Lucene search

7253 matches found

securityvulns
added 2000/07/19 12:0 a.m. | 35 views

Lots and lots of fun with rpc.statd

Last week was a little quiet, so I thought I'd throw some kindling on the fire. Here's another prime example of a format string bug: our old friend rpc.statd. Attached is an exploit. The offsets are for Linux/PowerPC, Debian 2.2. It isn't functional, though - and it's more than just kiddy-proofed...

0.1 AI score
Exploits: 0
securityvulns
added 2000/06/28 12:0 a.m. | 18 views

Hole in dalnet irc server

Buffer overflow, but not enough room to insert shellcode...

0.6 AI score
Exploits: 0 | References: 1 | Affected Software: 1
exploitpack
added 2000/05/27 12:0 a.m. | 28 views

Elm Development Group ELM 2.42.5.1 Mail for UNIX - ELM Buffer Overflow (2)

Elm Development Group ELM 2.42.5.1 Mail for UNIX - ELM Buffer Overflow 2 // source: https://www.securityfocus.com/bid/1276/info Buffer overflow vulnerabilities exist in elm Electronic Mail for Unix. / Elm 2.5 PL3 exploit Tested Under Linux Slackware 3.6, 4.0, 7.0 By xfer [email protected] ...

0.8 AI score
Exploits: 0
Packet Storm
added 2000/05/04 12:0 a.m. | 28 views

connect.asm

; Passive Connection Shellcode ; ; Coded by Scrippie - [email protected] - http://b0f.freebsd.lublin.pl ; ; Why? This evades firewalls... ; This is the well documented testing part of the shellcode ; The code isn't relocatable, isn't optimized and contains NULL chars ; ; YES, this is for NASM, I...

7.4 AI score
Exploits: 0
securityvulns
added 2000/04/25 12:0 a.m. | 25 views

Solaris 7 x86 lpset exploit.

Solaris 7 x86 /usr/bin/lpset overflow, there is a small overflow (32 bytes) in lpset which will yield root access if properly exploited. There is a sparc version avail for this bug, the bug was discovered by duke some time ago. I am releasing this exploit because of a copy-cat exploit on hack.co.za...

0.7 AI score
Exploits: 0
securityvulns
added 2000/04/25 12:0 a.m. | 28 views

Solaris 7 x86 lp exploit.

Setuid proggie /usr/bin/lp has an easily exploitable buffer overflow. This exploit is for Solaris 7 x86 version, no sparc exploit is available to my knowledge. later, DiGiT / solaris 2.7 /usr/bin/lp local exploit, i386. discovered by DiGiT. try offset 150-250 if sploit fails greets: !ADM,...

0.4 AI score
Exploits: 0
exploitpack
added 2000/04/24 12:0 a.m. | 12 views

Solaris 2.67.0 - lpset -r Local Buffer Overflow (2)

Solaris 2.67.0 - lpset -r Local Buffer Overflow 2 // source: https://www.securityfocus.com/bid/1138/info A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. Howeve...

0.3 AI score
Exploits: 0
securityvulns
added 2000/04/17 12:0 a.m. | 37 views

XFree86 server overflow - exploit issues

While trying to exploit this overflow, I noticed that the problem lies in lovely strcpy call, which overwrites stack. Unfortunately, any 'offending' non-alphanumeric characters are replaced with '' somewhere before. Uh, most of people will say "it's impossible to write alphanumeric shellcode, so ...

7.2 AI score
Exploits: 0
Exploit DB
added 1999/12/01 12:0 a.m. | 34 views

FreeBSD 3.3 - 'angband' Local Buffer Overflow

// source: https://www.securityfocus.com/bid/840/info The version angband shipped with FreeBSD 3.3-RELEASE is vulnerable to a local buffer overflow attack. Since it is setgid games, a compromise of files and directories owned by group games is possible. / FreeBSD 3.3 angband exploit yields egid o...

7.4 AI score
Exploits: 0
exploitpack
added 1999/11/30 12:0 a.m. | 4 views

Qualcomm qpopper 3.03.0 b20 - Remote Buffer Overflow (1)

Qualcomm qpopper 3.03.0 b20 - Remote Buffer Overflow 1 // source: https://www.securityfocus.com/bid/830/info There is a buffer overflow vulnerability present in current 3.x versions of Qualcomm popper daemon. These vulnerabilities are remotely exploitable and since the daemon runs as root, the ho...

0.2 AI score
Exploits: 0
Packet Storm
added 1999/11/04 12:0 a.m. | 25 views

realown.asm

; The binary is available at http://www.beavuh.org. ; ; This exploits a buffer overflow in RealServers web authentication on ; the administrator port - hence the reason the shellcode is base64 encoded. ; This has been tested on the NT version with a default installation. ; If RealServer is...

7.4 AI score
Exploits: 0
Packet Storm
added 1999/09/22 12:0 a.m. | 26 views

crond_exploit.txt

Subject: Crond Scooby Snacks for Everyone. To: [email protected] Paul Vixie loves us all so much it's overflowing. For your own private use, standard disclaimer and transfer of responsibility to that of the end user applies. Oh yeah, and I made it semi-self cleaning just because I love yo...

7.4 AI score
Exploits: 0
Packet Storm
added 1999/09/22 12:0 a.m. | 19 views

libtermcap_xterm_exploit.txt

Subject: libtermcap xterm exploit To: [email protected] / libtermcap xterm exploit by m0f0 1999 it works for xterm/nxterm Tested Slackware 3.5, 3.6 / include define BUFSIZE 5000 define POSRET 2000 define POSSEP 3000 define RETADDR 0xbfffefef define EGG "/tmp/eggtermcap" // shellcode char...

7.4 AI score
Exploits: 0
exploitpack
added 1999/09/12 12:0 a.m. | 16 views

Solaris 7.0 /usr/bin/mail - -m Local Buffer Overflow

Solaris 7.0 /usr/bin/mail - -m Local Buffer Overflow // source: https://www.securityfocus.com/bid/672/info A buffer overflow vulnerability in the '/usr/bin/mail' program's handling of the '-m' command line argument allows local users to obtain access to the 'mail' group. / Generic Solaris x86 exploi...

0.1 AI score
Exploits: 0
Packet Storm
added 1999/08/17 12:0 a.m. | 46 views

digital-unix4.0-asm-shell.txt

Date: Tue, 26 Jan 1999 15:18:08 -0500 From: Seth Michael McGann To: [email protected] Subject: Re: Digital Unix 4.0 exploitable buffer overflows On Mon, 25 Jan 1999, Lamont Granquist wrote: Previously Digital Unix has been relatively immune to buffer overflow attacks due to the lack of an...

7.4 AI score
Exploits: 0
exploitpack
added 1998/05/05 12:0 a.m. | 15 views

Fred N. van Kempen dip 3.3.7 - Local Buffer Overflow (1)

Fred N. van Kempen dip 3.3.7 - Local Buffer Overflow 1 // source: https://www.securityfocus.com/bid/86/info A buffer overflow resides in 'dip-3.3.7o' and derived programs. This is a problem only on systems where 'dip' is installed setuid. The culpable code is an 'sprintf' in line 192 in 'main.c':...

0.6 AI score
Exploits: 0
Exploit DB
added 1998/05/05 12:0 a.m. | 33 views

Fred N. van Kempen dip 3.3.7 - Local Buffer Overflow (2)

// source: https://www.securityfocus.com/bid/86/info A buffer overflow resides in 'dip-3.3.7o' and derived programs. This is a problem only on systems where 'dip' is installed setuid. The culpable code is an 'sprintf' in line 192 in 'main.c': sprintf(buf, "%s/LCK..%s", _PATH_LOCKD, nam); / Linux x86...

7.4 AI score
Exploits: 0
0day.today
added 1997/07/12 12:0 a.m. | 15 views

Solaris 2.4 passwd, yppasswd, and nispasswd Overflow Exploits

Exploit for solaris platform in category local exploits ============================================================= Solaris 2.4 passwd, yppasswd, and nispasswd Overflow Exploits ============================================================= ---------------------------- file newpass.c...

6.8 AI score
Exploits: 0
Exploit DB
added 1997/05/28 12:0 a.m. | 41 views

Solaris 5.5.1 X11R6.3 - xterm '-xrm' Local Privilege Escalation

/ X11R6.3 xterm exploit for solaris 5.5.1 by DCRH 28/5/97 / include include include include define EXTRA2 1300 define BUFLENGTH 400 define EXTRA 500 / Need an addr such that contents of addr+0xe98 = 0 / define SAFEADDR unsigned0xefff2008 define STACKOFFSET 0x4800 define SPARCNOP 0xa61cc013 ulong...

7.4 AI score
Exploits: 0
exploitpack
added 1997/05/28 12:0 a.m. | 12 views

Solaris 5.5.1 X11R6.3 - xterm -xrm Local Privilege Escalation

Solaris 5.5.1 X11R6.3 - xterm -xrm Local Privilege Escalation / X11R6.3 xterm exploit for solaris 5.5.1 by DCRH 28/5/97 / include include include include define EXTRA2 1300 define BUFLENGTH 400 define EXTRA 500 / Need an addr such that contents of addr+0xe98 = 0 / define SAFEADDR unsigned0xefff20...

0.9 AI score
Exploits: 0