File Name |
Brief Description |
1.ntpptp.c |
NT 4.0 SP3 PPTP denial of service attack exploit. |
2.ntpwgrabber.txt |
A false DLL can be stored in the system32 directory under Windows NT
which collects passwords in plain text. |
3.libcrypt.tgz |
The libcrypt.so, _RDL_ROOT telnetd env var root exploit for irix
systems. |
|
4.imapd_scan.sh |
This script will scan (and exploit) an entire subnet for imap2
vulnerabilitles. |
|
5.qmail_dos.c |
Runs a qmail system out of memory by feeding an infinite amount of
recipients. |
|
6.ping_bug.txt |
Users of pine can overwrite any file in their home directory despite
permissions. |
|
7.latierra.c |
An enhanced version of land.c which works better against NT SP3 among
other things. |
8.rip.c |
RIP (Routing Information Protocol) Version 1 Spoofer |
9.imaps.tar.gz |
Serveral different versions of the remote imapd buffer overflow exploit. |
|
10.automount.c |
The automountd exploit for SunOS 5.5.1 let's you issue remote commands. |
|
11.xfree86.txt |
Using XFree86, oridinary users can read any file with root permissions. |
|
12.lownoise.txt |
Exploit for Digital Unix v4.0 that let's you create a writeable /.rhosts
file. |
|
13.land.c |
Crash Windows by sending a spoofed packet from a host on an open
port setting as source the same host and port. |
|
14.teardrop.c |
Exploits the overlapping IP fragment bug present in all Linux kernels
and NT 4.0 / Windows 95 (others?) |
|
15.pentium_bug.c |
Denial of service attack for the Intel Pentium CPU for any operating
system. |
|
16.linux_perl.txt |
It is still possible to overwrite a buffer a get root on Linux via sperl
5.003. |
|
17.lizards.txt |
Explains how to get root on Slakware 3.4 from the suid lizards game. |
|
18.evil-term.c |
This is the remote buffer overflow termcap exploit for BSDI BSD/OS 2.1. |
|
19.dgux_xterm.txt |
On Digital Unix 4.0B, causing, xterm to core can overwrite arbitrary
files. |
|
20.php_exploit.c |
mlog.html and mylog.html w/ PHP dist. can be used to read arbitrary
files. |
|
21.wwwcount.c |
Exploits Count.cgi, allowing remote exececution of arbitray commands. |
|
22.ciscocrack.c |
This contains script and source for decrypting cisco encrypted
passwords. |
|
23.wm_exploit.c |
Overwrites a buffer in 'wm' from Ideafix package for Linux, giving root. |
|
24.brute_ssl.c |
This program will brute force it's way into secure and non-secure
webservers. |
|
25.sr-crash.c |
Source routing exploit for Linux v1.0.x-v1.3.x that causes the kernel to
panic. |
|
26.aix_ping.c |
Overwrites a buffer in gethostbyname(), giving root access. |
|
27.aix_lchangelv.c |
Another buffer overrun that gives root on AIX 4.x machines. |
|
28.aix_xlock.c |
This will overwrite a buffer in /usr/bin/X11/xlock giving root. |
|
29.web_sniff.c |
A Linux sniffer that is designed to retrieve web usernames and
passwords. |
|
30.arp_fun.txt |
ICMP and arp can be used to deny service and spoof other hosts on the
LAN. |
|
31.xf86_ports.txt |
A normal user can run X on a reserved port thus blocking legitmate
daemons. |
|
32.hostscan.cmd |
OS/2 Rexx-script that scans hosts by IP-adresses |
33.solaris_telnet.c |
A program designed to attack a Solaris 2.5 box, making it totally
unresponsive. |
|
34.identd_attack.txt |
A massive amount of authorization requests can render a system unusable. |
|
35.secure_shell.txt |
Using SSH, a non-root user can open privleged ports and redirect them. |
|
36.sshd_redirect.txt |
Any normal user can redirect privileged ports using secure shell daemon. |
|
37.medax_linux.tgz |
A TCP sequence number predictor that also lets you execute commands. |
|
38.samba_exploit.txt |
Local and remote exploit for samba that sends an xterm back to your
display. |
|
39.bsd_procfs.c |
In /proc under FreeBSD 2.2.1, you can modify a setuid executable's
memory. |
|
40.zgv_exploit.c |
This will overwrite a buffer in /usr/bin/zgv on Redhat Linux systems,
giving root. |
|
41.heroin.c |
This sample source illustrates the dangers of Linux modules in the
kernel. |
|
42.sgi_html.txt |
It is possible to execute remote commands on IRIX 6.3 and 6.4 via /usr/sysadm. |
|
43.ipd_probe.txt |
The Internet Probe Droid can scan massive amounts of hosts very quickly. |
|
44.smurf.c |
Spoofs IMCP packets resulting in multiple replies to a host from a
single packet. |
|
45.in.comstat.txt |
If a user has biff y on, in.comstat can be used increase the system
load. |
|
46.bind_nuke.txt |
Bind8.1.(1) can't update the same RR more than once in the same DNS
packet. |
|
47.chkexploit_1.13.tgz |
A shell script for Linux that checks for some publicly available
exploits. |
|
48.syslog_deluxe.c |
Lets you write spoofed and arbitrary messages to another machine's
syslogd. |
|
49.dgux_fingerd.txt |
The fingerd that ships w/ dgux allows remote execution of arbitrary
commands. |
|
50.smb_mount.c |
This overwrites a buffer on Linux systems in smbmount from smbfs-2.0.1. |
|
51.nmap.1.25.tar.gz |
nmap is a utility for port scanning large networks and currently runs on
Linux. |
|
52.innd_exploit.c |
Overwrites a buffer in innd on Linux x86 systems thus giving a remote
shell. |
|
53.smlogic.c |
This is a fully functional logic bomb designed render Linux systems
unuseable. |
|
54.intruderf.c |
A trojan for Linux system that mails you user's names and passwords. |
|
55.ld.so.c |
Overwrites a buffer via LD_PRELOAD env. variable, giving root on Linux. |
|
56.sol_syslog.txt |
If Solaris syslogd gets a message and it can't resolve the sender's IP,
it dies. |
|
57.promisc.c |
This program will scan your network devices to detect running sniffers. |
|
58.solaris_ping.txt |
On Solaris 2.x systems, any user can crash or reboot the system using
ping. |
|
59.seyon_exploit.sh |
Exploit for seyon, giving you the euid or egid of whatever seyon is suid
to. |
|
60.aixdtaction.c |
Overwrites a buffer in /usr/dt/bin/dtaction giving root access. |
|
61.datapipe.c |
Makes a pipe between a listen port on localhost and a port on a remote
machine. |
|
62.sping.tar.gz |
Linux binary and source of 'sping' which causes Win95 machines to crash. |
|
63.linux_httpd.c |
Overwrites a buffer in NSCA httpd v1.3 on linux systems, giving a remote
shell. |
|
64.sgi_cgihandler.txt |
On IRIX systems, /cgi-bin/handler can be used to issue arbitrary
commands. |
|
65.wuftpd_umask.txt |
The umask for wuftpd 2.4.2-b13 is 002 making files group writeable by
anyone. |
|
66.majordomo.txt |
Local and remote users can execute arbitrary commands from majordomo. |
|
67.glimpse_http.txt |
Glimpse HTTP (Interface to Glimpse Search Tool) can issue remote
commands. |
|
68.pandora.tgz |
This is the Unix version of the Netware version 4.x NDS cracking
utility. |
|
69.telnet_core.txt |
On Linux systems, it is possible to get part of the shadow file w/
cores. |
|
70.fake_ps.txt |
Checks for 'ps' trojans by running 'ps' and checking results against
/proc. |
|
71.hpux-cue.txt |
On HP 10.20, users can truncate arbitrary files using the setuid cue
program. |
|
72.rpc.mountd_bug.txt |
One can see what files a machine contains by looking at rpc.mountd
responses. |
|
73.ircd_kill.c |
Overwrites a buffer in ircII daemons, causing a segmentation fault in
the server. |
|
74.lpboost.c |
A simple program demonstrating problems with PLP/LPRng user
authenticiation. |
|
75.imapd_4.1b.txt |
It's possible to crash imapd, thus leaving shadow and password files in
core file. |
|
76.sneakin.tgz |
A way to 'reverse telnet' from a box behind a firewall that allows ICMP
packets. |
|
77.qmail.tar.gz |
This is a replacement sendmail-binmail system providing security and
efficiency. |
|
78.h_rpcinfo.tar.gz |
Allows you to sneak past port filters on port 111 and get dumps of RPC
services. |
|
79.synlog-0.4.tar.gz |
Synlog monitors half open TCP connections such as synfloods or synscans. |
|
80.net_rpm.txt |
Redhat Package Manager (rpm) can be used to overwrite arbitrary files. |
|
90.wrapper-v2.tgz |
This is a generic wrapper to prevent the exploitation of suid/sgid
programs. |
|
91.solaris_ifreq.c |
On Solaris, users can do control requests on a root created socket
descriptor. |
|
92.longpath.sh |
Script that implements a long path attack causing various problems on
Linux. |
|
93.logarp.tar.gz |
Useful for seeing if users on your subnet are "stealing" IP
addresses. |
|
94.aix_dtterm.c |
This will overwrite a buffer in /usr/dt/bin/dtterm, giving root. |
|
95.campus_cgi_hole |
Describes a hole in campus cgi which allows execution of remote
commands. |
|
96.listhosts.c |
A host resolving program based on nslookup and other pieces of named
tools. |
|
97.irix-wrapper.c |
Wraps programs on IRIX to prevent command line argument buffer overruns. |
|
98.irix-df.c |
This will overwrite a buffer in /bin/df on IRIX systems, thus giving a
root shell. |
|
99.irix-dp.c |
Overwrites a buffer in /usr/lib/desktop/permissions, giving egid of sys
on IRIX. |
|
100.irix-login.c |
This will overwrite a buffer in /bin/login on IRIX systems, giving root. |
|
101.irix-xlock.c |
This will give root by overwriting a buffer in /usr/bin/X11/xlock on
IRIX. |
|
102.synsniff.tar.gz |
Script in perl which watches for inbound connections (SYN's) and logs
them. |
|
103.SunOS_crash.txt |
Reading /dev/tcx0 on a SunOS 4.1.4 Sparc 20 causes a system panic. |
|
104.imapd_exploit.c |
Get remote root access on Redhat systems by overwriting a buffer in
impad. |
|
105.xlock.c |
On Linux systems, this will overwrite a buffer in setuid xlock, giving
root access. |
|
106.phobia.tgz |
This utility does a scan of an internet host looking for various
vulnerabilities. |
|
107.elm_exploit.c |
Overwrites a buffer in Elm and Elm-ME+ on Linux via TERM environ.
variable. |
|
108.daynotify.sh |
This script will exploit a bug in SGI's Registration Software under IRIX
6.2. |
|
109.brute_web.c |
This program will brute force it's way into a web server giving a user
and passwd. |
|
110.tcpdump.tar.Z |
Tool for network monitoring and data acquisition (needs library packet
capture). |
|
111.winnuke.c |
Sends Out of Band Data to a Win95/NT computer causing panics and
reboots. |
|
112.sperl.tgz |
Overwrites a buffer in the sperl5.001 and sperl5.003, thus giving root
access. |
|
113.dip-prob.txt |
Dip will allow an ordinary user to gain control of arbitrary devices in
/dev. |
|
114.nlspath.txt |
Exploits for ping, minicom, su and others on Linux via NLSPATH env.
variable. |
|
115.solaris_lp.sh |
Script for Solaris that breaks lp, then use lp priv to break root (or
bin, etc...). |
|
116.AIX_mount.c |
Overwrites a buffer in /usr/sbin/mount on AIX 4.x systems. |
|
117.vold_prob.txt |
It is possible to corrupt CDROM management on Solaris by changing block
size. |
|
118.fdformat-ex.c |
This will overwrite a buffer in /usr/bin/fdformat on Solaris 2.x systems
giving root. |
|
119.sunos-ovf.tar.gz |
This program is designed to test buffer overflows on SunOS 4.1.x boxes. |
|
120.cxterm.c |
Overwrites a buffer in Chinese xterm Linux systems, thus giving root
access. |
|
121.color_xterm.c |
This will overwrite a buffer in /usr/X11/bin/color_xterm, giving root on
Linux. |
|
122.pepsi.c |
This program is a random source host UDP flooder that compiles under
Linux. |
|
123.tlnthide.c |
Allocates a port and sets up a telnet gateway making it difficult to
trace telnets. |
|
124.jping.tar.gz |
This is another simple IMCP flooding program that compiles under Linux. |
|
125.LPRng.tgz |
A light weight printing system especially designed with security in
mind. |
|
126.jolt.c |
Sends oversized fragmented packets to Win95 boxes causing them to lock
up. |
|
127utclean.c |
This will remove your presence from wtmp, wtmpx, utmp, utmpx, and
lastlog. |
|
128.eject.c |
Overwrites a buffer on Solaris 2.x systems in /usr/bin/eject, giving a
root shell. |
|
129puke.c |
Spoofs an ICMP unreachable error to a target, causing connection drops. |
|
130.webs099.tgz |
A minimalist web server designed primarily for security and handles
redirects. |
|
131.talkd.txt |
This explains how to get root remotely by overwriting a buffer in
in.talkd. |
|
132.pingmod.tar.gz |
A very flexible pinging program that is able to fake ICMP packets and
more. |
|
133.rbone.tar.gz |
Another IP spoofer type program that guesses TCP sequence numbers. |
|
134.bsd_cxterm.c |
This will overwrite a buffer in xterm_color on BSD systems, giving root. |
|
135.udpstorm.tgz |
This is an implenmentation of the udpstorm attack. Works with Linux. |
|
136.jakal.c |
Portscanner that avoids logging by not completing the 3-way TCP
handshake. |
|
137.lin_probe.c |
This overwrites a buffer in /usr/X11/bin/SuperProbe on Linux, thus
giving root. |
|
138.AIX_host.c |
Overwrites a buffer in gethostbyname() giving a root shell. |
|
139.sgi_systour.txt |
Exploit for /usr/lib/tour/bin/RemoveSystemTour on IRIX 5.3 & 6.2
that gives root. |
|
140.connect.c |
Crashes AIX 4.1.4, AIX 4.1.5, HP-UX 10.01, and HP-UX 9.05. |
|
141.sol2.5_nis.txt |
This show how to exploit /usr/lib/nis/nispopulate on Solaris 2.5
systems. |
|
142.xdm_bugs.txt |
Shows how to deny service from xdm. It also doesn't close file handles
correctly. |
|
143.crack-2a.tgz |
Unix Password Cracker 2.0(a) by Scooter Corp. (Comes with crack
dictionary). |
|
144.lilo-exploit.txt |
Get root on the lastest versions of Linux (at the console) using
LD_PRELOAD. |
|
145.rsucker.pl |
Perl script that acts as a fake r* daemon and logs usernames sent from
clients. |
|
146.synk4.c |
An improved Syn Flooder that also supports a random IP spoofing mode. |
|
147.portmap_5b.tar.gz |
Portmapper that supports access control in the style of the tcp wrapper
package. |
|
148.irix-login.txt |
On Irix systems /var/adm/badlogin has failed logins and passwords in
clear text. |
|
149.iebugs.tar.gz |
Microsoft Internet Explorer bugs one through six in text and html
format. |
|
150.arnudp.c |
Shows how to send single UDP packets from an arbitray souce/destination. |
|
151.sun-reboot.txt |
By typing: perl -e 'print "\e[1J"' you can reboot a sun ultra
sparc at the console. |
|
152.cgiwrap-3.22.tgz |
This is a gateway that allows a more secure user access to CGI programs. |
|
153.fastcracker.tgz |
This program is designed to quickly crack DES encrypted passwords. |
|
154.pma.tar.gz |
Poor Man's Access - A daemon that lets you issue shell commands
remotely. |
|
155.lpr_bugs.txt |
It is possible to create, read, and delete any file on the system using
lpr/lpd. |
|
156.vsr.tar.gz |
A loadable module for SunOS systems that creates a virtual IP interface. |
|
157.makedir.txt |
Programs to create thousands of directories and to delete these
directories. |
|
158.tcpprobe.c |
This is a tcp portscanner that shows accepted connections on a remote
host. |
|
159.locktcp.c |
This program will freeze a Solaris/x86 2.5.1 systems, causing denial of
service. |
|
160.irix-wrap.txt |
This shows how to get a listing of directories (755) from cgi-bin/wrap
on Irix 6.2. |
|
161.block.c |
Stops users from logging in by monitoring utmp and closing down user's
tty ports. |
|
162.tin_problem.txt |
rtin/tin creates /tmp/.tin_log w/ mode of 0666 in /tmp and follows
symbolic links. |
|
163.sun_patch.sh |
If you have a sun SPARC, this script will stop all forms of buffer
overrun attacks. |
|
164.riputils.tgz |
This is a set of routing internet protocol utilities designed for Linux
systems. |
|
165.ipbomb.c |
This will attack a target host by sending various sizes and numbers of
IP packets. |
|
166.test-cgi.txt |
Using the CGI program test-cgi, you can inventory files on remote
systems. |
|
167.lquerypv.txt |
On AIX systems you can read any file (in hex) on the system with
lquerypv. |
|
168.cops_104.tar.gz |
(Computer Oracle & Password System) checks for Unix
misconfigurations. |
|
169.Crack v5.0 |
Got access to password or shadow file? Shows what other user's passwords
are. |
|
170.Crack Dictionary |
This is a general 50,000 word dictionary for use with Crack or other
programs. |
|
171.Esniff.c |
This is the source code for basic ethernet Sniffer. ( Straight out of
Phrack ). |
|
172.fakerwall.c |
Lets you send an rwall message from an arbitrary host of your choice. |
|
173.fping |
Like UNIX ping(1), but allows efficient pinging of a large list of
hosts. |
|
174.simping.c |
Simulates the "ping -l 65510 victim.host" from Win95 - also
compiles on Linux. |
|
175.bind.txt |
This describes a potenital denial of service problem with BIND-4.9.5-P1. |
|
176.pong.c |
Attacks an arbitrary host by sending a flood of spoofed ICMP packets. |
|
178.jizz.c |
A DNS spoofer that exploits the cache vulnerability in most BIND
daemons. |
|
179.any-erect.c |
Another DNS spoofing type program much like jizz.c. Compiles on Linux. |
|
180.hide.c |
Exploits a world-writeable /etc/utmp and allow the user to modify it
interactively. |
|
181.hsh002.c |
This is a neat little shell for experimentation with lots of interesting
features. |
|
182.netpipes4.0.tgz |
A package (that comes w/ Linux) to manipulate BSD TCP/IP stream sockets. |
|
183.nfswatch4.1.tar.Z |
This lets you monitor NFS requests to any given machine or the entire
network. |
|
184.nfstrace.tgz |
This nfstrace package lets you to perform NFS tracing by network
monitoring. |
|
185.wuftpd-owrite.sh |
Exploit for wu-ftpd to create or overwrite a file anywhere on the
filesystem. |
|
186.wuftpd-sdump.sh |
Exploit a bug in wu-ftpd to assemble and view the shadow password file. |
|
187.shadowyank.c |
Reconstructs the shadow entries from a core file from ftp daemon
segmenting. |
|
188.ICMPinfo V1.10 |
ICMPinfo is a tool for looking at ICMP messages received on the running
host. |
|
189.ident-scan.c |
TCP scanner that gets the username of the daemon running on the
specified port. |
|
190.ascend.txt |
Program for Linux designed to attack Ascend routers with zero length tcp
offsets. |
|
191.gzip.txt |
While a file is being compressed with gzip it is world readable to all
users. |
|
192.iss13.tar.gz |
The Internet Security Scanner scans subnets and collects info. about
hosts. |
|
193.libc.so.5 |
A hacked libc.so.5 for Linux that spawns a shell when a call is made to
crypt(). |
|
194.sdtcm_convert.txt |
Explains to how to exploit sdtcm_convert on Solaris boxes to get root
access. |
|
195.mnt.tar.gz |
Exploits a bug in HP-UX 9 rpc.mountd program and gives you NFS file
handles. |
|
196.netcat (V1.10) |
Like Unix cat(1) but this one talks network packets (TCP or UDP). |
|
197.NFS Shell |
This should be very useful if you have located an insecure NFS server. |
|
198.pmcrash.c |
This allows you to crash ANY Livingston PortMaster by overflowing
buffers. |
|
199.pop3.c |
Attemps mulitple username/password guesses on machines running POP3. |
|
200.psrace.c |
Exploits a race condition in Solaris, thus allowing you to make a root
shell. |
|
201.Root Kit |
Programs like ps, ls, & du that are modified to hide certain files
& processes. |
|
202.rpc_chk.sh |
Script to get a list of running hosts from a DNS nameserver for a given
domain. |
|
203.seq_number.c |
This is a program that exploits the TCP Sequence Number Generator bug. |
|
204.asppp.txt |
On Solaris 2.5x86, /tmp/.asppp.fifo can make a world writeable .rhosts
file. |
|
205.kcms.txt |
Get root on Solaris 2.5 by exploiting /usr/openwin/bin/kcms_calibrate. |
|
206.remove.c |
A universal utmp, wtmp, and lastlog editor that also compiles under AIX
& SCO. |
|
207.kmemthief.c |
If /dev/kmem is writeable by normal users, then this program will get
you root. |
|
208.slammer |
Slammer lets you issue arbitray commands on hosts by exploting yp
daemons. |
|
209.socket_demon13.zip |
Daemon that sits on a specified IP port and provides passworded shell
access. |
|
210.Solaris Sniffer |
This is a version of ESniff.c that has been modified for Solaris 2.X. |
|
211.xpusher.c |
This is a neat way to send keyboard events to another user's X window. |
|
212.xsnoop.c |
This program allows you to spy on another user's keyboard events like
xkey.c |
|
213.Strobe (V1.03) |
Scans TCP ports on a target host and reveals which daemons are running. |
|
214.Tiger (V2.2.3) |
Tiger attemps to exploit known bugs, holes, and misconfigurations to
attain root. |
|
215.lquerylv.c |
Overwrites a buffer in /usr/sbin/lquerylv on AIX systems, thus giving a
root shell. |
|
216.Traceroute |
Traceroute is an indispensable tool for troubleshooting and mapping your
network. |
|
217.open_bug.txt |
On {Free,Open,Net}BSD, open() returns a file descriptor to a protected
devices. |
|
218.udpscan.c |
Identifys open UDP ports by sending bogus UDP packets and wait for
responses. |
|
219.portd.c |
A daemon that listens on a port and provides passworded shell access. |
|
220.pingexploit.c |
This lets you send oversized ICMP packets from a unix box just like
Win95. |
|
221.checksyslog.tgz |
Analyze your system logs for security problems while ignoring normal
behavior. |
|
222.dosemu.txt |
On Debian v1.1, /usr/sbin/dos can be used to read any file on the
system. |
|
223.yaping.0.1.tgz |
Yet another ping for Linux. Packets of size > 65535 octets are
supported. |
|
224.xcrowbar.c |
Source code that gets you a pointer to an X Display even after an xhost
- |
|
225.xkey.c |
Attach to any X server you have permission to and watch the user's
keyboard. |
|
226.xwatchwin.tar.gz |
If you got access to another's X server,this shows the window on your
X-server. |
|
227.messages.sh |
Parses through /var/adm/messages to see if user typed password at login
prompt. |
|
228.FreeBSDmail.txt |
This exploit will overwrite a buffer on sendmail 8.6.12 running on
FreeBSD 2.1.0. |
|
229.securelib.tar.Z |
Shared library for SunOS 4.1 and later that will help protect your RPC
daemons. |
|
230.ypsnarf.c |
This handy little program will get you yp domain names, yp maps, and yp
maplists. |
|
231.ypx.tgz |
Guesses NIS domain namesand also extract the maps directly from domains. |
|
232.ftp-scan.c |
This program exploits the ftp protocol to let you scan services on
firewalls. |
|
233.rdist-ex.c |
Writes past a buffer, straight onto the stack, giving a root shell on
FreeBSD. |
|
234.ttywatcher-1.1b.tgz |
ttywatcher lets a user monitor and interact with every tty on the
system. |
|
235.splitvt.c |
An older exploit for Linux that overwrites a buffer in /usr/bin/splitvt,
giving root. |
|
236.mount-ex.c |
All Linux versions are vulnerable to this buffer overflow attack on suid
mount. |
|
237.perl-ex.sh |
perl-ex.sh is a simple little sperl script that gives you a root shell
via suidperl. |
|
238.sndmail8.8.4.txt |
This will explain how to exploit sendmail version 8.8.4 to get root
access. |
|
239.irix-xhost.txt |
In the default setup on Irix, xhost is set to global access for console
logins. |
|
aix_bugfiler.txt |
On AIX 3.x, /lib/bugfiler can be used to circumvent file access
restrictions. |
|
241.mod_ldt.c |
Gives access to all of Linux's linear memory to user processes at will. |
|
242.dipExploit.c |
Linux dip Exploit. Overwrite a buffer in do_chatkey(), thus giving you a
root shell. |
|
243.rexecscan.txt |
The rexecd can be used easily to scan the client host from the server
host. |
|
244.rpcs.01b.tar.gz |
This is program that is designed to scan subnets for rpc services. |
|
245.rxvtExploit.txt |
Exploits a popen() call issued by rxvt on Linux machines, thus giving a
root shell. |
|
246.nfsbug.c |
Demonstates a security problem in unfsd guessing the file handle of the
root FS. |
|
247.abuse.txt |
Exploit for Red Hat 2.1 that gives a root shell by exploitng
abuse.console. |
|
248.xtermOverflo.c |
A program that overwrites a buffer in libXt.so while xterm is suid to
root. |
|
249.resolv+.exp |
Quick and Simple way to read the /etc/shadow file as well as many other
things. |
|
250.resizeExp.txt |
Another Red Hat 2.1 exploit for resizecons due to lack of absolute
pathnames. |
|
251.qcrack.tar.gz |
qcrack gives increased cracking speeds at the expense of disk space. |
|
252.Linux rootkit |
A rootkit designed for Linux systems. Comes with ps, netstat, and login. |
|
253.X webcomber |
A cool little tool that lets you search for things (like hacking) on the
web. |
|
254.gpm-exploit.txt |
This will get root on Linux systems using /usr/games/doom/killmouse. |
|
255.pingflood.c |
This pings floods a host, thus wasting bandwidth and denying service. |
|
256.telnetd exploit |
This will create a shared library that gives a root shell remotely or
locally. |
|
257.balk.pl |
This is a perl script that will mess up another's users tty using talk/ntalk. |
|
258.wallflash.c |
This will mess up another user's tty remotely via remote write all (rwall). |
|
259.pop3d exploit |
Read the contents of the mail spool of a user when they connect to
in.popd. |
|
260.popper.txt |
Some versions of (q)popper from qualcomm allow you to read other user's
mail. |
|
261.vif.tar.gz |
This code lets you have multiple IP addresses for a single interface. |
|
262.amod.tar.gz |
Amodload is a tool which allows the loading of arbitrary code into SunOS
kernels. |
|
263.getethers1.6.tgz |
getthers scans all address on an ethernet and producing a hostname/ethernet
list. |
|
264.rootkitSunOS.tgz |
Here is another root kit designed for SunOS operating systems. Lots of
cool stuff. |
|
265.demonKit-1.0.tar.gz |
A suite of trojan programs opening back doors to root on a Linux system. |
|
266.eviltelnetd |
telnet-hacked.tgz is a hacked telnet daemon that gives a root shell w/o
password. |
|
267.cfexec.sh |
This let's you issue arbitrary commands as root on GNU cfingerd 1.0.1. |
|
268.NFS Problems |
Shows some potential problems with Linux in.nfsd concerning read-only
exports. |
|
269.cdromvuln.txt |
If Linux CD is mounted w/ suid flag, old exploits still work on live
filesystem. |
|
270.vixie.c |
On Redhat Linux systems this will overwrite a buffer in crontab, thus
giving root. |
|
271.linsniffer.c |
A Linux Sniffer that shows you incoming TCP packets on most ports. |
|
272.rshd_problem.txt |
You can figure out valid usernames by examining the response from
in.rshd. |
|
273.linux_sniffer.c |
Another Linux sniffer much like the one above. Shows more detailed TCP
info. |
|
274.sniffit.0.3.5.tar.gz |
A very flexible network sniffer that has many interesting features (like
curses). |
|
275.Sol2.4Core.txt |
Solaris 2.4 exploit that lets you to overwrite files when a suid prog.
core dumps. |
|
276.SolAdmtool.txt |
On Solaris 2.5, the Admintool can be used to create a writeable /.rhosts
file. |
|
277.irix-netprint.txt |
On IRIX, /usr/lib/print/netprint calls 'disable' without specifying
absolute path. |
|
278.SYNpacket.tgz |
Floods a port with TCP packets w/ SYN bit turned on causing inetd to
segment. |
|
279.login_trojan.c |
A login trojan program to be run at the console to get other user's
passwords. |
|
280.phf.c |
A quick way to scan for hosts that still have the phf bug which gives
/etc/passwd. |
|
281.phfprobe.pl |
This tries to find out as much information about the person calling phf
as possible. |
|
282.SYNWatch.tar.gz |
This program watches for TCP packets with the SYN bit turned on. |
|
283.pinglogger.tar.gz |
Logs all ICMP packets to a log file so you can see who is ping flooding
you. |
|
284.screen.txt |
On BSDi boxes, you can use /usr/contrbi/bin/screen to read /etc/master.passwd. |
|
285.ftpBounceAttack |
Implementation of the ftp Bounce Attack allowing you to anonymously do
things. |
|
286.grabem.c |
A very simple program to get passwords from users logging in on the
console. |
|
287.tcpview.c |
Another sniffer type program designed for Sun OS 4.1 architectures using
/dev/nit. |
|
288.pcnfsd.c |
Allows local users to chmod arbitrary directories on hosts running
pcnfsd. |
|
289.netcraft.tgz |
Contains various (and older) web security issues and exploits from
Netcraft. |
|
290.superforker.c |
This is a supercharged version of the classic fork() denial of service
attack. |
|
291.tripwire-1.2.tgz |
Creates a signature of binary files, and checks to see if these file
were modified. |
|
292.tcpr-1.3.tar.gz |
Set of perl scripts that let you to run ftp and telnet commands across a
firewall. |
|
293.syslogFogger.c |
This allows you to write to system logging facilites via UDP packets to
port 514. |
|
294.ypbreak.c |
Lets you change your username, password, gecos, or shell via yppasswd
daemon. |
|
295.hdtraq.c |
This runs as a daemon and purportedly creates bad sectors on a hard
drive. |
|
296.finger_attack.txt |
By recursively fingering a host, you can cause a possible crash of
in.fingerd. |
|
297.logdaemon.tar.gz |
Version 5.6 of a suite of tcp/ip programs that enhance network system
logging. |
|
298.suTrojan.c |
A replacement program for su that mails you when an attempt to su is
made. |
|
299.sigurg.c |
This code allows up to kill any process on Linux boxes running older
kernels. |
|
300.sushiPing.c |
On Sun OS 4.x, this trojan ping gives you a root shell when you make a
triggerfile. |
|
301.webgais.txt |
This will explain how to issue shell commands remotely using /cgi-bin/webgais. |
|
302.sushiQuota.c |
Another trojan for Sun 4 machines that is trigger with a triggerfile. |
|
303.swap-uid.c |
On Solaris, an I_PUSH call on an open tty followed by lseek() gived euid=0. |
|
304.pcs.tgz |
A libpcap based sniffer that supports multiple interfaces as well as
PPP. |
|
305.sfingerd-1.8.tgz |
A replacement for the standard unix finger daemon designed for security. |
|
306.snifftest.c |
snifftest.c will try to tell you if a sniffer is running on Sun
machines. |
|
307.IPInvestigator.tgz |
IPIvestigator is another sniffer that lets you watch traffic between
machines. |
|
308.gnmp.tar.gz |
Generic Network Message Passing is a simple client server messaging
system. |
|
309.irixmail.sh |
This is an exploit shell script that will give a root shell on IRIX
systems. |
|
310.lpr Exploit |
This small program exploit the suid root lpr program giving root. |
|
311.Xfree86 Exploit |
There is a problem with XFree86 3.1.2 that lets you overwrite files. |
|
312.wipehd.asm |
Assembly Language program that will remove the first 10 sectors of a
hardrive. |
|
313.minicom.c |
This is an exploit for minicom on Linux systems that will overwrite a
buffer. |
|
314.sam.txt |
On HP-UX, the System Administration Manager (sam) can truncate files. |
|
315.DenialofService |
zip file illustrating five simple denial of service attacks on a unix. |
|
316.xspy.tar.gz |
xspy is a program that will make user's logins appear on your display. |
|
317.scan.sh |
This is a perl script that scans subnets and reports if rexd or ypserv
is running. |
|
318.xscan.tar.gz |
scans subnets for unsecured X clients and automatically logs results. |
|
319.BSDcron-ex.c |
BSD cron exploit. This program overruns a buffer, giving root access. |
|
320.OSF1_dxchpwd |
On OSF1, /usr/tcb/bin/dxchpwd can be used to overwrite any file on the
system. |
|
321.bindExploit.txt |
Setting SO_REUSEADDR and calling bind allows user to steal udp packets. |
|
322.cloak.c |
This program wipes all traces of a user from a UNIX system. |
|
323.convfontExploit.sh |
Script that exploits /usr/bin/convfont on Linux systems to get root
access. |
|
324.ipspoof.c |
This program demonstrates how to send arbitrary tcp/ip packets. |
|
325.marry.c |
This program is a log editor with lots of interesting features. |
|
326.juju.c |
This is an ICMP-router type program that will redirect ICMP packets. |
|
327.redirect.c |
This program is a generic ICMP redirect sender for Solaris machines. |
|
328.portscan.c |
A Linux port scanner that reports the services running on another host. |
|
329.dumpExploit.txt |
On Linux systems /sbin/dump can be used to read arbitrary files. |
|
330.fingerd.c |
This program is another finger type daemon trojan program. |
|
331.ttysurf.c |
This program listens on ttys and tries to get login and passwords. |
|
332.ttystuff.c |
This program let's you input commands into another user's terminal. |
|
333.generic_buffer.tgz |
Generic buffer overrun program for Linux, SunOS, and Solaris. |
|
334.linux_lpr.c |
This program overwrites a buffer in the suid program lpr, thus giving a
root shell. |
|
335.SunOS_user.txt |
On SunOS, chsh and chfn use getenv("USER") to validate userid
of the caller. |
|
336.kill_inetd.c |
This program causes denial of service by attacking inetd. Runs on Linux
systems. |
|
337.grabBag.tgz |
Tons of old and miscellaneous exploits from different versions of unix. |
|
338.wu-ftpd.sh |
This shell script lets you create a file anywhere on the system. |
|
339.sol_mailx.txt |
An old security hole in /usr/bin/mailx still exists in the mailx on
Solaris 2.5 |
|
340.oracle.txt |
Discusses a denial of service attack against older versions of Oracle
Webserver. |
|
350.hp_stuff.tgz |
Lots of exploits for HP/UX from the Scriptors of Doom. |
|
360.hpjetadmin.txt |
hpjetadmin can be tricked giving away root by a writeable .rhosts file. |
|
370.irix-buffer.txt |
IRIX buffer overruns for df, eject, /sbin/pset, /usr/bsd/ordist, and
xlock. |
|
371.irix-xterm.c |
This will overwrite a buffer in xterm on IRIX systems, giving a root
shell. |
|
372.irix-iwsh.c |
This will overwrite a buffer in /usr/sbin/iwsh on IRIX 5.3, giving root
access. |
|
373.irix-printers.c |
This will overwrite a buffer in /usr/sbin/printers on IRIX systems
giving root. |
|
374.spaceball.txt |
spaceball.sh can be exploited to give a setuid root shell on IRIX 6.2
boxes. |
|
375.flash.c |
Messes up user's terminals by issuing a talk request with vt100 escape
chars. |
|
376.modstat.c |
This program will overrun a buffer in /usr/bin/modstat on FreeBSD
systems. |
|
377.pine_exploit.sh |
This script is an exploit for pine. It can be used to create .rhosts
files. |
|
378.view_source.txt |
On some httpd distributions, /cgi-bin/view-source can be used to read
files. |
|
379.sendmail-ex.sh |
This is an exploit script for sendmail 8.7-8.8.2 for FreeBSD and Linux.
Gives root. |
|
379.smh.c |
smh.c is an exploit for sendmail 8.6.9. It gives a bin owned setuid
shell. |
|
380.rlogin_exploit.c |
This overwrites a buffer in gethostbyame() on Solaris 2.5.1, giving a
root shell. |
|
381.octopus.c |
A denial of service attack by opening tons of connections to a remote
host. |
|
382.expect_bug.txt |
Expect does not make handles to pseudo tty's inaccessable to other
processes. |
|
383.html.txt |
Shows interesting links to put in your HTML pages causing denial of
service. |
|
384.autoreply.txt |
autoreply(1) can be used to create root owned files with a mode of 666. |
|
385.bdexp.c |
On older versions of Linux, this will overwrite a buffer in suid bdash,
giving root. |
|
386.irix-csetup.txt |
Get root on IRIX via /usr/Cadmin/bin/csetup in conjunction with /usr/sbin/sgihelp. |
|
387.solsocket.txt |
On Solaris-x86 2.5, any normal user can connect to unix domain sockets. |
|
388.lemon25.c |
Exploit for Solaris 2.5.(1) that overwrites a buffer in passwd, giving
root access. |
|
389.reflscan.c |
Another TCP port scanner that escapes logging by using half open
connections. |
|
390.yp.txt |
On YP systems, when a password expires, the old password is not
required. |
|
391.bsd_core.txt |
On BSDi 3.x, users arbitrarly write files with binary data, but not
overwrite them. |
|
392.ffbconfig-ex.c |
This program overwrites a buffer in /usr/sbin/ffbconfig on Solaris 2.5.1
giving root. |
|
393.FreeBSD-ppp.c |
This will overwrite a buffer in pppd on FreeBSD systems, giving a root
shell. |
|
394.sol-license.txt |
On Solaris 2.4, if the license manager is running, root can be obtained. |
|
395.sparc_cpu.txt |
Compiling main(){while(1);} with optimizations turned on will hose a
sparc. |
|
396.lin-pkgtool.txt |
This file explains how to get root on Linux system with the pkgtool
program. |
|
397.startmidi.txt |
On IRIX systems, startmidi can be exploited to obtain root privileges. |
|
398.linux_rcp.txt |
On Linux, if you have access to uid 65535 (nobody), then root can be
obtained. |
|
399.doomsnd.txt |
This will get root on Linux systems by exploiting the doom sndserver. |
|
400.solaris_ps.txt |
Exploit /usr/bin/ps and /usr/ucb/ps on Solaris systems, giving root
access. |
|
401.dec_osf1.sh |
Exploits /usr/sbin/dop on DEC unix 4.0, 4.0A, and 4.0B, giving a root
shell. |
|
|
402.tcp_wrapper.tgz |
Version 7.5 of the tcp/ip wrapper for inetd. (Does logging and
monitoring). |
|
403.rpcbind_1.1.tgz |
This is an rpcbind replacement that includes tcp wrapper style access
control. |
|
404.breaksk.txt |
Netscape's server key format is susceptible to dictionary attacks. |
|
405.IP-spoof.txt |
Examples and text on the art of IP spoofing. (For Linux 1.3.x kernels). |
|
406.irix-dataman.txt |
This file show how to exploit dataman on irix system to obtain root
access. |
|
407.irix-fsdump.txt |
This is an exploit for /var/rfindd/fsdump that gives root on irix
systems. |
|