The Apple Quicktime plugin for Windows is vulnerable to a remote buffer overflow vulnerability.
1adf5c5c72d01c4624b85ffdd0aae6d195be716d1822865789e2e22f95233ac4
Shadow Penguin Security Advisory #37 - WinProxy 2.0.0/2.0.1 (now known as Black Jumbo dog) contains many remotely exploitable buffer overflows. Exploit for the POP3 service included, tested on Japanese Windows98.
78e8de82cf9348d47c5825f12d48e94baa226fdb5c9e134cadcd9e5e315b39a4
Shadowpenguin Security Advisory #39 - Adobe Acrobat Series PDF File buffer overflow. Many versions of Acrobat for Windows95/98/NT/2000 overflow when reading a PDF file which has a long Registry or Ordering. The EIP can be controlled and arbitrary code can be executed on the machine which views the PDF file. Patches available here.
517e6a13e53bcce4434518e0ff0fb9a5d889fe202d03af6d287ea2a02993baaf
Tiny FTPd 0.52 beta3 (Windows FTP Server) has remotely exploitable buffer overflow vulnerabilities. Even anonymous users can execute code. Exploit tested on Windows98(+IE5.01).
784d73176bc53e3f6a8141164175f061c982b7f2a9ab4e69dbf1be32a39bf336
Remote exploit for VDO Live Player 3.02 for Windows95/98/NT. If VDO Live Player is installed on the system and the browser uses its default configuration, a .vdo file is downloaded and executed without confirmation. So, if a client visits a web page that contains code to automatically download a .vdo file (such as a META tag) carrying the attack code, the client machine will be cracked by the instructions written in the .vdo file.
f15115d6af33eda19fe9ada84b2ba454b0f0ec8435fd4fa8e073faaf327c2680
Getcode assists you in coding Windows exploits by finding the opcodes for jmp reg, call reg, and push reg; ret in some loaded DLLs.
7cbbdc5037e046422003cb81047ef31d48b67a030528f6863b9093acd02a86b4
ex_inc.c exploits a bounds checking error in /usr/jp/bin/mh/inc which was distributed with the mh-6.8.3 package. Local root compromise.
64f2aa455cd466403bc433552e384ce9c8e0ca9b98c3b17c61c9298a5606d3ea
ex_bbc.c exploits a bounds checking error in /usr/jp/bin/mh/bbc which was distributed with the mh-6.8.3 package. Local root compromise.
473ed7b2b606ac73b513d39a31d17c1a0273bb06e15e9331e35c648649c833b8
kcms_configure has an overflow bug with the "-P" option, which has been reported (107339-01). But this program has another hole. This hole has not been reported, and patches are not published at this time. kcms_configure overflows if a long string is specified in the NETPATH environment variable, and it is exploitable. I have included an exploit for Solaris7 Intel edition to obtain root privilege.
ea0a516a062e19771e9d6d970e1a6bd9a1fc9ee7ecf921fcb1848a66309b1ef1
The vulnerability in kcms_configure also exists in Solaris 2.6 and 2.7 sparc edition. Exploit included.
ddad8f87f48eb849bc4bf6f56910e4be16715ce9dec57022ab5c00f69f2c1712
The mailer programs (mailtool and dtmail) and the mail message print filter (dtmailpr) which are installed on Solaris7 have exploitable buffer overflow bugs. These programs are sgid (mail group) programs, so a local user can obtain the mail group. The mail files are generated with 660 permission, so any user can then read/write other users' mail files. I coded the exploits to get the mail gid (egid=6). These are for Intel Solaris7. The same kind of problems exist on Sparc Solaris7 and Solaris2.6 (Intel, Sparc).
e92d0a93449cedf9a5f2e97de3948d9c6e4f86ade92541e2bae6d0f02e99dcf4
The cgitest.exe CGI distributed with W4-Server 2.6a/32-bits has a buffer overflow. Any instructions can be executed on the victim host by using this buffer overflow exploit.
152b3ef6e55079125a83e4cd6e9842f7de802388a4ca59dc948071470fdfe4af
Microsoft Internet Explorer 4/5 overflows when handling a "file://" specification (file://test/AAAAAAAAAAAA....). This is a typical exploitable buffer overflow. Exploit for Japanese Win98 included.
0bbb99826ab282a9e58564f00c20bed11d1fe94dcf5363010665bfb51873d053
The popular image viewer "Irfan View32" contains a buffer overflow problem in its handling of Adobe Photoshop image files. Irfan View checks the image type by the image header; if the "8BPS" pattern is found in the header, Irfan View judges the file to be a Photoshop image. The overflow happens while reading this marker. Exploit included.
32bee5886fcf4b58ffe13ffdb75e2d80473d3015c25b82a34a4588b95cb22541
Buffer overflow in E-MailClub Ver1.0.0.5. It overflows when it receives a long From: header in POP3 handling. If the host receives a mail which contains the exploit code, the host is cracked by whatever instructions are coded in the exploit code. This example generates an e-mail containing exploit code that reboots the target host. This exploit is coded for Windows98 Japanese edition, but if you change some parameters written in the sample exploit program, it may also work on Windows95 and WindowsNT.
eb5bb461b617975286628c613e3683c4e15675996639c870d9fababc85a7a212
At the initial authorization handling of WebBBS, if a long login name or password is received, this CGI overflows. This overflow overwrites the RET address, so EIP can be controlled. This overflow is used to execute any instructions which are included in the user name and password.
6fabd952734503ddb8a5be6907794eb1cc3ef1ea5818b6ffc671fea9adf2308e
We found the overflow bug of Skyfull Mail Server 1.1.4. It overflows when it receives a long MAIL FROM: in SMTP handling. If the host receives a packet which contains the exploit code, the host is cracked by whatever instructions are coded in the exploit code. This example sends exploit code that executes any command on the host which is running Skyfull Mail Server 1.1.4. This exploit is coded for Windows98, but if you change some parameters written in the sample exploit program, it may also work on Windows95 and WindowsNT.
7b7022754837ef1e8ca7d71ecc76392c26517feaabdc614ac4155671941716fa
We found the overflow bug of ZOM-MAIL 1.09. It overflows when it receives a long attachment file name. If ZOM-MAIL 1.09 receives an e-mail which contains the exploit code, the host is cracked by whatever instructions are coded in the exploit code. This program can send an e-mail to any e-mail address, containing exploit code that removes the "c:\windows\test.txt" file on the host. This exploit is coded for Windows98, but if you change some parameters written in the sample exploit program, it may also work on Windows95 and WindowsNT.
07c753c59049fe7d66801fff3603cda1c34eb8c92c4971daaff04990e6c69ffa
The MIDI plugin program "YAMAHA MidiPlug 1.10b" for Windows IE4/5 contains a buffer overflow bug. If a long "TEXT" variable is specified in the EMBED tag, the buffer overflow occurs. If an attacker sets the exploit on a web page, the visitor's host will be cracked by whatever instructions are written in the "TEXT" variable. Here is a demo site which is generated by this exploit as a demonstration: if this plugin is installed and the ActiveX setting is default, "c:\windows\welcome.exe" will be executed (it's for Japanese Windows98 only).
a6cf3ee027eb2c8f278d2963fcdd2e0a73c63b1b3c2ff8487db82c7b3155e54c
URL Live! 1.0 WebServer for Windows95/98/NT, which is released by Pacific Software Publishing, Inc. (http://www.urllive.com/), also has a "../" security problem: any user can download any file on the victim host.
c64939edba329091851ebb821f527ea204471836402e1d30c11570c20750b105
The imagemap CGI which is distributed with OmniHTTPd 1.01 and Pro2.04 has a buffer overflow bug. I coded an exploit which can execute any command on the victim host. The Shadow Penguin Security.
934905f1f9f1cb9de1cc562db508da34d8ccefe4d46bd6355fecc4455384cec2
I found a security vulnerability in the canuum Japanese Kana-Kanji FEP. This program is installed on the Turbolinux series by default. /usr/jp/canna/bin/canuum is a suid program. It overflows if a long argument is specified with many kinds of options such as -k, -c, -n. I coded an exploit for Linux; a local user can obtain root privilege.
541df7e6ab602ad5a839835c476c08199b3ad305b9c2ab1b0611a680b6196c18
I found a security vulnerability in the uum Japanese Kana-Kanji FEP. This program is installed on many Japanese UNIX systems by default. /usr/bin/uum is a suid program; it overflows if a long argument is specified with the -D option. I coded an exploit for Linux; a local user can obtain root privilege. I also confirmed this overflow on the following OSs: Solaris 2.6, 2.7, IRIX 5.3, 6.2, 6.3, 6.4, 6.5.
75d10efd76a82f9cc72dc1429601602647de0c1bcc53dae1aed671cf4c40f5ed