Immunix OS StackGuard-evading LC glibc + su + msgfmt local root exploit. Tested on Immunix OS (StackGuard-protected Red Hat 6.2). Patch available here.
e2922ba11b17fe95138d9bdf5612999e7ad04919271ca894dc28a29b7d779223
/usr/bin/traceroute local root format string exploit for LBNL traceroute, distributed with Red Hat 6.1/6.2 and Debian 2.2.
eac8e33beaa9da34d3ff79bf6a8fd5f9817c277464588facdda8b802d020cab4
OpenBSD 2.6 and 2.7 xlock local root format string exploit.
d9c51047e5c8a7f38729c09e87bad09d9750d4d980cea6a7b2e76cf318636dba
Georgi Guninski security advisory #23 - Internet Explorer 5.5/Outlook allow executing arbitrary programs after viewing a web page or email message. This very serious vulnerability may easily lead to taking full control over the user's computer. The problem is the com.ms.activeX.ActiveXComponent Java object, which allows creating and scripting arbitrary ActiveX objects, including those not marked safe for scripting. Demonstration available here.
27e12e35034dfe08d65a2d1ce60a0c62b0edbb7d88eec3dfcb77203e10bad419
Delphis Consulting Plc Security Team Advisory DST2K0039 - WebData allows any user who has an account to read any file on the webserver. Patch and exploit information included.
9d9b28782a7e43b0f385240fa3af864d29b9b0299405af6b0e8f22619c48d855
Delphis Consulting Plc Security Team Advisory DST2K0036 - CyberOffice Shopping Cart v2 under Windows NT allows remote users to modify the price of items because prices are set by a hidden form field.
23e3f2c45abc484fb83817dec5582c0edb01f638db7dcbb693eec81c06bf7de3
Cached_Feed.cgi v1.0 from here.
58833a60a07b6e7617ac6adbcde536677a6818e5d40950bc51da81bb9684196b
thttpd 2.19 and below includes a CGI program, "ssi", which contains a vulnerability that allows remote users to read any file on the webserver. Exploit examples included. Fix available here.
5cf4c016185b6b2c6b33bf5944ac239ead66ec315980d03e497f790eea3acb5b
When scp'ing files from a remote machine, the remote scp daemon can be modified to overwrite arbitrary files on the client side, because the client writes whatever file name the remote side sends. Scp from ssh-1.2.30 and below is vulnerable. Proof of concept scp replacement included.
c83fdb97397307f495d1cef7e5ab8dc8f8740692dccebe8deaaee85d3f5a2fe1
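The client-side check the scp entry above is missing, as an added example that is not code from the ssh distribution or from the proof of concept: a parser for the "C<mode> <size> <name>" record that the remote scp sends for each file, which refuses any name containing a "/" or naming "." or "..", so a hostile remote side cannot steer the write outside the target directory. The function and struct names are my own; the sample records in main() are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>

/* Parsed form of one "C<mode> <size> <name>" record sent by the
 * remote scp (source side) to the local scp (sink side). */
struct scp_file_hdr {
    unsigned int mode;
    unsigned long long size;
    char name[256];
};

/* Returns 1 if the remote-supplied name may be created inside the
 * local target directory, 0 otherwise. Without this check the sink
 * writes "../../.ssh/authorized_keys" or "/etc/passwd" verbatim. */
int scp_sink_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)          /* no path components at all */
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Parse one file record. Returns 0 on success, -1 on malformed input
 * or on a name that fails scp_sink_name_ok(). Only "C" (regular file)
 * records are accepted here; "D"/"E" directory records are rejected. */
int scp_parse_file_hdr(const char *line, struct scp_file_hdr *out)
{
    const char *p = line;
    char *end;
    unsigned long m;
    unsigned long long sz;
    size_t n;

    if (p == NULL || out == NULL || *p != 'C')
        return -1;
    p++;

    /* mode: scp emits it as four octal digits ("%04o") */
    errno = 0;
    m = strtoul(p, &end, 8);
    if (errno != 0 || end - p != 4 || *end != ' ')
        return -1;
    p = end + 1;

    /* size: decimal byte count */
    errno = 0;
    sz = strtoull(p, &end, 10);
    if (errno != 0 || end == p || *end != ' ')
        return -1;
    p = end + 1;

    /* name: everything up to the newline, validated before use */
    n = strcspn(p, "\n");
    if (n == 0 || n >= sizeof(out->name))
        return -1;
    memcpy(out->name, p, n);
    out->name[n] = '\0';
    if (!scp_sink_name_ok(out->name))
        return -1;

    out->mode = (unsigned int)m;
    out->size = sz;
    return 0;
}

int main(void)
{
    /* Constructed sample records, the last three as a hostile remote
     * scp might send them. */
    const char *records[] = {
        "C0644 12 notes.txt\n",
        "C0600 42 ../../.ssh/authorized_keys\n",
        "C0644 5 /etc/passwd\n",
        "C0644 1 ..\n",
    };
    struct scp_file_hdr h;
    size_t i;

    for (i = 0; i < sizeof(records) / sizeof(records[0]); i++) {
        if (scp_parse_file_hdr(records[i], &h) == 0)
            printf("accept: name=%s mode=%04o size=%llu\n", h.name, h.mode, h.size);
        else
            printf("reject: %s", records[i]);
    }
    return 0;
}
```

A real sink would additionally apply the mode through umask and confirm each record with a single zero byte before reading the file body; the point here is only that the file name from the wire must be validated before open() is called on it.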
BindView Security Advisory - Windows NT 4.0 and 2000 contain multiple vulnerabilities in the LPC ports, as described in MS00-070. Implications range from denial of service to local privilege escalation.
e24169f769ff08b95674ca0b151e7ca48901eed39216c7984e0e4d0e2e4797ae
OpenBSD 2.7 local root exploit for /usr/bin/fstat via libutil. Tested against OpenBSD 2.7 i386.
0871c02f9900cd9d31c6b18d39964674456feb034d0b15de1647853203cc0096
Easy Advertiser v2.04 remote exploit. The stats.cgi script used in Easy Advertiser has an insecure open() that allows this exploit to bind a shell to port 60179 running with the privileges of the user the webserver runs as. Netcat is needed locally to use this.
3039f45d2afe1dffcacaeeaa10a0cd1ac319430fdfef2be12356e97c5078f50b
/usr/bin/chpass local EDITOR variable format string exploit for *BSD. Tested on OpenBSD, FreeBSD, and NetBSD.
97b3137f4851f097d02215919feb794baf8bc78203a4d676704fcda9229e4198
Inebriation.c is a local linux/x86 /bin/su + locale libc functions exploit which has been written in response to previous unreliable exploits for this vulnerability. It includes a perl wrapper to find the correct offset, can use GOT overwrites to evade stackguard, stackshield, and libsafe, uses clean overflow string creation, and has documentation and several other usability improvements.
79c94c5fa03623a02f4886cf1b9049e8f2ca654b18f436c51d3c88a2c462c274
There is a vulnerability in the Wingate engine that allows a malicious user to disable all services of the engine by sending an abnormal string to the enabled Winsock Redirector Service. Wingate Home/Standard/Pro version 4.0.1 is vulnerable. The problem has been addressed in Wingate 4.1 Beta A.
adfb54633be316c75b5176b75c94c600197e9e47ad32afe8556a55aab94d4477