Tuesday September 02 1997, Boris Tobotras writes to Sergey Okhapkin:
Sergey>> Hello All! Рекомендую заглянуть на
Sergey>> http://www.h0ar.org/myn/#unixfiles :-)
BT> While trying to retrieve the URL: http://www.h0ar.org/myn/
BT> The following error was encountered:
BT> Connection Failed
BT> The system returned:
BT> (61) Connection refused
BT> This means that:
BT> The remote site or server may be busy or down. Please try again
BT> later.
BT> Так что сам давай рассказывай про дыры ;)
Я тоже не с первого раза туда попал ;-) Видать, они в очередную дыру вляпались
:-)
aix_ping.c Overwrites a buffer in gethostbyname(), giving root on AIX 4.x PPC
systems.
aix_lchangelv.c Another buffer overrun exploit that gives root on AIX 4.x PPC
from lchangelv.
aix_xlock.c This will overwrite a buffer in /usr/bin/X11/xlock on AIX 4.x PPC,
giving root.
web_sniff.c A Linux sniffer that is designed to retrieve web usernames and
passwords.
xf86_ports.txt A normal user can run X on a reserved port thus blocking
legitmate daemons.
solaris_telnet.c A program designed to attack a Solaris 2.5 box, making it
totally unresponsive.
identd_attack.txt A massive amount of authorization requests can render a system
unusable.
secure_shell.txt Using SSH, a non-root user can open privleged ports and
redirect them.
bsd_procfs.c In /proc under FreeBSD 2.2.1, you can modify a setuid executable's
memory.
zgv_exploit.c This will overwrite a buffer in /usr/bin/zgv on Redhat Linux
systems, giving root.
sgi_html.txt It is possible to execute remote commands on IRIX 6.3 and 6.4 via
/usr/sysadm.
smurf.c Spoofs IMCP packets resulting in multiple replies to a host from a
single packet.
bind_nuke.txt Bind8.1.(1) can't update the same RR more than once in the same
DNS packet.
dgux_fingerd.txt The fingerd that ships w/ dgux allows remote execution of
arbitrary commands.
smb_mount.c This overwrites a buffer on Linux systems in smbmount from
smbfs-2.0.1.
innd_exploit.c Overwrites a buffer in innd on Linux x86 systems thus giving a
remote shell.
smlogic.c This is a fully functional logic bomb designed render Linux systems
unuseable.
ld.so.c Overwrites a buffer via LD_PRELOAD env. variable, giving root on Linux.
solaris_ping.txt On Solaris 2.x systems, any user can crash or reboot the system
using ping.
seyon_exploit.sh Exploit for seyon, giving you the euid or egid of whatever
seyon is suid to.
aixdtaction.c Overwrites a buffer in /usr/dt/bin/dtaction via HOME env.
variable, giving root.
datapipe.c Makes a pipe between a listen port on localhost and a port on a
remote machine.
sping.tar.gz Linux binary and source of 'sping' which causes Win95 machines to
crash.
linux_httpd.c Overwrites a buffer in NSCA httpd v1.3 on linux systems, giving a
remote shell.
sgi_cgihandler.txt On IRIX systems, /cgi-bin/handler can be used to issue
arbitrary commands.
wuftpd_umask.txt The umask for wuftpd 2.4.2-b13 is 002 making files group
writeable by anyone.
glimpse_http.txt Glimpse HTTP (Interface to Glimpse Search Tool) can issue
remote commands.
telnet_core.txt On Linux systems, it is possible to get part of the shadow file
w/ cores.
ircd_kill.c Overwrites a buffer in ircII daemons, causing a segmentation fault
in the server.
sneakin.tgz A way to 'reverse telnet' from a box behind a firewall that allows
ICMP packets.
qmail_exploit.c Runs a qmail system out of memory by feeding an infinite amount
of recipients.
qmail.tar.gz This is a replacement sendmail-binmail system providing security
and efficiency.
h_rpcinfo.tar.gz Allows you to sneak past port filters on port 111 and get dumps
of RPC services.
synlog-0.1.tar.gz Synlog monitors half open TCP connections such as synfloods or
synscans.
net_rpm.txt Redhat Package Manager (rpm) can be used to overwrite arbitrary
files.
wrapper-v2.tgz This is a generic wrapper to prevent the exploitation of
suid/sgid programs.
solaris_ifreq.c On Solaris, users can do control requests on a root created
socket descriptor.
longpath.sh Shell script that implements a long path attack causing various
problems on Linux.
logarp.tar.gz Useful for seeing if users on your subnet are "stealing" IP
addresses.
aix_dtterm.c This will overwrite a buffer in /usr/dt/bin/dtterm on AIX 4.2 PPC,
giving root.
listhosts.c A host resolving program based on nslookup and other pieces of named
tools.
irix-wrapper.c Wraps programs on IRIX to prevent command line argument buffer
overruns.
irix-df.c This will overwrite a buffer in /bin/df on IRIX systems, thus giving a
root shell.
irix-dp.c This overwrites a buffer in /usr/lib/desktop/permissions, giving egid
of sys on IRIX.
irix-login.c This will overwrite a buffer in /bin/login on IRIX systems, giving
root.
irix-xlock.c This will give root by overwriting a buffer in /usr/bin/X11/xlock
on IRIX.
synsniff.tar.gz Script in perl which watches for inbound connections (SYN's) and
logs them.
SunOS_crash.txt Reading /dev/tcx0 on a SunOS 4.1.4 Sparc 20 causes a system
panic.
imapd_exploit.c Get remote root access on Redhat Linux systems by overwriting a
buffer in impad.
xlock.c On Linux systems, this will overwrite a buffer in setuid xlock, giving
root access.
phobia.tgz This utility does a scan of an internet host looking for various
vulnerabilities.
elm_exploit.c Overwrites a buffer in Elm and Elm-ME+ on Linux via TERM environ.
variable.
daynotify.sh This script will exploit a bug in SGI's Registration Software under
IRIX 6.2.
brute_web.c This program will brute force it's way into a web server giving a
user and passwd.
tcpdump.tar.Z A tool for network monitoring and data acquisition. (needs library
packet capture.)
winnuke.c This sends Out of Band Data to Win95/NT computers causing panics and
reboots.
sperl.tgz Overwrites a buffer in the sperl5.001 and sperl5.003, thus giving root
access.
dip-prob.txt Dip will allow an ordinary user to gain control of arbitrary
devices in /dev.
nlspath.txt Exploits for ping, minicom, su and others on Linux via NLSPATH env.
variable.
solaris_lp.sh Script for Solaris that breaks lp, then use lp priv to break root
(or bin, etc...).
AIX_mount.c Overwrites a buffer in /usr/sbin/mount on AIX 4.x systems via
LC_MESSAGES.
fdformat-ex.c This will overwrite a buffer in /usr/bin/fdformat on Solaris 2.x
systems giving root.
sunos-ovf.tar.gz This program is designed to test buffer overflows on SunOS
4.1.x boxes.
cxterm.c This overwrites a buffer in Chinese xterm Linux systems, thus giving
root access.
color_xterm.c This will overwrite a buffer in /usr/X11/bin/color_xterm, giving
root on Linux.
pepsi.c This program is a random source host UDP flooder that compiles under
Linux.
tlnthide.c Allocates a port and sets up a telnet gateway making it difficult to
trace telnets.
jping.tar.gz This is another simple IMCP flooding program that compiles under
Linux.
LPRng.tgz A light weight printing system especially designed with security in
mind.
jolt.c Sends oversized fragmented packets to Win95 boxes causing them to lock
up.
utclean.c This will remove your presence from wtmp, wtmpx, utmp, utmpx, and
lastlog.
eject.c Overwrites a buffer on Solaris 2.x systems in /usr/bin/eject, giving a
root shell.
bind-8.1.1.tgz Version 8.1.1 of bind with many improvements - (includes
documentation).
puke.c Spoofs an ICMP unreachable error to a target, causing connection drops.
webs099.tgz A minimalist web server designed primarily for security and handles
redirects.
talkd.txt This explains how to get root remotely by overwriting a buffer in
in.talkd.
udpstorm.tgz This is an implenmentation of the udpstorm attack. Works with
Linux.
jakal.c A portscanner that avoids tcp-logging by not completing the 3-way TCP
handshake.
lin_probe.c This overwrites a buffer in /usr/X11/bin/SuperProbe on Linux, thus
giving root.
AIX_host.c Overwrites a buffer in gethostbyname() on AIX 4.2 Power PC, giving a
root shell.
sgi_systour.txt Exploit for /usr/lib/tour/bin/RemoveSystemTour on IRIX 5.3 & 6.2
that gives root.
connect.c Lets a normal user crash AIX 4.1.4, AIX 4.1.5, HP-UX 10.01, and HP-UX
9.05
sol2.5_nis.txt This show how to exploit /usr/lib/nis/nispopulate on Solaris 2.5
systems.
xdm_bugs.txt It is possible to deny service from xdm and xdm does not close file
handles correctly.
crack-2a.tgz Unix Password Cracker 2.0(a) by Scooter Corp. (Comes with crack
dictionary).
lilo-exploit.txt Get root on the lastest versions of Linux (at the console)
using LD_PRELOAD.
rsucker.pl Perl script that acts as a fake r* daemon and logs the usernames sent
from clients.
synk4.c An improved and updated Syn Flooder that also supports a random IP
spoofing mode.
portmap_5b.tar.gz A portmapper that supports access control in the style of the
tcp wrapper package.
irix-login.txt On Irix systems /var/adm/badlogin contains failed logins and
passwords in clear text.
iebugs.tar.gz Microsoft Internet Explorer bugs one through six in text and html
format.
arnudp.c Demonstrates how to send single UDP packets from an arbitray
souce/destination.
sun-reboot.txt By typing: perl -e 'print "e[1J"' you can reboot a sun ultra
sparc at the console.
cgiwrap-3.22.tgz This is a gateway that allows a more secure user access to CGI
programs.
fastcracker.tgz This program is designed to quickly crack DES encrypted
passwords.
pma.tar.gz Poor Man's Access - A daemon that lets you issue shell commands
remotely.
makedir.txt Programs to create thousands of directories and to delete these
directories.
tcpprobe.c This is a tcp portscanner that shows accepted connections on a remote
host.
locktcp.c This program will freeze a Solaris/x86 2.5.1 systems, causing denial
of service.
irix-wrap.txt This shows how to get a listing of directories (755) from
cgi-bin/wrap on Irix 6.2.
block.c Prevents users from logging in by monitoring utmp and closing down
user's tty ports.
tin_problem.txt rtin/tin will create /tmp/.tin_log with mode of 0666 in /tmp and
follows symbolic links.
sun_patch.sh If you have a sun SPARC, this script will stop all forms of buffer
overrun attacks.
riputils.tgz This is a set of routing internet protocol utilities designed for
Linux systems.
ipbomb.c This will attack a target host by sending various sizes and numbers of
IP packets.
test-cgi.txt Using the CGI program test-cgi, you can inventory files on remote
systems.
lquerypv.txt On AIX systems you can read any file (in hex) on the system with
lquerypv.
COPS (Computer Oracle & Password System) checks for Unix system
misconfigurations.
Crack v5.0 Got access to password or shadow file? Shows what other user's
passwords are.
Crack Dictionary This is a general 50,000 word dictionary for use with Crack or
other programs.
Esniff.c Source code for basic ethernet Sniffer. ( Straight out of Phrack ).
fakerwall.c This program lets you send an rwall message from an arbitrary host
of your choice.
fping Like UNIX ping(1), but allows efficient pinging of a large list of hosts.
simping.c Simulates the "ping -l 65510 victim.host" from Windows95 - also
compiles on Linux.
bind.txt This describes a potenital denial of service problem with
BIND-4.9.5-P1.
pong.c Attacks an arbitrary host by sending a flood of spoofed ICMP packets.
jizz.c A DNS spoofer that exploits the cache vulnerability in most BIND daemons.
any-erect.c Another DNS spoofing type program much like jizz.c. Compiles on
Linux.
hide.c Exploits a world-writeable /etc/utmp and allow the user to modify it
interactively.
hsh002.c This is a neat little shell for experimentation with lots of
interesting features.
nfswatch4.1.tar.Z This lets you monitor NFS requests to any given machine or the
entire network.
nfstrace.tgz This nfstrace package lets you to perform NFS tracing by network
monitoring.
wuftpd-owrite.sh Exploits a bug in wu-ftpd to create or overwrite a file
anywhere on the filesystem.
wuftpd-sdump.sh Exploit a bug in wu-ftpd to assemble and view the shadow
password file.
shadowyank.c This will reconstruct shadow entries from the core file from ftp
daemon segmenting.
ICMPinfo V1.10 ICMPinfo is a tool for looking at ICMP messages received on the
running host.
ident-scan.c TCP scanner that gets the username of the daemon running on the
specified port.
ascend.txt Program for Linux designed to attack Ascend routers with zero length
tcp offsets.
gzip.txt While a file is being compressed with gzip it is world readable.
ISS (V1.3) Internet Security Scanner. Scans subnets and gathers info. about the
hosts it finds.
libc.so.5 This is a hacked libc.so.5 for Linux that spawns a shell when a call
is made to crypt().
sdtcm_convert.txt This explains to how exploit sdtcm_convert on Solaris machines
to get root access.
mnt Exploits a hole in HP-UX 9 rpc.mountd program and lets you steal NFS file
handles.
netcat (V1.10) Like Unix cat(1) but this one talks network packets (TCP or UDP).
Excellent tool.
NFS Shell This should be very useful if you have located an insecure NFS server.
pmcrash.c This allows you to crash ANY Livingston PortMaster by overflowing
buffers.
pop3.c Attemps mulitple username/password guesses on machines running POP3.
psrace.c This code exploits a race condition in Solaris, thus allowing you to
make a root shell.
Root Kit Programs like ps, ls, & du which have been modified to hide certain
files & processes.
rpc_chk.sh Shell Script to get a list of running hosts from a DNS nameserver for
a given domain.
seq_number.c This is a program that exploits the TCP Sequence Number Generator
bug.
asppp.txt On Solaris 2.5x86, /tmp/.asppp.fifo can be used to make a world
writeable .rhosts file.
kcms.txt Explains how to get root on solaris 2.5 by exploiting
/usr/openwin/bin/kcms_calibrate.
remove.c A universal utmp, wtmp, and lastlog editor that also compiles under AIX
& SCO.
kmemthief.c If /dev/kmem is writeable by normal users, then this program will
get you root.
slammer Slammer lets you issue arbitray commands on hosts by exploting yp
daemons.
Socket Demon (V1.3) Daemon that sits on a specified IP port and provides
passworded shell access.
Solaris Sniffer This is a version of ESniff.c that has been modified for Solaris
2.X.
xpusher.c This is a neat way to send keyboard events to another user's X window.
xsnoop.c This program allows you to spy on another user's keyboard events like
xkey.c
Strobe (V1.03) Scans TCP ports on a target host and reveals which daemons are
running.
Tiger (V2.2.3) Tiger attemps to exploit known bugs, holes, and misconfigurations
to attain root.
lquerylv.c This overwrites a buffer in /usr/sbin/lquerylv on AIX systems, thus
giving a root shell.
Traceroute Traceroute is an indispensable tool for troubleshooting and mapping
your network.
udpscan.c Identifys open UDP ports by sending a bogus UDP packet and wait for a
response.
portd.c A daemon that listens on a port and provides passworded shell access.
pingexploit.c This lets you send oversized ICMP packets from a unix box just
like Win95.
checksyslog.tgz Analyze your system logs for security problems while ignoring
normal behavior.
dosemu.txt On Debian v1.1, /usr/sbin/dos can be used to read any file on the
system.
yaping.0.1.tgz Yet another ping for Linux. Packets of size > 65535 octets are
supported.
xcrowbar.c Source code that gets you a pointer to an X Display even after an
xhost -
xkey.c Attach to any X server you have permission to and watch the user's
keyboard.
X Watch Window If you have access on a host's X server,this will show the window
on your X-server.
messages.sh Parses through /var/adm/messages to see if user typed password at
login prompt.
FreeBSDmail.txt This exploit will overwrite a buffer on sendmail 8.6.12 running
on FreeBSD 2.1.0.
securelib.tar.Z Shared library for SunOS 4.1 and later that will help protect
your RPC daemons.
ypsnarf.c This handy little program will get you yp domain names, yp maps, and
yp maplists.
YPX YPX guesses NIS domain names.YPX will extract the maps directly from
domains.
ftp-scan.c This program exploits the ftp protocol to let you scan services on
firewalls.
rdist-ex.c This will write past a buffer, straight onto the stack, giving a root
shell on FreeBSD.
ttywatcher-1.1b.tgz ttywatcher lets a user monitor and interact with every tty
on the system.
splitvt.c An older exploit for Linux that overwrites a buffer in
/usr/bin/splitvt, giving root.
mount-ex.c All Linux versions are vulnerable to this buffer overflow attack on
suid mount.
perl-ex.sh perl-ex.sh is a simple little sperl script that gives you a root
shell via suidperl.
sndmail8.8.4.txt This will explain how to exploit sendmail version 8.8.4 to get
root access.
irix-xhost.txt In default setup for irix, xhost is set to global acess when
someone logs into console.
mod_ldt.c Gives access to all of Linux's linear memory to user processes at
will, and thus root.
dipExploit.c Linux dip Exploit. Overwrite a buffer in do_chatkey(), thus giving
you a root shell.
rexecscan.txt The rexecd can be used easily to scan the client host from the
server host.
rpcs.01b.tar.gz This is program that is designed to scan subnets for rpc
services.
rxvtExploit.txt Exploits a popen() call issued by rxvt on Linux machines, thus
giving a root shell.
nfsbug.c Demonstates a security problem in unfsd guessing the file handle of the
root FS.
abuse.txt A Linux exploit for Red Hat 2.1. This gives a root shell by exploitng
abuse.console.
xtermOverflo.c A program that overwrites a buffer in libXt.so while xterm is
suid to root.
resolv+.exp Quick and Simple way to read the /etc/shadow file as well as many
other things.
resizeExp.txt Another Red Hat 2.1 exploit for resizecons due to lack of absolute
pathnames.
qcrack.tar.gz Like crack except this gives increased cracking speeds at the
expense of disk space.
Linux rootkit A rootkit designed for Linux systems. Comes with ps, netstat, and
login.
X webcomber A cool little tool that lets you search for things (like hacking) on
the web.
gpm-exploit.txt This will get root on Linux systems using
/usr/games/doom/killmouse.
pingflood.c This pings floods a host, thus wasting bandwidth and denying
service.
telnetd exploit This will create a shared library that gives a root shell
remotely or locally.
pop3d exploit Read the contents of the mail spool of a user when they connect to
in.popd.
popper.txt Some versions of (q)popper from qualcomm allow you to read other
user's mail.
vif.tar.gz This code lets you have multiple IP addresses for a single interface.
amod.tar.gz Amodload is a tool which allows the loading of arbitrary code into
SunOS kernels.
getethers1.6.tgz getthers scans all address on an ethernet and producing a
hostname/ethernet list.
rootkitSunOS.tgz Here is another root kit designed for SunOS operating systems.
Lots of cool stuff.
demonKit-1.0.tar.gz A suite of trojan programs opening back doors to root on a
Linux system.
eviltelnetd telnet-hacked.tgz is a hacked telnet daemon that gives a root shell
w/o password.
cfexec.sh This let's you issue arbitrary commands as root on GNU cfingerd 1.0.1.
NFS Problems Shows some potential problems with Linux in.nfsd concerning
read-only exports.
cdromvuln.txt If Linux CD is mounted w/ suid flag, older suid exploits will work
on live filesystem.
vixie.c On Redhat Linux systems this will overwrite a buffer in crontab, thus
giving root.
linsniffer.c This is a simple Linux Sniffer that shows you incoming TCP packets
on most ports.
rshd_problem.txt You can figure out valid usernames by examining the response
from in.rshd.
linux_sniffer.c Another Linux sniffer much like the one above. Shows more
detailed TCP info.
sniffit.0.3.5.tar.gz A very flexible network sniffer that has many interesting
features (like curses).
Sol2.4Core.txt Solaris 2.4 exploit that allows you to overwrite files when a
suid prog. core dumps.
SolAdmtool.txt On Solaris 2.5, the Admintool can be used to create a writeable
/.rhosts file.
irix-netprint.txt On IRIX, /usr/lib/print/netprint calls 'disable' without
specifying absolute path.
SYNpacket.tgz Floods a port with TCP packets with the SYN bit turned on causing
inetd to segment.
login_trojan.c A login trojan program to be run at the console to get other
user's passwords.
phf.c A quick and easy to scan for hosts that still have the phf bug which gives
/etc/passwd.
phfprobe.pl This tries to find out as much information about the person calling
phf as possible.
SYNWatch.tar.gz This program watches for TCP packets with the SYN bit turned on.
pinglogger.tar.gz Logs all ICMP packets to a log file so you can see who is ping
flooding you.
screen.txt On BSDi systems, you can use /usr/contrbi/bin/screen to read
/etc/master.passwd.
ftpBounceAttack Implementation of the ftp Bounce Attack allowing you to
anonymously do things.
grabem.c A very stupid/simple program to get passwords from users logging in on
the consol.
tcpview.c Another sniffer type program designed for Sun OS 4.1 architectures
using /dev/nit.
pcnfsd.c Exploit that allows local users to chmod arbitrary directories on hosts
running pcnfsd.
netcraft.tgz Contains various (and older) web security issues and exploits from
Netcraft.
superforker.c This is a supercharged version of the classic fork() denial of
service attack.
tripwire-1.2.tgz Creates a signature of binary files, and then checks to see if
these file were modified.
tcpr-1.3.tar.gz A set of perl scripts that enable you to run ftp and telnet
commands across a firewall.
syslogFogger.c This allows you to write to system logging facilites via UDP
packets to port 514.
ypbreak.c Lets you change your username, password, gecos, or shell via yppasswd
daemon.
hdtraq.c This runs as a daemon and purportedly creates bad sectors on a hard
drive.
finger_attack.txt By recursively fingering a host, you can cause a possible
crash of in.fingerd.
logdaemon.tar.gz Version 5.6 of a suite of tcp/ip programs that enhance network
system logging.
suTrojan.c This is a replacement program for su that mails you when an attempt
to su is made.
sigurg.c This code allows up to kill any process on Linux boxes running older
kernels.
sushiPing.c On Sun 4 platforms, this trojan ping gives you a root shell when you
make a triggerfile.
webgais.txt This will explain how to issue shell commands remotely using
/cgi-bin/webgais.
sushiQuota.c Another trojan for Sun 4 machines that is trigger with a
triggerfile.
pcs.tgz A libpcap based sniffer that supports multiple interfaces and PPP (with
no filtering).
sfingerd-1.8.tgz A replacement for the standard unix finger daemon designed for
security.
snifftest.c snifftest.c will try to tell you if a sniffer is running on Sun
machines.
IPInvestigator.tgz IPIvestigator is another sniffer that lets you watch traffic
between machines.
gnmp.tar.gz Generic Network Message Passing is a simple client server messaging
system.
irixmail.sh Exploit shell script that gives a root shell on IRIX systems.
lpr Exploit This small program exploit the suid root lpr program giving root.
Xfree86 Exploit There is a problem with XFree86 3.1.2 that lets you overwrite
files.
wipehd.asm Assembly Language program that will remove the first 10 sectors of a
hardrive.
minicom.c This is an exploit for minicom on Linux systems that will overwrite a
buffer.
sam.txt On HP-UX, the System Administration Manager (sam) can be used to
truncate files.
DenialofService zip file illustrating five simple denial of service attacks on a
unix.
xspy.tar.gz xspy is a program that makes logins appear on your display.
scan.sh This is a perl script that scans subnets and reports if rexd or ypserv
is running.
xscan.tar.gz scans subnets for unsecured X clients and automatically logs
results.
BSDcron-ex.c BSD cron exploit. This program overruns a buffer, giving root
access.
OSF1_dxchpwd On OSF1, /usr/tcb/bin/dxchpwd can be used to overwrite any file on
the system.
bindExploit.txt Setting SO_REUSEADDR options and calling bind allows user to
steal udp packets.
cloak.c This program wipes all traces of a user from a UNIX system.
convfontExploit.sh Script that exploits /usr/bin/convfont on Linux systems to
get root access.
ipspoof.c This program demonstrates how to send arbitrary tcp/ip packets.
marry.c This program is a log editor with lots of interesting features.
portscan.c A Linux port scanner program that reports the services running on
another host.
dumpExploit.txt On Linux systems /sbin/dump can be used to read arbitrary files.
fingerd.c This program is another finger daemon trojan program.
ttysurf.c This program listens on ttys and tries to get login and passwords.
generic_buffer.tgz Generic buffer overrun program for Linux, SunOS, and Solaris.
linux_lpr.c This program overwrites a buffer in the suid program lpr, thus
giving a root shell.
SunOS_user.txt On SunOS, chsh and chfn use getenv("USER") to validate the userid
of the caller.
kill_inetd.c This program causes denial of service by attacking inetd. Runs on
Linux systems.
grabBag.tgz Tons of old and miscellaneous exploits from different versions of
unix.
wu-ftpd.sh This shell script lets you create a file anywhere on the system.
sol_mailx.txt An old security hole in /usr/bin/mailx still exists in the mailx
on Solaris 2.5
oracle.txt Discusses a denial of service attack against older versions of Oracle
Webserver.
hp_stuff.tgz Lots of exploits for HP/UX from the Scriptors of Doom.
hpjetadmin.txt hpjetadmin can be tricked giving away root by a writeable .rhosts
file.
irix-buffer.txt IRIX buffer overruns for df, eject, /sbin/pset, /usr/bsd/ordist,
and xlock.
irix-xterm.c This will overwrite a buffer in xterm on IRIX systems, giving a
root shell.
irix-iwsh.c This will overwrite a buffer in /usr/sbin/iwsh on IRIX 5.3, giving
root access.
irix-printers.c This will overwrite a buffer in /usr/sbin/printers on IRIX
systems giving root.
flash.c Messes up another user's terminal by issuing a talk request with vt100
escape chars.
modstat.c This program will overrun a buffer in /usr/bin/modstat on FreeBSD
systems.
pine_exploit.sh This script is an exploit for pine. It can be used to create
.rhosts files.
view_source.txt On some httpd distributions, you can use cgi-bin/view-source to
read arbitray files.
sendmail-ex.sh This is an exploit script for sendmail 8.7-8.8.2 for FreeBSD and
Linux. Gives root.
smh.c smh.c is an exploit for sendmail 8.6.9. It gives a bin owned setuid shell.
rlogin_exploit.c This overwrites a buffer in gethostbyame() on Solaris 2.5.1,
giving a root shell.
octopus.c A denial of service attack by opening tons of socket connections to a
remote host.
expect_bug.txt Expect does not make handles to pseudo tty's inaccessable to
other processes.
html.txt Shows interesting links to put in your HTML pages causing denial of
service.
autoreply.txt autoreply(1) can be used to create root owned files with a mode of
666.
bdexp.c On older versions of Linux, this will overwrite a buffer in suid bdash,
giving root.
irix-csetup.txt Get root on IRIX via /usr/Cadmin/bin/csetup in conjunction with
/usr/sbin/sgihelp.
solsocket.txt On Solaris-x86 2.5, any normal user can connect to unix domain
sockets.
lemon25.c Exploit for Solaris 2.5.(1) that overwrites a buffer in passwd, giving
root access.
reflscan.c Another TCP port scanner that escapes logging by using half open
connections.
yp.txt On YP systems, when a password expires, the old password is not required.
bsd_core.txt On BSDi 3.x, users arbitrarly write files with binary data, but not
overwrite them.
ffbconfig-ex.c This program overwrites a buffer in /usr/sbin/ffbconfig on
Solaris 2.5.1 giving root.
FreeBSD-ppp.c This will overwrite a buffer in pppd on FreeBSD systems, giving a
root shell.
sol-license.txt On Solaris 2.4, if the license manager is running, root can be
obtained.
lin-pkgtool.txt This file explains how to get root on Linux system with the
pkgtool program.
startmidi.txt On IRIX systems, startmidi can be exploited to obtain root
privileges.
linux_rcp.txt On Linux, if you have access to uid 65535 (nobody), then root can
be obtained.
doomsnd.txt This will get root on Linux systems by exploiting the doom
sndserver.
solaris_ps.txt This will exploit /usr/bin/ps and /usr/ucb/ps on Solaris systems,
giving root access.
dec_osf1.sh This script exploits /usr/sbin/dop on DEC unix 4.0, 4.0A, and 4.0B,
giving a root shell.
tcp_wrapper.tgz Version 7.5 (the latest) of the tcp/ip wrapper for inetd. (Does
logging and monitoring).
rpcbind_1.1.tgz This is an rpcbind replacement that includes tcp wrapper style
access control.
breaksk.txt Netscape's server key format is susceptible to dictionary attacks.
IP-spoof.txt Examples and text on the art of IP spoofing. (For Linux 1.3.x
kernels).
irix-dataman.txt This file show how to exploit dataman on irix system to obtain
root access.
irix-fsdump.txt This is an exploit for /var/rfindd/fsdump that gives root on
irix systems.