Packet Storm new exploits for July, 2001.
The Windows 2000 telnetd service is vulnerable to a remote denial of service attack. The service crashes when scanned for the recent AYT telnetd vulnerability discovered by Scut. Includes SPtelnetAYT.c, a scanner for the AYT vulnerability in telnet daemons built upon the BSD source.
/usr/bin/pileup local root exploit. Tested against Debian 2.2.
Squid can be used to port scan if it is set up as an httpd accelerator (reverse proxy). Tested on Redhat 7.0.
IBM DB2 (which works under W98/NT/2000) proof of concept denial of service. Sending 1 byte to port 6789 or 6790 crashes IBM DB2, as described in ibm.db2.dos.txt.
Pic / LPRng format string remote exploit. Pic is part of the groff package. It is used by troff-to-ps.fpi as uid lp when perl, troff and LPRng are installed. Tested against Redhat 7.0 (groff-1.16-7).
The Mambo Site Server v3.0.0 - 3.0.5 contains a vulnerability which allows users to gain administrative privileges by changing global variables via URL parsing.
Windows 2000 remote IIS .ida exploit - Spawns a shell on port 8008. Tested on Win2k with no service pack and with SP2. Includes instructions on finding the offset.
Attqt.pl is a tool for sending banned attachments through SMTP gateways by adding an invalid character to the filename. This is known to work on MailMarshall and TrendMicro Scanmail; others are probably vulnerable.
Briis-1.pl is a unicode / decode IIS attack tool which includes SSL support under Linux. Features many checks for CMD.EXE, caches the found directory, SSL support with SSLeay (Unix), easy to use text file upload, easy to use / encoding option, relative path name program execution, and virtual host support. More info available here.
Ktvision v0.1.1-271 and below symlink local root exploit. Tested against SuSE 7.1.
Tarantella 3.01 ttawebtop.cgi "show files" exploit. '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retrieve files from the remote server which should not normally be accessible. Exploit URL included.
/usr/local/bin/filter local exploit. Gives GID=mail. More information available <a href="http://www.tao.ca/fire/bos/0354.html">here</a>. Tested against Slackware 3.1. Exploits the nlspath buffer overflow.
FreeBSD 3.1 - 4.3 local root exploit - Uses the signal condition vulnerability discovered by G. Guninski.
qDefense Advisory Number QDAV-2001-7-3 - Interactive Story does not properly validate the contents of a hidden field entitled "next". By setting that field to the name of a file, and using double dots and poison nulls, an attacker can cause Interactive Story to display the contents of any file. Exploit URL included.
Sneaky2.sh is a swiss army knife for Hotmail/Messenger. Implements spoofing / brute force / misconception / unexpected input classes of attacks. Will spoof the Hotmail/Messenger server to recover a user's hotmail password, crash the Messenger client, and remotely inject and execute a malicious exe on the victim host.
Slackware 8.0 local root exploit - Creates a suid shell when "modprobe lp" is run from the startup scripts.
Checkpoint Firewall-1's SecureRemote allows any IP to connect and download sensitive network information. This perl script gives a potential attacker a wealth of information including IP addresses, network masks (and even friendly descriptions).
Cfingerd v1.4.3 remote root exploit for Linux. Binds to port 113 and sends bogus ident information.
Qflood.c fills up a Quake server with spoofed "unconnected" clients, denying other players the ability to connect to the server since the player limit fills up quickly. Additionally, if the server does not support multiple clients from the same IP address, it will disconnect legitimate players if the spoofed connection request matches that player.
Slackware 8.0 and below ships with /var/man/cat* chmodded 1777, making it vulnerable to symlink attacks. This exploit creates a suid shell with the UID of the user running man.
Local root exploit for /usr/bin/ml85p, a suid binary which is vulnerable to a local symlink attack. It is included in Mandrake 8.0 by default.
Xxman.sh is a local root exploit for an insecure system call in xman.
Current versions of xdm are susceptible to a trivial brute force attack if compiled with bad options, mainly without HasXdmXauth. Without this option, the cookie is generated from gettimeofday(2). If you know the starting time of the xdm login session, computing the cookie takes just a few seconds.
Nerf Group Security Advisory #4 - Microsoft IIS 4 and 5 can be crashed remotely by reading device files (com1, com2, etc). Exploit URL included.