
Here is an aging, but still very relevant collection of security exploits for various operating systems. I snagged and mangled this some time ago and because it is popular, I shall be leaving it in place.

Since you're here, you may want to take a look at one of my public tools - Brutus, a remote password cracker for Windows (no UN*X version I'm afraid, yet.)

File Name Brief Description
ntpptp.c NT 4.0 SP3 PPTP denial of service attack exploit.
ntpwgrabber.txt A rogue DLL placed in the system32 directory under Windows NT collects passwords in plaintext.
libcrypt.tgz The libcrypt.so / _RLD_ROOT telnetd environment variable root exploit for IRIX systems.
imapd_scan.sh This script scans (and exploits) an entire subnet for imap2 vulnerabilities.
qmail_dos.c Runs a qmail system out of memory by feeding it an unbounded list of recipients.
ping_bug.txt Users of pine can overwrite any file in their home directory despite permissions.
latierra.c An enhanced version of land.c which works better against NT SP3 among other things.
rip.c RIP (Routing Information Protocol) Version 1 Spoofer
imaps.tar.gz Several different versions of the remote imapd buffer overflow exploit.
automount.c The automountd exploit for SunOS 5.5.1 lets you issue remote commands.
xfree86.txt Using XFree86, ordinary users can read any file that root can read.
lownoise.txt Exploit for Digital Unix v4.0 that lets you create a writable /.rhosts file.
land.c Crashes Windows by sending a spoofed SYN to an open port with the source address and port set to the same values as the destination.
teardrop.c Exploits the overlapping IP fragment bug present in Linux kernels of the time and in NT 4.0 / Windows 95 (others?).
pentium_bug.c Denial of service attack for the Intel Pentium CPU for any operating system.
linux_perl.txt It is still possible to overwrite a buffer and get root on Linux via sperl 5.003.
lizards.txt Explains how to get root on Slackware 3.4 from the suid lizards game.
evil-term.c This is the remote buffer overflow termcap exploit for BSDI BSD/OS 2.1.
dgux_xterm.txt On Digital Unix 4.0B, making xterm dump core can overwrite arbitrary files.
php_exploit.c mlog.html and mylog.html, shipped with the PHP distribution, can be used to read arbitrary files.
wwwcount.c Exploits Count.cgi, allowing remote execution of arbitrary commands.
ciscocrack.c Script and source for decrypting Cisco's reversibly encrypted (type 7) passwords.
wm_exploit.c Overwrites a buffer in 'wm' from Ideafix package for Linux, giving root.
brute_ssl.c This program brute-forces its way into secure (SSL) and non-secure web servers.
sr-crash.c Source routing exploit for Linux v1.0.x-v1.3.x that causes the kernel to panic.
aix_ping.c Overwrites a buffer in gethostbyname(), giving root access.
aix_lchangelv.c Another buffer overrun that gives root on AIX 4.x machines.
aix_xlock.c This will overwrite a buffer in /usr/bin/X11/xlock giving root.
web_sniff.c A Linux sniffer that is designed to retrieve web usernames and passwords.
arp_fun.txt ICMP and ARP can be used to deny service to and spoof other hosts on the LAN.
xf86_ports.txt A normal user can run X on a reserved port, blocking legitimate daemons.
hostscan.cmd OS/2 REXX script that scans hosts by IP address.
solaris_telnet.c A program designed to attack a Solaris 2.5 box, making it totally unresponsive.
identd_attack.txt A flood of ident (authentication) requests can render a system unusable.
secure_shell.txt Using SSH, a non-root user can open privileged ports and redirect them.
sshd_redirect.txt Any normal user can redirect privileged ports using secure shell daemon.
medax_linux.tgz A TCP sequence number predictor that also lets you execute commands.
samba_exploit.txt Local and remote exploit for samba that sends an xterm back to your display.
bsd_procfs.c In /proc under FreeBSD 2.2.1, you can modify a setuid executable's memory.
zgv_exploit.c This overwrites a buffer in /usr/bin/zgv on Red Hat Linux systems, giving root.
heroin.c This sample source illustrates the dangers of Linux modules in the kernel.
sgi_html.txt It is possible to execute remote commands on IRIX 6.3 and 6.4 via /usr/sysadm.
ipd_probe.txt The Internet Probe Droid can scan massive amounts of hosts very quickly.
smurf.c Spoofs ICMP echo requests to broadcast addresses so that a single packet draws many replies onto the target host.
in.comstat.txt If a user has biff y on, in.comstat can be used to increase the system load.
bind_nuke.txt BIND 8.1(.1) cannot update the same RR more than once in the same DNS packet.
chkexploit_1.13.tgz A shell script for Linux that checks for some publicly available exploits.
syslog_deluxe.c Lets you write spoofed and arbitrary messages to another machine's syslogd.
dgux_fingerd.txt The fingerd that ships with DG/UX allows remote execution of arbitrary commands.
smb_mount.c This overwrites a buffer on Linux systems in smbmount from smbfs-2.0.1.
nmap.1.25.tar.gz nmap is a utility for port scanning large networks and currently runs on Linux.
innd_exploit.c Overwrites a buffer in innd on Linux x86 systems thus giving a remote shell.
smlogic.c A fully functional logic bomb designed to render Linux systems unusable.
intruderf.c A trojan for Linux systems that mails you users' names and passwords.
ld.so.c Overwrites a buffer via LD_PRELOAD env. variable, giving root on Linux.
sol_syslog.txt If Solaris syslogd gets a message and it can't resolve the sender's IP, it dies.
promisc.c This program will scan your network devices to detect running sniffers.
solaris_ping.txt On Solaris 2.x systems, any user can crash or reboot the system using ping.
seyon_exploit.sh Exploit for seyon, giving you the euid or egid of whatever seyon is suid to.
aixdtaction.c Overwrites a buffer in /usr/dt/bin/dtaction giving root access.
datapipe.c Relays data between a listening port on the local host and a port on a remote machine.
sping.tar.gz Linux binary and source of 'sping' which causes Win95 machines to crash.
linux_httpd.c Overwrites a buffer in NCSA httpd v1.3 on Linux systems, giving a remote shell.
sgi_cgihandler.txt On IRIX systems, /cgi-bin/handler can be used to issue arbitrary commands.
wuftpd_umask.txt The umask for wu-ftpd 2.4.2-b13 is 002, leaving uploaded files group-writable.
majordomo.txt Local and remote users can execute arbitrary commands from majordomo.
glimpse_http.txt Glimpse HTTP (Interface to Glimpse Search Tool) can issue remote commands.
pandora.tgz The Unix version of the NetWare 4.x NDS cracking utility.
telnet_core.txt On Linux systems, it is possible to recover part of the shadow file from core dumps.
fake_ps.txt Checks for 'ps' trojans by running 'ps' and checking results against /proc.
hpux-cue.txt On HP-UX 10.20, users can truncate arbitrary files using the setuid cue program.
rpc.mountd_bug.txt One can see what files a machine contains by looking at rpc.mountd responses.
ircd_kill.c Overwrites a buffer in ircII daemons, causing a segmentation fault in the server.
lpboost.c A simple program demonstrating problems with PLP/LPRng user authentication.
imapd_4.1b.txt It is possible to crash imapd, leaving shadow and password file contents in the core file.
sneakin.tgz A way to 'reverse telnet' from a box behind a firewall that allows ICMP packets.
qmail.tar.gz This is a replacement sendmail-binmail system providing security and efficiency.
h_rpcinfo.tar.gz Allows you to sneak past port filters on port 111 and get dumps of RPC services.
synlog-0.4.tar.gz Synlog monitors half open TCP connections such as synfloods or synscans.
net_rpm.txt Redhat Package Manager (rpm) can be used to overwrite arbitrary files.
wrapper-v2.tgz This is a generic wrapper to prevent the exploitation of suid/sgid programs.
solaris_ifreq.c On Solaris, users can issue interface control (ioctl) requests on a socket descriptor created by root.
longpath.sh Script that implements a long path attack causing various problems on Linux.
logarp.tar.gz Useful for seeing if users on your subnet are "stealing" IP addresses.
aix_dtterm.c This will overwrite a buffer in /usr/dt/bin/dtterm, giving root.
campus_cgi_hole Describes a hole in campus cgi which allows execution of remote commands.
listhosts.c A host resolving program based on nslookup and other pieces of named tools.
irix-wrapper.c Wraps programs on IRIX to prevent command line argument buffer overruns.
irix-df.c This will overwrite a buffer in /bin/df on IRIX systems, thus giving a root shell.
irix-dp.c Overwrites a buffer in /usr/lib/desktop/permissions, giving egid of sys on IRIX.
irix-login.c This will overwrite a buffer in /bin/login on IRIX systems, giving root.
irix-xlock.c This will give root by overwriting a buffer in /usr/bin/X11/xlock on IRIX.
synsniff.tar.gz Perl script which watches for inbound connections (SYNs) and logs them.
SunOS_crash.txt Reading /dev/tcx0 on a SunOS 4.1.4 Sparc 20 causes a system panic.
imapd_exploit.c Get remote root access on Red Hat systems by overwriting a buffer in imapd.
xlock.c On Linux systems, this will overwrite a buffer in setuid xlock, giving root access.
phobia.tgz This utility does a scan of an internet host looking for various vulnerabilities.
elm_exploit.c Overwrites a buffer in Elm and Elm-ME+ on Linux via TERM environ. variable.
daynotify.sh This script will exploit a bug in SGI's Registration Software under IRIX 6.2.
brute_web.c This program brute-forces its way into a web server given a username and a password list.
tcpdump.tar.Z Tool for network monitoring and data acquisition (needs libpcap, the packet capture library).
winnuke.c Sends Out of Band Data to a Win95/NT computer causing panics and reboots.
sperl.tgz Overwrites a buffer in the sperl5.001 and sperl5.003, thus giving root access.
dip-prob.txt dip allows an ordinary user to gain control of arbitrary devices in /dev.
nlspath.txt Exploits for ping, minicom, su and others on Linux via NLSPATH env. variable.
solaris_lp.sh Script for Solaris that breaks lp, then uses lp privileges to break root (or bin, etc.).
AIX_mount.c Overwrites a buffer in /usr/sbin/mount on AIX 4.x systems.
vold_prob.txt It is possible to corrupt CDROM management on Solaris by changing block size.
fdformat-ex.c This will overwrite a buffer in /usr/bin/fdformat on Solaris 2.x systems giving root.
sunos-ovf.tar.gz This program is designed to test buffer overflows on SunOS 4.1.x boxes.
cxterm.c Overwrites a buffer in Chinese xterm (cxterm) on Linux systems, giving root access.
color_xterm.c This will overwrite a buffer in /usr/X11/bin/color_xterm, giving root on Linux.
pepsi.c This program is a random source host UDP flooder that compiles under Linux.
tlnthide.c Allocates a port and sets up a telnet gateway making it difficult to trace telnets.
jping.tar.gz Another simple ICMP flooding program that compiles under Linux.
LPRng.tgz A light weight printing system especially designed with security in mind.
jolt.c Sends oversized fragmented packets to Win95 boxes causing them to lock up.
utclean.c This will remove your presence from wtmp, wtmpx, utmp, utmpx, and lastlog.
eject.c Overwrites a buffer on Solaris 2.x systems in /usr/bin/eject, giving a root shell.
puke.c Spoofs an ICMP unreachable error to a target, causing connection drops.
webs099.tgz A minimalist web server designed primarily for security and handles redirects.
talkd.txt This explains how to get root remotely by overwriting a buffer in in.talkd.
pingmod.tar.gz A very flexible pinging program that is able to fake ICMP packets and more.
rbone.tar.gz Another IP spoofer type program that guesses TCP sequence numbers.
bsd_cxterm.c This will overwrite a buffer in xterm_color on BSD systems, giving root.
udpstorm.tgz An implementation of the udpstorm attack. Works with Linux.
jakal.c Portscanner that avoids logging by not completing the 3-way TCP handshake.
lin_probe.c This overwrites a buffer in /usr/X11/bin/SuperProbe on Linux, thus giving root.
AIX_host.c Overwrites a buffer in gethostbyname() giving a root shell.
sgi_systour.txt Exploit for /usr/lib/tour/bin/RemoveSystemTour on IRIX 5.3 & 6.2 that gives root.
connect.c Crashes AIX 4.1.4, AIX 4.1.5, HP-UX 10.01, and HP-UX 9.05.
sol2.5_nis.txt Shows how to exploit /usr/lib/nis/nispopulate on Solaris 2.5 systems.
xdm_bugs.txt Shows how to deny service via xdm, which also fails to close file handles correctly.
crack-2a.tgz Unix Password Cracker 2.0(a) by Scooter Corp. (Comes with crack dictionary).
lilo-exploit.txt Get root on the latest versions of Linux (at the console) using LD_PRELOAD.
rsucker.pl Perl script that acts as a fake r* daemon and logs usernames sent from clients.
synk4.c An improved Syn Flooder that also supports a random IP spoofing mode.
portmap_5b.tar.gz Portmapper that supports access control in the style of the tcp wrapper package.
irix-login.txt On Irix systems /var/adm/badlogin has failed logins and passwords in clear text.
iebugs.tar.gz Microsoft Internet Explorer bugs one through six in text and html format.
arnudp.c Shows how to send single UDP packets with an arbitrary source/destination.
sun-reboot.txt By typing: perl -e 'print "\e[1J"' you can reboot a sun ultra sparc at the console.
cgiwrap-3.22.tgz This is a gateway that allows a more secure user access to CGI programs.
fastcracker.tgz This program is designed to quickly crack DES encrypted passwords.
pma.tar.gz Poor Man's Access - A daemon that lets you issue shell commands remotely.
lpr_bugs.txt It is possible to create, read, and delete any file on the system using lpr/lpd.
vsr.tar.gz A loadable module for SunOS systems that creates a virtual IP interface.
makedir.txt Programs to create thousands of directories and to delete these directories.
tcpprobe.c This is a tcp portscanner that shows accepted connections on a remote host.
locktcp.c This program freezes a Solaris/x86 2.5.1 system, causing denial of service.
irix-wrap.txt This shows how to get a listing of directories (755) from cgi-bin/wrap on Irix 6.2.
block.c Stops users from logging in by monitoring utmp and closing down their ttys.
tin_problem.txt rtin/tin creates /tmp/.tin_log with mode 0666 in /tmp and follows symbolic links.
sun_patch.sh For Sun SPARC systems, a script intended to stop buffer overrun attacks (no single fix stops all forms of them).
riputils.tgz A set of Routing Information Protocol (RIP) utilities designed for Linux systems.
ipbomb.c This will attack a target host by sending various sizes and numbers of IP packets.
test-cgi.txt Using the CGI program test-cgi, you can inventory files on remote systems.
lquerypv.txt On AIX systems you can read any file (in hex) on the system with lquerypv.
cops_104.tar.gz (Computer Oracle & Password System) checks for Unix misconfigurations.
Crack v5.0 Got access to password or shadow file? Shows what other user's passwords are.
Crack Dictionary This is a general 50,000 word dictionary for use with Crack or other programs.
Esniff.c This is the source code for basic ethernet Sniffer. ( Straight out of Phrack ).
fakerwall.c Lets you send an rwall message from an arbitrary host of your choice.
fping Like UNIX ping(1), but allows efficient pinging of a large list of hosts.
simping.c Simulates the "ping -l 65510 victim.host" from Win95 - also compiles on Linux.
bind.txt Describes a potential denial of service problem with BIND-4.9.5-P1.
pong.c Attacks an arbitrary host by sending a flood of spoofed ICMP packets.
jizz.c A DNS spoofer that exploits the cache vulnerability in most BIND daemons.
any-erect.c Another DNS spoofing type program much like jizz.c. Compiles on Linux.
hide.c Exploits a world-writable /etc/utmp, letting the user modify it interactively.
hsh002.c This is a neat little shell for experimentation with lots of interesting features.
netpipes4.0.tgz A package (that comes w/ Linux) to manipulate BSD TCP/IP stream sockets.
nfswatch4.1.tar.Z This lets you monitor NFS requests to any given machine or the entire network.
nfstrace.tgz This nfstrace package lets you to perform NFS tracing by network monitoring.
wuftpd-owrite.sh Exploit for wu-ftpd to create or overwrite a file anywhere on the filesystem.
wuftpd-sdump.sh Exploit a bug in wu-ftpd to assemble and view the shadow password file.
shadowyank.c Reconstructs shadow entries from the core file left when the ftp daemon segfaults.
ICMPinfo V1.10 ICMPinfo is a tool for looking at ICMP messages received on the running host.
ident-scan.c TCP scanner that gets the username of the daemon running on the specified port.
ascend.txt Program for Linux designed to attack Ascend routers with zero length tcp offsets.
gzip.txt While gzip is compressing a file, the output file is readable by all users.
iss13.tar.gz The Internet Security Scanner scans subnets and collects info. about hosts.
libc.so.5 A hacked libc.so.5 for Linux that spawns a shell when a call is made to crypt().
sdtcm_convert.txt Explains how to exploit sdtcm_convert on Solaris boxes to get root access.
mnt.tar.gz Exploits a bug in HP-UX 9 rpc.mountd program and gives you NFS file handles.
netcat (V1.10) Like Unix cat(1) but this one talks network packets (TCP or UDP).
NFS Shell This should be very useful if you have located an insecure NFS server.
pmcrash.c This allows you to crash ANY Livingston PortMaster by overflowing buffers.
pop3.c Attempts multiple username/password guesses against machines running POP3.
psrace.c Exploits a race condition in Solaris, thus allowing you to make a root shell.
Root Kit Programs like ps, ls, & du that are modified to hide certain files & processes.
rpc_chk.sh Script to get a list of running hosts from a DNS nameserver for a given domain.
seq_number.c This is a program that exploits the TCP Sequence Number Generator bug.
asppp.txt On Solaris 2.5x86, /tmp/.asppp.fifo can make a world writeable .rhosts file.
kcms.txt Get root on Solaris 2.5 by exploiting /usr/openwin/bin/kcms_calibrate.
remove.c A universal utmp, wtmp, and lastlog editor that also compiles under AIX & SCO.
kmemthief.c If /dev/kmem is writeable by normal users, then this program will get you root.
slammer Slammer lets you issue arbitrary commands on hosts by exploiting yp daemons.
socket_demon13.zip Daemon that sits on a specified IP port and provides passworded shell access.
Solaris Sniffer This is a version of ESniff.c that has been modified for Solaris 2.X.
xpusher.c This is a neat way to send keyboard events to another user's X window.
xsnoop.c This program allows you to spy on another user's keyboard events like xkey.c
Strobe (V1.03) Scans TCP ports on a target host and reveals which daemons are running.
Tiger (V2.2.3) Tiger checks a system for known bugs, holes, and misconfigurations that could be used to attain root.
lquerylv.c Overwrites a buffer in /usr/sbin/lquerylv on AIX systems, thus giving a root shell.
Traceroute Traceroute is an indispensable tool for troubleshooting and mapping your network.
open_bug.txt On {Free,Open,Net}BSD, open() returns a file descriptor to protected devices.
udpscan.c Identifies open UDP ports by sending bogus UDP packets and waiting for (ICMP port unreachable) responses.
portd.c A daemon that listens on a port and provides passworded shell access.
pingexploit.c This lets you send oversized ICMP packets from a unix box just like Win95.
checksyslog.tgz Analyze your system logs for security problems while ignoring normal behavior.
dosemu.txt On Debian v1.1, /usr/sbin/dos can be used to read any file on the system.
yaping.0.1.tgz Yet another ping for Linux. Packets of size > 65535 octets are supported.
xcrowbar.c Source code that gets you a pointer to an X Display even after an xhost - 
xkey.c Attach to any X server you have permission to and watch the user's keyboard.
xwatchwin.tar.gz If you have access to another user's X server, this shows one of their windows on your own X server.
messages.sh Parses /var/adm/messages to see if a user typed a password at the login prompt.
FreeBSDmail.txt This exploit will overwrite a buffer on sendmail 8.6.12 running on FreeBSD 2.1.0.
securelib.tar.Z Shared library for SunOS 4.1 and later that will help protect your RPC daemons.
ypsnarf.c This handy little program will get you yp domain names, yp maps, and yp maplists.
ypx.tgz Guesses NIS domain names and also extracts the maps directly from domains.
ftp-scan.c This program exploits the ftp protocol to let you scan services on firewalls.
rdist-ex.c Writes past a buffer, straight onto the stack, giving a root shell on FreeBSD.
ttywatcher-1.1b.tgz ttywatcher lets a user monitor and interact with every tty on the system.
splitvt.c An older exploit for Linux that overwrites a buffer in /usr/bin/splitvt, giving root.
mount-ex.c Linux systems of the period are vulnerable to this buffer overflow attack on suid mount.
perl-ex.sh perl-ex.sh is a simple little sperl script that gives you a root shell via suidperl.
sndmail8.8.4.txt This will explain how to exploit sendmail version 8.8.4 to get root access.
irix-xhost.txt In the default setup on Irix, xhost is set to global access for console logins.
aix_bugfiler.txt On AIX 3.x, /lib/bugfiler can be used to circumvent file access restrictions.
mod_ldt.c Gives access to all of Linux's linear memory to user processes at will.
dipExploit.c Linux dip Exploit. Overwrite a buffer in do_chatkey(), thus giving you a root shell.
rexecscan.txt The rexecd can be used easily to scan the client host from the server host.
rpcs.01b.tar.gz A program designed to scan subnets for RPC services.
rxvtExploit.txt Exploits a popen() call issued by rxvt on Linux machines, thus giving a root shell.
nfsbug.c Demonstrates a security problem in unfsd: guessing the file handle of the root filesystem.
abuse.txt Exploit for Red Hat 2.1 that gives a root shell by exploiting abuse.console.
xtermOverflo.c A program that overwrites a buffer in libXt.so while xterm is suid to root.
resolv+.exp Quick and Simple way to read the /etc/shadow file as well as many other things.
resizeExp.txt Another Red Hat 2.1 exploit for resizecons due to lack of absolute pathnames.
qcrack.tar.gz qcrack gives increased cracking speeds at the expense of disk space.
Linux rootkit A rootkit designed for Linux systems. Comes with ps, netstat, and login.
X webcomber A cool little tool that lets you search for things (like hacking) on the web.
gpm-exploit.txt This will get root on Linux systems using /usr/games/doom/killmouse.
pingflood.c Ping-floods a host, wasting bandwidth and denying service.
telnetd exploit This will create a shared library that gives a root shell remotely or locally.
balk.pl Perl script that messes up another user's tty using talk/ntalk.
wallflash.c This will mess up another user's tty remotely via remote write all (rwall).
pop3d exploit Read the contents of the mail spool of a user when they connect to in.popd.
popper.txt Some versions of (q)popper from Qualcomm allow you to read other users' mail.
vif.tar.gz This code lets you have multiple IP addresses for a single interface.
amod.tar.gz Amodload is a tool which allows the loading of arbitrary code into SunOS kernels.
getethers1.6.tgz getethers scans all addresses on an Ethernet segment and produces a hostname/Ethernet address list.
rootkitSunOS.tgz Here is another root kit designed for SunOS operating systems. Lots of cool stuff.
demonKit-1.0.tar.gz A suite of trojan programs opening back doors to root on a Linux system.
eviltelnetd telnet-hacked.tgz is a hacked telnet daemon that gives a root shell without a password.
cfexec.sh This lets you issue arbitrary commands as root on GNU cfingerd 1.0.1.
NFS Problems Shows some potential problems with Linux in.nfsd concerning read-only exports.
cdromvuln.txt If a Linux CD is mounted with the suid flag, old exploits still work against the live filesystem.
vixie.c On Red Hat Linux systems this overwrites a buffer in crontab, giving root.
linsniffer.c A Linux Sniffer that shows you incoming TCP packets on most ports.
rshd_problem.txt You can figure out valid usernames by examining the response from in.rshd.
linux_sniffer.c Another Linux sniffer much like the one above. Shows more detailed TCP info.
sniffit.0.3.5.tar.gz A very flexible network sniffer that has many interesting features (like curses).
Sol2.4Core.txt Solaris 2.4 exploit that lets you overwrite files when a suid program dumps core.
SolAdmtool.txt On Solaris 2.5, the Admintool can be used to create a writeable /.rhosts file.
irix-netprint.txt On IRIX, /usr/lib/print/netprint calls 'disable' without specifying absolute path.
SYNpacket.tgz Floods a port with TCP packets with the SYN bit set, causing inetd to segfault.
login_trojan.c A login trojan to be run at the console to capture other users' passwords.
phf.c A quick way to scan for hosts that still have the phf bug which gives /etc/passwd.
phfprobe.pl This tries to find out as much information about the person calling phf as possible.
SYNWatch.tar.gz This program watches for TCP packets with the SYN bit turned on.
pinglogger.tar.gz Logs all ICMP packets to a log file so you can see who is ping flooding you.
screen.txt On BSDi boxes, you can use /usr/contrib/bin/screen to read /etc/master.passwd.
ftpBounceAttack Implementation of the ftp Bounce Attack allowing you to anonymously do things.
grabem.c A very simple program to get passwords from users logging in on the console.
tcpview.c Another sniffer type program designed for Sun OS 4.1 architectures using /dev/nit.
pcnfsd.c Allows local users to chmod arbitrary directories on hosts running pcnfsd.
netcraft.tgz Contains various (and older) web security issues and exploits from Netcraft.
superforker.c This is a supercharged version of the classic fork() denial of service attack.
tripwire-1.2.tgz Creates signatures of binary files and checks whether those files were modified.
tcpr-1.3.tar.gz Set of Perl scripts that let you run ftp and telnet commands across a firewall.
syslogFogger.c Lets you write to the system logging facility via UDP packets to port 514.
ypbreak.c Lets you change your username, password, gecos, or shell via yppasswd daemon.
hdtraq.c This runs as a daemon and purportedly creates bad sectors on a hard drive.
finger_attack.txt By recursively fingering a host, you can cause a possible crash of in.fingerd.
logdaemon.tar.gz Version 5.6 of a suite of tcp/ip programs that enhance network system logging.
suTrojan.c A replacement program for su that mails you when an attempt to su is made.
sigurg.c This code allows you to kill any process on Linux boxes running older kernels.
sushiPing.c On Sun OS 4.x, this trojan ping gives you a root shell when you make a triggerfile.
webgais.txt This will explain how to issue shell commands remotely using /cgi-bin/webgais.
sushiQuota.c Another trojan for Sun 4 machines that is triggered by a trigger file.
swap-uid.c On Solaris, an I_PUSH call on an open tty followed by lseek() gives euid=0.
pcs.tgz A libpcap based sniffer that supports multiple interfaces as well as PPP.
sfingerd-1.8.tgz A replacement for the standard unix finger daemon designed for security.
snifftest.c snifftest.c will try to tell you if a sniffer is running on Sun machines.
IPInvestigator.tgz IPInvestigator is another sniffer that lets you watch traffic between machines.
gnmp.tar.gz Generic Network Message Passing is a simple client server messaging system.
irixmail.sh This is an exploit shell script that will give a root shell on IRIX systems.
lpr Exploit This small program exploits the suid root lpr program, giving root.
Xfree86 Exploit There is a problem with XFree86 3.1.2 that lets you overwrite files.
wipehd.asm Assembly language program that removes the first 10 sectors of a hard drive.
minicom.c This is an exploit for minicom on Linux systems that will overwrite a buffer.
sam.txt On HP-UX, the System Administration Manager (sam) can truncate files.
DenialofService Zip file illustrating five simple denial of service attacks on a Unix system.
xspy.tar.gz xspy is a program that will make user's logins appear on your display.
scan.sh This is a perl script that scans subnets and reports if rexd or ypserv is running.
xscan.tar.gz scans subnets for unsecured X clients and automatically logs results.
BSDcron-ex.c BSD cron exploit. This program overruns a buffer, giving root access.
OSF1_dxchpwd On OSF1, /usr/tcb/bin/dxchpwd can be used to overwrite any file on the system.
bindExploit.txt Setting SO_REUSEADDR and calling bind allows user to steal udp packets.
cloak.c This program wipes all traces of a user from a UNIX system.
convfontExploit.sh Script that exploits /usr/bin/convfont on Linux systems to get root access.
ipspoof.c This program demonstrates how to send arbitrary tcp/ip packets.
marry.c This program is a log editor with lots of interesting features.
juju.c This is an ICMP-router type program that will redirect ICMP packets.
redirect.c This program is a generic ICMP redirect sender for Solaris machines.
portscan.c A Linux port scanner that reports the services running on another host.
dumpExploit.txt On Linux systems /sbin/dump can be used to read arbitrary files.
fingerd.c This program is another finger type daemon trojan program.
ttysurf.c This program listens on ttys and tries to get login and passwords.
ttystuff.c This program lets you input commands into another user's terminal.
generic_buffer.tgz Generic buffer overrun program for Linux, SunOS, and Solaris.
linux_lpr.c This program overwrites a buffer in the suid program lpr, thus giving a root shell.
SunOS_user.txt On SunOS, chsh and chfn use getenv("USER") to validate userid of the caller.
kill_inetd.c This program causes denial of service by attacking inetd. Runs on Linux systems.
grabBag.tgz Tons of old and miscellaneous exploits from different versions of unix.
wu-ftpd.sh This shell script lets you create a file anywhere on the system.
sol_mailx.txt An old security hole in /usr/bin/mailx still exists in the mailx on Solaris 2.5
oracle.txt Discusses a denial of service attack against older versions of Oracle Webserver.
hp_stuff.tgz Lots of exploits for HP/UX from the Scriptors of Doom.
hpjetadmin.txt hpjetadmin can be tricked into creating a writable .rhosts file, giving away root.
irix-buffer.txt IRIX buffer overruns for df, eject, /sbin/pset, /usr/bsd/ordist, and xlock.
irix-xterm.c This will overwrite a buffer in xterm on IRIX systems, giving a root shell.
irix-iwsh.c This will overwrite a buffer in /usr/sbin/iwsh on IRIX 5.3, giving root access.
irix-printers.c This will overwrite a buffer in /usr/sbin/printers on IRIX systems giving root.
spaceball.txt spaceball.sh can be exploited to give a setuid root shell on IRIX 6.2 boxes.
flash.c Messes up user's terminals by issuing a talk request with vt100 escape chars.
modstat.c This program will overrun a buffer in /usr/bin/modstat on FreeBSD systems.
pine_exploit.sh This script is an exploit for pine. It can be used to create .rhosts files.
view_source.txt On some httpd distributions, /cgi-bin/view-source can be used to read files.
sendmail-ex.sh This is an exploit script for sendmail 8.7-8.8.2 for FreeBSD and Linux. Gives root.
smh.c smh.c is an exploit for sendmail 8.6.9. It gives a bin owned setuid shell.
rlogin_exploit.c Overwrites a buffer in gethostbyname() on Solaris 2.5.1, giving a root shell.
octopus.c A denial of service attack by opening tons of connections to a remote host.
expect_bug.txt Expect does not make handles to pseudo-ttys inaccessible to other processes.
html.txt Shows interesting links to put in your HTML pages causing denial of service.
autoreply.txt autoreply(1) can be used to create root owned files with a mode of 666.
bdexp.c On older versions of Linux, this will overwrite a buffer in suid bdash, giving root.
irix-csetup.txt Get root on IRIX via /usr/Cadmin/bin/csetup in conjunction with /usr/sbin/sgihelp.
solsocket.txt On Solaris-x86 2.5, any normal user can connect to unix domain sockets.
lemon25.c Exploit for Solaris 2.5.(1) that overwrites a buffer in passwd, giving root access.
reflscan.c Another TCP port scanner that escapes logging by using half open connections.
yp.txt On YP systems, when a password expires, the old password is not required.
bsd_core.txt On BSDi 3.x, users can arbitrarily create files containing binary data, but not overwrite existing ones.
ffbconfig-ex.c This program overwrites a buffer in /usr/sbin/ffbconfig on Solaris 2.5.1 giving root.
FreeBSD-ppp.c This will overwrite a buffer in pppd on FreeBSD systems, giving a root shell.
sol-license.txt On Solaris 2.4, if the license manager is running, root can be obtained.
sparc_cpu.txt Compiling main(){while(1);} with optimizations turned on will hose a sparc.
lin-pkgtool.txt Explains how to get root on Linux systems with the pkgtool program.
startmidi.txt On IRIX systems, startmidi can be exploited to obtain root privileges.
linux_rcp.txt On Linux, if you have access to uid 65535 (nobody), then root can be obtained.
doomsnd.txt This will get root on Linux systems by exploiting the doom sndserver.
solaris_ps.txt Exploit /usr/bin/ps and /usr/ucb/ps on Solaris systems, giving root access.
dec_osf1.sh Exploits /usr/sbin/dop on DEC unix 4.0, 4.0A, and 4.0B, giving a root shell.
tcp_wrapper.tgz Version 7.5 of the tcp/ip wrapper for inetd. (Does logging and monitoring).
rpcbind_1.1.tgz This is an rpcbind replacement that includes tcp wrapper style access control.
breaksk.txt Netscape's server key format is susceptible to dictionary attacks.
IP-spoof.txt Examples and text on the art of IP spoofing. (For Linux 1.3.x kernels).
irix-dataman.txt Shows how to exploit dataman on IRIX systems to obtain root access.
irix-fsdump.txt This is an exploit for /var/rfindd/fsdump that gives root on irix systems.
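Several entries above (teardrop.c, jolt.c, sping, simping.c, pingexploit.c, yaping) abuse IP fragmentation: fragments that overlap or sit entirely inside an earlier one, or a datagram that would reassemble to more than 65535 bytes. The following is an added example, not code from this archive, showing the pre-reassembly check a stack or an IDS should apply to a fragment set. Fragments are passed as (offset in bytes, payload length, more-fragments flag) tuples and the sample sets are constructed, not captured.

```python
# Added example (not from the HooBieNet archive): a pre-reassembly sanity
# check for IP fragments that flags the malformed-fragment patterns behind
# teardrop.c / jolt.c (overlapping or nested fragments) and the oversized
# ping tools (a reassembled datagram larger than 65535 bytes).
# Fragments are given as (offset_bytes, payload_len, more_fragments); the
# offset is the 13-bit header field already multiplied by 8. Sample sets
# are constructed, not captured.

IP_MAX_DATAGRAM = 65535


def check_fragments(frags):
    """Return a list of problem descriptions; an empty list means the set looks sane.

    frags: sequence of (offset, length, mf) tuples in arrival order.
    """
    problems = []
    accepted = []           # (start, end) byte ranges of fragments seen so far
    total_end = 0
    for idx, (off, length, mf) in enumerate(frags):
        if length <= 0:
            problems.append(f"fragment {idx}: non-positive length {length}")
            continue
        if off % 8:
            problems.append(f"fragment {idx}: offset {off} is not a multiple of 8")
        if mf and length % 8:
            # RFC 791: every fragment except the last carries a multiple of 8 bytes
            problems.append(f"fragment {idx}: non-final fragment length {length} is not a multiple of 8")
        start, end = off, off + length
        for s, e in accepted:
            if start < e and s < end:           # byte ranges intersect
                if s <= start and end <= e:
                    # the whole fragment sits inside an earlier one: this is the
                    # case that drove the Linux/NT reassembly code to compute a
                    # negative copy length (teardrop)
                    problems.append(f"fragment {idx}: lies entirely inside earlier fragment [{s},{e}) (teardrop pattern)")
                else:
                    problems.append(f"fragment {idx}: overlaps earlier fragment [{s},{e})")
                break
        accepted.append((start, end))
        total_end = max(total_end, end)
    if total_end > IP_MAX_DATAGRAM:
        problems.append(f"reassembled datagram would be {total_end} bytes, above the IP maximum of {IP_MAX_DATAGRAM} (ping-of-death pattern)")
    return problems


# Constructed samples: a normal 3-fragment datagram, the teardrop pair
# (36-byte first fragment, 4-byte second fragment at offset 24), and a final
# fragment placed so the datagram would exceed 65535 bytes.
SANE = [(0, 1480, 1), (1480, 1480, 1), (2960, 500, 0)]
TEARDROP = [(0, 36, 1), (24, 4, 0)]
OVERSIZED = [(0, 1480, 1), (65528, 20, 0)]

if __name__ == "__main__":
    for name, frags in (("sane", SANE), ("teardrop", TEARDROP), ("oversized", OVERSIZED)):
        print(name, check_fragments(frags) or "ok")
```

The check is deliberately stricter than the kernels of the day were: a modern stack drops any overlapping fragment rather than trying to reconcile it, and that is the policy a filter in front of old hosts should enforce too.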
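The sequence-number spoofers in the list (medax_linux.tgz, rbone.tar.gz, seq_number.c) only work because the target hands out predictable TCP initial sequence numbers. This added example, not from the archive, derives the per-connection increment from a few sampled ISNs and predicts the next one, or reports that the stack looks randomised. The 64000-per-connection step is the classic BSD value; the ISN lists are constructed.

```python
# Added example (not from the archive): checks whether a stack's TCP initial
# sequence numbers (ISNs) are predictable, the property the sequence-number
# spoofers above (medax_linux, rbone, seq_number.c) depended on. Classic
# BSD-derived stacks bumped the ISN by a fixed amount per connection
# (64000 per new connection, 128000 per second on 4.2BSD), so a few probe
# connections reveal the increment and the next ISN can be predicted and
# used to complete a blind, spoofed handshake. Sample ISNs are constructed.

MOD = 1 << 32            # TCP sequence numbers wrap at 2**32


def isn_deltas(isns):
    """Per-connection differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def isn_increment(isns, tolerance=0):
    """Return the (average) per-connection increment if every delta lies within
    `tolerance` of the others, else None (ISNs look randomised).
    Needs at least three samples so that two deltas can be compared."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    if max(deltas) - min(deltas) > tolerance:
        return None
    return sum(deltas) // len(deltas)


def predict_next_isn(isns, tolerance=0):
    """Predict the ISN the target will hand out on the next connection, or None."""
    inc = isn_increment(isns, tolerance)
    if inc is None:
        return None
    return (isns[-1] + inc) % MOD


# Constructed samples: a stack with the classic fixed 64000 step (including a
# wrap past 2**32) and one handing out random-looking ISNs.
PREDICTABLE = [4294775296, 4294839296, 4294903296, 0, 64000]
RANDOMISED = [0x3A1F9C00, 0x11E2B7A4, 0x7F03D121, 0x0C44EE98]

if __name__ == "__main__":
    print("fixed-step stack: next ISN", predict_next_isn(PREDICTABLE))
    print("randomised stack: next ISN", predict_next_isn(RANDOMISED))
```

The tolerance parameter matters in practice: the attacker's probe connections are not perfectly spaced, so a stack that increments by time as well as per connection shows deltas that jitter by a few hundred, which is still a window small enough to spray guesses into.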
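The log editors in the list (utclean.c, remove.c, cloak.c, marry.c, hide.c) remove a login's trace from utmp, wtmp and lastlog, most often by zeroing the record in place or splicing it out. This added example, not from the archive, is the corresponding defensive check: it parses a wtmp file and reports zeroed or partially wiped records, timestamps that run backwards, and files that are no longer a whole number of records. The record layout assumed is glibc's 384-byte struct utmp on x86-64 Linux (other systems differ), and the sample file is constructed with pack_record(), not read from a real host.

```python
# Added example (not from the archive): a scan for the traces that utmp/wtmp
# editors such as utclean.c, remove.c, cloak.c and marry.c leave behind. Most
# of them zero a record in place or splice records out, so a zero-filled
# slot, a USER_PROCESS record with an empty user, a timestamp that runs
# backwards, or a file whose length is not a whole number of records are all
# cheap indicators worth checking during incident response.
# Record layout is glibc's 384-byte struct utmp on x86-64 Linux (an
# assumption: other Unixes differ); the sample wtmp is constructed with
# pack_record(), not taken from a real host.
import struct

# short ut_type, 2 pad, int ut_pid, char ut_line[32], char ut_id[4],
# char ut_user[32], char ut_host[256], short e_termination, short e_exit,
# int ut_session, int tv_sec, int tv_usec, int ut_addr_v6[4], char unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)        # 384
USER_PROCESS = 7                               # ut_type for an interactive login


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def scan_wtmp(data):
    """Return a list of findings for the raw bytes of a utmp/wtmp file."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append(f"file length {len(data)} is not a multiple of {UTMP_SIZE}: truncated or partially overwritten")
    last_ts = 0
    for n in range(len(data) // UTMP_SIZE):
        raw = data[n * UTMP_SIZE:(n + 1) * UTMP_SIZE]
        if raw == b"\0" * UTMP_SIZE:
            findings.append(f"record {n}: zero-filled (wiped entry)")
            continue
        ut_type, _pid, _line, _id, user, _host, _term, _exit, _sess, tv_sec = struct.unpack(UTMP_FMT, raw)[:10]
        user = user.rstrip(b"\0").decode(errors="replace")
        if ut_type == USER_PROCESS and not user:
            findings.append(f"record {n}: USER_PROCESS with empty user name (partially wiped)")
        if tv_sec < last_ts:
            findings.append(f"record {n}: timestamp {tv_sec} is earlier than previous record ({last_ts})")
        last_ts = max(last_ts, tv_sec)
    return findings


def sample_wtmp():
    """Constructed wtmp: two real logins with a zeroed record between them."""
    first = pack_record(USER_PROCESS, 1201, "tty1", "alice", "localhost", 950000000)
    wiped = b"\0" * UTMP_SIZE
    second = pack_record(USER_PROCESS, 1300, "pts/0", "bob", "10.0.0.5", 950003600)
    return first + wiped + second


if __name__ == "__main__":
    for f in scan_wtmp(sample_wtmp()):
        print(f)
```

A clean editor that rewrites the whole file without the offending record leaves none of these marks, which is why wtmp should be compared against an independent source (syslog, process accounting, or a copy shipped off-host) rather than trusted on its own.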
 

 


Send mail to hoobie@hoobie.net with questions or comments etc.
Copyright 1997,1998,1999, 2000 HooBie Inc.
Last modified: March 24, 2000