Hold down SHIFT and then hit the mouse button to get something. | |
---|---|
aixdtaction.c | Overwrites a buffer in /usr/dt/bin/dtaction via HOME env. variable, giving root. |
wuftpd_umask.txt | The umask for wuftpd 2.4.2-b13 is 002 making files group writeable by anyone. |
sneakin.tgz | A way to 'reverse telnet' from a box behind a firewall that allows ICMP packets. |
qmail_exploit.c | Runs a qmail system out of memory by feeding an infinite amount of recipients. |
qmail.tar.gz | This is a replacement sendmail-binmail system providing security and efficiency. |
controlpanel.txt | If root administrates via controlpanel, /etc/shadow is left in a world readable state. |
h_rpcinfo.tar.gz | Allows you to sneak past port filters on port 111 and get dumps of RPC services. |
synlog-0.1.tar.gz | Synlog monitors half open TCP connections such as synfloods or synscans. |
wrapper.txt | This is a generic wrapper to prevent the exploitation of suid/sgid programs. |
longpath.sh | Shell script that implements a long path attack causing various problems on Linux. |
logarp.tar.gz | Useful for seeing if users on your subnet are "stealing" IP addresses. |
aix_dtterm.c | This will overwrite a buffer in /usr/dt/bin/dtterm on AIX 4.2 PPC, giving root. |
irix-wrapper.c | Wraps programs on IRIX to prevent command line argument buffer overruns. |
irix-df.c | This will overwrite a buffer in /bin/df on IRIX systems, thus giving a root shell. |
irix-dp.c | This overwrites a buffer in /usr/lib/desktop/permissions, giving egid of sys on IRIX. |
irix-login.c | This will overwrite a buffer in /bin/login on IRIX systems, giving root. |
irix-xlock.c | This will give root by overwriting a buffer in /usr/bin/X11/xlock on IRIX. |
synsniff.tar.gz | Script in perl which watches for inbound connections (SYN's) and logs them. |
SunOS_crash.txt | If you try to read /dev/tcx0 on a SunOS 4.1.4 Sparc 20, you will cause a system panic. |
xlock.c | On Linux systems, this will overwrite a buffer in setuid xlock, giving root access. |
elm_exploit.c | Overwrites a buffer in Elm and Elm-ME+ on Linux via TERM environ. variable. |
daynotify.sh | This script will exploit a bug in SGI's Registration Software under IRIX 6.2. |
brute_web.c | This program will brute force its way into a web server giving a user and passwd. |
tcpdump.tar.Z | A tool for network monitoring and data acquisition. (needs library packet capture.) |
winnuke.c | This sends Out of Band Data to Win95/NT computers causing panics and reboots. |
sperl.tgz | This will overwrite a buffer in the sperl5.001 and sperl5.003, thus giving root access. |
dip-prob.txt | Dip will allow an ordinary user to gain control of arbitrary devices in /dev. |
nlspath.txt | Exploits for ping, minicom, su and others on Linux via NLSPATH environment variable. |
solaris_lp.sh | Script for Solaris that breaks lp, then use lp priv to break root (or bin, etc...). |
AIX_mount.c | This overwrites a buffer in /usr/sbin/mount on AIX 4.x systems via LC_MESSAGES. |
fdformat-ex.c | This will overwrite a buffer in /usr/bin/fdformat on Solaris 2.x systems giving root. |
cxterm.c | This overwrites a buffer in Chinese xterm and colour xterm giving root on Linux. |
LPRng.tgz | A light weight printing system especially designed with security in mind. |
eject.c | This will overwrite a buffer on Solaris 2.x systems in /usr/bin/eject, giving a root shell. |
webs099.tgz | A minimalist web server designed primarily for security and handles redirects. |
talkd.txt | This explains how to get root remotely by overwriting a buffer in in.talkd. |
udpstorm.tgz | This is an implementation of the udpstorm attack. Works with Linux. |
lin_probe.c | This overwrites a buffer in /usr/X11/bin/SuperProbe on Linux, thus giving root. |
AIX_host.c | This overwrites a buffer in gethostbyname() on AIX 4.2 Power PC, giving a root shell. |
sgi_systour.txt | Exploit for /usr/lib/tour/bin/RemoveSystemTour on IRIX 5.3 & 6.2 that gives root. |
connect.c | Lets a normal user crash AIX 4.1.4, AIX 4.1.5, HP-UX 10.01, and HP-UX 9.05 |
sol2.5_nis.txt | This shows how to exploit /usr/lib/nis/nispopulate on Solaris 2.5 systems. |
crack-2a.tgz | Unix Password Cracker v. 2.0 (alpha) by Scooter Corp. (Comes with crack dictionary). |
lilo-exploit.txt | Get root on the latest versions of Linux (at the console) using LD_PRELOAD. |
rsucker.pl | Perl script that acts as a fake r* daemon and logs the usernames sent from clients. |
portmap_5b.tar.gz | A portmapper that supports access control in the style of the tcp wrapper package. |
irix-login.txt | On Irix systems /var/adm/badlogin contains failed logins and passwords in clear text. |
iebugs.tar.gz | Microsoft Internet Explorer bugs one through six in text and html format. |
arnudp.c | Demonstrates how to send single UDP packets from an arbitrary source/destination. |
cgiwrap-3.22.tgz | This is a gateway that allows a more secure user access to CGI programs. |
fastcracker.tgz | This program is designed to quickly crack DES encrypted passwords. |
pma.tar.gz | Poor Man's Access - A daemon that lets you issue shell commands remotely. |
makedir.txt | Programs to create thousands of directories and to delete these directories. |
tcpprobe.c | This is a tcp portscanner that shows accepted connections on a remote host. |
locktcp.c | This program will freeze Solaris/x86 2.5.1 systems, causing denial of service. |
irix-wrap.txt | This shows how to get a listing of directories (755) from cgi-bin/wrap on Irix 6.2. |
block.c | Prevents a user from logging in by monitoring utmp and closing down that user's tty port. |
tin_problem.txt | rtin/tin will create /tmp/.tin_log with mode of 0666 in /tmp and will follow symbolic links. |
sun_patch.sh | If you have a sun SPARC, this script will stop all forms of buffer overrun attacks. |
riputils.tgz | This is a set of routing internet protocol utilities designed for Linux systems. |
test-cgi.txt | Using the CGI program test-cgi, you can remotely inventory files on remote systems. |
lquerypv.txt | On AIX systems you can read any file (in hex) on the system with lquerypv. |
COPS | (Computer Oracle & Password System) checks for Unix system misconfigurations. |
Crack v5.0 | Got access to password or shadow file? This shows what other user's passwords are. |
Crack Dictionary | A general 50,000 word dictionary for use with Crack. |
Esniff.c | Source code for basic ethernet Sniffer. ( Straight out of Phrack ). |
fakerwall.c | This program lets you send an rwall message from an arbitrary host of your choice. |
fping | Like UNIX ping(1), but allows efficient pinging of a large list of hosts. |
bind.txt | This describes a potential denial of service problem with BIND-4.9.5-P1. |
hide.c | Code to exploit a world-writeable /etc/utmp and allow the user to modify it interactively. |
hsh002.c | This is a neat little shell for experimentation with lots of interesting features. |
nfswatch4.1.tar.Z | This lets you monitor NFS requests to any given machine or the entire network. |
nfstrace.tgz | The rpcspy/nfstrace package lets you perform NFS tracing by network monitoring. |
wuftpd-owrite.sh | Exploits a bug in wu-ftpd to create or overwrite a file anywhere on the filesystem. |
wuftpd-sdump.sh | Script that will exploit a bug in wu-ftpd to assemble and view the shadow password file. |
shadowyank.c | This will reconstruct shadow entries from the core file from ftp daemon segmenting. |
ICMPinfo V1.10 | ICMPinfo is a tool for looking at ICMP messages received on the running host. |
ident-scan.c | TCP scanner that retrieves the username of the daemon running on the specified port. |
ascend.txt | Program for Linux designed to attack Ascend routers with zero length tcp offsets. |
gzip.txt | While a file is being compressed with gzip it is world readable. |
ISS (V1.3) | Internet Security Scanner. Scans subnets and gathers info. about the hosts it finds. |
libc.so.5 | This is a hacked libc.so.5 for Linux that spawns a shell when a call is made to crypt(). |
sdtcm_convert.txt | This explains how to exploit sdtcm_convert on Solaris machines to get root access. |
mnt | This exploits a hole in HP-UX 9 rpc.mountd program. It lets you steal NFS file handles. |
netcat (V1.10) | Like Unix cat(1) but this one talks network packets (TCP or UDP). Excellent tool. |
NFS Shell | This should be very useful if you have located an insecure NFS server. |
pmcrash.c | This allows you to crash ANY Livingston PortMaster by overflowing buffers. |
pop3.c | Exploit that attempts multiple username/password guesses on machines running POP3. |
psrace.c | This code exploits a race condition in Solaris, thus allowing you to make a root shell. |
Root Kit | Programs like ps, ls, & du which have been modified to hide certain files & processes. |
rpc_chk.sh | Shell Script to get a list of running hosts from a DNS nameserver for a given domain. |
seq_number.c | Code to exploit TCP Sequence Number Generator bug. |
asppp.txt | On Solaris 2.5x86, /tmp/.asppp.fifo can be used to make a world writeable .rhosts file. |
kcms.txt | Explains how to get root on solaris 2.5 by exploiting /usr/openwin/bin/kcms_calibrate. |
slammer | Slammer lets you issue arbitrary commands on hosts by exploiting yp daemons. |
Socket Demon (V1.3) | Daemon that sits on a specified IP port and provides passworded shell access. |
Solaris Sniffer | This is a version of ESniff.c that has been modified for Solaris 2.X. |
Strobe (V1.03) | Scans TCP ports on a target host and reveals which daemons are running. |
Tiger (V2.2.3) | Tiger attempts to exploit known bugs, holes, and misconfigurations to attain root. |
lquerylv.c | This overwrites a buffer in /usr/sbin/lquerylv on AIX systems, thus giving a root shell. |
Traceroute | Traceroute is an indispensable tool for troubleshooting and mapping your network. |
udpscan.c | This identifies open UDP ports by sending a bogus UDP packet and waiting for a response. |
portd.c | This program is a daemon that listens on a port and provides passworded shell access. |
pingexploit.c | This lets you send oversized ICMP packets from a unix box just like Win95. |
checksyslog.tgz | This will analyze your system logs for security problems while ignoring normal behavior. |
dosemu.txt | On Debian v1.1, /usr/sbin/dos can be used to read any file on the system. |
yaping.0.1.tgz | Yet another ping for Linux. Packets of size > 65535 octets are supported. |
xcrowbar.c | Source code that gets you a pointer to an X Display even after an xhost - |
xkey.c | Attach to any X server you have permission to and watch the user's keyboard. |
X Watch Window | If you have access on a host's X server, this will show the window on your X-server. |
messages.sh | Parses through /var/adm/messages to see if user typed password at login prompt. |
FreeBSDmail.txt | This exploit will overwrite a buffer on sendmail 8.6.12 running on FreeBSD 2.1.0. |
ypsnarf.c | This handy little program will get you yp domain names, yp maps, and yp maplists. |
YPX | YPX guesses NIS domain names. YPX will extract the maps directly from domains. |
ftp-scan.c | This program exploits the ftp protocol to let you scan services on firewalls. |
rdist-ex.c | This will write past a buffer, straight onto the stack, giving a root shell on FreeBSD. |
mount-ex.c | All Linux versions are vulnerable to this buffer overflow attack on suid mount. |
perl-ex.sh | perl-ex.sh is a simple little sperl script that gives you a root shell via suidperl. |
sndmail8.8.4.txt | Explains how to exploit sendmail version 8.8.4 to get root access. |
irix-xhost.txt | In default setup for irix, xhost is set to global access when someone logs into console. |
mod_ldt.c | Gives access to all of Linux's linear memory to user processes at will, and thus root. |
dipExploit.c | Linux dip Exploit. Overwrite a buffer in do_chatkey(), thus giving you a root shell. |
rpcs.01b.tar.gz | This is a program that is designed to scan subnets for rpc services. |
rxvtExploit.txt | This will exploit a popen() call issued by rxvt on Linux machines, thus giving a root shell. |
nfsbug.c | Demonstrates a security problem in unfsd guessing the file handle of the root FS. |
abuse.txt | A Linux exploit for Red Hat 2.1. This gives a root shell by exploiting abuse.console. |
xtermOverflo.c | A program that overwrites a buffer in libXt.so while xterm is suid to root. |
resolv+.exp | Quick and Simple way to read the /etc/shadow file as well as many other things. |
resizeExp.txt | Another Red Hat 2.1 exploit for resizecons due to lack of absolute pathnames. |
qcrack.tar.gz | Like crack except this gives increased cracking speeds at the expense of disk space. |
Linux rootkit | A rootkit designed for Linux. Comes with ps, netstat, and login. |
X webcomber | A cool little tool that lets you search for things (like hacking) on the web. |
gpm-exploit.txt | This will get root on Linux systems using /usr/games/doom/killmouse. |
pingflood.c | This ping floods a host, thus wasting bandwidth and denying service. |
telnetd exploit | This will create a shared library that gives a root shell remotely or locally. |
pop3d exploit | Lets you read the contents of the mail spool of a user when they connect to in.popd. |
vif.tar.gz | This code lets you have multiple IP addresses for a single interface. |
amod.tar.gz | Amodload is a tool which allows the loading of arbitrary code into SunOS kernels. |
getethers1.6.tgz | getethers scans all addresses on an ethernet, producing a hostname/ethernet list. |
rootkitSunOS.tgz | Here is another root kit designed for SunOS operating systems. Lots of cool stuff. |
demonKit-1.0.tar.gz | A suite of trojan programs opening back doors to root on a Linux system. |
eviltelnetd | telnet-hacked.tgz is a hacked telnet daemon that gives a root shell w/o password. |
cfexec.sh | This lets you issue arbitrary commands as root on GNU cfingerd 1.0.1. |
NFS Problems | Shows some potential problems with Linux in.nfsd concerning read-only exports. |
cdromvuln.txt | If Linux CD is mounted w/ suid flag, older suid exploits will work on live filesystem. |
vixie.c | On Redhat Linux systems this will overwrite a buffer in crontab, thus giving root. |
linsniffer.c | This is a simple Linux Sniffer that shows you incoming TCP packets on most ports. |
rshd_problem.txt | You can figure out valid usernames on hosts by examining the response from in.rshd. |
linux_sniffer.c | Another Linux sniffer much like the one above. Shows more detailed TCP info. |
sniffit.0.3.5.tar.gz | A very flexible network sniffer that has many interesting features (like curses). |
Sol2.4Core.txt | Solaris 2.4 exploit that allows you to overwrite files when a suid prog. core dumps. |
SolAdmtool.txt | On Solaris 2.5, the Admintool can be used to create a writeable /.rhosts file. |
irix-netprint.txt | On IRIX systems, /usr/lib/print/netprint calls 'disable' without specifying absolute path. |
SYNpacket.tgz | Floods a port with TCP packets with the SYN bit turned on causing inetd to segment. |
phf.c | A quick and easy way to scan for hosts that still have the phf bug which gives /etc/passwd. |
phfprobe.pl | This tries to find out as much information about the person calling phf as possible. |
SYNWatch.tar.gz | This program watches for TCP packets with the SYN bit turned on. |
pinglogger.tar.gz | Logs all ICMP packets to a log file so you can see who is ping flooding you. |
screen.txt | On BSDi systems, you can use /usr/contrbi/bin/screen to read /etc/master.passwd. |
ftpBounceAttack | A script that implements the ftp Bounce Attack allowing you to anonymously do things. |
grabem.c | A very stupid/simple program to get passwords from users logging in on the console. |
tcpview.c | Another sniffer type program designed for Sun OS 4.1 architectures using /dev/nit. |
pcnfsd.c | Exploit that allows local users to chmod arbitrary directories on hosts running pcnfsd. |
netcraft.tgz | Contains various (and older) web security issues and exploits from Netcraft. |
superforker.c | This is a supercharged version of the classic fork() denial of service attack. |
syslogFogger.c | Program that allows you to write to system logging facilities via UDP packets to port 514. |
ypbreak.c | Lets you change your username, password, gecos, or shell via yppasswd daemon. |
hdtraq.c | This runs as a daemon and purportedly creates bad sectors on a hard drive. |
finger_attack.txt | By recursively fingering a host, you can cause a possible crash of in.fingerd. |
logdaemon.tar.gz | Version 5.6 of a suite of tcp/ip programs that enhance network system logging. |
suTrojan.c | This is a replacement program for su that mails you when an attempt to su is made. |
sigurg.c | This code allows you to kill any process on Linux boxes running older kernels. |
sushiPing.c | On Sun 4 platforms, this trojan ping gives you a root shell when you make a triggerfile. |
sushiQuota.c | Another trojan for Sun 4 machines that is triggered with a triggerfile. |
pcs.tgz | pcs is a libpcap based sniffer that supports multiple interfaces and PPP (with no filtering). |
sfingerd-1.8.tgz | A replacement for the standard unix finger daemon designed for security. |
snifftest.c | snifftest.c will try to tell you if a sniffer is running on Sun machines. |
IPInvestigator.tgz | IPInvestigator is another sniffer that lets you watch traffic between machines. |
gnmp.tar.gz | Generic Network Message Passing is a simple client server messaging system. |
irixmail.sh | Exploit shell script that gives a root shell on IRIX systems. |
lpr Exploit | This small program exploits the suid root lpr program giving root. |
Xfree86 Exploit | There is a problem with XFree86 3.1.2 that lets you overwrite files. |
wipehd.asm | Assembly Language program that will remove the first 10 sectors of a hard drive. |
sam.txt | On HP-UX, the System Administration Manager (sam) can be used to truncate files. |
DenialofService | zip file illustrating five simple denial of service attacks on a unix. |
xspy.tar.gz | xspy is a program that makes logins appear on your display. |
scan.sh | This is a perl script that scans subnets and reports if rexd or ypserv is running. |
xscan.tar.gz | scans subnets for unsecured X clients and automatically logs results. |
BSDcron-ex.c | BSD cron exploit. This program overruns a buffer, giving root access. |
OSF1_dxchpwd | On OSF1, /usr/tcb/bin/dxchpwd can be used to overwrite any file on the system. |
bindExploit.txt | Setting SO_REUSEADDR options and calling bind allows user to steal udp packets. |
cloak.c | This program wipes all traces of a user from a UNIX system. |
convfontExploit.sh | Script that exploits /usr/bin/convfont on Linux systems to get root access. |
ipspoof.c | This program demonstrates how to send arbitrary tcp/ip packets. |
Thanks to rootshell.com for the table