7261 matches found
traceroute Local Root Exploit
Exploit for linux platform in category local exploits ============================= traceroute Local Root Exploit ============================= / MasterSecuritY openwall.c - Local root exploit in LBNL traceroute Copyright C 2000 Michel "MaXX" Kaempf Updated versions of this exploit and the...
LBL Traceroute - Local Privilege Escalation
/ MasterSecuritY openwall.c - Local root exploit in LBNL traceroute Copyright C 2000 Michel "MaXX" Kaempf Updated versions of this exploit and the corresponding advisory will be made available at: ftp://maxx.via.ecp.fr/traceroot/ This program is free software; you can redistribute it and/or modif...
Ntop -w remote exploit
Problem: ntop has a stack-based BOF when it's requested too long filename. 2. Tested Version ntop-1.2a1 I only tested this version. 3. Example 1. first run ntop -w 8080 2. run this script $ printf "GET /perl -e 'print "A"x240'rnrn" |nc localhost 8080 3. the ntop goes seg. fault. $ ntop -w 8080...
pine421.txt
/ PINE Exploit 4.21 bTm Proof of Concept: Pine 4.21 There exists a vulnerability in Pine 4.21 involving the portion of code in charge of periodically checking email when a pine client is open. Run pine in one window, then send an email to the account owning that session. Switch back over and hit...
linux/x86 execve /bin/sh toupper evasion 55 bytes
linux/x86 execve /bin/sh toupper evasion 55 bytes. Shellcode exploit for linux/x86 platform / Linux/x86 toupper evasion, standard execve /bin/sh used eg. in various imapd exploits. Goes through a loop adding 0x20 to the /bin/sh -= 0x20 string ie. yields /bin/sh after addition. / include char c0de = ...
linux/x86 execve /bin/sh toupper() evasion 55 bytes
Exploit for linux/x86 platform in category shellcode =================================================== linux/x86 execve /bin/sh toupper evasion 55 bytes =================================================== / Linux/x86 toupper evasion, standard execve /bin/sh used eg. in various imapd exploits...
linux/x86 add user 70 bytes
linux/x86 add user 70 bytes. Shellcode exploit for linux/x86 platform / Linux/x86 Appends the line "z::0:0:::\n" to /etc/passwd. quite old, could be optimized further / include char c0de = / main: / "\xeb\x29" / jmp callz / / start: / "\x5e" / popl %esi / "\x29\xc0" / subl %eax, %eax / "\x88\x46\x0b...
linux/x86 add user 70 bytes
Exploit for linux/x86 platform in category shellcode =========================== linux/x86 add user 70 bytes =========================== / Linux/x86 Appends the line "z::0:0:::\n" to /etc/passwd. quite old, could be optimized further / include char c0de = / main: / "\xeb\x29" / jmp callz / / star...
Lots and lots of fun with rpc.statd
Last week was a little quiet, so I thought I'd throw some kindling on the fire. Here's another prime example of a format string bug: our old friend rpc.statd. Attached is an exploit. The offsets are for Linux/PowerPC, Debian 2.2. It isn't functional, though - and it's more than just kiddy-proofed...
Hole in dalnet irc server
Buffer overflow, but not enough room to insert shellcode...
Elm Development Group ELM 2.42.5.1 Mail for UNIX - ELM Buffer Overflow (2)
Elm Development Group ELM 2.42.5.1 Mail for UNIX - ELM Buffer Overflow 2 // source: https://www.securityfocus.com/bid/1276/info Buffer overflow vulnerabilities exist in elm Electronic Mail for Unix. / Elm 2.5 PL3 exploit Tested Under Linux Slackware 3.6, 4.0, 7.0 By xfer [email protected] ...
connect.asm
; Passive Connection Shellcode ; ; Coded by Scrippie - [email protected] - http://b0f.freebsd.lublin.pl ; ; Why? This evades firewalls... ; This is the well documented testing part of the shellcode ; The code isn't relocatable, isn't optimized and contains NULL chars ; ; YES, this is for NASM, I...
Solaris 7 x86 lpset exploit.
Solaris 7 x86 /usr/bin/lpset overflow, there is a small overflow32 bytes in lpset which will yield root access if properly exploited. There is a sparc version avail for this bug, the bug was discovered by duke some time ago. I am releasing this exploit because of a copy-cat exploit on hack.co.za...
Solaris 7 x86 lp exploit.
Setuid proggie /usr/bin/lp has an easily exploitable buffer overflow. This exploit is for Solaris 7 x86 version, no sparc exploit is available to my knowledge. later, DiGiT / solaris 2.7 /usr/bin/lp local exploit, i386. discovered by DiGiT. try offset 150-250 if sploit fails greets: !ADM,...
Solaris 2.67.0 - lpset -r Local Buffer Overflow (2)
Solaris 2.67.0 - lpset -r Local Buffer Overflow 2 // source: https://www.securityfocus.com/bid/1138/info A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. Howeve...
XFree86 server overflow - exploit issues
While trying to exploit this overflow, I noticed that the problem lies in lovely strcpy call, which overwrites stack. Unfortunately, any 'offending' non-alphanumeric characters are replaced with '' somewhere before. Uh, most of people will say "it's impossible to write alphanumeric shellcode, so ...
FreeBSD 3.3 - 'angband' Local Buffer Overflow
// source: https://www.securityfocus.com/bid/840/info The version angband shipped with FreeBSD 3.3-RELEASE is vulnerable to a local buffer overflow attack. Since it is setgid games, a compromise of files and directories owned by group games is possible. / FreeBSD 3.3 angband exploit yields egid o...
Qualcomm qpopper 3.03.0 b20 - Remote Buffer Overflow (1)
Qualcomm qpopper 3.03.0 b20 - Remote Buffer Overflow 1 // source: https://www.securityfocus.com/bid/830/info There is a buffer overflow vulnerability present in current 3.x versions of Qualcomm popper daemon. These vulnerabilities are remotely exploitable and since the daemon runs as root, the ho...
realown.asm
; The binary is available at http://www.beavuh.org. ; ; This exploits a buffer overflow in RealServers web authentication on ; the administrator port - hence the reason the shellcode is base64 encoded. ; This has been tested on the NT version with a default installation. ; If RealServer is...
crond_exploit.txt
Subject: Crond Scooby Snacks for Everyone. To: [email protected] Paul Vixie loves us all so much it's overflowing. For your own private use, standard disclaimer and transfer of responsibility to that of the end user applies. Oh yeah, and I made it semi-self cleaning just because I love yo...