Antidote for RFPoison (Followup to RFP9906) Recently I released RFP9906: NT denial of service in services.exe (RFPoison). I included a limited sample exploit that would demonstrate the problem. Since then, I've worked with a few individuals and confirmed some configurations what will protect your system.
7d04c58afabcfae0c9ad8108d86888643b7d5e722aed854e013a8a8b7ccdde5eCaezar's Regwrite Injector.
18f265b0c7ffd9bd2c806086ff86d495d2898142655f0355ff5dee004831c1ceThis is a auto logger for Amuser-net BBS which is used in the many Japanese underground sites
80653f6e1487e011985dfd86c164d0cf36943b4d7308752dc4124f262cb28c83This utility lists the servers which have the security vulnerabilities of CGI program. This utility supports the pht, test-cgi, nph-test-cgi, campas, htmlscritp, servce, pwd. The addition of new vulnerabilities is very easy.
d4a27daf41edaca44387d84582a47076dd8c2e2c284b8050549e4fece0afa2f9The simple full-connection TCP port scanner. This utility lists the servers that open the specified port.
2c2f178a0939dd3208042185eefd81b52fe57d32f8e190530bd6b4b8757524b9Admintool local root exploit for Solaris2.6/7 Sparc machines.
b69c9cefb259fec08d07e73ec2112aafb9dd38c3c3df8295a4ee405733e2666dWe found the overflow bug of AL-Mail32 Ver1.10. It overflows when that receives the long message of From: or Reply-To:. If the POP3 server send the long reply message that contains the exploit code, client executes any code. This exploit code execute any command on the target windows.
707e8900f91b20b7c4ce906c63a00e36b79aa06a48654a492b594792e64b7447The test CGIs which are distributed with AN-HTTPd 1.20b contain the remote command execution problem.
2b6555ec7dadb833a618b2504a1b544225684da50219f4b22cbe90e83f51425bLocal root exploit code for buffer overflow in canuum for Japanese Linux.
fd52577360eeaf28add4cfb979dda4918874e018bf645981ba365c5ede4420e4We found the overflow bug of CHOCOA 1.0beta7R. It overflows when that receives the long TOPIC. If the server send the long TOPIC that contains the exploit code, client executes any code. This exploit code execute any command on the target windows.
1d808b55df808f181f7c029bf9268dfc7cd5c39061fb3906cefe50db633b1825We found the overflow bug of CMail Server 2.3 SP2. It overflows when that receives the long MAIL FROM: in SMTP handling. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the CMail Server 2.3 SP2.
c5662e8f3a1f97a425d8e0c04ec0eb3a1a5d42a218a8a4a487fe02fc9ace09fdBuffer overflow in E-MailClub Ver1.0.0.5. It overflows when that receives the long From: in POP3 handling. If the host recives the mail which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example generates the e-mail which contains the exploit code that reboot the target host. This exploit is coded for Windows98 Japanese edition, but if you change some parameters written in the sample exploit program, it will may works on Windows95 and WindowsNT.
eb5bb461b617975286628c613e3683c4e15675996639c870d9fababc85a7a212We found the overflow bug of FuseMail 2.7. It overflows when that receives the long USER or PASS in POP3 handling. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the CMail FuseMail 2.7.
309610ace7f1c7fb6114ed72658bed907b4988c547c4ac6b184fd6b386bdd773We found the overflow bug of IBM HomePagePrint 1.0.7. If the visitors "print" or "preview" the web page which contains the long IMG SRC tags, the buffer overflow occurs. If this application reads the IMG SRC tag which is contained the exploit code, the host will be cracked. This sample generates a HTML file which is contained the exploit code that executes any command on the users' host.
5b41c9cf0b6067f3542e27cb0432a55a0de1c7f63f761bf8d438001347254958Microsoft Internet Explorer 4/5 overflows when the handling of "file://" specification. We coded the following sample codes. This codes generates the HTML file that reboots the client PC if the visitor uses IE4 for Windows98.
042079790a6a4e9b858fb430e1f60928c5954d79784d84570c99351187dc48e4This is overflow exploit for IE5.
af06e379b7a306fde53304718b7a6241229b6901fa31f4561c882f3b0b99c9d2Imagemap CGI which is written by C language is distributed with OmniHTTPd Pro2.04(shareware) and Ver1.01 (freeware), it has a security hole by the buffer overflow. Any instructions can be executed on the victim host by using this buffer overflow bug.
23049799fe2224b9687d2345582b6e2e023c1ecd39d0e9ef35a33a70b0a2fc7dThe popular Image viewer "Irfan View32" contains the buffer overflow problem, this problem exists in the handling of Adobe Photoshop image file. This code generates the jpg file which contains the exploit code that generates "exp.com" in "c:\" and executes it. "exp.com" is a simple demo program, there is no danger.
5a4c0197a83f99d759c5a6f2d4a089f21af960881b1053185810e9ea7530d600Exploit code for Solaris 2.6, 2.7 (sparc) libc/LC_MESSAGES buffer overflow that results in root compromise.
d3475dfd6a18d0ea0ebae341315790632e0506dde74ffd73896455098c786437Midi-Plugin program "YAMAHA MidiPlug 1.10b" for Windows IE4/5 contains the buffer overflow bug. If the long "TEXT" variable is specified in EMBED tag, the buffer overflow occurs. If attacker sets the exploit on the webpage, visitor's host will be cracked by the any instructions written in the "TEXT" variable.
2a70605bc9b04a24265c00812b131cf21426f0181e4073c6572a7373e6ba4550We found the overflow bug of NetcPlus SmartServer3. It overflows when that receives the long MAIL FROM: in SMTP handling. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the NetcPlus SmartServer3. T
49069946261916158d6a9396a9ecd8ea197a8009a2efbd25d17a2127840d6082We found the overflow bug of NextFTP Ver1.82. It overflows when that receives the long message of CWD reply. This exploit code execute any command on the target windows, but, if you modify the exploit code, you can send any codes such as the format or remove program, virus, trojan, and so on.
47d7736f87fb1530ec150962846999918098ac81ec6b671d35f46b6d4f89c748This is another personal mail server remote exploit. I also publish the exploit program that can send a trojan program which is prepared in the attacker host. Of course, it can be executed remotely. If the trojan program is sent, the victim machine will be controlled remotely.
1af18d870379d2efed6f956b9fbb2f89036673b7b62305dd1f0f23b667612ebaWe found the overflow bug of Personal Mail Server 3.072-3.09. It overflows when that receives the long MAIL FROM: in SMTP handling. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the Personal Mail Server 3.072-3.09
17339bed057ac8c0881bb3241b027969045a6a6d6911f4b0556a91f69c0c65c8Local root exploit for buffer overflow condition in sdtcm_convert, for Solaris Sparc machines.
a0d7c588f719baff069310b8f91c793cc31be84e8863b2e4edbb769adf0abb05
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed