This Metasploit module exploits a stack overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able to overwrite both the SEH and the saved EIP. A subsequent write-exception that will occur allows the transferring of execution to our shellcode via the overwritten SEH. This Metasploit module has been tested against Windows 2000 Professional and for some reason does not seem to work against Windows 2000 Server (could not trigger the overflow at all).

This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular modules works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue.

This is an exploit for the Exchange 2000 heap overflow. Due to the nature of the vulnerability, this exploit is not very reliable. This Metasploit module has been tested against Exchange 2000 SP0 and SP3 running a Windows 2000 system patched to SP4. It normally takes between one and 100 connection attempts to successfully obtain a shell. This exploit is *very* unreliable.

This Metasploit module exploits a stack overflow in the NetApi32 NetpManageIPCConnect function using the Workstation service in Windows 2000 SP4 and Windows XP SP2. In order to exploit this vulnerability, you must specify a the name of a valid Windows DOMAIN. It may be possible to satisfy this condition by using a custom dns and ldap setup, however that method is not covered here. Although Windows XP SP2 is vulnerable, Microsoft reports that Administrator credentials are required to reach the vulnerable code. Windows XP SP1 only requires valid user credentials. Also, testing shows that a machine already joined to a domain is not exploitable.

"Harden SSL/TLS" hardens the default SSL/TLS settings of Windows 2000,2003,2008,2008R2, XP,Vista,7. It allows you to remotely set SSL/TLS policies allowing or denying certain ciphers/hashes or complete ciphersuites.

This Metasploit module exploits a stack buffer overflow in the Windows Media Unicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially crafted FunnelConnect request, an attacker can execute arbitrary code under the "NetShowServices" user account. Windows Media Services 4.1 ships with Windows 2000 Server, but is not installed by default. NOTE: This service does NOT restart automatically. Successful, as well as unsuccessful exploitation attempts will kill the service which prevents additional attempts.

win32k.sys in Microsoft Windows 2000 / XP / 2003 suffers from a local kernel denial of service vulnerability related to SfnLOGONNOTIFY.

win32k.sys in Microsoft Windows 2000 / XP / 2003 suffers from a local kernel denial of service vulnerability related to SfnINSTRING.

This is an exploit for the chunked encoding buffer overflow described in MS03-051 and originally reported by Brett Moore. This particular modules works against versions of Windows 2000 between SP0 and SP3. Service Pack 4 fixes the issue.

A vulnerability in the Windows kernel can be triggered via SMB in Microsoft Windows versions ranging from Windows 2000 through to Windows 7. This vulnerability allows an attacker to trigger a kernel pool corruption by sending a specially crafted SMB_COM_TRANSACTION2 request. Successful exploitation of this issue may result in remote code execution with kernel privileges, while failed attempts will result in a denial of service condition.

The del2info utility was written to analyze Windows Recycle Bin INFO2 and $I?????? files. It can extract file deletion time, original path, and size of deleted files and whether they have been moved from the Recycle Bin. It supports files from Windows 2000 to 7.

The del2info utility was written to analyze Windows Recycle Bin INFO2 and $I?????? files. It can extract file deletion time, original path, and size of deleted files and whether they have been moved from the Recycle Bin. It supports files from Windows 2000 to 7.

This Metasploit module exploits a stack based buffer overflow in the BEA Weblogic Apache plugin. The connector fails to properly handle specially crafted HTTP POST requests, resulting a buffer overflow due to the insecure usage of sprintf. Currently, this module works over Windows systems without DEP, and has been tested with Windows 2000 / XP. In addition, the Weblogic Apache plugin version is fingerprinted with a POST request containing a specially crafted Transfer-Encoding header.

A vulnerability in Windows DHCP was found on Windows OS versions ranging from Windows 2000 through to Windows server 2003. This vulnerability allows an attacker to remotely overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user interaction. Successful exploitation of this issue will result in a remote network configuration overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.

ECLIPSEDWING exploits the SMB vulnerability patched by MS08-67. It affects Microsoft Windows 2000, 2003, and XP. Note that this exploit is part of the recent public disclosure from the "Shadow Brokers" who claim to have compromised data from a team known as the "Equation Group", however, there is no author data available in this content. Consider this exploit hostile and unverified. For research purposes only. Description has been referenced from http://medium.com/@networksecurity.

Mandrake Linux Security Update Advisory - Problems lie in the utempter program versions 10.0, 9.2, 9.1, Corporate Server 2.1, and Multi Network Firewall 8.2 that allow for arbitrary file overwrites and denial of service attacks.

RPM Finder Project version 1.2 is a utility that works much like the rpmfind.net site. It supports RedHat and Mandrake Linux.

Mandrake Linux Security Update Advisory - The cdrecord program, which is suid root, fails to drop euid=0 when it exec()s a program specified by the user through the RSH environment variable. This can be abused by a local attacker to obtain root privileges.

Mandrake Linux Security Update Advisory - A number of vulnerabilities were fixed in mozilla 1.7.3, the following of which have been backported to mozilla packages for Mandrake Linux 10.0: "Send page" heap overrun, javascript clipboard access, buffer overflow when displaying VCard, BMP integer overflow, javascript: link dragging, Malicious POP3 server III.

Mandrake Linux Security Update Advisory - cvs 10.0, 92, Corporate Server 2.1. A flaw in CVS versions prior to 1.1.17 in an undocumented switch to the CVS history command allows for determining directory structure and the existance of files on a target machine.

Mandrake Linux Security Update Advisory - affected versions of MDK: 10.0, 92, Corporate Server 2.1, Multi Network Firewall 8.2. Several vulnerabilities have been discovered in the libtiff package that could lead to arbitrary code execution.

Mandrake Linux Security Update Advisory - Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0. Also programs like cups which have embedded versions of xpdf. These can result in writing an arbitrary byte to an attacker controlled location which probably could lead to arbitrary code execution.

The Linux Security Auditing Tool (LSAT) is a post install security auditor for Linux/Unix. It checks many system configurations and local network settings on the system for common security/config errors and for packages that are not needed. It (for now) works under Linux (x86: Gentoo, RedHat, Debian, Mandrake; Sparc: SunOS (2.x), Redhat sparc, Mandrake Sparc; Apple OS X).

The Bastille Hardening System attempts to "harden" or "tighten" the Linux/Unix operating systems. It currently supports Red Hat and Mandrake systems, with support on the way for Debian, SuSE, TurboLinux and HP-UX. We attempt to provide the most secure, yet usable, system possible. Screenshot available here..

Mandrake Linux Security Update Advisory - The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application.

Mandrake Linux Security Update Advisory - SGI developers discovered a remote DoS (Denial of Service) condition in the NFS statd server. rpc.statd did not ignore the SIGPIPE signal which would cause it to shutdown if a misconfigured or malicious peer terminated the TCP connection prematurely.

Mandrake Linux Security Update Advisory - Herbert Xu discovered that iproute can accept spoofed messages sent via the kernel netlink interface by other users on the local machine. This could lead to a local Denial of Service attack.

The Bastille Hardening System attempts to "harden" or "tighten" the Linux/Unix operating systems. It currently supports Red Hat and Mandrake systems, with support on the way for Debian, SuSE, TurboLinux and HP-UX. We attempt to provide the most secure, yet usable, system possible. Screenshot available here..