3100 matches found
APC UPS 3.7.2 - 'apcupsd' Local Denial of Service
/ Local Denial of Service for any Linux box running APCUPSD v3.7.2. APCUPSD has its pid file world-writable, therefore it is possible to let it kill another pid and create a denial of service against any running daemon when apcupsd is stopped, for example. Bug discovered by: Mattias Dartsch...
ProFTPd 1.2.0 pre10 - Remote Denial of Service
ProFTPd 1.2.0 pre10 - Remote Denial of Service / ProFTPd DoS version 1.1 Remote DoS in proFTPd Code by: JeT-Li -The Wushu Master- [email protected] Recently I posted a remote DoS for ProFTPd based on the multiple use of the SIZE command in order to crash the system. Now and thanks to the...
Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0,0) + execve() Shellcode (566 bytes)
Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0,0) + execve() Shellcode (566 bytes). Shellcode exploit for Linux/x86 platform / Audio (knock knock knock) via /dev/dsp + setreuid(0,0) + execve() shellcode. Linux x86 Author: Cody Tubbs (loophole of hhp). www.hhp-programming.net / [email protected]...
Solaris 2.5.12.67.08 - patchadd Race Condition
Solaris 2.5.12.67.08 - patchadd Race Condition source: https://www.securityfocus.com/bid/2127/info patchadd is the patch management tool included with the Solaris Operating Environment, distributed by Sun Microsystems. A problem exists which could allow a user to corrupt or append system files. T...
Linux Kernel 2.2.x - Non-Readable File Ptrace Local Information Leak
source: https://www.securityfocus.com/bid/2044/info Ptrace is a unix system call that is used to analyze running processes, usually for breakpoint debugging. The linux implementation of ptrace in 2.2.x kernels and possibly earlier versions contains a vulnerability that may allow an attacker to ga...
dump 0.4b15 (RedHat 6.2) - Local Privilege Escalation
/ dump-0.4b15x.c dump-0.4b15 exploit: Redhat 6.2 dump command executes external program with suid privilege. affected: /sbin/dump /sbin/dump.static /sbin/restore /sbin/restore.static Bug found by [email protected] This example was coded by [email protected] It was written for EDUCATION...
Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (8)
#!/usr/bin/perl See http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1806 Very simple PERL script to execute commands on IIS Unicode vulnerable servers. Use port number with SSLproxy for testing SSL sites. Usage: unicodexecute2 IP:port command Only makes use of "Socket" library New i...
xsplumber - strcpy() buffer overflow
Exploit for linux platform in category local exploits ==================================== xsplumber - strcpy() buffer overflow ==================================== / linux/splumber (version 2) buffer overflow, by v9 [email protected]. this is a misc. exploit for the linux-SVGAlib space plumber game. which...
ListMail 112 - Command Execution
ListMail 112 - Command Execution #!/usr/bin/perl -w Listmail v112 by P.M.Systems / PoC Exploit Listmail is a powerful, hands-free mailing list manager which is exploitable due to an insecure open call. This exploit will attempt to bind a shell at port 60179/fido by using inetd. Code to spawn an...
buffer overflow in `phf'
PROBLEM: ... main(int argc, char *argv[]) { entry entries[64]; ... for(x=0; cl[0] != '\0'; x++) { m=x; getword(entries[x].val,cl,'&'); plustospace(entries[x].val); unescape_url(entries[x].val); getword(entries[x].name,entries[x].val,'='); } ... The `for' loop does not verify that x is less than 64. The `entries' struct being a flat data...
Microsoft IIS 4.0/5.0 - Executable File Parsing
Microsoft IIS 4.0/5.0 - Executable File Parsing source: https://www.securityfocus.com/bid/1912/info When Microsoft IIS receives a valid request for an executable file, the filename is then passed on to the underlying operating system, which executes the file. In the event that IIS receives a special...
iPlanet Web Server shtml File Handling Remote Overflow
It is possible to make the remote iPlanet web server execute arbitrary code when requesting a too long .shtml file with a name longer than 800 chars and containing computer code. An attacker may use this flaw to gain a shell on this host. (C) Tenable Network Security, Inc. include("compat.inc"); if...
XFree86 3.3.53.3.6 - Xlib Display Buffer Overflow
XFree86 3.3.53.3.6 - Xlib Display Buffer Overflow source: https://www.securityfocus.com/bid/1805/info A vulnerability exists in xlib, the C language interface to the X Window System protocol. When applications linked to the xlib library are run, user-supplied values for the DISPLAY environment...
Oatmeal Studios Mail File 1.10 - Arbitrary File Disclosure
source: https://www.securityfocus.com/bid/1807/info OatMeal Studios' Mail-File is a CGI application that allows sending certain files to user-specified email addresses via a web interface. A vulnerability exists in this script that can be used to send the contents of any readable...
obsd_fun.c
"hello hello obsd team. my obsd box panics every few seconds. what the hell is wrong?" "oh ? really ? hmm...out of space in kmemmap ?" "YES. you know about this bug ?" "yes. some kiddo is running a DoS against your box. we fixed it in 2.7. the kernel runs out of memory if you flood it with...
LBL Traceroute 1.4 a5 - Heap Corruption (2)
// source: https://www.securityfocus.com/bid/1739/info Traceroute is a well-known network diagnostic tool used for analyzing the path on a network between two hosts. On unix systems, traceroute is typically installed setuid root because of its use of raw sockets. Certain versions of LBNL tracerou...
LBL Traceroute 1.4 a5 - Heap Corruption (3)
// source: https://www.securityfocus.com/bid/1739/info Traceroute is a well-known network diagnostic tool used for analyzing the path on a network between two hosts. On unix systems, traceroute is typically installed setuid root because of its use of raw sockets. Certain versions of LBNL tracerou...
Horde library Bug part 2
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Horde Library $from Bug part 2 + How to exploit with IMP and Sendmail Description: The Fix of the first detected problem with the $from variable in the horde library was just escaping shellchars which avoids directly executing commands. It is still...
MultiHTML.txt
Title : MultiHTML vulnerability. Description : Retrieve files from the server. Vendor status : Notified and a new not much improved script is released. Short description of the tool: ============================== MultiHTML allows you to put an SSI call where you want the HTML file to be displaye...
HP-UX 11.0 - net.init RC Script
source: https://www.securityfocus.com/bid/1602/info A vulnerability exists in HP-UX, from Hewlett Packard, under certain configurations. Version 11.0 is confirmed to have this problem; other versions may also be susceptible. If the CLEARTMP option in /etc/rc.config.d is set to 1, meaning enabled,...