This vulnerability allows a remote unauthenticated user to overwrite big chunks of the heap used by the inetinfo.exe process. The exploit sends a negative value to overwrite random heap bits.
This exploit (ab)uses the bug in irc:// URI handling. It contains a buffer overflow, and when more than 998 bytes are given EIP will be overwritten. At first I was thinking of a simple solution to get this exploitable, since giving a URI with > 998 chars to someone on IRC is simply NOT done. Then I remembered the iframe-irc:// flaw found by uuuppzz. This exploit will write a malicious HTML file containing an iframe executing the irc:// address, so you can give this to anyone on IRC, for example. The shellcode included only executes cmd.exe, because I don't want this to be a scriptkiddy util. But replacing the shellcode with your own is also possible. A 400-byte shellcode (bindshell etc.) easily fits in the buffer, but it may require some tweaking. After exiting cmd.exe mIRC will crash, so the shellcode is not 100% clean, but who carez. Oh yeah, I almost forgot.. this exploit also works even if mIRC isn't started. mIRC will start automatically when an irc:// is executed, so you can also send somebody an HTML email containing the evil HTML code (only for poor clients like Outlook Express).
This exploit allows an attacker to execute any command on a remote system as root. Every OmniBack system is vulnerable, including HP-UX, Linux, and Windows. The exploit works by sending a GET request to the cgi-bin/omniback.cgi file with a command as a parameter.
The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer. When a character 0x14 is encountered in the 'body' part of the message, it is replaced by a CR+LF. The buffer allocated for this operation is twice the size of the string, which is the way to go, but the result is then copied to a buffer which was only allocated 11CAh bytes. This allows the length checks to be bypassed and the fixed-size buffer to be overflowed.
This exploit builds on the work of bkbll to create a working, brute-force remote exploit for the processing bug in ProFTPd. It works quite well on SuSE 8.0, 8.1 and RedHat 7.2/8.0. It breaks chroot (if any) and spawns a shell bound to port 4660.
This program sends 8000000 's to exploit the Apache memory leak. Works from scratch under Linux, as opposed to apache-massacre.c.
This exploit is for IBM DB2 v7.1 on Linux/x86. It is a buffer overflow exploit which uses an overflowing argv[2] to execute a shellcode. The shellcode calls setuid(0) and is backward-aligned to 0xC0000000. The alignment is done by adding trailing bytes to the shellcode. The overflow buffer is filled with the address of the shellcode.
DSR-cfengine.pl is a Perl script which exploits a buffer overflow vulnerability in cfengine2-2.0.3 from FreeBSD ports. The bug was discovered by Nick Cleaton and tested on FreeBSD 4.8-RELEASE. The exploit sends a malicious payload to the vulnerable host on the specified port, which then allows the attacker to execute arbitrary code on the target system.
This exploit is a local privilege escalation exploit for hztty 2.0. It is coded in C and uses a buffer overflow to overwrite the return address on the stack and execute a shellcode. It was tested against Red Hat 9.0 and was coded by c0wboy.
NULLs out the least significant byte of EBP to pull EIP out of the overflow buffer. A previous request forces a large allocation of NOPs + shellcode in heap memory. Find additional targets by searching the heap for NOPs after a crash. safeaddr must point to any area of memory that is read/writable and won't mess with program/shellcode flow.