5niffi7.c - Remote root exploit for sniffit (-L mail) 0.3.7.beta on Debian 2.2. Includes a detailed explanation of how the exploit works.
024ddcc5e92f17b5a21a0b1e29b8e09fbda58d5ab78d29e5646d0557c2a197ff
Gauntlet firewall remote proof of concept code, tested against BSDI.
e083c880ad28d303ffd72c300afb16fe308a4792b9bb9ff3042cfa2e79c3b4d2
/usr/bin/xaos local root buffer overflow exploit. Works on suse 6.1, and could be modified for 6.2.
41063c66d14d76b252432334dc2031dd8d874cf94f253caf555c2a55974289a0
The thttpd web server comes with a CGI script called /cgi-bin/ssi which allows any file on the system to be read. Exploit URL included.
25679f8183d70073b7bf52ab21666b2b31569ed14056ca67fae4e26e726dd272
elm_again.c exploits another buffer overflow in elm v2.5 giving a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6 and RedHat on elm2.5PL3.
a63af30bfc97eb80e07b9f38915a5c778463721196ce3c7f4a6bf9172b6729c7
Cerberus Information Security Advisory (CISADV000524a) - The Cerberus Security Team has discovered a serious security flaw with Rockliffe's MailSite Management Agent for Windows (version 4.2.1.0). This server allows remote users to access their POP3 accounts and read their mail over HTTP. The service usually listens on TCP port 90. Unfortunately there exists a buffer overrun vulnerability that allows attackers to execute arbitrary code. As this service runs as system, by default, any code executed will run with system privileges - meaning any server running this agent could be fully compromised.
201140e806c2e3d3ec0bd2fb4cfda30b1743e7b0fd7054bcce93c848c6ca1a7a
A popular CGI web page access counter, version 4.0.7 by George Burgyan, permits execution of arbitrary commands as a result of unchecked user input. Commands are executed with the same permissions as the webserver.
94ace7ee3453cc97474d0f764a764949d5e6287f3e4ff04fcae1b290ca7c34b5
Elm v2.5 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on elm 2.5PL1-3, on Red Hat. Perl script to find offsets included.
de3ca64288f925a9826cafbf271fc6605aa272bb27361e89cf5913320a7c513f
Elm v2.4 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6, elm 2.4PL25. Perl script to find offsets included.
03d1978ea3b8ab5173fda42c7786dc04993514aae31b5c97466470d36a8dddcf
Securax-SA-03 - Ezboard v5.3.9 remote dos attack via wildcards in URL.
ed822a1fc27e53ef490ca1eaffb4b388a0110ab561a1a5b201ae6e3397654cf5
solaris 2.7 lpset local exploit, i386.
82677b09b51b7eeb5f50474a25d70291b3e7b4d5eae939b2f28a8b28490519fa
/usr/bin/fdmount local linux exploit.
bf34985b1a8b79c1e149fa1edad4560a07632b016f0109a4da99d03ceb463282
filterape.c exploits a new elm buffer overflow to get EGID mail on Slackware.
0283514040bf44953fc6a6a2b5828645f76e0fbbd4376d98586c0470084c52fc
Xwindows remote dos attack - creates a sequence of socket connections to tcp port 6000. Xwindows slows to a crawl and sometimes does not respond to user input.
efe31e621870f97e050c9ccd97b857ea4370bb4acee4752fe8205face4d0fa94
The Cerberus Security Team has discovered that a flaw in the Carello web shopping cart enables remote attackers to view .asp files on the server's computer. Affected system: Windows NT running IIS.
660eb984197ab48859340fb6d1ef3d916beb70b6534fb06bb49318f17b072048
There is a remote denial of service exploit against tcpdump. Tcpdump interprets UDP packets on port 53 as DNS traffic; however, domain names in DNS packets use a compression scheme that jumps to a particular offset in the packet to avoid repeating the same labels. If a packet has its compression offset set to a particular location and the program decompressing the domain name has no strategy for avoiding infinite loops, tcpdump may fall into an infinite loop.
3cb11869215cdb4a624ad46e732b853b543df65c25669d3daa61fa3108233ad0
BufferOverflow Security Advisory #5 - Remote shell via Qpopper2.53. qpop_euidl.c exploit included. Requires a qpop account and gives UID mail.
3b9258be6be245c764411f6a0fb9887e6d3353efa7d0f966e6a4b94561a41ad0
socket-dos.c is a local ssh-1.2.27 exploit which creates a UNIX domain socket with an arbitrary file name anywhere in the filesystem on some machines.
7bdb442b497c168920cf7dcefe4563db3d8741d098266c65dd84c6cadc0ad94a
Sniffit 0.3.7Beta Remote Exploit - sniffit has to be running (-L mail) flag set for this to work. Tested on RedHat 6.0.
b573a5413280903555b0ee0798458bf852149647ac3a38ccab820bebcba4ba44
killsentry.c shows that automatic firewalling is a bad idea by sending spoofed FIN packets from different hosts in an attempt to confuse Portsentry. Tested on FreeBSD 3.2.
53c616376a8cf4e338ec21587c689c67facb4791006565268125022e9ce67769
Ascend remote denial of service - Upon receiving a packet with non-zero length TCP offsets, Ascend terminal servers will crash. Linux based exploit included.
1c9d5ce7aadfbcbc5a0f59fb1a4d4366d8f996bd3022ebe70ecda1d75003f9cf
kshux.c -- krshd remote root exploit. This program exploits a vulnerability in the 'krshd' daemon included with the MIT Kerberos distribution. All versions are apparently vulnerable. This exploit is for Linux/x86 with Kerberos version 1.0.
21dbac49e32798d882c9cc979e90d774e5d8ce9558b1930028784d9a54094e1b
joe v2.8 stack overflow. joe overflows when trying to open() $HOME/.joerc. This is simply proof of concept code, hopefully to get the bug fixed. It will attempt to spawn a rootshell.
92174114b15928ccc797f3ac28878ca4c0229150414ef0e2334636a47b1b6e21
ksux.c -- ksu exploit. This program exploits a vulnerability in the 'ksu' utility included with the MIT Kerberos distribution. Versions prior to 1.1.1 are vulnerable. This exploit is for Linux/x86 with Kerberos version 1.0. Exploits for other operating systems and versions of Kerberos should also work.
575f9b9cd458226ac2f5b33532684894fb83b67d2d03b4ba8441db5ccbd69505
shellhit.c - TESO Hellkit contains a buffer overflow - exploit is just meant to be funny. To all scriptkiddies: You won't get root from this, go and find something more useful.
a3e149bc4123017c3cbb604fcda0c4db3c04f6e279d5b9a75f8c0c48fe6dd47f