| File Name |
Brief Description |
| 1.ntpptp.c |
NT 4.0 SP3 PPTP denial of service attack exploit. |
| 2.ntpwgrabber.txt |
A false DLL can be stored in the system32 directory under Windows NT
which collects passwords in plain text. |
| 3.libcrypt.tgz |
The libcrypt.so, _RDL_ROOT telnetd env var root exploit for IRIX
systems. |
|
| 4.imapd_scan.sh |
This script will scan (and exploit) an entire subnet for imap2
vulnerabilities. |
|
| 5.qmail_dos.c |
Runs a qmail system out of memory by feeding an infinite amount of
recipients. |
|
| 6.ping_bug.txt |
Users of pine can overwrite any file in their home directory despite
permissions. |
|
| 7.latierra.c |
An enhanced version of land.c which works better against NT SP3 among
other things. |
| 8.rip.c |
RIP (Routing Information Protocol) Version 1 Spoofer |
| 9.imaps.tar.gz |
Several different versions of the remote imapd buffer overflow exploit. |
|
| 10.automount.c |
The automountd exploit for SunOS 5.5.1 lets you issue remote commands. |
|
| 11.xfree86.txt |
Using XFree86, ordinary users can read any file with root permissions. |
|
| 12.lownoise.txt |
Exploit for Digital Unix v4.0 that lets you create a writeable /.rhosts
file. |
|
| 13.land.c |
Crashes Windows by sending a spoofed packet to a host on an open
port, with the source set to the same host and port. |
|
| 14.teardrop.c |
Exploits the overlapping IP fragment bug present in all Linux kernels
and NT 4.0 / Windows 95 (others?) |
|
| 15.pentium_bug.c |
Denial of service attack for the Intel Pentium CPU for any operating
system. |
|
| 16.linux_perl.txt |
It is still possible to overwrite a buffer and get root on Linux via sperl
5.003. |
|
| 17.lizards.txt |
Explains how to get root on Slackware 3.4 from the suid lizards game. |
|
| 18.evil-term.c |
This is the remote buffer overflow termcap exploit for BSDI BSD/OS 2.1. |
|
| 19.dgux_xterm.txt |
On Digital Unix 4.0B, causing xterm to core can overwrite arbitrary
files. |
|
| 20.php_exploit.c |
mlog.html and mylog.html w/ PHP dist. can be used to read arbitrary
files. |
|
| 21.wwwcount.c |
Exploits Count.cgi, allowing remote execution of arbitrary commands. |
|
| 22.ciscocrack.c |
This contains script and source for decrypting cisco encrypted
passwords. |
|
| 23.wm_exploit.c |
Overwrites a buffer in 'wm' from Ideafix package for Linux, giving root. |
|
| 24.brute_ssl.c |
This program will brute force its way into secure and non-secure
webservers. |
|
| 25.sr-crash.c |
Source routing exploit for Linux v1.0.x-v1.3.x that causes the kernel to
panic. |
|
| 26.aix_ping.c |
Overwrites a buffer in gethostbyname(), giving root access. |
|
| 27.aix_lchangelv.c |
Another buffer overrun that gives root on AIX 4.x machines. |
|
| 28.aix_xlock.c |
This will overwrite a buffer in /usr/bin/X11/xlock giving root. |
|
| 29.web_sniff.c |
A Linux sniffer that is designed to retrieve web usernames and
passwords. |
|
| 30.arp_fun.txt |
ICMP and arp can be used to deny service and spoof other hosts on the
LAN. |
|
| 31.xf86_ports.txt |
A normal user can run X on a reserved port thus blocking legitimate
daemons. |
|
| 32.hostscan.cmd |
OS/2 Rexx script that scans hosts by IP addresses |
| 33.solaris_telnet.c |
A program designed to attack a Solaris 2.5 box, making it totally
unresponsive. |
|
| 34.identd_attack.txt |
A massive amount of authorization requests can render a system unusable. |
|
| 35.secure_shell.txt |
Using SSH, a non-root user can open privileged ports and redirect them. |
|
| 36.sshd_redirect.txt |
Any normal user can redirect privileged ports using secure shell daemon. |
|
| 37.medax_linux.tgz |
A TCP sequence number predictor that also lets you execute commands. |
|
| 38.samba_exploit.txt |
Local and remote exploit for samba that sends an xterm back to your
display. |
|
| 39.bsd_procfs.c |
In /proc under FreeBSD 2.2.1, you can modify a setuid executable's
memory. |
|
| 40.zgv_exploit.c |
This will overwrite a buffer in /usr/bin/zgv on Redhat Linux systems,
giving root. |
|
| 41.heroin.c |
This sample source illustrates the dangers of Linux modules in the
kernel. |
|
| 42.sgi_html.txt |
It is possible to execute remote commands on IRIX 6.3 and 6.4 via /usr/sysadm. |
|
| 43.ipd_probe.txt |
The Internet Probe Droid can scan massive amounts of hosts very quickly. |
|
| 44.smurf.c |
Spoofs ICMP packets resulting in multiple replies to a host from a
single packet. |
|
| 45.in.comstat.txt |
If a user has biff y on, in.comstat can be used to increase the system
load. |
|
| 46.bind_nuke.txt |
Bind8.1.(1) can't update the same RR more than once in the same DNS
packet. |
|
| 47.chkexploit_1.13.tgz |
A shell script for Linux that checks for some publicly available
exploits. |
|
| 48.syslog_deluxe.c |
Lets you write spoofed and arbitrary messages to another machine's
syslogd. |
|
| 49.dgux_fingerd.txt |
The fingerd that ships w/ dgux allows remote execution of arbitrary
commands. |
|
| 50.smb_mount.c |
This overwrites a buffer on Linux systems in smbmount from smbfs-2.0.1. |
|
| 51.nmap.1.25.tar.gz |
nmap is a utility for port scanning large networks and currently runs on
Linux. |
|
| 52.innd_exploit.c |
Overwrites a buffer in innd on Linux x86 systems thus giving a remote
shell. |
|
| 53.smlogic.c |
This is a fully functional logic bomb designed to render Linux systems
unusable. |
|
| 54.intruderf.c |
A trojan for Linux systems that mails you users' names and passwords. |
|
| 55.ld.so.c |
Overwrites a buffer via LD_PRELOAD env. variable, giving root on Linux. |
|
| 56.sol_syslog.txt |
If Solaris syslogd gets a message and it can't resolve the sender's IP,
it dies. |
|
| 57.promisc.c |
This program will scan your network devices to detect running sniffers. |
|
| 58.solaris_ping.txt |
On Solaris 2.x systems, any user can crash or reboot the system using
ping. |
|
| 59.seyon_exploit.sh |
Exploit for seyon, giving you the euid or egid of whatever seyon is suid
to. |
|
| 60.aixdtaction.c |
Overwrites a buffer in /usr/dt/bin/dtaction giving root access. |
|
| 61.datapipe.c |
Makes a pipe between a listen port on localhost and a port on a remote
machine. |
|
| 62.sping.tar.gz |
Linux binary and source of 'sping' which causes Win95 machines to crash. |
|
| 63.linux_httpd.c |
Overwrites a buffer in NCSA httpd v1.3 on Linux systems, giving a remote
shell. |
|
| 64.sgi_cgihandler.txt |
On IRIX systems, /cgi-bin/handler can be used to issue arbitrary
commands. |
|
| 65.wuftpd_umask.txt |
The umask for wuftpd 2.4.2-b13 is 002 making files group writeable by
anyone. |
|
| 66.majordomo.txt |
Local and remote users can execute arbitrary commands from majordomo. |
|
| 67.glimpse_http.txt |
Glimpse HTTP (Interface to Glimpse Search Tool) can issue remote
commands. |
|
| 68.pandora.tgz |
This is the Unix version of the Netware version 4.x NDS cracking
utility. |
|
| 69.telnet_core.txt |
On Linux systems, it is possible to get part of the shadow file w/
cores. |
|
| 70.fake_ps.txt |
Checks for 'ps' trojans by running 'ps' and checking results against
/proc. |
|
| 71.hpux-cue.txt |
On HP 10.20, users can truncate arbitrary files using the setuid cue
program. |
|
| 72.rpc.mountd_bug.txt |
One can see what files a machine contains by looking at rpc.mountd
responses. |
|
| 73.ircd_kill.c |
Overwrites a buffer in ircII daemons, causing a segmentation fault in
the server. |
|
| 74.lpboost.c |
A simple program demonstrating problems with PLP/LPRng user
authentication. |
|
| 75.imapd_4.1b.txt |
It's possible to crash imapd, thus leaving shadow and password files in
core file. |
|
| 76.sneakin.tgz |
A way to 'reverse telnet' from a box behind a firewall that allows ICMP
packets. |
|
| 77.qmail.tar.gz |
This is a replacement sendmail-binmail system providing security and
efficiency. |
|
| 78.h_rpcinfo.tar.gz |
Allows you to sneak past port filters on port 111 and get dumps of RPC
services. |
|
| 79.synlog-0.4.tar.gz |
Synlog monitors half open TCP connections such as synfloods or synscans. |
|
| 80.net_rpm.txt |
Redhat Package Manager (rpm) can be used to overwrite arbitrary files. |
|
| 90.wrapper-v2.tgz |
This is a generic wrapper to prevent the exploitation of suid/sgid
programs. |
|
| 91.solaris_ifreq.c |
On Solaris, users can do control requests on a root created socket
descriptor. |
|
| 92.longpath.sh |
Script that implements a long path attack causing various problems on
Linux. |
|
| 93.logarp.tar.gz |
Useful for seeing if users on your subnet are "stealing" IP
addresses. |
|
| 94.aix_dtterm.c |
This will overwrite a buffer in /usr/dt/bin/dtterm, giving root. |
|
| 95.campus_cgi_hole |
Describes a hole in campus cgi which allows execution of remote
commands. |
|
| 96.listhosts.c |
A host resolving program based on nslookup and other pieces of named
tools. |
|
| 97.irix-wrapper.c |
Wraps programs on IRIX to prevent command line argument buffer overruns. |
|
| 98.irix-df.c |
This will overwrite a buffer in /bin/df on IRIX systems, thus giving a
root shell. |
|
| 99.irix-dp.c |
Overwrites a buffer in /usr/lib/desktop/permissions, giving egid of sys
on IRIX. |
|
| 100.irix-login.c |
This will overwrite a buffer in /bin/login on IRIX systems, giving root. |
|
| 101.irix-xlock.c |
This will give root by overwriting a buffer in /usr/bin/X11/xlock on
IRIX. |
|
| 102.synsniff.tar.gz |
Script in perl which watches for inbound connections (SYN's) and logs
them. |
|
| 103.SunOS_crash.txt |
Reading /dev/tcx0 on a SunOS 4.1.4 Sparc 20 causes a system panic. |
|
| 104.imapd_exploit.c |
Get remote root access on Redhat systems by overwriting a buffer in
imapd. |
|
| 105.xlock.c |
On Linux systems, this will overwrite a buffer in setuid xlock, giving
root access. |
|
| 106.phobia.tgz |
This utility does a scan of an internet host looking for various
vulnerabilities. |
|
| 107.elm_exploit.c |
Overwrites a buffer in Elm and Elm-ME+ on Linux via TERM environ.
variable. |
|
| 108.daynotify.sh |
This script will exploit a bug in SGI's Registration Software under IRIX
6.2. |
|
| 109.brute_web.c |
This program will brute force its way into a web server giving a user
and passwd. |
|
| 110.tcpdump.tar.Z |
Tool for network monitoring and data acquisition (needs library packet
capture). |
|
| 111.winnuke.c |
Sends Out of Band Data to a Win95/NT computer causing panics and
reboots. |
|
| 112.sperl.tgz |
Overwrites a buffer in the sperl5.001 and sperl5.003, thus giving root
access. |
|
| 113.dip-prob.txt |
Dip will allow an ordinary user to gain control of arbitrary devices in
/dev. |
|
| 114.nlspath.txt |
Exploits for ping, minicom, su and others on Linux via NLSPATH env.
variable. |
|
| 115.solaris_lp.sh |
Script for Solaris that breaks lp, then use lp priv to break root (or
bin, etc...). |
|
| 116.AIX_mount.c |
Overwrites a buffer in /usr/sbin/mount on AIX 4.x systems. |
|
| 117.vold_prob.txt |
It is possible to corrupt CDROM management on Solaris by changing block
size. |
|
| 118.fdformat-ex.c |
This will overwrite a buffer in /usr/bin/fdformat on Solaris 2.x systems
giving root. |
|
| 119.sunos-ovf.tar.gz |
This program is designed to test buffer overflows on SunOS 4.1.x boxes. |
|
| 120.cxterm.c |
Overwrites a buffer in Chinese xterm Linux systems, thus giving root
access. |
|
| 121.color_xterm.c |
This will overwrite a buffer in /usr/X11/bin/color_xterm, giving root on
Linux. |
|
| 122.pepsi.c |
This program is a random source host UDP flooder that compiles under
Linux. |
|
| 123.tlnthide.c |
Allocates a port and sets up a telnet gateway making it difficult to
trace telnets. |
|
| 124.jping.tar.gz |
This is another simple ICMP flooding program that compiles under Linux. |
|
| 125.LPRng.tgz |
A light weight printing system especially designed with security in
mind. |
|
| 126.jolt.c |
Sends oversized fragmented packets to Win95 boxes causing them to lock
up. |
|
| 127.utclean.c |
This will remove your presence from wtmp, wtmpx, utmp, utmpx, and
lastlog. |
|
| 128.eject.c |
Overwrites a buffer on Solaris 2.x systems in /usr/bin/eject, giving a
root shell. |
|
| 129.puke.c |
Spoofs an ICMP unreachable error to a target, causing connection drops. |
|
| 130.webs099.tgz |
A minimalist web server designed primarily for security and handles
redirects. |
|
| 131.talkd.txt |
This explains how to get root remotely by overwriting a buffer in
in.talkd. |
|
| 132.pingmod.tar.gz |
A very flexible pinging program that is able to fake ICMP packets and
more. |
|
| 133.rbone.tar.gz |
Another IP spoofer type program that guesses TCP sequence numbers. |
|
| 134.bsd_cxterm.c |
This will overwrite a buffer in xterm_color on BSD systems, giving root. |
|
| 135.udpstorm.tgz |
This is an implementation of the udpstorm attack. Works with Linux. |
|
| 136.jakal.c |
Portscanner that avoids logging by not completing the 3-way TCP
handshake. |
|
| 137.lin_probe.c |
This overwrites a buffer in /usr/X11/bin/SuperProbe on Linux, thus
giving root. |
|
| 138.AIX_host.c |
Overwrites a buffer in gethostbyname() giving a root shell. |
|
| 139.sgi_systour.txt |
Exploit for /usr/lib/tour/bin/RemoveSystemTour on IRIX 5.3 & 6.2
that gives root. |
|
| 140.connect.c |
Crashes AIX 4.1.4, AIX 4.1.5, HP-UX 10.01, and HP-UX 9.05. |
|
| 141.sol2.5_nis.txt |
This shows how to exploit /usr/lib/nis/nispopulate on Solaris 2.5
systems. |
|
| 142.xdm_bugs.txt |
Shows how to deny service from xdm. It also doesn't close file handles
correctly. |
|
| 143.crack-2a.tgz |
Unix Password Cracker 2.0(a) by Scooter Corp. (Comes with crack
dictionary). |
|
| 144.lilo-exploit.txt |
Get root on the latest versions of Linux (at the console) using
LD_PRELOAD. |
|
| 145.rsucker.pl |
Perl script that acts as a fake r* daemon and logs usernames sent from
clients. |
|
| 146.synk4.c |
An improved Syn Flooder that also supports a random IP spoofing mode. |
|
| 147.portmap_5b.tar.gz |
Portmapper that supports access control in the style of the tcp wrapper
package. |
|
| 148.irix-login.txt |
On Irix systems /var/adm/badlogin has failed logins and passwords in
clear text. |
|
| 149.iebugs.tar.gz |
Microsoft Internet Explorer bugs one through six in text and html
format. |
|
| 150.arnudp.c |
Shows how to send single UDP packets from an arbitrary source/destination. |
|
| 151.sun-reboot.txt |
By typing: perl -e 'print "\e[1J"' you can reboot a sun ultra
sparc at the console. |
|
| 152.cgiwrap-3.22.tgz |
This is a gateway that allows a more secure user access to CGI programs. |
|
| 153.fastcracker.tgz |
This program is designed to quickly crack DES encrypted passwords. |
|
| 154.pma.tar.gz |
Poor Man's Access - A daemon that lets you issue shell commands
remotely. |
|
| 155.lpr_bugs.txt |
It is possible to create, read, and delete any file on the system using
lpr/lpd. |
|
| 156.vsr.tar.gz |
A loadable module for SunOS systems that creates a virtual IP interface. |
|
| 157.makedir.txt |
Programs to create thousands of directories and to delete these
directories. |
|
| 158.tcpprobe.c |
This is a tcp portscanner that shows accepted connections on a remote
host. |
|
| 159.locktcp.c |
This program will freeze Solaris/x86 2.5.1 systems, causing denial of
service. |
|
| 160.irix-wrap.txt |
This shows how to get a listing of directories (755) from cgi-bin/wrap
on Irix 6.2. |
|
| 161.block.c |
Stops users from logging in by monitoring utmp and closing down users'
tty ports. |
|
| 162.tin_problem.txt |
rtin/tin creates /tmp/.tin_log w/ mode of 0666 in /tmp and follows
symbolic links. |
|
| 163.sun_patch.sh |
If you have a sun SPARC, this script will stop all forms of buffer
overrun attacks. |
|
| 164.riputils.tgz |
This is a set of routing internet protocol utilities designed for Linux
systems. |
|
| 165.ipbomb.c |
This will attack a target host by sending various sizes and numbers of
IP packets. |
|
| 166.test-cgi.txt |
Using the CGI program test-cgi, you can inventory files on remote
systems. |
|
| 167.lquerypv.txt |
On AIX systems you can read any file (in hex) on the system with
lquerypv. |
|
| 168.cops_104.tar.gz |
(Computer Oracle & Password System) checks for Unix
misconfigurations. |
|
| 169.Crack v5.0 |
Got access to password or shadow file? Shows what other users' passwords
are. |
|
| 170.Crack Dictionary |
This is a general 50,000 word dictionary for use with Crack or other
programs. |
|
| 171.Esniff.c |
This is the source code for a basic Ethernet sniffer. (Straight out of
Phrack.) |
|
| 172.fakerwall.c |
Lets you send an rwall message from an arbitrary host of your choice. |
|
| 173.fping |
Like UNIX ping(1), but allows efficient pinging of a large list of
hosts. |
|
| 174.simping.c |
Simulates the "ping -l 65510 victim.host" from Win95 - also
compiles on Linux. |
|
| 175.bind.txt |
This describes a potential denial of service problem with BIND-4.9.5-P1. |
|
| 176.pong.c |
Attacks an arbitrary host by sending a flood of spoofed ICMP packets. |
|
| 178.jizz.c |
A DNS spoofer that exploits the cache vulnerability in most BIND
daemons. |
|
| 179.any-erect.c |
Another DNS spoofing type program much like jizz.c. Compiles on Linux. |
|
| 180.hide.c |
Exploits a world-writeable /etc/utmp and allows the user to modify it
interactively. |
|
| 181.hsh002.c |
This is a neat little shell for experimentation with lots of interesting
features. |
|
| 182.netpipes4.0.tgz |
A package (that comes w/ Linux) to manipulate BSD TCP/IP stream sockets. |
|
| 183.nfswatch4.1.tar.Z |
This lets you monitor NFS requests to any given machine or the entire
network. |
|
| 184.nfstrace.tgz |
This nfstrace package lets you perform NFS tracing by network
monitoring. |
|
| 185.wuftpd-owrite.sh |
Exploit for wu-ftpd to create or overwrite a file anywhere on the
filesystem. |
|
| 186.wuftpd-sdump.sh |
Exploit a bug in wu-ftpd to assemble and view the shadow password file. |
|
| 187.shadowyank.c |
Reconstructs the shadow entries from a core file from ftp daemon
segmenting. |
|
| 188.ICMPinfo V1.10 |
ICMPinfo is a tool for looking at ICMP messages received on the running
host. |
|
| 189.ident-scan.c |
TCP scanner that gets the username of the daemon running on the
specified port. |
|
| 190.ascend.txt |
Program for Linux designed to attack Ascend routers with zero length tcp
offsets. |
|
| 191.gzip.txt |
While a file is being compressed with gzip it is world readable to all
users. |
|
| 192.iss13.tar.gz |
The Internet Security Scanner scans subnets and collects info. about
hosts. |
|
| 193.libc.so.5 |
A hacked libc.so.5 for Linux that spawns a shell when a call is made to
crypt(). |
|
| 194.sdtcm_convert.txt |
Explains how to exploit sdtcm_convert on Solaris boxes to get root
access. |
|
| 195.mnt.tar.gz |
Exploits a bug in HP-UX 9 rpc.mountd program and gives you NFS file
handles. |
|
| 196.netcat (V1.10) |
Like Unix cat(1) but this one talks network packets (TCP or UDP). |
|
| 197.NFS Shell |
This should be very useful if you have located an insecure NFS server. |
|
| 198.pmcrash.c |
This allows you to crash ANY Livingston PortMaster by overflowing
buffers. |
|
| 199.pop3.c |
Attempts multiple username/password guesses on machines running POP3. |
|
| 200.psrace.c |
Exploits a race condition in Solaris, thus allowing you to make a root
shell. |
|
| 201.Root Kit |
Programs like ps, ls, & du that are modified to hide certain files
& processes. |
|
| 202.rpc_chk.sh |
Script to get a list of running hosts from a DNS nameserver for a given
domain. |
|
| 203.seq_number.c |
This is a program that exploits the TCP Sequence Number Generator bug. |
|
| 204.asppp.txt |
On Solaris 2.5x86, /tmp/.asppp.fifo can make a world writeable .rhosts
file. |
|
| 205.kcms.txt |
Get root on Solaris 2.5 by exploiting /usr/openwin/bin/kcms_calibrate. |
|
| 206.remove.c |
A universal utmp, wtmp, and lastlog editor that also compiles under AIX
& SCO. |
|
| 207.kmemthief.c |
If /dev/kmem is writeable by normal users, then this program will get
you root. |
|
| 208.slammer |
Slammer lets you issue arbitrary commands on hosts by exploiting yp
daemons. |
|
| 209.socket_demon13.zip |
Daemon that sits on a specified IP port and provides passworded shell
access. |
|
| 210.Solaris Sniffer |
This is a version of ESniff.c that has been modified for Solaris 2.X. |
|
| 211.xpusher.c |
This is a neat way to send keyboard events to another user's X window. |
|
| 212.xsnoop.c |
This program allows you to spy on another user's keyboard events like
xkey.c |
|
| 213.Strobe (V1.03) |
Scans TCP ports on a target host and reveals which daemons are running. |
|
| 214.Tiger (V2.2.3) |
Tiger attempts to exploit known bugs, holes, and misconfigurations to
attain root. |
|
| 215.lquerylv.c |
Overwrites a buffer in /usr/sbin/lquerylv on AIX systems, thus giving a
root shell. |
|
| 216.Traceroute |
Traceroute is an indispensable tool for troubleshooting and mapping your
network. |
|
| 217.open_bug.txt |
On {Free,Open,Net}BSD, open() returns a file descriptor to protected
devices. |
|
| 218.udpscan.c |
Identifies open UDP ports by sending bogus UDP packets and waiting for
responses. |
|
| 219.portd.c |
A daemon that listens on a port and provides passworded shell access. |
|
| 220.pingexploit.c |
This lets you send oversized ICMP packets from a unix box just like
Win95. |
|
| 221.checksyslog.tgz |
Analyze your system logs for security problems while ignoring normal
behavior. |
|
| 222.dosemu.txt |
On Debian v1.1, /usr/sbin/dos can be used to read any file on the
system. |
|
| 223.yaping.0.1.tgz |
Yet another ping for Linux. Packets of size > 65535 octets are
supported. |
|
| 224.xcrowbar.c |
Source code that gets you a pointer to an X Display even after an xhost
- |
|
| 225.xkey.c |
Attach to any X server you have permission to and watch the user's
keyboard. |
|
| 226.xwatchwin.tar.gz |
If you got access to another's X server, this shows the window on your
X-server. |
|
| 227.messages.sh |
Parses through /var/adm/messages to see if user typed password at login
prompt. |
|
| 228.FreeBSDmail.txt |
This exploit will overwrite a buffer on sendmail 8.6.12 running on
FreeBSD 2.1.0. |
|
| 229.securelib.tar.Z |
Shared library for SunOS 4.1 and later that will help protect your RPC
daemons. |
|
| 230.ypsnarf.c |
This handy little program will get you yp domain names, yp maps, and yp
maplists. |
|
| 231.ypx.tgz |
Guesses NIS domain names and also extracts the maps directly from domains. |
|
| 232.ftp-scan.c |
This program exploits the ftp protocol to let you scan services on
firewalls. |
|
| 233.rdist-ex.c |
Writes past a buffer, straight onto the stack, giving a root shell on
FreeBSD. |
|
| 234.ttywatcher-1.1b.tgz |
ttywatcher lets a user monitor and interact with every tty on the
system. |
|
| 235.splitvt.c |
An older exploit for Linux that overwrites a buffer in /usr/bin/splitvt,
giving root. |
|
| 236.mount-ex.c |
All Linux versions are vulnerable to this buffer overflow attack on suid
mount. |
|
| 237.perl-ex.sh |
perl-ex.sh is a simple little sperl script that gives you a root shell
via suidperl. |
|
| 238.sndmail8.8.4.txt |
This will explain how to exploit sendmail version 8.8.4 to get root
access. |
|
| 239.irix-xhost.txt |
In the default setup on Irix, xhost is set to global access for console
logins. |
|
| aix_bugfiler.txt |
On AIX 3.x, /lib/bugfiler can be used to circumvent file access
restrictions. |
|
| 241.mod_ldt.c |
Gives access to all of Linux's linear memory to user processes at will. |
|
| 242.dipExploit.c |
Linux dip Exploit. Overwrite a buffer in do_chatkey(), thus giving you a
root shell. |
|
| 243.rexecscan.txt |
The rexecd can be used easily to scan the client host from the server
host. |
|
| 244.rpcs.01b.tar.gz |
This is a program that is designed to scan subnets for rpc services. |
|
| 245.rxvtExploit.txt |
Exploits a popen() call issued by rxvt on Linux machines, thus giving a
root shell. |
|
| 246.nfsbug.c |
Demonstrates a security problem in unfsd guessing the file handle of the
root FS. |
|
| 247.abuse.txt |
Exploit for Red Hat 2.1 that gives a root shell by exploiting
abuse.console. |
|
| 248.xtermOverflo.c |
A program that overwrites a buffer in libXt.so while xterm is suid to
root. |
|
| 249.resolv+.exp |
Quick and Simple way to read the /etc/shadow file as well as many other
things. |
|
| 250.resizeExp.txt |
Another Red Hat 2.1 exploit for resizecons due to lack of absolute
pathnames. |
|
| 251.qcrack.tar.gz |
qcrack gives increased cracking speeds at the expense of disk space. |
|
| 252.Linux rootkit |
A rootkit designed for Linux systems. Comes with ps, netstat, and login. |
|
| 253.X webcomber |
A cool little tool that lets you search for things (like hacking) on the
web. |
|
| 254.gpm-exploit.txt |
This will get root on Linux systems using /usr/games/doom/killmouse. |
|
| 255.pingflood.c |
This ping floods a host, thus wasting bandwidth and denying service. |
|
| 256.telnetd exploit |
This will create a shared library that gives a root shell remotely or
locally. |
|
| 257.balk.pl |
This is a perl script that will mess up another user's tty using talk/ntalk. |
|
| 258.wallflash.c |
This will mess up another user's tty remotely via remote write all (rwall). |
|
| 259.pop3d exploit |
Read the contents of the mail spool of a user when they connect to
in.popd. |
|
| 260.popper.txt |
Some versions of (q)popper from Qualcomm allow you to read other users'
mail. |
|
| 261.vif.tar.gz |
This code lets you have multiple IP addresses for a single interface. |
|
| 262.amod.tar.gz |
Amodload is a tool which allows the loading of arbitrary code into SunOS
kernels. |
|
| 263.getethers1.6.tgz |
getethers scans all addresses on an Ethernet, producing a hostname/ethernet
list. |
|
| 264.rootkitSunOS.tgz |
Here is another root kit designed for SunOS operating systems. Lots of
cool stuff. |
|
| 265.demonKit-1.0.tar.gz |
A suite of trojan programs opening back doors to root on a Linux system. |
|
| 266.eviltelnetd |
telnet-hacked.tgz is a hacked telnet daemon that gives a root shell w/o
password. |
|
| 267.cfexec.sh |
This lets you issue arbitrary commands as root on GNU cfingerd 1.0.1. |
|
| 268.NFS Problems |
Shows some potential problems with Linux in.nfsd concerning read-only
exports. |
|
| 269.cdromvuln.txt |
If Linux CD is mounted w/ suid flag, old exploits still work on live
filesystem. |
|
| 270.vixie.c |
On Redhat Linux systems this will overwrite a buffer in crontab, thus
giving root. |
|
| 271.linsniffer.c |
A Linux Sniffer that shows you incoming TCP packets on most ports. |
|
| 272.rshd_problem.txt |
You can figure out valid usernames by examining the response from
in.rshd. |
|
| 273.linux_sniffer.c |
Another Linux sniffer much like the one above. Shows more detailed TCP
info. |
|
| 274.sniffit.0.3.5.tar.gz |
A very flexible network sniffer that has many interesting features (like
curses). |
|
| 275.Sol2.4Core.txt |
Solaris 2.4 exploit that lets you overwrite files when a suid prog.
core dumps. |
|
| 276.SolAdmtool.txt |
On Solaris 2.5, the Admintool can be used to create a writeable /.rhosts
file. |
|
| 277.irix-netprint.txt |
On IRIX, /usr/lib/print/netprint calls 'disable' without specifying
absolute path. |
|
| 278.SYNpacket.tgz |
Floods a port with TCP packets w/ SYN bit turned on causing inetd to
segment. |
|
| 279.login_trojan.c |
A login trojan program to be run at the console to get other users'
passwords. |
|
| 280.phf.c |
A quick way to scan for hosts that still have the phf bug which gives
/etc/passwd. |
|
| 281.phfprobe.pl |
This tries to find out as much information about the person calling phf
as possible. |
|
| 282.SYNWatch.tar.gz |
This program watches for TCP packets with the SYN bit turned on. |
|
| 283.pinglogger.tar.gz |
Logs all ICMP packets to a log file so you can see who is ping flooding
you. |
|
| 284.screen.txt |
On BSDi boxes, you can use /usr/contrib/bin/screen to read /etc/master.passwd. |
|
| 285.ftpBounceAttack |
Implementation of the ftp Bounce Attack allowing you to anonymously do
things. |
|
| 286.grabem.c |
A very simple program to get passwords from users logging in on the
console. |
|
| 287.tcpview.c |
Another sniffer type program designed for Sun OS 4.1 architectures using
/dev/nit. |
|
| 288.pcnfsd.c |
Allows local users to chmod arbitrary directories on hosts running
pcnfsd. |
|
| 289.netcraft.tgz |
Contains various (and older) web security issues and exploits from
Netcraft. |
|
| 290.superforker.c |
This is a supercharged version of the classic fork() denial of service
attack. |
|
| 291.tripwire-1.2.tgz |
Creates a signature of binary files, and checks to see if these files
were modified. |
|
| 292.tcpr-1.3.tar.gz |
Set of perl scripts that let you run ftp and telnet commands across a
firewall. |
|
| 293.syslogFogger.c |
This allows you to write to system logging facilities via UDP packets to
port 514. |
|
| 294.ypbreak.c |
Lets you change your username, password, gecos, or shell via yppasswd
daemon. |
|
| 295.hdtraq.c |
This runs as a daemon and purportedly creates bad sectors on a hard
drive. |
|
| 296.finger_attack.txt |
By recursively fingering a host, you can cause a possible crash of
in.fingerd. |
|
| 297.logdaemon.tar.gz |
Version 5.6 of a suite of tcp/ip programs that enhance network system
logging. |
|
| 298.suTrojan.c |
A replacement program for su that mails you when an attempt to su is
made. |
|
| 299.sigurg.c |
This code allows you to kill any process on Linux boxes running older
kernels. |
|
| 300.sushiPing.c |
On Sun OS 4.x, this trojan ping gives you a root shell when you make a
triggerfile. |
|
| 301.webgais.txt |
This will explain how to issue shell commands remotely using /cgi-bin/webgais. |
|
| 302.sushiQuota.c |
Another trojan for Sun 4 machines that is triggered with a triggerfile. |
|
| 303.swap-uid.c |
On Solaris, an I_PUSH call on an open tty followed by lseek() gives euid=0. |
|
| 304.pcs.tgz |
A libpcap based sniffer that supports multiple interfaces as well as
PPP. |
|
| 305.sfingerd-1.8.tgz |
A replacement for the standard unix finger daemon designed for security. |
|
| 306.snifftest.c |
snifftest.c will try to tell you if a sniffer is running on Sun
machines. |
|
| 307.IPInvestigator.tgz |
IPInvestigator is another sniffer that lets you watch traffic between
machines. |
|
| 308.gnmp.tar.gz |
Generic Network Message Passing is a simple client server messaging
system. |
|
| 309.irixmail.sh |
This is an exploit shell script that will give a root shell on IRIX
systems. |
|
| 310.lpr Exploit |
This small program exploits the suid root lpr program giving root. |
|
| 311.Xfree86 Exploit |
There is a problem with XFree86 3.1.2 that lets you overwrite files. |
|
| 312.wipehd.asm |
Assembly Language program that will remove the first 10 sectors of a
hard drive. |
|
| 313.minicom.c |
This is an exploit for minicom on Linux systems that will overwrite a
buffer. |
|
| 314.sam.txt |
On HP-UX, the System Administration Manager (sam) can truncate files. |
|
| 315.DenialofService |
zip file illustrating five simple denial of service attacks on a unix. |
|
| 316.xspy.tar.gz |
xspy is a program that will make users' logins appear on your display. |
|
| 317.scan.sh |
This is a perl script that scans subnets and reports if rexd or ypserv
is running. |
|
| 318.xscan.tar.gz |
scans subnets for unsecured X clients and automatically logs results. |
|
| 319.BSDcron-ex.c |
BSD cron exploit. This program overruns a buffer, giving root access. |
|
| 320.OSF1_dxchpwd |
On OSF1, /usr/tcb/bin/dxchpwd can be used to overwrite any file on the
system. |
|
| 321.bindExploit.txt |
Setting SO_REUSEADDR and calling bind allows user to steal udp packets. |
|
| 322.cloak.c |
This program wipes all traces of a user from a UNIX system. |
|
| 323.convfontExploit.sh |
Script that exploits /usr/bin/convfont on Linux systems to get root
access. |
|
| 324.ipspoof.c |
This program demonstrates how to send arbitrary tcp/ip packets. |
|
| 325.marry.c |
This program is a log editor with lots of interesting features. |
|
| 326.juju.c |
This is an ICMP-router type program that will redirect ICMP packets. |
|
| 327.redirect.c |
This program is a generic ICMP redirect sender for Solaris machines. |
|
| 328.portscan.c |
A Linux port scanner that reports the services running on another host. |
|
| 329.dumpExploit.txt |
On Linux systems /sbin/dump can be used to read arbitrary files. |
|
| 330.fingerd.c |
This program is another finger type daemon trojan program. |
|
| 331.ttysurf.c |
This program listens on ttys and tries to get login and passwords. |
|
| 332.ttystuff.c |
This program lets you input commands into another user's terminal. |
|
| 333.generic_buffer.tgz |
Generic buffer overrun program for Linux, SunOS, and Solaris. |
|
| 334.linux_lpr.c |
This program overwrites a buffer in the suid program lpr, thus giving a
root shell. |
|
| 335.SunOS_user.txt |
On SunOS, chsh and chfn use getenv("USER") to validate userid
of the caller. |
|
| 336.kill_inetd.c |
This program causes denial of service by attacking inetd. Runs on Linux
systems. |
|
| 337.grabBag.tgz |
Tons of old and miscellaneous exploits from different versions of unix. |
|
| 338.wu-ftpd.sh |
This shell script lets you create a file anywhere on the system. |
|
| 339.sol_mailx.txt |
An old security hole in /usr/bin/mailx still exists in the mailx on
Solaris 2.5 |
|
| 340.oracle.txt |
Discusses a denial of service attack against older versions of Oracle
Webserver. |
|
| 350.hp_stuff.tgz |
Lots of exploits for HP/UX from the Scriptors of Doom. |
|
| 360.hpjetadmin.txt |
hpjetadmin can be tricked into giving away root via a writeable .rhosts file. |
|
| 370.irix-buffer.txt |
IRIX buffer overruns for df, eject, /sbin/pset, /usr/bsd/ordist, and
xlock. |
|
| 371.irix-xterm.c |
This will overwrite a buffer in xterm on IRIX systems, giving a root
shell. |
|
| 372.irix-iwsh.c |
This will overwrite a buffer in /usr/sbin/iwsh on IRIX 5.3, giving root
access. |
|
| 373.irix-printers.c |
This will overwrite a buffer in /usr/sbin/printers on IRIX systems
giving root. |
|
| 374.spaceball.txt |
spaceball.sh can be exploited to give a setuid root shell on IRIX 6.2
boxes. |
|
| 375.flash.c |
Messes up users' terminals by issuing a talk request with vt100 escape
chars. |
|
| 376.modstat.c |
This program will overrun a buffer in /usr/bin/modstat on FreeBSD
systems. |
|
| 377.pine_exploit.sh |
This script is an exploit for pine. It can be used to create .rhosts
files. |
|
| 378.view_source.txt |
On some httpd distributions, /cgi-bin/view-source can be used to read
files. |
|
| 379.sendmail-ex.sh |
This is an exploit script for sendmail 8.7-8.8.2 for FreeBSD and Linux.
Gives root. |
|
| 379.smh.c |
smh.c is an exploit for sendmail 8.6.9. It gives a bin owned setuid
shell. |
|
| 380.rlogin_exploit.c |
This overwrites a buffer in gethostbyname() on Solaris 2.5.1, giving a
root shell. |
|
| 381.octopus.c |
A denial of service attack by opening tons of connections to a remote
host. |
|
| 382.expect_bug.txt |
Expect does not make handles to pseudo ttys inaccessible to other
processes. |
|
| 383.html.txt |
Shows interesting links to put in your HTML pages causing denial of
service. |
|
| 384.autoreply.txt |
autoreply(1) can be used to create root owned files with a mode of 666. |
|
| 385.bdexp.c |
On older versions of Linux, this will overwrite a buffer in suid bdash,
giving root. |
|
| 386.irix-csetup.txt |
Get root on IRIX via /usr/Cadmin/bin/csetup in conjunction with /usr/sbin/sgihelp. |
|
| 387.solsocket.txt |
On Solaris-x86 2.5, any normal user can connect to unix domain sockets. |
|
| 388.lemon25.c |
Exploit for Solaris 2.5.(1) that overwrites a buffer in passwd, giving
root access. |
|
| 389.reflscan.c |
Another TCP port scanner that escapes logging by using half open
connections. |
|
| 390.yp.txt |
On YP systems, when a password expires, the old password is not
required. |
|
| 391.bsd_core.txt |
On BSDi 3.x, users can arbitrarily write files with binary data, but not
overwrite them. |
|
| 392.ffbconfig-ex.c |
This program overwrites a buffer in /usr/sbin/ffbconfig on Solaris 2.5.1
giving root. |
|
| 393.FreeBSD-ppp.c |
This will overwrite a buffer in pppd on FreeBSD systems, giving a root
shell. |
|
| 394.sol-license.txt |
On Solaris 2.4, if the license manager is running, root can be obtained. |
|
| 395.sparc_cpu.txt |
Compiling main(){while(1);} with optimizations turned on will hose a
sparc. |
|
| 396.lin-pkgtool.txt |
This file explains how to get root on Linux systems with the pkgtool
program. |
|
| 397.startmidi.txt |
On IRIX systems, startmidi can be exploited to obtain root privileges. |
|
| 398.linux_rcp.txt |
On Linux, if you have access to uid 65535 (nobody), then root can be
obtained. |
|
| 399.doomsnd.txt |
This will get root on Linux systems by exploiting the doom sndserver. |
|
| 400.solaris_ps.txt |
Exploit /usr/bin/ps and /usr/ucb/ps on Solaris systems, giving root
access. |
|
| 401.dec_osf1.sh |
Exploits /usr/sbin/dop on DEC unix 4.0, 4.0A, and 4.0B, giving a root
shell. |
|
| 402.tcp_wrapper.tgz |
Version 7.5 of the tcp/ip wrapper for inetd. (Does logging and
monitoring). |
|
| 403.rpcbind_1.1.tgz |
This is an rpcbind replacement that includes tcp wrapper style access
control. |
|
| 404.breaksk.txt |
Netscape's server key format is susceptible to dictionary attacks. |
|
| 405.IP-spoof.txt |
Examples and text on the art of IP spoofing. (For Linux 1.3.x kernels). |
|
| 406.irix-dataman.txt |
This file shows how to exploit dataman on IRIX systems to obtain root
access. |
|
| 407.irix-fsdump.txt |
This is an exploit for /var/rfindd/fsdump that gives root on IRIX
systems. |
|