The enq program under AIX has an overflow that exists in the command line argument parsing. This exploit successfully utilizes the vulnerability to escalate privileges to egid=printq. Tested on AIX 4.3.3.
b9aa6fde8e33084acefb4bf66b450b630fbf86049e406631ffdece9bd065b6e7
Hassan Consulting Shopping Cart Version 1.x remote exploit that will spawn a bash shell with the webserver uid.
dea6448742f595a7fb941c5c76e95b1b84e045870de595c28a05c9048dcfd2fa
Xitami WEB/FTP Server for Windows 95/98/NT/2k v2.5b4 has remote vulnerabilities which allow users to view sensitive system information via testcgi.exe. Passwords are stored in plain text. Denial of service is possible.
963cbf8d5f403c450c746e48d4a87ee002babfa21848572bbe2f6ac1680a715f
Packet Storm exploits for the year 2000!
4ae50131fa96b7884e5a06211b6fd3aa3bd9cddb32775d54716fe237e1df0a77
Packet Storm new exploits for December, 2000.
22896c58fc1a2ddb91fc7dcfdefbfd61c874798ef8047086e139fbb6014c7a93
Solaris Wu-ftpd wu-2.4(1) remote root exploit which uses the site exec format string vulnerability. Tuned for Solaris Sparc v2.8 w/ inetd.
845e79245e95e32f9006adac7db0f41adfb93a2b685b71a7e404e3a30bdafb26
Securax Security Advisory #13 - When someone telnets to a unix system, the tty assigned to that session is writable by any user on the system until the login completes; only after the user is logged in does the tty stop being world-writable. So if someone writes data to a tty that is currently in use by someone who is still logging in, that person will not be able to log in. Includes ttywrite.c proof of concept code.
e75a840488618e3a62e3bda5514108f15199ee99169afe9ae87c7041a15d8156
Securax Security Advisory #11 - XFree86 Version 3.3.6 is vulnerable to a remote denial of service attack over tcp port 6000. The server can freeze if sent many characters, requiring a reboot to restore normal operation. Includes Linnuke.c proof of concept code.
d85f44f0f08c172627069fd7c4b1a4471100fdaa8e7642820989936cc36dee3f
7350wu.c is a Wu-ftpd v2.6.0 remote root exploit which does it the proper way. Works on Linux/x86 and FreeBSD.
33f1db59facbfa0648cc1b9e7fac8958fdfbe6056b000bfbd7ca175b8b29af23
Lpr-ng v3.6.24 and below remote root exploit for Linux/x86 which exploits the syslog() format string vulnerability. Tested against RedHat 7.0. Includes the ability to brute force the offset.
45ca5a83e4e3b2935bbcc030e7aa7274b856c0e76c603e32c6c7565d8a05ad2a
Expect v5.31.8 and v5.28.1 contains local buffer overflows. It is possible to exploit any suid/sgid expect application.
8a69e04abc43d9ebdcd6198de5a7b5431ff007a5dca07c47115be8df48b6e33d
GnomeScott local buffer overflow which provides a gid=40 (game) shell on SuSE 6.4 and 7.0.
b91af559b80952154115640a2ad71c7a3af251836cff99bde6dad6259ee95e28
Expect (/usr/bin/expect) v5.31.8 and v5.28.1 local buffer overflow exploit. Tested on Slackware 7.x. Advisory available here.
763a21a0317bfb6f2998e4af7bd10b8c567fd24381ff2cea8e0f004f377ce176
Gnomehack local buffer overflow exploit which provides a gid=60 (games) shell on Debian 2.2.
5ccc4924acae3a7b73ecd24a19febb73d31ccc8e7ed7d704614e4dcbd8d4550a
Kwintv local buffer overflow exploit which provides a gid=33 (video) shell on SuSE 7.0.
d44863b348783f75efca589a0a0b99b6a150e833cd2e1dd95d32999361050380
Fancylogin v0.99.7 local root exploit. Tested on Red Hat 6.1.
6a6d636b942d55b3a7cd1edceb5b8ba35821afd8196ce14ad6e2f04d65c3d913
Securax Security Advisory #12 - Apache 1.3.14 access_log and error_log can be altered somewhat by remote users if the site administrator reads the logs with cat or tail. Includes proof of concept code kosheen.c which attempts to display false values in a remote site's access_log and error_log.
e90beb99adb94acadafbb8f08e10bfc7cc59ecc22dd244a99d29f6720dd48e59
STonX v0.6.5 and v0.6.7 local root exploit. Tested on Slackware 7.0.
c751c9ecd87655ab1f2703c193c5080ea84909a0b48d28666ce7f32edbf5b25e
Linux xconq v7.4.1 local exploit - Gives a gid=games shell by exploiting the -L parameter. Tested on Slackware.
58e72092adb49d8ae668a492bed2721cde6ad0ab1e236ba3ab3787b8b6b8d6f7
OpenBSD v2.6 and 2.7 ftpd remote root exploit.
3bce3b748cccc4e919388bcb98fab8e0032f8b36b13107f0b8d2af7e7591fff5
SuSE identd remote denial of service attack - Uses a long string to set a pointer to NULL.
5428c66fd108f4593af53e80bdb814ea4c560c05eda8deea3e7caaa7e617830e
Solaris 2.7/2.8 /usr/bin/catman allows local users to clobber root owned files by symlinking temporary files. Includes catman-race.pl and ctman-race2.pl for proof of concept.
9a29d9929df3618598e1b73b8901c5d5026303418322bac348f2cc5417e8cef6
The NAPTHA DoS vulnerabilities (Revised Edition - Dec 18) - The NAPTHA vulnerabilities are weaknesses in the way that TCP/IP stacks and network applications handle the state of a TCP connection.
c292602620f5df846e547c83d8ca52048ace27d17ccb5b270d8f412c29746e7c
Voyant Technologies Sonata Conferencing Software v3.x on Solaris 2.x comes with the setuid binary doroot which executes any command as root.
66e1e97f64c7220d0c49571196c3c0b688f31aa0b1d4177776bcaca25289e18f
Omni httpd v2.07 and below remote denial of service exploit. Combines a shell script from sirius from buffer0vefl0w security with a bugtraq report from Valentin Perelogin.
4d3154c89c3ecd6fc2094b5e325fa6c37806583f8e2045d1e514e145f3c09e7b