Welcome to the Exploits for October, 2000 Section.
Some of these exploits are from Bugtraq

Sorted By: File Name.

File Name | Downloads/File Size | Last Modified
0010-exploits.tgz | 0218360 | Nov 2 01:22:03 2000
Packet Storm new exploits for October, 2000.
33_su.c | 7174754 | Oct 5 18:50:05 2000
Immunix OS stackguard evading LC glibc + su + msgfmt local root exploit. Tested on Immunix OS (Stackguarded Redhat 6.2). Patch available here. By Kil3r of Lam3rz
A100400-1 | 2973199 | Oct 4 18:38:29 2000
Atstake Security Advisory - Microsoft's Internet Information Server 5.0 is WebDAV (RFC 2518) enabled. As part of the extra functionality provided by the WebDAV components, Microsoft has introduced the SEARCH request method to enable searching for files based upon certain criteria. This functionality can be exploited to gain what are equivalent to directory listings. These directory listings can be used by an attacker to locate files in the web directories that are not normally exposed through links on the web site. .inc files and other components of ASP applications that potentially contain sensitive information can be viewed this way. Homepage: http://www.atstake.com. By Mnemonix
auction.weaver.txt | 139729 | Oct 18 17:21:41 2000
Auction Weaver LITE 1.0 - 1.04 contains remote vulnerabilities which allow users to read any file on the filesystem, and delete arbitrary files. Fix available here. Homepage: http://coley@mitre.org.
bindview.lpc.txt | 29813765 | Oct 4 15:26:47 2000
BindView Security Advisory - Windows NT 4.0 and 2000 contain multiple vulnerabilities in the LPC ports, as described in ms00-070. Implications range from denial of service to local privilege escalation. Homepage: http://razor.bindview.com. By Todd Sabin
boa.server.txt | 1813122 | Oct 9 17:57:35 2000
The BOA webserver version 0.94.8.2 and below contains a vulnerability which allows remote users to read any file on the system. Exploit URL included. Fix available here. Homepage: http://www.s21sec.com. By Lluis Mora
bsd_chpass.c | 9163461 | Oct 3 14:21:05 2000
/usr/bin/chpass local EDITOR variable format string exploit for *BSD. Tested on OpenBSD, FreeBSD, and NetBSD. Homepage: http://teso.scene.at. By Caddis
cached_feed.cgi.txt | 4053446 | Oct 4 17:54:13 2000
Cached_Feed.cgi v1.0 from moreover.com lacks input validation, allowing any file on the webserver to be read. Exploit URL included. Fix available in V2.0, available here. Homepage: http://www.thewebmasters.net. By CDI
DST2K0036.txt | 2203582 | Oct 4 18:08:01 2000
Delphis Consulting Plc Security Team Advisory DST2K0036 - CyberOffice Shopping Cart v2 under Windows NT allows remote users to modify the price of items because prices are set by a hidden form field. Homepage: http://www.delphisplc.com/thinking/whitepapers.
DST2K0039.txt | 2524979 | Oct 4 18:11:17 2000
Delphis Consulting Plc Security Team Advisory DST2K0039 - WebData allows users who have an account to read any file on the webserver. Patch and exploit information included. Homepage: http://www.delphisplc.com/thinking/whitepapers.
DST2K0040.txt | 253002 | Oct 6 22:48:09 2000
Delphis Consulting Plc Security Team Advisory DST2K0040 - QuotaAdvisor 4.1 by WQuinn for Windows NT allows users to list all files on any file system of a server running QuotaAdvisor. Homepage: http://www.delphisplc.com/thinking/whitepapers.
easy-adv-exploit.pl | 3791986 | Oct 4 14:33:22 2000
Easy Advertiser v2.04 remote exploit. The stats.cgi script used in Easy Advertiser has an insecure open() that allows this exploit to bind a shell to port 60179 running with the privileges of the user the webserver runs as. Netcat is needed locally to use this. Homepage: http://teleh0r.cjb.net. By teleh0r@doglover.com and anno.
formnow-exploit.pl | 02186 | Oct 28 13:23:39 2000
FormNow CGI script v1.0 remote exploit - Takes advantage of an insecure sendmail call to bind a shell to tcp port 60179. Homepage: http://teleh0r.cjb.net. By Telehor
freebsd-systat.c | 5502634 | Oct 11 11:42:49 2000
FreeBSD 4.X local /usr/bin/systat exploit. Gives a sgid kmem shell by exploiting the .terminfo bug in ncurses. By Przemysław Frasunek
fwsa.sh | 89812582 | Oct 6 22:33:37 2000
Fwsa.sh is a tool for remotely penetration testing Checkpoint Firewall-1 which implements the recently published holes in session authentication. It attempts to recover user passwords, execute DoS attacks, and brute force the firewall management password. Homepage: http://c3rb3r@hotmail.com.
gdmurder.txt | 3564620 | Oct 15 12:45:37 2000
GDM local root and/or denial of service attack, tested on Red Hat 6.2. Requires console access. Homepage: http://ashtar@dragon.hack.tc.
godmessageIII.zip | 79620308 | Oct 6 20:32:32 2000
Godmessage 3 (Revision 4) is an Active X trojan which automatically uploads a binary to unpatched IE browsers when the HTML code is simply viewed. Tested against IE 5.0, 5.01, and 5.5 on Windows NT, 2000, and 98. WARNING: Viewing this HTML very well may break your computer if you run Windows! By The Pull
godmessageIV.zip | 143115015 | Oct 27 01:00:42 2000
Godmessage 4 Revision 5 is an implementation of Georgi Guninski's recent ActiveX exploit for Internet Explorer which attempts to install a trojan on any machine which views the included HTML. Changes: Revision 5 has all of the rest of the bug updates, plus includes an encrypted version, and denial of service versions (to force the user to reboot and shut down the server). It also includes an important hints section, and generally has been the work of the three developers and a ton of testers. Warning: Do not view the included HTML files with an unpatched browser if you run Windows. By The Pull
guninski23.txt | 9064458 | Oct 5 17:52:57 2000
Georgi Guninski security advisory #23 - Internet Explorer 5.5/Outlook allow executing arbitrary programs after viewing a web page or email message. This very serious vulnerability may easily lead to taking full control over the user's computer. The problem is the com.ms.activeX.ActiveXComponent java object, which allows creating and scripting arbitrary ActiveX objects, including those not marked safe for scripting. Demonstration available here or here. Homepage here. By Georgi Guninski, courtesy of Bugtraq
guninski24.txt | 1762994 | Oct 18 17:07:03 2000
Georgi Guninski security advisory #24 - IE 5.5, Outlook, and Outlook Express have a serious security vulnerability which allows remote users to read local files, arbitrary URLs, and the local directory structure after viewing a web page or reading an HTML message. The problem is that you are allowed to specify an arbitrary codebase for an applet loaded from an <OBJECT> tag and a jar file. Demonstration exploit available here. Homepage here. By Georgi Guninski
guninski26.txt | 01991 | Oct 30 16:21:02 2000
Georgi Guninski security advisory #26 - Using specially designed URLs, IIS 5.0 may return user specified content to the browser. This poses a great security risk, especially if the browser is JavaScript enabled, and the problem is greater in IE. By clicking on links, just visiting hostile web pages or opening HTML email, the target IIS server may return user defined malicious active content. This is a bug in IIS 5.0, but it affects end users and is exploited with a browser. A typical exploit scenario is stealing cookies which may contain sensitive information. Homepage here. By Georgi Guninski
half-life.txt | 333161 | Oct 18 17:29:05 2000
The Half-Life Dedicated Server for Linux v3.1.0.3 and below contains a remotely exploitable buffer overflow. Exploit code available here. By Mark Cooper
hl-advisory.asc | 013943 | Oct 28 01:40:35 2000
The Half-life Dedicated Server for Linux contains remotely exploitable buffer overflow vulnerabilities. Includes remote buffer overflow exploit hl-rcon.c which has been tested against v3.1.0.x for Linux x86. Homepage: http://www.sekure.org. By Condor, Csh
hostexp.c | 02016 | Oct 28 03:55:51 2000
Older versions of the host command contain a remotely exploitable buffer overflow. The host command is used to perform the AXFR request to obtain zone transfer information, and can be caused to execute arbitrary code when connecting to a fake DNS server, e.g. a netcat process listening on port 53. Homepage: http://www.kyuzz.org/antirez. By Antirez
hp-ux.crontab.sh | 280657 | Oct 23 23:59:28 2000
HP/UX crontab local shell script exploit. Homepage: http://www.hackerslab.com. By Kyong-won Cho
iis-unicode.txt | 12363345 | Oct 17 12:35:19 2000
Rain Forrest Puppy's investigation of the recent Microsoft IIS remote command execution vulnerability which was first mentioned in a forum post and later in ms00-078. UNICODE character translation on foreign IIS 4.0 and 5.0 servers allows additional ways of encoding '/' and '\', allowing commands to be executed under the IUSR_machine context. Homepage: http://www.wiretrip.net. By Rain Forrest Puppy
iis.asp.txt | 1283350 | Oct 23 19:33:52 2000
How to read ASP source code on an IIS 5 server using the recently discovered IIS vulnerability. Homepage: http://adonis1@videotron.ca.
iisex.c | 8712175 | Oct 19 11:28:41 2000
iisex.c is a remote command execution exploit for Microsoft IIS 4.0 and 5.0, as discussed in iis-unicode.txt, which attempts to provide an interactive cmd.exe shell. Homepage: http://www.securax.org. By Incubus
inbusdos.c | 01653 | Oct 27 00:59:09 2000
Denial of Service attack against an Intel InBusiness eMail Station. Will send a 630 char buffer to the pop server as the argument of a USER command. The little box needs to be "powered off" and on again. Homepage: http://securax.org/incubus. By Incubus
inebriation.c | 89217156 | Oct 3 13:12:26 2000
Inebriation.c is a local linux/x86 /bin/su + locale libc functions exploit which has been written in response to previous unreliable exploits for this vulnerability. It includes a perl wrapper to find the correct offset, can use GOT overwrites to evade stackguard, stackshield, and libsafe, uses clean overflow string creation, and has documentation and several other usability improvements. Homepage: http://www.synnergy.net. By Scrippie
kak.hta.tar.gz | 1872208 | Oct 15 10:46:46 2000
Kak.hta is a variation of the recent ActiveX vulnerability discovered by Georgi Guninski which attempts to add programs to the StartUp folder if viewed with a vulnerable web browser or email client. Sent in by Dotslash.
lbl-traceroute.txt | 148327217 | Oct 5 18:06:42 2000
/usr/bin/traceroute local root format string exploit for LBNL traceroute, distributed with Red Hat 6.1/6.2 and Debian 2.2. Homepage: http://www.synnergy.net. By Dvorak
listmail-exploit.pl | 02086 | Oct 28 13:27:59 2000
Listmail v112 remote exploit which spawns a shell on tcp port 60179. Takes advantage of an insecure open call. Homepage: http://teleh0r.cjb.net. By Telehor
locale_sol.txt | 48530588 | Oct 21 03:38:25 2000
This paper describes in detail the exploitation of the libc locale format string vulnerability on Solaris/SPARC. The full source code for the exploit is presented and some details of the implementation are discussed. Homepage: http://www.phreedom.org. By Solar Eclipse
ncurses-overflow.txt | 3974499 | Oct 10 18:12:15 2000
The ncurses library v4.2 and 5.0 contains exploitable buffer overflows which can be used to gain additional privilege if there are SUID programs which use ncurses and the library implementation supports ~/.terminfo. Vulnerable programs found so far include Red Hat and SuSE cda, FreeBSD /usr/bin/systat, and OpenBSD /usr/bin/systat. By Jouko Pynnönen
newsexp.tar.gz | 04588 | Oct 28 04:01:33 2000
News Update 1.1 advisory / remote exploit which allows changing the passwords for the cgi program without knowing the former password, allowing malicious users to modify your news-page. Homepage: http://www.brightdarkness.de. By Morpheusbd
ntop-w-exp.c | 02931 | Oct 27 00:39:09 2000
Ntop -w v1.2a1 remote stack overflow exploit. Ntop in web mode (-w) contains an overflow when a long filename is requested. Fix available here. By Mat
obsd_fstat.c | 6126580 | Oct 4 15:23:14 2000
OpenBSD 2.7 local root exploit for /usr/bin/fstat + libutil. Tested against OpenBSD 2.7 i386. Homepage: http://www.ktwo.ca. By Ktwo, Caddis
oracle-815.c | 3014546 | Oct 20 23:57:41 2000
Oracle 8.1.5 local buffer overflow exploit for Linux. Homepage: http://www.hackerslab.org. By Loveyou
phploit.c | 91219984 | Oct 17 02:16:02 2000
PHP/3.0.16 remote format string exploit for FreeBSD 3.4, Slackware Linux 4.0, and 7.0. Homepage: http://www.security.is. By Portal, Tf8
ppp-off.txt | 200722 | Oct 19 01:59:18 2000
Slackware Linux's ppp-off command uses /tmp insecurely by writing ps output to /tmp/grep.tmp, allowing an unprivileged user to overwrite any file as root. By Sinfony
pqwak.zip | 17428294 | Oct 23 19:49:52 2000
This program exploits a flaw in the share level password authentication of MS Windows 95/98/ME in its CIFS protocol to find the password of a given share on one of these machines, as discussed in ms00-072. By Shane Hird
pqwak2.zip | 09646 | Oct 28 01:31:09 2000
This program exploits a flaw in the share level password authentication of MS Windows 95/98/ME in its CIFS protocol to find the password of a given share on one of these machines, as discussed in ms00-072. Changes: Lots of bug fixes! Works much better. By Shane Hird
redhat.lpr.txt | 275834 | Oct 21 03:35:26 2000
Lpr lpr-0.50-4 and below contains vulnerabilities which allow local users to access other accounts, and sometimes root. Homepage: http://crash.ihug.co.nz. By Zen-parse
sa_03.txt | 1843665 | Oct 11 15:56:33 2000
NSFOCUS Security Advisory (SA2000-03) - A denial of service vulnerability has been found in the IPX/SPX protocol implementation. When a Win9x host receives an IPX NMPI packet whose source and destination machine names are both its own, it is led into an infinite loop of sending and receiving packets. This attack consumes a large amount of CPU on the attacked host, causing it to crash. Homepage: http://www.nsfocus.com.
sa_04.txt | 4482999 | Oct 11 18:45:55 2000
NSFocus Security Advisory (SA2000-04) - A denial of service flaw has been found in the Microsoft Win9x netbios client. An attacker can modify his host's file share service and perform a DoS attack against a Win9x client that visits it. Windows 95, 98, and 98se are vulnerable. Homepage: http://www.nsfocus.com.
sa_05.txt | 10643482 | Oct 11 18:43:35 2000
NSFocus Security Advisory (SA2000-05) - Microsoft Windows 9x NETBIOS password verification contains a vulnerability which allows an attacker to use a share knowing only the first byte of the password, which can easily be guessed. This is the flaw described in ms00-072 which affects Windows 95, 98, and 98se. Homepage: http://www.nsfocus.com.
scp.hole.txt | 6008489 | Oct 4 15:44:00 2000
When scp'ing files from a remote machine, the remote scp daemon can be modified to overwrite arbitrary files on the client side. Scp from ssh-1.2.30 and below is vulnerable. Proof of concept scp replacement included. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski, Craig Ruefenacht
SLA-15-PHPix.txt | 2491616 | Oct 9 18:30:47 2000
PHPix, a Web-based photo album viewer written in PHP, has a vulnerability which allows remote users to traverse directories and read any file on the server. Exploit URL included. Fix available here. Homepage: http://www.synnergy.net. By Kostas Petrakis
SLA-16.MasterIndex.t..> | 4282008 | Oct 10 18:23:41 2000
Synnergy Laboratories Advisory SLA-2000-16 - Synnergy Labs has found a flaw within Master Index for Linux/UNIX that allows a user to successfully traverse the filesystem on a remote host, allowing arbitrary files/folders to be read. Exploit URL included. Fix available here. Homepage: http://www.synnergy.net. By Kostas Petrakis
SLA-17.Anaconda.txt | 1122077 | Oct 15 11:18:49 2000
Synnergy Laboratories Advisory SLA-2000-17 - A flaw in Linux/UNIX Anaconda Foundation Directory, a yahoo style search engine based on the Open Directory Project, allows remote users to traverse the webserver's filesystem, allowing arbitrary files to be read by appending a trailing NULL byte in URL encoded format. Exploit URL included. Homepage: http://www.synnergy.net. By Kostas Petrakis
statdx2.tar.gz | 05856 | Oct 18 23:41:12 2000
Sorry, a description is unavailable.
thttpd-219.txt | 4832761 | Oct 4 17:49:46 2000
Thttpd 2.19 and below includes a CGI program "ssi" which contains a vulnerability which allows remote users to read any file on the webserver. Exploit examples included. Fix available here. Homepage: http://www.dopesquad.net/security. By Ghandi
traceroute.c | 4458283 | Oct 18 16:43:47 2000
Red Hat 6.1/6.2 traceroute local root exploit which exploits the traceroute -g bug, as described in the Red Hat Advisory on Traceroute. By Dvorak
unicode.pl | 1182326 | Oct 20 22:18:39 2000
Unicode.pl exploits vulnerable IIS servers which allow remote command execution, as described in iis-unicode.txt. By SteeLe
unicodexecute2.pl | 02235 | Oct 28 01:23:21 2000
Unicodexecute2 is a simple perl script to execute commands on vulnerable IIS servers w/ Unicode, as described in this article. Homepage: http://www.sensepost.com. By Roelof Temmingh
utilmind-maillist-ex..> | 02916 | Oct 28 13:30:21 2000
Mailing List & News Version 1.7 remote exploit - takes advantage of insecure mail handling to spawn a shell on tcp port 60179. Homepage: http://teleh0r.cjb.net. By Telehor
VIGILANTE-2000014.tx..> | 2041915 | Oct 10 17:22:28 2000
Vigilante Advisory #14 - HP Jetdirect print servers have multiple vulnerabilities with effects ranging from the service crashing to the printer initiating a firmware upgrade based on random garbage in memory, and in some cases powercycling won't fix the crash. It requires a new firmware burn by e.g. HP to restore the Jetdirect card. The FTP, Telnet, and LPD services contain buffer overflows, and spoofed malformed packets can crash the printer. Fix available here. Homepage: http://www.vigilante.com. By Vigilante
webevent.txt | 3091376 | Oct 20 22:55:53 2000
Webevent v3.3.3 (webevent.pl) is an online calendar which contains a remote cgi vulnerability which allows administrative access.
web_store-cgi.txt | 22115 | Oct 18 16:46:17 2000
Web Store (cgi-bin/Web_store/web_store.cgi) is vulnerable to a bug which allows remote users to read any file on the webserver. Exploit URL included.
wgate401.pl | 8022788 | Oct 2 10:29:04 2000
There is a vulnerability in the Wingate engine that allows a malicious user to disable all services of the engine by sending an abnormal string to the enabled Winsock Redirecter Service. Wingate Home/Standard/Pro version 4.0.1 is vulnerable. The problem has been addressed in Wingate 4.1 Beta A. Homepage: http://bluepanda.box.sk. By Blue Panda
wgate41a.txt | 2558688 | Oct 16 23:53:22 2000
Wingate 4.1 Beta A and below allows users with access to read the logs to read any file on the filesystem by encoding the URL with escape codes, bypassing input validation. Includes wgate41a.c, proof of concept code. Fix available here. Homepage: http://bluepanda.box.sk. By Blue Panda
xlockx.c | 5862437 | Oct 5 17:57:38 2000
OpenBSD 2.6 and 2.7 xlock local root format string exploit. By Noir
xsplumber.c | 1941731 | Oct 20 22:27:00 2000
Linux space plumber (/usr/games/splumber) local buffer overflow exploit. Homepage: http://www.fakehalo.org. By Vade79
xzarch.c | 2811519 | Oct 21 00:30:18 2000
Linux /usr/games/zarch v.92 local root buffer overflow exploit. Homepage: http://www.fakehalo.org. By Vade79
zen-ntkb.c | 154718 | Oct 19 02:08:22 2000
/usr/sbin/userhelper / kbdrate local root exploit - works only at the console. Works well for people you know. By zen-parse