Showing 51 - 73 of 73

Files

oasis2.c
Posted Jun 12, 2000
Authored by Oasis

oasis2.c sends spoofed ICMP_SOURCE_QUENCH packets, telling the victim host to slow down data transmission.

tags | exploit, spoof
SHA-256 | caf38ff30c91e72d083821bc20375b417d1bf05afe59cd3258fa379237529825
freebsd-cdrecord.c
Posted Jun 12, 2000
Authored by Sectorx | Site xorteam.cjb.net

FreeBSD cdrecord local root exploit - Tested against FreeBSD 3.3-RELEASE.

tags | exploit, local, root
systems | freebsd
SHA-256 | 69c97fd5a84be42d400615e765ad61662441f2ca88b97bbb52105cfe55f17024
coldfusion.dos.txt
Posted Jun 9, 2000
Site allaire.com

The Allaire ColdFusion Web Application Server contains a denial of service vulnerability in all ColdFusion versions up through and including 4.5.1. A very large password at the ColdFusion Administrator login page can bring the system to a halt.

tags | exploit, web, denial of service
SHA-256 | 42daef2c136accb3c2736c9630c8560472e737cbfa6d93ed211648d25c436216
cdrecord.c
Posted Jun 9, 2000
Authored by noir

/usr/bin/cdrecord local exploit for x86 linux - gives gid=80 shell. Tested on Mandrake 7.0.

tags | exploit, shell, x86, local
systems | linux, mandrake
SHA-256 | 8c45b8eeaaa72e51223e3ac9a61b3c58d5f14a3ff1e33a32566ccd253e0be59d
kdesud.c
Posted Jun 9, 2000
Authored by noir

/usr/bin/kdesud has a DISPLAY environment variable overflow - exploit gives gid=0, tested on Mandrake 7.02.

tags | exploit, overflow
systems | linux, mandrake
SHA-256 | 8b85d8dcf4d727c24bbbc0ac3bf68dc420f4d2860eb3301427c685428fe26a91
chkperm.c
Posted Jun 9, 2000
Authored by Guile Cool

Solaris /usr/vmsys/bin/chkperm overflow - A long HOME environment variable can be used to provide a UID=bin shell.

tags | exploit, overflow, shell
systems | solaris
SHA-256 | 40eca362e3afebe709d31273f915b144f1f648521921fe036f9461f0d0657adc
sw3paper.tgz
Posted Jun 9, 2000
Authored by Codex | Site phate.net

Design and Implementation Flaws in SessionWall-3 - SessionWall-3 (more recently known as e-Trust IDS) is a graphically controlled sniffer and network monitor / network censor for the Windows platform. The SessionWall-3 machine can be detected and identified remotely by a single ICMP packet. The password is stored in the registry with very simple XOR encryption. Includes sample code which decrypts the admin password, passive SW-3 detection, and active SW-3 detection & reply packet forger.

tags | exploit, registry
systems | windows
SHA-256 | 945236d2873af232b1208d9e5269794fa3947377e1a1f2f3f67b66264af1cf8a
tidcmp.c
Posted Jun 9, 2000
Authored by Sil | Site antioffline.com

tidcmp.c is an ICMP Source Quench attack. Sends spoofed ICMP type 4 packets to the victim's router. Includes references to the relevant RFCs.

tags | exploit, spoof
SHA-256 | db223fd1d7252c5896709ec8d2d3cbedb3dafe880cb6106b6b57cdcd5ec79ff6
2.2.14-sendmail.tgz
Posted Jun 8, 2000
Authored by Florian Heinz

Linux 2.2.X local exploit - A new local bug in the 2.2 kernel has been discovered. Using the "capabilities" bug, it is possible to exec sendmail without the CAP_SETUID privilege, which makes the setuid() call that drops privileges fail. Large chunks of code which were never meant to run as root then do so, and exploiting this is trivial. Working exploit for sendmail + 2.2.16pre5 and below is included.

tags | exploit, kernel, local, root
systems | linux
SHA-256 | 965ce9baf1810f15a570d4dbd22d0f6ca892ee2315f31ff40c37fd8a322944c1
DST2K0012.txt
Posted Jun 8, 2000
Authored by Delphis Security Team | Site delphisplc.com

Delphis Consulting Plc Security Team Advisory DST2K0011 - Buffer Overflow in HP OpenView Network Node Manager v6.1 for Microsoft Windows NT v4.0 Workstation (SP6). By using the Alarm service, which runs on port 2345 and is installed by default with HP OpenView Network Node Manager, it is possible to cause a buffer overrun in OVALARMSRV, causing the EIP to be overwritten and allowing the execution of arbitrary code.

tags | exploit, overflow
systems | windows
SHA-256 | 53187d5cc8489d16517a4cf34b199ff2d209001ce4aa0b95b2f6e55c2e83c5b5
DST2K0011.txt
Posted Jun 8, 2000
Authored by Delphis Security Team | Site delphisplc.com

Delphis Consulting Plc Security Team Advisory DST2K0011 - The CMail Server v2.4.7 under Windows NT is vulnerable to a buffer overrun in NTDLL.DLL. By sending a long GET request to tcp port 8002, the EIP can be overwritten and arbitrary code execution is possible.

tags | exploit, overflow, arbitrary, tcp, code execution
systems | windows
SHA-256 | 946d10f4fc740a5dbde0d93d04f4f2215477442195f130719d2903cf58a842de
DST2K0010.txt
Posted Jun 8, 2000
Authored by Delphis Security Team | Site delphisplc.com

Delphis Consulting Plc Security Team Advisory DST2K0010 - Two vulnerabilities were found in Ceilidh v2.60a for Microsoft Windows NT v4.0 Workstation (SP6). The HTML code which is generated by ceilidh.exe (example URL below) contains a hidden form field by the name of "translated_path", revealing the true path. By using a specially crafted POST statement it is possible to spawn multiple copies of ceilidh.exe, each taking 1% of CPU and 700k of memory. This can be sent multiple times to cause resource depletion on the remote host.

tags | exploit, remote, vulnerability
systems | windows
SHA-256 | a6cda6dae6a389943157179ee378334ec7371c8e332286018cbcdb607a039b2e
mdma-5.savant.txt
Posted Jun 7, 2000
Authored by Wizdumb | Site subversion.za.org

MDMA Advisory #5 - It is possible to view the source of CGI scripts running under the Savant Webserver by omitting the HTTP version from your request.

tags | exploit, web, cgi
SHA-256 | 1724fba392451be3b3274800afadb12de1c0b9bc1ae2d9480be7bf44fb177af0
ie-iframe.txt
Posted Jun 7, 2000
Authored by Georgi Guninski | Site nat.bg

Georgi Guninski security advisory #12 - Internet Explorer 5.01 under Windows 98 (other versions are also vulnerable) allows circumventing "Cross frame security policy" by accessing the DOM of documents using JavaScript, IFRAME and WebBrowser control. This exposes the whole DOM of the target document and opens lots of security risks, such as reading local files, reading files from any host, window spoofing, getting cookies, etc. Exploit code included. Demonstration available here.

tags | exploit, local, spoof, javascript
systems | windows
SHA-256 | 8aa57814b27a04133662e4ce2ca66e82e2d3cbb4f03b5ed71b69ebd2cf052c2c
firewall-1.fragment.txt
Posted Jun 7, 2000
Authored by Lance Spitzner | Site enteract.com

A DoS attack affecting all platforms of Checkpoint Firewall-1 has been identified. Large numbers of fragmented packets cause the CPU to hit 100% utilization, and the system locks up. Some systems may also crash, depending on OS type. The rulebase cannot be used to block the attack, and nothing is logged. More information on Firewall-1's state table available here.

tags | exploit
SHA-256 | 443e72af7463c692428baddc50b3b04477971f4a89888b58f9bd92548ef83428
mdma-6.eserv.txt
Posted Jun 7, 2000
Authored by Wizdumb | Site subversion.za.org

MDMA Advisory #6 - EServ v2.92 and prior are vulnerable to a logging heap overflow vulnerability. Java proof of concept exploit code included.

tags | exploit, java, overflow, proof of concept
SHA-256 | 8f8294582a025b703fc4bcc38a6d47de57ed4735dddb9a13e1f4b02168d4ba63
rootkeep.sh
Posted Jun 6, 2000
Authored by Sil | Site antioffline.com

rootkeep.sh obtains root locally on Solaris via an included kcms exploit, and modifies the startup scripts so an account is added each time the machine is rebooted.

tags | exploit, root
systems | solaris
SHA-256 | b31cab0f47180be89e3bf59a1a2676046fa41c7ed2eaf453f1356516a401c87d
dmx.c
Posted Jun 6, 2000
Authored by Funkysh

Netwin ESMTP Server v2.7q linux x86 remote exploit. Tested on RedHat 6.1, binds a shell to TCP port 30464.

tags | exploit, remote, shell, x86, tcp
systems | linux, redhat
SHA-256 | f6229c6e2a67eb3307f3fb307b27985b9446209516295d99dc899bca3fe60903
innd-2.2.2.txt
Posted Jun 6, 2000
Authored by Michal Zalewski | Site lcamtuf.na.export.pl

INND (InterNet News Daemon) 2.2.2 has a remotely exploitable stack overflow in the control articles handler. About 80% of usenet servers are vulnerable.

tags | exploit, overflow
SHA-256 | 1fdab59692baa167e5e89c82010248721ee6cdb5b14cc48401a4a2cd02d49432
gdmexpl.c
Posted Jun 5, 2000
Authored by AbraxaS | Site sekure.de

gdm (xdmcp) remote root exploit. Tested against SuSE 6.2 and RedHat 6.2 running gdm-2.0beta1-4. Binds a shell to port 3879.

tags | exploit, remote, shell, root
systems | linux, redhat, suse
SHA-256 | 5f84108be835cb86e853f427609a8dabcca65b14019c0c0ca3b864c31c36179b
xterm-dos.c
Posted Jun 2, 2000
Authored by Kit Knox | Site rootshell.com

xterm denial of service attack - By sending the VT control characters to resize a window it is possible to cause an xterm to crash and in some cases consume all available memory. This is a problem because remote users can inject these control characters into your xterm in many different ways. This sample exploit injects these control characters into a web GET request. If an admin were to cat this log file, or happened to be doing a "tail -f access_log" at the time of attack, they would find their xterm crashed. Tested against rxvt v2.6.1 and xterm (XFree86 3.3.3.1b(88b)).

tags | exploit, remote, web, denial of service
SHA-256 | e795174a235a3f5459e6a457c90c55832ca2987bccf1247db19929754e389a0e
msbd-dos.c
Posted Jun 2, 2000
Authored by Kit Knox | Site rootshell.com

Windows Media Encoder 4.0 and 4.1 are vulnerable to a remote denial of service attack. This source causes the Windows Media Encoder to crash with a "Runtime Error". Tested on version 4.1.0.3920. This is the vulnerability described in ms00-038.

tags | exploit, remote, denial of service
systems | windows
SHA-256 | 2ed47a5509b2f1b80d55fd6418bff28abd5d3f4d1ccef95b325aedc8176ceead
mdbms-exp.c
Posted Jun 2, 2000
Authored by Diab

MDBMS v0.99b5 remote root exploit - tested on RedHat 6.0. Shellcode runs an interactive shell on port 30464.

tags | exploit, remote, shell, root, shellcode
systems | linux, redhat
SHA-256 | a37ea7852b725a2b014dd84e51b418b4f973791e412512e52b44f2d86f61fd6c