Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.
558bc757ee8a6481d9b014417a2378a9d3bc6e01e240f1411ccf84a919f8d209
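The two ideas behind a checker like the one above are a hashed baseline of the monitored files and a signature over that baseline so an intruder who rewrites the files cannot also silently rewrite the database. The following is an added example, not Samhain's code; the in-memory "filesystem", the paths and the signing key are all constructed for illustration.

```python
"""Added example (not Samhain's code): hashed baseline plus an HMAC-signed
baseline, run against a constructed in-memory filesystem."""
import hashlib
import hmac
import json

# Constructed sample filesystem: path -> file contents. Not a real host.
ORIGINAL_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/bin/login": b"\x7fELF-login-binary-v1",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}

# Hypothetical key. A real deployment keeps it off the monitored host
# (Samhain's model is to keep the signed database on the server side).
SIGNING_KEY = b"example-key-not-for-production"


def build_baseline(fs):
    """Hash every file; the baseline is path -> hex SHA-256."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(fs.items())}


def sign_baseline(baseline, key):
    """Serialise deterministically and attach an HMAC-SHA256 tag."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"baseline": baseline, "tag": tag}


def verify_signature(signed, key):
    """Recompute the tag over the stored baseline and compare in constant time."""
    body = json.dumps(signed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["tag"])


def check(fs, signed, key):
    """Return (signature_ok, report). The report lists modified, removed and
    added paths; it is empty when the signature does not verify, because an
    unsigned baseline says nothing trustworthy about the files."""
    if not verify_signature(signed, key):
        return False, {}
    baseline = signed["baseline"]
    current = build_baseline(fs)
    report = {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }
    return True, report


def demo():
    """Two tamper scenarios against the same signed baseline."""
    signed = sign_baseline(build_baseline(ORIGINAL_FS), SIGNING_KEY)

    # Scenario 1: /bin/login is replaced and a new binary appears in /tmp.
    tampered_fs = dict(ORIGINAL_FS)
    tampered_fs["/bin/login"] = b"\x7fELF-login-binary-backdoored"
    tampered_fs["/tmp/.x"] = b"\x7fELF-suid-helper"
    ok1, report1 = check(tampered_fs, signed, SIGNING_KEY)

    # Scenario 2: the intruder also rewrites the baseline to match the new
    # files, but cannot recompute the tag without the key.
    forged = {"baseline": build_baseline(tampered_fs), "tag": signed["tag"]}
    ok2, _ = check(tampered_fs, forged, SIGNING_KEY)
    return ok1, report1, ok2


if __name__ == "__main__":
    print(demo())
```

Scenario 1 reports `/bin/login` as modified and `/tmp/.x` as added; scenario 2 fails the signature check before any file comparison is made, which is the property the signed database buys you.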
Lsof is an extremely powerful unix diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes currently running on the system. It easily pinpoints which process is using each network connection / open port. FAQ available here.
f3bc1c5631f36073b92c9614c9ca82d6a9d8dfec135bdb95d79901f828332801
CERT Advisory CA-2002-35 - Cobalt Raq4 systems with the Security Hardening Package installed allow remote attackers to execute code as root because overflow.cgi does not adequately filter input destined for the email variable.
0f6f2e8184209658ee339e366fe5d0badc0607061e7156cc51ba6d1df49804c4
Microsoft Security Advisory MS02-070 - A flaw in the implementation of SMB Signing in Windows 2000 and Windows XP enables attackers to silently downgrade the SMB Signing settings on an affected system, causing either or both systems to send unsigned data regardless of the signing policy the administrator had set. Although this vulnerability could be exploited to expose any SMB session to tampering, the most serious case would involve changing group policy information as it was being disseminated from a Windows 2000 domain controller to a newly logged-on network client. Doing this, the attacker can take actions such as adding users to the local Administrators group or installing and running code of his choice on the system.
96e6063a616fc74df791bacd1467819287ac6ed0f6d2d0080f21a501e53a28ea
Microsoft Security Advisory MS02-069 - Eight serious vulnerabilities were discovered in Microsoft VM which allow remote code execution via HTML email and malicious web pages.
f4af9d4c01a18e7ea7461b5d3985e9a101361a16870c806c84743c038cceefab
Whitepaper called Hackproofing Lotus Domino Web Server.
e72c2b8f13fb6814be70f4f3f1c13a46b474daf15badd237d92bab4ce9ce1bbd
Pc-cillin pop3trap.exe buffer overflow exploit in perl. The return address is slightly off, so as written it only causes a denial of service, but it could be adjusted to execute shellcode that downloads a trojan.
8243cebd28bc9dc9a0fc4bca0bc3789808f36fb517a6a3f0b81c499438776f38
SunOS 5.6,5.7,5.8 remote /bin/login root exploit which uses the vulnerability described here.
762c482e53fa3ebd68fcb908fb91f3c8ff15e6d084aa07cd2ab6ce4ec51bf980
HTTPda is a perl script that searches a remote site for forms, .cgi and .pl files.
a3a3bab1e06d96a25c57f97e38cf006c4f87a7a73c39b74655b5d7f80e29a0ea
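What a script like HTTPda does on each page it fetches is pull out form actions and any link or resource whose path points at a CGI script. The following is an added example, not HTTPda's code; the HTML page and the host names are constructed, and the network fetch is left out so it runs offline.

```python
"""Added example (not HTTPda): extract forms and .cgi/.pl targets from a page.
The sample HTML and host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed page as a remote site might serve it.
SAMPLE_HTML = b"""<html><body>
<form action="/cgi-bin/login.pl" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="search.cgi">
  <input name="q">
</form>
<a href="/cgi-bin/guestbook.cgi?view=1">Guestbook</a>
<a href="http://other.example/counter.pl">Counter</a>
<a href="/about.html">About</a>
<img src="/cgi-bin/Count.cgi?df=x">
</body></html>"""

BASE_URL = "http://target.example/dir/"   # hypothetical page URL


class ScriptFinder(HTMLParser):
    """Collect (method, action) for forms and absolute URLs of CGI-looking paths."""

    def __init__(self, base, same_host=True):
        super().__init__()
        self.base = base
        self.same_host = same_host
        self.forms = []
        self.scripts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "form":
            action = urljoin(self.base, a.get("action", ""))
            self.forms.append((a.get("method", "get").upper(), action))
            self._note(action)
        elif tag == "a" and a.get("href"):
            self._note(urljoin(self.base, a["href"]))
        elif tag in ("img", "script", "iframe", "frame") and a.get("src"):
            self._note(urljoin(self.base, a["src"]))

    def _note(self, url):
        if self.same_host and urlparse(url).netloc != urlparse(self.base).netloc:
            return
        path = urlparse(url).path.lower()
        if path.endswith((".cgi", ".pl")) or "/cgi-bin/" in path:
            self.scripts.add(url)


def find_scripts(html, base, same_host=True):
    """Return (forms, scripts): forms as [(METHOD, absolute action)], scripts sorted."""
    p = ScriptFinder(base, same_host)
    p.feed(html.decode("utf-8", "replace"))
    p.close()
    return p.forms, sorted(p.scripts)


if __name__ == "__main__":
    forms, scripts = find_scripts(SAMPLE_HTML, BASE_URL)
    for method, action in forms:
        print("FORM", method, action)
    for url in scripts:
        print("CGI ", url)
```

Relative actions such as `search.cgi` are resolved against the page URL, and a form with no `method` is reported as GET, which is what browsers do; the `same_host` flag drops the off-site `counter.pl` link so the list stays on the site being audited.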
Sendmaild.c is a local root exploit for Sendmail on BSD. Exploits the bug discussed in FreeBSD-SA-01:57. Tested on FreeBSD 4.3-RELEASE with Sendmail 8.11.3.
af378464c45ce674f69dcef1b241d4a304679c343fa1f55700fd04fe7f29c324
Some information on the Common Gateway Interface (CGI).
8b26cd32cbd0a8326977f61fce8ef55d9a9016bc2750bd213be84e63a401d2b0
/usr/sbin/chat local buffer overflow exploit. Tested on Redhat 6.2. Chat is not suid by default.
f723fc7663cbe3a0175c84613c487f43811558694a530902e3c7948cc38375a8
Libcodict is a user-friendly "combo dictionary" C API developed to ease dictionary handling when writing open source security audit tools. Combo dictionaries are a different approach from the traditional plain dictionary, which pairs a user list with a separate list of commonly used passwords. When auditing a server environment, one of the biggest tasks is removing all default users from old UNIX machines that never got any attention after installation. Using a list of default users together with their commonly used passwords is the main idea behind this library.
633c06df61c744d927b6cde6a656b8f6c3da902f8993b3dc83e2cb0553597cd4
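The difference between the two dictionary styles is easiest to see in code: a combo dictionary is a list of (user, password) pairs that ship together as vendor defaults, so each pair is tried once, whereas the traditional approach crosses every user with every password. The following is an added example, not Libcodict's API; the dictionary entries and the target account table are constructed, and `try_login` stands in for a real authentication attempt.

```python
"""Added example (not Libcodict): combo dictionary versus user-list x
password-list, audited against a constructed account table."""
import itertools

# Constructed combo dictionary: (user, password) pairs that are installed
# together as defaults. Illustrative entries only.
COMBO_DICT = [
    ("root", "root"),
    ("admin", "admin"),
    ("guest", "guest"),
    ("oracle", "oracle"),
    ("informix", "informix"),
    ("lp", "lp"),
    ("uucp", "uucp"),
]

# Traditional inputs: a user list and a separate common-password list.
USERS = ["root", "admin", "guest", "oracle", "informix", "lp", "uucp"]
PASSWORDS = ["root", "admin", "guest", "oracle", "informix", "lp", "uucp",
             "password", "123456"]

# Constructed target: accounts and their current passwords. Stands in for
# the host being audited; three defaults were never changed after install.
TARGET_ACCOUNTS = {
    "root": "s3cure-r00t",
    "admin": "admin",
    "informix": "informix",
    "lp": "lp",
    "www": "x",
}


def try_login(user, password):
    """Stand-in for an authentication attempt against the audited host."""
    return TARGET_ACCOUNTS.get(user) == password


def audit_combo(combos):
    """Combo style: each default pair is tried exactly once."""
    hits = [(u, p) for u, p in combos if try_login(u, p)]
    return hits, len(combos)


def audit_cartesian(users, passwords):
    """Traditional style: every user against every password."""
    attempts = list(itertools.product(users, passwords))
    hits = [(u, p) for u, p in attempts if try_login(u, p)]
    return hits, len(attempts)


if __name__ == "__main__":
    hits, n = audit_combo(COMBO_DICT)
    print(f"combo:     {len(hits)} default accounts found in {n} attempts: {hits}")
    hits, n = audit_cartesian(USERS, PASSWORDS)
    print(f"cartesian: {len(hits)} default accounts found in {n} attempts")
```

Both audits find the same three unchanged default accounts, but the combo run needs 7 attempts against 63 for the cartesian product, and the gap widens with every entry added to either list. Fewer attempts also means fewer lockouts and less noise in the target's auth log, which matters when the audit runs against production hosts.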
IDScenter is a free configuration and management GUI for Snort IDS on Windows platform. Features: Snort 1.9 / 1.8 / 1.7 support, Snort service mode support, Snort configuration wizard (Variables, Preprocessor plugins, Output plugins, Rulesets), Ruleset editor (supports all Snort 1.9.1 rule options), AutoBlock plugin support (ISS NetworkICE BlackICE Defender plugin included, Delphi framework too), Alert notification (via e-mail, alarm sound or only visual notification), Test configuration* feature (fast testing of your IDS configuration), Monitoring of up to 10 files and MySQL alert detection (allows centralized monitoring of all Snort sensors), Log rotation* (compressed archiving of log files), Integrated log viewer, Program execution if an attack was detected, and more.
3a88ed36a87e041f420709ee0d0fae0a1a24a406dd662453951cce94c79db13b
Proftpd v1.2.7rc3 and below remote denial of service exploit which requires an ftp user account or anonymous access to the ftp daemon. Consumes nearly all memory and a lot of CPU. Tested against slackware 8.1 - proftpd 1.2.4 and 1.2.7rc3.
b472b47d7f8b3395438de6ee5627449c27fa18d2e9476e8790d13d7b98047093
Banshee is a fast lightweight mass scanner. Banshee can integrate with other tools like queso or xprobe to extend functionality. Features include port/rpc scanning, easily searchable logging, banner grabbing and more.
6615ccdb02fb1771bc0de830c3d08ed040754774c3a84c84bd5383ecf3940bc8
Ethereal is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Ethereal features that are missing from closed-source sniffers. Screenshot available here for details. The TAP subsystem received major updates. Ethereal can display more statistics, and several graphs have been added to Ethereal. New protocols were added and updated.
ae0ebc58d8c4e631f3858008aea7604efe33b9296a892f9427aacae760e2c0c8
Linux/OSF-8759 aka Linux/OSF-A Virus Cleaner. This program will scan the filesystem and tell you if you have this virus. When the virus is found, it will disinfect the file and hopefully restore the file to its original form. Includes C source. Archive password is set to p4ssw0rd. Use at your own risk.
bff6edc14dc0194eb073936f634185f7312ae609cdfab2ed0dab3cba3f31596a
Tunnel Finder v1.1 is a proxy checker that tests a list of proxies for servers that permit the CONNECT method, which lets an end user tunnel through them for a higher level of anonymity. Checks for SSL proxies as well.
4b444f4daa486243ceeea5eb1bfd6d9673d0ea2cceed67a0a7c357c3a7562414
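A CONNECT check is simple at the protocol level: send `CONNECT host:port HTTP/1.1` to the proxy and look at the status line that comes back. The following is an added example, not Tunnel Finder's code; the proxy addresses and their responses are constructed so the classifier runs offline, and `probe` is the live version of the same check for use against a real proxy list.

```python
"""Added example (not Tunnel Finder): build a CONNECT request and classify
the proxy's answer. Sample responses are constructed."""
import re
import socket


def build_connect_request(target_host, target_port):
    """The request a proxy checker sends to see whether tunnelling is allowed."""
    return (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
            f"Host: {target_host}:{target_port}\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n").encode()


STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def classify_connect_response(raw):
    """Return 'open', 'auth_required', 'refused' or 'not_http' from the status line."""
    first_line = raw.split(b"\r\n", 1)[0]
    m = STATUS_RE.match(first_line)
    if not m:
        return "not_http"          # e.g. a SOCKS server or a closed port
    code = int(m.group(1))
    if 200 <= code < 300:
        return "open"              # proxy will relay bytes to the target
    if code == 407:
        return "auth_required"     # tunnelling exists but needs credentials
    return "refused"               # 403/405/502 etc.


# Constructed responses standing in for what four proxies returned.
SAMPLE_RESPONSES = {
    "10.0.0.1:3128": b"HTTP/1.0 200 Connection established\r\n\r\n",
    "10.0.0.2:8080": b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    "10.0.0.3:8080": (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                      b"Proxy-Authenticate: Basic realm=\"squid\"\r\n\r\n"),
    "10.0.0.4:1080": b"\x05\x00",   # SOCKS5 method selection, not HTTP
}


def find_tunnels(responses):
    """Addresses whose response means CONNECT was accepted."""
    return sorted(addr for addr, raw in responses.items()
                  if classify_connect_response(raw) == "open")


def probe(proxy_host, proxy_port, target_host="example.org", target_port=443,
          timeout=5.0):
    """Live check (not exercised here): send CONNECT and classify the reply.
    Using port 443 as the target is how an SSL-capable tunnel is tested."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_connect_request(target_host, target_port))
            s.settimeout(timeout)
            return classify_connect_response(s.recv(1024))
    except (OSError, socket.timeout):
        return "unreachable"


if __name__ == "__main__":
    for addr, raw in SAMPLE_RESPONSES.items():
        print(addr, classify_connect_response(raw))
    print("open tunnels:", find_tunnels(SAMPLE_RESPONSES))
```

Only the first proxy accepts the tunnel; the 407 is worth keeping in the report separately, since a proxy that demands credentials is still a tunnel endpoint if those credentials are weak or known.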
Solaris 2.7 x86's sacadm has a buffer overflow in the processing of command line arguments. Perl code to test for the bug included.
3a600355f3aad555bb91e5d3bf28689c25c62071e1846b2ddf751c180bc9efd9
A troll attack opens many idle connections from one IP address, denying service to daemons that have long timeouts and a fixed number of client slots.
34a212adbe2cadf2e6f62b47ce0a718e4c9a5e3186e8484b0ab70d0f4c86da6c
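The attack works because a daemon that forks a bounded number of children and waits minutes before dropping a silent client can have every slot held by one source. The pattern it leaves in the connection table is many long-idle ESTABLISHED connections from a single remote address to one local port, which is what the following detection logic looks for. This is an added example, not code from the page; the connection table is constructed, standing in for the fields you would pull from netstat or lsof -i on a live host.

```python
"""Added example: flag the idle-connection pattern of a troll attack and
report how full a daemon's client table is. Connection data is constructed."""
from collections import Counter

ATTACKER = "192.0.2.77"   # constructed source address

# Constructed connection table: (local_port, remote_ip, state, seconds_idle).
# Twelve silent connections from one address to ftp, plus normal traffic.
CONNECTIONS = [(21, ATTACKER, "ESTABLISHED", 300 + 10 * i) for i in range(12)]
CONNECTIONS += [
    (21, "198.51.100.9", "ESTABLISHED", 3),     # real user mid-transfer
    (21, "198.51.100.22", "ESTABLISHED", 41),
    (25, ATTACKER, "ESTABLISHED", 380),         # same source, also poking smtp
    (25, ATTACKER, "ESTABLISHED", 375),
    (80, "203.0.113.5", "TIME_WAIT", 0),
]


def idle_connections_per_source(conns, min_idle=300):
    """Count ESTABLISHED connections idle for at least min_idle seconds,
    keyed by (local_port, remote_ip)."""
    counts = Counter()
    for port, ip, state, idle in conns:
        if state == "ESTABLISHED" and idle >= min_idle:
            counts[(port, ip)] += 1
    return counts


def offenders(conns, min_idle=300, threshold=5):
    """Sources holding at least `threshold` idle connections to one port.
    The threshold should sit well below the daemon's client limit."""
    return {key: n for key, n in idle_connections_per_source(conns, min_idle).items()
            if n >= threshold}


def saturation(conns, port, max_clients):
    """Fraction of a daemon's client slots currently held on `port`."""
    used = sum(1 for p, _, state, _ in conns if p == port and state == "ESTABLISHED")
    return used / max_clients


if __name__ == "__main__":
    for (port, ip), n in offenders(CONNECTIONS).items():
        print(f"port {port}: {ip} holds {n} idle connections")
    # Hypothetical ftpd configured for 16 concurrent clients.
    print(f"ftp slots in use: {saturation(CONNECTIONS, 21, 16):.0%}")
```

With the constructed data the attacker holds 12 of a hypothetical 16 ftp slots, so two more idle connections would lock out every new client for as long as the timeout lasts. The defence the numbers point at is a per-source connection cap below the daemon's total, together with a shorter idle timeout; the two smtp connections from the same address fall under the threshold here but show why alerts should also be rolled up per source across ports.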
Trendmacro is an ISVW V3.6 proxy bouncer and banner grabber in perl. Grabs HTTP banners through a proxy.
aa43f1de04c24c95ac7e59e14e9bbd991950c0f67e3e3b38d7e84adb93926934
Apache 1.3.xx / Tomcat server with mod_jk remote denial of service exploit which uses chunked encoding requests, as described in Qualys Security Advisory QSA-2002-12-04.
26c922cb94695de52658f3b16ebbeebff4426b27d96a6b5ee0ee308e4f190146
Netbios Worm v1.0 is a simple program which shows how a worm can spread across netbios shares.
5537a2f48a21330e64b052695d14ffa0b6b83bfeb27f1a5920b8dbc6e6617e57
Libwhisker is a perl module for performing whisker CGI vulnerability checks. It adds a vast array of functionality and has robust functions that are geared toward network auditing. Function reference available here.
e542ac10fc69358b71c76c10dd0673cf046d45a5dd590997990739ebf75ff405