home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Hacking & Misc
/
bundle of exploits.sit
/
bundle of exploits
/
Exploits Index
< prev
next >
Wrap
Text File
|
1998-07-17
|
30KB
|
567 lines
Exploits Archive
This is my Unsorted Exploits Archive. You can find exploits that range from Denial of Service Attacks to buffer overflows.
Targa
Multi-platform DoS attack which integrates bonk, jolt, land, nestea, newtear, syndrop, teardrop, and winnuke.
IP Scan
A simple to use Unix IP scanner coded by myself.
AOL DoS
Denial of Service Attacks for AOL Instant Messager and AOL Mail.
ICQ Hijacking
Take over someone's ICQ UIN.
Garbage Generator
Generate a file full of garbage to be used later.
mIRC Worm
A mIRC Worm that traveled on around IRC for a long time.
Overdrop
Linux 2.0.33 printk abuse(based on teardrop).
Nestea2
Exploits the "off by one ip header" bug in the linux ip frag code(second version of nestea).
Nestea
Exploits the "off by one ip header" bug in the linux ip frag code(rip of Teardrop).
Ascend Kill II
Sends a specially constructed UDP packet on the discard port (9) which cause Ascend routers to reboot.
IE 4.01 bugs
Crashes Internet Explorer 4.01 on Win95/NT.
Fraggle
A version smurf.c with a udp twist.
smurf.c
Spoofs IMCP packets resulting in multiple replies to a host from a single packet.
Syndrop
A version of teardrop with a mix of SYN.
NewTear
A new teardrop(known as NewTear or Teardrop II) type exploit. Affects NT4, and Win95.
Boink.c
Modified version of Bonk that Crashes *patched* win95/NT machines.
Bonk.c
Modified version of Teardrop that effects "patched" Win95/NT.
Hanson.c
Exploit mIRC Version 5.3's new socket feature and crash the client and make the windows95/NT environment run very very
slow (Pentium will now be sluggish as a 286).
Teardrop.c
Exploits the the overlapping IP fragment bug.
PFOBug.c
Exploits the Pentium FO or FOOF Bug.
FOOFBUG.C
Exploits the Pentium FO or FOOF Bug.
web_sniff.c
A Linux sniffer that is designed to retrieve web usernames and passwords.
xf86_ports.txt
A normal user can run X on a reserved port thus blocking legitmate daemons.
identd_attack.txt
A massive amount of authorization requests can render a system unusable.
secure_shell.txt
Using SSH, a non-root user can open privleged ports and redirect them.
zgv_exploit.c
This will overwrite a buffer in /usr/bin/zgv on Redhat Linux systems, giving root.
sgi_html.txt
It is possible to execute remote commands on IRIX 6.3 and 6.4 via /usr/sysadm.
bind_nuke.txt
Bind8.1.(1) can't update the same RR more than once in the same DNS packet.
dgux_fingerd.txt
The fingerd that ships w/ dgux allows remote execution of arbitrary commands.
smb_mount.c
This overwrites a buffer on Linux systems in smbmount from smbfs-2.0.1.
innd_exploit.c
Overwrites a buffer in innd on Linux x86 systems thus giving a remote shell.
smlogic.c
This is a fully functional logic bomb designed render Linux systems unuseable.
ld.so.c
Overwrites a buffer via LD_PRELOAD env. variable, giving root on Linux.
seyon_exploit.sh
Exploit for seyon, giving you the euid or egid of whatever seyon is suid to.
aixdtaction.c
Overwrites a buffer in /usr/dt/bin/dtaction via HOME env. variable, giving root.
datapipe.c
Makes a pipe between a listen port on localhost and a port on a remote machine.
sping.tar.gz
Linux binary and source of 'sping' which causes Win95 machines to crash.
linux_httpd.c
Overwrites a buffer in NSCA httpd v1.3 on linux systems, giving a remote shell.
sgi_cgihandler.txt
On IRIX systems, /cgi-bin/handler can be used to issue arbitrary commands.
wuftpd_umask.txt
The umask for wuftpd 2.4.2-b13 is 002 making files group writeable by anyone.
glimpse_http.txt
Glimpse HTTP (Interface to Glimpse Search Tool) can issue remote commands.
telnet_core.txt
On Linux systems, it is possible to get part of the shadow file w/ cores.
ircd_kill.c
Overwrites a buffer in ircII daemons, causing a segmentation fault in the server.
sneakin.tgz
A way to 'reverse telnet' from a box behind a firewall that allows ICMP packets.
qmail_exploit.c
Runs a qmail system out of memory by feeding an infinite amount of recipients.
qmail.tar.gz
This is a replacement sendmail-binmail system providing security and efficiency.
h_rpcinfo.tar.gz
Allows you to sneak past port filters on port 111 and get dumps of RPC services.
synlog-0.1.tar.gz
Synlog monitors half open TCP connections such as synfloods or synscans.
net_rpm.txt
Redhat Package Manager (rpm) can be used to overwrite arbitrary files.
wrapper-v2.tgz
This is a generic wrapper to prevent the exploitation of suid/sgid programs.
longpath.sh
Shell script that implements a long path attack causing various problems on Linux.
logarp.tar.gz
Useful for seeing if users on your subnet are "stealing" IP addresses.
listhosts.c
A host resolving program based on nslookup and other pieces of named tools.
synsniff.tar.gz
Script in perl which watches for inbound connections (SYN's) and logs them.
imapd_exploit.c
Get remote root access on Redhat Linux systems by overwriting a buffer in impad.
xlock.c
On Linux systems, this will overwrite a buffer in setuid xlock, giving root access.
phobia.tgz
This utility does a scan of an internet host looking for various vulnerabilities.
elm_exploit.c
Overwrites a buffer in Elm and Elm-ME+ on Linux via TERM environ. variable.
daynotify.sh
This script will exploit a bug in SGI's Registration Software under IRIX 6.2.
brute_web.c
This program will brute force it's way into a web server giving a user and passwd.
tcpdump.tar.Z
A tool for network monitoring and data acquisition. (needs library packet capture.)
winnuke.c
This sends Out of Band Data to Win95/NT computers causing panics and reboots.
sperl.tgz
Overwrites a buffer in the sperl5.001 and sperl5.003, thus giving root access.
dip-prob.txt
Dip will allow an ordinary user to gain control of arbitrary devices in /dev.
nlspath.txt
Exploits for ping, minicom, su and others on Linux via NLSPATH env. variable.
fdformat-ex.c
This will overwrite a buffer in /usr/bin/fdformat on Solaris 2.x systems giving root.
sunos-ovf.tar.gz
This program is designed to test buffer overflows on SunOS 4.1.x boxes.
cxterm.c
This overwrites a buffer in Chinese xterm Linux systems, thus giving root access.
color_xterm.c
This will overwrite a buffer in /usr/X11/bin/color_xterm, giving root on Linux.
pepsi.c
This program is a random source host UDP flooder that compiles under Linux.
tlnthide.c
Allocates a port and sets up a telnet gateway making it difficult to trace telnets.
jping.tar.gz
This is another simple IMCP flooding program that compiles under Linux.
LPRng.tgz
A light weight printing system especially designed with security in mind.
jolt.c
Sends oversized fragmented packets to Win95 boxes causing them to lock up.
utclean.c
This will remove your presence from wtmp, wtmpx, utmp, utmpx, and lastlog.
eject.c
Overwrites a buffer on Solaris 2.x systems in /usr/bin/eject, giving a root shell.
bind-8.1.1.tgz
Version 8.1.1 of bind with many improvements - (includes documentation).
puke.c
Spoofs an ICMP unreachable error to a target, causing connection drops.
webs099.tgz
A minimalist web server designed primarily for security and handles redirects.
talkd.txt
This explains how to get root remotely by overwriting a buffer in in.talkd.
udpstorm.tgz
This is an implenmentation of the udpstorm attack. Works with Linux.
jakal.c
A portscanner that avoids tcp-logging by not completing the 3-way TCP handshake.
lin_probe.c
This overwrites a buffer in /usr/X11/bin/SuperProbe on Linux, thus giving root.
AIX_host.c
Overwrites a buffer in gethostbyname() on AIX 4.2 Power PC, giving a root shell.
sgi_systour.txt
Exploit for /usr/lib/tour/bin/RemoveSystemTour on IRIX 5.3 & 6.2 that gives root.
connect.c
Lets a normal user crash AIX 4.1.4, AIX 4.1.5, HP-UX 10.01, and HP-UX 9.05
sol2.5_nis.txt
This show how to exploit /usr/lib/nis/nispopulate on Solaris 2.5 systems.
xdm_bugs.txt
It is possible to deny service from xdm and xdm does not close file handles correctly.
lilo-exploit.txt
Get root on the lastest versions of Linux (at the console) using LD_PRELOAD.
rsucker.pl
Perl script that acts as a fake r* daemon and logs the usernames sent from clients.
synk4.c
An improved and updated Syn Flooder that also supports a random IP spoofing mode.
portmap_5b.tar.gz
A portmapper that supports access control in the style of the tcp wrapper package.
iebugs.tar.gz
Microsoft Internet Explorer bugs one through six in text and html format.
arnudp.c
Demonstrates how to send single UDP packets from an arbitray souce/destination.
sun-reboot.txt
By typing: perl -e 'print "\e[1J"' you can reboot a sun ultra sparc at the console.
cgiwrap-3.22.tgz
This is a gateway that allows a more secure user access to CGI programs.
pma.tar.gz
Poor Man's Access - A daemon that lets you issue shell commands remotely.
makedir.txt
Programs to create thousands of directories and to delete these directories.
tcpprobe.c
This is a tcp portscanner that shows accepted connections on a remote host.
locktcp.c
This program will freeze a Solaris/x86 2.5.1 systems, causing denial of service.
block.c
Prevents users from logging in by monitoring utmp and closing down user's tty ports.
tin_problem.txt
rtin/tin will create /tmp/.tin_log with mode of 0666 in /tmp and follows symbolic links.
sun_patch.sh
If you have a sun SPARC, this script will stop all forms of buffer overrun attacks.
riputils.tgz
This is a set of routing internet protocol utilities designed for Linux systems.
ipbomb.c
This will attack a target host by sending various sizes and numbers of IP packets.
test-cgi.txt
Using the CGI program test-cgi, you can inventory files on remote systems.
lquerypv.txt
On AIX systems you can read any file (in hex) on the system with lquerypv.
COPS
(Computer Oracle & Password System) checks for Unix system misconfigurations.
Esniff.c
Source code for basic ethernet Sniffer. ( Straight out of Phrack ).
fakerwall.c
This program lets you send an rwall message from an arbitrary host of your choice.
fping
Like UNIX ping(1), but allows efficient pinging of a large list of hosts.
simping.c
Simulates the "ping -l 65510 victim.host" from Windows95 - also compiles on Linux.
bind.txt
This describes a potenital denial of service problem with BIND-4.9.5-P1.
pong.c
Attacks an arbitrary host by sending a flood of spoofed ICMP packets.
jizz.c
A DNS spoofer that exploits the cache vulnerability in most BIND daemons.
any-erect.c
Another DNS spoofing type program much like jizz.c. Compiles on Linux.
hide.c
Exploits a world-writeable /etc/utmp and allow the user to modify it interactively.
hsh002.c
This is a neat little shell for experimentation with lots of interesting features.
nfswatch4.1.tar.Z
This lets you monitor NFS requests to any given machine or the entire network.
nfstrace.tgz
This nfstrace package lets you to perform NFS tracing by network monitoring.
wuftpd-owrite.sh
Exploits a bug in wu-ftpd to create or overwrite a file anywhere on the filesystem.
wuftpd-sdump.sh
Exploit a bug in wu-ftpd to assemble and view the shadow password file.
shadowyank.c
This will reconstruct shadow entries from the core file from ftp daemon segmenting.
ICMPinfo V1.10
ICMPinfo is a tool for looking at ICMP messages received on the running host.
ident-scan.c
TCP scanner that gets the username of the daemon running on the specified port.
ascend.txt
Program for Linux designed to attack Ascend routers with zero length tcp offsets.
gzip.txt
While a file is being compressed with gzip it is world readable.
ISS (V1.3)
Internet Security Scanner. Scans subnets and gathers info. about the hosts it finds.
libc.so.5
This is a hacked libc.so.5 for Linux that spawns a shell when a call is made to crypt().
sdtcm_convert.txt
This explains to how exploit sdtcm_convert on Solaris machines to get root access.
mnt
Exploits a hole in HP-UX 9 rpc.mountd program and lets you steal NFS file handles.
NFS Shell
This should be very useful if you have located an insecure NFS server.
pmcrash.c
This allows you to crash ANY Livingston PortMaster by overflowing buffers.
pop3.c
Attemps mulitple username/password guesses on machines running POP3.
psrace.c
This code exploits a race condition in Solaris, thus allowing you to make a root shell.
rpc_chk.sh
Shell Script to get a list of running hosts from a DNS nameserver for a given domain.
seq_number.c
This is a program that exploits the TCP Sequence Number Generator bug.
asppp.txt
On Solaris 2.5x86, /tmp/.asppp.fifo can be used to make a world writeable .rhosts file.
kcms.txt
Explains how to get root on solaris 2.5 by exploiting /usr/openwin/bin/kcms_calibrate.
remove.c
A universal utmp, wtmp, and lastlog editor that also compiles under AIX & SCO.
kmemthief.c
If /dev/kmem is writeable by normal users, then this program will get you root.
slammer
Slammer lets you issue arbitray commands on hosts by exploting yp daemons.
Solaris Sniffer
This is a version of ESniff.c that has been modified for Solaris 2.X.
xpusher.c
This is a neat way to send keyboard events to another user's X window.
xsnoop.c
This program allows you to spy on another user's keyboard events like xkey.c
Strobe (V1.03)
Scans TCP ports on a target host and reveals which daemons are running.
Tiger (V2.2.3)
Tiger attemps to exploit known bugs, holes, and misconfigurations to attain root.
lquerylv.c
This overwrites a buffer in /usr/sbin/lquerylv on AIX systems, thus giving a root shell.
udpscan.c
Identifys open UDP ports by sending a bogus UDP packet and wait for a response.
portd.c
A daemon that listens on a port and provides passworded shell access.
pingexploit.c
This lets you send oversized ICMP packets from a unix box just like Win95.
checksyslog.tgz
Analyze your system logs for security problems while ignoring normal behavior.
dosemu.txt
On Debian v1.1, /usr/sbin/dos can be used to read any file on the system.
yaping.0.1.tgz
Yet another ping for Linux. Packets of size > 65535 octets are supported.
xcrowbar.c
Source code that gets you a pointer to an X Display even after an xhost -
xkey.c
Attach to any X server you have permission to and watch the user's keyboard.
X Watch Window
If you have access on a host's X server,this will show the window on your X-server.
messages.sh
Parses through /var/adm/messages to see if user typed password at login prompt.
securelib.tar.Z
Shared library for SunOS 4.1 and later that will help protect your RPC daemons.
ypsnarf.c
This handy little program will get you yp domain names, yp maps, and yp maplists.
YPX
YPX guesses NIS domain names.YPX will extract the maps directly from domains.
ftp-scan.c
This program exploits the ftp protocol to let you scan services on firewalls.
rdist-ex.c
This will write past a buffer, straight onto the stack, giving a root shell on FreeBSD.
ttywatcher-1.1b.tgz
ttywatcher lets a user monitor and interact with every tty on the system.
splitvt.c
An older exploit for Linux that overwrites a buffer in /usr/bin/splitvt, giving root.
mount-ex.c
All Linux versions are vulnerable to this buffer overflow attack on suid mount.
perl-ex.sh
perl-ex.sh is a simple little sperl script that gives you a root shell via suidperl.
sndmail8.8.4.txt
This will explain how to exploit sendmail version 8.8.4 to get root access.
mod_ldt.c
Gives access to all of Linux's linear memory to user processes at will, and thus root.
dipExploit.c
Linux dip Exploit. Overwrite a buffer in do_chatkey(), thus giving you a root shell.
rexecscan.txt
The rexecd can be used easily to scan the client host from the server host.
rpcs.01b.tar.gz
This is program that is designed to scan subnets for rpc services.
rxvtExploit.txt
Exploits a popen() call issued by rxvt on Linux machines, thus giving a root shell.
nfsbug.c
Demonstates a security problem in unfsd guessing the file handle of the root FS.
abuse.txt
A Linux exploit for Red Hat 2.1. This gives a root shell by exploitng abuse.console.
xtermOverflo.c
A program that overwrites a buffer in libXt.so while xterm is suid to root.
resolv+.exp
Quick and Simple way to read the /etc/shadow file as well as many other things.
resizeExp.txt
Another Red Hat 2.1 exploit for resizecons due to lack of absolute pathnames.
qcrack.tar.gz
Like crack except this gives increased cracking speeds at the expense of disk space.
gpm-exploit.txt
This will get root on Linux systems using /usr/games/doom/killmouse.
pingflood.c
This pings floods a host, thus wasting bandwidth and denying service.
telnetd exploit
This will create a shared library that gives a root shell remotely or locally.
pop3d exploit
Read the contents of the mail spool of a user when they connect to in.popd.
popper.txt
Some versions of (q)popper from qualcomm allow you to read other user's mail.
vif.tar.gz
This code lets you have multiple IP addresses for a single interface.
amod.tar.gz
Amodload is a tool which allows the loading of arbitrary code into SunOS kernels.
getethers1.6.tgz
getthers scans all address on an ethernet and producing a hostname/ethernet list.
cfexec.sh
This let's you issue arbitrary commands as root on GNU cfingerd 1.0.1.
NFS Problems
Shows some potential problems with Linux in.nfsd concerning read-only exports.
cdromvuln.txt
If Linux CD is mounted w/ suid flag, older suid exploits will work on live filesystem.
vixie.c
On Redhat Linux systems this will overwrite a buffer in crontab, thus giving root.
linsniffer.c
This is a simple Linux Sniffer that shows you incoming TCP packets on most ports.
rshd_problem.txt
You can figure out valid usernames by examining the response from in.rshd.
linux_sniffer.c
Another Linux sniffer much like the one above. Shows more detailed TCP info.
Sol2.4Core.txt
Solaris 2.4 exploit that allows you to overwrite files when a suid prog. core dumps.
SolAdmtool.txt
On Solaris 2.5, the Admintool can be used to create a writeable /.rhosts file.
SYNpacket.tgz
Floods a port with TCP packets with the SYN bit turned on causing inetd to segment.
login_trojan.c
A login trojan program to be run at the console to get other user's passwords.
phf.c
A quick and easy to scan for hosts that still have the phf bug which gives /etc/passwd.
phfprobe.pl
This tries to find out as much information about the person calling phf as possible.
SYNWatch.tar.gz
This program watches for TCP packets with the SYN bit turned on.
pinglogger.tar.gz
Logs all ICMP packets to a log file so you can see who is ping flooding you.
screen.txt
On BSDi systems, you can use /usr/contrbi/bin/screen to read /etc/master.passwd.
ftpBounceAttack
Implementation of the ftp Bounce Attack allowing you to anonymously do things.
grabem.c
A very stupid/simple program to get passwords from users logging in on the consol.
tcpview.c
Another sniffer type program designed for Sun OS 4.1 architectures using /dev/nit.
pcnfsd.c
Exploit that allows local users to chmod arbitrary directories on hosts running pcnfsd.
netcraft.tgz
Contains various (and older) web security issues and exploits from Netcraft.
superforker.c
This is a supercharged version of the classic fork() denial of service attack.
tripwire-1.2.tgz
Creates a signature of binary files, and then checks to see if these file were modified.
tcpr-1.3.tar.gz
A set of perl scripts that enable you to run ftp and telnet commands across a firewall.
syslogFogger.c
This allows you to write to system logging facilites via UDP packets to port 514.
ypbreak.c
Lets you change your username, password, gecos, or shell via yppasswd daemon.
hdtraq.c
This runs as a daemon and purportedly creates bad sectors on a hard drive.
finger_attack.txt
By recursively fingering a host, you can cause a possible crash of in.fingerd.
logdaemon.tar.gz
Version 5.6 of a suite of tcp/ip programs that enhance network system logging.
suTrojan.c
This is a replacement program for su that mails you when an attempt to su is made.
sigurg.c
This code allows up to kill any process on Linux boxes running older kernels.
sushiPing.c
On Sun 4 platforms, this trojan ping gives you a root shell when you make a triggerfile.
webgais.txt
This will explain how to issue shell commands remotely using /cgi-bin/webgais.
sushiQuota.c
Another trojan for Sun 4 machines that is trigger with a triggerfile.
pcs.tgz
A libpcap based sniffer that supports multiple interfaces and PPP (with no filtering).
sfingerd-1.8.tgz
A replacement for the standard unix finger daemon designed for security.
snifftest.c
snifftest.c will try to tell you if a sniffer is running on Sun machines.
IPInvestigator.tgz
IPIvestigator is another sniffer that lets you watch traffic between machines.
gnmp.tar.gz
Generic Network Message Passing is a simple client server messaging system.
lpr Exploit
This small program exploit the suid root lpr program giving root.
Xfree86 Exploit
There is a problem with XFree86 3.1.2 that lets you overwrite files.
wipehd.asm
Assembly Language program that will remove the first 10 sectors of a hardrive.
minicom.c
This is an exploit for minicom on Linux systems that will overwrite a buffer.
sam.txt
On HP-UX, the System Administration Manager (sam) can be used to truncate files.
DenialofService
zip file illustrating five simple denial of service attacks on a unix.
xspy.tar.gz
xspy is a program that makes logins appear on your display.
scan.sh
This is a perl script that scans subnets and reports if rexd or ypserv is running.
xscan.tar.gz
scans subnets for unsecured X clients and automatically logs results.
OSF1_dxchpwd
On OSF1, /usr/tcb/bin/dxchpwd can be used to overwrite any file on the system.
bindExploit.txt
Setting SO_REUSEADDR options and calling bind allows user to steal udp packets.
cloak.c
This program wipes all traces of a user from a UNIX system.
convfontExploit.sh
Script that exploits /usr/bin/convfont on Linux systems to get root access.
ipspoof.c
This program demonstrates how to send arbitrary tcp/ip packets.
marry.c
This program is a log editor with lots of interesting features.
portscan.c
A Linux port scanner program that reports the services running on another host.
dumpExploit.txt
On Linux systems /sbin/dump can be used to read arbitrary files.
fingerd.c
This program is another finger daemon trojan program.
ttysurf.c
This program listens on ttys and tries to get login and passwords.
generic_buffer.tgz
Generic buffer overrun program for Linux, SunOS, and Solaris.
linux_lpr.c
This program overwrites a buffer in the suid program lpr, thus giving a root shell.
kill_inetd.c
This program causes denial of service by attacking inetd. Runs on Linux systems.
grabBag.tgz
Tons of old and miscellaneous exploits from different versions of unix.
wu-ftpd.sh
This shell script lets you create a file anywhere on the system.
sol_mailx.txt
An old security hole in /usr/bin/mailx still exists in the mailx on Solaris 2.5
oracle.txt
Discusses a denial of service attack against older versions of Oracle Webserver.
hp_stuff.tgz
Lots of exploits for HP/UX from the Scriptors of Doom.
hpjetadmin.txt
hpjetadmin can be tricked giving away root by a writeable .rhosts file.
flash.c
Messes up another user's terminal by issuing a talk request with vt100 escape chars.
modstat.c
This program will overrun a buffer in /usr/bin/modstat on FreeBSD systems.
pine_exploit.sh
This script is an exploit for pine. It can be used to create .rhosts files.
view_source.txt
On some httpd distributions, you can use cgi-bin/view-source to read arbitray files.
sendmail-ex.sh
This is an exploit script for sendmail 8.7-8.8.2 for FreeBSD and Linux. Gives root.
smh.c
smh.c is an exploit for sendmail 8.6.9. It gives a bin owned setuid shell.
rlogin_exploit.c
This overwrites a buffer in gethostbyame() on Solaris 2.5.1, giving a root shell.
octopus.c
A denial of service attack by opening tons of socket connections to a remote host.
expect_bug.txt
Expect does not make handles to pseudo tty's inaccessable to other processes.
html.txt
Shows interesting links to put in your HTML pages causing denial of service.
autoreply.txt
autoreply(1) can be used to create root owned files with a mode of 666.
bdexp.c
On older versions of Linux, this will overwrite a buffer in suid bdash, giving root.
solsocket.txt
On Solaris-x86 2.5, any normal user can connect to unix domain sockets.
lemon25.c
Exploit for Solaris 2.5.(1) that overwrites a buffer in passwd, giving root access.
reflscan.c
Another TCP port scanner that escapes logging by using half open connections.
yp.txt
On YP systems, when a password expires, the old password is not required.
ffbconfig-ex.c
This program overwrites a buffer in /usr/sbin/ffbconfig on Solaris 2.5.1 giving root.
lin-pkgtool.txt
This file explains how to get root on Linux system with the pkgtool program.
startmidi.txt
On IRIX systems, startmidi can be exploited to obtain root privileges.
linux_rcp.txt
On Linux, if you have access to uid 65535 (nobody), then root can be obtained.
doomsnd.txt
This will get root on Linux systems by exploiting the doom sndserver.
dec_osf1.sh
This script exploits /usr/sbin/dop on DEC unix 4.0, 4.0A, and 4.0B, giving a root shell.
rpcbind_1.1.tgz
This is an rpcbind replacement that includes tcp wrapper style access control.
breaksk.txt
Netscape's server key format is susceptible to dictionary attacks.
