The WWW Authorization Gateway CGI program written by Ray Chan fails to strip characters with special meaning to the shell before passing user-supplied input to a command. As a result, a remote attacker can embed such characters in a request to execute arbitrary commands on the system, running as whatever user the web server invokes cgi-bin programs as.
This scanner checks targets for each vulnerable script path that has been posted to the BugTraq list. It uses fork() so that several sites can be checked and logged at once, connects to each target with Socket, and sends a GET request for the script name and directory used by the exploit. If the server answers with a 200 status, the site is logged to log_unicode.log.
There is a buffer overflow vulnerability in ProFTPD versions 1.2.0pre1 and earlier and in wu-ftpd 2.4.2 (beta 18) VR9 and earlier, triggered by unusually long path names (deeply nested directory structures). A user with write privileges can create an unusually long pathname which, due to insufficient bounds checking in ProFTPD, overwrites the stack. This allows the attacker to place their own instructions on the stack to be executed, thereby elevating their access. The problem lies in a faulty implementation of the "realpath" function.
Digital UNIX 4.0 follows symlinks while writing core files if two setuid programs dump core in succession. The resulting core file is owned by root but carries the user's group id, with permissions 0600. This can be used to create root-owned files anywhere in the filesystem.
This vulnerability affects Sun Source tape installations, which have two setuid root files in the directory /usr/release/bin: makeinstall and winstall. These binaries exec other programs without a full path and without resetting the PATH environment variable, which makes it possible for local users to become root. An attacker can exploit this by copying a shell to a writable directory, creating a makefile that sets the permissions of that shell to 4777, prepending the writable directory to the PATH environment variable, and then executing makeinstall or winstall.
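The lookup behaviour that makes the makeinstall/winstall bug exploitable, as an added example (not code from the advisory or from Sun). It assumes the helper the setuid binary runs by bare name is "make" (the advisory only says a makefile is planted), builds a throwaway writable directory with a fake "make" inside it, and compares a lookup that trusts the caller's PATH against one that forces a fixed trusted path, which is the fix. No setuid bit is needed to see the difference; the resolution step is the whole bug.

```python
"""Added example: PATH hijack of a privileged program that execs helpers by
bare name, and the hardened lookup. Everything here is constructed; nothing
is executed with elevated privileges."""
import os
import shutil
import stat
import tempfile
from typing import Optional, Tuple

# Assumed helper name: the advisory's exploit drops a makefile, so the setuid
# binary is taken to exec "make" without a full path.
HELPER = "make"

# Trusted search path a privileged program must force before exec'ing anything.
SAFE_PATH = "/usr/bin:/bin"


def plant_fake_helper(writable_dir: str, name: str = HELPER) -> str:
    """The attacker's step: drop an executable named `name` in a writable dir."""
    path = os.path.join(writable_dir, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho hijacked\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IRUSR | stat.S_IXUSR)
    return path


def resolve_helper(name: str, search_path: str) -> Optional[str]:
    """Resolve `name` the way execvp(3) does: first executable match in order."""
    return shutil.which(name, path=search_path)


def vulnerable_lookup(name: str, env: dict) -> Optional[str]:
    """Mimics makeinstall/winstall: trusts the inherited PATH unchanged."""
    return resolve_helper(name, env.get("PATH", ""))


def hardened_lookup(name: str, env: dict) -> Optional[str]:
    """Fix: ignore the inherited PATH entirely and search only SAFE_PATH.
    A real program would then exec with an explicit environment, e.g.
    os.execve(path, [name], {"PATH": SAFE_PATH})."""
    return resolve_helper(name, SAFE_PATH)


def demo() -> Tuple[str, Optional[str], Optional[str]]:
    """Returns (fake helper path, vulnerable resolution, hardened resolution)."""
    tmp = tempfile.mkdtemp(prefix="hijack-")
    try:
        fake = plant_fake_helper(tmp)
        # The attacker prepends the writable directory, exactly as the advisory describes.
        attacker_env = {"PATH": tmp + os.pathsep + SAFE_PATH}
        return fake, vulnerable_lookup(HELPER, attacker_env), hardened_lookup(HELPER, attacker_env)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    fake, vuln, hard = demo()
    print("attacker's file :", fake)
    print("trusting PATH   :", vuln)   # the planted file wins
    print("forced SAFE_PATH:", hard)   # the real make, or None if not installed
```

The hardened branch may return None on a box without make in /usr/bin or /bin; that is the correct failure, since a privileged program should refuse to run rather than fall back to whatever the caller put in PATH.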
This exploit lets an attacker traverse directories on a vulnerable Microsoft IIS 4.0/5.0 server. It sends a specially crafted HTTP request to the server, which then allows the attacker to traverse directories outside the web root and execute commands.
This exploit targets a buffer overflow vulnerability in PoPToP on Linux. It allows an attacker to execute arbitrary code on the target system by sending a maliciously crafted packet. The exploit is based on code by einstein_dhtm@front.ru and was tested under Slackware. It tolerates null bytes in the shellcode and in the IP address and port.
This exploit allows an attacker to execute arbitrary commands on a vulnerable IIS 4 or 5 server. The exploit works by sending a specially crafted HTTP request to the server, which then executes the command specified in the request.
This exploit allows an attacker to inject shell commands into the mailing list & news version 1.7 application. The injection fires when the application sends emails to subscribers. The malicious input is delivered via a POST request to the /cgi-bin/maillist.cgi script, and the injected command attempts to bind a shell at port 60179/fido using inetd.
Listmail is a powerful, hands-free mailing list manager which is exploitable due to an insecure open() call. This exploit attempts to bind a shell at port 60179/fido using inetd. Code to spawn an xterm is, as always, included.
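The bug class shared by the WWW Authorization Gateway, maillist.cgi and Listmail entries above is a user-controlled value (here a subscriber address) interpolated into a shell command string, whether via system(), backticks or Perl's 2-argument open() with a leading "|", all of which hand the string to /bin/sh. The following is an added example, not code from any of those programs: it shows the vulnerable construction as a string, the metacharacter check the advisories say is missing, a stricter allowlist, and the shell-free invocation that removes the problem. The mailer command, the address format and the injected input are all assumed; the default mailer is a Python one-liner so it runs offline.

```python
"""Added example: shell metacharacter injection in a CGI that shells out, and
the checked, shell-free replacement. All inputs are constructed."""
import re
import subprocess
import sys
from typing import List, Optional

# Characters /bin/sh interprets; none of these may reach a shell unescaped.
SHELL_META = re.compile(r'[;&|<>()$`\\"\'*?~^{}\[\]\n\r\s]')

# Assumed allowlist for a subscriber address, deliberately stricter than
# RFC 5322 (no quoting, comments or whitespace).
ADDRESS_OK = re.compile(r'^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')

# Constructed attacker input of the kind the advisories describe: the ';'
# ends the mail command and the remainder runs as a second command.
INJECTED = "victim@example.com; /bin/sh -c id"


def vulnerable_command(address: str) -> str:
    """What the vulnerable CGIs effectively do (Perl: open(M, "|mail $addr")):
    one string, later executed by sh -c, with the address pasted in verbatim."""
    return "mail -s subscribed " + address


def has_shell_meta(value: str) -> bool:
    """The check the affected programs lacked."""
    return SHELL_META.search(value) is not None


def check_address(address: str) -> str:
    """Allowlist validation; rejects anything a shell could misread."""
    if not ADDRESS_OK.fullmatch(address) or has_shell_meta(address):
        raise ValueError("unsafe address: %r" % address)
    return address


def rejects(address: str) -> bool:
    """True if check_address refuses `address`."""
    try:
        check_address(address)
    except ValueError:
        return True
    return False


# Hypothetical mailer: a Python one-liner that echoes its argv, standing in
# for /usr/bin/mail so the example runs anywhere without sending mail.
DEFAULT_MAILER = [sys.executable, "-c",
                  "import sys; print(' '.join(sys.argv[1:]))",
                  "mail", "-s", "subscribed"]


def safe_notify(address: str, mailer: Optional[List[str]] = None) -> str:
    """Hardened form: validated value appended to an argv list, no shell
    involved (shell=False), so metacharacters can never become syntax."""
    argv = list(mailer or DEFAULT_MAILER) + [check_address(address)]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("vulnerable string:", vulnerable_command(INJECTED))
    print("metachars present:", has_shell_meta(INJECTED))
    print("rejected         :", rejects(INJECTED))
    print("safe invocation  :", safe_notify("user@example.com"))
```

Note that the allowlist is the real control; the metacharacter denylist is kept only because it documents exactly what the original programs failed to strip, and a denylist on its own is easy to get wrong (the original list of "special" characters is why these CGIs shipped broken).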