Welcome to the Exploits for December, 2000 Section.
Some of these exploits are from Bugtraq.
File Name | Downloads | File Size | Last Modified | Description
--- | --- | --- | --- | ---
0012-exploits.tgz | 0 | 154662 | Jan 1 22:08:46 2001 | Packet Storm new exploits for December, 2000.
7350nxt-v3.tar.gz | 0 | 8729 | Dec 18 18:16:52 2000 | Exploit for the Bind NXT remote root vulnerability, which affects Bind v8.2 - 8.2.1. Compiles on Linux, tested against Irix, BSD, and Linux. Includes Irix shellcode for breaking chroot. Homepage: https://www.team-teso.net.
7350oftpd.tar.gz | 0 | 7127 | Dec 18 18:05:22 2000 | OpenBSD ftpd v2.4_BASE through 2.8 remote root exploit. Includes offsets for v2.6 through v2.8 and instructions for finding offsets of other versions. Requires a writable directory. Homepage: https://www.team-teso.net. By Caddis
7350wu-v5.tar.gz | 0 | 16229 | Dec 31 10:53:49 2000 | 7350wu.c is a Wu-ftpd v2.6.0 remote root exploit which does it the proper way. Works on Linux/x86 and FreeBSD. Homepage: https://www.team-teso.net. By Scut
CSA-200012.txt | 0 | 1737 | Dec 7 11:04:37 2000 | CHINANSL Security Advisory (CSA-200012) - Ultraseek Server 3.0 vulnerability allows malicious users to see the full pathnames of server addons. Homepage: http://www.chinansl.com.
PhoneBook.c | 0 | 3048 | Dec 8 00:56:44 2000 | Microsoft Phonebook Server remote exploit - Tests for the pbserver.dll buffer overflow. By David Litchfield
SEClpd.c | 0 | 10961 | Dec 30 19:41:34 2000 | LPRng v3.6.24 and below remote root exploit for Linux/x86 which exploits the syslog() format string vulnerability. Tested against Red Hat 7.0. Includes the ability to brute force the offset. Homepage: http://www.netcat.it. By Netcat
SRADV00005.txt | 0 | 3247 | Dec 6 21:59:56 2000 | Secure Reality Pty Ltd. Security Advisory #5 - All 3.x versions of MailMan Webmail below v3.0.26 contain remote command execution vulnerabilities. The code contains several insecure calls to open() containing user-specified data. These calls can be used to execute commands on the remote server with the permissions of the user that runs CGI scripts, usually the web server user, which is in most cases 'nobody'. Fix available. Homepage: http://www.securereality.com.au. By Secure Reality
SRADV00006.txt | 0 | 5249 | Dec 6 22:04:06 2000 | Secure Reality Pty Ltd. Security Advisory #6 - phpGroupWare is a multi-user web based groupware suite written in PHP. Versions below 0.9.7 under Unix make insecure calls to the include() function of PHP, which can allow the inclusion of remote files and thereby the execution of arbitrary commands on the remote web server with the permissions of the web server user, usually 'nobody'. Fix available. Homepage: http://www.securereality.com.au. By Secure Reality
SRADV00007.txt | 0 | 2247 | Dec 6 22:14:11 2000 | Secure Reality Pty Ltd. Security Advisory #7 - MarkVision is a printer administration package from Lexmark. Versions prior to v4.4 contain local root buffer overflow vulnerabilities. Fix available. Homepage: http://www.securereality.com.au. By Secure Reality
Securax-SA-09.serv-u | 0 | 4676 | Dec 5 15:36:23 2000 | Securax Security Advisory Securax-SA-09 - The Serv-U FTP server for Windows v2.4a, 2.5h, and 3.0b (all versions tested) has vulnerabilities stemming from improper handling of hex-encoded characters in FTP commands. The server will reveal the full path to the ftproot, allow read/write/execute/list access to any other file on the partition, and allow listing of all hidden files. Fix available. Homepage: http://www.securax.org. By Zoa_Chien
apcupsdos.c | 0 | 3492 | Dec 11 16:10:19 2000 | Apcupsd v3.7.2 local denial of service attack. Can kill any running daemon. By The Itch
bf-code.c | 0 | 1530 | Dec 7 10:57:37 2000 | Bftpd 1.0.12 contains a remote buffer overflow. Denial of service exploit included. Homepage: http://www.pkcrew.org. By Asynchro
bindview.naptha.txt | 0 | 23509 | Dec 21 22:32:04 2000 | The NAPTHA DoS vulnerabilities (Revised Edition - Dec 18) - The NAPTHA vulnerabilities are weaknesses in the way that TCP/IP stacks and network applications handle the state of a TCP connection. Homepage: http://razor.bindview.com.
catman-race.txt | 0 | 4718 | Dec 23 15:07:23 2000 | Solaris 2.7/2.8 /usr/bin/catman allows local users to clobber root-owned files by symlinking temporary files. Includes catman-race.pl and ctman-race2.pl for proof of concept. Homepage: http://vapid.betteros.org. By Larry W. Cashdollar
hhp-GnomeScott_smash..> | 0 | 1588 | Dec 30 19:14:01 2000 | GnomeScott local buffer overflow which provides a gid=40 (game) shell on SuSE 6.4 and 7.0. Homepage: http://www.hhp-programming.net. By Loophole
hhp-expect_adv0017.t..> | 0 | 6236 | Dec 30 19:18:48 2000 | Expect v5.31.8 and v5.28.1 contain local buffer overflows. It is possible to exploit any suid/sgid expect application. Homepage: http://www.hhp-programming.net. By Isox and Loophole
hhp-expect_smash.c | 0 | 3079 | Dec 30 19:10:52 2000 | Expect (/usr/bin/expect) v5.31.8 and v5.28.1 local buffer overflow exploit. Tested on Slackware 7.x. Advisory available. Homepage: http://www.hhp-programming.net. By Isox
hhp-fancy_smash.c | 0 | 1268 | Dec 30 19:03:24 2000 | Fancylogin v0.99.7 local root exploit. Tested on Red Hat 6.1. Homepage: http://www.hhp-programming.net. By Icesk
hhp-gnomehack_smash...> | 0 | 2397 | Dec 30 19:07:05 2000 | Gnomehack local buffer overflow exploit which provides a gid=60 (games) shell on Debian 2.2. Homepage: http://www.hhp-programming.net. By Loophole
hhp-kwintv_smash.c | 0 | 2169 | Dec 30 19:05:35 2000 | Kwintv local buffer overflow exploit which provides a gid=33 (video) shell on SuSE 7.0. Homepage: http://www.hhp-programming.net. By Loophole
hhp-stonx_smash.c | 0 | 2828 | Dec 27 17:42:10 2000 | STonX v0.6.5 and v0.6.7 local root exploit. Tested on Slackware 7.0. Homepage: http://www.hhp-programming.net. By Loophole
hp-pppd.c | 0 | 2362 | Dec 5 18:07:07 2000 | HP/UX v11.0 /usr/bin/pppd local root buffer overflow exploit. By K2
identdDoS.c | 0 | 2149 | Dec 23 18:19:41 2000 | SuSE identd remote denial of service attack - Uses a long string to set a pointer to NULL. By Root-Dude
interchange.txt | 0 | 1527 | Dec 21 21:05:14 2000 | Infinite InterChange is a Win95/98/NT/2k mail server which has a remote denial of service vulnerability: it can be made to crash via a malformed POST request. This has been fixed in Infinite InterChange v3.61. By SNS Research
killntoe.c | 0 | 3567 | Dec 14 18:08:00 2000 | Nettoe v1.0.5 denial of service attack - Causes the Nettoe server to use all available CPU cycles and lock the game. Homepage: http://www.fakehalo.org. By Vade79
ksh.temp-hole.txt | 0 | 914 | Dec 21 21:08:04 2000 | The Korn Shell (ksh) uses temp files in an insecure manner. Demonstration included. Homepage: http://www.maths.usyd.edu.au:8000/u/psz. By Paul Szabo
mon_pine.sh | 0 | 2464 | Dec 11 16:19:53 2000 | Pine v4.30 and below allows outgoing mail to be hijacked if the alternate editor is enabled. Exploit script included. Homepage: http://hacksware.com. By Mat
obsd-ftpd.c | 0 | 20337 | Dec 23 21:59:47 2000 | OpenBSD v2.6 and 2.7 ftpd remote root exploit. Homepage: http://www.synnergy.net. By Scrippie
omnihttpdex.c | 0 | 2424 | Dec 21 22:06:18 2000 | Omni httpd v2.07 and below remote denial of service exploit. Combines a shell script by sirius of buffer0vefl0w security with a Bugtraq report by Valentin Perelogin. Homepage: http://www.Hack-X.org. By Kilrid
phpxpl.c | 0 | 9439 | Dec 5 17:44:57 2000 | PHP 3.0.16/4.0.2 remote root format string overflow exploit for Linux/x86. Tested against Slackware 7.0 and Red Hat 6.0. By gneisenau@berlin.com
rdC-LPRng.c | 0 | 10325 | Dec 15 15:08:48 2000 | LPRng v3.6.24 and below remote root exploit for Linux/x86 which exploits the syslog() format string vulnerability. Tested against the default install of Red Hat 7.0 (LPRng-3.6.24-1) and LPRng 3.6.22-1 installed on Slackware 7.0. Homepage: http://www.rdcrew.com.ar. By Venomous
rpc-everythingform.t..> | 0 | 914 | Dec 18 18:43:45 2000 | everythingform.cgi uses a hidden field "config" to determine where to read configuration data from. Allows remote attackers to execute commands. Exploit URLs included. By RPC
scx-sa-10.txt | 0 | 4490 | Dec 8 01:16:16 2000 | Securax Security Advisory #10 - The Watchguard SOHO Firewall is a small personal hardware firewall used for xDSL, ISDN and cable connections. Local and remote users can crash the Watchguard SOHO Firewall using multiple GET requests to the web server. Perl exploit included. This attack will not show up in the logfile except for a reboot notice. Homepage: http://securax.org. By Vorlon
scx-sa-11.txt | 0 | 4310 | Dec 31 21:45:06 2000 | Securax Security Advisory #11 - XFree86 version 3.3.6 is vulnerable to a remote denial of service attack over TCP port 6000. The server can freeze if sent many characters, requiring a reboot to restore normal operation. Includes Linnuke.c proof of concept code. Homepage: http://securax.org. By Root-dude
scx-sa-12.txt | 0 | 6659 | Dec 30 17:49:04 2000 | Securax Security Advisory #12 - Apache 1.3.14 access_log and error_log can be altered somewhat by remote users if the site administrator reads the logs with cat or tail. Includes proof of concept code kosheen.c, which attempts to display false values in a remote site's access_log and error_log. Homepage: http://securax.org. By Incubus
scx-sa-13.txt | 0 | 3813 | Jan 1 10:19:53 2001 | Securax Security Advisory #13 - When someone telnets to a Unix system, the tty assigned to him is writable by any user on the system; once he is logged in, his tty is no longer writable by all users. So if someone writes data to a tty that is currently in use by a user who is logging in, that user will not be able to log in. Includes ttywrite.c proof of concept code. Homepage: http://securax.org. By Root-dude
shop.pl.txt | 0 | 721 | Dec 11 16:08:09 2000 | Hassan Consulting's Shopping Cart version 1.x (cgi-bin/shop.pl) contains remote vulnerabilities, including directory traversal with file read ability, listing files, and path disclosure. Exploit URLs included. By Dotslash
sonata-teleconf-2.tx..> | 0 | 2220 | Dec 21 22:11:46 2000 | Voyant Technologies Sonata Conferencing Software v3.x on Solaris 2.x comes with the setuid binary doroot, which executes any command as root. Homepage: http://vapid.betteros.org. By Larry W. Cashdollar
wingate.c | 0 | 3065 | Dec 3 21:01:57 2000 | Wingate 4.01 remote denial of service attack - Opens multiple connections and sends large amounts of MSG_OOB data, causing an "Out of buffers" error. By God-
wu-ftpd-solsparc.c | 0 | 8686 | Jan 1 22:07:40 2001 | Solaris Wu-ftpd wu-2.4(1) remote root exploit which uses the SITE EXEC format string vulnerability. Tuned for Solaris SPARC v2.8 with inetd. By Kalou
xckermit.c | 0 | 4671 | Dec 18 17:49:52 2000 | Ckermit v7.0 local buffer overflow exploit for Linux/x86. Not setuid by default, but often installed setuid. Homepage: http://www.fakehalo.org. By Vade79
xitami-2.5b4.txt | 0 | 7951 | Dec 2 17:47:41 2000 | Xitami WEB/FTP Server for Windows 95/98/NT/2k v2.5b4 has remote vulnerabilities which allow users to view sensitive system information via testcgi.exe. Passwords are stored in plain text. Denial of service is possible. Homepage: http://www.nssolution.net. By Zerologic
xitetris.c | 0 | 4386 | Dec 18 18:24:51 2000 | Itetris v1.6.2 local root exploit - Exploits a vulnerable system() call. Homepage: http://www.fakehalo.org. By Vade79
xlockfmt.c | 0 | 8579 | Dec 5 18:09:09 2000 | Xlock local format string exploit for Linux/x86. Tested on Slackware 7.1 and Red Hat 6.2. By Ben Williams
xsold.c | 0 | 1544 | Dec 15 17:25:26 2000 | Linux Xsoldier local root buffer overflow exploit. Overflows the -display command line option. Homepage: http://www.nightbird.free.fr. By Zorgon
xxconq.c | 0 | 5050 | Dec 26 14:18:48 2000 | Linux xconq v7.4.1 local exploit - Gives a gid=games shell by exploiting the -L parameter. Tested on Slackware. Homepage: http://www.fakehalo.org. By Vade79
ypbind.tgz | 0 | 16159 | Dec 5 18:05:41 2000 | Linux/x86 remote root exploit for ypbind (ypbind-mt). Tested against Red Hat 7, SuSE 6.x, and Debian. By Digit
sqladv2-poc.c | 0 | 3076 | Dec 2 21:09:46 2000 | SQL2KOverflow.c - This code creates a file called 'SQL2KOverflow.txt' in the root of the C: drive. Requires a SQL username and password. Homepage: http://www.atstake.com.
sqladv-poc.c | 0 | 9908 | Dec 2 21:15:31 2000 | Microsoft SQL Server Extended Stored Procedure remote proof of concept exploit. Affects MS SQL Server 7.0 and MS SQL Server 2000 for Windows NT 4.0 / 2000. Homepage: http://www.atstake.com.
sa_09.txt | 0 | 3682 | Dec 14 18:03:16 2000 | NSFOCUS Security Advisory (SA2000-09) - EZshopper v2.0 and v3.0 from AHG contain remote CGI vulnerabilities which allow an attacker to get directory listings and sensitive file contents. Exploit URLs included. Homepage: http://www.nsfocus.com.