Exploits

These are some of the exploits we wrote:

Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux POWER/PowerPC x86 (3)


The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage3.tar.gz · View on LWN.net

Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux POWER/PowerPC x86 (2)


The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage2.tar.gz · View on LWN.net

Linux sock_sendpage() NULL Pointer Dereference Exploit for Linux POWER/PowerPC x86


The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

linux-sendpage.c · View on LWN.net

ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)


Stack-based buffer overflow in the _tt_internal_realpath function in the ToolTalk library (libtt.a) in IBM AIX 5.2.0, 5.3.0, 5.3.7 through 5.3.10, and 6.1.0 through 6.1.3, when the rpc.ttdbserver daemon is enabled in /etc/inetd.conf, allows remote attackers to execute arbitrary code via a long XDR-encoded ASCII string to remote procedure 15.

rpc_ttdbserverd_realpath.rb

Samba lsa_io_trans_names Heap Overflow (Linux)


Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

lsa_transnames_heap_linux.rb

Sun Solaris sadmind adm_build_path() Buffer Overflow


Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request.

sadmind_adm_build_path.rb

Borland InterBase INET_connect() Buffer Overflow


Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.

ib_inet_connect.rb

Borland InterBase jrd8_create_database() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

ib_jrd8_create_database.rb

Borland InterBase open_marker_file() Buffer Overflow


Stack-based buffer overflow in Borland InterBase LI 8.0.0.53 through 8.1.0.253 on Linux, and possibly unspecified versions on Solaris, allows remote attackers to execute arbitrary code via a long attach request on TCP port 3050 to the open_marker_file function.

ib_open_marker_file.rb

Borland InterBase PWD_db_aliased() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

ib_pwd_db_aliased.rb

Firebird Relational Database isc_attach_database() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

fb_isc_attach_database.rb

Firebird Relational Database isc_create_database() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

fb_isc_create_database.rb

Firebird Relational Database SVC_attach() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

fb_svc_attach.rb

Borland InterBase isc_attach_database() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted attach request.

ib_isc_attach_database.rb

Borland InterBase isc_create_database() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted create request.

ib_isc_create_database.rb

Borland InterBase SVC_attach() Buffer Overflow


This module exploits a stack buffer overflow in Borland InterBase by sending a specially crafted service attach request.

ib_svc_attach.rb

Samba lsa_io_trans_names Heap Overflow (Solaris)


This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses the TALLOC chunk overwrite method (credit Ramon and Adriano), which only works with Samba versions 3.0.21-3.0.24. Additionally, this module will not work when the Samba "log level" parameter is higher than "2".

lsa_transnames_heap_solaris.rb

Samba lsa_io_trans_names Heap Overflow (OSX)


This module triggers a heap overflow in the LSA RPC service of the Samba daemon. This module uses szone_free() to overwrite the size() or free() pointer in the initial_malloc_zones structure.

lsa_transnames_heap_osx.rb

X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for SCO UnixWare 7.1.3 x86


Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sco-x86-xkb.c

X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for Solaris 8 9 10 SPARC


Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sol-sparc-xkb.c

X11R6 XKEYBOARD Extension Strcmp() Stack-based Buffer Overflow Exploit for Solaris 8 9 10 x86


Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

sol-x86-xkb.c