Showing 76 - 100 of 128

Files from David Litchfield

Email address: david at davidlitchfield.com
First Active: 1999-08-17
Last Active: 2017-09-14
adobexfdf.txt
Posted Mar 4, 2004
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory #NISR03022004 - Adobe Acrobat Reader version 5.1 is susceptible to a buffer overflow when an xfdf file is parsed and an unsafe call to sprintf is made.

tags | advisory, overflow
SHA-256 | 5c2fe87f3086d81cece64a96a65a42cdbe85f107673aa6bbea41d68b9a187dfe
NGSoracle.txt
Posted Nov 6, 2003
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory #NISR05112003 - Multiple Oracle Application Server SQL injection vulnerabilities exist for all OS platforms with Oracle 9i Application Server Release 1 and 2 and RDBMS.

tags | advisory, vulnerability, sql injection
SHA-256 | c14bf67a31522701aa71637b6fe672b5b213d2b13fe5d981c029e99e1d4ae4cf
defeating-w2k3-stack-protection.pdf
Posted Sep 13, 2003
Authored by David Litchfield | Site ngssoftware.com

Thorough paper discussing how to defeat the stack based buffer overflow prevention mechanism in Microsoft Windows 2003 Server.

tags | paper, overflow
systems | windows
SHA-256 | b38cd24d571d9497d31fa51821bf46da5ded71c3cc615f565477fda2effa5f09
NGSextproc.txt
Posted Jul 28, 2003
Authored by David Litchfield, Chris Anley | Site ngssoftware.com

NGSSoftware Insight Security Research Advisory #NISR25072003 - In an attempt to fix previous vulnerabilities discovered by NGSSoftware, the Oracle RDBMS fix patched the hole but left a logging function vulnerable to a stack overflow.

tags | advisory, overflow, vulnerability
SHA-256 | 237dd712fc93400a7d9eed9e111f3ab5238fd5fcb2322857fa12ec0d69be3187
SLWebmail.txt
Posted May 8, 2003
Authored by Mark Litchfield, David Litchfield | Site nextgenss.com

NGSSoftware Insight Security Research Advisory #NISR07052003B - SLWebMail 3 is vulnerable to various buffer overflows in many of its ISAPI DLL applications including showlogin.dll, recman.dll, admin.dll, and globallogin.dll. It is also vulnerable to arbitrary file access via ShowGodLog.dll which does not even force authentication prior to use. Physical paths can also be determined by making invalid requests to certain DLLs.

tags | advisory, overflow, arbitrary
SHA-256 | 54067ee210fce9b8f593df9b701aad1f9b7f8d14e93cc22925ce3b332df7bdb6
SLMail.txt
Posted May 8, 2003
Authored by Mark Litchfield, David Litchfield | Site nextgenss.com

NGSSoftware Insight Security Research Advisory #NISR07052003A - SLMail 5.1.0.4420 suffers from multiple remotely exploitable buffer overflows in its SMTP engine, poppasswd and pop3 server.

tags | advisory, overflow
SHA-256 | f1596ac171952997d68b570e48c7d33e603793b70bb773d5a05f225bd2eec995
ngs-2904.txt
Posted Apr 30, 2003
Authored by David Litchfield | Site ngssoftware.com

Software Insight Security Research Advisory #NISR29042003 - A classic stack based buffer overflow vulnerability exists in the Oracle database server that can be set up for exploitation by providing an overly long parameter for a connect string with the 'CREATE DATABASE LINK' query.

tags | advisory, overflow
SHA-256 | c3f8b0302120eee28deb89f9e37d6fc46825608d07e31b5127eebc4b72b60651
Hackproofing Lotus Domino Web Server
Posted Dec 12, 2002
Authored by David Litchfield

Whitepaper called Hackproofing Lotus Domino Web Server.

tags | paper, web
SHA-256 | e72c2b8f13fb6814be70f4f3f1c13a46b474daf15badd237d92bab4ce9ce1bbd
sql2.exe
Posted Nov 19, 2002
Authored by David Litchfield, Lion

MSSQL Server 2000 SP0 - SP2 remote exploit which uses UDP to overflow a buffer and send a shell to tcp port 53. Windows binary, C++ source code here.

tags | exploit, remote, overflow, shell, udp, tcp
systems | windows
SHA-256 | d6907914ee2d6127262ab91de8878fe5f9b1afe9e8cda7d6345fd2c14feeb2fe
sql2.cpp
Posted Nov 19, 2002
Authored by David Litchfield, Lion

MSSQL Server 2000 SP0 - SP2 remote exploit which uses UDP to overflow a buffer and send a shell to tcp port 53.

tags | exploit, remote, overflow, shell, udp, tcp
SHA-256 | 7044113295ae8d7257c9af9f64073d4d2e4576635263c471c511b95c4f6eb551
ora-isqlplus.txt
Posted Nov 19, 2002
Authored by David Litchfield | Site ngssoftware.com

The Oracle iSQL*Plus 91 R1 and R2 web based application has an authentication buffer overflow on all OS's in the User ID parameter which allows remote attackers to execute arbitrary code as the oracle user on Unix and SYSTEM on Windows. Patch available here.

tags | exploit, remote, web, overflow, arbitrary, sql injection
systems | windows, unix
SHA-256 | 1721781c18414d0033b5c54cab225544447998747b4d67107efcbc20286bb7b9
mssql-webtasks.txt
Posted Oct 22, 2002
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Security Advisory - Microsoft SQL Server 2000 and 7 allow attackers to gain control of the database by elevating their privileges by using the xp_runwebtask stored procedure. Fix available here.

SHA-256 | 0993da5c8ab7c5ff24d06d11c71e7c6166e5eef4f669d081f8f47da07b21ae30
mssql-sp_MSSetServerProperties.txt
Posted Sep 4, 2002
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Security Research Advisory NISR03092002 - The sp_MSSetServerProperties stored procedure in Microsoft SQL Server 2000 contains a low risk issue which allows remote users to decide whether or not SQL Server starts up automatically. This does not allow an attacker to compromise the server or data but may be used in conjunction with another attack.

tags | remote
SHA-256 | 2d8b8761c587c92d162bdf1ffcb36e42ec190e63cc9a5e3406c3b2a332cc6519
dotnet-msde.txt
Posted Sep 4, 2002
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Security Research Advisory NISR03092002B - The Microsoft Windows .NET Server Release Candidate contains a buffer overflow in name resolution which allows an attacker without a userID or password to take control of the server with a single packet to UDP port 1434 on the machine running MSDE. Fix available here.

tags | overflow, udp
systems | windows
SHA-256 | 9db34630d664597a8cf29192735e45564c2d9e401bac5a6b0d4ed6fab67a82c6
mssql-udp.txt
Posted Sep 4, 2002
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Security Research Advisory NISR25072002 - Microsoft's database server SQL Server 2000 exhibits two buffer overrun vulnerabilities that can be exploited by a remote attacker without ever having to authenticate to the server. What further exacerbates these issues is that the attack is channeled over UDP port 1434. Whether the SQL Server process runs in the security context of a domain user or the local SYSTEM account, successful exploitation of these security holes will mean a total compromise of the target server and its data.

tags | remote, overflow, local, udp, vulnerability
SHA-256 | 7374876a71fb3fcb12a28e6f8cfb96087512b03f0bc58422af03eaa003fa9944
mssql-sp_MScopyscriptfile.txt
Posted Aug 23, 2002
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Security Advisory NISR22002002A - Microsoft SQL Server 2000 SP 2 allows unprivileged users to insert and run arbitrary commands because a public stored procedure fails to validate user input before passing it to xp_cmdshell. Fix available here.

tags | arbitrary
SHA-256 | ec956303773437c9c86299281915cc489c31d1aba9eef2f1ee381b8c865bfd6d
mssql-jobs2.txt
Posted Aug 21, 2002
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Security Advisory NISR19002002A - Microsoft SQL Server 2000 and 7 come with a "helper" service which allows a low privileged user to create and overwrite arbitrary files on the SQL server. Includes proof of concept SQL code.

tags | arbitrary, proof of concept
SHA-256 | d00fd77d758ad8f157ea1a193c0b5f00842cddd2ba606d82b82ca8b386411279
mssql-esppu.txt
Posted Aug 16, 2002
Authored by David Litchfield | Site ngssoftware.com

NGSSoftware Security Advisory - Microsoft SQL Server 2000 and 7's helper service allows an attacker to submit jobs to the SQL Agent to be executed with elevated privileges. Proof of concept SQL code included. This vulnerability is discussed in MS02-042.

tags | proof of concept
SHA-256 | 9bf0a97cb7b8ed59e9098bf029a62f468d0bfbd94895eae5891363aff1545a15
oralist.txt
Posted Aug 16, 2002
Authored by David Litchfield | Site ngssoftware.com

Oracle provide a tool called the Listener Control utility (lsnrctl) to allow an Oracle DBA to remotely control the Listener. The Listener is responsible for dealing with client requests for database services. This control utility contains an indirect remotely exploitable format string vulnerability. By default the Oracle Listener is not protected against unauthenticated access and control. The configuration files of Listeners in such a state can be modified without the user needing to supply a password. By modifying certain entries in the listener.ora file, by inserting a format string exploit, an attacker can gain control of a Listener control utility.

SHA-256 | 670c33c99fb1077f6adc54c6ef7f9e82ca3f1c4fcc69fdf1ecde9e16b02514fa
cracking-sql-passwords.pdf
Posted Jul 10, 2002
Authored by David Litchfield | Site ngssoftware.com

Information on cracking the Microsoft SQL pwdencrypt() hash function which is used to generate SQL hashes.

tags | paper, sql injection
SHA-256 | 5c2b4319be1979dcbd27e7fd3420df3b66d393c7fcb09d4c8682d6c6694cd701
iplanet.search.txt
Posted Jul 10, 2002
Authored by David Litchfield | Site ngssoftware.com

The Sun iPlanet Web Server iWS 4.1 and 6.0 contains a remotely exploitable buffer overflow if the search feature is enabled.

tags | web, overflow
SHA-256 | 569fc6dbae95b454b1cb7139d2f9325513c3521f10923c0642d0afb59f288e67
ora-reports.txt
Posted Jun 13, 2002
Authored by David Litchfield | Site ngssoftware.com

The Oracle 9iAS Reports Server contains a remotely exploitable buffer overrun vulnerability in one of its CGIs. By supplying an overly long database name parameter to rwcgi60 with the setauth method, an attacker can run code with the privileges of the web server, or SYSTEM on Windows.

tags | web, overflow, cgi
systems | windows
SHA-256 | 36a7f0df817729ef91da8556ccad29083ab8e3a5fd0b1f644b31ce787342fffa
ora-lsnr.txt
Posted Jun 13, 2002
Authored by David Litchfield | Site ngssoftware.com

The Oracle TNS Listener version 9i contains a buffer overflow vulnerability which can be exploited over tcp port 1521 to gain remote SYSTEM / root access. By supplying an overly long SERVICE_NAME parameter an attacker can execute code before any logging is done.

tags | remote, overflow, root, tcp
SHA-256 | 09848a3033d275f59cf4d5ef91914e928a9a4fc43a64f46b30fa0e2a771e35d4
jrun.txt
Posted May 30, 2002
Authored by David Litchfield | Site ngssoftware.com

Macromedia JRun v3.1 for IIS 4/5 on WinNT 4/Win2K contains a buffer overflow which allows remote code execution as the local system account.

tags | remote, overflow, local, code execution
systems | windows
SHA-256 | 2bd79d12f83316af1256e8abf3f82e65b0e812edc901f4c331319be81254b1ee
sparc.zip
Posted Jan 25, 2002
Authored by David Litchfield | Site atstake.com

This document describes buffer overrun vulnerabilities on Sun Microsystems SPARC machines. We will begin by examining the SPARC architecture, looking at the registers and the stack. We will then go on to see exactly how buffer overrun vulnerabilities occur and how control over the process's execution is gained under SPARC, and then detail how, from here, the vulnerability can be exploited to gain control over the computer by looking at exploit code that spawns a shell under Solaris.

tags | paper, overflow, shell, vulnerability
systems | unix, solaris
SHA-256 | ea2827088b20a431d2ee4be68183cd2ee8cf525ff70d198af4b747cffecabe5c
© 2022 Packet Storm. All rights reserved.