Welcome to the Exploits for November, 2000 Section.
Some of these exploits are from Bugtraq.
File Name | Downloads | File Size | Last Modified |
0011-exploits.tgz | 0 | 442967 | Dec 14 17:53:46 2000 |
Packet Storm new exploits for November, 2000. | |||
kde-exploit.gif | 0 | 245580 | Nov 4 16:19:09 2000 |
KDE File Manager can be tricked into executing commands as root by creating an HTML file with a link to a binary. By Dotslash | |||
NIT_UNICODE.zip | 0 | 71136 | Nov 29 00:26:21 2000 |
Microsoft IIS Unicode remote exploit which uses tftp to obtain code to run. By Stealthmode316 | |||
SynAttackProtect.txt | 0 | 28258 | Nov 25 17:56:43 2000 |
Windows NT 4.0 SP6a with SynAttackProtect enabled is vulnerable to a remote denial of service attack. Contact: adonis1@videotron.ca. | |||
IISHack1.5.zip | 0 | 24117 | Nov 4 23:49:32 2000 |
IISHack 1.5 uses the Unicode bug to remotely reach a buffer overflow in the IIS 4.0 and 5.0 .asp file parser that would otherwise require local access, resulting in remote system access. Homepage: http://www.eEye.com. By eEye Digital Security | |||
libc-language.su.c | 0 | 13626 | Dec 2 21:23:08 2000 |
Glibc 2.1 + /bin/su local root exploit. Tested on Redhat 6.2, 6.1, and SuSE 6.2. By Doing | |||
super-sadmin.c | 0 | 13213 | Nov 25 17:44:32 2000 |
Super Solaris sadmin Exploit - remote exploit for rpc.sadmind on Solaris 2.6/7.0 SPARC and x86; guesses the stack pointer (much like sadmin-brute.c). By Optyx | |||
sbo_ethereal.c | 0 | 12796 | Nov 18 21:12:51 2000 |
Ethereal v0.8.13 advisory and remote exploit for Linux x86. A stack overflow in the AFS packet parsing routine allows a spoofed packet to start a root shell bound to TCP port 36864. Homepage: http://hacksware.com. By Mat | |||
local_nonexec_sun.c | 0 | 10660 | Nov 14 14:19:00 2000 |
Solaris SPARC 2.6 / 7 local root exploit against /usr/bin/passwd which uses the as yet unpatched libc locale bug and bypasses non-executable stack protection. Homepage: http://www.nsfocus.com. By Warning3 | |||
xp-bitchx.c | 0 | 9668 | Dec 2 21:26:35 2000 |
BitchX v1.0c16 remote exploit. Tested against Redhat 6.0, 7.0, and Debian 2.2. Homepage: http://www.netsearch-ezine.com. By Raise | |||
sadmind-sun.brute.c | 0 | 7394 | Nov 13 16:37:21 2000 |
Remote exploit for rpc.sadmind which brute-forces the offset. Tested against Solaris x86 and SPARC v2.6 and 7.0. By Nikolai Abromov | |||
vixie-cron.sh | 0 | 7320 | Nov 17 01:16:49 2000 |
Vixie crontab local root exploit - an insecure fopen() call in Paul Vixie's crontab code is exploitable on systems where /var/spool/cron is user-readable, such as Red Hat 6.1. Homepage: http://lcamtuf.na.export.pl. By Michal Zalewski | |||
traceroot2.c | 0 | 6513 | Nov 14 21:47:19 2000 |
Traceroot2.c - Improved local root exploit for LBNL traceroute v1.4a5. Tested against Debian GNU/Linux 2.2 x86 and sparc, and Red Hat 6.2 x86. An advisory on this issue is also available. Homepage: ftp://maxx.via.ecp.fr/traceroot. By Michel MaXX Kaempf | |||
phx.c | 0 | 5332 | Nov 15 19:59:00 2000 |
Phf remote buffer overflow exploit for Linux x86. This is unrelated to the well-known bad filter problem. By Proton | |||
wkit.joe.txt | 0 | 5306 | Nov 17 08:32:19 2000 |
Joe's Own Editor File Link Vulnerability - If a joe session with an unsaved file terminates abnormally, joe creates a rescue copy of the file being edited called DEADJOE. This rescue copy is created without checking whether that path is a link, so a link planted there by another user causes joe to write through it. Homepage: http://www.wkit.com/advisories. By Patrik Birgersson | |||
1080r.c | 0 | 5219 | Nov 15 23:53:15 2000 |
Socks5 v1.0r10 remote buffer overflow exploit. Tested against Turbolinux 4.0.5 and Redhat 6.0. Homepage: http://members.tripod.com/~ochodedos. By The Dark Raver | |||
uni2.pl | 0 | 4801 | Nov 10 12:59:09 2000 |
Uni2.pl checks a host for the recent IIS Unicode vulnerability in 14 different ways. Also gives you the browser URL for the exploit. Originally by Stealthmode316, modified by Roeland. | |||
pollex.pl | 0 | 4693 | Nov 5 12:54:19 2000 |
Poll It CGI v2.0 contains remote vulnerabilities which allow remote command execution and reading of any file on the webserver. A fix is available. By Keelis | |||
openwall.c | 0 | 4622 | Nov 14 21:49:25 2000 |
Openwall.c is a local root exploit for LBNL traceroute v1.4a5 which runs its payload from the heap instead of the stack, bypassing the Openwall kernel patch's non-executable stack. Homepage: ftp://maxx.via.ecp.fr/traceroot. By Michel MaXX Kaempf | |||
coolz.cpp | 0 | 4416 | Nov 21 12:07:23 2000 |
Koules v1.4 (svgalib version) local root exploit. Homepage: http://www.synnergy.net. By Scrippie | |||
iis-unicode-exploit...> | 0 | 4305 | Nov 9 00:22:12 2000 |
IIS Unicode remote exploit - Executes commands remotely on IIS 4.0 on Windows NT and IIS 5.0 on Windows 2000. Homepage: http://teleh0r.cjb.net. By Telehor | |||
tessa.c | 0 | 4127 | Dec 6 21:03:21 2000 |
Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service and Information Store. The bug is in the handling of a line containing Content="". Homepage: http://securax.org/incubus. By Incubus | |||
uni.pl | 0 | 4048 | Nov 5 15:24:09 2000 |
Uni.pl checks a host for the recent IIS Unicode vulnerability in 14 different ways. By Stealthmode316 | |||
cons.saver.txt | 0 | 3700 | Nov 13 15:53:14 2000 |
Many systems have the SUID bit set on cons.saver (/usr/lib/mc/bin/cons.saver), part of the Midnight Commander package. A denial of service vulnerability has been found which allows local users to write a null byte into any file they can point a symlink at. Includes proof of concept exploit and a patch for cons.saver. By Z33d | |||
analogx-4.10.dos.txt | 0 | 3674 | Nov 21 12:01:33 2000 |
Network Security Solutions Security Advisory - A denial of service vulnerability has been discovered in AnalogX proxy v4.10. POP, FTP, and SMTP are vulnerable to a buffer overflow, crashing all the proxy services. Homepage: http://www.nssolution.net. By Zerologic | |||
xrcvtty.c | 0 | 3245 | Dec 2 16:23:28 2000 |
BSDI 3.0/4.0 /usr/contrib/mh/lib/rcvtty local exploit - Gives an egid=4 (tty) shell. Homepage: http://www.fakehalo.org. By Vade79 | |||
sonata.teleconf.txt | 0 | 3136 | Nov 15 18:28:34 2000 |
Voyant Technologies Sonata Conferencing vulnerability report - Local and remote vulnerabilities have been found in both the Solaris and OS/2 hosts, including reused default passwords, poor file permissions, a lack of host hardening, account enumeration, and an insecure X console. Homepage: http://vapid.dhs.org. By Larry W. Cashdollar | |||
openssh.forwarding.t..> | 0 | 3070 | Nov 14 21:58:43 2000 |
All versions of the OpenSSH ssh client prior to 2.3.0 have a vulnerability which allows a malicious OpenSSH server to turn on port forwarding even if it is disabled in the client configuration, so a hostile server can access your X11 display or your ssh-agent. The newest version is available from the homepage. Homepage: http://www.openssh.com. | |||
scx-sa-08.txt | 0 | 3068 | Nov 5 15:19:00 2000 |
Securax Security Advisory #8 - IIS 4.0 contains a denial of service vulnerability which is similar to the Unicode vulnerability. This can be fixed by installing the recent Unicode patches. Homepage: http://securax.org. By Zoa_Chien | |||
guninski27.txt | 0 | 2873 | Nov 13 16:07:13 2000 |
Georgi Guninski security advisory #27 - There is a security vulnerability in IE 5.x, Outlook, and Outlook Express which allows searching for files with a specific name (wildcards are allowed) or content. Combined with other local file reading vulnerabilities this allows attackers to search for and retrieve any file on a user's drive. The problem is the "ixsso.query" ActiveXObject which is used to query the Indexing service and, surprisingly, is marked safe for scripting. Exploit code included; a demonstration is also available. Homepage: http://www.nat.bg/~joro. By Georgi Guninski | |||
mandrake.urpmi.txt | 0 | 2628 | Nov 4 16:10:19 2000 |
Mandrake 7.1's /usr/bin/urpmi allows attackers to install RPMs as root if they have an account in the urpmi group and possibly physical access. By Dotslash | |||
pollit-2.0-exploit.p..> | 0 | 2545 | Nov 9 00:19:37 2000 |
Poll It v2.0 CGI exploit which binds a shell to tcp port 60179. By Telehor | |||
iXsecurity.20001107...> | 0 | 2372 | Nov 13 17:13:10 2000 |
iXsecurity Security Vulnerability Report - The default installation of Compaq Web-Based Management on a Netware server reveals sensitive system files to anyone who can access TCP port 2301. Allows remote users to read the remote console password. Software version 2.28 verified vulnerable. A Compaq advisory is available. Homepage: http://www.ixsecurity.com. By Ian Vitek | |||
xrestore.c | 0 | 2300 | Nov 3 18:43:54 2000 |
Restore (/sbin/restore) v0.4b15 local root exploit. Tested against Redhat 6.2. Homepage: http://www.fakehalo.org. By Vade79 | |||
lnapster_dos.c | 0 | 2252 | Dec 2 17:08:50 2000 |
The Linux Napster Client v0.9 through v1.4.4 contains remote denial of service vulnerabilities, including a buffer overflow. Homepage: http://www.fakehalo.org. By Vade79 | |||
quakeworldex.txt | 0 | 2155 | Nov 6 20:48:34 2000 |
Quake World server for Unix v2.30 contains a buffer overflow in the rcon feature which causes the server to crash with a segmentation fault. Proof of concept exploit included. Homepage: http://www.Hack-X.org. By Chandler | |||
deb_gnomehack.c | 0 | 2069 | Nov 15 18:34:21 2000 |
Gnomehack v1.0.5 local buffer overflow exploit which gives an egid=60 (games) shell if gnomehack is sgid (2755), tested on Debian 2.2. The same bug also affects Nethack. Homepage: http://www.fakehalo.org. By Vade79 | |||
dump.sh | 0 | 1903 | Nov 2 01:30:54 2000 |
Dump v0.4b15 and below for Linux contains a trivial local root vulnerability. Includes proof of concept exploit tested on Redhat 6.2. By Mat | |||
bsdi_inews.c | 0 | 1870 | Dec 2 16:20:52 2000 |
BSDI 3.0 local inews (inn-2.2) buffer overflow exploit. Gives an egid=news shell. Homepage: http://www.fakehalo.org. By Vade79 | |||
dae_sambar44.pl | 0 | 1861 | Nov 11 17:19:43 2000 |
The Sambar Server v4.4 Beta 4 for Windows 95/NT is vulnerable to a remote denial of service attack due to the con/con bug. Perl proof of concept code included. Homepage: http://www.daemon-root.da.ru. By Daemon-root | |||
dumpx.c | 0 | 1850 | Nov 11 17:29:27 2000 |
Dump-0.4b15-1 local root exploit tested on Redhat 6.2. By The Itch | |||
aim.caching.txt | 0 | 1654 | Nov 15 23:31:34 2000 |
AOL Instant Messenger contains a caching vulnerability: once you have logged onto AIM with a screenname, you can permanently log in with that screenname. By F3d | |||
oidldapd.c | 0 | 1651 | Dec 5 18:13:05 2000 |
Exploit code for oidldapd in Oracle 8.1.6 (8ir2) for Linux. I tested on RH 6.2 and 6.1. | |||
bsdi_filter.c | 0 | 1472 | Nov 14 14:11:32 2000 |
BSDI /usr/contrib/bin/filter v2.* local buffer overflow exploit. Tested on BSDI 3.0, provides a shell with GID mail. Homepage: http://www.fakehalo.org. By Vade79 | |||
bsdi_inc.c | 0 | 1410 | Nov 29 08:56:34 2000 |
BSDI 3.0 /usr/contrib/mh/bin/inc local root exploit. Homepage: http://www.fakehalo.org. By Vade79 | |||
dump-exp.sh | 0 | 1405 | Nov 2 01:31:25 2000 |
Dump v0.4b15 for Linux on Redhat and others contains a trivial local root vulnerability. By Fish | |||
bsdi_sperl.c | 0 | 1370 | Dec 2 16:19:26 2000 |
BSDI 3.0 /usr/bin/suidperl local root exploit. Homepage: http://www.fakehalo.org. By Vade79 | |||
bsdi_elm.c | 0 | 1329 | Nov 15 23:26:42 2000 |
BSDI Elm 2.4 local buffer overflow exploit. Tested on BSDI/3.0, gives a group mail shell. Homepage: http://www.fakehalo.org. By Vade79 | |||
gbook.cgi.txt | 0 | 1303 | Nov 11 19:24:45 2000 |
GBook, a web site guestbook, has a remote command execution vulnerability in gbook.cgi. Homepage: http://hacksware.com. By Mat | |||
exgsx.c | 0 | 1285 | Nov 6 20:44:51 2000 |
Gsx-0.90d and below contains a remote denial of service vulnerability which allows remote users to crash the GTK scour client by creating many connections. Homepage: http://www.Hack-X.org. By Chandler | |||
mogrify.c | 0 | 1193 | Dec 2 17:36:15 2000 |
/usr/X11R6/bin/mogrify local buffer overflow exploit for Redhat 7.0. Homepage: http://w3.swi.hu/zucco/. By Zucco | |||
new.phf.txt | 0 | 1087 | Nov 13 17:00:53 2000 |
An exploitable buffer overflow vulnerability has been found in phf which is unrelated to the well-known bad filter problem. All versions of phf should be removed. By Proton | |||
hpux.10.20.644.txt | 0 | 1073 | Nov 13 17:04:52 2000 |
HP/UX 10.20 allows any file on the filesystem to be chmodded 644. By J.A. Gutierrez | |||
omnisux.pl | 0 | 1049 | Nov 9 15:20:12 2000 |
The OmniHTTPd web server v2.06 and below contains a remote denial of service vulnerability in /cgi-bin/visadmin.exe. By Philer | |||
exchange.dos.txt | 0 | 1019 | Nov 13 16:29:10 2000 |
Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service. A message containing charset = "" causes the mail service to crash. Homepage: http://www.savelev.com. By Art Savelev | |||
cgiforum-1.0.txt | 0 | 767 | Dec 2 21:48:21 2000 |
CGIForum v1.0i (cgi-bin/cgiforum.pl) allows remote users to view any file on the system via a ../ directory traversal bug. By Zorgon | |||
hp-ux.cu.overflow.tx..> | 0 | 693 | Nov 4 16:21:24 2000 |
HP-UX vB.11.00 ships with a SUID /bin/cu, which has a buffer overflow in the -l switch. By Zorgon | |||
tetrinet-1.13.dos.tx..> | 0 | 674 | Nov 18 23:18:11 2000 |
Tetrinet v1.13 has a denial of service vulnerability which is triggered by telnetting to the tetrinet port and pressing enter once, freezing the game. Homepage: http://www.m4dskill.org. By Skyrim | |||
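Several entries above (NIT_UNICODE.zip, IISHack1.5.zip, uni.pl, uni2.pl, iis-unicode-exploit) rely on the same IIS 4.0/5.0 Unicode bug. The following is an added example, not code from this archive or from any of the listed authors, showing the mechanism those tools probe: an overlong UTF-8 encoding of `/` or `\` (for example `%c0%af`) passes the server's path check because the canonicaliser does not yet treat it as a separator, but the later filesystem mapping decodes it leniently, so `..%c0%af..` walks out of the virtual root. The `/scripts` virtual root, its on-disk location `C:/inetpub/scripts` and the `vulnerable_resolve`/`hardened_resolve` functions are illustrative constructions modelling the check-then-decode ordering, not IIS source.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed for illustration: the /scripts virtual root and a default-style
# on-disk location. The probes on this page go after cmd.exe through it.
VROOT = "/scripts"
VROOT_FS = "C:/inetpub/scripts"


def overlong_utf8(ch: str, nbytes: int) -> bytes:
    """Encode an ASCII character as an illegal 'overlong' UTF-8 sequence.
    '/' is 0x2F: its 2-byte overlong form is C0 AF, the 3-byte form E0 80 AF."""
    cp = ord(ch)
    assert cp < 0x80 and nbytes in (2, 3)
    if nbytes == 2:
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])


def pct(b: bytes) -> str:
    """Percent-encode raw bytes as they travel in the request line."""
    return "".join("%%%02x" % x for x in b)


def probe_paths(target: str = "winnt/system32/cmd.exe") -> list:
    """Traversal variants in the style of uni.pl: '..' followed by an overlong
    separator, so the canonicaliser sees one odd directory name, not '../'."""
    paths = []
    for sep in ("/", "\\"):
        for n in (2, 3):
            paths.append(f"{VROOT}/..{pct(overlong_utf8(sep, n))}../{target}")
    return paths


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way the vulnerable parser did: accept overlong
    sequences instead of rejecting them (Python's own decoder refuses them)."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < n and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append(chr(b)); i += 1  # stray byte: pass through as Latin-1
    return "".join(out)


def _under(path: str, root: str) -> bool:
    return path == root or path.startswith(root + "/")


def vulnerable_resolve(url_path: str) -> str:
    """Flawed order of operations (modelled, not IIS source): the vroot check
    runs on a canonical form in which the overlong bytes are still opaque
    characters; only the later filesystem mapping decodes them into a separator."""
    raw = unquote_to_bytes(url_path)
    canon = posixpath.normpath(raw.decode("latin-1").replace("\\", "/"))
    if not _under(canon, VROOT):
        raise PermissionError("outside virtual root")
    fs_rel = lenient_utf8_decode(raw).replace("\\", "/")[len(VROOT):]
    return posixpath.normpath(VROOT_FS + fs_rel)


def hardened_resolve(url_path: str) -> str:
    """Decode fully and strictly first, canonicalise, then check, and check
    again on the final on-disk path."""
    raw = unquote_to_bytes(url_path)
    try:
        text = raw.decode("utf-8")  # strict: overlong sequences raise
    except UnicodeDecodeError as e:
        raise PermissionError("malformed UTF-8 in path") from e
    canon = posixpath.normpath(text.replace("\\", "/"))
    if not _under(canon, VROOT):
        raise PermissionError("outside virtual root")
    fs = posixpath.normpath(VROOT_FS + canon[len(VROOT):])
    if not _under(fs, VROOT_FS):
        raise PermissionError("escapes on-disk root")
    return fs
```

`probe_paths()` yields the four separator variants (`%c0%af`, `%c1%9c`, `%e0%80%af`, `%e0%81%9c`); every one of them resolves to `C:/winnt/system32/cmd.exe` under the flawed ordering and is rejected outright by the strict decoder before any path logic runs. The general lesson is the same one the Unicode patches applied: decode once, completely and strictly, and only then canonicalise and authorise.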
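The wkit.joe.txt (DEADJOE rescue file) and cons.saver.txt entries above are both instances of a privileged or user-triggered program writing to a path that another local user can replace with a symlink. The following is an added example, not code from either advisory or from the joe or Midnight Commander projects, contrasting the unsafe open-by-name pattern with an open that refuses to follow links and then verifies, via fstat on the descriptor it actually got, that the object is a plain file owned by the caller. The temporary directory, the `victim` file and the `DEADJOE` symlink are constructed for the demonstration; it assumes a POSIX system with `O_NOFOLLOW`.

```python
import os
import stat
import tempfile

# O_NOFOLLOW is missing on Windows; fall back to 0 so the module still imports.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def write_rescue_unsafe(path: str, data: str) -> None:
    """The pattern the joe advisory describes: open the rescue file by name
    and write, going through whatever already sits at that path."""
    with open(path, "a") as f:
        f.write(data)


def open_rescue_safe(path: str) -> int:
    """Open (creating if needed) a rescue file without following symlinks,
    then check the opened object itself rather than the name we asked for."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    st = os.fstat(fd)
    if (not stat.S_ISREG(st.st_mode) or st.st_nlink != 1
            or st.st_uid != os.geteuid()):
        os.close(fd)
        raise PermissionError(f"{path}: refusing to write to unexpected object")
    return fd


def write_rescue_safe(path: str, data: str) -> None:
    fd = open_rescue_safe(path)
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: an attacker pre-creates DEADJOE -> victim."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        link = os.path.join(d, "DEADJOE")
        fresh = os.path.join(d, "DEADJOE.fresh")
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, link)

        write_rescue_unsafe(link, "attacker-chosen text\n")
        with open(victim) as f:
            after_unsafe = f.read()

        try:
            write_rescue_safe(link, "attacker-chosen text\n")
            safe_refused = False
        except OSError:  # ELOOP from O_NOFOLLOW, or the fstat check above
            safe_refused = True
        with open(victim) as f:
            after_safe = f.read()

        write_rescue_safe(fresh, "rescued buffer\n")  # normal case still works
        with open(fresh) as f:
            fresh_contents = f.read()

        return {"after_unsafe": after_unsafe, "safe_refused": safe_refused,
                "after_safe": after_safe, "fresh": fresh_contents}
```

Checking `st_nlink == 1` also covers the hard-link variant on filesystems that still allow unprivileged users to hard-link files they do not own; the null-byte write in cons.saver would be stopped by the same descriptor-level check.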