1697 matches found
Stack too ;) Re: [pkc] remote heap buffer overflow in oops
Uups..!.!.!.. another hole in oops-1.4.6. just a code fragment: / check if this is full name / if !strchrname, '.' if domainname0 / join / strcpychartmpname, name; strncatchartmpname, domainname, sizeoftmpname-strlenchartmpname -1 ; name=chartmpname; if result = lookupdnscachechartmpname, NULL, 0...
expect (/usr/bin/expect) buffer overflow
Exploit for linux platform in category local exploits ======================================== expect /usr/bin/expect buffer overflow ======================================== / hhp-expectsmash.c 12/11/00 expect /usr/bin/expect buffer overflow. Tested 5.31.8 and 5.28.1, slackware 7.x Maybe others...
Solaris 2.6/7.0 - 'locale' Format Strings noexec stack Overflow
/ exploit for locale subsystem format strings bug In Solaris with noexec stack. Tested in Solaris 2.6/7.0 If it wont work, try adjust retloc offset. e.g. ./ex -o -4 $gcc -o ex ex.c ldd /usr/bin/passwd|sed -e 's/^.lib\0-9a-zA-Z\.so./-l\1/' usages: ./ex -h Thanks for Ivan Arce who found this bug...
Solaris/SPARC 2.7 / 7 locale - Format String
Solaris/SPARC 2.7 / 7 locale - Format String / Exploit for the locale format string vulnerability in Solaris/SPARC 2.7 / 7 Based on the exploit by Warning3 For additional information see http://www.phreedom.org/solar/localesol.txt By Solar Eclipse Assistant Editor, Phreedom Magazine...
ListMail v112 - Command Execution
Exploit for cgi platform in category web applications ================================= ListMail v112 - Command Execution ================================= !/usr/bin/perl -w Listmail v112 by P.M.Systems / PoC Exploit Listmail is a powerful, hands-free mailing list manager which is exploitable due...
anaconda Foundation 1.4 1.9 - Directory Traversal
anaconda Foundation 1.4 1.9 - Directory Traversal source: https://www.securityfocus.com/bid/2338/info A vulnerability exists in Anaconda Foundation Directory which allows a remote user to traverse the filesystem of a target computer. This may lead to the disclosure of file and directory contents...
lbl-traceroute.txt
LBL traceroute exploit. By Dvorak, Synnergy Networks www.synnergy.net Vulnerable: All versions of LBL traceroute using savestr. See Chris Evans post in bugtraq http://www.securityfocus.com/archive/1/136215 Discovery: Pekka Savola [email protected] Published to bugtraq by: Chris Evans...
Hole in many PHP implementations
Because the server does not reset certain variables that can be set by the user, a user can specify the temporary file used during an upload, which makes it possible to compromise system files...
MS00-065: Still Image Service Privilege Escalation patch (272736)
The hotfix for the 'Still Image Service Privilege Escalation' problem has not been applied. This vulnerability allows a malicious user, who has the right to log on this host locally, to gain additional privileges on this host. C Tenable Network Security, Inc. include"compat.inc"; if description...
RobTex Viking Server 1.0.6 Build 355 - Remote Buffer Overflow
RobTex Viking Server 1.0.6 Build 355 - Remote Buffer Overflow // source: https://www.securityfocus.com/bid/1614/info A number of unchecked buffers exists in Robotex Viking Server. This enables a malicious user to either crash the application or execute arbitrary code, depending on the data...
[SECURITY] New version of xlockmore/xlockmore-gl released
------------------------------------------------------------------------ Debian Security Advisory [email protected] http://www.debian.org/security/ Michael Stone August 16, 2000 - ------------------------------------------------------------------------ Package: xlockmore, xlockmore-gl...
SUIDPerl 5.00503 - Mail Shell Escape (2)
SUIDPerl 5.00503 - Mail Shell Escape 2 source: https://www.securityfocus.com/bid/1547/info The interaction between some security checks performed by suidperl, the setuid version of perl, and the /bin/mail program creates a scenario that allows local malicious users to execute commands with root...
Roxen Web Server /%00/ Encoded Request Forced Directory Listing
The version of Roxen Web Server running on the remote host is affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, by using a crafted URL request with '/%00/' appended to the URI, to display a listing of a remote directory, which may contain...
pop2d.fold.txt
While working to port ipop2d exploit to java discovered another hole in the FOLD command of ipop2d... The ability to read files that are readable via the pop2d userid. Attached is a ported exploit in java for bnc... as well as the pop2d exploit transcript. -d0tslash b10z EFnet 9x EFnet...
Max Feoktistov Small HTTP server 1.212 - Buffer Overflow
Max Feoktistov Small HTTP server 1.212 - Buffer Overflow source: https://www.securityfocus.com/bid/1355/info A buffer overflow is present in certain versions of the Small HTTP Server . The overflow in question is triggered by an overlong 65000 or more characters malformed HTTP GET request to the...
Microsoft IIS 4.0/5.0 - Malformed Filename Request
Microsoft IIS 4.0/5.0 - Malformed Filename Request source: https://www.securityfocus.com/bid/1193/info Requesting a known filename with the extension replaced with .htr preceded by approximately 230 "%20" which is an escaped character that represents a space from Microsoft IIS 4.0/5.0 will cause...
FreeBSD-SA-00:17.libmytinfo
-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:17 Security Advisory FreeBSD, Inc. Topic: Buffer overflow in libmytinfo may yield increased privileges with third-party software. Category: core Module: libmytinfo...
Solaris 2.6/7.0 - lpset -r Local Buffer Overflow (2)
Solaris 2.6/7.0 - lpset -r Local Buffer Overflow 2 // source: https://www.securityfocus.com/bid/1138/info A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. Howeve...
LCDProc 0.4 - Remote Buffer Overflow
LCDProc 0.4 - Remote Buffer Overflow // source: https://www.securityfocus.com/bid/1131/info A vulnerability exists in the server portion of version 0.4 of the LCDProc package. Several remote buffer overflows exist that could allow a remote attacker to corrupt memory and execute arbitrary code. As...
Stalker CommuniGate Pro 3.2.4 - Arbitrary File Read
source: https://www.securityfocus.com/bid/1493/info A vulnerability exists in the CommuniGate Pro product, from Stalker. It is possible to exploit this vulnerability to read arbitrary files on the filesystem. As CommuniGate Pro runs as root, any file can be accessed. Using this flaw, it is possib...