Packet Storm new exploits for September, 2002.
045ca73a0cacb6605a118c823acedaca1f5dc5f8eed502958f744a3d2c351d5d
CGI-Telnet 1.0, a CGI telnet script that runs on various Unix and NT web servers, has vulnerabilities that can be manipulated into giving a user access. The password file is accessible in the web path and passwords are stored DES-encrypted, so anyone who can fetch the file can attack them offline.
e0b5370c22e2597643e3465f2bbcd9a427ce709060d55d274bb546ca92480c8e
Teolupus OpenSSL Exploiter is an automated OpenSSL vulnerability scanner able to find, log and exploit a server "without human intervention". It is based on Nebunu's apscan2 but has many more targets. Includes openfuckv2 and openssl-too-open, each with more than 130 targets.
ce85e0330ac595ce313685f1e0d5ef79db96eff660b53e1cdb8a6938e169de1c
Apache + OpenSSL v0.9.6d and below exploit for FreeBSD. Tested on FreeBSD 4.4-STABLE, FreeBSD 4.4-RELEASE, FreeBSD 4.5-RELEASE, and FreeBSD 4.6-RELEASE-p1 with Apache-1.3.26 and Apache-1.3.19. Modified to brute force the offset from openssl-too-open.c. Includes scanners. WARNING: The binaries in this archive are infected with the ELF_GMON.A virus, which sets up a backdoor on UDP port 3049. Updated by Ech0. Notice: Previous versions of this .tar.gz (before 3-11-03) had several binaries infected with the linux.osf.8759 virus. This tar contains both cleaned and infected binaries, with the cleaned ones running by default.
284a089a6557cd9d4d23a493e8aced962e8dcf4a523227361dd66fdd462ebab7
Zyxbrut.c is a brute force program written for the ZyXEL router telnet service.
09a2e8873fc29128a79a933087fd6b993b20bc25a6fb311b7d0228b7d714db16
Modprobe shell metacharacter expansion local root exploit for Red Hat 7.x and SuSE 7.x.
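An added illustration of the bug class this entry names (an attacker-controlled name interpolated into a shell command line, so shell metacharacters in it are expanded), shown beside the no-shell pattern that avoids it. This is example code, not the modprobe exploit or the modutils source; the flag string, the metacharacter list and the use of /bin/true as a stand-in program are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters /bin/sh treats specially. Any of these inside a caller-supplied
 * name turns one "modprobe <name>" into several commands when the assembled
 * string is handed to system() or popen(). (Assumed list for the example.) */
static const char SHELL_META[] = ";|&`$()<>\"'\\ \t\n*?[]{}~#";

int has_shell_meta(const char *s) {
    for (; *s; s++)
        if (strchr(SHELL_META, *s))
            return 1;
    return 0;
}

/* Vulnerable pattern: build a command line from untrusted input and let a
 * shell parse it. Shown for comparison only; this program never executes the
 * string. With name = "net-pf-10;id" the shell runs modprobe, then id. */
void vulnerable_build(const char *name, char *out, size_t n) {
    snprintf(out, n, "/sbin/modprobe -s -k -- %s", name); /* then system(out) */
}

/* Hardened pattern: no shell at all. The name is a single argv element passed
 * through execv unchanged, so a ';' is just a byte in a module name. The
 * explicit metacharacter check is belt-and-braces policy on top of that.
 * Returns the child's exit status, or -1 if rejected or on error. */
int run_without_shell(const char *prog, const char *name) {
    if (has_shell_meta(name))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, "--", (char *)name, NULL };
        execv(prog, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    vulnerable_build("net-pf-10;id", cmd, sizeof cmd);
    printf("shell would see: %s\n", cmd);
    printf("no-shell run of benign name: %d\n",
           run_without_shell("/bin/true", "net-pf-10"));
    printf("no-shell run of hostile name: %d\n",
           run_without_shell("/bin/true", "net-pf-10;id"));
    return 0;
}
```

The point of the comparison is that the fix is not quoting or escaping the string better; it is never giving a shell the chance to parse it.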
7fbdc5e8a76bd2dfcc6ee414e1ca54dbf13a22c9c260b4f09dc6008c2feaf6c9
Mandrake 8.2 linuxconf local root exploit.
10ac292ecd095adfff7090099b436f9adcb2b98fee0c74a8249eeff765272b78
Local Apache/PHP root exploit via a libmm temp-file race (apache user -> root). Spawns a root shell from the apache user.
1d5db464c8ba2e2fbf07162312ad2209781d2a9e0aa4407600ee8c2e6029a683
Unicode IIS exploit in Perl. Tries 20 ways.
8662d0aab8bd41a11af165611d21686de5ca89f17b76ea0ca9ec002d6a6ccc07
iDEFENSE Security Advisory 10.01.2002 - It is possible for an attacker to bypass the restrictions imposed by The Sendmail Consortium's Restricted Shell (SMRSH) and execute a binary of his choosing by inserting a special character sequence into his .forward file. Two attack methods are detailed. Patch available.
e1968987be598ce21fb8b01554f9dd70ecddae77782675c6591f723f39c2dab1
Buffer overflow exploit for gv v3.5.8 on Linux which creates the file /tmp/itworked when gv opens the PDF. Some mail readers use gv to view PDFs. Tested on Red Hat 7.3.
17584573625605cf365839d42b6249b81ab8189d3e8207c905c43574b0b985ef
Apache + OpenSSL v0.9.6d and below exploit for FreeBSD. Tested on FreeBSD 4.4-STABLE, FreeBSD 4.4-RELEASE, FreeBSD 4.5-RELEASE, and FreeBSD 4.6-RELEASE-p1 with Apache-1.3.26 and Apache-1.3.19. Modified to brute force the offset from openssl-too-open.c. Updated by Ech0, and ysbadaddn.
d22209dfa296d626007b88527d9af34b681b9169c571f3e5c5859d8428447224
Apache OpenSSL v0.9.6d mass scanner. When a vulnerable server is found, code is launched. Includes targets for Apache 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.26, 1.3.23, and 1.3.14. Includes the openssl-too-open binary.
aa1467984afb050f4cdbdb18e5960709046b1acf4e899c587a3bb5f32f81af72
Linuxconf v1.28r3 and below local exploit which uses the ptrace method to find the offset. Tested on Mandrake 8.0 and 8.2, and Red Hat 7.2 and 7.3.
7c69399dd7f5a08de186e149072b4b0ffad0e4adecf6598bc7fb8d45d8cc6354
Research on the recent OpenBSD select() bug and its possible exploitation. Includes a local denial of service exploit which was tested on OpenBSD v2.6 - 3.1.
a139e465d5432bfb22c8cb02fcaad81f3ba8d7d7f42d2f31a3ad875ca2065362
This exploit uses a symbolic link vulnerability in the Borland InterBase gds_lock_mgr binary to overwrite /etc/xinetd.d/xinetdbd with code that spawns a root shell on TCP port 666.
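The gds_lock_mgr entry above and the libmm temp race earlier in this list are both the same bug class: a privileged process creates or truncates a file at a path an unprivileged user can pre-seed with a symlink, so the write lands wherever the attacker pointed the link. The example below is added here to show the class concretely; it is not code from either exploit or product. It builds a scratch directory, plants a symlink, and compares an open() that follows it with one that refuses. The scratch path under /tmp and the file names are assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unsafe pattern: O_CREAT|O_TRUNC on a predictable path. If that path is a
 * symlink planted by a local user, the privileged write follows it and
 * overwrites the link's target (an xinetd config, a cron file, ...). */
int unsafe_open_for_write(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Safer pattern: O_EXCL makes open() fail if anything already exists at the
 * path (a symlink counts, wherever it points), and O_NOFOLLOW refuses a
 * symlink at the final component. The attacker gets EEXIST/ELOOP instead of
 * a root-owned write to a file of their choosing. */
int safe_create_for_write(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Sets up target file + symlink (constructed scenario), then tries both.
 * Returns 1 if the unsafe open clobbered the target and the safe open refused,
 * 0 if either did not behave that way, -1 on setup failure. */
int symlink_demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char target[256], link[256];
    snprintf(target, sizeof target, "%s/victim.conf", dir); /* "xinetdbd" stand-in */
    snprintf(link, sizeof link, "%s/lock.tmp", dir);        /* predictable temp path */

    int fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    if (write(fd, "original\n", 9) != 9) { close(fd); return -1; }
    close(fd);
    if (symlink(target, link) != 0)       /* the attacker's move */
        return -1;

    /* Privileged writer using the unsafe pattern: follows the link. */
    int ufd = unsafe_open_for_write(link);
    if (ufd >= 0) {
        if (write(ufd, "pwned\n", 6) != 6) { close(ufd); return -1; }
        close(ufd);
    }
    char buf[32] = {0};
    int rfd = open(target, O_RDONLY);
    if (rfd >= 0) {
        if (read(rfd, buf, sizeof buf - 1) < 0) buf[0] = '\0';
        close(rfd);
    }
    int clobbered = strcmp(buf, "pwned\n") == 0;

    /* Same writer using the safe pattern: refuses the planted link. */
    int sfd = safe_create_for_write(link);
    int refused = (sfd < 0) && (errno == EEXIST || errno == ELOOP);
    if (sfd >= 0)
        close(sfd);

    unlink(link);
    unlink(target);
    rmdir(dir);
    return clobbered && refused;
}

int main(void) {
    printf("symlink demo result: %d (1 = unsafe followed link, safe refused)\n",
           symlink_demo());
    return 0;
}
```

O_EXCL alone already defeats a pre-planted symlink; O_NOFOLLOW is added so the same flags also protect an open that does not create. Neither helps if the writer later re-opens the path without them, which is why the real fix is usually a private directory (mkdtemp) rather than a fixed name in a world-writable one.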
d7d156c479c021809f9a0057514db6f1459ab7f03ab76f348bc1c94b1dfed0a8
This exploit abuses the KEY_ARG buffer overflow that exists in SSL-enabled Apache web servers compiled against OpenSSL versions prior to 0.9.6e. The apache-ssl-bug.c exploit is based on the Slapper worm (bugtraq.c), which is itself based on an early version of the apache-open-ssl exploit.
436090b56a7078c33d435bf10253452623305a3c47e6e5c7f13c05a10118fd8d
vBulletin calender.php remote command execution exploit.
696c47bb743d4c61635d2b53c61441cce1ff71882f95ce0d1f8c84b21ee7c0c4
Qute.pl is a Perl script which exploits a buffer overflow in Qstat 2.5b. Since Qstat is not SUID by default, this script is useless.
e9f3bdc1f8a9d0bf7a7f036f80af23bc7c153c77c4f0d5f0a1ab127e999a6df2
iDEFENSE Security Advisory 09.23.2002 - A vulnerability exists in the latest version of the Dino Webserver that can allow an attacker to view and retrieve any file on the system.
173624a149e99e3fffdbb7f4f8d15aad56be0b1f6a78706b17e41d2dd0e718e6
AlsaPlayer contains a buffer overflow that can be used for privilege escalation when the program is setuid. Tested on Red Hat 7.3 Linux with alsaplayer-devel-0.99.71-1. The overflow has been fixed in AlsaPlayer 0.99.71.
2875baab452b93c7ef7d5f24fbb1d46a9fa65f879a5d43f51352eee63870a710
Remote root exploit for Linux systems running Null httpd 0.5.0. Tested to work against Red Hat Linux 7.3.
f3ad09d77c82a11ae03bbf3d43ee72abb5ba62e08fc75bd608fa3668f74758b5
Linux proof of concept exploit for a local buffer overflow in GNU Awk 3.1.0-x.
f62fd32136729fe65cb7f634394e8934f10a695c31a7af7773e53edb7313938d
Compress v4.2.4 local test exploit for Linux systems.
318d7c70b2f38ab00a126f8d8729d585057a31c6d27afedab4e35dbadedd86bc
Qstat 2.5b local root exploit for Linux. Tested on Debian GNU/Linux (Woody). Since Qstat is not SUID by default, this script is not useful for gaining more access to a Linux system.
0d005a95b831a74d01a12035f653c2f4e07221122ab18b3bb24edc23fa876100