241-11.tgz5451686Jul 24 2000 16:43:12
WFTPD/WFTPD Pro 2.41 RC11 contains four remote denial of service vulnerabilities. Perl proof of concept code included for each. Homepage: http://bluepanda.box.sk. By Blue Panda
fawx2.c19177262Jul 24 2000 16:34:35
fawx2.c sends fragmented junk to port 139, causing a blue screen under Windows 95 / 98 / 2000. Homepage: http://www.slacknet.org. By Heeb
pasvagg.pl5685679Jul 24 2000 12:47:23
Passive Aggression is a perl proof-of-concept exploit for downloading other users' files from FTP servers without needing their authentication. It works against servers that use passive connections for data transfers and fail to check the incoming address of the data connection. It first attempts to determine the server-side data port incrementation rate and then guesses at the next port, makes a connection, and saves the retrieved data to a file. This does not work against M$ boxen, but is fairly impressive when run against large public FTP servers. A much more sinister purpose would be to snag confidential files being passed between corporate networks at scheduled times, like end of the day batch processing of customer orders, or crontab'd FTP backups. Homepage: http://www.digitaloffense.net. By H.D. Moore
formmail-xploit.pl5651915Jul 24 2000 12:25:00
Form Mail v1.0 (form.cgi) remote exploit - spawns an xterm from the victim computer. Homepage: http://teleh0r.cjb.net. By Telehor
clickrespond-xploit...>4491786Jul 24 2000 12:19:27
Click Responder v1.02 remote exploit - spawns an xterm from the victim computer. Homepage: http://teleh0r.cjb.net. By Telehor
bulkmail-xploit.pl4321715Jul 24 2000 12:00:51
bulk.cgi is a Bulk Mailer CGI which has remote vulnerabilities which allow an attacker to spawn an xterm. Homepage: http://teleh0r.cjb.net. By Telehor
alienform2-xploit.pl5181883Jul 24 2000 11:59:22
AlienForm2 remote cgi exploit - Spawns an xterm from target machine. Homepage: http://teleh0r.cjb.net. By Telehor
bnbform-xploit.pl5211780Jul 24 2000 11:56:41
bnbform.cgi v4.0 and below remote exploit - reads any file on the system. Homepage: http://teleh0r.cjb.net. By Telehor
xpbitchx.c5841327Jul 21 2000 11:56:28
BitchX (75p3/1.0c16) local exploit. Homepage: http://www.undersec.com. By Raise
wu-ftpd-v2.4.4.c9092206Jul 21 2000 11:51:15
Wu-ftpd v2.4(4) remote root exploit. Exploits the SITE EXEC buffer overflow. By Pascal Bouchareine
xppnc.c5702579Jul 21 2000 11:41:24
PNC Bouncer remote exploit - tested against v1.11 on RedHat 6.0, SuSE 6.3, and Mandrake 6.0. Homepage: http://www.undersec.com. By Raise
wn-ex.c4267238Jul 21 2000 10:46:52
Remote buffer overflow exploit for the wn webserver for linux version v2.0.9 and below. Homepage: http://www.ccc.de. By Dvorak
snoop.servlet.txt5022091Jul 20 2000 10:56:12
The Snoop Servlet on Release Build 3.1 and 3.0 of Tomcat from Apache Software Foundation reveals the full path to the webserver and OS. By Efrain Torres
dune_poc.c4563815Jul 20 2000 10:53:18
The Dune Webserver v0.6.7 has remotely exploitable buffer overflows. This code is a proof of concept exploit for linux/x86. Homepage: http://www.fakehalo.org. By Vade79
tomcat-3.1.path.txt483542Jul 19 2000 21:57:29
Tomcat v3.1 from the Apache Software Foundation displays the full path of the web server. By ET LoWNOISE
VIGILANTE-2000004.tx..>5032446Jul 19 2000 13:07:58
Vigilante Advisory #4 - HP Jetdirect FTP service has a remote denial of service vulnerability affecting versions 8.20 and below. A long quote command causes the printer to crash, requiring a power cycle. Homepage: http://www.vigilante.com. By Vigilante
outlook.advisory.txt8483673Jul 19 2000 10:47:28
Microsoft Outlook Advisory and Remote Exploit - A bug in a shared component of Microsoft Outlook and Outlook Express mail clients can allow a remote user to write arbitrary data to the stack. This bug has been found to exist in all versions of MS Outlook and Outlook Express on both Windows 95/98 and Windows NT 4. Includes in depth discussion and proof-of-point exploit that, when placed in the header field of a message or MIME attached message, will download and execute an executable from the web. By Aaron Drew
alibaba.txt10612124Jul 18 2000 15:01:06
Alibaba is an HTTP server for Windows 95/98/NT which contains buffer overflows that allow remote users to execute commands remotely. By Prizm
wu-ftpd26.c20077882Jul 17 2000 16:34:58
Remote root exploit for Wu-ftpd 2.6.0 from the ports collection running on FreeBSD v3.3, 3.4 and 4.0. Homepage: http://www.hack.co.za. By Glitch
telsrv.txt8875564Jul 17 2000 15:47:05
GAMSoft's TelSrv 1.4/1.5 contains a remote denial of service vulnerability. If supplied with a very large login name, the service will crash. By Prizm
VIGILANTE-2000003.tx..>21222338Jul 15 2000 16:50:39
Microsoft IIS v4.0 and 5.0 contain a remote denial of service vulnerability if the server has been upgraded from v3.0. Issuing a malformed request for a certain file contained in /scripts/iisadmin can result in the webserver going into an infinite loop, causing the web server to no longer accept requests. Microsoft bulletin available here. Homepage: http://www.vigilante.com. By Vigilante
7350qpop.c247813372Jul 15 2000 16:34:29
qpopper 2.53 euidl x86/linux remote exploit. Includes a procedure to abuse format strings to find the correct offset. Tested on Debian 2.1, RedHat 6.1, Slackware 7, Suse 5.2 and 6.0. Homepage: http://teso.scene.at. By Scut
mw-exp.c12341530Jul 15 2000 15:10:20
makewhatis local dos exploit - overwrites /etc/passwd as soon as makewhatis runs, usually from cron. By Grazer1
pop2d.fold.txt16672173Jul 15 2000 14:30:01
Pop2d - any file on the system can be read remotely on a pop2 server by a user with a valid pop account, due to a bug in the fold command. By Dotslash
bb-14h2.txt1521974Jul 13 2000 10:25:08
Big Brother up to version 1.4H2 contains a remote vulnerability which allows remote users to create a filename with an arbitrary extension. Since the file is dropped into a directory accessible via the web server, any file extension that is parsed server side can be abused and commands can be executed remotely. By Xternal
excel2000-exec.txt18042344Jul 13 2000 10:20:40
Excel 2000 serious vulnerability - Excel 2000/Windows 98 (other versions too) allows executing programs when opening an Excel Workbook (.xls file). This may also be exploited through IE or Outlook. This can easily lead to taking full control over the user's computer. Demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski
webactive.txt4631660Jul 13 2000 10:17:13
WEBactive HTTP Server 1.00 contains a remote denial of service vulnerability. By Prizm
poll_it.txt18221028Jul 13 2000 10:07:31
Pollit, a cgi application, has a vulnerability which allows remote users to read any file on the system. A URL such as /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00 will spit out /etc/passwd. By Adrian Daminato
netware50-sp5.dos.tx..>10711123Jul 12 2000 22:37:24
NetWare 5.0 with SP 5 has a remote denial of service vulnerability. By sending random data to tcp port 40193, a buffer is overflowed and the server issues a memory allocation error and eventually crashes. By Dimuthu Parussalla
netscape.ad.00-0717943324Jul 12 2000 18:28:26
Security Advisory ( netscape.ad.00-07 ) - Netscape Administration Server Password Disclosure. Netscape SuiteSpot running on Netscape webservers has a password file which in the default configuration is readable by remote users. All platforms are affected. By F0bic
Infosec.20000712.wor..>16482508Jul 12 2000 18:07:02
Infosec Security Vulnerability Report - The web server for remote access to e-mail in WorldClient 2.1 for Windows NT is vulnerable to a root dot dot attack. It is possible to read any file if the full path is known. By Christer Staffer
FS-071000-5-JWS8545756Jul 12 2000 18:02:22
The Sun Java Web Server for Solaris and Windows NT allows a remote attacker to execute arbitrary commands on the target system. Proof of concept included. Homepage: http://www.foundstone.com. By Saumil Shah
bigbrother-1.4g.txt17251235Jul 12 2000 17:56:29
Big Brother v1.4g and below contains a vulnerability which allows a remote attacker to view any file on the system. By Safety
tetrinet_dos.c4672890Jul 12 2000 14:12:44
Tetrinet v0.6 for linux denial of service exploit. If a user on the local network sends an encrypted string and disconnects before the login is completed, the Tetrinet server exits with a broken pipe. Homepage: http://www.fakehalo.org. By Vade79
ralfchat12.txt9363050Jul 11 2000 21:51:13
Ralf Chat 1.2, a free CGI based chat system has remote vulnerabilities. User passwords can be retrieved in plain text and the default admin password is rarely changed. By Daniel Wischnewski
wftpd241.txt11481801Jul 11 2000 14:30:12
WFTPD and WFTPD Pro 2.41 RC10 are vulnerable to a dos attack which requires a valid account. An out of sequence RNTO command will cause WFTPD to crash. Perl exploit included. Homepage: http://bluepanda.box.sk. By Blue Panda
wuftpd-god.c576920305Jul 8 2000 21:35:24
Fixed version of the wu-ftpd 2.6.0 exploit. Now gets the return address correct much more often. By god-@efnet
bitchx.dos.txt25463263Jul 8 2000 16:03:30
A denial of service bug was discovered in BitchX - a nasty user can invite you to a channel with a %s in it, causing the client to coredump. This is a classic case of printf(variable) where variable contains formatting chars. Patch available here. Homepage: http://www.bitchx.com. By Colten Edwards
SX-20000620-314161872Jul 6 2000 22:16:32
SecureXpert Labs Advisory [SX-20000620-3] - Partial Denial of Service in Check Point Firewall-1 on Windows NT. The SMTP Security Server component of Check Point Firewall-1 4.0 and 4.1 is vulnerable to a simple network-based attack which raises the firewall load to 100%. Homepage: http://www.securexpert.com.
SX-20000620-214141736Jul 6 2000 22:14:24
SecureXpert Labs Advisory [SX-20000620-2] - Multiple services on Windows 2000 Server are vulnerable to a simple attack which allows remote network users to drive the CPU utilization to 100% in an extremely short period of time, at little cost to the attacker's machine. Homepage: http://www.securexpert.com.
SX-20000620-111011533Jul 6 2000 22:10:53
SecureXpert Labs Advisory [SX-20000620-1] - Denial of Service vulnerability in Microsoft Windows 2000 Telnet Server. A remote user can cause the telnet server to stop responding to requests by sending a stream of binary zeros to the telnet server. This can easily be reproduced from a Linux system using netcat with an input of /dev/zero, with a command such as "nc target.host 23 < /dev/zero". Homepage: http://www.securexpert.com.
DST2K0019.txt11153284Jul 5 2000 15:21:26
Delphis Consulting Plc Security Team Advisory DST2K0019 - WebBBS v1.17 for Windows NT contains multiple buffer overflows, some of which allow remote code execution. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team
razor.password.txt62310692Jul 5 2000 15:10:39
Razor is a configuration management tool which has a serious flaw with the Razor password file, rz_passwd. It can be decrypted with dumprazorpasswd.c or passwd_rz.pl which are included. By Shawn Clifford
imeshexp.zip173415785Jul 3 2000 20:41:15
iMesh V1.02 Beta build 117 remote exploit for Windows 98. Exploits a buffer overflow to download a file from a given URL and execute it on the remote host. Includes windows binary and C source. Homepage: http://www.mxeleet.org. By Hitek
cpd.c31004567Jul 1 2000 14:43:17
CheckPoint IP firewall crashes when it detects packets coming from a different MAC with the same IP address as itself. We simply send a few spoofed UDP packets to it. By Antipent
SuSeLocaltmpXploit.c15102920Jul 1 2000 14:04:12
SuSe 6.1 through 6.4 local exploit - when root switches users, /tmp/ will be the $HOME. This exploit will create a suid (user) shell when root su's to a user account. By Wildcoyote
Xnapster.c33643240Jul 1 2000 13:58:14
Gnapster 1.3.8 and Knapster 0.9 remote view file exploit. By Wildcoyote
proftpX.c21115175Jul 1 2000 13:51:53
ProFTPD 1.2pre4 remote buffer overflow exploit. Requires a writable directory. By Wildcoyote
JRUNremoteXploit.tgz12312560Jul 1 2000 13:45:44
JRun 2.3 remote buffer overflow exploit. Runs a shell on the port where the JRun webserver daemon is running. By Wildcoyote