Welcome to the Exploits for July, 2000 Section.
Some of these exploits are from Bugtraq and Security Bugware.
File Name | Downloads | File Size | Last Modified |
--- | --- | --- | --- |
0007-exploits.tgz | 2567 | 137051 | Aug 3 17:28:41 2000 |
Packet Storm new exploits for July, 2000. | | | |
wuftpd-god.c | 5769 | 20305 | Jul 8 21:35:24 2000 |
Fixed version of the wu-ftpd 2.6.0 exploit. Now gets the return address correct much more often. By god-@efnet | | | |
imeshexp.zip | 1734 | 15785 | Jul 3 20:41:15 2000 |
iMesh V1.02 Beta build 117 remote exploit for Windows 98. Exploits a buffer overflow to download a file from a given URL and execute it on the remote host. Includes Windows binary and C source. Homepage: http://www.mxeleet.org. By Hitek | | | |
7350qpop.c | 2478 | 13372 | Jul 15 16:34:29 2000 |
qpopper 2.53 euidl x86/linux remote exploit. Includes a procedure to abuse format strings to find the correct offset. Tested on Debian 2.1, RedHat 6.1, Slackware 7, Suse 5.2 and 6.0. Homepage: http://teso.scene.at. By Scut | | | |
razor.password.txt | 623 | 10692 | Jul 5 15:10:39 2000 |
Razor is a configuration management tool which has a serious flaw with the Razor password file, rz_passwd. It can be decrypted with dumprazorpasswd.c or passwd_rz.pl, which are included. By Shawn Clifford | | | |
netscape.jpg-marker...> | 823 | 10594 | Jul 25 11:58:20 2000 |
Netscape browsers v4.73 and below can be tricked into executing arbitrary assembly code by a malicious web site. In the case of Netscape Mail or News, the attack may be performed via a mail message or a news article as well. A bug in the way Netscape browsers use the Independent JPEG Group's decoder library can cause the JPEG stream to be read onto the heap. Exploiting this vulnerability into executing arbitrary code is non-trivial, but possible on some platforms. Homepage: http://www.openwall.com/advisories. By Solar Designer | | | |
wu-ftpd26.c | 2007 | 7882 | Jul 17 16:34:58 2000 |
Remote root exploit for Wu-ftpd 2.6.0 from the ports collection running on FreeBSD v3.3, 3.4 and 4.0. Homepage: http://www.hack.co.za. By Glitch | | | |
fawx2.c | 1917 | 7262 | Jul 24 16:34:35 2000 |
fawx2.c sends fragmented junk to port 139, causing a blue screen under Windows 95 / 98 / 2000. Homepage: http://www.slacknet.org. By Heeb | | | |
wn-ex.c | 426 | 7238 | Jul 21 10:46:52 2000 |
Remote buffer overflow exploit for the wn webserver for Linux, version v2.0.9 and below. Homepage: http://www.ccc.de. By Dvorak | | | |
OW-002-netscape-jpeg..> | 528 | 6471 | Jul 25 12:17:10 2000 |
Netscape 4.73 and below remote proof of concept exploit for linux/x86. Includes a test image which crashes Netscape, a JFIF file compiler which exploits the COM marker processing vulnerability, and an unofficial patch for Mozilla M15 and Win32 Netscape. Homepage: http://www.openwall.com/advisories. By Solar Designer | | | |
FS-072800-9-BEA.txt | 951 | 6121 | Jul 30 02:48:31 2000 |
Foundstone Security Advisory - Two show-code vulnerabilities exist in BEA's WebLogic 5.1.0, allowing an attacker to view the source code of any file within the web document root of the web server. Depending on the web application and directory structure, an attacker can access and view unauthorized files. Proof of concept URLs included. Homepage: http://www.foundstone.com. By Saumil Shah | | | |
FS-071000-5-JWS | 854 | 5756 | Jul 12 18:02:22 2000 |
The Sun Java Web Server for Solaris and Windows NT allows a remote attacker to execute arbitrary commands on the target system. Proof of concept included. Homepage: http://www.foundstone.com. By Saumil Shah | | | |
pasvagg.pl | 568 | 5679 | Jul 24 12:47:23 2000 |
Passive Agression is a Perl proof-of-concept exploit for downloading other users' files from FTP servers without needing their authentication. It works against servers that use passive connections for data transfers and fail to check the incoming address of the data connection. It first attempts to determine the server-side data port incrementation rate, then guesses at the next port, makes a connection, and saves the retrieved data to a file. This does not work against M$ boxen, but is fairly impressive when run against large public FTP servers. A much more sinister purpose would be to snag confidential files being passed between corporate networks at scheduled times, like end of the day batch processing of customer orders, or crontab'd FTP backups. Homepage: http://www.digitaloffense.net. By H.D. Moore | | | |
telsrv.txt | 887 | 5564 | Jul 17 15:47:05 2000 |
GAMSoft's TelSrv 1.4/1.5 contains a remote denial of service vulnerability. If supplied with a very large login name, the service will crash. By Prizm | | | |
proftpX.c | 2111 | 5175 | Jul 1 13:51:53 2000 |
ProFTPD 1.2pre4 remote buffer overflow exploit. Requires a writable directory. By Wildcoyote | | | |
cpd.c | 3100 | 4567 | Jul 1 14:43:17 2000 |
CheckPoint IP firewall crashes when it detects packets coming from a different MAC with the same IP address as itself. We simply send a few spoofed UDP packets to it. By Antipent | | | |
FS-072500-7-ANA.txt | 629 | 4337 | Jul 25 16:01:40 2000 |
Foundstone Security Advisory - AnalogX Proxy v4.04 contains multiple buffer overflows. Includes several proof of concept denial of service examples. Homepage: http://www.foundstone.com. By Robin Keir | | | |
cvs-1.10.8.txt | 816 | 4259 | Jul 28 12:25:55 2000 |
CVS v1.10.8 allows users to execute any binary on the server using CVS/Checkin.prog or CVS/Update.prog. By Tanaka Akira | | | |
FS-072600-8-ANA.txt | 672 | 4165 | Jul 26 17:44:30 2000 |
Foundstone Security Advisory - AnalogX SimpleServer:WWW v1.06 and below is vulnerable to a "relative directory path" attack that allows a remote user to retrieve any known file on the server. Homepage: http://www.foundstone.com. By Robin Keir | | | |
dune_poc.c | 456 | 3815 | Jul 20 10:53:18 2000 |
The Dune Webserver v0.6.7 has remotely exploitable buffer overflows. This code is a proof of concept exploit for linux/x86. Homepage: http://www.fakehalo.org. By Vade79 | | | |
outlook.advisory.txt | 848 | 3673 | Jul 19 10:47:28 2000 |
Microsoft Outlook Advisory and Remote Exploit - A bug in a shared component of the Microsoft Outlook and Outlook Express mail clients can allow a remote user to write arbitrary data to the stack. This bug has been found to exist in all versions of MS Outlook and Outlook Express on both Windows 95/98 and Windows NT 4. Includes an in-depth discussion and a proof-of-concept exploit that, when placed in the header field of a message or MIME attached message, will download and execute an executable from the web. By Aaron Drew | | | |
netscape.ad.00-07 | 1794 | 3324 | Jul 12 18:28:26 2000 |
Security Advisory (netscape.ad.00-07) - Netscape Administration Server Password Disclosure. Netscape SuiteSpot running on Netscape webservers has a password file which in the default configuration is readable by remote users. All platforms are affected. By F0bic | | | |
DST2K0019.txt | 1115 | 3284 | Jul 5 15:21:26 2000 |
Delphis Consulting Plc Security Team Advisory DST2K0019 - WebBBS v1.17 for Windows NT contains multiple buffer overflows, some of which allow remote code execution. Homepage: http://www.delphisplc.com/thinking/whitepapers/. By Delphis Security Team | | | |
bitchx.dos.txt | 2546 | 3263 | Jul 8 16:03:30 2000 |
A denial of service bug was discovered in BitchX - a nasty user can invite you to a channel with a %s in it, causing the client to coredump. This is a classic case of printf(variable) where variable contains formatting chars. Patch available here. Homepage: http://www.bitchx.com. By Colten Edwards | | | |
Xnapster.c | 3364 | 3240 | Jul 1 13:58:14 2000 |
Gnapster 1.3.8 and Knapster 0.9 remote view file exploit. By Wildcoyote | | | |
ralfchat12.txt | 936 | 3050 | Jul 11 21:51:13 2000 |
Ralf Chat 1.2, a free CGI based chat system, has remote vulnerabilities. User passwords can be retrieved in plain text, and the default admin password is rarely changed. By Daniel Wischnewski | | | |
SuSeLocaltmpXploit.c | 1510 | 2920 | Jul 1 14:04:12 2000 |
SuSe 6.1 through 6.4 local exploit - when root switches users, /tmp/ will be the $HOME. This exploit will create a suid (user) shell when root su's to a user account. By Wildcoyote | | | |
tetrinet_dos.c | 467 | 2890 | Jul 12 14:12:44 2000 |
Tetrinet v0.6 for Linux denial of service exploit. If a user on the local network sends an encrypted string and disconnects before the login is completed, the Tetrinet server exits with a broken pipe. Homepage: http://www.fakehalo.org. By Vade79 | | | |
xppnc.c | 570 | 2579 | Jul 21 11:41:24 2000 |
PNC Bouncer remote exploit - tested against v1.11 on RedHat 6.0, SuSE 6.3, and Mandrake 6.0. Homepage: http://www.undersec.com. By Raise | | | |
JRUNremoteXploit.tgz | 1231 | 2560 | Jul 1 13:45:44 2000 |
JRun 2.3 remote buffer overflow exploit. Runs a shell on the port where the JRun webserver daemon is running. By Wildcoyote | | | |
Infosec.20000712.wor..> | 1648 | 2508 | Jul 12 18:07:02 2000 |
Infosec Security Vulnerability Report - The web server for remote access to e-mail in WorldClient 2.1 for Windows NT is vulnerable to a "root dot dot" attack. It is possible to read any file if the full path is known. By Christer Staffer | | | |
VIGILANTE-2000004.tx..> | 503 | 2446 | Jul 19 13:07:58 2000 |
Vigilante Advisory #4 - The HP Jetdirect FTP service has a remote denial of service vulnerability affecting versions 8.20 and below. A long quote command causes the printer to crash, requiring a power cycle. Homepage: http://www.vigilante.com. By Vigilante | | | |
winamp.m3u.txt | 1285 | 2389 | Jul 27 13:59:09 2000 |
Winamp contains a buffer overflow in its M3U playlist parser. It is possible to execute arbitrary code on a remote computer via a malicious playlist. Proof of concept playlist included. By Pauli Ojanpera | | | |
excel2000-exec.txt | 1804 | 2344 | Jul 13 10:20:40 2000 |
Excel 2000 serious vulnerability - Excel 2000/Windows 98 (other versions too) allows executing programs when opening an Excel Workbook (.xls file). This may also be exploited through IE or Outlook. This can easily lead to taking full control over the user's computer. Demonstration available here. Homepage: http://www.nat.bg/~joro. By Georgi Guninski | | | |
VIGILANTE-2000003.tx..> | 2122 | 2338 | Jul 15 16:50:39 2000 |
Microsoft IIS v4.0 and 5.0 contain a remote denial of service vulnerability if the server has been upgraded from v3.0. Issuing a malformed request for a certain file contained in /scripts/iisadmin can result in the webserver going into an infinite loop, causing the web server to no longer accept requests. Microsoft bulletin available here. Homepage: http://www.vigilante.com. By Vigilante | | | |
wu-ftpd-v2.4.4.c | 909 | 2206 | Jul 21 11:51:15 2000 |
Wu-ftpd v2.4(4) remote root exploit. Exploits the SITE EXEC buffer overflow. By Pascal Bouchareine | | | |
pop2d.fold.txt | 1667 | 2173 | Jul 15 14:30:01 2000 |
Pop2d - any file on the system can be read remotely from a pop2 server by a user with a valid pop account, due to a bug in the fold command. By Dotslash | | | |
alibaba.txt | 1061 | 2124 | Jul 18 15:01:06 2000 |
Alibaba is an HTTP server for Windows 95/98/NT which contains buffer overflows that allow remote users to execute commands remotely. By Prizm | | | |
snoop.servlet.txt | 502 | 2091 | Jul 20 10:56:12 2000 |
The Snoop Servlet on Release Build 3.1 and 3.0 of Tomcat from the Apache Software Foundation reveals the full path to the webserver and the OS. By Efrain Torres | | | |
SA2000-02.ism.dll | 1008 | 2040 | Jul 25 17:28:51 2000 |
ISBASE Security Advisory (SA2000-02) - Microsoft IIS v4.0 and 5.0 for Windows NT and Windows 2000 sometimes displays the contents of files that should not normally be displayed and which sometimes contain sensitive data. IIS can be tricked into calling ISM.DLL and exposing the contents of .asp, .asa, and .ini files. Exploit description included. Homepage: http://www.isbase.com. By Isbase Security Team | | | |
formmail-xploit.pl | 565 | 1915 | Jul 24 12:25:00 2000 |
Form Mail v1.0 (form.cgi) remote exploit - spawns an xterm from the victim computer. Homepage: http://teleh0r.cjb.net. By Telehor | | | |
alienform2-xploit.pl | 518 | 1883 | Jul 24 11:59:22 2000 |
AlienForm2 remote CGI exploit - spawns an xterm from the target machine. Homepage: http://teleh0r.cjb.net. By Telehor | | | |
SX-20000620-3 | 1416 | 1872 | Jul 6 22:16:32 2000 |
SecureXpert Labs Advisory [SX-20000620-3] - Partial Denial of Service in Check Point Firewall-1 on Windows NT. The SMTP Security Server component of Check Point Firewall-1 4.0 and 4.1 is vulnerable to a simple network-based attack which raises the firewall load to 100%. Homepage: http://www.securexpert.com. | | | |
wftpd241.txt | 1148 | 1801 | Jul 11 14:30:12 2000 |
WFTPD and WFTPD Pro 2.41 RC10 are vulnerable to a DoS attack which requires a valid account. An out of sequence RNTO command will cause WFTPD to crash. Perl exploit included. Homepage: http://bluepanda.box.sk. By Blue Panda | | | |
clickrespond-xploit...> | 449 | 1786 | Jul 24 12:19:27 2000 |
Click Responder v1.02 remote exploit - spawns an xterm from the victim computer. Homepage: http://teleh0r.cjb.net. By Telehor | | | |
bnbform-xploit.pl | 521 | 1780 | Jul 24 11:56:41 2000 |
bnbform.cgi v4.0 and below remote exploit - reads any file on the system. Homepage: http://teleh0r.cjb.net. By Telehor | | | |
SX-20000620-2 | 1414 | 1736 | Jul 6 22:14:24 2000 |
SecureXpert Labs Advisory [SX-20000620-2] - Multiple services on Windows 2000 Server are vulnerable to a simple attack which allows remote network users to drive the CPU utilization to 100% in an extremely short period of time, at little cost to the attacker's machine. Homepage: http://www.securexpert.com. | | | |
bulkmail-xploit.pl | 432 | 1715 | Jul 24 12:00:51 2000 |
bulk.cgi is a Bulk Mailer CGI which has remote vulnerabilities which allow an attacker to spawn an xterm. Homepage: http://teleh0r.cjb.net. By Telehor | | | |
wftpd241-11.tgz | 545 | 1686 | Jul 24 16:43:12 2000 |
WFTPD/WFTPD Pro 2.41 RC11 contains four remote denial of service vulnerabilities. Perl proof of concept code included for each. Homepage: http://bluepanda.box.sk. By Blue Panda | | | |
webactive.txt | 463 | 1660 | Jul 13 10:17:13 2000 |
WEBactive HTTP Server 1.00 contains a remote denial of service vulnerability. By Prizm | | | |
bxexpl.c | 607 | 1570 | Jul 28 11:42:49 2000 |
BitchX-75p3 local exploit, Redhat 6.2 x86. By Flea | | | |
SX-20000620-1 | 1101 | 1533 | Jul 6 22:10:53 2000 |
SecureXpert Labs Advisory [SX-20000620-1] - Denial of Service vulnerability in Microsoft Windows 2000 Telnet Server. A remote user can cause the telnet server to stop responding to requests by sending a stream of binary zeros to the telnet server. This can easily be reproduced from a Linux system using netcat with an input of /dev/zero, with a command such as "nc target.host 23 < /dev/zero". Homepage: http://www.securexpert.com. | | | |
mw-exp.c | 1234 | 1530 | Jul 15 15:10:20 2000 |
makewhatis local DoS exploit - overwrites /etc/passwd as soon as makewhatis runs, usually from cron. By Grazer1 | | | |
xpbitchx.c | 584 | 1327 | Jul 21 11:56:28 2000 |
BitchX (75p3/1.0c16) local exploit. Homepage: http://www.undersec.com. By Raise | | | |
bigbrother-1.4g.txt | 1725 | 1235 | Jul 12 17:56:29 2000 |
Big Brother v1.4g and below contains a vulnerability which allows a remote attacker to view any file on the system. By Safety | | | |
netware50-sp5.dos.tx..> | 1071 | 1123 | Jul 12 22:37:24 2000 |
NetWare 5.0 with SP 5 has a remote denial of service vulnerability. By sending random data to TCP port 40193, a buffer is overflowed and the server issues a memory allocation error and eventually crashes. By Dimuthu Parussalla | | | |
poll_it.txt | 1822 | 1028 | Jul 13 10:07:31 2000 |
Pollit, a CGI application, has a vulnerability which allows remote users to read any file on the system. A URL such as /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00 will spit out /etc/passwd. By Adrian Daminato | | | |
ncsa1-3.c | 1328 | 1004 | Jul 31 14:25:09 2000 |
NCSA Httpd v1.3 remote root exploit. Tested against Slackware 4.0. Homepage: http://www.r00tabega.com. By Xtremist | | | |
bb-14h2.txt | 1521 | 974 | Jul 13 10:25:08 2000 |
Big Brother up to version 1.4H2 contains a remote vulnerability which allows remote users to create a filename with an arbitrary extension. Since the file is dropped into a directory accessible via the web server, any file extension that is parsed server side can be abused and commands can be executed remotely. By Xternal | | | |
d-link.di-701.txt | 889 | 919 | Jul 28 11:35:16 2000 |
The D-Link DI-701 Residential Gateway has an open port which allows brute force password guessing, and has a factory set default password. By Brant Hale | | | |
bajie.webserver.txt | 920 | 763 | Jul 31 13:56:50 2000 |
Bajie, a freeware HTTP daemon written in Java, has vulnerabilities which allow remote users to view any file on the system and find out the real server path. Homepage: http://www.mdma.za.net. By Wizdumb | | | |
tomcat-3.1.path.txt | 483 | 542 | Jul 19 21:57:29 2000 |
Tomcat v3.1 from the Apache Software Foundation displays the full path of the web server. By ET LoWNOISE | | | |