Section: .. / 0008-exploits /
| /// File Name: |
A090800-1 |
Description:
|
[at]stake Advisory A090800-1 - Application: Mobius DocumentDirect for the Internet 1.2, Platform: Windows NT 4.0, Severity: There are several buffer overflow conditions that could result in execution of arbitrary code or a denial of service.
| | Homepage: | http://www.atstake.com/research/advisories/2000/ | | File Size: | 5930 | | Last Modified: | Sep 11 19:17:57 2000 |
| MD5 Checksum: | b27171849ec91d61d3294a6e2267d4c0 |
|
| /// File Name: |
xperl.sh |
Description:
|
Suidperl v5.00503 and below local root exploit which exploits an undocumented /bin/mail feature when perl wants to notify root on inode race conditions. Tested on Redhat 6.x/7.0.
| | Author: | Michal Zalewski | | Homepage: | http://lcamtuf.na.export.pl | | File Size: | 5756 | | Last Modified: | Aug 9 02:19:43 2000 |
| MD5 Checksum: | 50a48f4a8f99682d1282169e08046448 |
|
| /// File Name: |
xitdos.c |
Description:
|
Xitami Webserver v2.4d3 and below are vulnerable to a remote dos attack. Sending malformed data to port 81 will cause the server to stop responding. Tested agasinst Xitami on Win95/98/NT4.0.
| | Author: | Mozy | | File Size: | 5547 | | Last Modified: | Aug 9 01:05:50 2000 |
| MD5 Checksum: | fe429b58f15ba97c9b34dc2ce6ffe97e |
|
| /// File Name: |
crackncftp.c |
Description:
|
The ncftp client uses an easily decrypted scheme to save passwords to remote FTP sites in a bookmark file. Crackncftp.c provides the plaintext when from the encrypted string.
| | Author: | Zorgon | | Homepage: | http://zorgon.freeshell.org | | File Size: | 5056 | | Last Modified: | Aug 17 03:45:04 2000 |
| MD5 Checksum: | 652d5a84fea593b7798071e24c6325d1 |
|
| /// File Name: |
FS-073100-10-BEA.txt |
Description:
|
Foundstone Security Advisory FS-073100-10-BEA - It is possible to compile and execute any arbitrary file within the web document root directory of the WebLogic server as if it were a JSP/JHTML file, even if the file type is not .jsp or .jhtml. If applications residing on the WebLogic server write to files within the web document root directory, it is possible to insert executable code in the form of JSP or JHTML tags and have the code compiled and executed using WebLogic's handlers. This can potentially cause an attacker to gain administrative control of the underlying operating systems.
| | Author: | Shreeraj Shah | | Homepage: | http://www.foundstone.com/advisories.htm | | File Size: | 5037 | | Last Modified: | Aug 2 20:44:19 2000 |
| MD5 Checksum: | 1dd991014f7279d9d772f52478be66d3 |
|
| /// File Name: |
tin_bof.c |
Description:
|
Tin v1.4.3 local linux/x86 buffer overflow exploit which spawns a gid=news shell if /usr/bin/tin is setgid.
| | Author: | Vade79 | | Homepage: | http://www.realhalo.org | | File Size: | 5033 | | Last Modified: | Aug 5 03:41:05 2000 |
| MD5 Checksum: | 38f634c84ebce9f02cbade96bace7ee2 |
|
| /// File Name: |
fpage-DoS.pl |
Description:
|
Fpage-DoS.pl - Info based attacks DoS Front page. To exploit this vunerability you must have the extensions "/ _ vti_bin/shtml.exe in your server. This is a demonstration script to remotely overflow various server buffers, resulting in a denial of service, for TESTING purposes only. Runs on *nix & Windows with perl.
| | Author: | alt3kx | | Homepage: | http://www.raza-mexicana.org | | File Size: | 4865 | | Last Modified: | Aug 30 23:24:30 2000 |
| MD5 Checksum: | 4ef33313379701100a8e4dac1ecbb646 |
|
| /// File Name: |
labs51.txt |
Description:
|
USSR Labs Advisory #51 - There is a remote denial of service caused by a buffer overflow memory problem in the rpc module of the Pragma TelnetServer 2000 for Windows NT/2000. The included shell code causes the system to crash.
| | Homepage: | http://www.ussrback.com | | File Size: | 4816 | | Last Modified: | Aug 24 18:53:33 2000 |
| MD5 Checksum: | 5451e4fdd8c8cb64106282d8dc91a7fc |
|
| /// File Name: |
libc2-x86.c |
Description:
|
libc.so LC_MESSAGES local exploit for solaris 2.7 x86.
| | Homepage: | http://lsd-pl.net | | File Size: | 4779 | | Last Modified: | Sep 7 22:58:44 2000 |
| MD5 Checksum: | 39fa1e883a0035bd2109d6da65288055 |
|
| /// File Name: |
darxite.tar.gz |
Description:
|
Darxite, a daemon that retrieves files via FTP or HTTP, has several vulnerabilities throughout the code that allow a local/remote user to crash the servers, as well as a passwd authentication remote overflow, allowing remote shell access as the uid of the darxite daemon. Exploit and advisory included. Tested against Linux x86 systems.
| | Author: | dethy | | Homepage: | http://www.synnergy.net | | File Size: | 4738 | | Last Modified: | Aug 23 02:03:59 2000 |
| MD5 Checksum: | 32a8c8dcfdcba3259e8d0e9af20eba1a |
|
| /// File Name: |
arrayd.c |
Description:
|
Irix 6.5/6.4/6.3/6.2 arrayd remote buffer overflow exploit as described in CA-99-09-arrayd.txt.
| | Homepage: | http://lsd-pl.net | | File Size: | 4658 | | Last Modified: | Sep 8 00:17:00 2000 |
| MD5 Checksum: | e14c5e74a826f15f48e76a155fec4eb9 |
|
| /// File Name: |
012.txt |
Description:
|
Pgxconfig is a Raptor graphics card configuration tool for Solaris which has multiple local vulnerabilities. The environment is not sanitized and root privileges are not dropped, allowing commands to be run as root. Local root exploit included.
| | Author: | Suid courtesy of Bugtraq | | Homepage: | http://www.suid.kg | | File Size: | 4572 | | Last Modified: | Aug 2 21:44:15 2000 |
| MD5 Checksum: | 6e972f5716c026877853b5cc1c5cc953 |
|
| /// File Name: |
libc2.c |
Description:
|
libc.so LC_MESSAGES local root exploit for solaris 2.6 2.7 sparc.
| | Homepage: | http://lsd-pl.net | | File Size: | 4268 | | Last Modified: | Sep 7 22:22:43 2000 |
| MD5 Checksum: | a7db329e7fd398e5593e15fc04665870 |
|
| /// File Name: |
nlps_server.c |
Description:
|
listen/nlps_server remote buffer overflow exploit for solaris 2.4 2.5 2.5.1 x86.
| | Homepage: | http://lsd-pl.net | | File Size: | 3669 | | Last Modified: | Sep 7 22:29:13 2000 |
| MD5 Checksum: | 7d6ace098ce5091f2641f7b3c8a9d7c5 |
|
| /// File Name: |
libc-x86.c |
Description:
|
libc.so getopt() local root exploit for solaris 2.5 2.5.1 x86.
| | Homepage: | http://lsd-pl.net | | File Size: | 3608 | | Last Modified: | Sep 7 22:39:17 2000 |
| MD5 Checksum: | b64185dce94f438a017a5023737a09ef |
|
| /// File Name: |
websitepro.txt |
Description:
|
WebSite Pro is a Web Server for Win95/98/NT platforms. The vulnerability (or bad server administration) allows any user to create arbitrary files with arbitrary text on the victim machine, from the Internet web browser.
| | Author: | a default installation, any user can create or uploads files to the victim machine running a vulnerable version of WebSite Pro. The problem is a bad "protection access" of the main directories on the machine. | | File Size: | 3528 | | Last Modified: | Sep 11 18:58:50 2000 |
| MD5 Checksum: | 923f9c6216a742ebff00f589bf593f03 |
|
| /// File Name: |
dtprintinfo.c |
Description:
|
/usr/dt/bin/dtprintinfo local root exploit for solaris 2.6 2.7 x86.
| | Homepage: | http://lsd-pl.net | | File Size: | 3389 | | Last Modified: | Sep 7 22:36:20 2000 |
| MD5 Checksum: | 125f0cdf634704b1de2c1b3ad80a3d9d |
|
| /// File Name: |
horde.txt |
Description:
|
The $from-bug is in the horde library file 'horde.lib', (on debian systems installed in /usr/share/horde/lib/horde.lib) in line 1108 belonging to function "mailfrom". In this file there is a call to "popen" with an unchecked "from:"-line as argument. Bug found and exploited by Jens "atomi" Steube, Fixed and documentated by Christian "thepoet" Winter
| | File Size: | 3312 | | Last Modified: | Sep 11 19:09:56 2000 |
| MD5 Checksum: | 7ee65a0d5d1fa264e6a56df32877bea2 |
|
| /// File Name: |
libnsl-x86.c |
Description:
|
libnsl.so gethostbyname() for solaris 2.5 2.5.1 x86.
| | Homepage: | http://lsd-pl.net | | File Size: | 3125 | | Last Modified: | Sep 7 22:56:58 2000 |
| MD5 Checksum: | b8b2e8fcbd05a1a6ef0c12ae579e0a4a |
|
| /// File Name: |
ufsdump-x86.c |
Description:
|
/usr/lib/fs/ufs/ufsdump local root exploit for solaris 2.6 2.7 x86.
| | Homepage: | http://lsd-pl.net | | File Size: | 3114 | | Last Modified: | Sep 7 22:47:58 2000 |
| MD5 Checksum: | a63386ba40bab5b3d8a4c7f49f5e9223 |
|
| /// File Name: |
irix-libc.c |
Description:
|
libc.so NLSPATH local exploit for Irix 6.2.
| | Homepage: | http://lsd-pl.net | | File Size: | 3111 | | Last Modified: | Sep 8 00:26:12 2000 |
| MD5 Checksum: | 2b1f37157932fbf6eba526123da8636f |
|
| /// File Name: |
word-access.txt |
Description:
|
Georgi Guninski security advisory #17 - MS Word and MS Access 2000 (with or without Service Release 1a) allow executing arbitrary programs if a Word document is opened. This may be exploited also by visiting a web page with IE or opening/previewing HTML email message with Outlook. In order this to work, the user must be able to access a mdb file, which resides either on an UNC share or a local drive. This allows taking full control over user's computer. Demonstration exploit available here or here.
| | Author: | Georgi Guninski | | Homepage: | http://www.nat.bg/~joro | | File Size: | 2984 | | Last Modified: | Aug 10 01:23:51 2000 |
| MD5 Checksum: | eb038ae038008adf38ec1a34dbcc3916 |
|
| /// File Name: |
clientagent662.txt |
Description:
|
Client Agent 6.62 for Unix Vulnerability, Tested on a Debian 2.2.14, Client Agent has a hole allowing to execute an arbitrary code by root without its knowing. In the meantime, some conditions are necessary to exploit this vulnerability. Client Agent is used with ARCserveIT, the safe software. It must be installed on all the workstations. A global configuration file agent.cfg keep every sub-agents installed on your system. This file is in /usr/CYEagent, and receive the information from the sub-agent when the script /opt/uagent/uagensetup is run.
| | Author: | zorgon | | Homepage: | http://www.nightbird.free.fr | | File Size: | 2968 | | Last Modified: | Sep 1 01:01:58 2000 |
| MD5 Checksum: | bdc6bbbc293aae841e2449293838218a |
|
| /// File Name: |
tip.c |
Description:
|
/usr/bin/tip local root exploit for solaris 2.6 2.7 x86.
| | Homepage: | http://lsd-pl.net | | File Size: | 2961 | | Last Modified: | Sep 7 22:50:32 2000 |
| MD5 Checksum: | 84b3ef4a3056f76c2d99ad9fb7040998 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
