Phf remote buffer overflow exploit for Linux x86. This is unrelated to the well known bad filter problem.
Gnomehack v1.0.5 local buffer overflow exploit which gives an egid=60 (games) shell if gnomehack is sgid (2755), tested on Debian 2.2. The same bug also affects Nethack.
Voyant Technologies Sonata Conferencing vulnerability report - Local and remote vulnerabilities have been found in both the Solaris and OS/2 hosts, including reused default passwords, poor file permissions, a lack of host hardening, account enumeration, and an insecure X console.
All versions of the OpenSSH ssh client prior to 2.3.0 have a vulnerability which allows malicious OpenSSH servers to turn on port forwarding even if it is disabled in the client configuration, allowing hostile servers to access your X11 display or your ssh-agent. Newest version available here.
Openwall.c is a local root exploit in LBNL traceroute v1.4a5 which executes the heap instead of the stack, avoiding the openwall kernel patch.
Traceroot2.c - Improved local root exploit in LBNL traceroute v1.4a5. Tested against Debian GNU/Linux 2.2 x86 and sparc, and Red Hat 6.2 x86. Advisory on this issue available here.
Solaris Sparc 2.6 / 7 local root exploit against /usr/bin/passwd which uses the as yet unpatched libc locale bug and bypasses non-executable stack protection.
BSDI /usr/contrib/bin/filter v2.* local buffer overflow exploit. Tested on BSDI 3.0, provides a shell with GID mail.
iXsecurity Security Vulnerability Report - The default installation of Compaq Web-Based Management on a Netware server reveals sensitive system files to anyone who can access TCP port 2301. Allows remote users to read the remote console password. Software version 2.28 verified vulnerable. Compaq advisory available here.
HP/UX 10.20 allows any file on the filesystem to be chmodded 644.
An exploitable buffer overflow vulnerability has been found in phf which is unrelated to the well known bad filter problem. All versions of phf should be removed.
Remote exploit for rpc.sadmind which brute forces the offset. Tested against Solaris X86 and SPARC v2.6 and 7.0.
Remote denial of service exploit for Microsoft Exchange 5.5 SP3 Internet Mail Service. A message containing charset = "" causes the mail service to crash.
Georgi Guninski security advisory #27 - There is a security vulnerability in IE 5.x, Outlook, and Outlook Express which allows searching for files with a specific name (wildcards are allowed) or content. Combined with other local file reading vulnerabilities this allows attackers to search for and retrieve any file on a user's drive. The problem is the "ixsso.query" ActiveXObject which is used to query the Indexing service and, surprisingly, is marked safe for scripting. Exploit code included, demonstration available here.
Many systems have the SUID bit set on cons.saver (/usr/lib/mc/bin/cons.saver), part of the Midnight Commander package. A denial of service vulnerability has been found which allows local users to write a null character into any file reachable through a symlink. Includes proof of concept exploit and a patch for cons.saver.
GBook - A web site guestbook has a remote command execution vulnerability in gbook.cgi.
Dump-0.4b15-1 local root exploit tested on Redhat 6.2.
The Sambar Server v4.4 Beta 4 for Windows 95/NT is vulnerable to a remote denial of service attack due to the con/con bug. Perl proof of concept code included.
Uni2.pl checks a host for the recent IIS unicode vulnerability in 14 different ways. Also gives you the browser URL for the exploit. Originally by Roeland.
The OmniHTTPd web server v2.06 and below contains a remote denial of service vulnerability in /cgi-bin/visadmin.exe.
IIS Unicode remote exploit - Executes commands remotely on IIS 4.0 on NT and IIS 5.0 on Windows NT and 2000.
Poll It v2.0 CGI exploit which binds a shell to tcp port 60179.
Quake World server for Unix v2.30 contains a buffer overflow in the rcon feature which causes the server to crash with a segmentation fault. Proof of concept exploit included.
Gsx-0.90d and below contains a remote denial of service vulnerability which allows remote users to crash the GTK scour client by creating many connections.
Securax Security Advisory #8 - IIS 4.0 contains a denial of service vulnerability which is similar to the unicode vulnerability. This can be fixed by installing the recent unicode patches.