Section: .. / groups / shadowpenguin / windows-exploits /
| /// File Name: |
ex_winproxy.c |
Description:
|
Shadow Penguin Security Advsory #37 - WinProxy 2.0.0/2.0.1 (now known as Black Jumbo dog) contains many remotely exploitable buffer overflows. Exploit for the POP3 service included, tested on Japanese Windows98.
| | Author: | UNYUN | | Homepage: | http://shadowpenguin.backsection.net | | File Size: | 8392 | | Last Modified: | Nov 14 22:47:25 2000 |
| MD5 Checksum: | 198c837d86b4acc67f7042d7d8ed65f9 |
|
| /// File Name: |
ex_zommail.c |
Description:
|
We found the overflow bug of ZOM-MAIL 1.09. It overflows when that receives the long attachment file name. If ZOM-MAIL 1.09 recives the e-mail which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This program can send the e-mail to any e-mail address, which is contained an exploit code that removes a "c:\windows\test.txt" file on the host.
| | File Size: | 4321 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | b822ed6e20a939f6985ecd735ab98cf7 |
|
| /// File Name: |
ex_webbbs.c |
Description:
|
At the initial authorization handling of WebBBS, If the long longin name or password has been received, this CGI overflows. This overflow overwrites the RET address, EIP can be controlled. This overflow is used to execute any instructions which are included in the user name and password.
| | Author: | UNYUN | | Homepage: | http://shadowpenguin.backsection.net | | File Size: | 3857 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 39f137e50459f957f97c268bb91c6bb0 |
|
| /// File Name: |
ex_w4server.c |
Description:
|
Cgitest.exe CGI is distributed with W4-Server2.6a/32-bits has a buffer overflow. Any instructions can be executed on the victim host by using this buffer overflow exploit.
| | Author: | UNYUN | | Homepage: | http://shadowpenguin.backsection.net | | File Size: | 5060 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | b6ac9a29a2b6efd91a2dd9a7ccd261da |
|
| /// File Name: |
ex_vdolive.c |
Description:
|
Unavailable.
| | File Size: | 5107 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | bce11829416919e33e0c0811420694b1 |
|
| /// File Name: |
ex_urllive.txt |
Description:
|
URL Live! 1.0 WebServer for Windows95/98/NT which is released by Pacific Software Publishing, Inc. (http://www.urllive.com/) has a "../" security problem, any users can download any files on the victim host.
| | File Size: | 273 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 650b5d71e6650071a9028cd53b722d75 |
|
| /// File Name: |
ex_tinyftpd.c |
Description:
|
We found the overflow bug of TinyFTPd Ver0.51. It overflows when that receives the long user name. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the TinyFTPd Ver0.51.
| | File Size: | 3324 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 503a50eaf523c1944af65290fded53ab |
|
| /// File Name: |
ex_ssmail.c |
Description:
|
We found the overflow bug of Skyfull Mail Server 1.1.4. It overflows when that receives the long MAIL FROM: in SMTP handling.If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the Skyfull Mail Server 1.1.4.
| | File Size: | 3474 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 8502506c28d3d225385b36a323f29376 |
|
| /// File Name: |
ex_servu.c |
Description:
|
The buffer overflow bug is also in Serv-U Versuin 2.5 ftp daemon. In this case, the buffer overflow is cased if the daemon recives the long "cwd" message, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the Serv-U Versuin 2.5. This exploit is coded for Windows98, but if you change some parameters written in the sample exploit program, it will may works on Windows95 and WindowsNT.
| | File Size: | 4136 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 72facf15fe83d5d0640ff44891043b28 |
|
| /// File Name: |
ex_pms.c |
Description:
|
We found the overflow bug of Personal Mail Server 3.072-3.09. It overflows when that receives the long MAIL FROM: in SMTP handling. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the Personal Mail Server 3.072-3.09
| | File Size: | 3388 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | fa5e4b5e885182d96839287f68c08942 |
|
| /// File Name: |
ex_pms-tr.c |
Description:
|
This is another personal mail server remote exploit. I also publish the exploit program that can send a trojan program which is prepared in the attacker host. Of course, it can be executed remotely. If the trojan program is sent, the victim machine will be controlled remotely.
| | File Size: | 6681 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 5a7a80b985fcb7d75f37d8728e5efca1 |
|
| /// File Name: |
ex_nextftp.c |
Description:
|
We found the overflow bug of NextFTP Ver1.82. It overflows when that receives the long message of CWD reply. This exploit code execute any command on the target windows, but, if you modify the exploit code, you can send any codes such as the format or remove program, virus, trojan, and so on.
| | File Size: | 8809 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | db519da823a966c611543097194f6ba9 |
|
| /// File Name: |
ex_netsrv.c |
Description:
|
We found the overflow bug of NetcPlus SmartServer3. It overflows when that receives the long MAIL FROM: in SMTP handling. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the NetcPlus SmartServer3. T
| | File Size: | 3317 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 3f7081e0719ded1a9b93b4fc3be98dc0 |
|
| /// File Name: |
ex_midiplug.c |
Description:
|
Midi-Plugin program "YAMAHA MidiPlug 1.10b" for Windows IE4/5 contains the buffer overflow bug. If the long "TEXT" variable is specified in EMBED tag, the buffer overflow occurs. If attacker sets the exploit on the webpage, visitor's host will be cracked by the any instructions written in the "TEXT" variable.
| | File Size: | 2873 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 4e23d1169262502ad9b3b4bf27d33914 |
|
| /// File Name: |
ex_irfan.c |
Description:
|
The popular Image viewer "Irfan View32" contains the buffer overflow problem, this problem exists in the handling of Adobe Photoshop image file. This code generates the jpg file which contains the exploit code that generates "exp.com" in "c:\" and executes it. "exp.com" is a simple demo program, there is no danger.
| | File Size: | 3790 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 21678e1095ed9bf229ab8c6803678bfc |
|
| /// File Name: |
ex_imagemap.c |
Description:
|
Imagemap CGI which is written by C language is distributed with OmniHTTPd Pro2.04(shareware) and Ver1.01 (freeware), it has a security hole by the buffer overflow. Any instructions can be executed on the victim host by using this buffer overflow bug.
| | File Size: | 4137 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | b85e476f7a4a74c9fae25a19f31a3f46 |
|
| /// File Name: |
ex_ie5.c |
Description:
|
This is overflow exploit for IE5.
| | File Size: | 1804 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 6ac8ac08d5a0b80ab44588d211625499 |
|
| /// File Name: |
ex_ie4.c |
Description:
|
Microsoft Internet Explorer 4/5 overflows when the handling of "file://" specification. We coded the following sample codes. This codes generates the HTML file that reboots the client PC if the visitor uses IE4 for Windows98.
| | File Size: | 2407 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 706d99f197cfd8f922486be4a951d4e1 |
|
| /// File Name: |
ex_hpprint.c |
Description:
|
We found the overflow bug of IBM HomePagePrint 1.0.7. If the visitors "print" or "preview" the web page which contains the long IMG SRC tags, the buffer overflow occurs. If this application reads the IMG SRC tag which is contained the exploit code, the host will be cracked. This sample generates a HTML file which is contained the exploit code that executes any command on the users' host.
| | File Size: | 2751 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 2a77280e95e84112cb74a84234c723a8 |
|
| /// File Name: |
ex_fuse.c |
Description:
|
We found the overflow bug of FuseMail 2.7. It overflows when that receives the long USER or PASS in POP3 handling. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the CMail FuseMail 2.7.
| | File Size: | 3001 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 84fd9aa0fb63734015ecee0164137530 |
|
| /// File Name: |
ex_emc.c |
Description:
|
Buffer overflow in E-MailClub Ver1.0.0.5. It overflows when that receives the long From: in POP3 handling. If the host recives the mail which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example generates the e-mail which contains the exploit code that reboot the target host. This exploit is coded for Windows98 Japanese edition, but if you change some parameters written in the sample exploit program, it will may works on Windows95 and WindowsNT.
| | Author: | UNYUN | | Homepage: | http://shadowpenguin.backsection.net | | File Size: | 1748 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | f1fa3e703ec2bd44f3d36fa744003039 |
|
| /// File Name: |
ex_cmail.c |
Description:
|
We found the overflow bug of CMail Server 2.3 SP2. It overflows when that receives the long MAIL FROM: in SMTP handling. If the host recives the packet which contains the exploit code, the host has been cracked by any instructions which are coded in the exploit code. This example sends the exploit code that executes any command on the host which is running the CMail Server 2.3 SP2.
| | File Size: | 3348 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 4639d4625068233955e1ce9df9281ac7 |
|
| /// File Name: |
ex_chocoa.c |
Description:
|
We found the overflow bug of CHOCOA 1.0beta7R. It overflows when that receives the long TOPIC. If the server send the long TOPIC that contains the exploit code, client executes any code. This exploit code execute any command on the target windows.
| | File Size: | 4096 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | 6d894b1c72bd7f83bb486b38132a9c97 |
|
| /// File Name: |
ex_anhttpd.txt |
Description:
|
The test CGIs which are distributed with AN-HTTPd 1.20b contain the remote command execution problem.
| | File Size: | 747 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | ee1ef9dca35316c2d83174c399085960 |
|
| /// File Name: |
ex_almail.c |
Description:
|
We found the overflow bug of AL-Mail32 Ver1.10. It overflows when that receives the long message of From: or Reply-To:. If the POP3 server send the long reply message that contains the exploit code, client executes any code. This exploit code execute any command on the target windows.
| | File Size: | 2503 | | Last Modified: | Nov 5 23:24:09 1999 |
| MD5 Checksum: | bbb93b32d0fbcc24ab0bd8704e8d3ed6 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
