oasis2.c sends spoofed ICMP_SOURCE_QUENCH packets, telling the victim host to slow down data transmission.
caf38ff30c91e72d083821bc20375b417d1bf05afe59cd3258fa379237529825
Freebsd cdrecord local root exploit - Tested against FreeBSD 3.3-RELEASE.
69c97fd5a84be42d400615e765ad61662441f2ca88b97bbb52105cfe55f17024
A new denial of service: the Allaire ColdFusion Web Application Server contains a denial of service vulnerability in all ColdFusion versions up through and including 4.5.1. A very large password at the ColdFusion Administrator login page can bring the system to a halt.
42daef2c136accb3c2736c9630c8560472e737cbfa6d93ed211648d25c436216
/usr/bin/cdrecord local exploit for x86 linux - gives gid=80 shell. Tested on Mandrake 7.0.
8c45b8eeaaa72e51223e3ac9a61b3c58d5f14a3ff1e33a32566ccd253e0be59d
/usr/bin/kdesud has a DISPLAY environment variable overflow - exploit gives gid=0, tested on Mandrake 7.02.
8b85d8dcf4d727c24bbbc0ac3bf68dc420f4d2860eb3301427c685428fe26a91
Solaris /usr/vmsys/bin/chkperm overflow - A long HOME environment variable can be used to provide a UID=bin shell.
40eca362e3afebe709d31273f915b144f1f648521921fe036f9461f0d0657adc
Design and Implementation Flaws in SessionWall-3 - SessionWall-3 (more recently known as e-Trust IDS) is a graphically controlled sniffer and network monitor / network censor for the Windows platform. The SessionWall-3 machine can be detected and identified remotely by a single ICMP packet. The password is stored in the registry with very simple XOR encryption. Includes sample code which decrypts the admin password, passive SW-3 detection, and active SW-3 detection & reply packet forger.
945236d2873af232b1208d9e5269794fa3947377e1a1f2f3f67b66264af1cf8a
tidcmp.c is an ICMP Source Quench attack. Sends spoofed ICMP type 4 packets to the victim's router. Includes references to the relevant RFCs.
db223fd1d7252c5896709ec8d2d3cbedb3dafe880cb6106b6b57cdcd5ec79ff6
Linux 2.2.X local exploit - A new local bug in the 2.2 kernel has been discovered. Using the "capabilities" bug, it is possible to exec sendmail without the CAP_SETUID privilege, which makes the setuid() call that drops privileges fail. Large chunks of code which were never meant to run as root then do, and exploiting this is trivial. Working exploit for sendmail + 2.2.16pre5 and below is included.
965ce9baf1810f15a570d4dbd22d0f6ca892ee2315f31ff40c37fd8a322944c1
Delphis Consulting Plc Security Team Advisory DST2K0011 - Buffer Overflow in HP OpenView Network Node Manager v6.1 for Microsoft Windows NT v4.0 Workstation (SP6). By using the Alarm service, which runs on port 2345 and is installed by default with HP OpenView Network Node Manager, it is possible to cause a buffer overrun in OVALARMSRV, causing the EIP to be overwritten and allowing the execution of arbitrary code.
53187d5cc8489d16517a4cf34b199ff2d209001ce4aa0b95b2f6e55c2e83c5b5
Delphis Consulting Plc Security Team Advisory DST2K0011 - The CMail Server v2.4.7 under Windows NT is vulnerable to a buffer overrun in NTDLL.DLL. By sending a long GET request to tcp port 8002, the EIP can be overwritten and arbitrary code execution is possible.
946d10f4fc740a5dbde0d93d04f4f2215477442195f130719d2903cf58a842de
Delphis Consulting Plc Security Team Advisory DST2K0010 - Two vulnerabilities were found in Ceilidh v2.60a for Microsoft Windows NT v4.0 Workstation (SP6). The HTML code generated by ceilidh.exe (example URL below) contains a hidden form field by the name of "translated_path", revealing the true path. By using a specially crafted POST statement it is possible to spawn multiple copies of ceilidh.exe, each taking 1% of CPU and 700k of memory. This can be sent multiple times to cause resource depletion on the remote host.
a6cda6dae6a389943157179ee378334ec7371c8e332286018cbcdb607a039b2e
MDMA Advisory #5 - It is possible to view the source of CGI scripts running under the Savant Webserver by omitting the HTTP version from your request.
1724fba392451be3b3274800afadb12de1c0b9bc1ae2d9480be7bf44fb177af0
Georgi Guninski security advisory #12 - Internet Explorer 5.01 under Windows 98 (other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of documents using JavaScript, IFRAME and WebBrowser control. This exposes the whole DOM of the target document and opens lots of security risks, such as reading local files, reading files from any host, window spoofing, getting cookies, etc. Exploit code included. Demonstration available here.
8aa57814b27a04133662e4ce2ca66e82e2d3cbb4f03b5ed71b69ebd2cf052c2c
A DoS attack against all platforms of Checkpoint Firewall-1 has been identified. Large numbers of fragmented packets cause the CPU to hit 100% utilization, and the system locks up. Some systems may also crash, depending on OS type. The rulebase cannot be used to block the attack, and nothing is logged. More information on Firewall-1's state table available here.
443e72af7463c692428baddc50b3b04477971f4a89888b58f9bd92548ef83428
MDMA Advisory #6 - EServ v2.92 and prior are vulnerable to a heap overflow in the logging code. Java proof of concept exploit code included.
8f8294582a025b703fc4bcc38a6d47de57ed4735dddb9a13e1f4b02168d4ba63
rootkeep.sh obtains root locally on Solaris via an included kcms exploit, and modifies the startup scripts so an account is added each time the machine is rebooted.
b31cab0f47180be89e3bf59a1a2676046fa41c7ed2eaf453f1356516a401c87d
Netwin ESMTP Server v2.7q linux x86 remote exploit. Tested on RedHat 6.1, binds a shell to TCP port 30464.
f6229c6e2a67eb3307f3fb307b27985b9446209516295d99dc899bca3fe60903
INND (InterNet News Daemon) 2.2.2 has a remotely exploitable stack overflow in the control articles handler. About 80% of usenet servers are vulnerable.
1fdab59692baa167e5e89c82010248721ee6cdb5b14cc48401a4a2cd02d49432
gdm (xdmcp) remote root exploit. Tested against SuSE 6.2 and RedHat 6.2 running gdm-2.0beta1-4. Binds a shell to port 3879.
5f84108be835cb86e853f427609a8dabcca65b14019c0c0ca3b864c31c36179b
xterm denial of service attack - By sending the VT control characters to resize a window it is possible to cause an xterm to crash and in some cases consume all available memory. This is a problem because remote users can inject these control characters into your xterm in many different ways. This sample exploit injects the control characters into a web GET request. If an admin were to cat the log file, or happened to be doing a "tail -f access_log" at the time of attack, they would find their xterm crashed. Tested against rxvt v2.6.1 and xterm (XFree86 3.3.3.1b(88b)).
e795174a235a3f5459e6a457c90c55832ca2987bccf1247db19929754e389a0e
Windows Media Encoder 4.0 and 4.1 are vulnerable to a remote denial of service attack. This source causes the Windows Media Encoder to crash with a "Runtime Error". Tested on version 4.1.0.3920. This is the vulnerability described in MS00-038.
2ed47a5509b2f1b80d55fd6418bff28abd5d3f4d1ccef95b325aedc8176ceead
MDBMS v0.99b5 remote root exploit - tested on Redhat 6.0. Shellcode runs an interactive shell on port 30464.
a37ea7852b725a2b014dd84e51b418b4f973791e412512e52b44f2d86f61fd6c