quake.c
- remote exploit that sends a couple of spoofed udp packets causing the system to crash. |
gcc-exploit-2 - Simple GCC
exploit (tested under 2.7.2.3.f.1) |
dgux_fingerd.txt - The
fingerd that ships w/ dgux allows remote execution of arbitrary commands. |
exchange5.txt - Microsoft
Exchange Server v5 buffer overflow |
dally.zip - boink clone that runs
under Windows NT as a new protocol. (UNTESTED) |
sharepw.c - Windows 95 Share
Password recovery tool (source code) |
sharepw.exe - Windows 95 Share
Password recovery tool (windows binary) |
newtear.c - Another variant of
teardrop.c which is slightly different than bonk.c |
newpep.c - Solaris version of the
random UDP flooder pepsi.c |
boink.c
- An improved version of bonk.c that allows UDP port ranges. |
ld.so.c
- Overwrites a buffer via LD_PRELOAD env. variable, giving root on Linux. |
riptrace.c - BSD 4.4 based
routed trace file exploit |
Strobe (V1.03) - Scans TCP
ports on a target host and reveals which daemons are running. |
wuftpd-sploit.tar.gz -
wu-ftpd 2.4 signal exploit |
statd-scan.c - A program which
scans hosts for the RPC service statd. |
xdmpasswd - Overwrite files with
xdmpasswd. |
sliplogin.c - Buffer overflow
in BSDI's sliplogin allowing root access. |
solaris-ping.c - Sparc
Solaris 2.5 and 2.5.1 root exploit for ping (buffer overflow). |
NTsunkill.c - A port of
sunkill.c for Windows NT machines (also compiles under unix). |
cisco76x.txt - On Cisco 76x
routers, a long string for the password causes a reboot. |
icq_sniff.c - Source that Sniff
plaintext ICQ passwords that are sent once per session. |
ipwatcher.txt - A Linux
network tool that lets you view, hijack, or disconnect connections. (removed due to
copyright violation) |
mozilla_killer.c - This
CGI code will crash all Windows Netscape browsers v2.0-3.0. |
sun4_tmpfs.txt - Show how an
ordinary user can cause the SunOS 4.1.4 kernel to panic. |
sunkill.c - An effective denial of service attack against sun boxes running Solaris. |
xdm_problem.txt - Anyone
can connect to xdm/cde via XDMCP and get a login screen. |
xotpcalc-1.0.tar.gz -
An OTP calculator that works w/ S/Key and conforms to RFC 1938. |
aix_mount.txt - Shows how a
normal user on AIX 4.x boxes can mount any filesystem |
beck.tar.gz - Exploits that
will increase the load averages using Apache httpd v1.2.x. |
bliss.tar.gz - An example of a
virus that will execute on unix systems such as Linux |
ccdconfig.txt - On Free/NetBSD, ccdconfig w/ -f option can be used to read arbitrary files. |
linux_stack.tar.gz - Solar Designer's non-executable user stack area and symlink fix patch. |
phant0m.c - Makes an XTACACS
server believe that you are disconnected from it. |
trace_shell.c - This will
overwrite a buffer on Redhat 5.0 in traceroute, thus giving root. |
userv.tar.gz - Allows one
program to invoke another with limited trust between them. |
digital_dbx.txt - Shows how
to get root on Digital Unix 4.0*, by using dbx on a suid program. |
solaris_land.c - A version
of the land.c attack with Solaris 2.5 as the attacking platform. |
seyon_exploit.sh - Exploit
for seyon, giving you the euid or egid of whatever seyon is suid to. |
linux_httpd.c - Overwrites a buffer in NCSA httpd v1.3 on linux systems, giving a remote shell. |
xtacacs.c - exploit to trick
XTACACS servers to believe that you've disconnected. |
vsyslog.txt - Linux exploit for
libc 5.4.38's vsyslog(). |
innd_exploit.c - Overwrites
a buffer in innd on Linux x86 systems thus giving a remote shell. |
ntpptp.c - NT 4.0 SP3 PPTP denial
of service attack exploit |
ntpwgrabber.txt - A false
FPNWCLNT.DLL can be stored in the %systemroot%\system32 directory under Windows NT 3,
3.51, 4 which collects passwords in plain text. |
latierra.c - An enhanced version
of land.c which works better against NT SP3 among other things. |
rip.c
- RIP (Routing Information Protocol) Version 1 Spoofer |
lownoise.txt - Exploit for Digital Unix v4.0 that lets you create a writeable /.rhosts file. |
sgi_cgihandler.txt - On
IRIX systems, /cgi-bin/handler can be used to issue arbitrary commands. |
medax_linux.tgz - A TCP
sequence number predictor that also lets you execute commands. |
wm_exploit.c - Overwrites a
buffer in 'wm' from Ideafix package for Linux, giving root. |
udpscan.c - Identifies open UDP ports by sending a bogus UDP packet to each port and waiting for a response (a closed port answers with an ICMP port unreachable; silence means open or filtered). |
lizards.txt - Explains how to get root on Slackware 3.4 from the suid lizards game. |
ciscocrack.c - This contains
script and source for decrypting cisco encrypted passwords. |
imaps.tar.gz - Several different versions of the remote imapd buffer overflow exploit. |
evil-term.c - This is the
remote buffer overflow termcap exploit for BSDI BSD/OS 2.1. |
portd.c
- A daemon that listens on a port and provides passworded shell access. |
pingexploit.c - This lets you
send oversized ICMP packets from a unix box just like Win95. |
checksyslog.tgz - Analyze
your system logs for security problems while ignoring normal behavior |
dosemu.txt - On Debian v1.1,
/usr/sbin/dos can be used to read any file on the system |
yaping.0.1.tgz - Yet another
ping for Linux. Packets of size > 65535 octets are supported |
messages.sh - Parses through
/var/adm/messages to see if user typed password at login prompt. |
FreeBSDmail.txt - This
exploit will overwrite a buffer on sendmail 8.6.12 running on FreeBSD 2.1.0. |
securelib.tar.Z - Shared
library for SunOS 4.1 and later that will help protect your RPC daemons |
ypsnarf.c - This handy little
program will get you yp domain names, yp maps, and yp maplists. |
YPX - YPX guesses NIS domain names. YPX will extract the maps directly from domains. |
ftp-scan.c - This program
exploits the ftp protocol to let you scan services on firewalls. |
rdist-ex.c - This will write
past a buffer, straight onto the stack, giving a root shell on FreeBSD. |
ttywatcher-1.1b.tgz -
ttywatcher lets a user monitor and interact with every tty on the system. |
splitvt.c - An older exploit for
Linux that overwrites a buffer in /usr/bin/splitvt, giving root. |
mount-ex.c - All Linux versions
are vulnerable to this buffer overflow attack on suid mount. |
perl-ex.sh - perl-ex.sh is a
simple little sperl script that gives you a root shell via suidperl. |
sndmail8.8.4.txt - This
will explain how to exploit sendmail version 8.8.4 to get root access |
irix-xhost.txt - In the default setup for irix, xhost is set to global access when someone logs into the console. |
mod_ldt.c - Gives access to all
of Linux's linear memory to user processes at will, and thus root. |
dipExploit.c - Linux dip
Exploit. Overwrite a buffer in do_chatkey(), thus giving you a root shell. |
rexecscan.txt - The rexecd
can be used easily to scan the client host from the server host. |
rpcs.01b.tar.gz - This is a program that is designed to scan subnets for rpc services. |
rxvtExploit.txt - Exploits
a popen() call issued by rxvt on Linux machines, thus giving a root shell. |
nfsbug.c - Demonstrates a security problem in unfsd: guessing the file handle of the root FS. |
abuse.txt - A Linux exploit for Red Hat 2.1. This gives a root shell by exploiting abuse.console. |
xtermOverflo.c - A program
that overwrites a buffer in libXt.so while xterm is suid to root. |
resolv+.exp - Quick and Simple
way to read the /etc/shadow file as well as many other things |
resizeExp.txt - Another Red
Hat 2.1 exploit for resizecons due to lack of absolute pathnames. |
aixdtaction.c - Overwrites a
buffer in /usr/dt/bin/dtaction via HOME env. variable, giving root. |
gpm-exploit.txt - This will
get root on Linux systems using /usr/games/doom/killmouse |
sneakin.tgz - A way to 'reverse
telnet' from a box behind a firewall that allows ICMP packets. |
telnetd exploit - This
will create a shared library that gives a root shell remotely or locally. |
pop3d exploit - Read the
contents of the mail spool of a user when they connect to in.popd. |
xpusher.c - This is a neat way to
send keyboard events to another user's X window. |
vif.tar.gz - This code lets you
have multiple IP addresses for a single interface. |
amod.tar.gz - Amodload is a
tool which allows the loading of arbitrary code into SunOS kernels. |
getethers1.6.tgz - getethers scans all addresses on an ethernet and produces a hostname/ethernet address list. |
rootkitSunOS.tgz - Here is
another root kit designed for SunOS operating systems. Lots of cool stuff. |
demonKit-1.0.tar.gz - A
suite of trojan programs opening back doors to root on a Linux system. |
eviltelnetd -
telnet-hacked.tgz is a hacked telnet daemon that gives a root shell w/o password. |
cfexec.sh - This lets you issue arbitrary commands as root on GNU cfingerd 1.0.1. |
NFS Problems - Shows some
potential problems with Linux in.nfsd concerning read-only exports. |
cdromvuln.txt - If Linux CD
is mounted w/ suid flag, older suid exploits will work on live filesystem |
vixie.c
- On Redhat Linux systems this will overwrite a buffer in crontab, thus giving root. |
rshd_problem.txt - You can
figure out valid usernames on hosts by examining the response from in.rshd. |
Sol2.4Core.txt - Solaris 2.4
exploit that allows you to overwrite files when a suid prog. core dumps. |
SolAdmtool.txt - On Solaris
2.5, the Admintool can be used to create a writeable /.rhosts file. |
irix-netprint.txt - On
IRIX, /usr/lib/print/netprint calls 'disable' without specifying absolute path. |
SYNpacket.tgz - Floods a port with TCP packets with the SYN bit turned on, causing inetd to segfault. |
login_trojan.c - A login
trojan program to be run at the console to get other user's passwords. |
Sendmail.c - Sendmail exploit.
|
telnet_core.txt - On Linux
systems, it is possible to get part of the shadow file w/ cores |
SYNWatch.tar.gz - This
program watches for TCP packets with the SYN bit turned on. |
pinglogger.tar.gz - Logs
all ICMP packets to a log file so you can see who is ping flooding you. |
screen.txt - On BSDi systems, you can use /usr/contrib/bin/screen to read /etc/master.passwd. |
ftpBounceAttack - Implementation of the ftp Bounce Attack: the FTP server is told via PORT to open its data connection to a third host, so scans and connections appear to come from the server rather than from you. |
Traceroute - Traceroute
is an indispensable tool for troubleshooting and mapping your network. |
pcnfsd.c - Exploit that allows
local users to chmod arbitrary directories on hosts running pcnfsd. |
netcraft.tgz - Contains
various (and older) web security issues and exploits from Netcraft. |
superforker.c - This is a
supercharged version of the classic fork() denial of service attack |
tripwire-1.2.tgz - Creates
a signature of binary files, and then checks to see if these file were modified. |
tcpr-1.3.tar.gz - A set of
perl scripts that enable you to run ftp and telnet commands across a firewall |
syslogFogger.c - This allows you to write to system logging facilities via UDP packets to port 514. |
ypbreak.c - Lets you change your
username, password, gecos, or shell via yppasswd daemon. |
hdtraq.c - This runs as a daemon
and purportedly creates bad sectors on a hard drive. |
bind_nuke.txt - Bind8.1.(1)
can't update the same RR more than once in the same DNS packet. |
logdaemon.tar.gz - Version
5.6 of a suite of tcp/ip programs that enhance network system logging. |
suTrojan.c - This is a
replacement program for su that mails you when an attempt to su is made. |
Tcpmon.c - TCP Monitor v1.0 |
sushiPing.c - On Sun 4
platforms, this trojan ping gives you a root shell when you make a triggerfile. |
webgais.txt - This will explain
how to issue shell commands remotely using /cgi-bin/webgais. |
socket_demon13.zip -
Daemon that sits on a specified IP port and provides passworded shell access. |
pcs.tgz
- A libpcap based sniffer that supports multiple interfaces and PPP (with no filtering). |
sfingerd-1.8.tgz - A
replacement for the standard unix finger daemon designed for security. |
gnmp.tar.gz - Generic Network
Message Passing is a simple client server messaging system |
irixmail.sh - Exploit shell
script that gives a root shell on IRIX systems. |
lpr Exploit - This small
program exploit the suid root lpr program giving root. |
Xfree86 Exploit - There is a
problem with XFree86 3.1.2 that lets you overwrite files. |
wipehd.asm - Assembly language program that will remove the first 10 sectors of a hard drive. |
minicom.c - This is an exploit
for minicom on Linux systems that will overwrite a buffer. |
sam.txt
- On HP-UX, the System Administration Manager (sam) can be used to truncate files. |
wuftpd_umask.txt - The umask for wuftpd 2.4.2-b13 is 002, making created files group writeable. |
xspy.tar.gz - xspy is a program
that makes logins appear on your display. |
scan.sh
- This is a perl script that scans subnets and reports if rexd or ypserv is running. |
xscan.tar.gz - scans subnets
for unsecured X clients and automatically logs results |
BSDcron-ex.c - BSD cron
exploit. This program overruns a buffer, giving root access. |
OSF1_dxchpwd - On OSF1,
/usr/tcb/bin/dxchpwd can be used to overwrite any file on the system. |
bindExploit.txt - Setting
SO_REUSEADDR options and calling bind allows user to steal udp packets. |
cloak.c
- This program wipes all traces of a user from a UNIX system. |
convfontExploit.sh -
Script that exploits /usr/bin/convfont on Linux systems to get root access. |
marry.c
- This program is a log editor with lots of interesting features. |
portscan.c - A Linux port
scanner program that reports the services running on another host. |
dumpExploit.txt - On Linux
systems /sbin/dump can be used to read arbitrary files. |
fingerd.c - This program is
another finger daemon trojan program. |
solaris_ping.txt - On
Solaris 2.x systems, any user can crash or reboot the system using ping. |
generic_buffer.tgz -
Generic buffer overrun program for Linux, SunOS, and Solaris. |
linux_lpr.c - This program
overwrites a buffer in the suid program lpr, thus giving a root shell. |
SunOS_user.txt - On SunOS,
chsh and chfn use getenv("USER") to validate the userid of the caller. |
secure_shell.txt - Using SSH, a non-root user can open privileged ports and redirect them. |
grabBag.tgz - Tons of old and
miscellaneous exploits from different versions of unix. |
wu-ftpd.sh - This shell script
lets you create a file anywhere on the system. |
sol_mailx.txt - An old
security hole in /usr/bin/mailx still exists in the mailx on Solaris 2.5 |
glimpse_http.txt - Glimpse
HTTP (Interface to Glimpse Search Tool) can issue remote commands. |
hp_stuff.tgz - Lots of
exploits for HP/UX from the Scriptors of Doom. |
hpjetadmin.txt - hpjetadmin
can be tricked giving away root by a writeable .rhosts file. |
irix-buffer.txt - IRIX
buffer overruns for df, eject, /sbin/pset, /usr/bsd/ordist, and xlock. |
irix-xterm.c - This will
overwrite a buffer in xterm on IRIX systems, giving a root shell. |
irix-iwsh.c - This will
overwrite a buffer in /usr/sbin/iwsh on IRIX 5.3, giving root access. |
irix-printers.c - This will
overwrite a buffer in /usr/sbin/printers on IRIX systems giving root. |
modstat.c - This program will
overrun a buffer in /usr/bin/modstat on FreeBSD systems. |
pine_exploit.sh - This
script is an exploit for pine. It can be used to create .rhosts files |
view_source.txt - On some httpd distributions, you can use cgi-bin/view-source to read arbitrary files. |
sendmail-ex.sh - This is an
exploit script for sendmail 8.7-8.8.2 for FreeBSD and Linux. Gives root. |
smh.c
- smh.c is an exploit for sendmail 8.6.9. It gives a bin owned setuid shell. |
rlogin_exploit.c - This overwrites a buffer in gethostbyname() on Solaris 2.5.1, giving a root shell. |
expect_bug.txt - Expect does not make handles to pseudo ttys inaccessible to other processes. |
html.txt - Shows interesting links
to put in your HTML pages causing denial of service. |
autoreply.txt - autoreply(1)
can be used to create root owned files with a mode of 666. |
bdexp.c
- On older versions of Linux, this will overwrite a buffer in suid bdash, giving root. |
irix-csetup.txt - Get root
on IRIX via /usr/Cadmin/bin/csetup in conjunction with /usr/sbin/sgihelp |
solsocket.txt - On
Solaris-x86 2.5, any normal user can connect to unix domain sockets. |
lemon25.c - Exploit for Solaris
2.5.(1) that overwrites a buffer in passwd, giving root access |
reflscan.c - Another TCP port
scanner that escapes logging by using half open connections. |
yp.txt
- On YP systems, when a password expires, the old password is not required. |
bsd_core.txt - On BSDi 3.x, users can create files anywhere containing arbitrary binary data, but not overwrite existing ones. |
ffbconfig-ex.c - This
program overwrites a buffer in /usr/sbin/ffbconfig on Solaris 2.5.1 giving root. |
FreeBSD-ppp.c - This will
overwrite a buffer in pppd on FreeBSD systems, giving a root shell. |
sol-license.txt - On
Solaris 2.4, if the license manager is running, root can be obtained. |
lin-pkgtool.txt - This file
explains how to get root on Linux system with the pkgtool program. |
startmidi.txt - On IRIX
systems, startmidi can be exploited to obtain root privileges. |
linux_rcp.txt - On Linux, if
you have access to uid 65535 (nobody), then root can be obtained. |
doomsnd.txt - This will get
root on Linux systems by exploiting the doom sndserver. |
solaris_ps.txt - This will
exploit /usr/bin/ps and /usr/ucb/ps on Solaris systems, giving root access. |
dec_osf1.sh - This script
exploits /usr/sbin/dop on DEC unix 4.0, 4.0A, and 4.0B, giving a root shell. |
tcp_wrapper.tgz - Version
7.5 (the latest) of the tcp/ip wrapper for inetd. (Does logging and monitoring) |
rpcbind_1.1.tgz - This is
an rpcbind replacement that includes tcp wrapper style access control. |
breaksk.txt - Netscape's server
key format is susceptible to dictionary attacks. |
irix-dataman.txt - This
file show how to exploit dataman on irix system to obtain root access. |
irix-fsdump.txt - This is
an exploit for /var/rfindd/fsdump that gives root on irix systems. |
qmail.tar.gz - This is a
replacement sendmail-binmail system providing security and efficiency. |
h_rpcinfo.tar.gz - Allows
you to sneak past port filters on port 111 and get dumps of RPC services. |
synlog-0.1.tar.gz -
Synlog monitors half open TCP connections such as synfloods or synscans. |
wrapper-v2.tgz - This is a
generic wrapper to prevent the exploitation of suid/sgid programs. |
solaris_ifreq.c - On
Solaris, users can do control requests on a root created socket descriptor. |
longpath.sh - Shell script that
implements a long path attack causing various problems on Linux. |
logarp.tar.gz - Useful for
seeing if users on your subnet are "stealing" IP addresses. |
aix_dtterm.c - This will
overwrite a buffer in /usr/dt/bin/dtterm on AIX 4.2 PPC, giving root. |
irix-wrapper.c - Wraps
programs on IRIX to prevent command line argument buffer overruns. |
irix-df.c - This will overwrite a
buffer in /bin/df on IRIX systems, thus giving a root shell. |
irix-dp.c - This overwrites a
buffer in /usr/lib/desktop/permissions, giving egid of sys on IRIX. |
irix-login.c - This will
overwrite a buffer in /bin/login on IRIX systems, giving root. |
irix-xlock.c - This will give
root by overwriting a buffer in /usr/bin/X11/xlock on IRIX. |
synsniff.tar.gz - Script in
perl which watches for inbound connections (SYN's) and logs them. |
SunOS_crash.txt - Reading
/dev/tcx0 on a SunOS 4.1.4 Sparc 20 causes a system panic. |
imapd_exploit.c - Get remote root access on Redhat Linux systems by overwriting a buffer in imapd. |
xlock.c
- On Linux systems, this will overwrite a buffer in setuid xlock, giving root access. |
elm_exploit.c - Overwrites a
buffer in Elm and Elm-ME+ on Linux via TERM environ. variable. |
daynotify.sh - This script
will exploit a bug in SGI's Registration Software under IRIX 6.2. |
tcpdump.tar.Z - A tool for
network monitoring and data acquisition. (needs library packet capture.) |
sperl.tgz - Overwrites a buffer
in the sperl5.001 and sperl5.003, thus giving root access. |
dip-prob.txt - Dip will allow
an ordinary user to gain control of arbitrary devices in /dev. |
nlspath.txt - Exploits for
ping, minicom, su and others on Linux via NLSPATH env. variable. |
solaris_lp.sh - Script for
Solaris that breaks lp, then use lp priv to break root (or bin, etc...). |
AIX_mount.c - Overwrites a
buffer in /usr/sbin/mount on AIX 4.x systems via LC_MESSAGES. |
fdformat-ex.c - This will
overwrite a buffer in /usr/bin/fdformat on Solaris 2.x systems giving root. |
sunos-ovf.tar.gz - This
program is designed to test buffer overflows on SunOS 4.1.x boxes. |
slammer.tar.gz - Slammer lets you issue arbitrary commands on hosts by exploiting yp daemons. |
color_xterm.c - This will
overwrite a buffer in /usr/X11/bin/color_xterm, giving root on Linux. |
tlnthide.c - Allocates a port
and sets up a telnet gateway making it difficult to trace telnets. |
LPRng.tgz - A light weight
printing system especially designed with security in mind. |
utclean.c - This will remove your
presence from wtmp, wtmpx, utmp, utmpx, and lastlog. |
eject.c
- Overwrites a buffer on Solaris 2.x systems in /usr/bin/eject, giving a root shell. |
bind-8.1.1.tgz - Version
8.1.1 of bind with many improvements - (includes documentation) |
webs099.tgz - A minimalist web
server designed primarily for security and handles redirects. |
talkd.txt - This explains how to
get root remotely by overwriting a buffer in in.talkd. |
udpstorm.tgz - This is an implementation of the udpstorm attack. Works with Linux. |
jakal.c
- A portscanner that avoids tcp-logging by not completing the 3-way TCP handshake. |
lin_probe.c - This overwrites a
buffer in /usr/X11/bin/SuperProbe on Linux, thus giving root. |
AIX_host.c - Overwrites a buffer
in gethostbyname() on AIX 4.2 Power PC, giving a root shell. |
connect.c - Lets a normal user
crash AIX 4.1.4, AIX 4.1.5, HP-UX 10.01, and HP-UX 9.05 |
sol2.5_nis.txt - This show
how to exploit /usr/lib/nis/nispopulate on Solaris 2.5 systems. |
xdm_bugs.txt - It is possible
to deny service from xdm and xdm does not close file handles correctly. |
lilo-exploit.txt - Get root on the latest versions of Linux (at the console) using LD_PRELOAD. |
rsucker.pl - Perl script that
acts as a fake r* daemon and logs the usernames sent from clients. |
portmap_5b.tar.gz - A
portmapper that supports access control in the style of the tcp wrapper package. |
irix-login.txt - On Irix
systems /var/adm/badlogin contains failed logins and passwords in clear text. |
iebugs.tar.gz - Microsoft
Internet Explorer bugs one through six in text and html format. |
arnudp.c - Demonstrates how to send single UDP packets from an arbitrary source to an arbitrary destination. |
cgiwrap-3.22.tgz - This is
a gateway that allows a more secure user access to CGI programs. |
pma.tar.gz - Poor Man's Access -
A daemon that lets you issue shell commands remotely. |
makedir.txt - Programs to
create thousands of directories and to delete these directories. |
tcpprobe.c - This is a tcp
portscanner that shows accepted connections on a remote host. |
locktcp.c - This program will
freeze a Solaris/x86 2.5.1 systems, causing denial of service. |
irix-wrap.txt - This shows
how to get a listing of directories (755) from cgi-bin/wrap on Irix 6.2. |
block.c
- Prevents users from logging in by monitoring utmp and closing down user's tty ports |
tin_problem.txt - rtin/tin
will create /tmp/.tin_log with mode of 0666 in /tmp and follows symbolic links. |
sun_patch.sh - For Sun SPARC systems; the archive claims this script stops all forms of buffer overrun attacks, which is an overstatement, since no single patch blocks every overflow. |
riputils.tgz - This is a set
of routing internet protocol utilities designed for Linux systems. |
test-cgi.txt - Using the CGI
program test-cgi, you can inventory files on remote systems. |
fakerwall.c -This program lets
you send an rwall message from an arbitrary host of your choice. |
bind.txt - This describes a potential denial of service problem with BIND-4.9.5-P1. |
remove.c - A universal utmp, wtmp,
and lastlog editor that also compiles under AIX & SCO. |
hide.c
- Exploits a world-writeable /etc/utmp and allow the user to modify it interactively. |
hsh002.c - This is a neat little
shell for experimentation with lots of interesting features. |
nfswatch4.1.tar.Z - This
lets you monitor NFS requests to any given machine or the entire network. |
nfstrace.tgz - The
rpcspy/nfstrace package lets you to perform NFS tracing by network monitoring. |
wuftpd-owrite.sh -
Exploits a bug in wu-ftpd to create or overwrite a file anywhere on the filesystem |
wuftpd-sdump.sh - Exploit a
bug in wu-ftpd to assemble and view the shadow password file. |
shadowyank.c - This will reconstruct shadow entries from the core file left when the ftp daemon segfaults. |
ident-scan.c - TCP scanner
that gets the username of the daemon running on the specified port |
ascend.txt - Program for Linux
designed to attack Ascend routers with zero length tcp offsets. |
gzip.txt - While a file is being
compressed with gzip it is world readable. |
libc.so.5 - This is a hacked
libc.so.5 for Linux that spawns a shell when a call is made to crypt(). |
sdtcm_convert.txt - This
explains to how exploit sdtcm_convert on Solaris machines to get root access. |
mnt.tar.gz - Exploits a hole in
HP-UX 9 rpc.mountd program and lets you steal NFS file handles. |
kmemthief.c - If /dev/kmem is
writeable by normal users, then this program will get you root. |
nfsshell.c - This should be very
useful if you have located an insecure NFS server. |
psrace.c - This code exploits a
race condition in Solaris, thus allowing you to make a root shell. |
rpc_chk.sh - Shell Script to get
a list of running hosts from a DNS nameserver for a given domain. |
seq_number.c - This is a
program that exploits the TCP Sequence Number Generator bug. |
asppp.txt - On Solaris 2.5x86,
/tmp/.asppp.fifo can be used to make a world writeable .rhosts file |
kcms.txt - Explains how to get
root on solaris 2.5 by exploiting /usr/openwin/bin/kcms_calibrate. |
Spoofing |
any-erect.c - Another DNS
spoofing type program much like jizz.c. Compiles on Linux. |
smurf.c - Sends ICMP echo requests to broadcast addresses with a spoofed source, so every host on those segments replies to the victim: one packet in, many replies out. |
Jizz.c
- A DNS spoofer that exploits the cache vulnerability in most BIND daemons |
ipspoof.c - The classic IP
spoofer. |
sirc4.gz - IRC spoofer |
Sniffers |
web_sniff.c - A Linux sniffer
that is designed to retrieve web usernames and passwords. |
Linsniff.c - This is a simple
Linux Sniffer that shows you incoming TCP packets on most ports. |
Esniff.c - Source for a basic ethernet sniffer |
Linux_sniffer.c - Monitors
ip packets for Linux. |
Solsniff.c - This is
sunsniffer.c modified to run on dlpi systems |
Sunsniff.c - A sniffer for SUN
machines. |
Secsniff.c - Another sniffer. |
sniffit.0.3.5.tar.gz -
A very flexible network sniffer that has many interesting features (like curses) |
tcpview.c - Another sniffer type
program designed for Sun OS 4.1 architectures using /dev/nit. |
IPInvestigator.tgz - IPInvestigator is another sniffer that lets you watch traffic between machines. |
snifftest.c - snifftest.c will
try to tell you if a sniffer is running on Sun machines. |
solsniffer.c - This is a
version of ESniff.c that has been modified for Solaris 2.X. |
Nuking |
sping.tar.gz - Linux binary
and source of 'sping' which causes Win95 machines to crash. |
Winnuke.c - This sends Out of
Band Data to Win95/NT computers causing panics and reboots. |
Jolt.c
- Sends oversized fragmented packets to Win95 boxes causing them to lock up. |
jping.tar.gz - This is another simple ICMP flooding program that compiles under Linux. |
puke.c
- Spoofs an ICMP unreachable error to a target, causing connection drops. |
Synk4.c
- An improved and updated Syn Flooder that also supports a random IP spoofing mode |
fping.tar.gz - Like UNIX
ping(1), but allows efficient pinging of a large list of hosts. |
simping.c - Simulates the
"ping -l 65510 victim.host" from Windows95 - also compiles on Linux. |
pong.c
- Attacks an arbitrary host by sending a flood of spoofed ICMP packets. |
land.c - Crashes WfW 3.11, Win95 and WinNT by sending a spoofed TCP SYN to an open port whose source address and port are the same as its destination address and port. |
teardrop.c - Exploits the
overlapping IP fragment bug present in all Linux kernels and NT 4.0 / Windows 95 (others?) |
pentium_bug.c - Denial of
service attack for the Intel Pentium CPU for any operating system. |