

Welcome to the Exploits for December, 2000 Section.
Some of these exploits are from Bugtraq

Sorted By: Downloads.

File Name  Downloads  File Size  Last Modified

0012-exploits.tgz  0  154662  Jan 1 22:08:46 2001
Packet Storm new exploits for December, 2000.

7350nxt-v3.tar.gz  0  8729  Dec 18 18:16:52 2000
Exploit for the Bind NXT remote root vulnerability, which affects Bind v8.2 - 8.2.1. Compiles on Linux, tested against Irix, BSD, and Linux. Includes Irix shellcode for breaking chroot. Homepage: https://www.team-teso.net.

7350oftpd.tar.gz  0  7127  Dec 18 18:05:22 2000
OpenBSD ftpd v2.4_BASE through 2.8 remote root exploit. Includes offsets for v2.6 through v2.8 and instructions for finding offsets of other versions. Requires a writable directory. Homepage: https://www.team-teso.net. By Caddis

7350wu-v5.tar.gz  0  16229  Dec 31 10:53:49 2000
7350wu.c is a Wu-ftpd v2.6.0 remote root exploit which does it the proper way. Works on Linux/x86 and FreeBSD. Homepage: https://www.team-teso.net. By Scut

CSA-200012.txt  0  1737  Dec 7 11:04:37 2000
CHINANSL Security Advisory (CSA-200012) - Ultraseek Server 3.0 vulnerability allows malicious users to see the full pathnames of server addons. Homepage: http://www.chinansl.com.

PhoneBook.c  0  3048  Dec 8 00:56:44 2000
Microsoft Phonebook Server remote exploit - Tests for the pbserver.dll buffer overflow. By David Litchfield

SEClpd.c  0  10961  Dec 30 19:41:34 2000
Lpr-ng v3.6.24 and below remote root exploit for Linux/x86 which exploits the syslog() format string vulnerability. Tested against Red Hat 7.0. Includes the ability to brute force the offset. Homepage: http://www.netcat.it. By Netcat

SRADV00005.txt  0  3247  Dec 6 21:59:56 2000
Secure Reality Pty Ltd. Security Advisory #5 - All 3.x versions of MailMan Webmail below v3.0.26 contain remote command execution vulnerabilities. The code contains several insecure calls to open() containing user specified data. These calls can be used to execute commands on the remote server with the permissions of the user that runs CGI scripts, usually the web server user, which is in most cases 'nobody'. Fix available here. Homepage: http://www.securereality.com.au. By Secure Reality

SRADV00006.txt  0  5249  Dec 6 22:04:06 2000
Secure Reality Pty Ltd. Security Advisory #6 - phpGroupWare is a multi-user web based groupware suite written in PHP. Versions below 0.9.7 under Unix make insecure calls to the include() function of PHP which can allow the inclusion of remote files, and thereby the execution of arbitrary commands on the remote web server with the permissions of the web server user, usually 'nobody'. Fix available here. Homepage: http://www.securereality.com.au. By Secure Reality

SRADV00007.txt  0  2247  Dec 6 22:14:11 2000
Secure Reality Pty Ltd. Security Advisory #7 - MarkVision is a printer administration package from Lexmark. Versions prior to v4.4 contain local root buffer overflow vulnerabilities. Fix available here. Homepage: http://www.securereality.com.au. By Secure Reality

Securax-SA-09.serv-u  0  4676  Dec 5 15:36:23 2000
Securax Security Advisory Securax-SA-09 - The Serv-U FTP server for Windows v2.4a, 2.5h, and 3.0b (all versions tested) has vulnerabilities stemming from improper handling of hex encoded characters in FTP commands. The server will reveal the full path to the ftproot, allow read/write/execute/list access to any other file on the partition, and allow listing of all hidden files. Fix available here. Homepage: http://www.securax.org. By Zoa_Chien

apcupsdos.c  0  3492  Dec 11 16:10:19 2000
Apcupsd v3.7.2 local denial of service attack. Can kill any running daemon. By The Itch

bf-code.c  0  1530  Dec 7 10:57:37 2000
Bftpd 1.0.12 contains a remote buffer overflow. Denial of service exploit included. Homepage: http://www.pkcrew.org. By Asynchro

bindview.naptha.txt  0  23509  Dec 21 22:32:04 2000
The NAPTHA DoS vulnerabilities (Revised Edition - Dec 18) - The Naptha vulnerabilities are weaknesses in the way that TCP/IP stacks and network applications handle the state of a TCP connection. Homepage: http://razor.bindview.com.

catman-race.txt  0  4718  Dec 23 15:07:23 2000
Solaris 2.7/2.8 /usr/bin/catman allows local users to clobber root owned files by symlinking temporary files. Includes catman-race.pl and ctman-race2.pl for proof of concept. Homepage: http://vapid.betteros.org. By Larry W. Cashdollar

hhp-GnomeScott_smash..>  0  1588  Dec 30 19:14:01 2000
GnomeScott local buffer overflow which provides a gid=40 (game) shell on SuSE 6.4 and 7.0. Homepage: http://www.hhp-programming.net. By Loophole

hhp-expect_adv0017.t..>  0  6236  Dec 30 19:18:48 2000
Expect v5.31.8 and v5.28.1 contain local buffer overflows. It is possible to exploit any suid/sgid expect application. Homepage: http://www.hhp-programming.net. By Isox and Loophole

hhp-expect_smash.c  0  3079  Dec 30 19:10:52 2000
Expect (/usr/bin/expect) v5.31.8 and v5.28.1 local buffer overflow exploit. Tested on Slackware 7.x. Advisory available here. Homepage: http://www.hhp-programming.net. By Isox

hhp-fancy_smash.c  0  1268  Dec 30 19:03:24 2000
Fancylogin v0.99.7 local root exploit. Tested on Red Hat 6.1. Homepage: http://www.hhp-programming.net. By Icesk

hhp-gnomehack_smash...>  0  2397  Dec 30 19:07:05 2000
Gnomehack local buffer overflow exploit which provides a gid=60 (games) shell on Debian 2.2. Homepage: http://www.hhp-programming.net. By Loophole

hhp-kwintv_smash.c  0  2169  Dec 30 19:05:35 2000
Kwintv local buffer overflow exploit which provides a gid=33 (video) shell on SuSE 7.0. Homepage: http://www.hhp-programming.net. By Loophole

hhp-stonx_smash.c  0  2828  Dec 27 17:42:10 2000
STonX v0.6.5 and v0.6.7 local root exploit. Tested on Slackware 7.0. Homepage: http://www.hhp-programming.net. By Loophole

hp-pppd.c  0  2362  Dec 5 18:07:07 2000
HP/UX v11.0 /usr/bin/pppd local root buffer overflow exploit. By K2

identdDoS.c  0  2149  Dec 23 18:19:41 2000
SuSE identd remote denial of service attack - Uses a long string to set a pointer to NULL. By Root-Dude

interchange.txt  0  1527  Dec 21 21:05:14 2000
Infinite InterChange is a Win95/98/NT/2k mail server which has a remote denial of service vulnerability where it can be caused to crash via a malformed POST request. This has been fixed in Infinite InterChange v3.61. By SNS Research

killntoe.c  0  3567  Dec 14 18:08:00 2000
Nettoe v1.0.5 denial of service attack - Causes the Nettoe server to use all available CPU cycles and lock the game. Homepage: http://www.fakehalo.org. By Vade79

ksh.temp-hole.txt  0  914  Dec 21 21:08:04 2000
The Korn Shell (ksh) uses temp files in an insecure manner. Demonstration included. Homepage: http://www.maths.usyd.edu.au:8000/u/psz. By Paul Szabo

mon_pine.sh  0  2464  Dec 11 16:19:53 2000
Pine v4.30 and below allows outgoing mail to be hijacked if the alternate editor is enabled. Exploit script included. Homepage: http://hacksware.com. By Mat

obsd-ftpd.c  0  20337  Dec 23 21:59:47 2000
OpenBSD v2.6 and 2.7 ftpd remote root exploit. Homepage: http://www.synnergy.net. By Scrippie

omnihttpdex.c  0  2424  Dec 21 22:06:18 2000
Omni httpd v2.07 and below remote denial of service exploit. Combines a shell script from sirius of buffer0vefl0w security with a Bugtraq report from Valentin Perelogin. Homepage: http://www.Hack-X.org. By Kilrid

phpxpl.c  0  9439  Dec 5 17:44:57 2000
PHP 3.0.16/4.0.2 remote root format string overflow exploit for Linux/x86. Tested against Slackware 7.0 and Red Hat 6.0. By gneisenau@berlin.com

rdC-LPRng.c  0  10325  Dec 15 15:08:48 2000
LPRng v3.6.24 and below remote root exploit for Linux/x86 which exploits the syslog() format string vulnerability. Tested against the default install of Red Hat 7.0 (LPRng-3.6.24-1) and LPRng3.6.22-1 installed on Slackware 7.0. Homepage: http://www.rdcrew.com.ar. By Venomous

rpc-everythingform.t..>  0  914  Dec 18 18:43:45 2000
everythingform.cgi uses a hidden field "config" to determine where to read configuration data from. Allows remote attackers to execute commands. Exploit URLs included. By RPC

scx-sa-10.txt  0  4490  Dec 8 01:16:16 2000
Securax Security Advisory #10 - The Watchguard SOHO Firewall is a small personal hardware firewall used for xDSL, ISDN and cable connections. Local and remote users can crash the Watchguard SOHO Firewall using multiple GET requests to the webserver. Perl exploit included. This attack will not show up in the logfile except for a reboot notice. Homepage: http://securax.org. By Vorlon

scx-sa-11.txt  0  4310  Dec 31 21:45:06 2000
Securax Security Advisory #11 - XFree86 version 3.3.6 is vulnerable to a remote denial of service attack over TCP port 6000. The server can freeze if sent many characters, requiring a reboot to restore normal operation. Includes Linnuke.c proof of concept code. Homepage: http://securax.org. By Root-dude

scx-sa-12.txt  0  6659  Dec 30 17:49:04 2000
Securax Security Advisory #12 - Apache 1.3.14 access_log and error_log can be altered somewhat by remote users if the site administrator reads the logs with cat or tail. Includes proof of concept code kosheen.c which attempts to display false values in a remote site's access_log and error_log. Homepage: http://securax.org. By Incubus

scx-sa-13.txt  0  3813  Jan 1 10:19:53 2001
Securax Security Advisory #13 - When someone telnets to a Unix system, the tty that will be assigned to him will be writable for any user on the system. However, once he is logged in, his tty will not be writable for all users. So if someone writes data to a tty that is currently used by someone who is logging in, that person won't be able to log in. Includes ttywrite.c proof of concept code. Homepage: http://securax.org. By Root-dude

shop.pl.txt  0  721  Dec 11 16:08:09 2000
Hassan Consulting's Shopping Cart version 1.x (cgi-bin/shop.pl) contains remote vulnerabilities, including directory traversal with file read ability, listing files, and path disclosure. Exploit URLs included. By Dotslash

sonata-teleconf-2.tx..>  0  2220  Dec 21 22:11:46 2000
Voyant Technologies Sonata Conferencing Software v3.x on Solaris 2.x comes with the setuid binary doroot which executes any command as root. Homepage: http://vapid.betteros.org. By Larry W. Cashdollar

wingate.c  0  3065  Dec 3 21:01:57 2000
Wingate 4.01 remote denial of service attack - Opens multiple connections and sends large amounts of MSG_OOB data, causing an "Out of buffers" error. By God-

wu-ftpd-solsparc.c  0  8686  Jan 1 22:07:40 2001
Solaris Wu-ftpd wu-2.4(1) remote root exploit which uses the SITE EXEC format string vulnerability. Tuned for Solaris Sparc v2.8 w/ inetd. By Kalou

xckermit.c  0  4671  Dec 18 17:49:52 2000
Ckermit v7.0 local buffer overflow exploit for Linux/x86. Not setuid by default, but often installed setuid. Homepage: http://www.fakehalo.org. By Vade79

xitami-2.5b4.txt  0  7951  Dec 2 17:47:41 2000
Xitami WEB/FTP Server for Windows 95/98/NT/2k v2.5b4 has remote vulnerabilities which allow users to view sensitive system information via testcgi.exe. Passwords are stored in plain text. Denial of service is possible. Homepage: http://www.nssolution.net. By Zerologic

xitetris.c  0  4386  Dec 18 18:24:51 2000
Itetris v1.6.2 local root exploit - Exploits a vulnerable system() call. Homepage: http://www.fakehalo.org. By Vade79

xlockfmt.c  0  8579  Dec 5 18:09:09 2000
Xlock local format string exploit for Linux/x86. Tested on Slackware 7.1 and Red Hat 6.2. By Ben Williams

xsold.c  0  1544  Dec 15 17:25:26 2000
Linux Xsoldier local root buffer overflow exploit. Overflows the -display command line option. Homepage: http://www.nightbird.free.fr. By Zorgon

xxconq.c  0  5050  Dec 26 14:18:48 2000
Linux xconq v7.4.1 local exploit - Gives a gid=games shell by exploiting the -L parameter. Tested on Slackware. Homepage: http://www.fakehalo.org. By Vade79

ypbind.tgz  0  16159  Dec 5 18:05:41 2000
Linux/x86 remote root exploit for ypbind (ypbind-mt). Tested against Red Hat 7, SuSE 6.x, and Debian. By Digit

sqladv2-poc.c  0  3076  Dec 2 21:09:46 2000
SQL2KOverflow.c - This code creates a file called 'SQL2KOverflow.txt' in the root of the C: drive. Requires a SQL username and password. Homepage: http://www.atstake.com.

sqladv-poc.c  0  9908  Dec 2 21:15:31 2000
Microsoft SQL Server Extended Stored Procedure remote proof of concept exploit. Affects MS SQL Server 7.0 and MS SQL Server 2000 for Windows NT 4.0 / 2000. Homepage: http://www.atstake.com.

sa_09.txt  0  3682  Dec 14 18:03:16 2000
NSFOCUS Security Advisory (SA2000-09) - EZshopper v2.0 and v3.0 from AHG contain remote CGI vulnerabilities which allow an attacker to get directory listings and sensitive file contents. Exploit URLs included. Homepage: http://www.nsfocus.com.