Packet Storm new exploits for October, 2003.
d3a79fb09de2d6d9b67f3692d88b62421c4928f44e80f659efe4a16af7a22e6f
WS_FTP server <= v4.0.1 for Windows 2000 remote stack overflow exploit which binds a shell to a port. Requires a ftp account.
b1f4ed5c9d225b1fb7ea0311a240a900e083988c7518ec87774a8c6f0b4fb4fd
PHP-Nuke v6.5 and Spaiz-nuke v1.2 SQL injection exploit written in PHP. Adds an admin account.
47cd69171dda836213caa1d223b99cca8f4117002517f1b0aadbde2461f80ce7
Denial of service buffer overflow exploit for the TelCondex web server v2.12.30210 Build 3285 and below which overflows the HTTP referrer. Fix available Oliver Karow.
cdf578b6896a5021d91c7ec240930f6c8c497603540962d784da890cb64b8c6d
Denial of service exploit for ls, exploited remotely via wu-ftpd v2.6.2. Written in Perl.
7f8789561a1fa3a055ba0e37829696c2e35a87b3a2129c718de82f609d2c8592
The taper program in Redhat 7.3 contains a stack overflow. Note that taper is not setuid.
89a935c740c96748fa0a62389876ff938ee1fb09b87005b568f271a93db7ee97
Sh-httpd v0.3 and 0.4 contain a remote directory traversal vulnerability involving a wildcard character which allows attackers to read any file on the system and execute CGIs. Patch included.
a0ae3eee45856fba670f376c41e9f3a32c4c4558388732713876b66cc0eabf20
PHP-Nuke v6.6 and Spaiz-nuke below v1.2beta remote exploit which allows you to take over the administrator account. In Spanish.
fea203fbdd282ac0f1ddebfc46fcc776162fbcc14818517c43a9ca33da3b0b37
The FlexWATCH surveillance camera server is used by many banks and "secure" places and contains remotely exploitable vulnerabilities which allow remote attackers to view camera footage, add users, remove users, change the configuration, disable camera surveillance, and more.
4dfc8429dbb28abe088145db865dc9a76237fec3689cc388ec2968f37e7ed819
PHP Advanced Poll v2.0.2 contains remotely exploitable PHP code injection, file include, and phpinfo vulnerabilities. Exploit URLs and vulnerable code snippets included. Patch and vulnerability details available here.
6008eb83abb995f5d86ca8e6da5d1c3d4e7dd8f7e12ece0b469a3c5301799f86
Solaris runtime linker (ld.so.1) local root buffer overflow exploit. Bug discovered by Jouko Pynnonen.
02f60b241dd919d6d735402393ba7bf40d3244805b413d1b9dcbc275b2dd3a98
Directory traversal attacks against the iWeb mini http server. Exploit URLs included. Vendor URL here.
2b782c3d3ced2d812d2176f016730c360d3e63673b1bd7984740c4dae9d99983
Xchat script which uses the DCC SEND overflow to kill mIRC clients v6.11 and below.
63d38d58a1234858cf30c84b453361fc91f45e8b2171b2aff2bafd7cbbdaddd8
Exploit for ms03-046 - Microsoft Exchange Server 5.5 and Exchange 2000 buffer overflow, in Perl. Denial of service only.
dc02a00c9d484f730cae974d17f5aa3a118aa3df6f5a4b2305b54e7b02c2a0e4
cpCommerce v0.5f and below contains an input validation error in _functions.php which allows remote arbitrary code execution. Exploit URL included. Fix available here.
82a27c83f94222dae3692667195106e99a8da26568c8204f9da7e758dc5513ad
Information and packet capture of the mIRC v6.11 and below DCC SEND buffer overflow exploit which crashes the client.
b62cb9645cd0d4b5e6523993aae3f46bbb8843c464d881ef3029941da07d7097
Iwconfig local proof of concept exploit - Causes a segfault. Note that iwconfig is not setuid.
867f82eb7dcfc7a51d785f60e5b6f4bdc86928b16aa0629292f6687d0fe23112
DeskPRO v1.1.0 and below do not adequately filter user provided data, allowing a remote attacker to insert malicious SQL statements into existing ones. Allows attackers to login to the system as an administrator without knowing the password.
983ccb3475e6d82e382857c1d96466127ac14546a3310ec3ddb85f10f737178d
mIRC v6.1 and below remote exploit which takes advantage of the bug described in mirc61.txt. Creates an HTML file which overflows the irc:// URI handling, spawning a local cmd.exe window. The exploit works even if mIRC is not started - the HTML can be in an HTML email or on a web page. Tested against Windows XP build 2600.xpclient.010817-1148.
4cd0bf42beaab24a9681b6932162eb72775c3439db6704c72c2c8e2f9991b043
Remote denial of service exploit for the Microsoft Messenger service buffer overflow described in ms03-043 which causes the target machine to reboot. Includes the ability to send the packet from a spoofed source address and requires the remote NetBIOS name. Tested against Windows 2000 SP4.
e48b844bc994ff34f0e2029f0cb487338b88afdd156b72483f465c14da1a3d48
Local exploit for Oracle Release 2 Patch Set 3 Version 9.2.0.4.0 for Linux x86 that makes use of a buffer overflow to escalate user privileges via the oracle binary.
2c21dea3eb6b73fa7a98866ffe0291269326fe9469746e2067e9471a004ab542
The Linksys EtherFast Cable/DSL Firewall Router BEFSX41 (Firmware 1.44.3) is susceptible to a denial of service attack when a long string is sent to the Log_Page_Num parameter of the Group.cgi script.
f1c0300dc00e219b8dbc03dbdfde2f6bb99cf9e08b84db923315190b4e59337b
Simple notes on how to exploit GAIM via the festival plugin, which was written quite poorly.
4ff6480817604dff4307edce42b3b214d5c319bf340fadc144ba47a1476fb3c8
The slocate package version 2.6 has a heap overflow that can be used to escalate privileges.
6ba8b2301f291c7b2a07530eefefa4b0453357391429f5eb3cd5ef3de679a744