Multi-Dos is a Perl script which exploits recent DoS overflows in about 14 different Windows-based servers.
a65037de1510ccc5626b3a9322e4061a818bffbb2f6cf59e1ba5aef2bfd14477
Perl script which exploits the remote DoS vulnerabilities in PakMail v1.25.
d5ec97d5eb66bdf12849693d9d7f4da2ca0fc3a2e83ef999d90b969b514a278c
rpc.autofsd remote root exploit for BSD. Attempts to put a root shell on tcp port 530.
e490c2f957124325787c9c8f4f673ad539a7d8f7ebe5f0c7a051a9e4fc192557
The PakMail v1.25 mail server for Windows95, 98, and NT contains remote DoS vulnerabilities for the SMTP and POP3 servers. Exploit example included.
977f2a2808caed8f81f0b3c711b216873b8d13384d701586e96d0cf60c908eed
Most of UnixWare's pkg commands can be exploited to print /etc/shadow, leading to a probable root compromise. Tested on Unixware 7.1. Contains exploits for pkgtrans, pkginfo, pkginstall, pkgcat, and pkgparam.
0bda77b4bfd4fb0d530fdbb0f125b2437e75b360b862295fcd5fbc49d7944cba
Netscape under Windows 95 and NT 4.0 (Win98 is presumably vulnerable as well) allows reading local text and HTML files and files from any domain (reading files of other types is probably possible too). Window spoofing is possible. It is also possible in some cases to read files behind a firewall. This vulnerability may be exploited using an HTML email message or a newsgroup posting. Exploit code included. Demonstration here.
0a3d13522f593106bbaa7d375f521ad98569d9818af2bc967ab41e16e25de2b6
The majority of the UnixWare "pkg" commands, such as pkginfo, pkgcat, pkgparam, etc., are vulnerable to a bug which will allow any user to read any file on the system as a result of their additional "dacread" permission in the privs file.
eed02a6b7a86a7d3af4ec8b75523b340d16c847a4c9f0c75df048402aa31a77e
/var/mail is mode 777 on UnixWare. As such, any user may create a file called /var/mail/ with a mode readable by him and trap all incoming mail. Afraid of getting caught? chown the file to (see my advisory on this subject), leaving it still world-readable.
46ae8ff88d8e772a92c9ba19350af2ed03967745531fb28c4fa5017049596f5c
Although UnixWare's /usr/X/bin/xauto is NOT suid/sgid, we can still overflow a buffer within it and gain root privileges. Exploit included.
1c1b11b96493a0a6c636a63b841987b7379e3ca31f6adcf1fb5f261a46c6bd93
UnixWare allows regular users to use chown to give files away to other users. Tested on UnixWare 7.1.
6a4b1a07cc91d4a9530defc0981f88a0f28de02c2709b9e4a672624b2b3113a4
On Solaris (maybe also AIX) the installation of WebSphere from IBM installs a deinstallation shell script in /usr/bin with mode 777. This gets run by root.
ab14cab6e5574ea1cbe2c6ebaa65c3d72eab077850d8673140f0b2245ad67470
This is regarding a logic bug in the shadow suite that enables a brute force attack for finding and cracking login accounts via telnet (and possibly some other nasty side effects). If the account is locked or does not exist, the telnet connection will drop immediately.
361d517df27985b876da419da8f31aae37d0bb58446e06867cc90115923155ff
A vulnerability has been found that the installation of Internet Explorer 5 introduces in Windows NT through the Task Scheduler service. This vulnerability makes it possible for a user to become a member of the Administrators group if he/she can do an interactive logon. The Task Scheduler service is an "improved" version of the usual Schedule service; they are not the same thing. The Schedule service is replaced by the Task Scheduler when Internet Explorer 5 is installed on Windows NT. Microsoft security bulletin 51 addresses this issue and is available here.
e586b63470a7536dfa7b26cc02b77cf27aea8efa4fc13b852d5f0a78a50e98c8
A serious bug exists in UnixWare 7.1's libc. A buffer overflow in gethostbyname() will allow any user to obtain elevated privileges. My demonstration exploit happened to be "arp", but any program calling this function will do.
33ff95b3f628171302cc481f7d84bd468b39f1cbee5eefe342b2237ec3c91cdd
SCO UnixWare 7.1's sgid-sys /usr/bin/uidadmin will allow any user to gain root privileges as a result of its ability to write *ANY* file, not just those traditionally writable by gid-sys. Exploit for 7.1 included; 7.0 is vulnerable as well.
e3601c95a78b23bc230de20b8d8323da8152ce4edc6999c9572c383340376a25
There is a local/remote DoS attack against Serv-U FTP Server v2.5a. Source / binary available here.
d83888fc7f71eee75b5beae3a3c7641437bf142bd15113b4fdd74e42c083547c
Internet Explorer 5.0 under Windows 95 (other versions are presumably affected) with its default security settings allows frame spoofing. The problem is that the location of a frame can be set to an arbitrary URL without updating the address bar. This vulnerability allows misleading the user into believing he is browsing a trusted site, while in fact he may be browsing a hostile site which might be stealing information. Exploit code included. Demonstration here.
09497b7b50c16e58218c28a33279ed5882e86027db0bc70e9c6a2f753e1b716c