From d7866754a92043e21cfb22386cc6dbff893ccc9f Mon Sep 17 00:00:00 2001 From: "sussurro@happypacket.net" Date: Mon, 26 Sep 2011 03:43:05 +0000 Subject: [PATCH] remove cache file from checkout, it should be populated per individual git-svn-id: https://beef.googlecode.com/svn/trunk@1310 b87d56ec-f9c0-11de-8c8a-61c5e9addfc9 --- extensions/metasploit/msf-exploits.cache | 16119 --------------------- 1 file changed, 16119 deletions(-) delete mode 100644 extensions/metasploit/msf-exploits.cache diff --git a/extensions/metasploit/msf-exploits.cache b/extensions/metasploit/msf-exploits.cache deleted file mode 100644 index a910a814e..000000000 --- a/extensions/metasploit/msf-exploits.cache +++ /dev/null @@ -1,16119 +0,0 @@ ---- -msf_rpc_cmsd_opcode21: - enable: true - msf: true - msf_key: aix/rpc_cmsd_opcode21 - name: AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow vulnerability in opcode 21 handled by\n\ - \t\t\t\trpc.cmsd on AIX. By making a request with a long string passed to the first\n\ - \t\t\t\targument of the \"rtable_create\" RPC, a stack based buffer overflow occurs. This\n\ - \t\t\t\tleads to arbitrary code execution.\n\n\ - \t\t\t\tNOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where\n\ - \t\t\t\tfurther attempts are not possible.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3699 - - - OSVDB - - "58726" - - - BID - - "36615" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825 - - - URL - - http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc - path: extensions/metasploit/ - class: Msf_module -msf_rpc_ttdbserverd_realpath: - enable: true - msf: true - msf_key: aix/rpc_ttdbserverd_realpath - name: ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow vulnerability in _tt_internal_realpath\n\ - \t\t\t\tfunction of the ToolTalk database server (rpc.ttdbserverd).\n\ - \t\t\t" - authors: - - - CVE - - 2009-2727 - - - OSVDB - - "55151" - path: extensions/metasploit/ - class: Msf_module -msf_tagprinter_exec: - enable: true - msf: true - msf_key: irix/lpd/tagprinter_exec - name: Irix LPD tagprinter Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution flaw in\n\ - \t\t\t\tthe in.lpd service shipped with all versions of Irix.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0800 - - - OSVDB - - "8573" - - - URL - - http://www.lsd-pl.net/code/IRIX/irx_lpsched.c - path: extensions/metasploit/ - class: Msf_module -msf_lsass_cifs: - enable: true - msf: true - msf_key: netware/smb/lsass_cifs - name: Novell NetWare LSASS CIFS.NLM Driver Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the NetWare CIFS.NLM driver.\n\ - \t\t\t\tSince the driver runs in the kernel space, a failed exploit attempt can\n\ - \t\t\t\tcause the OS to reboot.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2852 - - - OSVDB - - "12790" - path: extensions/metasploit/ - class: Msf_module -msf_pkernel_callit: - enable: true - msf: true - msf_key: netware/sunrpc/pkernel_callit - name: NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.\n\ - \t\t\t\tPKERNEL.NLM is installed by default on all NetWare servers to support NFS.\n\ - \t\t\t\tThe PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can\n\ - \t\t\t\tcause the operating system to reboot.\n\ - \t\t\t" - authors: - - - BID - - "36564" - - - OSVDB - - "58447" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-09-067/ - path: extensions/metasploit/ - class: Msf_module -msf_clamav_milter_blackhole: - enable: true - msf: true - msf_key: unix/smtp/clamav_milter_blackhole - name: ClamAV Milter Blackhole-Mode Remote Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'\n\ - \t\t\t\t(Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.\n\ - \t\t\t\tWhen implemented with black hole mode enabled, it is possible to execute\n\ - \t\t\t\tcommands remotely due to an insecure popen call.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4560 - - - OSVDB - - "36909" - - - BID - - "25439" - - - URL - - http://www.milw0rm.com/exploits/4761 - path: extensions/metasploit/ - class: Msf_module -msf_exim4_string_format: - enable: true - msf: true - msf_key: unix/smtp/exim4_string_format - name: Exim4 <= 4.69 string_format Function Heap Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a heap buffer overflow within versions of Exim prior to\n\ - \t\t\t\tversion 4.69. By sending a specially crafted message, an attacker can corrupt the\n\ - \t\t\t\theap and execute arbitrary code with the privileges of the Exim daemon.\n\n\ - \t\t\t\tThe root cause is that no check is made to ensure that the buffer is not full\n\ - \t\t\t\tprior to handling '%s' format specifiers within the 'string_vformat' function.\n\ - \t\t\t\tIn order to trigger this issue, we get our message rejected by sending a message\n\ - \t\t\t\tthat is too large. This will call into log_write to log rejection headers (which\n\ - \t\t\t\tis a default configuration setting). After filling the buffer, a long header\n\ - \t\t\t\tstring is sent. In a successful attempt, it overwrites the ACL for the 'MAIL\n\ - \t\t\t\tFROM' command. By sending a second message, the string we sent will be evaluated\n\ - \t\t\t\twith 'expand_string' and arbitrary shell commands can be executed.\n\n\ - \t\t\t\tIt is likely that this issue could also be exploited using other techniques such\n\ - \t\t\t\tas targeting in-band heap management structures, or perhaps even function pointers\n\ - \t\t\t\tstored in the heap. However, these techniques would likely be far more platform\n\ - \t\t\t\tspecific, more complicated, and less reliable.\n\n\ - \t\t\t\tThis bug was original found and reported in December 2008, but was not\n\ - \t\t\t\tproperly handled as a security issue. Therefore, there was a 2 year lag time\n\ - \t\t\t\tbetween when the issue was fixed and when it was discovered being exploited\n\ - \t\t\t\tin the wild. At that point, the issue was assigned a CVE and began being\n\ - \t\t\t\taddressed by downstream vendors.\n\n\ - \t\t\t\tAn additional vulnerability, CVE-2010-4345, was also used in the attack that\n\ - \t\t\t\tled to the discovery of danger of this bug. This bug allows a local user to\n\ - \t\t\t\tgain root privileges from the Exim user account. If the Perl interpreter is\n\ - \t\t\t\tfound on the remote system, this module will automatically exploit the\n\ - \t\t\t\tsecondary bug as well to get root.\n\ - \t\t\t" - authors: - - - CVE - - 2010-4344 - - - OSVDB - - "69685" - - - BID - - "45308" - - - CVE - - 2010-4345 - - - BID - - "45341" - - - URL - - http://seclists.org/oss-sec/2010/q4/311 - - - URL - - http://www.gossamer-threads.com/lists/exim/dev/89477 - - - URL - - http://bugs.exim.org/show_bug.cgi?id=787 - - - URL - - http://git.exim.org/exim.git/commitdiff/24c929a27415c7cfc7126c47e4cad39acf3efa6b - path: extensions/metasploit/ - class: Msf_module -msf_spamassassin_exec: - enable: true - msf: true - msf_key: unix/misc/spamassassin_exec - name: SpamAssassin spamd Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a flaw in the SpamAssassin spamd service by specifying\n\ - \t\t\t\ta malicious vpopmail User header, when running with vpopmail and paranoid\n\ - \t\t\t\tmodes enabled (non-default). Versions prior to v3.1.3 are vulnerable\n\ - \t\t\t" - authors: - - - CVE - - 2006-2447 - - - OSVDB - - "26177" - - - BID - - "18290" - - - URL - - http://spamassassin.apache.org/advisories/cve-2006-2447.txt - path: extensions/metasploit/ - class: Msf_module -msf_zabbix_agent_exec: - enable: true - msf: true - msf_key: unix/misc/zabbix_agent_exec - name: Zabbix Agent net.tcp.listen Command Injection - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a metacharacter injection vulnerability\n\ - \t\t\t\tin the FreeBSD and Solaris versions of the Zabbix agent. This flaw\n\ - \t\t\t\tcan only be exploited if the attacker can hijack the IP address\n\ - \t\t\t\tof an authorized server (as defined in the configuration file).\n\ - \t\t\t" - authors: - - - CVE - - 2009-4502 - - - OSVDB - - "60956" - - - URL - - https://support.zabbix.com/browse/ZBX-1032 - path: extensions/metasploit/ - class: Msf_module -msf_distcc_exec: - enable: true - msf: true - msf_key: unix/misc/distcc_exec - name: DistCC Daemon Command Execution - category: Metasploit - description: "\n\ - \t\t\t\tThis module uses a documented security weakness to execute\n\ - \t\t\t\tarbitrary commands on any system running distccd.\n\n\ - \t\t\t" - authors: - - - CVE - - 2004-2687 - - - OSVDB - - "13378" - - - URL - - http://distcc.samba.org/security.html - path: extensions/metasploit/ - class: Msf_module -msf_vsftpd_234_backdoor: - enable: true - msf: true - msf_key: unix/ftp/vsftpd_234_backdoor - name: VSFTPD v2.3.4 Backdoor Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a malicious backdoor that was added to the\tVSFTPD download\n\ - \t\t\t\t\tarchive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between\n\ - \t\t\t\t\tJune 30th 2011 and July 1st 2011 according to the most recent information\n\ - \t\t\t\t\tavailable. This backdoor was removed on July 3rd 2011.\n\ - \t\t\t" - authors: - - - OSVDB - - "73573" - - - URL - - http://pastebin.com/AetT9sS5 - - - URL - - http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html - path: extensions/metasploit/ - class: Msf_module -msf_proftpd_133c_backdoor: - enable: true - msf: true - msf_key: unix/ftp/proftpd_133c_backdoor - name: ProFTPD-1.3.3c Backdoor Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a malicious backdoor that was added to the\n\ - \t\t\t\tProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz]\n\ - \t\t\t\tarchive between November 28th 2010 and 2nd December 2010.\n\ - \t\t\t" - authors: - - - OSVDB - - "69562" - - - BID - - "45150" - - - URL - - http://sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org - path: extensions/metasploit/ - class: Msf_module -msf_contentkeeperweb_mimencode: - enable: true - msf: true - msf_key: unix/http/contentkeeperweb_mimencode - name: ContentKeeper Web Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the ContentKeeper Web Appliance. Versions prior\n\ - \t\t\t\tto 125.10 are affected. This module exploits a combination of weaknesses\n\ - \t\t\t\tto enable remote command execution as the Apache user. By setting\n\ - \t\t\t\tSkipEscalation to false, this module will attempt to setuid the bash shell.\n\ - \t\t\t" - authors: - - - OSVDB - - "54551" - - - OSVDB - - "54552" - - - URL - - http://www.aushack.com/200904-contentkeeper.txt - path: extensions/metasploit/ - class: Msf_module -msf_unreal_ircd_3281_backdoor: - enable: true - msf: true - msf_key: unix/irc/unreal_ircd_3281_backdoor - name: UnrealIRCD 3.2.8.1 Backdoor Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a malicious backdoor that was added to the\n\ - \t\t\t\tUnreal IRCD 3.2.8.1 download archive. This backdoor was present in the\n\ - \t\t\t\tUnreal3.2.8.1.tar.gz archive between November 2009 and June 12th 2010.\n\ - \t\t\t" - authors: - - - CVE - - 2010-2075 - - - OSVDB - - "65445" - - - URL - - http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt - path: extensions/metasploit/ - class: Msf_module -msf_awstatstotals_multisort: - enable: true - msf: true - msf_key: unix/webapp/awstatstotals_multisort - name: AWStats Totals =< v1.14 multisort Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ - \t\t\t\t\tAWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.\n\ - \t\t\t" - authors: - - - CVE - - 2008-3922 - - - OSVDB - - "47807" - - - BID - - "30856" - - - URL - - http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt - path: extensions/metasploit/ - class: Msf_module -msf_coppermine_piceditor: - enable: true - msf: true - msf_key: unix/webapp/coppermine_piceditor - name: Coppermine Photo Gallery <= 1.4.14 picEditor.php Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the picEditor.php script of Coppermine\n\ - \t\t\t\tPhoto Gallery. When configured to use the ImageMagick library, the 'quality', 'angle',\n\ - \t\t\t\tand 'clipval' parameters are not properly escaped before being passed to the PHP\n\ - \t\t\t\t'exec' command.\n\n\ - \t\t\t\tIn order to reach the vulnerable 'exec' call, the input must pass several validation\n\ - \t\t\t\tsteps.\n\n\ - \t\t\t\tThe vulnerabilities actually reside in the following functions:\n\n\ - \t\t\t\timage_processor.php: rotate_image(...)\n\ - \t\t\t\tinclude/imageObjectIM.class.php: imageObject::cropImage(...)\n\ - \t\t\t\tinclude/imageObjectIM.class.php: imageObject::rotateImage(...)\n\ - \t\t\t\tinclude/imageObjectIM.class.php: imageObject::resizeImage(...)\n\ - \t\t\t\tinclude/picmgmt.inc.php: resize_image(...)\n\n\ - \t\t\t\tNOTE: Use of the ImageMagick library is a non-default option. However, a user can\n\ - \t\t\t\tspecify its use at installation time.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0506 - - - OSVDB - - "41676" - - - URL - - http://www.exploit-db.com/exploits/5019 - - - URL - - http://forum.coppermine-gallery.net/index.php?topic=50103.0 - path: extensions/metasploit/ - class: Msf_module -msf_php_vbulletin_template: - enable: true - msf: true - msf_key: unix/webapp/php_vbulletin_template - name: vBulletin misc.php Template Name Arbitrary Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary PHP code execution flaw in\n\ - \t\t\t\tthe vBulletin web forum software. This vulnerability is only\n\ - \t\t\t\tpresent when the \"Add Template Name in HTML Comments\" option\n\ - \t\t\t\tis enabled. All versions of vBulletin prior to 3.0.7 are\n\ - \t\t\t\taffected.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0511 - - - BID - - "12622" - - - OSVDB - - "14047" - path: extensions/metasploit/ - class: Msf_module -msf_sphpblog_file_upload: - enable: true - msf: true - msf_key: unix/webapp/sphpblog_file_upload - name: Simple PHP Blog <= 0.4.0 Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module combines three separate issues within The Simple PHP Blog (<= 0.4.0)\n\ - \t\t\t\tapplication to upload arbitrary data and thus execute a shell. The first\n\ - \t\t\t\tvulnerability exposes the hash file (password.txt) to unauthenticated users.\n\ - \t\t\t\tThe second vulnerability lies within the image upload system provided to\n\ - \t\t\t\tlogged-in users; there is no image validation function in the blogger to\n\ - \t\t\t\tprevent an authenticated user from uploading any file type. The third\n\ - \t\t\t\tvulnerability occurs within the blog comment functionality, allowing\n\ - \t\t\t\tarbitrary files to be deleted.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2733 - - - OSVDB - - "19012" - - - BID - - "14667" - - - URL - - http://www.milw0rm.com/exploits/1191 - path: extensions/metasploit/ - class: Msf_module -msf_awstats_migrate_exec: - enable: true - msf: true - msf_key: unix/webapp/awstats_migrate_exec - name: AWStats migrate Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ - \t\t\t\tAWStats CGI script. AWStats v6.4 and v6.5 are vulnerable. Perl based\n\ - \t\t\t\tpayloads are recommended with this module. The vulnerability is only\n\ - \t\t\t\tpresent when AllowToUpdateStatsFromBrowser is enabled in the AWstats\n\ - \t\t\t\tconfiguration file (non-default).\n\ - \t\t\t" - authors: - - - CVE - - 2006-2237 - - - OSVDB - - "25284" - - - BID - - "17844" - - - URL - - http://awstats.sourceforge.net/awstats_security_news.php - - - URL - - http://www.milw0rm.com/exploits/1755 - path: extensions/metasploit/ - class: Msf_module -msf_oscommerce_filemanager: - enable: true - msf: true - msf_key: unix/webapp/oscommerce_filemanager - name: osCommerce 2.2 Arbitrary PHP Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tosCommerce is a popular open source E-Commerce application.\n\ - \t\t\t\tThe admin console contains a file management utility that\n\ - \t\t\t\tallows administrators to upload, download, and edit files.\n\ - \t\t\t\tThis could be abused to allow unauthenticated attackers to\n\ - \t\t\t\texecute arbitrary code with the permissions of the\n\ - \t\t\t\twebserver.\n\ - \t\t\t" - authors: - - - OSVDB - - "60018" - - - URL - - http://www.milw0rm.com/exploits/9556 - path: extensions/metasploit/ - class: Msf_module -msf_php_eval: - enable: true - msf: true - msf_key: unix/webapp/php_eval - name: Generic PHP Code eval - category: Metasploit - description: "\n\ - \t\t\t\tExploits things like \n\ - \t\t\t\tIt is likely that HTTP evasion options will break this exploit.\n\ - \t\t\t" - authors: [] - - path: extensions/metasploit/ - class: Msf_module -msf_squirrelmail_pgp_plugin: - enable: true - msf: true - msf_key: unix/webapp/squirrelmail_pgp_plugin - name: SquirrelMail PGP Plugin command execution (SMTP) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a command execution vulnerability in the\n\ - \t\t\t\tPGP plugin of SquirrelMail. This flaw was found while quickly\n\ - \t\t\t\tgrepping the code after release of some information at\n\ - \t\t\t\thttp://www.wslabi.com/. Later, iDefense published an advisory ....\n\n\ - \t\t\t\tReading an email in SquirrelMail with the PGP plugin activated\n\ - \t\t\t\tis enough to compromise the underlying server.\n\n\ - \t\t\t\tOnly \"cmd/unix/generic\" payloads were tested.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0990 - - - OSVDB - - "3178" - - - URL - - http://lists.immunitysec.com/pipermail/dailydave/2007-July/004456.html - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=330 - - - URL - - http://www.wslabi.com/wabisabilabi/initPublishedBid.do? - path: extensions/metasploit/ - class: Msf_module -msf_twiki_history: - enable: true - msf: true - msf_key: unix/webapp/twiki_history - name: TWiki History TWikiUsers rev Parameter Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the history component of TWiki.\n\ - \t\t\t\tBy passing a 'rev' parameter containing shell metacharacters to the TWikiUsers\n\ - \t\t\t\tscript, an attacker can execute arbitrary OS commands.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2877 - - - OSVDB - - "19403" - - - BID - - "14834" - - - URL - - http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev - path: extensions/metasploit/ - class: Msf_module -msf_dogfood_spell_exec: - enable: true - msf: true - msf_key: unix/webapp/dogfood_spell_exec - name: Dogfood CRM spell.php Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a previously unpublished vulnerability in the\n\ - \t\t\t\tDogfood CRM mail function which is vulnerable to command injection\n\ - \t\t\t\tin the spell check feature. Because of character restrictions, this\n\ - \t\t\t\texploit works best with the double-reverse telnet payload. This\n\ - \t\t\t\tvulnerability was discovered by LSO and affects v2.0.10.\n\ - \t\t\t" - authors: - - - OSVDB - - "54707" - - - URL - - http://downloads.sourceforge.net/dogfood/ - path: extensions/metasploit/ - class: Msf_module -msf_openx_banner_edit: - enable: true - msf: true - msf_key: unix/webapp/openx_banner_edit - name: OpenX banner-edit.php File Upload PHP Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the OpenX advertising software.\n\ - \t\t\t\tIn versions prior to version 2.8.2, authenticated users can upload files\n\ - \t\t\t\twith arbitrary extensions to be used as banner creative content. By uploading\n\ - \t\t\t\ta file with a PHP extension, an attacker can execute arbitrary PHP code.\n\n\ - \t\t\t\tNOTE: The file must also return either \"png\", \"gif\", or \"jpeg\" as its image\n\ - \t\t\t\ttype as returned from the PHP getimagesize() function.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4098 - - - OSVDB - - "60499" - - - BID - - "37110" - - - URL - - http://archives.neohapsis.com/archives/bugtraq/2009-11/0166.html - - - URL - - https://developer.openx.org/jira/browse/OX-5747 - - - URL - - http://www.openx.org/docs/2.8/release-notes/openx-2.8.2 - - - URL - - http://php.net/manual/en/function.getimagesize.php - - - URL - - http://gynvael.coldwind.pl/?id=223 - - - URL - - http://gynvael.coldwind.pl/?id=224 - - - URL - - http://gynvael.coldwind.pl/?id=235 - - - URL - - http://programming.arantius.com/the+smallest+possible+gif - - - URL - - http://stackoverflow.com/questions/2253404/what-is-the-smallest-valid-jpeg-file-size-in-bytes - path: extensions/metasploit/ - class: Msf_module -msf_tikiwiki_jhot_exec: - enable: true - msf: true - msf_key: unix/webapp/tikiwiki_jhot_exec - name: TikiWiki jhot Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tTikiWiki contains a flaw that may allow a malicious user to execute\n\ - \t\t\t\tarbitrary PHP code. The issue is triggered due to the jhot.php script\n\ - \t\t\t\tnot correctly verifying uploaded files. It is possible that the flaw\n\ - \t\t\t\tmay allow arbitrary PHP code execution by uploading a malicious PHP\n\ - \t\t\t\tscript resulting in a loss of integrity.\n\n\ - \t\t\t\tThe vulnerability was reported in Tikiwiki version 1.9.4.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4602 - - - OSVDB - - "28456" - - - BID - - "19819" - - - URL - - http://secunia.com/advisories/21733/ - path: extensions/metasploit/ - class: Msf_module -msf_qtss_parse_xml_exec: - enable: true - msf: true - msf_key: unix/webapp/qtss_parse_xml_exec - name: QuickTime Streaming Server parse_xml.cgi Remote Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThe QuickTime Streaming Server contains a CGI script that is vulnerable\n\ - \t\t\t\tto metacharacter injection, allow arbitrary commands to be executed as root.\n\ - \t\t\t\t" - authors: - - - OSVDB - - "10562" - - - BID - - "6954" - - - CVE - - 2003-0050 - path: extensions/metasploit/ - class: Msf_module -msf_phpbb_highlight: - enable: true - msf: true - msf_key: unix/webapp/phpbb_highlight - name: phpBB viewtopic.php Arbitrary Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits two arbitrary PHP code execution flaws in the\n\ - \t\t\t\tphpBB forum system. The problem is that the 'highlight' parameter\n\ - \t\t\t\tin the 'viewtopic.php' script is not verified properly and will\n\ - \t\t\t\tallow an attacker to inject arbitrary code via preg_replace().\n\n\ - \t\t\t\tThis vulnerability was introduced in revision 3076, and finally\n\ - \t\t\t\tfixed in revision 5166. According to the \"tags\" within their tree,\n\ - \t\t\t\tthis corresponds to versions 2.0.4 through 2.0.15 (inclusive).\n\ - \t\t\t" - authors: - - - CVE - - 2005-2086 - - - CVE - - 2004-1315 - - - OSVDB - - "11719" - - - OSVDB - - "17613" - - - BID - - "14086" - - - BID - - "10701" - path: extensions/metasploit/ - class: Msf_module -msf_php_include: - enable: true - msf: true - msf_key: unix/webapp/php_include - name: PHP Remote File Include Generic Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module can be used to exploit any generic PHP file include vulnerability,\n\ - \t\t\t\twhere the application includes code like the following:\n\n\ - \t\t\t\t\n\ - \t\t\t" - authors: [] - - path: extensions/metasploit/ - class: Msf_module -msf_nagios3_statuswml_ping: - enable: true - msf: true - msf_key: unix/webapp/nagios3_statuswml_ping - name: Nagios3 statuswml.cgi Ping Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\ - \t\t\t\tNagios3 statuswml.cgi script. This flaw is triggered when shell\n\ - \t\t\t\tmetacharacters are present in the parameters to the ping and\n\ - \t\t\t\ttraceroute commands.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2288 - - - OSVDB - - "55281" - path: extensions/metasploit/ - class: Msf_module -msf_google_proxystylesheet_exec: - enable: true - msf: true - msf_key: unix/webapp/google_proxystylesheet_exec - name: Google Appliance ProxyStyleSheet Command Execution - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a feature in the Saxon XSLT parser used by\n\ - \t\t\tthe Google Search Appliance. This feature allows for arbitrary\n\ - \t\t\tjava methods to be called. Google released a patch and advisory to\n\ - \t\t\ttheir client base in August of 2005 (GA-2005-08-m). The target appliance\n\ - \t\t\tmust be able to connect back to your machine for this exploit to work.\n\ - \t\t\t" - authors: - - - CVE - - 2005-3757 - - - OSVDB - - "20981" - - - BID - - "15509" - path: extensions/metasploit/ - class: Msf_module -msf_php_wordpress_lastpost: - enable: true - msf: true - msf_key: unix/webapp/php_wordpress_lastpost - name: WordPress cache_lastpostdate Arbitrary Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary PHP code execution flaw in the WordPress\n\ - \t\t\t\tblogging software. This vulnerability is only present when the PHP 'register_globals'\n\ - \t\t\t\toption is enabled (common for hosting providers). All versions of WordPress prior to\n\ - \t\t\t\t1.5.1.3 are affected.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2612 - - - OSVDB - - "18672" - - - BID - - "14533" - path: extensions/metasploit/ - class: Msf_module -msf_twiki_search: - enable: true - msf: true - msf_key: unix/webapp/twiki_search - name: TWiki Search Function Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the search component of TWiki.\n\ - \t\t\t\tBy passing a 'search' parameter containing shell metacharacters to the\n\ - \t\t\t\t'WebSearch' script, an attacker can execute arbitrary OS commands.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1037 - - - OSVDB - - "11714" - - - BID - - "11674" - - - URL - - http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch - path: extensions/metasploit/ - class: Msf_module -msf_phpmyadmin_config: - enable: true - msf: true - msf_key: unix/webapp/phpmyadmin_config - name: PhpMyAdmin Config File Code Injection - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in PhpMyAdmin's setup\n\ - \t\t\t\tfeature which allows an attacker to inject arbitrary PHP\n\ - \t\t\t\tcode into a configuration file. The original advisory says\n\ - \t\t\t\tthe vulnerability is present in phpMyAdmin versions 2.11.x\n\ - \t\t\t\t< 2.11.9.5 and 3.x < 3.1.3.1; this module was tested on\n\ - \t\t\t\t3.0.1.1.\n\n\ - \t\t\t\tThe file where our payload is written\n\ - \t\t\t\t(phpMyAdmin/config/config.inc.php) is not directly used by\n\ - \t\t\t\tthe system, so it may be a good idea to either delete it or\n\ - \t\t\t\tcopy the running config (phpMyAdmin/config.inc.php) over it\n\ - \t\t\t\tafter successful exploitation.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1151 - - - OSVDB - - "53076" - - - URL - - http://www.milw0rm.com/exploits/8921 - - - URL - - http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php - - - URL - - http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/ - path: extensions/metasploit/ - class: Msf_module -msf_generic_exec: - enable: true - msf: true - msf_key: unix/webapp/generic_exec - name: Generic Web Application Unix Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module can be used to exploit any generic command execution vulnerability\n\ - \t\t\t\tfor CGI applications on Unix-like platforms. To use this module, specify the\n\ - \t\t\t\tCMDURI path, replacing the command itself with XXcmdXX. This module is currently\n\ - \t\t\t\tlimited to forms vulnerable through GET requests with query parameters.\n\ - \t\t\t" - authors: [] - - path: extensions/metasploit/ - class: Msf_module -msf_citrix_access_gateway_exec: - enable: true - msf: true - msf_key: unix/webapp/citrix_access_gateway_exec - name: Citrix Access Gateway Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThe Citrix Access Gateway provides support for multiple authentication types.\n\ - \t\t\t\tWhen utilizing the external legacy NTLM authentication module known as\n\ - \t\t\t\tntlm_authenticator the Access Gateway spawns the Samba 'samedit' command\n\ - \t\t\t\tline utility to verify a user's identity and password. By embedding shell\n\ - \t\t\t\tmetacharacters in the web authentication form it is possible to execute\n\ - \t\t\t\tarbitrary commands on the Access Gateway.\n\ - \t\t\t" - authors: - - - CVE - - 2010-4566 - - - OSVDB - - "70099" - - - BID - - "45402" - - - URL - - http://www.vsecurity.com/resources/advisory/20101221-1/ - path: extensions/metasploit/ - class: Msf_module -msf_cakephp_cache_corruption: - enable: true - msf: true - msf_key: unix/webapp/cakephp_cache_corruption - name: CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tCakePHP is a popular PHP framework for building web applications.\n\ - \t\t\t\tThe Security component of CakePHP is vulnerable to an unserialize attack which\n\ - \t\t\t\tcould be abused to allow unauthenticated attackers to execute arbitrary\n\ - \t\t\t\tcode with the permissions of the webserver.\n\ - \t\t\t" - authors: - - - OSVDB - - "69352" - - - CVE - - 2010-4335 - - - BID - - "44852" - - - URL - - http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt - path: extensions/metasploit/ - class: Msf_module -msf_oracle_vm_agent_utl: - enable: true - msf: true - msf_key: unix/webapp/oracle_vm_agent_utl - name: Oracle VM Server Virtual Server Agent Command Injection - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a command injection flaw within Oracle\\'s VM Server\n\ - \t\t\t\tVirtual Server Agent (ovs-agent) service.\n\n\ - \t\t\t\tBy including shell meta characters within the second parameter to the 'utl_test_url'\n\ - \t\t\t\tXML-RPC methodCall, an attacker can execute arbitrary commands. The service\n\ - \t\t\t\ttypically runs with root privileges.\n\n\ - \t\t\t\tNOTE: Valid credentials are required to trigger this vulnerable. The username\n\ - \t\t\t\tappears to be hardcoded as 'oracle', but the password is set by the administrator\n\ - \t\t\t\tat installation time.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3585 - - - OSVDB - - "68797" - - - BID - - "44047" - path: extensions/metasploit/ - class: Msf_module -msf_tikiwiki_graph_formula_exec: - enable: true - msf: true - msf_key: unix/webapp/tikiwiki_graph_formula_exec - name: TikiWiki tiki-graph_formula Remote PHP Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tTikiWiki (<= 1.9.8) contains a flaw that may allow a remote\n\ - \t\t\t\tattacker to execute arbitrary PHP code. The issue is due to\n\ - \t\t\t\t'tiki-graph_formula.php' script not properly sanitizing user\n\ - \t\t\t\tinput supplied to create_function(), which may allow a remote\n\ - \t\t\t\tattacker to execute arbitrary PHP code resulting in a loss of\n\ - \t\t\t\tintegrity.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5423 - - - OSVDB - - "40478" - - - BID - - "26006" - path: extensions/metasploit/ - class: Msf_module -msf_guestbook_ssi_exec: - enable: true - msf: true - msf_key: unix/webapp/guestbook_ssi_exec - name: Matt Wright guestbook.pl Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\tThe Matt Wright guestbook.pl <= v2.3.1 CGI script contains\n\ - \t\t\t\ta flaw that may allow arbitrary command execution. The vulnerability\n\ - \t\t\t\trequires that HTML posting is enabled in the guestbook.pl script, and\n\ - \t\t\t\tthat the web server must have the Server-Side Include (SSI) script\n\ - \t\t\t\thandler enabled for the '.html' file type. By combining the script\n\ - \t\t\t\tweakness with non-default server configuration, it is possible to exploit\n\ - \t\t\t\tthis vulnerability successfully.\n\ - \t\t\t" - authors: - - - CVE - - 1999-1053 - - - OSVDB - - "84" - - - BID - - "776" - path: extensions/metasploit/ - class: Msf_module -msf_awstats_configdir_exec: - enable: true - msf: true - msf_key: unix/webapp/awstats_configdir_exec - name: AWStats configdir Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ - \t\t\t\t\tAWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2\n\ - \t\t\t\t\tare vulnerable.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0116 - - - OSVDB - - "13002" - - - BID - - "12298" - - - URL - - http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities - path: extensions/metasploit/ - class: Msf_module -msf_cacti_graphimage_exec: - enable: true - msf: true - msf_key: unix/webapp/cacti_graphimage_exec - name: Cacti graph_view.php Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ - \t\t\t\tRaxnet Cacti 'graph_view.php' script. All versions of Raxnet Cacti prior to\n\ - \t\t\t\t0.8.6-d are vulnerable.\n\ - \t\t\t" - authors: - - - OSVDB - - "17539" - - - BID - - "14042" - path: extensions/metasploit/ - class: Msf_module -msf_php_xmlrpc_eval: - enable: true - msf: true - msf_key: unix/webapp/php_xmlrpc_eval - name: PHP XML-RPC Arbitrary Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary code execution flaw\n\ - \t\t\t\tdiscovered in many implementations of the PHP XML-RPC module.\n\ - \t\t\t\tThis flaw is exploitable through a number of PHP web\n\ - \t\t\t\tapplications, including but not limited to Drupal, Wordpress,\n\ - \t\t\t\tPostnuke, and TikiWiki.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1921 - - - OSVDB - - "17793" - - - BID - - "14088" - path: extensions/metasploit/ - class: Msf_module -msf_joomla_tinybrowser: - enable: true - msf: true - msf_key: unix/webapp/joomla_tinybrowser - name: Joomla 1.5.12 TinyBrowser File Upload Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the TinyMCE/tinybrowser plugin.\n\ - \t\t\t\tThis plugin is not secured in version 1.5.12 of joomla and allows the upload\n\ - \t\t\t\tof files on the remote server.\n\ - \t\t\t\tBy renaming the uploaded file this vulnerability can be used to upload/execute\n\ - \t\t\t\tcode on the affected system.\n\ - \t\t\t" - authors: - - - OSVDB - - "64578" - - - URL - - http://milw0rm.com/exploits/9296 - - - URL - - http://developer.joomla.org/security/news/301-20090722-core-file-upload.html - path: extensions/metasploit/ - class: Msf_module -msf_mitel_awc_exec: - enable: true - msf: true - msf_key: unix/webapp/mitel_awc_exec - name: Mitel Audio and Web Conferencing Command Injection - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a command injection flaw within the Mitel\n\ - \t\t\t\tAudio and Web Conferencing web interface.\n\ - \t\t\t" - authors: - - - URL - - http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14 - - - OSVDB - - "69934" - path: extensions/metasploit/ - class: Msf_module -msf_openview_connectednodes_exec: - enable: true - msf: true - msf_key: unix/webapp/openview_connectednodes_exec - name: HP Openview connectedNodes.ovpl Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ - \t\t\t\tHP OpenView connectedNodes.ovpl CGI application. The results of the command\n\ - \t\t\t\twill be displayed to the screen.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2773 - - - OSVDB - - "19057" - - - BID - - "14662" - path: extensions/metasploit/ - class: Msf_module -msf_barracuda_img_exec: - enable: true - msf: true - msf_key: unix/webapp/barracuda_img_exec - name: Barracuda IMG.PL Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ - \t\t\t\tBarracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2847 - - - OSVDB - - "19279" - - - BID - - "14712" - - - NSS - - "19556" - - - URL - - http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1 - path: extensions/metasploit/ - class: Msf_module -msf_mambo_cache_lite: - enable: true - msf: true - msf_key: unix/webapp/mambo_cache_lite - name: Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a remote file inclusion vulnerability in\n\ - \t\t\t\tincludes/Cache/Lite/Output.php in the Cache_Lite package in Mambo\n\ - \t\t\t\t4.6.4 and earlier.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2905 - - - OSVDB - - "46173" - - - BID - - "29716" - path: extensions/metasploit/ - class: Msf_module -msf_pajax_remote_exec: - enable: true - msf: true - msf_key: unix/webapp/pajax_remote_exec - name: PAJAX Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tRedTeam has identified two security flaws in PAJAX (<= 0.5.1).\n\ - \t\t\t\tIt is possible to execute arbitrary PHP code from unchecked user input.\n\ - \t\t\t\tAdditionally, it is possible to include arbitrary files on the server\n\ - \t\t\t\tending in \".class.php\".\n\ - \t\t\t" - authors: - - - CVE - - 2006-1551 - - - OSVDB - - "24618" - - - BID - - "17519" - - - URL - - http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php - path: extensions/metasploit/ - class: Msf_module -msf_base_qry_common: - enable: true - msf: true - msf_key: unix/webapp/base_qry_common - name: BASE base_qry_common Remote File Include - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a remote file inclusion vulnerability in\n\ - \t\t\t\tthe base_qry_common.php file in BASE 1.2.4 and earlier.\n\ - \t\t\t" - authors: - - - CVE - - 2006-2685 - - - OSVDB - - "49366" - - - BID - - "18298" - path: extensions/metasploit/ - class: Msf_module -msf_trixbox_langchoice: - enable: true - msf: true - msf_key: unix/webapp/trixbox_langchoice - name: Trixbox langChoice PHP Local File Inclusion - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module injects php into the trixbox session file and then, in a second call, evaluates\n\ - \t\t\t\tthat code by manipulating the langChoice parameter as described in OSVDB-50421.\n\ - \t\t\t" - authors: [] - - path: extensions/metasploit/ - class: Msf_module -msf_redmine_scm_exec: - enable: true - msf: true - msf_key: unix/webapp/redmine_scm_exec - name: Redmine SCM Repository Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ - \t\t\t\tRedmine repository controller. The flaw is triggered when a rev parameter\n\ - \t\t\t\tis passed to the command line of the SCM tool without adequate filtering.\n\ - \t\t\t" - authors: - - - OSVDB - - "70090" - - - URL - - http://www.redmine.org/news/49 - path: extensions/metasploit/ - class: Msf_module -msf_heap_noir: - enable: true - msf: true - msf_key: solaris/dtspcd/heap_noir - name: Solaris dtspcd Heap Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is a port of noir's dtspcd exploit. This module should\n\ - \t\t\t\twork against any vulnerable version of Solaris 8 (sparc).\n\ - \t\t\t\tThe original exploit code was published in the book\n\ - \t\t\t\tShellcoder's Handbook.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0803 - - - OSVDB - - "4503" - - - BID - - "3517" - - - URL - - http://www.cert.org/advisories/CA-2001-31.html - - - URL - - http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip - path: extensions/metasploit/ - class: Msf_module -msf_ttyprompt: - enable: true - msf: true - msf_key: solaris/telnet/ttyprompt - name: Solaris in.telnetd TTYPROMPT Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module uses a buffer overflow in the Solaris 'login'\n\ - \t\t\tapplication to bypass authentication in the telnet daemon.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0797 - - - OSVDB - - "690" - - - BID - - "5531" - path: extensions/metasploit/ - class: Msf_module -msf_fuser: - enable: true - msf: true - msf_key: solaris/telnet/fuser - name: Sun Solaris Telnet Remote Authentication Bypass Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits the argument injection vulnerabilty\n\ - \t\t\t\tin the telnet daemon (in.telnetd) of Solaris 10 and 11.\n\ - \t\t\t" - authors: - - - CVE - - 2007-0882 - - - OSVDB - - "31881" - - - BID - - "22512" - path: extensions/metasploit/ - class: Msf_module -msf_trans2open: - enable: true - msf: true - msf_key: freebsd/samba/trans2open - name: Samba trans2open Overflow (*BSD x86) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits the buffer overflow found in Samba versions\n\ - \t\t\t\t2.2.0 to 2.2.8. This particular module is capable of\n\ - \t\t\t\texploiting the flaw on x86 Linux systems that do not\n\ - \t\t\t\thave the noexec stack option set.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0201 - - - OSVDB - - "4469" - - - BID - - "7294" - - - URL - - http://seclists.org/bugtraq/2003/Apr/103 - path: extensions/metasploit/ - class: Msf_module -msf_lsa_transnames_heap: - enable: true - msf: true - msf_key: osx/samba/lsa_transnames_heap - name: Samba lsa_io_trans_names Heap Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module triggers a heap overflow in the LSA RPC service\n\ - \t\t\tof the Samba daemon. This module uses the szone_free() to overwrite\n\ - \t\t\tthe size() or free() pointer in initial_malloc_zones structure.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2446 - - - OSVDB - - "34699" - path: extensions/metasploit/ - class: Msf_module -msf_sadmind_adm_build_path: - enable: true - msf: true - msf_key: solaris/sunrpc/sadmind_adm_build_path - name: Sun Solaris sadmind adm_build_path() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow vulnerability in adm_build_path()\n\ - \t\t\t\tfunction of sadmind daemon.\n\n\ - \t\t\t\tThe distributed system administration daemon (sadmind) is the daemon used by\n\ - \t\t\t\tSolstice AdminSuite applications to perform distributed system administration\n\ - \t\t\t\toperations.\n\n\ - \t\t\t\tThe sadmind daemon is started automatically by the inetd daemon whenever a\n\ - \t\t\t\trequest to invoke an operation is received. The sadmind daemon process\n\ - \t\t\t\tcontinues to run for 15 minutes after the last request is completed, unless a\n\ - \t\t\t\tdifferent idle-time is specified with the -i command line option. The sadmind\n\ - \t\t\t\tdaemon may be started independently from the command line, for example, at\n\ - \t\t\t\tsystem boot time. In this case, the -i option has no effect; sadmind continues\n\ - \t\t\t\tto run, even if there are no active requests.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4556 - - - OSVDB - - "49111" - - - URL - - http://risesecurity.org/advisories/RISE-2008001.txt - path: extensions/metasploit/ - class: Msf_module -msf_sadmind_exec: - enable: true - msf: true - msf_key: solaris/sunrpc/sadmind_exec - name: Solaris sadmind Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploit targets a weakness in the default security\n\ - \t\t\t\tsettings of the sadmind RPC application. This server is\n\ - \t\t\t\tinstalled and enabled by default on most versions of the\n\ - \t\t\t\tSolaris operating system.\n\n\ - \t\t\t\tVulnerable systems include solaris 2.7, 8, and 9\n\ - \t\t\t" - authors: - - - CVE - - 2003-0722 - - - OSVDB - - "4585" - - - BID - - "8615" - - - URL - - http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html - path: extensions/metasploit/ - class: Msf_module -msf_ypupdated_exec: - enable: true - msf: true - msf_key: solaris/sunrpc/ypupdated_exec - name: Solaris ypupdated Command Execution - category: Metasploit - description: "\n\ - \t\t\t\tThis exploit targets a weakness in the way the ypupdated RPC\n\ - \t\t\t\tapplication uses the command shell when handling a MAP UPDATE\n\ - \t\t\t\trequest. Extra commands may be launched through this command\n\ - \t\t\t\tshell, which runs as root on the remote host, by passing\n\ - \t\t\t\tcommands in the format '|'.\n\n\ - \t\t\t\tVulnerable systems include Solaris 2.7, 8, 9, and 10, when\n\ - \t\t\t\typupdated is started with the '-i' command-line option.\n\ - \t\t\t" - authors: - - - CVE - - 1999-0209 - - - OSVDB - - "11517" - - - BID - - "1749" - path: extensions/metasploit/ - class: Msf_module -msf_sendmail_exec: - enable: true - msf: true - msf_key: solaris/lpd/sendmail_exec - name: Solaris LPD Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution flaw in\n\ - \t\t\t\tthe in.lpd service shipped with all versions of Sun Solaris\n\ - \t\t\t\tup to and including 8.0. This module uses a technique\n\ - \t\t\t\tdiscovered by Dino Dai Zovi to exploit the flaw without\n\ - \t\t\t\tneeding to know the resolved name of the attacking system.\n\ - \t\t\t" - authors: - - - CVE - - 2001-1583 - - - OSVDB - - "15131" - - - BID - - "3274" - path: extensions/metasploit/ - class: Msf_module -msf_gld_postfix: - enable: true - msf: true - msf_key: linux/misc/gld_postfix - name: GLD (Greylisting Daemon) Postfix Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the Salim Gasmi\n\ - \t\t\t\tGLD <= 1.4 greylisting daemon for Postfix. By sending an\n\ - \t\t\t\toverly long string the stack can be overwritten.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1099 - - - OSVDB - - "15492" - - - BID - - "13129" - - - URL - - http://www.milw0rm.com/exploits/934 - path: extensions/metasploit/ - class: Msf_module -msf_ib_inet_connect: - enable: true - msf: true - msf_key: linux/misc/ib_inet_connect - name: Borland InterBase INET_connect() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted service attach request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38605" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_netsupport_manager_agent: - enable: true - msf: true - msf_key: linux/misc/netsupport_manager_agent - name: NetSupport Manager Agent Remote Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in NetSupport Manager Agent. It\n\ - \t\t\t\tuses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.\n\ - \t\t\t" - authors: - - - CVE - - 2011-0404 - - - OSVDB - - "70408" - - - BID - - "45728" - - - URL - - http://seclists.org/fulldisclosure/2011/Jan/90 - - - URL - - http://www.exploit-db.com/exploits/15937/ - path: extensions/metasploit/ - class: Msf_module -msf_lprng_format_string: - enable: true - msf: true - msf_key: linux/misc/lprng_format_string - name: LPRng use_syslog Remote Format String Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a format string vulnerability in the LPRng print server.\n\ - \t\t\t\tThis vulnerability was discovered by Chris Evans. There was a publicly\n\ - \t\t\t\tcirculating worm targeting this vulnerability, which prompted RedHat to pull\n\ - \t\t\t\ttheir 7.0 release. They consequently re-released it as \"7.0-respin\".\n\ - \t\t\t" - authors: - - - CVE - - 2000-0917 - - - OSVDB - - "421" - - - BID - - "1712" - - - US-CERT-VU - - "382365" - - - URL - - http://www.cert.org/advisories/CA-2000-22.html - - - URL - - https://bugzilla.redhat.com/show_bug.cgi?id=17756 - - - URL - - http://www.exploit-db.com/exploits/226 - - - URL - - http://www.exploit-db.com/exploits/227 - - - URL - - http://www.exploit-db.com/exploits/230 - path: extensions/metasploit/ - class: Msf_module -msf_ib_open_marker_file: - enable: true - msf: true - msf_key: linux/misc/ib_open_marker_file - name: Borland InterBase open_marker_file() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted attach request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5244 - - - OSVDB - - "38610" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_accellion_fta_mpipe2: - enable: true - msf: true - msf_key: linux/misc/accellion_fta_mpipe2 - name: Accellion File Transfer Appliance MPIPE2 Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a chain of vulnerabilities in the Accellion \n\ - \t\t\t\tFile Transfer appliance. This appliance exposes a UDP service on \n\ - \t\t\t\tport 8812 that acts as a gateway to the internal communication bus. \n\ - \t\t\t\tThis service uses Blowfish encryption for authentication, but the \n\ - \t\t\t\tappliance ships with two easy to guess default authentication keys. \n\ - \t\t\t\tThis module abuses the known default encryption keys to inject a \n\ - \t\t\t\tmessage into the communication bus. In order to execute arbitrary \n\ - \t\t\t\tcommands on the remote appliance, a message is injected into the bus \n\ - \t\t\t\tdestined for the 'matchrep' service. This service exposes a function \n\ - \t\t\t\tnamed 'insert_plugin_meta_info' which is vulnerable to an input \n\ - \t\t\t\tvalidation flaw in a call to system(). This provides access to the \n\ - \t\t\t\t'soggycat' user account, which has sudo privileges to run the \n\ - \t\t\t\tprimary admin tool as root. These two flaws are fixed in update\n\ - \t\t\t\tversion FTA_8_0_562.\t\n\ - \t\t\t" - authors: - - - OSVDB - - "71362" - - - OSVDB - - "71363" - - - URL - - http://www.rapid7.com/security-center/advisories/R7-0039.jsp - path: extensions/metasploit/ - class: Msf_module -msf_ib_pwd_db_aliased: - enable: true - msf: true - msf_key: linux/misc/ib_pwd_db_aliased - name: Borland InterBase PWD_db_aliased() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted attach request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38607" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_drb_remote_codeexec: - enable: true - msf: true - msf_key: linux/misc/drb_remote_codeexec - name: Distributed Ruby Send instance_eval/syscall Code Execution - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits remote code execution vulnerabilities in dRuby\n\ - \t\t\t" - authors: [] - - path: extensions/metasploit/ - class: Msf_module -msf_ib_jrd8_create_database: - enable: true - msf: true - msf_key: linux/misc/ib_jrd8_create_database - name: Borland InterBase jrd8_create_database() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted create request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38606" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_hplip_hpssd_exec: - enable: true - msf: true - msf_key: linux/misc/hplip_hpssd_exec - name: hplip hpssd.py From Address Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a command execution vulnerable in the hpssd.py\n\ - \t\t\t\tdaemon of the Hewlett-Packard Linux Imaging and Printing Project.\n\ - \t\t\t\tAccording to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable.\n\n\ - \t\t\t\tThis module was written and tested using the Fedora 6 Linux distribution.\n\ - \t\t\t\tOn the test system, the daemon listens on localhost only and runs with\n\ - \t\t\t\troot privileges. Although the configuration shows the daemon is to\n\ - \t\t\t\tlisten on port 2207, it actually listens on a dynamic port.\n\n\ - \t\t\t\tNOTE: If the target system does not have a 'sendmail' command installed,\n\ - \t\t\t\tthis vulnerability cannot be exploited.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5208 - - - OSVDB - - "41693" - - - BID - - "26054" - - - URL - - https://bugzilla.redhat.com/show_bug.cgi?id=319921 - - - URL - - https://bugzilla.redhat.com/attachment.cgi?id=217201&action=edit - path: extensions/metasploit/ - class: Msf_module -msf_mysql_yassl_getname: - enable: true - msf: true - msf_key: linux/mysql/mysql_yassl_getname - name: MySQL yaSSL CertDecoder::GetName Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the yaSSL (1.9.8 and earlier)\n\ - \t\t\t\timplementation bundled with MySQL. By sending a specially crafted\n\ - \t\t\t\tclient certificate, an attacker can execute arbitrary code.\n\n\ - \t\t\t\tThis vulnerability is present within the CertDecoder::GetName function inside\n\ - \t\t\t\t\"taocrypt/src/asn.cpp\". However, the stack buffer that is written to exists\n\ - \t\t\t\twithin a parent function's stack frame.\n\n\ - \t\t\t\tNOTE: This vulnerability requires a non-default configuration. First, the attacker\n\ - \t\t\t\tmust be able to pass the host-based authentication. Next, the server must be\n\ - \t\t\t\tconfigured to listen on an accessible network interface. Lastly, the server\n\ - \t\t\t\tmust have been manually configured to use SSL.\n\n\ - \t\t\t\tThe binary from version 5.5.0-m2 was built with /GS and /SafeSEH. During testing\n\ - \t\t\t\ton Windows XP SP3, these protections successfully prevented exploitation.\n\n\ - \t\t\t\tTesting was also done with mysql on Ubuntu 9.04. Although the vulnerable code is\n\ - \t\t\t\tpresent, both version 5.5.0-m2 built from source and version 5.0.75 from a binary\n\ - \t\t\t\tpackage were not exploitable due to the use of the compiler's FORTIFY feature.\n\n\ - \t\t\t\tAlthough suse11 was mentioned in the original blog post, the binary package they\n\ - \t\t\t\tprovide does not contain yaSSL or support SSL.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4484 - - - BID - - "37640" - - - BID - - "37943" - - - BID - - "37974" - - - OSVDB - - "61956" - - - URL - - http://secunia.com/advisories/38344/ - - - URL - - http://intevydis.blogspot.com/2010/01/mysq-yassl-stack-overflow.html - path: extensions/metasploit/ - class: Msf_module -msf_mysql_yassl_hello: - enable: true - msf: true - msf_key: windows/mysql/mysql_yassl_hello - name: MySQL yaSSL SSL Hello Message Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the yaSSL (1.7.5 and earlier)\n\ - \t\t\t\timplementation bundled with MySQL <= 6.0. By sending a specially crafted\n\ - \t\t\t\tHello packet, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0226 - - - OSVDB - - "41195" - - - BID - - "27140" - path: extensions/metasploit/ - class: Msf_module -msf_proftp_telnet_iac: - enable: true - msf: true - msf_key: freebsd/ftp/proftp_telnet_iac - name: ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in versions of ProFTPD\n\ - \t\t\t\tserver between versions 1.3.2rc3 and 1.3.3b. By sending data containing a\n\ - \t\t\t\tlarge number of Telnet IAC commands, an attacker can corrupt memory and\n\ - \t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-4221 - - - OSVDB - - "68985" - - - BID - - "44562" - path: extensions/metasploit/ - class: Msf_module -msf_proftp_sreplace: - enable: true - msf: true - msf_key: linux/ftp/proftp_sreplace - name: ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in versions 1.2 through\n\ - \t\t\t\t1.3.0 of ProFTPD server. The vulnerability is within the \"sreplace\" function\n\ - \t\t\t\twithin the \"src/support.c\" file.\n\n\ - \t\t\t\tThe off-by-one heap overflow bug in the ProFTPD sreplace function has been\n\ - \t\t\t\tdiscovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit\n\ - \t\t\t\tthis off-by-one bug via MKD command, but failed. We did not work on this bug\n\ - \t\t\t\tsince then.\n\n\ - \t\t\t\tActually, there are exists at least two bugs in sreplace function, one is the\n\ - \t\t\t\tmentioned off-by-one heap overflow bug the other is a stack-based buffer overflow\n\ - \t\t\t\tvia 'sstrncpy(dst,src,negative argument)'.\n\n\ - \t\t\t\tWe were unable to reach the \"sreplace\" stack bug on ProFTPD 1.2.10 stable\n\ - \t\t\t\tversion, but the version 1.3.0rc3 introduced some interesting changes, among them:\n\n\ - \t\t\t\t1. another (integer) overflow in sreplace!\n\ - \t\t\t\t2. now it is possible to reach sreplace stack-based buffer overflow bug via\n\ - \t\t\t\t\tthe \"pr_display_file\" function!\n\ - \t\t\t\t3. stupid '.message' file display bug\n\n\ - \t\t\t\tSo we decided to choose ProFTPD 1.3.0 as a target for our exploit.\n\ - \t\t\t\tTo reach the bug, you need to upload a specially created .message file to a\n\ - \t\t\t\twriteable directory, then do \"CWD \" to trigger the invocation\n\ - \t\t\t\tof sreplace function.\n\n\ - \t\t\t\tNote that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message'\n\ - \t\t\t\tfile you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.\n\n\ - \t\t\t\tThe exploit is a part of VulnDisco Pack since Dec 2005.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5815 - - - OSVDB - - "68985" - - - BID - - "20992" - - - URL - - http://seclists.org/bugtraq/2006/Nov/94 - - - URL - - http://seclists.org/bugtraq/2006/Nov/538 - - - URL - - http://bugs.proftpd.org/show_bug.cgi?id=2858 - - - URL - - http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?view=diff&r1=text&tr1=1.292&r2=text&tr2=1.294&diff_format=h - path: extensions/metasploit/ - class: Msf_module -msf_imap_uw_lsub: - enable: true - msf: true - msf_key: linux/imap/imap_uw_lsub - name: UoW IMAP server LSUB Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the 'LSUB'\n\ - \t\t\t\tcommand of the University of Washington IMAP service.\n\ - \t\t\t\tThis vulnerability can only be exploited with a valid username\n\ - \t\t\t\tand password.\n\ - \t\t\t" - authors: - - - CVE - - 2000-0284 - - - OSVDB - - "12037" - - - BID - - "1110" - - - URL - - http://www.milw0rm.com/exploits/284 - path: extensions/metasploit/ - class: Msf_module -msf_squid_ntlm_authenticate: - enable: true - msf: true - msf_key: linux/proxy/squid_ntlm_authenticate - name: Squid NTLM Authenticate Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for Squid\\'s NTLM authenticate overflow\n\ - \t\t\t\t(libntlmssp.c). Due to improper bounds checking in\n\ - \t\t\t\tntlm_check_auth, it is possible to overflow the 'pass'\n\ - \t\t\t\tvariable on the stack with user controlled data of a user\n\ - \t\t\t\tdefined length. Props to iDEFENSE for the advisory.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0541 - - - OSVDB - - "6791" - - - URL - - http://www.idefense.com/application/poi/display?id=107 - - - BID - - "10500" - path: extensions/metasploit/ - class: Msf_module -msf_alcatel_omnipcx_mastercgi_exec: - enable: true - msf: true - msf_key: linux/http/alcatel_omnipcx_mastercgi_exec - name: Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\ - \t\t\t\tHTTP management interface of the Alcatel-Lucent OmniPCX Enterprise\n\ - \t\t\t\tCommunication Server 7.1 and earlier. The Unified Maintenance Tool\n\ - \t\t\t\tcontains a 'masterCGI' binary which allows an unauthenticated attacker\n\ - \t\t\t\tto execute arbitrary commands by specifing shell metacharaters as the\n\ - \t\t\t\t'user' within the 'ping' action to obtain 'httpd' user access. This\n\ - \t\t\t\tmodule only supports command line payloads, as the httpd process kills\n\ - \t\t\t\tthe reverse/bind shell spawn after the HTTP 200 OK response.\n\ - \t\t\t" - authors: - - - OSVDB - - "40521" - - - BID - - "25694" - - - CVE - - 2007-3010 - - - URL - - http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm - path: extensions/metasploit/ - class: Msf_module -msf_piranha_passwd_exec: - enable: true - msf: true - msf_key: linux/http/piranha_passwd_exec - name: RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\tThis module abuses two flaws - a metacharacter injection vulnerability in the\n\ - \t\t\t\tHTTP management server of RedHat 6.2 systems running the Piranha\n\ - \t\t\t\tLVS cluster service and GUI (rpm packages: piranha and piranha-gui).\n\ - \t\t\t\tThe vulnerability allows an authenticated attacker to execute arbitrary\n\ - \t\t\t\tcommands as the Apache user account (nobody) within the\n\ - \t\t\t\t/piranha/secure/passwd.php3 script. The package installs with a default\n\ - \t\t\t\tuser and password of piranha:q which was exploited in the wild.\n\ - \t\t\t" - authors: - - - CVE - - 2000-0248 - - - OSVDB - - "289" - - - BID - - "1148" - - - CVE - - 2000-0322 - - - OSVDB - - "1300" - - - BID - - "1149" - path: extensions/metasploit/ - class: Msf_module -msf_linksys_apply_cgi: - enable: true - msf: true - msf_key: linux/http/linksys_apply_cgi - name: Linksys WRT54 Access Point apply.cgi Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in apply.cgi on the Linksys WRT54G and WRT54GS routers.\n\ - \t\t\t\tAccording to iDefense who discovered this vulnerability, all WRT54G versions prior to\n\ - \t\t\t\t4.20.7 and all WRT54GS version prior to 1.05.2 may be be affected.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2799 - - - OSVDB - - "19389" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=305 - path: extensions/metasploit/ - class: Msf_module -msf_ddwrt_cgibin_exec: - enable: true - msf: true - msf_key: linux/http/ddwrt_cgibin_exec - name: DD-WRT HTTP Daemon Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\n\ - \t\t\t\tHTTP management server of wireless gateways running DD-WRT. This flaw\n\ - \t\t\t\tallows an unauthenticated attacker to execute arbitrary commands as\n\ - \t\t\t\tthe root user account.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2765 - - - OSVDB - - "55990" - - - BID - - "35742" - - - URL - - http://www.milw0rm.com/exploits/9209 - path: extensions/metasploit/ - class: Msf_module -msf_gpsd_format_string: - enable: true - msf: true - msf_key: linux/http/gpsd_format_string - name: Berlios GPSD Format String Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a format string vulnerability in the Berlios GPSD server.\n\ - \t\t\t\tThis vulnerability was discovered by Kevin Finisterre.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1388 - - - OSVDB - - "13199" - - - BID - - "12371" - - - URL - - http://www.securiteam.com/unixfocus/5LP0M1PEKK.html - path: extensions/metasploit/ - class: Msf_module -msf_peercast_url: - enable: true - msf: true - msf_key: windows/http/peercast_url - name: PeerCast <= 0.1216 URL Handling Buffer Overflow (win32) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in PeerCast <= v0.1216.\n\ - \t\t\t\tThe vulnerability is caused due to a boundary error within the\n\ - \t\t\t\thandling of URL parameters.\n\ - \t\t\t" - authors: - - - CVE - - 2006-1148 - - - OSVDB - - "23777" - - - BID - - "17040" - - - URL - - http://www.infigo.hr/in_focus/INFIGO-2006-03-01 - path: extensions/metasploit/ - class: Msf_module -msf_poptop_negative_read: - enable: true - msf: true - msf_key: linux/pptp/poptop_negative_read - name: Poptop Negative Read Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for the Poptop negative read overflow. This will\n\ - \t\t\t\twork against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I\n\ - \t\t\t\tcurrently do not have a good way to detect Poptop versions.\n\n\ - \t\t\t\tThe server will by default only allow 4 concurrent manager processes\n\ - \t\t\t\t(what we run our code in), so you could have a max of 4 shells at once.\n\n\ - \t\t\t\tUsing the current method of exploitation, our socket will be closed\n\ - \t\t\t\tbefore we have the ability to run code, preventing the use of Findsock.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0213 - - - OSVDB - - "3293" - - - URL - - http://securityfocus.com/archive/1/317995 - - - URL - - http://www.freewebs.com/blightninjas/ - path: extensions/metasploit/ - class: Msf_module -msf_cyrus_pop3d_popsubfolders: - enable: true - msf: true - msf_key: linux/pop3/cyrus_pop3d_popsubfolders - name: Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploit takes advantage of a stack based overflow. Once the stack\n\ - \t\t\t\tcorruption has occured it is possible to overwrite a pointer which is\n\ - \t\t\t\tlater used for a memcpy. This gives us a write anything anywhere condition\n\ - \t\t\t\tsimilar to a format string vulnerability.\n\n\ - \t\t\t\tNOTE: The popsubfolders option is a non-default setting.\n\n\ - \t\t\t\tI chose to overwrite the GOT with my shellcode and return to it. This\n\ - \t\t\t\tdefeats the VA random patch and possibly other stack protection features.\n\n\ - \t\t\t\tTested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with\n\ - \t\t\t\ta version containing the vulnerable code, it is not exploitable due to the\n\ - \t\t\t\tuse of the FORTIFY_SOURCE compiler enhancement\n\ - \t\t\t" - authors: - - - CVE - - 2006-2502 - - - OSVDB - - "25853" - - - BID - - "18056" - - - URL - - http://www.exploit-db.com/exploits/2053 - - - URL - - http://www.exploit-db.com/exploits/2185 - - - URL - - http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html - path: extensions/metasploit/ - class: Msf_module -msf_madwifi_giwscan_cb: - enable: true - msf: true - msf_key: linux/madwifi/madwifi_giwscan_cb - name: Madwifi SIOCGIWSCAN Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThe Madwifi driver under Linux is vulnerable to a remote kernel-mode\n\ - \t\t\t\tstack-based buffer overflow.\n\n\ - \t\t\t\tThe vulnerability is triggered by one of these properly crafted\n\ - \t\t\t\tinformation element: WPA, RSN, WME and Atheros OUI Current madwifi\n\ - \t\t\t\tdriver (0.9.2) and and all madwifi-ng drivers since r1504 are\n\ - \t\t\t\tvulnerable\n\n\ - \t\t\t\tMadwifi 0.9.2.1 release corrects the issue.\n\n\ - \t\t\t\tThis module has been tested against Ubuntu 6.10 and is 100% reliable,\n\ - \t\t\t\tdoesn\\'t crash the Wifi stack and can exploit the same machine multiple\n\ - \t\t\t\ttime without the need to reboot it.\n\n\ - \t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux\n\ - \t\t\t\tplatform with a supported wireless card. Please see the Ruby Lorcon2\n\ - \t\t\t\tdocumentation (external/ruby-lorcon/README) for more information.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6332 - - - OSVDB - - "31267" - - - URL - - http://www.madwifi.org - path: extensions/metasploit/ - class: Msf_module -msf_chain_reply: - enable: true - msf: true - msf_key: linux/samba/chain_reply - name: Samba chain_reply Memory Corruption (Linux x86) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a memory corruption vulnerability present in Samba versions\n\ - \t\t\t\tprior to 3.3.13. When handling chained response packets, Samba fails to validate\n\ - \t\t\t\tthe offset value used when building the next part. By setting this value to a\n\ - \t\t\t\tnumber larger than the destination buffer size, an attacker can corrupt memory.\n\ - \t\t\t\tAdditionally, setting this value to a value smaller than 'smb_wct' (0x24) will\n\ - \t\t\t\tcause the header of the input buffer chunk to be corrupted.\n\n\ - \t\t\t\tAfter close inspection, it appears that 3.0.x versions of Samba are not\n\ - \t\t\t\texploitable. Since they use an \"InputBuffer\" size of 0x20441, an attacker cannot\n\ - \t\t\t\tcause memory to be corrupted in an exploitable way. It is possible to corrupt the\n\ - \t\t\t\theap header of the \"InputBuffer\", but it didn't seem possible to get the chunk\n\ - \t\t\t\tto be processed again prior to process exit.\n\n\ - \t\t\t\tIn order to gain code execution, this exploit attempts to overwrite a \"talloc\n\ - \t\t\t\tchunk\" destructor function pointer.\n\n\ - \t\t\t\tThis particular module is capable of exploiting the flaw on x86 Linux systems\n\ - \t\t\t\tthat do not have the nx memory protection.\n\n\ - \t\t\t\tNOTE: It is possible to make exploitation attempts indefinitely since Samba forks\n\ - \t\t\t\tfor user sessions in the default configuration.\n\ - \t\t\t" - authors: - - - CVE - - 2010-2063 - - - OSVDB - - "65518" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=873 - path: extensions/metasploit/ - class: Msf_module -msf_snortbopre: - enable: true - msf: true - msf_key: linux/ids/snortbopre - name: Snort Back Orifice Pre-Preprocessor Remote Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Back Orifice pre-processor module\n\ - \t\t\t\tincluded with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could\n\ - \t\t\t\tbe used to completely compromise a Snort sensor, and would typically gain an attacker\n\ - \t\t\t\tfull root or administrative privileges.\n\ - \t\t\t" - authors: - - - CVE - - 2005-3252 - - - OSVDB - - "20034" - - - BID - - "15131" - - - URL - - http://xforce.iss.net/xforce/alerts/id/207 - path: extensions/metasploit/ - class: Msf_module -msf_ut2004_secure: - enable: true - msf: true - msf_key: windows/games/ut2004_secure - name: Unreal Tournament 2004 "secure" Overflow (Win32) - category: Metasploit - description: "\n\n\ - \t\t\tThis is an exploit for the GameSpy secure query in\n\ - \t\t\tthe Unreal Engine.\n\n\ - \t\t\tThis exploit only requires one UDP packet, which can\n\ - \t\t\tbe both spoofed and sent to a broadcast address.\n\ - \t\t\tUsually, the GameSpy query server listens on port 7787,\n\ - \t\t\tbut you can manually specify the port as well.\n\n\ - \t\t\tThe RunServer.sh script will automatically restart the\n\ - \t\t\tserver upon a crash, giving us the ability to\n\ - \t\t\tbruteforce the service and exploit it multiple\n\ - \t\t\ttimes.\n\n\ - \t\t\t" - authors: - - - CVE - - 2004-0608 - - - OSVDB - - "7217" - - - BID - - "10570" - path: extensions/metasploit/ - class: Msf_module -msf_upnp_location: - enable: true - msf: true - msf_key: osx/mdns/upnp_location - name: Mac OS X mDNSResponder UPnP Location Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow that occurs when processing\n\ - \t\t\t\tspecially crafted requests set to mDNSResponder. All Mac OS X systems\n\ - \t\t\t\tbetween version 10.4 and 10.4.9 (without the 2007-005 patch) are\n\ - \t\t\t\taffected.\n\ - \t\t\t" - authors: - - - OSVDB - - "35142" - - - CVE - - 2007-2386 - - - BID - - "24144" - - - URL - - http://support.apple.com/kb/TA24732 - path: extensions/metasploit/ - class: Msf_module -msf_ufo_ai: - enable: true - msf: true - msf_key: windows/misc/ufo_ai - name: "UFO: Alien Invasion IRC Client Buffer Overflow Exploit" - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the IRC client component of\n\ - \t\t\t\tUFO: Alien Invasion 2.2.1.\n\ - \t\t\t" - authors: - - - OSVDB - - "65689" - - - URL - - http://www.exploit-db.com/exploits/14013 - path: extensions/metasploit/ - class: Msf_module -msf_safari_libtiff: - enable: true - msf: true - msf_key: osx/armle/safari_libtiff - name: iPhone MobileSafari LibTIFF Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the version of\n\ - \t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n\ - \t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n\ - \t\t\t\ttools installed will need to use a special payload.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3459 - - - OSVDB - - "27723" - - - BID - - "19283" - path: extensions/metasploit/ - class: Msf_module -msf_safari_metadata_archive: - enable: true - msf: true - msf_key: osx/browser/safari_metadata_archive - name: Safari Archive Metadata Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in Safari's \"Safe file\" feature, which will\n\ - \t\t\t\tautomatically open any file with one of the allowed extensions. This can be abused\n\ - \t\t\t\tby supplying a zip file, containing a shell script, with a metafile indicating\n\ - \t\t\t\tthat the file should be opened by Terminal.app. This module depends on\n\ - \t\t\t\tthe 'zip' command-line utility.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0848 - - - OSVDB - - "23510" - - - BID - - "16736" - path: extensions/metasploit/ - class: Msf_module -msf_software_update: - enable: true - msf: true - msf_key: osx/browser/software_update - name: Apple OS X Software Update Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a feature in the Distribution Packages,\n\ - \t\t\t\twhich are used in the Apple Software Update mechanism. This feature\n\ - \t\t\t\tallows for arbitrary command execution through JavaScript. This exploit\n\ - \t\t\t\tprovides the malicious update server. Requests must be redirected to\n\ - \t\t\t\tthis server by other means for this exploit to work.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5863 - - - OSVDB - - "40722" - path: extensions/metasploit/ - class: Msf_module -msf_webstar_ftp_user: - enable: true - msf: true - msf_key: osx/ftp/webstar_ftp_user - name: WebSTAR FTP Server USER Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the logging routine\n\ - \t\t\t\tof the WebSTAR FTP server. Reliable code execution is\n\ - \t\t\t\tobtained by a series of hops through the System library.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0695 - - - OSVDB - - "7794" - - - BID - - "10720" - path: extensions/metasploit/ - class: Msf_module -msf_loginext: - enable: true - msf: true - msf_key: osx/afp/loginext - name: AppleFileServer LoginExt PathName Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the AppleFileServer service\n\ - \t\t\t\ton MacOS X. This vulnerability was originally reported by Atstake and\n\ - \t\t\t\twas actually one of the few useful advisories ever published by that\n\ - \t\t\t\tcompany. You only have one chance to exploit this bug.\n\ - \t\t\t\tThis particular exploit uses a stack-based return address that will\n\ - \t\t\t\tonly work under optimal conditions.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0430 - - - OSVDB - - "5762" - - - BID - - "10271" - path: extensions/metasploit/ - class: Msf_module -msf_evocam_webserver: - enable: true - msf: true - msf_key: osx/http/evocam_webserver - name: MacOS X EvoCam HTTP GET Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the web server provided with the EvoCam\n\ - \t\t\t\tprogram for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload\n\ - \t\t\t\tfrom the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,\n\ - \t\t\t\t3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerablity.\n\ - \t\t\t" - authors: - - - CVE - - 2010-2309 - - - OSVDB - - "65043" - - - URL - - http://www.exploit-db.com/exploits/12835 - path: extensions/metasploit/ - class: Msf_module -msf_type77: - enable: true - msf: true - msf_key: windows/arkeia/type77 - name: Arkeia Backup Client Type 77 Overflow (Win32) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Arkeia backup\n\ - \t\t\t\tclient for the Windows platform. This vulnerability affects\n\ - \t\t\t\tall versions up to and including 5.3.3.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0491 - - - OSVDB - - "14011" - - - BID - - "12594" - - - URL - - http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html - path: extensions/metasploit/ - class: Msf_module -msf_quicktime_rtsp_content_type: - enable: true - msf: true - msf_key: osx/rtsp/quicktime_rtsp_content_type - name: MacOS X QuickTime RTSP Content-Type Overflow - category: Metasploit - description: No module description - authors: - - - CVE - - 2007-6166 - - - OSVDB - - "40876" - - - BID - - "26549" - path: extensions/metasploit/ - class: Msf_module -msf_mailapp_image_exec: - enable: true - msf: true - msf_key: osx/email/mailapp_image_exec - name: Mail.app Image Attachment Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a command execution vulnerability in the\n\ - \t\t\t\tMail.app application shipped with Mac OS X 10.5.0. This flaw was\n\ - \t\t\t\tpatched in 10.4 in March of 2007, but reintroduced into the final\n\ - \t\t\t\trelease of 10.5.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0395 - - - CVE - - 2007-6165 - - - OSVDB - - "40875" - - - BID - - "26510" - - - BID - - "16907" - path: extensions/metasploit/ - class: Msf_module -msf_mobilemail_libtiff: - enable: true - msf: true - msf_key: osx/email/mobilemail_libtiff - name: iPhone MobileMail LibTIFF Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the version of\n\ - \t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n\ - \t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n\ - \t\t\t\ttools installed will need to use a special payload.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3459 - - - OSVDB - - "27723" - - - BID - - "19283" - path: extensions/metasploit/ - class: Msf_module -msf_manyargs: - enable: true - msf: true - msf_key: dialup/multi/login/manyargs - name: System V Derived /bin/login Extraneous Arguments Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploit connects to a system's modem over dialup and exploits\n\ - \t\t\t\ta buffer overlflow vulnerability in it's System V derived /bin/login.\n\ - \t\t\t\tThe vulnerability is triggered by providing a large number of arguments.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0797 - - - OSVDB - - "690" - - - OSVDB - - "691" - - - BID - - "3681" - - - URL - - http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html - - - URL - - http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html - path: extensions/metasploit/ - class: Msf_module -msf_mercantec_softcart: - enable: true - msf: true - msf_key: bsdi/softcart/mercantec_softcart - name: Mercantec SoftCart CGI Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis is an exploit for an undisclosed buffer overflow\n\ - \t\t\t\tin the SoftCart.exe CGI as shipped with Mercantec's shopping\n\ - \t\t\t\tcart software. It is possible to execute arbitrary code\n\ - \t\t\t\tby passing a malformed CGI parameter in an HTTP GET\n\ - \t\t\t\trequest. This issue is known to affect SoftCart version\n\ - \t\t\t\t4.00b.\n\ - \t\t\t" - authors: - - - CVE - - 2004-2221 - - - OSVDB - - "9011" - - - BID - - "10926" - path: extensions/metasploit/ - class: Msf_module -msf_hagent_untrusted_hsdata: - enable: true - msf: true - msf_key: multi/wyse/hagent_untrusted_hsdata - name: Wyse Rapport Hagent Fake Hserver Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the Wyse Rapport Hagent service by pretending to\n\ - \t\t\t\tbe a legitimate server. This process involves starting both HTTP and\n\ - \t\t\t\tFTP services on the attacker side, then contacting the Hagent service of\n\ - \t\t\t\tthe target and indicating that an update is available. The target will\n\ - \t\t\t\tthen download the payload wrapped in an executable from the FTP service.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0695 - - - OSVDB - - "55839" - - - US-CERT-VU - - "654545" - - - URL - - http://snosoft.blogspot.com/ - - - URL - - http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/ - - - URL - - http://www.wyse.com/serviceandsupport/support/WSB09-01.zip - - - URL - - http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf - path: extensions/metasploit/ - class: Msf_module -msf_java_rmi_server: - enable: true - msf: true - msf_key: multi/misc/java_rmi_server - name: Java RMI Server Insecure Default Configuration Java Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module takes advantage of the default configuration of the RMI Registry and\n\ - \t\t\t\tRMI Activation services, which allow loading classes from any remote (HTTP) URL. As it\n\ - \t\t\t\tinvokes a method in the RMI Distributed Garbage Collector which is available via every\n\ - \t\t\t\tRMI endpoint, it can be used against both rmiregistry and rmid, and against most other\n\ - \t\t\t\t(custom) RMI endpoints as well.\n\n\ - \t\t\t\t\tNote that it does not work against Java Management Extension (JMX) ports since those do\n\ - \t\t\t\tnot support remote class loading, unless another RMI endpoint is active in the same\n\ - \t\t\t\tJava process.\n\ - \t\t\t\t\n\ - \t\t\t\t\tRMI method calls do not support or require any sort of authentication.\n\ - \t\t\t" - authors: - - - URL - - http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html - path: extensions/metasploit/ - class: Msf_module -msf_wireshark_lwres_getaddrbyname: - enable: true - msf: true - msf_key: multi/misc/wireshark_lwres_getaddrbyname - name: Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\n\ - \t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\n\ - \t\t\t\toverflow. This bug found and reported by babi.\n\n\ - \t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\n\ - \t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\n\n\ - \t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\n\ - \t\t\t\texploitation via the return address on the stack. Sending a larger string allows\n\ - \t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\n\ - \t\t\t\tfragmented, which may cause additional complications.\n\n\ - \t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\n\ - \t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\n\ - \t\t\t\texploit this issue.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0304 - - - OSVDB - - "61987" - - - BID - - "37985" - - - URL - - http://www.wireshark.org/security/wnpa-sec-2010-02.html - - - URL - - http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h - path: extensions/metasploit/ - class: Msf_module -msf_wireshark_lwres_getaddrbyname_loop: - enable: true - msf: true - msf_key: multi/misc/wireshark_lwres_getaddrbyname_loop - name: Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop) - category: Metasploit - description: "\n\ - \t\t\t\t\tThe LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through\n\ - \t\t\t\t1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer\n\ - \t\t\t\toverflow. This bug found and reported by babi.\n\n\ - \t\t\t\tThis particular exploit targets the dissect_getaddrsbyname_request function. Several\n\ - \t\t\t\tother functions also contain potentially exploitable stack-based buffer overflows.\n\n\ - \t\t\t\tThe Windows version (of 1.2.5 at least) is compiled with /GS, which prevents\n\ - \t\t\t\texploitation via the return address on the stack. Sending a larger string allows\n\ - \t\t\t\texploitation using the SEH bypass method. However, this packet will usually get\n\ - \t\t\t\tfragmented, which may cause additional complications.\n\n\ - \t\t\t\tNOTE: The vulnerable code is reached only when the packet dissection is rendered.\n\ - \t\t\t\tIf the packet is fragmented, all fragments must be captured and reassembled to\n\ - \t\t\t\texploit this issue.\n\n\ - \t\t\t\tThis version loops, sending the packet every X seconds until the job is killed.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0304 - - - OSVDB - - "61987" - - - BID - - "37985" - - - URL - - http://www.wireshark.org/security/wnpa-sec-2010-02.html - - - URL - - http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h - path: extensions/metasploit/ - class: Msf_module -msf_veritas_netbackup_cmdexec: - enable: true - msf: true - msf_key: multi/misc/veritas_netbackup_cmdexec - name: VERITAS NetBackup Remote Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows arbitrary command execution on an\n\ - \t\t\t\tephemeral port opened by Veritas NetBackup, whilst an\n\ - \t\t\t\tadministrator is authenticated. The port is opened and\n\ - \t\t\t\tallows direct console access as root or SYSTEM from\n\ - \t\t\t\tany source address.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1389 - - - OSVDB - - "11026" - - - BID - - "11494" - - - URL - - http://seer.support.veritas.com/docs/271727.htm - path: extensions/metasploit/ - class: Msf_module -msf_openview_omniback_exec: - enable: true - msf: true - msf_key: multi/misc/openview_omniback_exec - name: HP OpenView OmniBack II Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module uses a vulnerability in the OpenView Omniback II\n\ - \t\t\t\tservice to execute arbitrary commands. This vulnerability was\n\ - \t\t\t\tdiscovered by DiGiT and his code was used as the basis for this\n\ - \t\t\t\tmodule.\n\n\ - \t\t\t\tFor Microsoft Windows targets, due to module limitations, use the\n\ - \t\t\t\t\"unix/cmd/generic\" payload and set CMD to your command. You can only\n\ - \t\t\t\tpass a small amount of characters (4) to the command line on Windows.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0311 - - - OSVDB - - "6018" - - - BID - - "11032" - - - URL - - http://www.securiteam.com/exploits/6M00O150KG.html - path: extensions/metasploit/ - class: Msf_module -msf_zend_java_bridge: - enable: true - msf: true - msf_key: multi/misc/zend_java_bridge - name: Zend Server Java Bridge Arbitrary Java Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module takes advantage of a trust relationship issue within the\n\ - \t\t\t\tZend Server Java Bridge. The Java Bridge is responsible for handling interactions\n\ - \t\t\t\tbetween PHP and Java code within Zend Server. \n\ - \t\t\t\t\n\ - \t\t\t\t\tWhen Java code is encountered Zend Server communicates with the Java Bridge. The\n\ - \t\t\t\tJava Bridge then handles the java code and creates the objects within the Java Virtual\n\ - \t\t\t\tMachine. This interaction however, does not require any sort of authentication. This\n\ - \t\t\t\tleaves the JVM wide open to remote attackers. Sending specially crafted data to the\n\ - \t\t\t\tJava Bridge results in the execution of arbitrary java code.\n\ - \t\t\t" - authors: - - - OSVDB - - "71420" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-11-113/ - - - URL - - http://www.exploit-db.com/exploits/17078/ - path: extensions/metasploit/ - class: Msf_module -msf_php_unserialize_zval_cookie: - enable: true - msf: true - msf_key: multi/php/php_unserialize_zval_cookie - name: PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an integer overflow vulnerability in the unserialize()\n\ - \t\t\t\tfunction of the PHP web server extension. This vulnerability was patched by\n\ - \t\t\t\tStefan in version 4.5.0 and applies all previous versions supporting this function.\n\ - \t\t\t\tThis particular module targets numerous web applications and is based on the proof\n\ - \t\t\t\tof concept provided by Stefan Esser. This vulnerability requires approximately 900k\n\ - \t\t\t\tof data to trigger due the multiple Cookie headers requirement. Since we\n\ - \t\t\t\tare already assuming a fast network connection, we use a 2Mb block of shellcode for\n\ - \t\t\t\tthe brute force, allowing quick exploitation for those with fast networks.\n\n\ - \t\t\t\tOne of the neat things about this vulnerability is that on x86 systems, the EDI register points\n\ - \t\t\t\tinto the beginning of the hashtable string. This can be used with an egghunter to\n\ - \t\t\t\tquickly exploit systems where the location of a valid \"jmp EDI\" or \"call EDI\" instruction\n\ - \t\t\t\tis known. The EDI method is faster, but the bandwidth-intensive brute force used by this\n\ - \t\t\t\tmodule is more reliable across a wider range of systems.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1286 - - - OSVDB - - "32771" - - - URL - - http://www.php-security.org/MOPB/MOPB-04-2007.html - path: extensions/metasploit/ - class: Msf_module -msf_qtjava_pointer: - enable: true - msf: true - msf_key: multi/browser/qtjava_pointer - name: Apple QTJava toQTPointer() Arbitrary Memory Access - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits an arbitrary memory access vulnerability in the\n\ - \t\t\tQuicktime for Java API provided with Quicktime 7.\n\n\ - \t\t\t" - authors: - - - CVE - - 2007-2175 - - - OSVDB - - "34178" - - - BID - - "23608" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-07-023.html - path: extensions/metasploit/ - class: Msf_module -msf_java_signed_applet: - enable: true - msf: true - msf_key: multi/browser/java_signed_applet - name: Java Signed Applet Social Engineering Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploit dynamically creates a .jar file via the\n\ - \t\t\t\tMsf::Exploit::Java mixin, then signs the it. The resulting\n\ - \t\t\t\tsigned applet is presented to the victim via a web page with\n\ - \t\t\t\tan applet tag. The victim's JVM will pop a dialog asking if\n\ - \t\t\t\tthey trust the signed applet.\n\ - \t\t\t\t\n\ - \t\t\t\tOn older versions the dialog will display the value of CERTCN\n\ - \t\t\t\tin the \"Publisher\" line. Newer JVMs display \"UNKNOWN\" when the\n\ - \t\t\t\tsignature is not trusted (i.e., it's not signed by a trusted\n\ - \t\t\t\tCA). The SigningCert option allows you to provide a trusted\n\ - \t\t\t\tcode signing cert, the values in which will override CERTCN.\n\ - \t\t\t\tIf SigningCert is not given, a randomly generated self-signed\n\ - \t\t\t\tcert will be used.\n\n\ - \t\t\t\tEither way, once the user clicks \"run\", the applet executes\n\ - \t\t\t\twith full user permissions.\n\ - \t\t\t" - authors: - - - URL - - http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf - - - URL - - http://www.spikezilla-software.com/blog/?p=21 - path: extensions/metasploit/ - class: Msf_module -msf_opera_historysearch: - enable: true - msf: true - msf_key: multi/browser/opera_historysearch - name: Opera historysearch XSS - category: Metasploit - description: "\n\ - \t\t\t\t\tCertain constructs are not escaped correctly by Opera's History\n\ - \t\t\t\tSearch results. These can be used to inject scripts into the\n\ - \t\t\t\tpage, which can then be used to modify configuration settings\n\ - \t\t\t\tand execute arbitrary commands. Affects Opera versions between\n\ - \t\t\t\t9.50 and 9.61.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4696 - - - OSVDB - - "49472" - - - BID - - "31869" - - - URL - - http://www.opera.com/support/kb/view/903/ - path: extensions/metasploit/ - class: Msf_module -msf_java_trusted_chain: - enable: true - msf: true - msf_key: multi/browser/java_trusted_chain - name: Java Statement.invoke() Trusted Method Chain Exploit - category: Metasploit - description: "\n\ - \t\t\tThis module exploits a vulnerability in Java Runtime Environment\n\ - \t\t\tthat allows an untrusted method to run in a privileged context. The\n\ - \t\t\tvulnerability affects version 6 prior to update 19 and version 5\n\ - \t\t\tprior to update 23.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0840 - - - OSVDB - - "63483" - - - URL - - http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-trusted-method-chaining-cve-2010.html - path: extensions/metasploit/ - class: Msf_module -msf_firefox_escape_retval: - enable: true - msf: true - msf_key: multi/browser/firefox_escape_retval - name: Firefox 3.5 escape() Return Value Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a memory corruption vulnerability in the Mozilla\n\ - \t\t\t\tFirefox browser. This flaw occurs when a bug in the javascript interpreter\n\ - \t\t\t\tfails to preserve the return value of the escape() function and results in\n\ - \t\t\t\tuninitialized memory being used instead. This module has only been tested\n\ - \t\t\t\ton Windows, but should work on other platforms as well with the current\n\ - \t\t\t\ttargets.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2477 - - - OSVDB - - "55846" - - - BID - - "35660" - - - URL - - https://bugzilla.mozilla.org/show_bug.cgi?id=503286 - path: extensions/metasploit/ - class: Msf_module -msf_opera_configoverwrite: - enable: true - msf: true - msf_key: multi/browser/opera_configoverwrite - name: Opera 9 Configuration Overwrite - category: Metasploit - description: "\n\ - \t\t\t\tOpera web browser in versions <= 9.10 allows unrestricted script\n\ - \t\t\t\taccess to its configuration page, opera:config, allowing an\n\ - \t\t\t\tattacker to change settings and potentially execute arbitrary\n\ - \t\t\t\tcode.\n\ - \t\t\t" - authors: - - - OSVDB - - "66472" - path: extensions/metasploit/ - class: Msf_module -msf_java_setdifficm_bof: - enable: true - msf: true - msf_key: multi/browser/java_setdifficm_bof - name: Sun Java JRE AWT setDiffICM Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a flaw in the setDiffICM function in the Sun JVM.\n\n\ - \t\t\t\tThe payload is serialized and passed to the applet via PARAM tags. It must be\n\ - \t\t\t\ta native payload.\n\n\ - \t\t\t\tThe effected Java versions are JDK and JRE 6 Update 16 and earlier,\n\ - \t\t\t\tJDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and\n\ - \t\t\t\tearlier, and SDK and JRE 1.3.1_26 and earlier.\n\n\ - \t\t\t\tNOTE: Although all of the above versions are reportedly vulnerable, only\n\ - \t\t\t\t1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3869 - - - OSVDB - - "59710" - - - BID - - "36881" - - - URL - - http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1 - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-09-078/ - path: extensions/metasploit/ - class: Msf_module -msf_java_calendar_deserialize: - enable: true - msf: true - msf_key: multi/browser/java_calendar_deserialize - name: Sun Java Calendar Deserialization Exploit - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a flaw in the deserialization of Calendar objects in the Sun JVM.\n\n\ - \t\t\t\tThe payload can be either a native payload which is generated as an executable and\n\ - \t\t\t\tdropped/executed on the target or a shell from within the Java applet in the target browser.\n\n\ - \t\t\t\tThe affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16\n\ - \t\t\t\tand earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected).\n\ - \t\t\t" - authors: - - - CVE - - 2008-5353 - - - OSVDB - - "50500" - - - URL - - http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html - - - URL - - http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html - - - URL - - http://blog.cr0.org/2009/05/write-once-own-everyone.html - - - URL - - http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1 - path: extensions/metasploit/ - class: Msf_module -msf_mozilla_navigatorjava: - enable: true - msf: true - msf_key: multi/browser/mozilla_navigatorjava - name: Mozilla Suite/Firefox Navigator Object Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\ - \t\t\t\tSuite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit\n\ - \t\t\t\trequires the Java plugin to be installed.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3677 - - - OSVDB - - "27559" - - - BID - - "19192" - - - URL - - http://www.mozilla.org/security/announce/mfsa2006-45.html - - - URL - - http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html - path: extensions/metasploit/ - class: Msf_module -msf_mozilla_compareto: - enable: true - msf: true - msf_key: multi/browser/mozilla_compareto - name: Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\ - \t\t\t\tSuite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit\n\ - \t\t\t\tmodule is a direct port of Aviv Raff's HTML PoC.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2265 - - - OSVDB - - "17968" - - - BID - - "14242" - - - URL - - http://www.mozilla.org/security/announce/mfsa2005-50.html - path: extensions/metasploit/ - class: Msf_module -msf_java_rmi_connection_impl: - enable: true - msf: true - msf_key: multi/browser/java_rmi_connection_impl - name: Java RMIConnectionImpl Deserialization Privilege Escalation Exploit - category: Metasploit - description: "\n\ - \t\t\tThis module exploits a vulnerability in the Java Runtime Environment\n\ - \t\t\tthat allows to deserialize a MarshalledObject containing a custom\n\ - \t\t\tclassloader under a privileged context. The vulnerability affects\n\ - \t\t\tversion 6 prior to update 19 and version 5 prior to update 23.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0094 - - - OSVDB - - "63484" - - - URL - - http://slightlyrandombrokenthoughts.blogspot.com/2010/04/java-rmiconnectionimpl-deserialization.html - path: extensions/metasploit/ - class: Msf_module -msf_java_getsoundbank_bof: - enable: true - msf: true - msf_key: multi/browser/java_getsoundbank_bof - name: Sun Java JRE getSoundbank file:// URI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a flaw in the getSoundbank function in the Sun JVM.\n\n\ - \t\t\t\tThe payload is serialized and passed to the applet via PARAM tags. It must be\n\ - \t\t\t\ta native payload.\n\n\ - \t\t\t\tThe effected Java versions are JDK and JRE 6 Update 16 and earlier,\n\ - \t\t\t\tJDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and\n\ - \t\t\t\tearlier, and SDK and JRE 1.3.1_26 and earlier.\n\n\ - \t\t\t\tNOTE: Although all of the above versions are reportedly vulnerable, only\n\ - \t\t\t\t1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3867 - - - OSVDB - - "59711" - - - BID - - "36881" - - - URL - - http://zerodayinitiative.com/advisories/ZDI-09-076/ - path: extensions/metasploit/ - class: Msf_module -msf_firefox_queryinterface: - enable: true - msf: true - msf_key: multi/browser/firefox_queryinterface - name: Firefox location.QueryInterface() Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution vulnerability in the Mozilla\n\ - \t\t\t\tFirefox browser. To reliably exploit this vulnerability, we need to fill\n\ - \t\t\t\talmost a gigabyte of memory with our nop sled and payload. This module has\n\ - \t\t\t\tbeen tested on OS X 10.3 with the stock Firefox 1.5.0 package.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0295 - - - OSVDB - - "22893" - - - BID - - "16476" - - - URL - - http://www.mozilla.org/security/announce/mfsa2006-04.html - path: extensions/metasploit/ - class: Msf_module -msf_itms_overflow: - enable: true - msf: true - msf_key: multi/browser/itms_overflow - name: Apple OS X iTunes 8.1.1 ITMS Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis modules exploits a stack-based buffer overflow in iTunes\n\ - \t\t\t\titms:// URL parsing. It is accessible from the browser and\n\ - \t\t\t\tin Safari, itms urls will be opened in iTunes automatically.\n\ - \t\t\t\tBecause iTunes is multithreaded, only vfork-based payloads should\n\ - \t\t\t\tbe used.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0950 - - - OSVDB - - "54833" - - - URL - - http://support.apple.com/kb/HT3592 - - - URL - - http://redpig.dataspill.org/2009/05/drive-by-attack-for-itunes-811.html - path: extensions/metasploit/ - class: Msf_module -msf_wuftpd_site_exec_format: - enable: true - msf: true - msf_key: multi/ftp/wuftpd_site_exec_format - name: wu-ftpd SITE EXEC/INDEX Format String Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a format string vulnerability in versions of the\n\ - \t\t\t\tWashington University FTP server older than 2.6.1. By executing\n\ - \t\t\t\tspecially crafted SITE EXEC or SITE INDEX commands containing format\n\ - \t\t\t\tspecifiers, an attacker can corrupt memory and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2000-0573 - - - OSVDB - - "11805" - - - BID - - "1387" - path: extensions/metasploit/ - class: Msf_module -msf_svnserve_date: - enable: true - msf: true - msf_key: multi/svn/svnserve_date - name: Subversion Date Svnserve - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for the Subversion date parsing overflow. This\n\ - \t\t\t\texploit is for the svnserve daemon (svn:// protocol) and will not work\n\ - \t\t\t\tfor Subversion over webdav (http[s]://). This exploit should never\n\ - \t\t\t\tcrash the daemon, and should be safe to do multi-hits.\n\n\ - \t\t\t\t**WARNING** This exploit seems to (not very often, I've only seen\n\ - \t\t\t\tit during testing) corrupt the subversion database, so be careful!\n\ - \t\t\t" - authors: - - - CVE - - 2004-0397 - - - OSVDB - - "6301" - - - BID - - "10386" - - - URL - - http://lists.netsys.com/pipermail/full-disclosure/2004-May/021737.html - - - MIL - - "68" - path: extensions/metasploit/ - class: Msf_module -msf_spree_searchlogic_exec: - enable: true - msf: true - msf_key: multi/http/spree_searchlogic_exec - name: Spreecommerce < 0.50.0 Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\n\ - \t\t\t\t\tSpreecommerce API searchlogic. Unvalidated input is called via the \n\ - \t\t\t\t\tRuby send method allowing command execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "71900" - - - URL - - http://www.spreecommerce.com/blog/2011/04/19/security-fixes/ - path: extensions/metasploit/ - class: Msf_module -msf_jboss_maindeployer: - enable: true - msf: true - msf_key: multi/http/jboss_maindeployer - name: JBoss JMX Console Deployer Upload and Execute - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module can be used to execute a payload on JBoss servers that have\n\ - \t\t\t\tan exposed \"jmx-console\" application. The payload is put on the server by\n\ - \t\t\t\tusing the jboss.system:MainDeployer functionality. To accomplish this, a\n\ - \t\t\t\ttemporary HTTP server is created to serve a WAR archive containing our\n\ - \t\t\t\tpayload. This method will only work if the target server allows outbound\n\ - \t\t\t\tconnections to us.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1036 - - - CVE - - 2010-0738 - - - OSVDB - - "33744" - - - URL - - http://www.redteam-pentesting.de/publications/jboss - - - URL - - https://bugzilla.redhat.com/show_bug.cgi?id=574105 - path: extensions/metasploit/ - class: Msf_module -msf_jboss_bshdeployer: - enable: true - msf: true - msf_key: multi/http/jboss_bshdeployer - name: JBoss JMX Console Beanshell Deployer WAR upload and deployment - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module can be used to install a WAR file payload on JBoss servers that have\n\ - \t\t\t\tan exposed \"jmx-console\" application. The payload is put on the server by\n\ - \t\t\t\tusing the jboss.system:BSHDeployer\\'s createScriptDeployment() method.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0738 - - - URL - - http://www.redteam-pentesting.de/publications/jboss - - - URL - - https://bugzilla.redhat.com/show_bug.cgi?id=574105 - path: extensions/metasploit/ - class: Msf_module -msf_sun_jsws_dav_options: - enable: true - msf: true - msf_key: multi/http/sun_jsws_dav_options - name: Sun Java System Web Server WebDAV OPTIONS Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Sun Java Web Server prior to\n\ - \t\t\t\tversion 7 Update 8. By sending an \"OPTIONS\" request with an overly long\n\ - \t\t\t\tpath, attackers can execute arbitrary code. In order to reach the vulnerable\n\ - \t\t\t\tcode, the attacker must also specify the path to a directory with WebDAV\n\ - \t\t\t\tenabled.\n\n\ - \t\t\t\tThis exploit was tested and confirmed to work on Windows XP SP3 without DEP.\n\ - \t\t\t\tVersions for other platforms are vulnerable as well.\n\n\ - \t\t\t\tThe vulnerability was originally discovered and disclosed by Evgeny Legerov of\n\ - \t\t\t\tIntevydis.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0361 - - - OSVDB - - "61851" - - - URL - - http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html - - - URL - - http://sunsolve.sun.com/search/document.do?assetkey=1-66-275850-1 - path: extensions/metasploit/ - class: Msf_module -msf_jboss_deploymentfilerepository: - enable: true - msf: true - msf_key: multi/http/jboss_deploymentfilerepository - name: JBoss Java Class DeploymentFileRepository WAR deployment - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module uses the DeploymentFileRepository class in\n\ - \t\t\t\tJBoss Application Server (jbossas) to deploy a JSP file\n\ - \t\t\t\tin a minimal WAR context.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0738 - - - URL - - http://www.redteam-pentesting.de/publications/jboss - - - URL - - https://bugzilla.redhat.com/show_bug.cgi?id=574105 - path: extensions/metasploit/ - class: Msf_module -msf_freenas_exec_raw: - enable: true - msf: true - msf_key: multi/http/freenas_exec_raw - name: FreeNAS exec_raw.php Arbitrary Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an arbitrary command execution flaw\n\ - \t\t\t\tin FreeNAS 0.7.2 < rev.5543. When passing a specially formatted URL\n\ - \t\t\t\tto the exec_raw.php page, an attacker may be able to execute arbitrary\n\ - \t\t\t\tcommands.\n\n\ - \t\t\t\tNOTE: This module works best with php/meterpreter payloads.\n\ - \t\t\t" - authors: - - - URL - - http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download - path: extensions/metasploit/ - class: Msf_module -msf_axis2_deployer: - enable: true - msf: true - msf_key: multi/http/axis2_deployer - name: Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module logs in to an Axis2 Web Admin Module instance using a specific user/pass\n\ - \t\t\t\tand uploads and executes commands via deploying a malicious web service by using SOAP.\n\ - \t\t\t" - authors: - - - URL - - http://www.rapid7.com/security-center/advisories/R7-0037.jsp - - - URL - - http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf - - - CVE - - 2010-0219 - path: extensions/metasploit/ - class: Msf_module -msf_axis2_deployer_rest: - enable: true - msf: true - msf_key: multi/http/axis2_deployer_rest - name: Axis2 Authenticated Code Execution (via REST) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module logs in to an Axis2 Web Admin Module instance using a specific user/pass\n\ - \t\t\t\tand uploads and executes commands via deploying a malicious web service by using REST.\n\ - \t\t\t" - authors: - - - URL - - http://www.rapid7.com/security-center/advisories/R7-0037.jsp - - - URL - - http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf - - - CVE - - 2010-0219 - path: extensions/metasploit/ - class: Msf_module -msf_tomcat_mgr_deploy: - enable: true - msf: true - msf_key: multi/http/tomcat_mgr_deploy - name: Apache Tomcat Manager Application Deployer Authenticated Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module can be used to execute a payload on Apache Tomcat servers that\n\ - \t\t\t\thave an exposed \"manager\" application. The payload is uploaded as a WAR archive\n\ - \t\t\t\tcontaining a jsp application using a PUT request.\n\n\ - \t\t\t\tThe manager application can also be abused using /manager/html/upload, but that\n\ - \t\t\t\tmethod is not implemented in this module.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3843 - - - OSVDB - - "60317" - - - CVE - - 2009-4189 - - - OSVDB - - "60670" - - - CVE - - 2009-4188 - - - BID - - "38084" - - - CVE - - 2010-0557 - - - URL - - http://www-01.ibm.com/support/docview.wss?uid=swg21419179 - - - CVE - - 2010-4094 - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-214/ - - - CVE - - 2009-3548 - - - OSVDB - - "60176" - - - BID - - "36954" - - - URL - - http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html - path: extensions/metasploit/ - class: Msf_module -msf_describe: - enable: true - msf: true - msf_key: multi/realserver/describe - name: RealServer Describe Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a buffer overflow in RealServer 7/8/9\n\ - \t\t\t\tand was based on Johnny Cyberpunk's THCrealbad exploit. This\n\ - \t\t\t\tcode should reliably exploit Linux, BSD, and Windows-based\n\ - \t\t\t\tservers.\n\ - \t\t\t" - authors: - - - CVE - - 2002-1643 - - - OSVDB - - "4468" - - - URL - - http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html - path: extensions/metasploit/ - class: Msf_module -msf_ntp_overflow: - enable: true - msf: true - msf_key: multi/ntp/ntp_overflow - name: NTP daemon readvar Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack based buffer overflow in the\n\ - \t\t\t\tntpd and xntpd service. By sending an overly long 'readvar'\n\ - \t\t\t\trequest it is possible to execute code remotely. As the stack\n\ - \t\t\t\tis corrupted, this module uses the Egghunter technique.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0414 - - - OSVDB - - "805" - - - BID - - "2540" - - - US-CERT-VU - - "970472" - path: extensions/metasploit/ - class: Msf_module -msf_peazip_command_injection: - enable: true - msf: true - msf_key: multi/fileformat/peazip_command_injection - name: PeaZip <= 2.6.1 Zip Processing Command Injection - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a command injection vulnerability in PeaZip. All\n\ - \t\t\t\tversions prior to 2.6.2 are suspected vulnerable. Testing was conducted with\n\ - \t\t\t\tversion 2.6.1 on Windows.\n\n\ - \t\t\t\tIn order for the command to be executed, an attacker must convince someone to\n\ - \t\t\t\topen a specially crafted zip file with PeaZip, and access the specially file via\n\ - \t\t\t\tdouble-clicking it. By doing so, an attacker can execute arbitrary commands\n\ - \t\t\t\tas the victim user.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2261 - - - OSVDB - - "54966" - - - URL - - http://peazip.sourceforge.net/ - - - URL - - http://www.exploit-db.com/exploits/8881 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_u3d_meshcont: - enable: true - msf: true - msf_key: multi/fileformat/adobe_u3d_meshcont - name: Adobe U3D CLODProgressiveMeshDeclaration Array Overrun - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n\ - \t\t\t\tAffected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a\n\ - \t\t\t\tspecially crafted pdf that a contains malformed U3D data, an attacker may\n\ - \t\t\t\tbe able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2990 - - - OSVDB - - "58920" - - - BID - - "36665" - - - URL - - http://sites.google.com/site/felipeandresmanzano/ - - - URL - - http://www.adobe.com/support/security/bulletins/apsb09-15.html - path: extensions/metasploit/ - class: Msf_module -msf_maple_maplet: - enable: true - msf: true - msf_key: multi/fileformat/maple_maplet - name: Maple Maplet File Creation and Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module harnesses Maple's ability to create files and execute commands\n\ - \t\t\t\tautomatically when opening a Maplet. All versions up to 13 are suspected\n\ - \t\t\t\tvulnerable. Testing was conducted with version 13 on Windows. Standard security\n\ - \t\t\t\tsettings prevent code from running in a normal maple worksheet without user\n\ - \t\t\t\tinteraction, but those setting do not prevent code in a Maplet from running.\n\n\ - \t\t\t\tIn order for the payload to be executed, an attacker must convince someone to\n\ - \t\t\t\topen a specially modified .maplet file with Maple. By doing so, an attacker can\n\ - \t\t\t\texecute arbitrary code as the victim user.\n\ - \t\t\t" - authors: - - - OSVDB - - "64541" - - - URL - - http://www.maplesoft.com/products/maple/ - path: extensions/metasploit/ - class: Msf_module -msf_handler: - enable: true - msf: true - msf_key: multi/handler - name: Generic Payload Handler - category: Metasploit - description: "\n\ - \t\t\t\tThis module is a stub that provides all of the\n\ - \t\t\t\tfeatures of the Metasploit payload system to exploits\n\ - \t\t\t\tthat have been launched outside of the framework.\n\ - \t\t\t" - authors: [] - - path: extensions/metasploit/ - class: Msf_module -msf_nttrans: - enable: true - msf: true - msf_key: multi/samba/nttrans - name: Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module attempts to exploit a buffer overflow vulnerability present in\n\ - \t\t\t\tversions 2.2.2 through 2.2.6 of Samba.\n\n\ - \t\t\t\tThe Samba developers report this as:\n\ - \t\t\t\t\"Bug in the length checking for encrypted password change requests from clients.\"\n\n\ - \t\t\t\tThe bug was discovered and reported by the Debian Samba Maintainers.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0085 - - - OSVDB - - "6323" - - - BID - - "7106" - - - URL - - http://www.samba.org/samba/history/samba-2.2.7a.html - path: extensions/metasploit/ - class: Msf_module -msf_usermap_script: - enable: true - msf: true - msf_key: multi/samba/usermap_script - name: Samba "username map script" Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a command execution vulerability in Samba\n\ - \t\t\t\tversions 3.0.20 through 3.0.25rc3 when using the non-default\n\ - \t\t\t\t\"username map script\" configuration option. By specifying a username\n\ - \t\t\t\tcontaining shell meta characters, attackers can execute arbitrary\n\ - \t\t\t\tcommands.\n\n\ - \t\t\t\tNo authentication is needed to exploit this vulnerability since\n\ - \t\t\t\tthis option is used to map usernames prior to authentication!\n\ - \t\t\t" - authors: - - - CVE - - 2007-2447 - - - OSVDB - - "34700" - - - BID - - "23972" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534 - - - URL - - http://samba.org/samba/security/CVE-2007-2447.html - path: extensions/metasploit/ - class: Msf_module -msf_xtacacsd_report: - enable: true - msf: true - msf_key: freebsd/tacacs/xtacacsd_report - name: XTACACSD <= 4.1.2 report() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By\n\ - \t\t\t\tsending a specially crafted XTACACS packet with an overly long\n\ - \t\t\t\tusername, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-7232 - - - OSVDB - - "58140" - - - URL - - http://aluigi.altervista.org/adv/xtacacsdz-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_cleanup_exec: - enable: true - msf: true - msf_key: hpux/lpd/cleanup_exec - name: HP-UX LPD Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploit abuses an unpublished vulnerability in the\n\ - \t\t\t\tHP-UX LPD service. This flaw allows an unauthenticated\n\ - \t\t\t\tattacker to execute arbitrary commands with the privileges\n\ - \t\t\t\tof the root user. The LPD service is only exploitable when\n\ - \t\t\t\tthe address of the attacking system can be resolved by the\n\ - \t\t\t\ttarget. This vulnerability was silently patched with the\n\ - \t\t\t\tbuffer overflow flaws addressed in HP Security Bulletin\n\ - \t\t\t\tHPSBUX0208-213.\n\ - \t\t\t" - authors: - - - CVE - - 2002-1473 - - - OSVDB - - "9638" - - - URL - - http://archives.neohapsis.com/archives/hp/2002-q3/0064.html - path: extensions/metasploit/ - class: Msf_module -msf_ypops_overflow1: - enable: true - msf: true - msf_key: windows/smtp/ypops_overflow1 - name: YPOPS 0.6 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the YPOPS POP3\n\ - \t\t\t\tservice.\n\n\ - \t\t\t\tThis is a classic stack buffer overflow for YPOPS version 0.6.\n\ - \t\t\t\tPossibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to\n\ - \t\t\t\tjmp ebx opcode in ws_32.dll\n\ - \t\t\t" - authors: - - - CVE - - 2004-1558 - - - OSVDB - - "10367" - - - BID - - "11256" - - - URL - - http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html - path: extensions/metasploit/ - class: Msf_module -msf_wmailserver: - enable: true - msf: true - msf_key: windows/smtp/wmailserver - name: SoftiaCom WMailserver 1.0 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in SoftiaCom WMailserver 1.0\n\ - \t\t\t\t(SMTP) via a SEH frame overwrite.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2287 - - - OSVDB - - "17883" - - - BID - - "14213" - path: extensions/metasploit/ - class: Msf_module -msf_ms03_046_exchange2000_xexch50: - enable: true - msf: true - msf_key: windows/smtp/ms03_046_exchange2000_xexch50 - name: MS03-046 Exchange 2000 XEXCH50 Heap Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for the Exchange 2000 heap overflow. Due\n\ - \t\t\t\tto the nature of the vulnerability, this exploit is not very\n\ - \t\t\t\treliable. This module has been tested against Exchange 2000\n\ - \t\t\t\tSP0 and SP3 running a Windows 2000 system patched to SP4. It\n\ - \t\t\t\tnormally takes between one and 100 connection attempts to\n\ - \t\t\t\tsuccessfully obtain a shell. This exploit is *very* unreliable.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0714 - - - BID - - "8838" - - - OSVDB - - "2674" - - - MSB - - MS03-046 - - - URL - - http://www.milw0rm.com/exploits/113 - path: extensions/metasploit/ - class: Msf_module -msf_mercury_cram_md5: - enable: true - msf: true - msf_key: windows/smtp/mercury_cram_md5 - name: Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.\n\ - \t\t\t\tBy sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker\n\ - \t\t\t\tmay be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4440 - - - OSVDB - - "39669" - - - BID - - "25357" - path: extensions/metasploit/ - class: Msf_module -msf_mailcarrier_smtp_ehlo: - enable: true - msf: true - msf_key: windows/smtp/mailcarrier_smtp_ehlo - name: TABS MailCarrier v2.51 SMTP EHLO Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the MailCarrier v2.51 suite SMTP service.\n\ - \t\t\t\tThe stack is overwritten when sending an overly long EHLO command.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1638 - - - OSVDB - - "11174" - - - BID - - "11535" - - - URL - - http://milw0rm.com/exploits/598 - path: extensions/metasploit/ - class: Msf_module -msf_fb_isc_attach_database: - enable: true - msf: true - msf_key: windows/misc/fb_isc_attach_database - name: Firebird Relational Database isc_attach_database() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted create request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38607" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_splayer_content_type: - enable: true - msf: true - msf_key: windows/misc/splayer_content_type - name: SPlayer 3.7 Content-Type Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in SPlayer v3.7 or piror. When SPlayer\n\ - \t\t\t\trequests the URL of a media file (video or audio), it is possible to gain arbitrary\n\ - \t\t\t\tremote code execution due to a buffer overflow caused by an exceeding length of data\n\ - \t\t\t\tas the 'Content-Type' parameter.\n\ - \t\t\t" - authors: - - - OSVDB - - "72181" - - - URL - - http://www.exploit-db.com/exploits/17243/ - path: extensions/metasploit/ - class: Msf_module -msf_bomberclone_overflow: - enable: true - msf: true - msf_key: windows/misc/bomberclone_overflow - name: Bomberclone 0.11.6 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.\n\ - \t\t\t\tThe return address is overwritten with lstrcpyA memory address,\n\ - \t\t\t\tthe second and third value are the destination buffer,\n\ - \t\t\t\tthe fourth value is the source address of our buffer in the stack.\n\ - \t\t\t\tThis exploit is like a return in libc.\n\n\ - \t\t\t\tATTENTION\n\ - \t\t\t\tThe shellcode is exec ONLY when someone try to close bomberclone.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0460 - - - OSVDB - - "23263" - - - BID - - "16697" - - - URL - - http://www.frsirt.com/english/advisories/2006/0643 - path: extensions/metasploit/ - class: Msf_module -msf_mirc_privmsg_server: - enable: true - msf: true - msf_key: windows/misc/mirc_privmsg_server - name: mIRC <= 6.34 PRIVMSG Handling Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the mIRC IRC Client v6.34 and earlier.\n\ - \t\t\t\tBy enticing a mIRC user to connect to this server module, an excessively long PRIVMSG\n\ - \t\t\t\tcommand can be sent, overwriting the stack. Due to size restrictions, ordinal payloads\n\ - \t\t\t\tmay be necessary. This module is based on the code by SkD.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4449 - - - OSVDB - - "48752" - - - BID - - "31552" - - - URL - - http://www.milw0rm.com/exploits/6666 - path: extensions/metasploit/ - class: Msf_module -msf_ibm_tsm_rca_dicugetidentify: - enable: true - msf: true - msf_key: windows/misc/ibm_tsm_rca_dicugetidentify - name: IBM Tivoli Storage Manager Express RCA Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express Remote\n\ - \t\t\t\tClient Agent service. By sending a \"dicuGetIdentify\" request packet containing a long\n\ - \t\t\t\tNodeName parameter, an attacker can execute arbitrary code.\n\n\ - \t\t\t\tNOTE: this exploit first connects to the CAD service to start the RCA service and obtain\n\ - \t\t\t\tthe port number on which it runs. This service does not restart.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4828 - - - OSVDB - - "54232" - - - BID - - "34803" - path: extensions/metasploit/ - class: Msf_module -msf_nettransport: - enable: true - msf: true - msf_key: windows/misc/nettransport - name: NetTransport Download Manager 2.90.510 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a stack buffer overflow in NetTransport Download Manager,\n\ - \t\t\t\tpart of the NetXfer suite. This module was tested\n\ - \t\t\t\tsuccessfully against version 2.90.510.\n\ - \t\t\t" - authors: - - - OSVDB - - "61435" - - - URL - - http://www.exploit-db.com/exploits/10911 - path: extensions/metasploit/ - class: Msf_module -msf_poppeeper_date: - enable: true - msf: true - msf_key: windows/misc/poppeeper_date - name: POP Peeper v3.4 DATE Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in POP Peeper v3.4.\n\ - \t\t\t\tWhen a specially crafted DATE string is sent to a client,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code. This\n\ - \t\t\t\tmodule is based off of krakowlabs code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1029 - - - OSVDB - - "53560" - - - BID - - "34093" - - - URL - - http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_date-bof.txt - path: extensions/metasploit/ - class: Msf_module -msf_bigant_server_250: - enable: true - msf: true - msf_key: windows/misc/bigant_server_250 - name: BigAnt Server 2.50 SP1 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis exploits a stack buffer overflow in the BigAnt Messaging Service,\n\ - \t\t\t\tpart of the BigAnt Server product suite. This module was tested\n\ - \t\t\t\tsuccessfully against version 2.50 SP1.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1914 - - - OSVDB - - "44454" - - - URL - - http://www.exploit-db.com/exploits/9673 - - - URL - - http://www.exploit-db.com/exploits/9690 - path: extensions/metasploit/ - class: Msf_module -msf_ib_isc_attach_database: - enable: true - msf: true - msf_key: windows/misc/ib_isc_attach_database - name: Borland InterBase isc_attach_database() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted attach request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38607" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_hp_ovtrace: - enable: true - msf: true - msf_key: windows/misc/hp_ovtrace - name: HP OpenView Operations OVTrace Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Operations version A.07.50.\n\ - \t\t\t\tBy sending a specially crafted packet, a remote attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3872 - - - OSVDB - - "39527" - - - BID - - "25255" - path: extensions/metasploit/ - class: Msf_module -msf_ib_svc_attach: - enable: true - msf: true - msf_key: windows/misc/ib_svc_attach - name: Borland InterBase SVC_attach() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted service attach request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38605" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_mercury_phonebook: - enable: true - msf: true - msf_key: windows/misc/mercury_phonebook - name: Mercury/32 <= v4.01b PH Server Module Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in\n\ - \t\t\t\tMercury/32 <= v4.01b PH Server Module. This issue is\n\ - \t\t\t\tdue to a failure of the application to properly bounds check\n\ - \t\t\t\tuser-supplied data prior to copying it to a fixed size memory buffer.\n\ - \t\t\t" - authors: - - - CVE - - 2005-4411 - - - OSVDB - - "22103" - - - BID - - "16396" - path: extensions/metasploit/ - class: Msf_module -msf_bigant_server_usv: - enable: true - msf: true - msf_key: windows/misc/bigant_server_usv - name: BigAnt Server 2.52 USV Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis exploits a stack buffer overflow in the BigAnt Messaging Service,\n\ - \t\t\t\tpart of the BigAnt Server product suite. This module was tested\n\ - \t\t\t\tsuccessfully against version 2.52.\n\n\ - \t\t\t\tNOTE: The AntServer service does not restart, you only get one shot.\n\ - \t\t\t" - authors: - - - OSVDB - - "61386" - - - URL - - http://www.exploit-db.com/exploits/10765 - - - URL - - http://www.exploit-db.com/exploits/10973 - path: extensions/metasploit/ - class: Msf_module -msf_asus_dpcproxy_overflow: - enable: true - msf: true - msf_key: windows/misc/asus_dpcproxy_overflow - name: Asus Dpcproxy Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.\n\ - \t\t\t\t\tIt should be vulnerable until version 2.0.0.24.\n\ - \t\t\t\t\tCredit to Luigi Auriemma\n\ - \t\t\t" - authors: - - - CVE - - 2008-1491 - - - OSVDB - - "43638" - - - BID - - "28394" - path: extensions/metasploit/ - class: Msf_module -msf_ib_isc_create_database: - enable: true - msf: true - msf_key: windows/misc/ib_isc_create_database - name: Borland InterBase isc_create_database() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted create request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38606" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_apple_quicktime_rtsp_response: - enable: true - msf: true - msf_key: windows/misc/apple_quicktime_rtsp_response - name: Apple QuickTime 7.3 RTSP Response Header Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Apple QuickTime 7.3. By sending an overly long\n\ - \t\t\t\tRTSP response to a client, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-6166 - - - OSVDB - - "40876" - - - BID - - "26549" - - - URL - - http://milw0rm.com/exploits/4648 - path: extensions/metasploit/ - class: Msf_module -msf_ms07_064_sami: - enable: true - msf: true - msf_key: windows/misc/ms07_064_sami - name: Microsoft DirectX DirectShow SAMI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the DirectShow Synchronized\n\ - \t\t\t\tAccessible Media Interchanged (SAMI) parser in quartz.dll. This module\n\ - \t\t\t\thas only been tested with Windows Media Player (6.4.09.1129) and\n\ - \t\t\t\tDirectX 8.0.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3901 - - - OSVDB - - "39126" - - - MSB - - MS07-064 - - - BID - - "26789" - path: extensions/metasploit/ - class: Msf_module -msf_sap_2005_license: - enable: true - msf: true - msf_key: windows/misc/sap_2005_license - name: SAP Business One License Manager 2005 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the SAP Business One 2005\n\ - \t\t\t\t\tLicense Manager 'NT Naming Service' A and B releases. By sending an\n\ - \t\t\t\t\texcessively long string the stack is overwritten enabling arbitrary\n\ - \t\t\t\t\tcode execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "56837" - - - CVE - - 2009-4988 - - - BID - - "35933" - - - URL - - http://www.milw0rm.com/exploits/9319 - path: extensions/metasploit/ - class: Msf_module -msf_wireshark_packet_dect: - enable: true - msf: true - msf_key: windows/fileformat/wireshark_packet_dect - name: Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (local) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Wireshark <= 1.4.4\n\ - \t\t\t\tWhen opening a malicious .pcap file in Wireshark, a stack buffer occurs,\n\ - \t\t\t\tresulting in arbitrary code execution.\n\n\ - \t\t\t\tNote: To exploit the vulnerability remotely with Scapy: sendp(rdpcap(\"file\"))\n\ - \t\t\t" - authors: - - - CVE - - 2011-1591 - - - OSVDB - - "71848" - - - URL - - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838 - - - URL - - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836 - - - URL - - http://www.exploit-db.com/exploits/17185 - path: extensions/metasploit/ - class: Msf_module -msf_hp_omniinet_3: - enable: true - msf: true - msf_key: windows/misc/hp_omniinet_3 - name: HP OmniInet.exe Opcode 27 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the Hewlett-Packard\n\ - \t\t\t\tOmniInet NT Service. By sending a specially crafted opcode 27 packet,\n\ - \t\t\t\ta remote attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2011-1865 - - - OSVDB - - "73571" - - - URL - - http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities - path: extensions/metasploit/ - class: Msf_module -msf_agentxpp_receive_agentx: - enable: true - msf: true - msf_key: windows/misc/agentxpp_receive_agentx - name: AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a stack buffer overflow in the AgentX++ library, as used by\n\ - \t\t\t\tvarious applications. By sending a specially crafted request, an attacker can\n\ - \t\t\t\texecute arbitrary code, potentially with SYSTEM privileges.\n\n\ - \t\t\t\tThis module was tested successfully against master.exe as included with Real\n\ - \t\t\t\tNetwork\\'s Helix Server v12. When installed as a service with Helix Server,\n\ - \t\t\t\tthe service runs as SYSTEM, has no recovery action, but will start automatically\n\ - \t\t\t\ton boot.\n\n\ - \t\t\t\tThis module does not work with NX/XD enabled but could be modified easily to\n\ - \t\t\t\tdo so. The address\n\ - \t\t\t" - authors: - - - CVE - - 2010-1318 - - - OSVDB - - "63919" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867 - path: extensions/metasploit/ - class: Msf_module -msf_citrix_streamprocess: - enable: true - msf: true - msf_key: windows/misc/citrix_streamprocess - name: Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.\n\ - \t\t\t\tBy sending a specially crafted packet to the Provisioning Services server, a fixed\n\ - \t\t\t\tlength buffer on the stack can be overflowed and arbitrary code can be executed.\n\ - \t\t\t" - authors: - - - OSVDB - - "70597" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-11-023/ - - - URL - - http://secunia.com/advisories/42954/ - - - URL - - http://support.citrix.com/article/CTX127149 - path: extensions/metasploit/ - class: Msf_module -msf_landesk_aolnsrvr: - enable: true - msf: true - msf_key: windows/misc/landesk_aolnsrvr - name: LANDesk Management Suite 8.7 Alert Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending\n\ - \t\t\t\tan overly long string to the Alert Service, a buffer is overwritten and arbitrary\n\ - \t\t\t\tcode can be executed.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1674 - - - OSVDB - - "34964" - - - URL - - http://www.tippingpoint.com/security/advisories/TSRT-07-04.html - path: extensions/metasploit/ - class: Msf_module -msf_shixxnote_font: - enable: true - msf: true - msf_key: windows/misc/shixxnote_font - name: ShixxNOTE 6.net Font Field Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in ShixxNOTE 6.net.\n\ - \t\t\t\tThe vulnerability is caused due to boundary errors in the\n\ - \t\t\t\thandling of font fields.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1595 - - - OSVDB - - "10721" - - - BID - - "11409" - path: extensions/metasploit/ - class: Msf_module -msf_hp_omniinet_1: - enable: true - msf: true - msf_key: windows/misc/hp_omniinet_1 - name: HP OmniInet.exe MSG_PROTOCOL Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Hewlett-Packard\n\ - \t\t\t\tOmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n\ - \t\t\t\tpacket, a remote attacker may be able to execute arbitrary code with elevated\n\ - \t\t\t\tprivileges.\n\n\ - \t\t\t\tThis service is installed with HP OpenView Data Protector, HP Application\n\ - \t\t\t\tRecovery Manager and potentially other products. This exploit has been tested\n\ - \t\t\t\tagainst versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n\ - \t\t\t\tof Application Recovery Manager.\n\n\ - \t\t\t\tNOTE: There are actually two consecutive wcscpy() calls in the program (which\n\ - \t\t\t\tmay be why ZDI considered them two separate issues). However, this module only\n\ - \t\t\t\texploits the first one.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2280 - - - BID - - "37396" - - - OSVDB - - "61206" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-09-099 - path: extensions/metasploit/ - class: Msf_module -msf_realtek_playlist: - enable: true - msf: true - msf_key: windows/misc/realtek_playlist - name: Realtek Media Player Playlist Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Realtek Media Player(RtlRack) A4.06.\n\ - \t\t\t\tWhen a Realtek Media Player client opens a specially crafted playlist, an\n\ - \t\t\t\tattacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-5664 - - - OSVDB - - "50715" - - - BID - - "32860" - path: extensions/metasploit/ - class: Msf_module -msf_talkative_response: - enable: true - msf: true - msf_key: windows/misc/talkative_response - name: Talkative IRC v0.4.4.16 Response Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Talkative IRC v0.4.4.16.\n\ - \t\t\t\tWhen a specially crafted response string is sent to a client,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "64582" - - - BID - - "34141" - - - URL - - http://milw0rm.com/exploits/8227 - path: extensions/metasploit/ - class: Msf_module -msf_borland_starteam: - enable: true - msf: true - msf_key: windows/misc/borland_starteam - name: Borland CaliberRM StarTeam Multicast Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending\n\ - \t\t\t\ta specially crafted GET request to the STMulticastService, an attacker may be\n\ - \t\t\t\table to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0311 - - - OSVDB - - "44039" - - - BID - - "28602" - path: extensions/metasploit/ - class: Msf_module -msf_eiqnetworks_esa_topology: - enable: true - msf: true - msf_key: windows/misc/eiqnetworks_esa_topology - name: eIQNetworks ESA Topology DELETEDEVICE Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in eIQnetworks\n\ - \t\t\t\tEnterprise Security Analyzer. During the processing of\n\ - \t\t\t\tlong arguments to the DELETEDEVICE command in the Topology\n\ - \t\t\t\tserver, a stack-based buffer overflow occurs.\n\n\ - \t\t\t\tThis module has only been tested against ESA v2.1.13.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3838 - - - OSVDB - - "27528" - - - BID - - "19164" - path: extensions/metasploit/ - class: Msf_module -msf_bigant_server: - enable: true - msf: true - msf_key: windows/misc/bigant_server - name: BigAnt Server 2.2 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in BigAnt Server 2.2.\n\ - \t\t\t\tBy sending a specially crafted packet, an attacker may be\n\ - \t\t\t\table to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1914 - - - OSVDB - - "44454" - - - BID - - "28795" - path: extensions/metasploit/ - class: Msf_module -msf_fb_isc_create_database: - enable: true - msf: true - msf_key: windows/misc/fb_isc_create_database - name: Firebird Relational Database isc_create_database() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted create request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38606" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_poppeeper_uidl: - enable: true - msf: true - msf_key: windows/misc/poppeeper_uidl - name: POP Peeper v3.4 UIDL Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in POP Peeper v3.4.\n\ - \t\t\t\tWhen a specially crafted UIDL string is sent to a client,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code. This\n\ - \t\t\t\tmodule is based off of krakowlabs code.\n\ - \t\t\t" - authors: - - - OSVDB - - "53559" - - - CVE - - 2009-1029 - - - BID - - "33926" - - - URL - - http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt - path: extensions/metasploit/ - class: Msf_module -msf_ibm_tsm_cad_ping: - enable: true - msf: true - msf_key: windows/misc/ibm_tsm_cad_ping - name: IBM Tivoli Storage Manager Express CAD Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.\n\ - \t\t\t\tBy sending a \"ping\" packet containing a long string, an attacker can execute arbitrary code.\n\n\ - \t\t\t\tNOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order\n\ - \t\t\t\tfor the vulnerable code to be reached. This state doesn't appear to be reachable when the\n\ - \t\t\t\tTSM server is not running. This service does not restart.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3853 - - - OSVDB - - "59632" - path: extensions/metasploit/ - class: Msf_module -msf_bakbone_netvault_heap: - enable: true - msf: true - msf_key: windows/misc/bakbone_netvault_heap - name: BakBone NetVault Remote Heap Overflow - category: Metasploit - description: "\n\ - \t\tThis module exploits a heap overflow in the BakBone NetVault\n\ - \tProcess Manager service. This code is a direct port of the netvault.c\n\ - \tcode written by nolimit and BuzzDee.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1009 - - - OSVDB - - "15234" - - - BID - - "12967" - path: extensions/metasploit/ - class: Msf_module -msf_hp_omniinet_4: - enable: true - msf: true - msf_key: windows/misc/hp_omniinet_4 - name: HP OmniInet.exe Opcode 20 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability found in HP Data Protector's OmniInet\n\ - \t\t\t\tprocess. By supplying a long string of data as the file path with opcode '20',\n\ - \t\t\t\ta buffer overflow can occur when this data is being written on the stack where\n\ - \t\t\t\tno proper bounds checking is done beforehand, which results arbitrary code\n\ - \t\t\t\texecution under the context of SYSTEM. This module is also made against systems\n\ - \t\t\t\tsuch as Windows Server 2003 or Windows Server 2008 that have DEP and/or ASLR\n\ - \t\t\t\tenabled by default.\n\ - \t\t\t" - authors: - - - CVE - - 2011-1865 - - - OSVDB - - "73571" - - - URL - - http://www.exploit-db.com/exploits/17468/ - - - URL - - http://www.coresecurity.com/content/HP-Data-Protector-multiple-vulnerabilities - - - URL - - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02872182 - path: extensions/metasploit/ - class: Msf_module -msf_eiqnetworks_esa: - enable: true - msf: true - msf_key: windows/misc/eiqnetworks_esa - name: eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in eIQnetworks\n\ - \t\t\t\tEnterprise Security Analyzer. During the processing of\n\ - \t\t\t\tlong arguments to the LICMGR_ADDLICENSE command, a stack-based\n\ - \t\t\t\tbuffer overflow occurs. This module has only been tested\n\ - \t\t\t\tagainst ESA v2.1.13.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3838 - - - OSVDB - - "27526" - - - BID - - "19163" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-06-024.html - path: extensions/metasploit/ - class: Msf_module -msf_tiny_identd_overflow: - enable: true - msf: true - msf_key: windows/misc/tiny_identd_overflow - name: TinyIdentD 2.2 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack based buffer overflow in TinyIdentD version 2.2.\n\ - \t\t\t\tIf we send a long string to the ident service we can overwrite the return\n\ - \t\t\t\taddress and execute arbitrary code. Credit to Maarten Boone.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2711 - - - OSVDB - - "36053" - - - BID - - "23981" - path: extensions/metasploit/ - class: Msf_module -msf_windows_rsh: - enable: true - msf: true - msf_key: windows/misc/windows_rsh - name: Windows RSH daemon Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerabliltiy in Windows RSH daemon 1.8.\n\ - \t\t\t\tThe vulnerability is due to a failure to check for the length of input sent\n\ - \t\t\t\tto the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit\n\ - \t\t\t\tto be successful.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4006 - - - OSVDB - - "38572" - - - BID - - "25044" - path: extensions/metasploit/ - class: Msf_module -msf_hp_omniinet_2: - enable: true - msf: true - msf_key: windows/misc/hp_omniinet_2 - name: HP OmniInet.exe MSG_PROTOCOL Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Hewlett-Packard\n\ - \t\t\t\tOmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)\n\ - \t\t\t\tpacket, a remote attacker may be able to execute arbitrary code with elevated\n\ - \t\t\t\tprivileges.\n\n\ - \t\t\t\tThis service is installed with HP OpenView Data Protector, HP Application\n\ - \t\t\t\tRecovery Manager and potentially other products. This exploit has been tested\n\ - \t\t\t\tagainst versions 6.1, 6.0, and 5.50 of Data Protector. and versions 6.0 and 6.1\n\ - \t\t\t\tof Application Recovery Manager.\n\n\ - \t\t\t\tNOTE: There are actually two consecutive wcscpy() calls in the program (which\n\ - \t\t\t\tmay be why ZDI considered them two separate issues). However, this module only\n\ - \t\t\t\texploits the second one.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3844 - - - BID - - "37250" - - - OSVDB - - "60852" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-09-091 - path: extensions/metasploit/ - class: Msf_module -msf_eureka_mail_err: - enable: true - msf: true - msf_key: windows/misc/eureka_mail_err - name: Eureka Email 2.2q ERR Remote Buffer Overflow Exploit - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a buffer overflow in the Eureka Email 2.2q\n\ - \t\t\t\tclient that is triggered through an excessively long ERR message.\n\n\ - \t\t\t\tNOTE: this exploit isn't very reliable. Unfortunately reaching the\n\ - \t\t\t\tvulnerable code can only be done when manually checking mail (Ctrl-M).\n\ - \t\t\t\tChecking at startup will not reach the code targeted here.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3837 - - - OSVDB - - "59262 " - - - URL - - http://www.exploit-db.com/exploits/10235 - path: extensions/metasploit/ - class: Msf_module -msf_netcat110_nt: - enable: true - msf: true - msf_key: windows/misc/netcat110_nt - name: Netcat v1.10 NT Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Netcat v1.10 NT. By sending\n\ - \t\t\t\t\tan overly long string we are able to overwrite SEH. The vulnerability\n\ - \t\t\t\t\texists when netcat is used to bind (-e) an executable to a port in doexec.c.\n\ - \t\t\t\t\tThis module tested successfully using \"c:\\>nc -L -p 31337 -e ftp\".\n\ - \t\t\t\t" - authors: - - - CVE - - 2004-1317 - - - OSVDB - - "12612" - - - BID - - "12106" - - - URL - - http://www.milw0rm.com/exploits/726 - path: extensions/metasploit/ - class: Msf_module -msf_doubletake: - enable: true - msf: true - msf_key: windows/misc/doubletake - name: DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the authentication mechanism of\n\ - \t\t\t\t\tNSI Doubletake which is also rebranded as HP Storage Works. This vulnerability\n\ - \t\t\t\t\twas found by Titon of Bastard Labs.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1661 - - - OSVDB - - "45924" - path: extensions/metasploit/ - class: Msf_module -msf_borland_interbase: - enable: true - msf: true - msf_key: windows/misc/borland_interbase - name: Borland Interbase Create-Request Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Borland Interbase 2007.\n\ - \t\t\t\tBy sending a specially crafted create-request packet, a remote\n\ - \t\t\t\tattacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3566 - - - OSVDB - - "38602" - - - URL - - http://dvlabs.tippingpoint.com/advisory/TPTI-07-13 - path: extensions/metasploit/ - class: Msf_module -msf_bcaaa_bof: - enable: true - msf: true - msf_key: windows/misc/bcaaa_bof - name: Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),\n\ - \t\t\t\twhich comes as part of the Blue Coat Authentication proxy. Please note that by default,\n\ - \t\t\t\tthis exploit will attempt up to three times in order to successfully gain remote code\n\ - \t\t\t\texecution (in some cases, it takes as many as five times). This can cause your activity\n\ - \t\t\t\tto look even more suspicious. To modify the number of exploit attempts, set the\n\ - \t\t\t\tATTEMPTS option.\n\ - \t\t\t" - authors: - - - OSVDB - - "72095" - - - URL - - https://kb.bluecoat.com/index?page=content&id=SA55 - - - URL - - http://seclists.org/bugtraq/2011/Jul/44 - path: extensions/metasploit/ - class: Msf_module -msf_bopup_comm: - enable: true - msf: true - msf_key: windows/misc/bopup_comm - name: Bopup Communications Server Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Bopup Communications Server 3.2.26.5460.\n\ - \t\t\t\t\tBy sending a specially crafted packet, an attacker may be\n\ - \t\t\t\t\table to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2227 - - - OSVDB - - "55275" - - - URL - - http://www.blabsoft.com/products/server - - - URL - - http://milw0rm.com/exploits/9002 - path: extensions/metasploit/ - class: Msf_module -msf_fb_svc_attach: - enable: true - msf: true - msf_key: windows/misc/fb_svc_attach - name: Firebird Relational Database SVC_attach() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Borland InterBase\n\ - \t\t\t\tby sending a specially crafted service attach request.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5243 - - - OSVDB - - "38605" - - - BID - - "25917" - - - URL - - http://www.risesecurity.org/advisories/RISE-2007002.txt - path: extensions/metasploit/ - class: Msf_module -msf_ms05_030_nntp: - enable: true - msf: true - msf_key: windows/nntp/ms05_030_nntp - name: Microsoft Outlook Express NNTP Response Parsing Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the news reader of Microsoft\n\ - \t\t\t\tOutlook Express.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1213 - - - OSVDB - - "17306" - - - BID - - "13951" - - - MSB - - MS05-030 - path: extensions/metasploit/ - class: Msf_module -msf_nmap_stor: - enable: true - msf: true - msf_key: windows/novell/nmap_stor - name: Novell NetMail <= 3.52d NMAP STOR Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 NMAP STOR\n\ - \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ - \t\t\t\tbuffer and control program execution.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6424 - - - OSVDB - - "31363" - - - BID - - "21725" - path: extensions/metasploit/ - class: Msf_module -msf_groupwisemessenger_client: - enable: true - msf: true - msf_key: windows/novell/groupwisemessenger_client - name: Novell GroupWise Messenger Client Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.\n\ - \t\t\t\tBy sending a specially crafted HTTP response, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2703 - - - OSVDB - - "46041" - - - BID - - "29602" - - - URL - - http://www.infobyte.com.ar/adv/ISR-17.html - path: extensions/metasploit/ - class: Msf_module -msf_zenworks_desktop_agent: - enable: true - msf: true - msf_key: windows/novell/zenworks_desktop_agent - name: Novell ZENworks 6.5 Desktop/Server Management Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a heap overflow in the Novell ZENworks\n\ - \t\t\t\tDesktop Management agent. This vulnerability was discovered\n\ - \t\t\t\tby Alex Wheeler.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1543 - - - OSVDB - - "16698" - - - BID - - "13678" - path: extensions/metasploit/ - class: Msf_module -msf_ms04_045_wins: - enable: true - msf: true - msf_key: windows/wins/ms04_045_wins - name: Microsoft WINS Service Memory Overwrite - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits an arbitrary memory write flaw in the\n\ - \t\t\t\tWINS service. This exploit has been tested against Windows\n\ - \t\t\t\t2000 only.\n\n\ - \t\t\t" - authors: - - - CVE - - 2004-1080 - - - OSVDB - - "12378" - - - BID - - "11763" - - - MSB - - MS04-045 - path: extensions/metasploit/ - class: Msf_module -msf_xlink_nfsd: - enable: true - msf: true - msf_key: windows/nfs/xlink_nfsd - name: Omni-NFS Server Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2\n\ - \t\t\t\tWhen sending a specially crafted nfs packet, an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5780 - - - OSVDB - - "30224" - - - BID - - "20941" - - - URL - - http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm - path: extensions/metasploit/ - class: Msf_module -msf_safenet_ike_11: - enable: true - msf: true - msf_key: windows/vpn/safenet_ike_11 - name: SafeNet SoftRemote IKE Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe\n\ - \t\t\t\tservice. When sending a specially crafted udp packet to port 62514 an\n\ - \t\t\t\tattacker may be able to execute arbitrary code. This module has\n\ - \t\t\t\tbeen tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using\n\ - \t\t\t\twindows/meterpreter/reverse_ord_tcp payloads.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1943 - - - OSVDB - - "54831" - - - BID - - "35154" - - - URL - - http://reversemode.com/index.php?option=com_content&task=view&id=63&Itemid=1 - path: extensions/metasploit/ - class: Msf_module -msf_putty_msg_debug: - enable: true - msf: true - msf_key: windows/ssh/putty_msg_debug - name: PuTTy.exe <= v0.53 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the PuTTY SSH client that is triggered\n\ - \t\t\t\tthrough a validation error in SSH.c.\n\ - \t\t\t" - authors: - - - CVE - - 2002-1359 - - - OSVDB - - "8044" - - - URL - - http://www.rapid7.com/advisories/R7-0009.html - - - BID - - "6407" - path: extensions/metasploit/ - class: Msf_module -msf_freesshd_key_exchange: - enable: true - msf: true - msf_key: windows/ssh/freesshd_key_exchange - name: FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.\n\ - \t\t\t\tThis flaw is due to a buffer overflow error when handling a specially\n\ - \t\t\t\tcrafted key exchange algorithm string received from an SSH client.\n\ - \t\t\t" - authors: - - - CVE - - 2006-2407 - - - OSVDB - - "25463" - - - BID - - "17958" - path: extensions/metasploit/ - class: Msf_module -msf_freeftpd_key_exchange: - enable: true - msf: true - msf_key: windows/ssh/freeftpd_key_exchange - name: FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a simple stack buffer overflow in FreeFTPd 1.0.10\n\ - \t\t\t\tThis flaw is due to a buffer overflow error when handling a specially\n\ - \t\t\t\tcrafted key exchange algorithm string received from an SSH client.\n\ - \t\t\t\tThis module is based on MC's freesshd_key_exchange exploit.\n\ - \t\t\t" - authors: - - - CVE - - 2006-2407 - - - OSVDB - - "25569" - - - BID - - "17958" - path: extensions/metasploit/ - class: Msf_module -msf_securecrt_ssh1: - enable: true - msf: true - msf_key: windows/ssh/securecrt_ssh1 - name: SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in SecureCRT <= 4.0\n\ - \t\t\t\tBeta 2. By sending a vulnerable client an overly long\n\ - \t\t\t\tSSH1 protocol identifier string, it is possible to execute\n\ - \t\t\t\tarbitrary code.\n\n\ - \t\t\t\tThis module has only been tested on SecureCRT 3.4.4.\n\ - \t\t\t" - authors: - - - CVE - - 2002-1059 - - - OSVDB - - "4991" - - - BID - - "5287" - path: extensions/metasploit/ - class: Msf_module -msf_alphastor_agent: - enable: true - msf: true - msf_key: windows/emc/alphastor_agent - name: EMC AlphaStor Agent Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in EMC AlphaStor 3.1.\n\ - \t\t\t\tBy sending a specially crafted message, an attacker may\n\ - \t\t\t\tbe able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2158 - - - OSVDB - - "45714" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702 - path: extensions/metasploit/ - class: Msf_module -msf_java_docbase_bof: - enable: true - msf: true - msf_key: windows/browser/java_docbase_bof - name: Sun Java Runtime New Plugin docbase Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a flaw in the new plugin component of the Sun Java\n\ - \t\t\t\tRuntime Environment before v6 Update 22. By specifying specific parameters\n\ - \t\t\t\tto the new plugin, an attacker can cause a stack-based buffer overflow and\n\ - \t\t\t\texecute arbitrary code.\n\n\ - \t\t\t\tWhen the new plugin is invoked with a \"launchjnlp\" parameter, it will\n\ - \t\t\t\tcopy the contents of the \"docbase\" parameter to a stack-buffer using the\n\ - \t\t\t\t\"sprintf\" function. A string of 396 bytes is enough to overflow the 256\n\ - \t\t\t\tbyte stack buffer and overwrite some local variables as well as the saved\n\ - \t\t\t\treturn address.\n\n\ - \t\t\t\tNOTE: The string being copied is first passed through the \"WideCharToMultiByte\".\n\ - \t\t\t\tDue to this, only characters which have a valid localized multibyte\n\ - \t\t\t\trepresentation are allowed. Invalid characters will be replaced with\n\ - \t\t\t\tquestion marks ('?').\n\n\ - \t\t\t\tThis vulnerability was originally discovered independently by both Stephen\n\ - \t\t\t\tFewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't\n\ - \t\t\t\tbeen done, all versions since version 6 Update 10 are believed to be affected\n\ - \t\t\t\tby this vulnerability.\n\n\ - \t\t\t\tThis vulnerability was patched as part of the October 2010 Oracle Patch\n\ - \t\t\t\trelease.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3552 - - - OSVDB - - "68873" - - - BID - - "44023" - - - URL - - http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-206/ - - - URL - - http://code.google.com/p/skylined/issues/detail?id=23 - - - URL - - http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/ - - - URL - - http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html - path: extensions/metasploit/ - class: Msf_module -msf_adobe_flashplayer_avm: - enable: true - msf: true - msf_key: windows/browser/adobe_flashplayer_avm - name: Adobe Flash Player AVM Bytecode Verification Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in Adobe Flash Player versions 10.2.152.33\n\ - \t\t\t\tand earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification\n\ - \t\t\t\tlogic. This results in unsafe JIT(Just-In-Time) code being executed.\n\n\ - \t\t\t\t\tSpecifically, this issue results in uninitialized memory being referenced and later \n\ - \t\t\t\texecuted. Taking advantage of this issue relies on heap spraying and controlling the\n\ - \t\t\t\tuninitialized memory. \n\n\ - \t\t\t\t\tCurrently this exploit works for IE6, IE7, and Firefox 3.6 and likely several \n\ - \t\t\t\tother browsers. DEP does catch the exploit and causes it to fail. Due to the nature\n\ - \t\t\t\tof the uninitialized memory its fairly difficult to get around this restriction.\n\ - \t\t\t\t" - authors: - - - CVE - - 2011-0609 - - - OSVDB - - "71254" - - - URL - - http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html - - - URL - - http://www.adobe.com/devnet/swf.html - - - URL - - http://www.adobe.com/support/security/advisories/apsa11-01.html - path: extensions/metasploit/ - class: Msf_module -msf_adobe_jbig2decode: - enable: true - msf: true - msf_key: windows/fileformat/adobe_jbig2decode - name: Adobe JBIG2Decode Memory Corruption Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.\n\ - \t\t\t\t\tThis module relies upon javascript for the heap spray.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0658 - - - OSVDB - - "52073" - - - URL - - http://bl4cksecurity.blogspot.com/2009/03/adobe-acrobatreader-universal-exploit.html - path: extensions/metasploit/ - class: Msf_module -msf_windvd7_applicationtype: - enable: true - msf: true - msf_key: windows/browser/windvd7_applicationtype - name: WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in IASystemInfo.dll ActiveX\n\ - \t\t\t\tcontrol in InterVideo WinDVD 7. By sending a overly long string\n\ - \t\t\t\tto the \"ApplicationType()\" property, an attacker may be able to\n\ - \t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-0348 - - - OSVDB - - "34315" - - - BID - - "23071" - path: extensions/metasploit/ - class: Msf_module -msf_ms06_071_xml_core: - enable: true - msf: true - msf_key: windows/browser/ms06_071_xml_core - name: Internet Explorer XML Core Services HTTP Request Handling - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft XML Core Services which\n\ - \t\t\t\texists in the XMLHTTP ActiveX control. This module is the modifed version of\n\ - \t\t\t\thttp://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully\n\ - \t\t\t\ttested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6\n\ - \t\t\t\t+ Microsoft XML Core Services 4.0 SP2.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5745 - - - OSVDB - - "29425" - - - MSB - - MS06-071 - - - BID - - "20915" - path: extensions/metasploit/ - class: Msf_module -msf_juniper_sslvpn_ive_setupdll: - enable: true - msf: true - msf_key: windows/browser/juniper_sslvpn_ive_setupdll - name: Juniper SSL-VPN IVE JuniperSetupDLL.dll ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the JuniperSetupDLL.dll\n\ - \t\t\t\tlibrary which is called by the JuniperSetup.ocx ActiveX\tcontrol,\n\ - \t\t\t\tas part of the Juniper SSL-VPN (IVE) appliance. By specifying an\n\ - \t\t\t\toverly long string to the ProductName object parameter, the stack\n\ - \t\t\t\tis overwritten.\n\ - \t\t\t" - authors: - - - CVE - - 2006-2086 - - - OSVDB - - "25001" - - - BID - - "17712" - - - URL - - http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0743.html - path: extensions/metasploit/ - class: Msf_module -msf_apple_itunes_playlist: - enable: true - msf: true - msf_key: windows/browser/apple_itunes_playlist - name: Apple ITunes 4.7 Playlist Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Apple ITunes 4.7\n\ - \t\t\t\tbuild 4.7.0.42. By creating a URL link to a malicious PLS\n\ - \t\t\t\tfile, a remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code. When using this module, be sure to set the\n\ - \t\t\t\tURIPATH with an extension of '.pls'.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0043 - - - OSVDB - - "12833" - - - BID - - "12238" - path: extensions/metasploit/ - class: Msf_module -msf_tumbleweed_filetransfer: - enable: true - msf: true - msf_key: windows/browser/tumbleweed_filetransfer - name: Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the vcst_eu.dll\n\ - \t\t\t\tFileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed\n\ - \t\t\t\tSecureTransport suite. By sending an overly long string to the\n\ - \t\t\t\tTransferFile() 'remotefile' function, an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1724 - - - OSVDB - - "44252" - - - URL - - http://www.aushack.com/200708-tumbleweed.txt - path: extensions/metasploit/ - class: Msf_module -msf_ms10_046_shortcut_icon_dllloader: - enable: true - msf: true - msf_key: windows/browser/ms10_046_shortcut_icon_dllloader - name: Microsoft Windows Shell LNK Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the handling of Windows\n\ - \t\t\t\tShortcut files (.LNK) that contain an icon resource pointing to a\n\ - \t\t\t\tmalicious DLL. This module creates a WebDAV service that can be used\n\ - \t\t\t\tto run an arbitrary payload when accessed as a UNC path.\n\ - \t\t\t" - authors: - - - CVE - - 2010-2568 - - - OSVDB - - "66387" - - - MSB - - MS10-046 - - - URL - - http://www.microsoft.com/technet/security/advisory/2286198.mspx - path: extensions/metasploit/ - class: Msf_module -msf_mcafeevisualtrace_tracetarget: - enable: true - msf: true - msf_key: windows/browser/mcafeevisualtrace_tracetarget - name: McAfee Visual Trace ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX\n\ - \t\t\t\tControl (NeoTraceExplorer.dll 1.0.0.1). By sending a overly long string to the\n\ - \t\t\t\t\"TraceTarget()\" method, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6707 - - - OSVDB - - "32399" - - - URL - - http://secunia.com/advisories/23463 - path: extensions/metasploit/ - class: Msf_module -msf_orbit_connecting: - enable: true - msf: true - msf_key: windows/browser/orbit_connecting - name: Orbit Downloader Connecting Log Creation Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an\n\ - \t\t\t\tattacker serves up a malicious web site, abritrary code may be executed.\n\ - \t\t\t\tThe PAYLOAD windows/shell_bind_tcp works best.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0187 - - - OSVDB - - "52294" - - - BID - - "33894" - path: extensions/metasploit/ - class: Msf_module -msf_kazaa_altnet_heap: - enable: true - msf: true - msf_key: windows/browser/kazaa_altnet_heap - name: Kazaa Altnet Download Manager ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Altnet Download Manager ActiveX\n\ - \t\t\t\tControl (amd4.dll) bundled with Kazaa Media Desktop 3.2.7.\n\ - \t\t\t\tBy sending a overly long string to the \"Install()\" method, an attacker may be\n\ - \t\t\t\table to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5217 - - - OSVDB - - "37785" - - - URL - - http://secunia.com/advisories/26970/ - path: extensions/metasploit/ - class: Msf_module -msf_ms08_041_snapshotviewer: - enable: true - msf: true - msf_key: windows/browser/ms08_041_snapshotviewer - name: Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\n\ - \t\t\t\tvia the Microsoft Office Snapshot Viewer ActiveX Control.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2463 - - - OSVDB - - "46749" - - - MSB - - MS08-041 - - - BID - - "30114" - path: extensions/metasploit/ - class: Msf_module -msf_java_codebase_trust: - enable: true - msf: true - msf_key: windows/browser/java_codebase_trust - name: Sun Java Applet2ClassLoader Remote Code Execution Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the Java Runtime Environment\n\ - \t\t\t\tthat allows an attacker to run an applet outside of the Java Sandbox. When\n\ - \t\t\t\tan applet is invoked with:\n\n\ - \t\t\t\t1. A \"codebase\" parameter that points at a trusted directory\n\ - \t\t\t\t2. A \"code\" parameter that is a URL that does not contain any dots\n\n\ - \t\t\t\tthe applet will run outside of the sandbox.\n\n\ - \t\t\t\tThis vulnerability affects JRE prior to version 6 update 24.\n\ - \t\t\t" - authors: - - - CVE - - 2010-4452 - - - OSVDB - - "71193" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-11-084/ - - - URL - - http://fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ - - - URL - - http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html - path: extensions/metasploit/ - class: Msf_module -msf_awingsoft_web3d_bof: - enable: true - msf: true - msf_key: windows/browser/awingsoft_web3d_bof - name: AwingSoft Winds3D Player SceneURL Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a data segment buffer overflow within Winds3D Viewer of\n\ - \t\t\t\tAwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of\n\ - \t\t\t\tAwingSoft Web3D Player.\n\ - \t\t\t\tBy setting an overly long value to the 'SceneURL' property, an attacker can\n\ - \t\t\t\toverrun a buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4588 - - - OSVDB - - "60017" - - - URL - - http://www.milw0rm.com/exploits/9116 - - - URL - - http://www.shinnai.net/exploits/nsGUdeley3EHfKEV690p.txt - - - URL - - http://www.rec-sec.com/2009/07/28/awingsoft-web3d-buffer-overflow/ - path: extensions/metasploit/ - class: Msf_module -msf_aim_goaway: - enable: true - msf: true - msf_key: windows/browser/aim_goaway - name: AOL Instant Messenger goaway Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a flaw in the handling of AOL Instant\n\ - \t\t\t\tMessenger's 'goaway' URI handler. An attacker can execute\n\ - \t\t\t\tarbitrary code by supplying a overly sized buffer as the\n\ - \t\t\t\t'message' parameter. This issue is known to affect AOL Instant\n\ - \t\t\t\tMessenger 5.5.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0636 - - - OSVDB - - "8398" - - - BID - - "10889" - - - URL - - http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities - path: extensions/metasploit/ - class: Msf_module -msf_autodesk_idrop: - enable: true - msf: true - msf_key: windows/browser/autodesk_idrop - name: Autodesk IDrop ActiveX Control Heap Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a heap-based memory corruption vulnerability in\n\ - \t\t\t\tAutodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160.\n\ - \t\t\t\tAn attacker can execute arbitrary code by triggering a heap use after\n\ - \t\t\t\tfree condition using the Src, Background, PackageXml properties.\n\ - \t\t\t" - authors: - - - OSVDB - - "53265" - - - BID - - "34352" - - - URL - - http://www.milw0rm.com/exploits/8560 - - - URL - - http://marc.info/?l=full-disclosure&m=123870112214736 - path: extensions/metasploit/ - class: Msf_module -msf_aol_icq_downloadagent: - enable: true - msf: true - msf_key: windows/browser/aol_icq_downloadagent - name: America Online ICQ ActiveX Control Arbitrary File Download and Execute - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows remote attackers to download and execute arbitrary files\n\ - \t\t\t\ton a users system via the DownloadAgent function of the ICQPhone.SipxPhoneManager ActiveX control.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5650 - - - OSVDB - - "30220" - - - BID - - "20930" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-06-037/ - path: extensions/metasploit/ - class: Msf_module -msf_aventail_epi_activex: - enable: true - msf: true - msf_key: windows/browser/aventail_epi_activex - name: SonicWALL Aventail epi.dll AuthCredential Format String Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a format string vulnerability within version 10.0.4.x and\n\ - \t\t\t\t10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX\n\ - \t\t\t\tcontrol (epi.dll). By calling the 'AuthCredential' method with a specially\n\ - \t\t\t\tcrafted Unicode format string, an attacker can cause memory corruption and\n\ - \t\t\t\texecute arbitrary code.\n\n\ - \t\t\t\tUnfortunately, it does not appear to be possible to indirectly re-use existing\n\ - \t\t\t\tstack data for more reliable exploitation. This is due to several particulars\n\ - \t\t\t\tabout this vulnerability. First, the format string must be a Unicode string,\n\ - \t\t\t\twhich uses two bytes per character. Second, the buffer is allocated on the\n\ - \t\t\t\tstack using the 'alloca' function. As such, each additional format specifier (%x)\n\ - \t\t\t\twill add four more bytes to the size allocated. This results in the inability to\n\ - \t\t\t\tmove the read pointer outside of the buffer.\n\n\ - \t\t\t\tFurther testing showed that using specifiers that pop more than four bytes does\n\ - \t\t\t\tnot help. Any number of format specifiers will result in accessing the same value\n\ - \t\t\t\twithin the buffer.\n\n\ - \t\t\t\tNOTE: It may be possible to leverage the vulnerability to leak memory contents.\n\ - \t\t\t\tHowever, that has not been fully investigated at this time.\n\ - \t\t\t" - authors: - - - OSVDB - - "67286" - - - URL - - http://sotiriu.de/adv/NSOADV-2010-005.txt - path: extensions/metasploit/ - class: Msf_module -msf_hp_loadrunner_addfile: - enable: true - msf: true - msf_key: windows/browser/hp_loadrunner_addfile - name: Persits XUpload ActiveX AddFile Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Persits Software Inc's\n\ - \t\t\t\tXUpload ActiveX control(version 3.0.0.3) thats included in HP LoadRunner 9.5.\n\ - \t\t\t\tBy passing an overly long string to the AddFile method, an attacker may be\n\ - \t\t\t\table to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0492 - - - OSVDB - - "40762" - - - BID - - "27456" - - - URL - - http://www.milw0rm.com/exploits/4987 - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059296.html - path: extensions/metasploit/ - class: Msf_module -msf_novelliprint_datetime: - enable: true - msf: true - msf_key: windows/browser/novelliprint_datetime - name: Novell iPrint Client ActiveX Control Date/Time Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n\ - \t\t\t\tpassing a specially crafted date/time string via certain parameters to ienipp.ocx\n\ - \t\t\t\tan attacker can execute arbitrary code.\n\n\ - \t\t\t\tNOTE: The \"operation\" variable must be set to a valid command in order to reach this\n\ - \t\t\t\tvulnerability.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1569 - - - BID - - "37242" - - - OSVDB - - "60804" - - - URL - - http://secunia.com/advisories/35004/ - path: extensions/metasploit/ - class: Msf_module -msf_zenturiprogramchecker_unsafe: - enable: true - msf: true - msf_key: windows/browser/zenturiprogramchecker_unsafe - name: Zenturi ProgramChecker ActiveX Control Arbitrary File Download - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\n\ - \t\t\t\tvia the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2987 - - - OSVDB - - "36715" - - - BID - - "24217" - path: extensions/metasploit/ - class: Msf_module -msf_realplayer_cdda_uri: - enable: true - msf: true - msf_key: windows/browser/realplayer_cdda_uri - name: RealNetworks RealPlayer CDDA URI Initialization Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a initialization flaw within RealPlayer 11/11.1 and \n\ - \t\t\t\tRealPlayer SP 1.0 - 1.1.4. An abnormally long CDDA URI causes an object \n\ - \t\t\t\tinitialization failure. However, this failure is improperly handled and \n\ - \t\t\t\tuninitialized memory executed.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3747 - - - OSVDB - - "68673" - - - BID - - "44144" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-210/ - - - URL - - http://service.real.com/realplayer/security/10152010_player/en/ - path: extensions/metasploit/ - class: Msf_module -msf_novelliprint_target_frame: - enable: true - msf: true - msf_key: windows/browser/novelliprint_target_frame - name: Novell iPrint Client ActiveX Control target-frame Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.30. When\n\ - \t\t\t\tpassing an overly long string via the \"target-frame\" parameter to ienipp.ocx\n\ - \t\t\t\tan attacker can execute arbitrary code.\n\n\ - \t\t\t\tNOTE: The \"operation\" variable must be set to a valid command in order to reach this\n\ - \t\t\t\tvulnerability.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1568 - - - BID - - "37242" - - - OSVDB - - "60803" - - - URL - - http://secunia.com/advisories/37169/ - path: extensions/metasploit/ - class: Msf_module -msf_roxio_cineplayer: - enable: true - msf: true - msf_key: windows/browser/roxio_cineplayer - name: Roxio CinePlayer ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in SonicPlayer ActiveX\n\ - \t\t\t\tcontrol (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.\n\ - \t\t\t\tBy setting an overly long value to 'DiskType', an attacker can overrun\n\ - \t\t\t\ta buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1559 - - - OSVDB - - "34779" - - - BID - - "23412" - path: extensions/metasploit/ - class: Msf_module -msf_dxstudio_player_exec: - enable: true - msf: true - msf_key: windows/browser/dxstudio_player_exec - name: Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a command execution vulnerability within the\n\ - \t\t\t\tDX Studio Player from Worldweaver. The player is a browser plugin for\n\ - \t\t\t\tIE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web\n\ - \t\t\t\tpage referring to a specially crafted .dxstudio document, an attacker can\n\ - \t\t\t\texecute arbitrary commands.\n\n\ - \t\t\t\tTesting was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and\n\ - \t\t\t\tIE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow\n\ - \t\t\t\tthe plug-in to access local files. This prompt appears to occur only once per\n\ - \t\t\t\tserver host.\n\n\ - \t\t\t\tNOTE: This exploit uses additionally dangerous script features to write to\n\ - \t\t\t\tlocal files!\n\ - \t\t\t" - authors: - - - CVE - - 2009-2011 - - - BID - - "35273" - - - OSVDB - - "54969" - - - URL - - http://www.exploit-db.com/exploits/8922 - - - URL - - http://dxstudio.com/guide.aspx - path: extensions/metasploit/ - class: Msf_module -msf_realplayer_smil: - enable: true - msf: true - msf_key: windows/browser/realplayer_smil - name: RealNetworks RealPlayer SMIL Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.\n\ - \t\t\t\tBy creating a URL link to a malicious SMIL file, a remote attacker could\n\ - \t\t\t\toverflow a buffer and execute arbitrary code.\n\ - \t\t\t\tWhen using this module, be sure to set the URIPATH with an extension of '.smil'.\n\ - \t\t\t\tThis module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8\n\ - \t\t\t\tbuild 6.0.9.584.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0455 - - - OSVDB - - "14305" - - - BID - - "12698" - path: extensions/metasploit/ - class: Msf_module -msf_java_ws_arginject_altjvm: - enable: true - msf: true - msf_key: windows/browser/java_ws_arginject_altjvm - name: Sun Java Web Start Plugin Command Line Argument Injection - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a flaw in the Web Start plugin component of Sun Java\n\ - \t\t\t\tWeb Start. The arguments passed to Java Web Start are not properly validated.\n\ - \t\t\t\tBy passing the lesser known -J option, an attacker can pass arbitrary options\n\ - \t\t\t\tdirectly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n\ - \t\t\t\tby Ruben Santamarta, an attacker can execute arbitrary code in the context of\n\ - \t\t\t\tan unsuspecting browser user.\n\n\ - \t\t\t\tThis vulnerability was originally discovered independently by both Ruben\n\ - \t\t\t\tSantamarta and Tavis Ormandy. Tavis reported that all versions since version\n\ - \t\t\t\t6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n\ - \t\t\t\tIn order for this module to work, it must be ran as root on a server that\n\ - \t\t\t\tdoes not serve SMB. Additionally, the target host must have the WebClient\n\ - \t\t\t\tservice (WebDAV Mini-Redirector) enabled.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0886 - - - OSVDB - - "63648" - - - BID - - "39346" - - - URL - - http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html - - - URL - - http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_flashplayer_flash10o: - enable: true - msf: true - msf_key: windows/browser/adobe_flashplayer_flash10o - name: Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in Adobe Flash Player that was discovered, and\n\ - \t\t\t\thas been exploited actively in the wild. By embedding a specially crafted .swf file,\n\ - \t\t\t\tAdobe Flash crashes due to an invalid use of an object type, which allows attackers to\n\ - \t\t\t\toverwrite a pointer in memory, and results arbitrary code execution.\n\ - \t\t\t" - authors: - - - CVE - - 2011-0611 - - - OSVDB - - "71686" - - - BID - - "47314" - - - URL - - http://www.adobe.com/support/security/bulletins/apsb11-07.html - - - URL - - http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx - - - URL - - http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html - - - URL - - http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html - - - URL - - http://secunia.com/blog/210 - path: extensions/metasploit/ - class: Msf_module -msf_ms06_067_keyframe: - enable: true - msf: true - msf_key: windows/browser/ms06_067_keyframe - name: Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a heap overflow vulnerability in the KeyFrame method of the\n\ - \t\t\t\tdirect animation ActiveX control. This is a port of the exploit implemented by\n\ - \t\t\t\tAlexander Sotirov.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4777 - - - OSVDB - - "28842" - - - BID - - "20047" - - - MSB - - MS06-067 - - - URL - - https://www.blackhat.com/presentations/bh-eu-07/Sotirov/Sotirov-Source-Code.zip - path: extensions/metasploit/ - class: Msf_module -msf_trendmicro_officescan: - enable: true - msf: true - msf_key: windows/http/trendmicro_officescan - name: Trend Micro OfficeScan Remote Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Trend Micro OfficeScan\n\ - \t\t\t\tcgiChkMasterPwd.exe (running with SYSTEM privileges).\n\ - \t\t\t" - authors: - - - CVE - - 2008-1365 - - - OSVDB - - "42499" - path: extensions/metasploit/ - class: Msf_module -msf_ms11_050_mshtml_cobjectelement: - enable: true - msf: true - msf_key: windows/browser/ms11_050_mshtml_cobjectelement - name: MS11-050 IE mshtml!CObjectElement Use After Free - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a use-after-free vulnerability in Internet Explorer. The\n\ - \t\t\t\tvulnerability occurs when an invalid tag exists and other elements\n\ - \t\t\t\toverlap/cover where the object tag should be when rendered (due to their\n\ - \t\t\t\tstyles/positioning). The mshtml!CObjectElement is then freed from memory because\n\ - \t\t\t\tit is invalid. However, the mshtml!CDisplay object for the page continues to keep\n\ - \t\t\t\ta reference to the freed and attempts to call a function on it, leading\n\ - \t\t\t\tto the use-after-free.\n\n\ - \t\t\t\tPlease note that for IE 8 targets, JRE (Java Runtime Environment) is required to\n\ - \t\t\t\tbypass DEP.\n\ - \t\t\t" - authors: - - - CVE - - 2011-1260 - - - OSVDB - - "72950" - - - MSB - - MS11-050 - - - URL - - http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html - path: extensions/metasploit/ - class: Msf_module -msf_barcode_ax49: - enable: true - msf: true - msf_key: windows/browser/barcode_ax49 - name: RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in RKD Software Barcode Application\n\ - \t\t\t\tActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint\n\ - \t\t\t\tmethod of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - URL - - http://www.milw0rm.com/exploits/4094 - - - OSVDB - - "37482" - - - BID - - "24596" - - - CVE - - 2007-3435 - path: extensions/metasploit/ - class: Msf_module -msf_yahoomessenger_server: - enable: true - msf: true - msf_key: windows/browser/yahoomessenger_server - name: Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX\n\ - \t\t\t\tControl (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.\n\ - \t\t\t\tBy sending a overly long string to the \"Server()\" method, and then calling\n\ - \t\t\t\tthe \"Send()\" method, an attacker may be able to execute arbitrary code.\n\ - \t\t\t\tUsing the payloads \"windows/shell_bind_tcp\" and \"windows/shell_reverse_tcp\"\n\ - \t\t\t\tyield for the best results.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3147 - - - OSVDB - - "37082" - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063817.html - path: extensions/metasploit/ - class: Msf_module -msf_winzip_fileview: - enable: true - msf: true - msf_key: windows/browser/winzip_fileview - name: WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThe FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a\n\ - \t\t\t\tremote attacker to execute arbitrary code on the system. The control contains\n\ - \t\t\t\tseveral unsafe methods and is marked safe for scripting and safe for initialization.\n\ - \t\t\t\tA remote attacker could exploit this vulnerability to execute arbitrary code on the\n\ - \t\t\t\tvictim system. WinZip 10.0 <= Build 6667 are vulnerable.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5198 - - - OSVDB - - "30433" - - - BID - - "21060" - path: extensions/metasploit/ - class: Msf_module -msf_chilkat_crypt_writefile: - enable: true - msf: true - msf_key: windows/browser/chilkat_crypt_writefile - name: Chilkat Crypt ActiveX WriteFile Unsafe Method - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows attackers to execute code via the 'WriteFile' unsafe method of\n\ - \t\t\t\tChilkat Software Inc's Crypt ActiveX control.\n\n\ - \t\t\t\tThis exploit is based on shinnai's exploit that uses an hcp:// protocol URI to\n\ - \t\t\t\texecute our payload immediately. However, this method requires that the victim user\n\ - \t\t\t\tbe browsing with Administrator. Additionally, this method will not work on newer\n\ - \t\t\t\tversions of Windows.\n\n\ - \t\t\t\tNOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at\n\ - \t\t\t\tthe time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.\n\ - \t\t\t" - authors: - - - CVE - - 2008-5002 - - - OSVDB - - "49510" - - - BID - - "32073" - - - URL - - http://www.exploit-db.com/exploits/6963 - path: extensions/metasploit/ - class: Msf_module -msf_ms10_018_ie_behaviors: - enable: true - msf: true - msf_key: windows/browser/ms10_018_ie_behaviors - name: Internet Explorer DHTML Behaviors Use After Free - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a use-after-free vulnerability within the DHTML behaviors\n\ - \t\t\t\tfunctionality of Microsoft Internet Explorer versions 6 and 7. This bug was\n\ - \t\t\t\tdiscovered being used in-the-wild and was previously known as the \"iepeers\"\n\ - \t\t\t\tvulnerability. The name comes from Microsoft's suggested workaround to block\n\ - \t\t\t\taccess to the iepeers.dll file.\n\n\ - \t\t\t\tAccording to Nico Waisman, \"The bug itself is when trying to persist an object\n\ - \t\t\t\tusing the setAttribute, which end up calling VariantChangeTypeEx with both the\n\ - \t\t\t\tsource and the destination being the same variant. So if you send as a variant\n\ - \t\t\t\tan IDISPATCH the algorithm will try to do a VariantClear of the destination before\n\ - \t\t\t\tusing it. This will end up on a call to PlainRelease which deref the reference\n\ - \t\t\t\tand clean the object.\"\n\n\ - \t\t\t\tNOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0806 - - - OSVDB - - "62810" - - - BID - - "38615" - - - URL - - http://www.microsoft.com/technet/security/advisory/981374.mspx - - - URL - - http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/ - - - URL - - http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html - - - MSB - - MS10-018 - path: extensions/metasploit/ - class: Msf_module -msf_nis2004_get: - enable: true - msf: true - msf_key: windows/browser/nis2004_get - name: Symantec Norton Internet Security 2004 ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the ISAlertDataCOM ActiveX\n\ - \t\t\t\tControl (ISLAert.dll) provided by Symantec Norton Internet Security 2004.\n\ - \t\t\t\tBy sending a overly long string to the \"Get()\" method, an attacker may be\n\ - \t\t\t\table to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1689 - - - OSVDB - - "36164" - - - URL - - http://securityresponse.symantec.com/avcenter/security/Content/2007.05.16.html - path: extensions/metasploit/ - class: Msf_module -msf_ibmlotusdomino_dwa_uploadmodule: - enable: true - msf: true - msf_key: windows/browser/ibmlotusdomino_dwa_uploadmodule - name: IBM Lotus Domino Web Access Upload Module Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module.\n\ - \t\t\t\tBy sending an overly long string to the \"General_ServerName()\" property located\n\ - \t\t\t\tin the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4474 - - - OSVDB - - "40954" - - - BID - - "26972" - - - URL - - http://milw0rm.com/exploits/4820 - path: extensions/metasploit/ - class: Msf_module -msf_hp_loadrunner_addfolder: - enable: true - msf: true - msf_key: windows/browser/hp_loadrunner_addfolder - name: HP LoadRunner 9.0 ActiveX AddFolder Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Persits Software Inc's\n\ - \t\t\t\tXUpload ActiveX control(version 2.1.0.1) thats included in HP LoadRunner 9.0.\n\ - \t\t\t\tBy passing an overly long string to the AddFolder method, an attacker may be\n\ - \t\t\t\table to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-6530 - - - OSVDB - - "39901" - - - BID - - "27025" - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059296.html - path: extensions/metasploit/ - class: Msf_module -msf_ea_checkrequirements: - enable: true - msf: true - msf_key: windows/browser/ea_checkrequirements - name: Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl\n\ - \t\t\t\tActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long\n\ - \t\t\t\tstring to the CheckRequirements() method, an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4466 - - - OSVDB - - "37723" - path: extensions/metasploit/ - class: Msf_module -msf_ms06_057_webview_setslice: - enable: true - msf: true - msf_key: windows/browser/ms06_057_webview_setslice - name: Internet Explorer WebViewFolderIcon setSlice() Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a flaw in the WebViewFolderIcon ActiveX control\n\ - \t\t\tincluded with Windows 2000, Windows XP, and Windows 2003. This flaw was published\n\ - \t\t\tduring the Month of Browser Bugs project (MoBB #18).\n\ - \t\t\t" - authors: - - - CVE - - 2006-3730 - - - OSVDB - - "27110" - - - MSB - - MS06-057 - - - BID - - "19030" - - - URL - - http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html - path: extensions/metasploit/ - class: Msf_module -msf_sonicwall_addrouteentry: - enable: true - msf: true - msf_key: windows/browser/sonicwall_addrouteentry - name: SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\n\ - \t\t\t\tBy sending an overly long string to the \"AddRouteEntry()\" method located\n\ - \t\t\t\tin the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5603 - - - OSVDB - - "39069" - - - URL - - http://www.sec-consult.com/303.html - path: extensions/metasploit/ - class: Msf_module -msf_trendmicro_extsetowner: - enable: true - msf: true - msf_key: windows/browser/trendmicro_extsetowner - name: Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a remote code execution vulnerability in Trend Micro\n\ - \t\t\t\tInternet Security Pro 2010 ActiveX.\n\ - \t\t\t\tWhen sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3189 - - - OSVDB - - "67561" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-165/ - - - URL - - http://www.exploit-db.com/exploits/14878/ - path: extensions/metasploit/ - class: Msf_module -msf_mcafee_mcsubmgr_vsprintf: - enable: true - msf: true - msf_key: windows/browser/mcafee_mcsubmgr_vsprintf - name: McAfee Subscription Manager Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a flaw in the McAfee Subscription Manager ActiveX control.\n\ - \t\t\t\tDue to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by\n\ - \t\t\t\tpassing a large string to one of the COM-exposed routines, such as IsAppExpired.\n\ - \t\t\t\tThis vulnerability was discovered by Karl Lynn of eEye.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3961 - - - OSVDB - - "27698" - - - BID - - "19265" - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048565.html - path: extensions/metasploit/ - class: Msf_module -msf_ms09_043_owc_htmlurl: - enable: true - msf: true - msf_key: windows/browser/ms09_043_owc_htmlurl - name: Microsoft OWC Spreadsheet HTMLURL Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Microsoft's Office Web Components.\n\ - \t\t\t\tWhen passing an overly long string as the \"HTMLURL\" parameter an attacker can\n\ - \t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1534 - - - OSVDB - - "56916" - - - BID - - "35992" - - - MSB - - MS09-043 - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819 - path: extensions/metasploit/ - class: Msf_module -msf_communicrypt_mail_activex: - enable: true - msf: true - msf_key: windows/browser/communicrypt_mail_activex - name: CommuniCrypt Mail 1.16 SMTP ActiveX Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the ANSMTP.dll/AOSMTP.dll\n\ - \t\t\t\tActiveX Control provided by CommuniCrypt Mail 1.16. By sending a overly\n\ - \t\t\t\tlong string to the \"AddAttachments()\" method, an attacker may be able to\n\ - \t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "64839" - - - URL - - http://www.exploit-db.com/exploits/12663 - path: extensions/metasploit/ - class: Msf_module -msf_gom_openurl: - enable: true - msf: true - msf_key: windows/browser/gom_openurl - name: GOM Player ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in GOM Player 2.1.6.3499.\n\ - \t\t\t\tBy sending an overly long string to the \"OpenUrl()\" method located\n\ - \t\t\t\tin the GomWeb3.dll Control, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5779 - - - OSVDB - - "38282" - - - URL - - http://secunia.com/advisories/27418/ - path: extensions/metasploit/ - class: Msf_module -msf_facebook_extractiptc: - enable: true - msf: true - msf_key: windows/browser/facebook_extractiptc - name: Facebook Photo Uploader 4 ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Facebook Photo Uploader 4.\n\ - \t\t\t\tBy sending an overly long string to the \"ExtractIptc()\" property located\n\ - \t\t\t\tin the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-5711 - - - OSVDB - - "41073" - - - BID - - "27534" - - - URL - - http://milw0rm.com/exploits/5049 - path: extensions/metasploit/ - class: Msf_module -msf_ask_shortformat: - enable: true - msf: true - msf_key: windows/browser/ask_shortformat - name: Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.\n\ - \t\t\t\tAn attacker may be able to excute arbitrary code by sending an overly\n\ - \t\t\t\tlong string to the \"ShortFormat()\" method in askbar.dll.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5107 - - - OSVDB - - "37735" - - - URL - - http://wslabi.com/wabisabilabi/showBidInfo.do?code=ZD-00000148 - path: extensions/metasploit/ - class: Msf_module -msf_ibmegath_getxmlvalue: - enable: true - msf: true - msf_key: windows/browser/ibmegath_getxmlvalue - name: IBM Access Support ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in IBM Access Support. When\n\ - \t\t\t\tsending an overly long string to the GetXMLValue() method of IbmEgath.dll\n\ - \t\t\t\t(3.20.284.0) an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0215 - - - OSVDB - - "52958" - - - BID - - "34228" - path: extensions/metasploit/ - class: Msf_module -msf_apple_quicktime_smil_debug: - enable: true - msf: true - msf_key: windows/browser/apple_quicktime_smil_debug - name: Apple QuickTime 7.6.6 Invalid SMIL URI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Apple QuickTime\n\ - \t\t\t\t7.6.6. When processing a malformed SMIL uri, a stack-based buffer\n\ - \t\t\t\toverflow can occur when logging an error message.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1799 - - - OSVDB - - "66636" - - - BID - - "41962" - - - URL - - http://secunia.com/advisories/40729/ - - - URL - - http://support.apple.com/kb/HT4290 - path: extensions/metasploit/ - class: Msf_module -msf_novelliprint_executerequest_dbg: - enable: true - msf: true - msf_key: windows/browser/novelliprint_executerequest_dbg - name: Novell iPrint Client ActiveX Control ExecuteRequest debug Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in Novell iPrint Client 5.40.\n\ - \t\t\t\tWhen sending an overly long string to the 'debug' parameter in ExecuteRequest()\n\ - \t\t\t\tproperty of ienipp.ocx an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3106 - - - OSVDB - - "66960" - - - URL - - http://dvlabs.tippingpoint.com/advisory/TPTI-10-06 - - - URL - - http://www.exploit-db.com/exploits/15001/ - path: extensions/metasploit/ - class: Msf_module -msf_enjoysapgui_comp_download: - enable: true - msf: true - msf_key: windows/browser/enjoysapgui_comp_download - name: EnjoySAP SAP GUI ActiveX Control Arbitrary File Download - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\n\ - \t\t\t\tby abusing the \"Comp_Download\" method in the SAP KWEdit ActiveX Control (kwedit.dll 6400.1.1.41).\n\ - \t\t\t" - authors: - - - CVE - - 2008-4830 - - - OSVDB - - "53680" - - - URL - - http://dsecrg.com/files/pub/pdf/HITB%20-%20Attacking%20SAP%20Users%20with%20Sapsploit.pdf - path: extensions/metasploit/ - class: Msf_module -msf_ms08_078_xml_corruption: - enable: true - msf: true - msf_key: windows/browser/ms08_078_xml_corruption - name: Internet Explorer Data Binding Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a vulnerability in the data binding feature of Internet\n\ - \t\t\tExplorer. In order to execute code reliably, this module uses the .NET DLL\n\ - \t\t\tmemory technique pioneered by Alexander Sotirov and Mark Dowd. This method is\n\ - \t\t\tused to create a fake vtable at a known location with all methods pointing\n\ - \t\t\tto our payload. Since the .text segment of the .NET DLL is non-writable, a\n\ - \t\t\tprefixed code stub is used to copy the payload into a new memory segment and\n\ - \t\t\tcontinue execution from there.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4844 - - - OSVDB - - "50622" - - - BID - - "32721" - - - MSB - - MS08-078 - - - URL - - http://www.microsoft.com/technet/security/advisory/961051.mspx - - - URL - - http://taossa.com/archive/bh08sotirovdowd.pdf - path: extensions/metasploit/ - class: Msf_module -msf_ms10_018_ie_tabular_activex: - enable: true - msf: true - msf_key: windows/browser/ms10_018_ie_tabular_activex - name: Internet Explorer Tabular Data Control ActiveX Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a memory corruption vulnerability in the Internet Explorer\n\ - \t\t\t\tTabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet\n\ - \t\t\t\tExplorer are vulnerable.\n\n\ - \t\t\t\tBy specifying a long value as the \"DataURL\" parameter to this control, it is possible\n\ - \t\t\t\tto write a NUL byte outside the bounds of an array. By targeting control flow data\n\ - \t\t\t\ton the stack, an attacker can execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0805 - - - OSVDB - - "63329" - - - BID - - "39025" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-034 - - - MSB - - MS10-018 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_flashplayer_newfunction: - enable: true - msf: true - msf_key: windows/fileformat/adobe_flashplayer_newfunction - name: Adobe Flash Player "newfunction" Invalid Pointer Use - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the DoABC tag handling within\n\ - \t\t\t\tversions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n\ - \t\t\t\tvulnerable, as are any other applications that may embed Flash player.\n\n\ - \t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\n\ - \t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\n\ - \t\t\t\tthat the memory used by the invalid pointer issue is controlled.\n\n\ - \t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\n\ - \t\t\t\tadobe_libtiff module. This method is unlikely to work across various\n\ - \t\t\t\tWindows versions due a the hardcoded syscall number.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1297 - - - OSVDB - - "65141" - - - BID - - "40586" - - - URL - - http://www.adobe.com/support/security/advisories/apsa10-01.html - - - URL - - http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/ - path: extensions/metasploit/ - class: Msf_module -msf_verypdf_pdfview: - enable: true - msf: true - msf_key: windows/browser/verypdf_pdfview - name: VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThe VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow\n\ - \t\t\t\tbecause it fails to properly bounds-check user-supplied data before copying\n\ - \t\t\t\tit into an insufficiently sized memory buffer. An attacker can exploit this issue\n\ - \t\t\t\tto execute arbitrary code within the context of the affected application.\n\ - \t\t\t" - authors: - - - CVE - - 2008-5492 - - - OSVDB - - "49871" - - - BID - - "32313" - path: extensions/metasploit/ - class: Msf_module -msf_symantec_appstream_unsafe: - enable: true - msf: true - msf_key: windows/browser/symantec_appstream_unsafe - name: Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability\n\ - \t\t\t\tis in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the \"installAppMgr()\"\n\ - \t\t\t\tmethod. The insecure method can be exploited to download and execute arbitrary files in the\n\ - \t\t\t\tcontext of the currently logged-on user.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4388 - - - OSVDB - - "51410" - path: extensions/metasploit/ - class: Msf_module -msf_realplayer_import: - enable: true - msf: true - msf_key: windows/browser/realplayer_import - name: RealPlayer ierpplug.dll ActiveX Control Playlist Name Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in RealOne Player V2 Gold Build 6.0.11.853 and\n\ - \t\t\t\tRealPlayer 10.5 Build 6.0.12.1483. By sending an overly long string to the \"Import()\"\n\ - \t\t\t\tmethod, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5601 - - - OSVDB - - "41430" - - - BID - - "26130" - path: extensions/metasploit/ - class: Msf_module -msf_ms03_020_ie_objecttype: - enable: true - msf: true - msf_key: windows/browser/ms03_020_ie_objecttype - name: MS03-020 Internet Explorer Object Type - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in Internet Explorer's\n\ - \t\t\t\thandling of the OBJECT type attribute.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0344 - - - OSVDB - - "2967" - - - BID - - "7806" - - - MSB - - MS03-020 - path: extensions/metasploit/ - class: Msf_module -msf_ms10_042_helpctr_xss_cmd_exec: - enable: true - msf: true - msf_key: windows/browser/ms10_042_helpctr_xss_cmd_exec - name: Microsoft Help Center XSS and Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tHelp and Support Center is the default application provided to access online\n\ - \t\t\t\tdocumentation for Microsoft Windows. Microsoft supports accessing help documents\n\ - \t\t\t\tdirectly via URLs by installing a protocol handler for the scheme \"hcp\". Due to\n\ - \t\t\t\tan error in validation of input to hcp:// combined with a local cross site\n\ - \t\t\t\tscripting vulnerability and a specialized mechanism to launch the XSS trigger,\n\ - \t\t\t\tarbitrary command execution can be achieved.\n\n\ - \t\t\t\tOn IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\n\ - \t\t\t\tcan be used to launch the exploit automatically. If IE8 and WMP11, either can\n\ - \t\t\t\tbe used to launch the attack, but both pop dialog boxes asking the user if\n\ - \t\t\t\texecution should continue. This exploit detects if non-intrusive mechanisms are\n\ - \t\t\t\tavailable and will use one if possible. In the case of both IE8 and WMP11, the\n\ - \t\t\t\texploit defaults to using an iframe on IE8, but is configurable by setting the\n\ - \t\t\t\tDIALOGMECH option to \"none\" or \"player\".\n\ - \t\t\t" - authors: - - - CVE - - 2010-1885 - - - OSVDB - - "65264" - - - URL - - http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY - - - URL - - http://www.microsoft.com/technet/security/advisory/2219475.mspx - - - MSB - - MS10-042 - path: extensions/metasploit/ - class: Msf_module -msf_ultraoffice_httpupload: - enable: true - msf: true - msf_key: windows/browser/ultraoffice_httpupload - name: Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in Ultra Shareware's Office\n\ - \t\t\t\tControl. When processing the 'HttpUpload' method, the arguments are concatenated\n\ - \t\t\t\ttogether to form a command line to run a bundled version of cURL. If the command\n\ - \t\t\t\tfails to run, a stack-based buffer overflow occurs when building the error\n\ - \t\t\t\tmessage. This is due to the use of sprintf() without proper bounds checking.\n\n\ - \t\t\t\tNOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n\ - \t\t\t\tinto memory unmodified.\n\ - \t\t\t" - authors: - - - CVE - - 2008-3878 - - - OSVDB - - "47866" - - - BID - - "30861" - - - URL - - http://www.exploit-db.com/exploits/6318 - path: extensions/metasploit/ - class: Msf_module -msf_awingsoft_winds3d_sceneurl: - enable: true - msf: true - msf_key: windows/browser/awingsoft_winds3d_sceneurl - name: AwingSoft Winds3D Player 3.5 SceneURL Download and Execute - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an untrusted program execution vulnerability within the\n\ - \t\t\t\tWinds3D Player from AwingSoft. The Winds3D Player is a browser plugin for\n\ - \t\t\t\tIE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'\n\ - \t\t\t\tparameter to the URL to an executable, an attacker can execute arbitrary\n\ - \t\t\t\tcode.\n\n\ - \t\t\t\tTesting was conducted using plugin version 3.5.0.9 for Firefox 3.5 and\n\ - \t\t\t\tIE 8 on Windows XP SP3.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4850 - - - OSVDB - - "60049" - path: extensions/metasploit/ - class: Msf_module -msf_hyleos_chemviewx_activex: - enable: true - msf: true - msf_key: windows/browser/hyleos_chemviewx_activex - name: Hyleos ChemView ActiveX Control Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos\n\ - \t\t\t\tChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods\n\ - \t\t\t\twith an overly long first argument, an attacker can overrun a buffer and execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0679 - - - OSVDB - - "62276" - - - URL - - http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf - - - URL - - http://www.exploit-db.com/exploits/11422/ - path: extensions/metasploit/ - class: Msf_module -msf_wmi_admintools: - enable: true - msf: true - msf_key: windows/browser/wmi_admintools - name: Microsoft WMI Administration Tools ActiveX Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a memory trust issue in the Microsoft WMI\n\ - \t\t\t\tAdministration tools ActiveX control. When processing a specially crafted\n\ - \t\t\t\tHTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat\n\ - \t\t\t\tthe 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods\n\ - \t\t\t\tas a trusted pointer. It makes an indirect call via this pointer which leads\n\ - \t\t\t\tto arbitrary code execution.\n\n\ - \t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\ - \t\t\t\t.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n\ - \t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\ - \t\t\t\tversions.\n\n\ - \t\t\t\tThe WMI Adminsitrative Tools are a standalone download & install (linked in the\n\ - \t\t\t\treferences).\n\n\ - \t\t\t" - authors: - - - OSVDB - - "69942" - - - CVE - - 2010-3973 - - - BID - - "45546" - - - URL - - http://wooyun.org/bug.php?action=view&id=1006 - - - URL - - http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf - - - URL - - http://secunia.com/advisories/42693 - - - URL - - http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314 - path: extensions/metasploit/ - class: Msf_module -msf_realplayer_console: - enable: true - msf: true - msf_key: windows/browser/realplayer_console - name: RealPlayer rmoc3260.dll ActiveX Control Heap Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a heap corruption vulnerability in the RealPlayer ActiveX control.\n\ - \t\t\t\tBy sending a specially crafted string to the 'Console' property\n\ - \t\t\t\tin the rmoc3260.dll control, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1309 - - - OSVDB - - "42946" - - - BID - - "28157" - - - URL - - http://secunia.com/advisories/29315/ - path: extensions/metasploit/ - class: Msf_module -msf_mozilla_nstreerange: - enable: true - msf: true - msf_key: windows/browser/mozilla_nstreerange - name: Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a code execution vulnerability in Mozilla Firefox\n\ - \t\t\t\t3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n\ - \t\t\t\tBy overwriting a subfunction of invalidateSelection it is possible to free the \n\ - \t\t\t\tnsTreeRange object that the function currently operates on. \n\ - \t\t\t\tAny further operations on the freed object can result in remote code execution.\n\ - \t\t\t\tUtilizing the call setup the function provides it's possible to bypass DEP\n\ - \t\t\t\twithout the need for a ROP. Sadly this exploit is still either dependent\n\ - \t\t\t\ton Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n\ - \t\t\t\tmodules anymore.\n\ - \t\t\t" - authors: - - - CVE - - 2011-0073 - - - OSVDB - - "72087" - - - BID - - "47663" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-11-157/ - - - URL - - https://bugzilla.mozilla.org/show_bug.cgi?id=630919 - - - URL - - http://www.mozilla.org/security/announce/2011/mfsa2011-13.html - path: extensions/metasploit/ - class: Msf_module -msf_ms09_072_style_object: - enable: true - msf: true - msf_key: windows/browser/ms09_072_style_object - name: Internet Explorer Style getElementsByTagName Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a vulnerability in the getElementsByTagName function\n\ - \t\t\tas implemented within Internet Explorer.\n\ - \t\t\t" - authors: - - - MSB - - MS09-072 - - - CVE - - 2009-3672 - - - OSVDB - - "50622" - - - BID - - "37085" - - - URL - - http://www.microsoft.com/technet/security/advisory/977981.mspx - - - URL - - http://taossa.com/archive/bh08sotirovdowd.pdf - path: extensions/metasploit/ - class: Msf_module -msf_ms08_053_mediaencoder: - enable: true - msf: true - msf_key: windows/browser/ms08_053_mediaencoder - name: Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Windows Media Encoder 9. When\n\ - \t\t\t\tsending an overly long string to the GetDetailsString() method of wmex.dll\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-3008 - - - OSVDB - - "47962" - - - BID - - "31065" - - - MSB - - MS08-053 - path: extensions/metasploit/ - class: Msf_module -msf_greendam_url: - enable: true - msf: true - msf_key: windows/browser/greendam_url - name: Green Dam URL Processing Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in Green Dam Youth Escort\n\ - \t\t\t\tversion 3.17 in the way it handles overly long URLs.\n\ - \t\t\t\tBy setting an overly long URL, an attacker can overrun a buffer and execute\n\ - \t\t\t\tarbitrary code. This module uses the .NET DLL memory technique by Alexander\n\ - \t\t\t\tSotirov and Mark Dowd and should bypass DEP, NX and ASLR.\n\ - \t\t\t" - authors: - - - OSVDB - - "55126" - - - URL - - http://www.cse.umich.edu/~jhalderm/pub/gd/ - - - URL - - http://www.milw0rm.com/exploits/8938 - - - URL - - http://taossa.com/archive/bh08sotirovdowd.pdf - path: extensions/metasploit/ - class: Msf_module -msf_ie_unsafe_scripting: - enable: true - msf: true - msf_key: windows/browser/ie_unsafe_scripting - name: Internet Explorer Unsafe Scripting Misconfiguration - category: Metasploit - description: "\n\ - \t\t\t\tThis exploit takes advantage of the \"Initialize and script ActiveX controls not\n\ - \t\t\tmarked safe for scripting\" setting within Internet Explorer. When this option is set,\n\ - \t\t\tIE allows access to the WScript.Shell ActiveX control, which allows javascript to\n\ - \t\t\tinteract with the file system and run commands. This security flaw is not uncommon\n\ - \t\t\tin corporate environments for the 'Intranet' or 'Trusted Site' zones. In order to\n\ - \t\t\tsave binary data to the file system, ADODB.Stream access is required, which in IE7\n\ - \t\t\twill trigger a cross domain access violation. As such, we write the code to a .vbs\n\ - \t\t\tfile and execute it from there, where no such restrictions exist.\n\n\ - \t\t\t\tWhen set via domain policy, the most common registry entry to modify is HKLM\\\n\ - \t\t\tSoftware\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\1201,\n\ - \t\t\twhich if set to '0' forces ActiveX controls not marked safe for scripting to be\n\ - \t\t\tenabled for the Intranet zone.\n\n\ - \t\t\t\tThis module creates a javascript/html hybrid that will render correctly either\n\ - \t\t\tvia a direct GET http://msf-server/ or as a javascript include, such as in:\n\ - \t\t\thttp://intranet-server/xss.asp?id=\">\n\ - \t\t\t.\n\ - \t\t\t" - authors: - - - URL - - http://support.microsoft.com/kb/182569 - - - URL - - http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html - path: extensions/metasploit/ - class: Msf_module -msf_ms09_043_owc_msdso: - enable: true - msf: true - msf_key: windows/browser/ms09_043_owc_msdso - name: Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a memory corruption vulnerability within versions 10 and 11 of\n\ - \t\t\t\tthe Office Web Component Spreadsheet ActiveX control. This module was based on\n\ - \t\t\t\tan exploit found in the wild.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1136 - - - OSVDB - - "55806" - - - MSB - - MS09-043 - - - URL - - http://ahmed.obied.net/software/code/exploits/ie_owc.py - - - URL - - http://www.exploit-db.com/exploits/9163/ - - - URL - - http://www.microsoft.com/technet/security/advisory/973472.mspx - path: extensions/metasploit/ - class: Msf_module -msf_ms11_003_ie_css_import: - enable: true - msf: true - msf_key: windows/browser/ms11_003_ie_css_import - name: Internet Explorer CSS Recursive Import Use After Free - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a memory corruption vulnerability within Microsoft\\'s\n\ - \t\t\t\tHTML engine (mshtml). When parsing an HTML page containing a recursive CSS\n\ - \t\t\t\timport, a C++ object is deleted and later reused. This leads to arbitrary\n\ - \t\t\t\tcode execution.\n\n\ - \t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\ - \t\t\t\t.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not\n\ - \t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\ - \t\t\t\tversions with .NET 2.0.50727 installed.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3971 - - - OSVDB - - "69796" - - - BID - - "45246" - - - URL - - http://www.microsoft.com/technet/security/advisory/2488013.mspx - - - URL - - http://www.wooyun.org/bugs/wooyun-2010-0885 - - - URL - - http://seclists.org/fulldisclosure/2010/Dec/110 - - - URL - - http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf - - - URL - - http://www.breakingpointsystems.com/community/blog/ie-vulnerability/ - - - MSB - - MS11-003 - path: extensions/metasploit/ - class: Msf_module -msf_creative_software_cachefolder: - enable: true - msf: true - msf_key: windows/browser/creative_software_cachefolder - name: Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When\n\ - \t\t\t\tsending an overly long string to the cachefolder() property of CTSUEng.ocx\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0955 - - - OSVDB - - "45655" - path: extensions/metasploit/ - class: Msf_module -msf_webex_ucf_newobject: - enable: true - msf: true - msf_key: windows/browser/webex_ucf_newobject - name: WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in WebEx's WebexUCFObject\n\ - \t\t\t\tActiveX Control. If an long string is passed to the 'NewObject' method, a stack-\n\ - \t\t\t\tbased buffer overflow will occur when copying attacker-supplied data using the\n\ - \t\t\t\tsprintf function.\n\n\ - \t\t\t\tIt is noteworthy that this vulnerability was discovered and reported by multiple\n\ - \t\t\t\tindependent researchers. To quote iDefense's advisory, \"Before this issue was\n\ - \t\t\t\tpublicly reported, at least three independent security researchers had knowledge\n\ - \t\t\t\tof this issue; thus, it is reasonable to believe that even more people were aware\n\ - \t\t\t\tof this issue before disclosure.\"\n\n\ - \t\t\t\tNOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n\ - \t\t\t\tinto memory unmodified.\n\ - \t\t\t" - authors: - - - CVE - - 2008-3558 - - - OSVDB - - "47344" - - - BID - - "30578" - - - URL - - http://www.exploit-db.com/exploits/6220 - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849 - - - URL - - http://www.trapkit.de/advisories/TKADV2008-009.txt - - - URL - - http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html - - - URL - - http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html - - - URL - - http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml - path: extensions/metasploit/ - class: Msf_module -msf_winamp_playlist_unc: - enable: true - msf: true - msf_key: windows/browser/winamp_playlist_unc - name: Winamp Playlist UNC Path Computer Name Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the Winamp media player.\n\ - \t\t\t\tThis flaw is triggered when a audio file path is specified, inside a\n\ - \t\t\t\tplaylist, that consists of a UNC path with a long computer name. This\n\ - \t\t\t\tmodule delivers the playlist via the browser. This module has only\n\ - \t\t\t\tbeen successfully tested on Winamp 5.11 and 5.12.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0476 - - - OSVDB - - "22789" - - - BID - - "16410" - path: extensions/metasploit/ - class: Msf_module -msf_real_arcade_installerdlg: - enable: true - msf: true - msf_key: windows/browser/real_arcade_installerdlg - name: Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in Real Networks Acrade Game's ActiveX control. The \"exec\"\n\ - \t\t\t\tfunction found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands\n\ - \t\t\t\ton the victim machine.\n\ - \t\t\t" - authors: - - - OSVDB - - "71559" - - - URL - - http://www.exploit-db.com/exploits/17105/ - path: extensions/metasploit/ - class: Msf_module -msf_apple_quicktime_marshaled_punk: - enable: true - msf: true - msf_key: windows/browser/apple_quicktime_marshaled_punk - name: Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a memory trust issue in Apple QuickTime\n\ - \t\t\t\t7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX\n\ - \t\t\t\tcontrol will treat a supplied parameter as a trusted pointer. It will\n\ - \t\t\t\tthen use it as a COM-type pUnknown and lead to arbitrary code execution.\n\n\ - \t\t\t\tThis exploit utilizes a combination of heap spraying and the\n\ - \t\t\t\tQuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not\n\ - \t\t\t\topt-in to ASLR. As such, this module should be reliable on all Windows\n\ - \t\t\t\tversions.\n\n\ - \t\t\t\tNOTE: The addresses may need to be adjusted for older versions of QuickTime.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1818 - - - OSVDB - - "67705" - - - URL - - http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1 - path: extensions/metasploit/ - class: Msf_module -msf_novelliprint_executerequest: - enable: true - msf: true - msf_key: windows/browser/novelliprint_executerequest - name: Novell iPrint Client ActiveX Control ExecuteRequest Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 4.26. When\n\ - \t\t\t\tsending an overly long string to the ExecuteRequest() property of ienipp.ocx\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0935 - - - OSVDB - - "42063" - - - BID - - "27939" - path: extensions/metasploit/ - class: Msf_module -msf_ms06_013_createtextrange: - enable: true - msf: true - msf_key: windows/browser/ms06_013_createtextrange - name: Internet Explorer createTextRange() Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft Internet Explorer.\n\ - \t\t\t\tBoth IE6 and IE7 (Beta 2) are vulnerable. It will corrupt memory in a way, which, under\n\ - \t\t\t\tcertain circumstances, can lead to an invalid/corrupt table pointer dereference. EIP will point\n\ - \t\t\t\tto a very remote, non-existent memory location. This module is the result of merging three\n\ - \t\t\t\tdifferent exploit submissions and has only been reliably tested against Windows XP SP2.\n\ - \t\t\t\tThis vulnerability was independently discovered by multiple parties. The heap spray method\n\ - \t\t\t\tused by this exploit was pioneered by Skylined.\n\ - \t\t\t" - authors: - - - CVE - - 2006-1359 - - - OSVDB - - "24050" - - - MSB - - MS06-013 - - - BID - - "17196" - - - US-CERT-VU - - "876678" - - - URL - - http://secunia.com/secunia_research/2006-7/advisory/ - - - URL - - http://seclists.org/lists/bugtraq/2006/Mar/0410.html - - - URL - - http://seclists.org/lists/fulldisclosure/2006/Mar/1439.html - - - URL - - http://www.shog9.com/crashIE.html - path: extensions/metasploit/ - class: Msf_module -msf_ms06_001_wmf_setabortproc: - enable: true - msf: true - msf_key: windows/browser/ms06_001_wmf_setabortproc - name: Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the GDI library included with\n\ - \t\t\t\tWindows XP and 2003. This vulnerability uses the 'Escape' metafile function\n\ - \t\t\t\tto execute arbitrary code through the SetAbortProc procedure. This module\n\ - \t\t\t\tgenerates a random WMF record stream for each request.\n\ - \t\t\t" - authors: - - - CVE - - 2005-4560 - - - OSVDB - - "21987" - - - MSB - - MS06-001 - - - BID - - "16074" - - - URL - - http://www.microsoft.com/technet/security/advisory/912840.mspx - - - URL - - http://wvware.sourceforge.net/caolan/ora-wmf.html - - - URL - - http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt - path: extensions/metasploit/ - class: Msf_module -msf_enjoysapgui_preparetoposthtml: - enable: true - msf: true - msf_key: windows/browser/enjoysapgui_preparetoposthtml - name: EnjoySAP SAP GUI ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in SAP KWEdit ActiveX\n\ - \t\t\t\tControl (kwedit.dll 6400.1.1.41) provided by EnjoySAP GUI. By sending\n\ - \t\t\t\tan overly long string to the \"PrepareToPostHTML()\" method, an attacker\n\ - \t\t\t\tmay be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3605 - - - OSVDB - - "37690" - - - BID - - "24772" - path: extensions/metasploit/ - class: Msf_module -msf_ms07_017_ani_loadimage_chunksize: - enable: true - msf: true - msf_key: windows/email/ms07_017_ani_loadimage_chunksize - name: Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP) - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a buffer overflow vulnerability in the\n\ - \t\t\t\tLoadAniIcon() function of USER32.dll. The flaw is triggered\n\ - \t\t\t\tthrough Outlook Express by using the CURSOR style sheet\n\ - \t\t\t\tdirective to load a malicious .ANI file.\n\n\ - \t\t\t\tThis vulnerability was discovered by Alexander Sotirov of Determina\n\ - \t\t\t\tand was rediscovered, in the wild, by McAfee.\n\ - \t\t\t" - authors: - - - MSB - - MS07-017 - - - CVE - - 2007-0038 - - - CVE - - 2007-1765 - - - OSVDB - - "33629" - - - BID - - "23194" - - - URL - - http://www.microsoft.com/technet/security/advisory/935423.mspx - - - URL - - http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp - - - URL - - http://www.determina.com/security.research/vulnerabilities/ani-header.html - path: extensions/metasploit/ - class: Msf_module -msf_adobe_cooltype_sing: - enable: true - msf: true - msf_key: windows/fileformat/adobe_cooltype_sing - name: Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n\ - \t\t\t\thandling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are\n\ - \t\t\t\tassumed to be vulnerable as well.\n\ - \t\t\t" - authors: - - - CVE - - 2010-2883 - - - OSVDB - - "67849" - - - URL - - http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html - - - URL - - http://www.adobe.com/support/security/advisories/apsa10-02.html - path: extensions/metasploit/ - class: Msf_module -msf_nis2004_antispam: - enable: true - msf: true - msf_key: windows/browser/nis2004_antispam - name: Norton AntiSpam 2004 SymSpamHelper ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Norton AntiSpam 2004. When\n\ - \t\t\t\tsending an overly long string to the LaunchCustomRuleWizard() method\n\ - \t\t\t\tof symspam.dll (2004.1.0.147) an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0363 - - - OSVDB - - "6249" - - - BID - - "9916" - path: extensions/metasploit/ - class: Msf_module -msf_symantec_altirisdeployment_downloadandinstall: - enable: true - msf: true - msf_key: windows/browser/symantec_altirisdeployment_downloadandinstall - name: Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows remote attackers to install and execute arbitrary files on a users file system via\n\ - \t\t\t\tAeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.\n\ - \t\t\t" - authors: - - - BID - - "36346" - - - CVE - - 2009-3028 - - - OSVDB - - "57893" - path: extensions/metasploit/ - class: Msf_module -msf_softartisans_getdrivename: - enable: true - msf: true - msf_key: windows/browser/softartisans_getdrivename - name: SoftArtisans XFile FileManager ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control\n\ - \t\t\t\t(SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1682 - - - OSVDB - - "47794" - - - US-CERT-VU - - "914785" - - - BID - - "30826" - path: extensions/metasploit/ - class: Msf_module -msf_apple_quicktime_rtsp: - enable: true - msf: true - msf_key: windows/browser/apple_quicktime_rtsp - name: Apple QuickTime 7.1.3 RTSP URI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Apple QuickTime\n\ - \t\t\t\t7.1.3. This module was inspired by MOAB-01-01-2007. The\n\ - \t\t\t\tBrowser target for this module was tested against IE 6 and\n\ - \t\t\t\tFirefox 1.5.0.3 on Windows XP SP0/2; Firefox 3 blacklists the\n\ - \t\t\t\tQuickTime plugin.\n\ - \t\t\t" - authors: - - - CVE - - 2007-0015 - - - OSVDB - - "31023" - - - BID - - "21829" - - - URL - - http://projects.info-pull.com/moab/MOAB-01-01-2007.html - path: extensions/metasploit/ - class: Msf_module -msf_novelliprint_getdriversettings_2: - enable: true - msf: true - msf_key: windows/browser/novelliprint_getdriversettings_2 - name: Novell iPrint Client ActiveX Control <= 5.52 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 5.52. When\n\ - \t\t\t\tsending an overly long string to the GetDriverSettings() property of ienipp.ocx\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-4321 - - - BID - - "44966" - - - OSVDB - - "69357" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-256/ - - - URL - - http://www.exploit-db.com/exploits/16014/ - - - URL - - http://www.novell.com/support/viewContent.do?externalId=7007234 - path: extensions/metasploit/ - class: Msf_module -msf_ca_brightstor_addcolumn: - enable: true - msf: true - msf_key: windows/browser/ca_brightstor_addcolumn - name: CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThe CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based\n\ - \t\t\t\tbuffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker\n\ - \t\t\t\tcould overflow a buffer and execute arbitrary code on the system.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1472 - - - OSVDB - - "43214" - path: extensions/metasploit/ - class: Msf_module -msf_symantec_consoleutilities_browseandsavefile: - enable: true - msf: true - msf_key: windows/browser/symantec_consoleutilities_browseandsavefile - name: Symantec ConsoleUtilities ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Symantecs ConsoleUtilities.\n\ - \t\t\t\tBy sending an overly long string to the \"BrowseAndSaveFile()\" method located\n\ - \t\t\t\tin the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to\n\ - \t\t\t\texecute arbitrary code\n\ - \t\t\t" - authors: - - - CVE - - 2009-3031 - - - OSVDB - - "59597" - - - BID - - "36698" - - - URL - - http://sotiriu.de/adv/NSOADV-2009-001.txt - - - URL - - http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00 - path: extensions/metasploit/ - class: Msf_module -msf_yahoomessenger_fvcom: - enable: true - msf: true - msf_key: windows/browser/yahoomessenger_fvcom - name: Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Yahoo! Messenger ActiveX\n\ - \t\t\t\tControl (YVerInfo.dll <= 2006.8.24.1). By sending a overly long string\n\ - \t\t\t\tto the \"fvCom()\" method from a yahoo.com domain, an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4515 - - - OSVDB - - "37739" - - - BID - - "25494" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=591 - path: extensions/metasploit/ - class: Msf_module -msf_aol_ampx_convertfile: - enable: true - msf: true - msf_key: windows/browser/aol_ampx_convertfile - name: AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in AOL IWinAmpActiveX\n\ - \t\t\t\tclass (AmpX.dll) version 2.4.0.6 installed via AOL Radio website.\n\ - \t\t\t\tBy setting an overly long value to 'ConvertFile()', an attacker can overrun\n\ - \t\t\t\ta buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "54706" - - - BID - - "35028" - - - URL - - http://www.milw0rm.com/exploits/8733 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_utilprintf: - enable: true - msf: true - msf_key: windows/fileformat/adobe_utilprintf - name: Adobe util.printf() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional\n\ - \t\t\t\t< 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()\n\ - \t\t\t\tentry, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2992 - - - OSVDB - - "49520" - path: extensions/metasploit/ - class: Msf_module -msf_macrovision_downloadandexecute: - enable: true - msf: true - msf_key: windows/browser/macrovision_downloadandexecute - name: Macrovision InstallShield Update Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Macrovision InstallShield Update\n\ - \t\t\t\tService(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to\n\ - \t\t\t\tthe DownloadAndExecute method, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5660 - - - OSVDB - - "38347" - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059288.html - path: extensions/metasploit/ - class: Msf_module -msf_webdav_dll_hijacker: - enable: true - msf: true - msf_key: windows/browser/webdav_dll_hijacker - name: WebDAV Application DLL Hijacker - category: Metasploit - description: "\n\ - \t\t\t\tThis module presents a directory of file extensions that can lead to\n\ - \t\t\tcode execution when opened from the share. The default EXTENSIONS option\n\ - \t\t\tmust be configured to specify a vulnerable application type.\n\ - \t\t\t" - authors: - - - URL - - http://blog.zoller.lu/2010/08/cve-2010-xn-loadlibrarygetprocaddress.html - - - URL - - http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt - path: extensions/metasploit/ - class: Msf_module -msf_adobe_flatedecode_predictor02: - enable: true - msf: true - msf_key: windows/fileformat/adobe_flatedecode_predictor02 - name: Adobe FlateDecode Stream Predictor 02 Integer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an integer overflow vulnerability in Adobe Reader and Adobe\n\ - \t\t\t\tAcrobat Professional versions before 9.2.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3459 - - - BID - - "36600" - - - OSVDB - - "58729" - - - URL - - http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html - - - URL - - http://www.adobe.com/support/security/bulletins/apsb09-15.html - - - URL - - http://www.fortiguard.com/analysis/pdfanalysis.html - path: extensions/metasploit/ - class: Msf_module -msf_winamp_ultravox: - enable: true - msf: true - msf_key: windows/browser/winamp_ultravox - name: Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Winamp 5.24. By\n\ - \t\t\t\tsending an overly long artist tag, a remote attacker may\n\ - \t\t\t\tbe able to execute arbitrary code. This vulnerability can be\n\ - \t\t\t\texploited from the browser or the winamp client itself.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0065 - - - OSVDB - - "41707" - - - BID - - "27344" - path: extensions/metasploit/ - class: Msf_module -msf_baofeng_storm_onbeforevideodownload: - enable: true - msf: true - msf_key: windows/browser/baofeng_storm_onbeforevideodownload - name: BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX\n\ - \t\t\t\tcontrol. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing\n\ - \t\t\t\tan overly long string to the method \"OnBeforeVideoDownload\" an attacker can execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1612 - - - OSVDB - - "54169" - - - BID - - "34789" - - - URL - - http://www.exploit-db.com/exploits/8579 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_media_newplayer: - enable: true - msf: true - msf_key: windows/fileformat/adobe_media_newplayer - name: Adobe Doc.media.newPlayer Use After Free Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat\n\ - \t\t\t\tProfessional versions up to and including 9.2.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4324 - - - BID - - "37331" - - - OSVDB - - "60980" - path: extensions/metasploit/ - class: Msf_module -msf_oracle_dc_submittoexpress: - enable: true - msf: true - msf_key: windows/browser/oracle_dc_submittoexpress - name: Oracle Document Capture 10g ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\n\ - \t\t\t\tOracle Document Capture 10g comes bundled with a third party ActiveX control\n\ - \t\t\t\temsmtp.dll (6.0.1.0). When passing a overly long string to the method \"SubmitToExpress\"\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4607 - - - OSVDB - - "38335" - - - BID - - "25467" - - - US-CERT-VU - - "281977" - path: extensions/metasploit/ - class: Msf_module -msf_ms08_070_visual_studio_msmask: - enable: true - msf: true - msf_key: windows/browser/ms08_070_visual_studio_msmask - name: Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0.\n\ - \t\t\t\tWhen passing a specially crafted string to the Mask parameter of the\n\ - \t\t\t\tMsmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary\n\ - \t\t\t\tcode.\n\ - \t\t\t" - authors: - - - CVE - - 2008-3704 - - - OSVDB - - "47475" - - - BID - - "30674" - - - MSB - - MS08-070 - path: extensions/metasploit/ - class: Msf_module -msf_macrovision_unsafe: - enable: true - msf: true - msf_key: windows/browser/macrovision_unsafe - name: Macrovision InstallShield Update Service ActiveX Unsafe Method - category: Metasploit - description: "\n\ - \t\t\t\tThis module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5660 - - - OSVDB - - "38347" - - - BID - - "26280" - path: extensions/metasploit/ - class: Msf_module -msf_nctaudiofile2_setformatlikesample: - enable: true - msf: true - msf_key: windows/browser/nctaudiofile2_setformatlikesample - name: NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX\n\ - \t\t\t\tControl provided by various audio applications. By sending a overly long\n\ - \t\t\t\tstring to the \"SetFormatLikeSample()\" method, an attacker may be able to\n\ - \t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-0018 - - - OSVDB - - "32032" - - - BID - - "22196" - - - US-CERT-VU - - "292713" - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2007-May/062911.html - path: extensions/metasploit/ - class: Msf_module -msf_ms10_022_ie_vbscript_winhlp32: - enable: true - msf: true - msf_key: windows/browser/ms10_022_ie_vbscript_winhlp32 - name: Internet Explorer Winhlp32.exe MsgBox Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution vulnerability that occurs when a user\n\ - \t\t\t\tpresses F1 on MessageBox originated from VBscript within a web page. When the\n\ - \t\t\t\tuser hits F1, the MessageBox help functionaility will attempt to load and use\n\ - \t\t\t\ta HLP file from an SMB or WebDAV (if the WebDAV redirector is enabled) server.\n\n\ - \t\t\t\tThis particular version of the exploit implements a WebDAV server that will\n\ - \t\t\t\tserve HLP file as well as a payload EXE. During testing warnings about the\n\ - \t\t\t\tpayload EXE being unsigned were witnessed. A future version of this module\n\ - \t\t\t\tmight use other methods that do not create such a warning.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0483 - - - OSVDB - - "62632" - - - MSB - - MS10-023 - - - URL - - http://www.microsoft.com/technet/security/advisory/981169.mspx - - - URL - - http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx - - - URL - - http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt - path: extensions/metasploit/ - class: Msf_module -msf_sapgui_saveviewtosessionfile: - enable: true - msf: true - msf_key: windows/browser/sapgui_saveviewtosessionfile - name: SAP AG SAPgui EAI WebViewer3D Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Siemens Unigraphics Solutions\n\ - \t\t\t\tTeamcenter Visualization EAI WebViewer3D ActiveX control that is bundled\n\ - \t\t\t\twith SAPgui. When passing an overly long string the SaveViewToSessionFile()\n\ - \t\t\t\tmethod, arbitrary code may be executed.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4475 - - - OSVDB - - "53066" - - - US-CERT-VU - - "985449" - path: extensions/metasploit/ - class: Msf_module -msf_lpviewer_url: - enable: true - msf: true - msf_key: windows/browser/lpviewer_url - name: iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When\n\ - \t\t\t\tsending an overly long string to the URL() property an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4384 - - - OSVDB - - "48946" - - - US-CERT-VU - - "848873" - - - BID - - "31604" - path: extensions/metasploit/ - class: Msf_module -msf_amaya_bdo: - enable: true - msf: true - msf_key: windows/browser/amaya_bdo - name: Amaya Browser v11.0 bdo tag overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Amaya v11 Browser.\n\ - \t\t\t\t\tBy sending an overly long string to the \"bdo\"\n\ - \t\t\t\t\ttag, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0323 - - - OSVDB - - "55721" - - - BID - - 33046, 33047 - path: extensions/metasploit/ - class: Msf_module -msf_xmplay_asx: - enable: true - msf: true - msf_key: windows/browser/xmplay_asx - name: XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in XMPlay 3.3.0.4.\n\ - \t\t\t\tThe vulnerability is caused due to a boundary error within\n\ - \t\t\t\tthe parsing of playlists containing an overly long file name.\n\ - \t\t\t\tThis module uses the ASX file format.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6063 - - - OSVDB - - "30537" - - - BID - - "21206" - - - URL - - http://secunia.com/advisories/22999/ - path: extensions/metasploit/ - class: Msf_module -msf_java_basicservice_impl: - enable: true - msf: true - msf_key: windows/browser/java_basicservice_impl - name: Sun Java Web Start BasicServiceImpl Remote Code Execution Exploit - category: Metasploit - description: "\n\ - \t\t\tThis module exploits a vulnerability in Java Runtime Environment\n\ - \t\t\tthat allows an attacker to escape the Java Sandbox. By injecting\n\ - \t\t\ta parameter into a javaws call within the BasicServiceImpl class\n\ - \t\t\tthe default java sandbox policy file can be therefore overwritten.\n\ - \t\t\tThe vulnerability affects version 6 prior to update 22.\n\n\ - \t\t\tNOTE: Exploiting this vulnerability causes several sinister-looking\n\ - \t\t\tpopup windows saying that Java is \"Downloading application.\"\n\ - \t\t\t" - authors: - - - CVE - - 2010-3563 - - - OSVDB - - "69043" - - - URL - - http://mk41ser.blogspot.com - path: extensions/metasploit/ - class: Msf_module -msf_cisco_anyconnect_exec: - enable: true - msf: true - msf_key: windows/browser/cisco_anyconnect_exec - name: Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the Cisco AnyConnect VPN client \n\ - \t\t\t\tvpnweb.ocx ActiveX control. This control is typically used to install the \n\ - \t\t\t\tVPN client. An attacker can set the 'url' property which is where the control\n\ - \t\t\t\ttries to locate the files needed to install the client.\n\n\ - \t\t\t\t\tThe control tries to download two files from the site specified within the\n\ - \t\t\t\t'url' property. One of these files it will be stored in a temporary directory and \n\ - \t\t\t\texecuted.\n\ - \t\t\t\t\t" - authors: - - - CVE - - 2011-2039 - - - OSVDB - - "72714" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909 - - - URL - - http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml - path: extensions/metasploit/ - class: Msf_module -msf_ie_iscomponentinstalled: - enable: true - msf: true - msf_key: windows/browser/ie_iscomponentinstalled - name: Internet Explorer isComponentInstalled Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Internet Explorer. This bug was\n\ - \t\t\t\tpatched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.\n\ - \t\t\t" - authors: - - - CVE - - 2006-1016 - - - OSVDB - - "31647" - - - BID - - "16870" - path: extensions/metasploit/ - class: Msf_module -msf_athocgov_completeinstallation: - enable: true - msf: true - msf_key: windows/browser/athocgov_completeinstallation - name: AtHocGov IWSAlerts ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in AtHocGov IWSAlerts. When\n\ - \t\t\t\tsending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll\n\ - \t\t\t\t(6.1.4.36) an attacker may be able to execute arbitrary code. This\n\ - \t\t\t\tvulnerability was silently patched by the vendor.\n\ - \t\t\t" - authors: - - - URL - - http://www.athoc.com/products/IWSAlerts_overview.aspx - path: extensions/metasploit/ - class: Msf_module -msf_mirc_irc_url: - enable: true - msf: true - msf_key: windows/browser/mirc_irc_url - name: mIRC IRC URL Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in mIRC 6.1. By\n\ - \t\t\t\tsubmitting an overly long and specially crafted URL to\n\ - \t\t\t\tthe 'irc' protocol, an attacker can overwrite the buffer\n\ - \t\t\t\tand control program execution.\n\ - \t\t\t" - authors: - - - CVE - - 2003-1336 - - - OSVDB - - "2665" - - - BID - - "8819" - path: extensions/metasploit/ - class: Msf_module -msf_symantec_backupexec_pvcalendar: - enable: true - msf: true - msf_key: windows/browser/symantec_backupexec_pvcalendar - name: Symantec BackupExec Calendar Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Symantec BackupExec Calendar Control.\n\ - \t\t\t\tBy sending an overly long string to the \"_DOWText0\" property located\n\ - \t\t\t\tin the pvcalendar.ocx control, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-6016 - - - OSVDB - - "42358" - - - BID - - "26904" - - - URL - - http://secunia.com/advisories/27885/ - path: extensions/metasploit/ - class: Msf_module -msf_ms10_002_aurora: - enable: true - msf: true - msf_key: windows/browser/ms10_002_aurora - name: Internet Explorer "Aurora" Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a memory corruption flaw in Internet Explorer. This\n\ - \t\t\t\tflaw was found in the wild and was a key component of the \"Operation Aurora\"\n\ - \t\t\t\tattacks that lead to the compromise of a number of high profile companies. The\n\ - \t\t\t\texploit code is a direct port of the public sample published to the Wepawet\n\ - \t\t\t\tmalware analysis site. The technique used by this module is currently identical\n\ - \t\t\t\tto the public sample, as such, only Internet Explorer 6 can be reliably exploited.\n\ - \t\t\t" - authors: - - - MSB - - MS10-002 - - - CVE - - 2010-0249 - - - OSVDB - - "61697" - - - URL - - http://www.microsoft.com/technet/security/advisory/979352.mspx - - - URL - - http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js - path: extensions/metasploit/ - class: Msf_module -msf_blackice_downloadimagefileurl: - enable: true - msf: true - msf_key: windows/browser/blackice_downloadimagefileurl - name: Black Ice Cover Page ActiveX Control Arbitrary File Download - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\n\ - \t\t\t\tby abusing the \"DownloadImageFileURL\" method in the Black Ice BIImgFrm.ocx ActiveX\n\ - \t\t\t\tControl (BIImgFrm.ocx 12.0.0.0). Code exeuction can be acheived by first uploading the\n\ - \t\t\t\tpayload to the remote machine, and then upload another mof file, which enables Windows\n\ - \t\t\t\tManagement Instrumentation service to execute the binary. Please note that this module\n\ - \t\t\t\tcurrently only works for Windows before Vista. Also, a similar issue is reported in\n\ - \t\t\t\tBIDIB.ocx (10.9.3.0) within the Barcode SDK.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2683 - - - OSVDB - - "46007" - - - BID - - "29577" - - - URL - - http://www.exploit-db.com/exploits/5750/ - path: extensions/metasploit/ - class: Msf_module -msf_hpmqc_progcolor: - enable: true - msf: true - msf_key: windows/browser/hpmqc_progcolor - name: HP Mercury Quality Center ActiveX Control ProgColor Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack-based buffer overflow in SPIDERLib.Loader\n\ - \t\t\t\tActiveX control (Spider90.ocx) 9.1.0.4353 installed by TestDirector (TD)\n\ - \t\t\t\tfor Hewlett-Packard Mercury Quality Center 9.0 before Patch 12.1, and\n\ - \t\t\t\t8.2 SP1 before Patch 32.\n\ - \t\t\t\tBy setting an overly long value to 'ProgColor', an attacker can overrun\n\ - \t\t\t\ta buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1819 - - - OSVDB - - "34317" - - - BID - - "23239" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=497 - path: extensions/metasploit/ - class: Msf_module -msf_ie_createobject: - enable: true - msf: true - msf_key: windows/browser/ie_createobject - name: Internet Explorer COM CreateObject Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a generic code execution vulnerability in Internet\n\ - \t\t\t\tExplorer by abusing vulnerable ActiveX objects.\n\ - \t\t\t" - authors: - - - MSB - - MS06-014 - - - CVE - - 2006-0003 - - - OSVDB - - "24517" - - - MSB - - MS06-073 - - - CVE - - 2006-4704 - - - OSVDB - - "30155" - path: extensions/metasploit/ - class: Msf_module -msf_mswhale_checkforupdates: - enable: true - msf: true - msf_key: windows/browser/mswhale_checkforupdates - name: Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n\ - \t\t\t\tGateway Whale Client. When sending an overly long string to CheckForUpdates()\n\ - \t\t\t\tmethod of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2238 - - - OSVDB - - "53933" - - - URL - - http://technet.microsoft.com/en-us/library/dd282918.aspx - path: extensions/metasploit/ - class: Msf_module -msf_ms06_055_vml_method: - enable: true - msf: true - msf_key: windows/browser/ms06_055_vml_method - name: Internet Explorer VML Fill Method Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution vulnerability in Microsoft Internet Explorer using\n\ - \t\t\t\ta buffer overflow in the VML processing code (VGX.dll). This module has been tested on\n\ - \t\t\t\tWindows 2000 SP4, Windows XP SP0, and Windows XP SP2.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4868 - - - OSVDB - - "28946" - - - MSB - - MS06-055 - - - BID - - "20096" - path: extensions/metasploit/ - class: Msf_module -msf_mozilla_interleaved_write: - enable: true - msf: true - msf_key: windows/browser/mozilla_interleaved_write - name: Mozilla Firefox Interleaving document.write and appendChild Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution vulnerability in Mozilla\n\ - \t\t\t\tFirefox caused by interleaved calls to document.write and appendChild.\n\ - \t\t\t\tThis exploit is a metasploit port of the in-the-wild exploit.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3765 - - - OSVDB - - "68905" - - - BID - - "15352" - - - URL - - http://www.exploit-db.com/exploits/15352/ - - - URL - - https://bugzilla.mozilla.org/show_bug.cgi?id=607222 - - - URL - - http://www.mozilla.org/security/announce/2010/mfsa2010-73.html - path: extensions/metasploit/ - class: Msf_module -msf_novelliprint_callbackurl: - enable: true - msf: true - msf_key: windows/browser/novelliprint_callbackurl - name: Novell iPrint Client ActiveX Control call-back-url Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.\n\ - \t\t\t\tWhen sending an overly long string to the 'call-back-url' parameter in an\n\ - \t\t\t\top-client-interface-version action of ienipp.ocx an attacker may be able to\n\ - \t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1527 - - - OSVDB - - "67411" - - - URL - - http://secunia.com/secunia_research/2010-104/ - - - URL - - http://www.exploit-db.com/exploits/15042/ - path: extensions/metasploit/ - class: Msf_module -msf_vlc_amv: - enable: true - msf: true - msf_key: windows/browser/vlc_amv - name: VLC AMV Dangling Pointer Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits VLC media player when handling a .AMV file. By flipping the 0x41st\n\ - \t\t\t\tbyte in the file format (video width/height), VLC crashes due to an invalid pointer, which\n\ - \t\t\t\tallows remote attackers to gain arbitrary code execution.\n\ - \t\t\t\t\n\ - \t\t\t\tThe vulnerable packages include:\n\ - \t\t\t\tVLC 1.1.4\n\ - \t\t\t\tVLC 1.1.5\n\ - \t\t\t\tVLC 1.1.6\n\ - \t\t\t\tVLC 1.1.7\n\ - \t\t\t\t" - authors: - - - CVE - - 2010-3275 - - - OSVDB - - "71277" - - - URL - - http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files - - - URL - - http://git.videolan.org/?p=vlc/vlc-1.1.git;a=commitdiff;h=fe44129dc6509b3347113ab0e1a0524af1e0dd11 - path: extensions/metasploit/ - class: Msf_module -msf_persits_xupload_traversal: - enable: true - msf: true - msf_key: windows/browser/persits_xupload_traversal - name: Persits XUpload ActiveX MakeHttpRequest Directory Traversal - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a directory traversal in Persits Software Inc's\n\ - \t\t\t\tXUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5.\n\ - \t\t\t\tBy passing a string containing \"..\\\" sequences to the MakeHttpRequest method,\n\ - \t\t\t\tan attacker is able to write arbitrary files to arbitrary locations on disk.\n\n\ - \t\t\t\tCode execution occurs by writing to the All Users Startup Programs directory.\n\ - \t\t\t\tYou may want to combine this module with the use of multi/handler since a\n\ - \t\t\t\tuser would have to log for the payloda to execute.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3693 - - - OSVDB - - "60001" - - - URL - - http://retrogod.altervista.org/9sg_hp_loadrunner.html - path: extensions/metasploit/ - class: Msf_module -msf_ms10_090_ie_css_clip: - enable: true - msf: true - msf_key: windows/browser/ms10_090_ie_css_clip - name: Internet Explorer CSS SetUserClip Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThie module exploits a memory corruption vulnerability within Microsoft's\n\ - \t\t\t\tHTML engine (mshtml). When parsing an HTML page containing a specially\n\ - \t\t\t\tcrafted CSS tag, memory corruption occurs that can lead arbitrary code\n\ - \t\t\t\texecution.\n\n\ - \t\t\t\tIt seems like Microsoft code inadvertantly increments a vtable pointer to\n\ - \t\t\t\tpoint to an unaligned address within the vtable's function pointers. This\n\ - \t\t\t\tleads to the program counter being set to the address determined by the\n\ - \t\t\t\taddress \"[vtable+0x30+1]\". The particular address depends on the exact\n\ - \t\t\t\tversion of the mshtml library in use.\n\n\ - \t\t\t\tSince the address depends on the version of mshtml, some versions may not\n\ - \t\t\t\tbe exploitable. Specifically, those ending up with a program counter value\n\ - \t\t\t\twithin another module, in kernel space, or just not able to be reached with\n\ - \t\t\t\tvarious memory spraying techniques.\n\n\ - \t\t\t\tAlso, since the address is not controllable, it is unlikely to be possible\n\ - \t\t\t\tto use ROP to bypass non-executable memory protections.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3962 - - - OSVDB - - "68987" - - - BID - - "44536" - - - URL - - http://www.microsoft.com/technet/security/advisory/2458511.mspx - - - URL - - http://www.exploit-db.com/exploits/15421/ - - - MSB - - MS10-090 - path: extensions/metasploit/ - class: Msf_module -msf_ebook_flipviewer_fviewerloading: - enable: true - msf: true - msf_key: windows/browser/ebook_flipviewer_fviewerloading - name: FlipViewer FViewerLoading ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0.\n\ - \t\t\t\tThe vulnerability is caused due to a boundary error in the\n\ - \t\t\t\tFViewerLoading (FlipViewerX.dll) ActiveX control when handling the\n\ - \t\t\t\t\"LoadOpf()\" method.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2919 - - - OSVDB - - "37042" - - - BID - - "24328" - path: extensions/metasploit/ - class: Msf_module -msf_ms09_002_memory_corruption: - enable: true - msf: true - msf_key: windows/browser/ms09_002_memory_corruption - name: Internet Explorer 7 CFunctionPointer Uninitialized Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits an error related to the CFunctionPointer function when attempting\n\ - \t\t\t\tto access uninitialized memory. A remote attacker could exploit this vulnerability to\n\ - \t\t\t\tcorrupt memory and execute arbitrary code on the system with the privileges of the victim.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0075 - - - OSVDB - - "51839" - - - MSB - - MS09-002 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_geticon: - enable: true - msf: true - msf_key: windows/fileformat/adobe_geticon - name: Adobe Collab.getIcon() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n\ - \t\t\t\tAffected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n\ - \t\t\t\tcrafted pdf that a contains malformed Collab.getIcon() call, an attacker may\n\ - \t\t\t\tbe able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0927 - - - OSVDB - - "53647" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-09-014/ - path: extensions/metasploit/ - class: Msf_module -msf_systemrequirementslab_unsafe: - enable: true - msf: true - msf_key: windows/browser/systemrequirementslab_unsafe - name: Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module allows attackers to execute code via an unsafe method in\n\ - \t\t\t\tHusdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0)\n\ - \t\t\t" - authors: - - - CVE - - 2008-4385 - - - OSVDB - - "50122" - - - US-CERT-VU - - "166651" - path: extensions/metasploit/ - class: Msf_module -msf_msvidctl_mpeg2: - enable: true - msf: true - msf_key: windows/browser/msvidctl_mpeg2 - name: Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a memory corruption within the MSVidCtl component of Microsoft\n\ - \t\t\t\tDirectShow (BDATuner.MPEG2TuneRequest).\n\ - \t\t\t\tBy loading a specially crafted GIF file, an attacker can overrun a buffer and\n\ - \t\t\t\texecute arbitrary code.\n\n\ - \t\t\t\tClassID is now configurable via an advanced option (otherwise randomized) - I)ruid\n\ - \t\t\t" - authors: - - - CVE - - 2008-0015 - - - OSVDB - - "55651" - - - BID - - "35558" - - - MSB - - MS09-032 - - - MSB - - MS09-037 - - - URL - - http://www.microsoft.com/technet/security/advisory/972890.mspx - path: extensions/metasploit/ - class: Msf_module -msf_symantec_altirisdeployment_runcmd: - enable: true - msf: true - msf_key: windows/browser/symantec_altirisdeployment_runcmd - name: Symantec Altiris Deployment Solution ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Symantec Altiris Deployment Solution.\n\ - \t\t\t\tWhen sending an overly long string to RunCmd() method of\n\ - \t\t\t\tAeXNSConsoleUtilities.dll (6.0.0.1426) an attacker may be able to execute arbitrary\n\ - \t\t\t\tcode.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3033 - - - BID - - "37092" - - - OSVDB - - "60496" - path: extensions/metasploit/ - class: Msf_module -msf_adobe_shockwave_rcsl_corruption: - enable: true - msf: true - msf_key: windows/browser/adobe_shockwave_rcsl_corruption - name: Adobe Shockwave rcsL Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a weakness in the Adobe Shockwave player's handling of\n\ - \t\t\t\tDirector movies (.DIR). A memory corruption vulnerability occurs through an undocumented\n\ - \t\t\t\trcsL chunk. This vulnerability was discovered by http://www.abysssec.com.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3653 - - - OSVDB - - "68803" - - - URL - - http://www.exploit-db.com/sploits/Adobe_Shockwave_Director_rcsL_Chunk_Memory_Corruption.zip - path: extensions/metasploit/ - class: Msf_module -msf_logitechvideocall_start: - enable: true - msf: true - msf_key: windows/browser/logitechvideocall_start - name: Logitech VideoCall ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Logitech VideoCall ActiveX\n\ - \t\t\t\tControl (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the\n\ - \t\t\t\t\"Start()\" method, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2918 - - - OSVDB - - "36820" - - - BID - - "24254" - path: extensions/metasploit/ - class: Msf_module -msf_novelliprint_getdriversettings: - enable: true - msf: true - msf_key: windows/browser/novelliprint_getdriversettings - name: Novell iPrint Client ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell iPrint Client 4.34. When\n\ - \t\t\t\tsending an overly long string to the GetDriverSettings() property of ienipp.ocx\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2908 - - - OSVDB - - "46194" - - - URL - - http://secunia.com/advisories/30709/ - path: extensions/metasploit/ - class: Msf_module -msf_mysql_payload: - enable: true - msf: true - msf_key: windows/mysql/mysql_payload - name: Oracle MySQL for Microsoft Windows Payload Execution - category: Metasploit - description: "\n\ - \t\t\t\tThis module creates and enables a custom UDF (user defined function) on the\n\ - \t\t\t\ttarget host via the SELECT ... into DUMPFILE method of binary injection. On\n\ - \t\t\t\tdefault Microsoft Windows installations of MySQL (=< 5.5.9), directory write\n\ - \t\t\t\tpermissions not enforced, and the MySQL service runs as LocalSystem.\n\n\ - \t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\ - \t\t\t\tattack is finished, as well as the UDF DLL, and will define or redefine sys_eval()\n\ - \t\t\t\tand sys_exec() functions.\n\ - \t\t\t" - authors: - - - URL - - http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html - - - URL - - http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html - path: extensions/metasploit/ - class: Msf_module -msf_calicserv_getconfig: - enable: true - msf: true - msf_key: windows/license/calicserv_getconfig - name: Computer Associates License Server GETCONFIG Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an vulnerability in the CA License Server\n\ - \t\t\t\tnetwork service. By sending an excessively long GETCONFIG\n\ - \t\t\t\tpacket the stack may be overwritten.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0581 - - - OSVDB - - "14389" - - - BID - - "12705" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213 - path: extensions/metasploit/ - class: Msf_module -msf_sentinel_lm7_udp: - enable: true - msf: true - msf_key: windows/license/sentinel_lm7_udp - name: SentinelLM UDP Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a simple stack buffer overflow in the Sentinel\n\ - \t\t\t\tLicense Manager. The SentinelLM service is installed with a\n\ - \t\t\t\twide selection of products and seems particular popular with\n\ - \t\t\t\tacademic products. If the wrong target value is selected,\n\ - \t\t\t\tthe service will crash and not restart.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0353 - - - OSVDB - - "14605" - - - BID - - "12742" - path: extensions/metasploit/ - class: Msf_module -msf_calicclnt_getconfig: - enable: true - msf: true - msf_key: windows/license/calicclnt_getconfig - name: Computer Associates License Client GETCONFIG Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an vulnerability in the CA License Client\n\ - \t\t\t\tservice. This exploit will only work if your IP address can be\n\ - \t\t\t\tresolved from the target system point of view. This can be\n\ - \t\t\t\taccomplished on a local network by running the 'nmbd' service\n\ - \t\t\t\tthat comes with Samba. If you are running this exploit from\n\ - \t\t\t\tWindows and do not filter udp port 137, this should not be a\n\ - \t\t\t\tproblem (if the target is on the same network segment). Due to\n\ - \t\t\t\tthe bugginess of the software, you are only allowed one connection\n\ - \t\t\t\tto the agent port before it starts ignoring you. If it wasn't for this\n\ - \t\t\t\tissue, it would be possible to repeatedly exploit this bug.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0581 - - - OSVDB - - "14389" - - - BID - - "12705" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213 - path: extensions/metasploit/ - class: Msf_module -msf_globalscapeftp_input: - enable: true - msf: true - msf_key: windows/ftp/globalscapeftp_input - name: GlobalSCAPE Secure FTP Server Input Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.\n\ - \t\t\t\tAll versions prior to 3.0.3 are affected by this flaw. A valid user account (\n\ - \t\t\t\tor anonymous access) is required for this exploit to work.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1415 - - - OSVDB - - "16049" - - - BID - - "13454" - - - URL - - http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html - path: extensions/metasploit/ - class: Msf_module -msf_32bitftp_list_reply: - enable: true - msf: true - msf_key: windows/ftp/32bitftp_list_reply - name: "32bit FTP Client Stack Buffer Overflow " - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to\n\ - \t\t\t\t\tdownload a file that has an overly long filename.\n\ - \t\t\t" - authors: - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_wftpd_size: - enable: true - msf: true - msf_key: windows/ftp/wftpd_size - name: Texas Imperial Software WFTPD 3.23 SIZE Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the SIZE verb in\n\ - \t\t\t\tTexas Imperial's Software WFTPD 3.23.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4318 - - - OSVDB - - "28134" - - - BID - - "19617" - path: extensions/metasploit/ - class: Msf_module -msf_odin_list_reply: - enable: true - msf: true - msf_key: windows/ftp/odin_list_reply - name: Odin Secure FTP 4.1 Stack Buffer Overflow (LIST) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Odin Secure FTP 4.1,\n\ - \t\t\t\ttriggered when processing the response on a LIST command. During the overflow,\n\ - \t\t\t\ta structured exception handler record gets overwritten.\n\ - \t\t\t" - authors: - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_dreamftp_format: - enable: true - msf: true - msf_key: windows/ftp/dreamftp_format - name: BolinTech Dream FTP Server 1.02 Format String - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a format string overflow in the BolinTech\n\ - \t\t\t\tDream FTP Server version 1.02. Based on the exploit by SkyLined.\n\ - \t\t\t" - authors: - - - CVE - - 2004-2074 - - - OSVDB - - "4986" - - - BID - - "9800" - - - URL - - http://www.milw0rm.com/exploits/823 - path: extensions/metasploit/ - class: Msf_module -msf_proftp_banner: - enable: true - msf: true - msf_key: windows/ftp/proftp_banner - name: ProFTP 2.9 Banner Remote Buffer Overflow Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the ProFTP 2.9\n\ - \t\t\t\tclient that is triggered through an excessively long welcome message.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3976 - - - OSVDB - - "57394" - - - URL - - http://www.labtam-inc.com/index.php?act=products&pid=1 - path: extensions/metasploit/ - class: Msf_module -msf_filewrangler_list_reply: - enable: true - msf: true - msf_key: windows/ftp/filewrangler_list_reply - name: FileWrangler 5.30 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the FileWrangler client\n\ - \t\t\t\tthat is triggered when the client connects to a FTP server and lists\n\ - \t\t\t\tthe directory contents, containing an overly long directory name.\n\ - \t\t\t" - authors: - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_httpdx_tolog_format: - enable: true - msf: true - msf_key: windows/http/httpdx_tolog_format - name: HTTPDX tolog() Function Format String Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a format string vulnerability in HTTPDX HTTP server.\n\ - \t\t\t\tBy sending an specially crafted HTTP request containing format specifiers, an\n\ - \t\t\t\tattacker can corrupt memory and execute arbitrary code.\n\n\ - \t\t\t\tBy default logging is off for HTTP, but enabled for the 'moderator' user\n\ - \t\t\t\tvia FTP.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4769 - - - OSVDB - - "60182" - path: extensions/metasploit/ - class: Msf_module -msf_oracle9i_xdb_ftp_pass: - enable: true - msf: true - msf_key: windows/ftp/oracle9i_xdb_ftp_pass - name: Oracle 9i XDB FTP PASS Overflow (win32) - category: Metasploit - description: "\n\ - \t\t\t\t\tBy passing an overly long string to the PASS command, a\n\ - \t\t\t\tstack based buffer overflow occurs. David Litchfield, has\n\ - \t\t\t\tillustrated multiple vulnerabilities in the Oracle 9i XML\n\ - \t\t\t\tDatabase (XDB), during a seminar on \"Variations in exploit\n\ - \t\t\t\tmethods between Linux and Windows\" presented at the Blackhat\n\ - \t\t\t\tconference.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0727 - - - OSVDB - - "2449" - - - BID - - "8375" - - - URL - - http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf - path: extensions/metasploit/ - class: Msf_module -msf_slimftpd_list_concat: - enable: true - msf: true - msf_key: windows/ftp/slimftpd_list_concat - name: SlimFTPd LIST Concatenation Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the SlimFTPd\n\ - \t\t\t\tserver. The flaw is triggered when a LIST command is\n\ - \t\t\t\treceived with an overly-long argument. This vulnerability\n\ - \t\t\t\taffects all versions of SlimFTPd prior to 3.16 and was\n\ - \t\t\t\tdiscovered by Raphael Rigo.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2373 - - - OSVDB - - "18172" - - - BID - - "14339" - path: extensions/metasploit/ - class: Msf_module -msf_easyfilesharing_pass: - enable: true - msf: true - msf_key: windows/ftp/easyfilesharing_pass - name: Easy File Sharing FTP Server 2.0 PASS Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the Easy File Sharing 2.0\n\ - \t\t\t\tservice. By sending an overly long password, an attacker can execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3952 - - - OSVDB - - "27646" - - - BID - - "19243" - path: extensions/metasploit/ - class: Msf_module -msf_xftp_client_pwd: - enable: true - msf: true - msf_key: windows/ftp/xftp_client_pwd - name: Xftp FTP Client 3.0 PWD Remote Buffer Overflow Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the Xftp 3.0 FTP client that is triggered\n\ - \t\t\t\tthrough an excessively long PWD message.\n\ - \t\t\t" - authors: - - - OSVDB - - "63968" - - - URL - - http://www.exploit-db.com/exploits/12332 - path: extensions/metasploit/ - class: Msf_module -msf_xlink_client: - enable: true - msf: true - msf_key: windows/ftp/xlink_client - name: Xlink FTP Client Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Xlink FTP Client 32\n\ - \t\t\t\tVersion 3.01 that comes bundled with Omni-NFS Enterprise 5.2.\n\ - \t\t\t\tWhen a overly long FTP server response is recieved by a client,\n\ - \t\t\t\tarbitrary code may be executed.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5792 - - - OSVDB - - "33969" - - - URL - - http://www.metasploit.com/ - - - URL - - http://www.xlink.com - path: extensions/metasploit/ - class: Msf_module -msf_3cdaemon_ftp_user: - enable: true - msf: true - msf_key: windows/ftp/3cdaemon_ftp_user - name: 3Com 3CDaemon 2.0 FTP Username Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the 3Com 3CDaemon\n\ - \t\t\t\tFTP service. This package is being distributed from the 3Com\n\ - \t\t\t\tweb site and is recommended in numerous support documents.\n\ - \t\t\t\tThis module uses the USER command to trigger the overflow.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0277 - - - OSVDB - - "12810" - - - OSVDB - - "12811" - - - BID - - "12155" - - - URL - - ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip - path: extensions/metasploit/ - class: Msf_module -msf_easyftp_list_fixret: - enable: true - msf: true - msf_key: windows/ftp/easyftp_list_fixret - name: EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.\n\ - \t\t\t\tcredit goes to Karn Ganeshan.\n\n\ - \t\t\t\tNOTE: Although, this is likely to exploit the same vulnerability as the\n\ - \t\t\t\t'easyftp_cwd_fixret' exploit, it uses a slightly different vector.\n\ - \t\t\t" - authors: - - - OSVDB - - "62134" - - - URL - - http://www.exploit-db.com/exploits/14400/ - - - URL - - http://www.exploit-db.com/exploits/14451/ - path: extensions/metasploit/ - class: Msf_module -msf_filecopa_list_overflow: - enable: true - msf: true - msf_key: windows/ftp/filecopa_list_overflow - name: FileCopa FTP Server pre 18 Jul Version - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the buffer overflow found in the LIST command\n\ - \t\t\t\tin fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch\n\ - \t\t\t" - authors: - - - CVE - - 2006-3726 - - - OSVDB - - "27389" - - - BID - - "19065" - path: extensions/metasploit/ - class: Msf_module -msf_ftpsynch_list_reply: - enable: true - msf: true - msf_key: windows/ftp/ftpsynch_list_reply - name: FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in FTP Synchronizer Pro\n\ - \t\t\t\tversion 4.0.73.274 The overflow gets triggered by sending an overly long filename to\n\ - \t\t\t\tthe client in response to a LIST command.\n\ - \t\t\t\tThe LIST command gets issued when doing a preview or when you have just created a new\n\ - \t\t\t\tsync profile and allow the tool to see the differences.\n\ - \t\t\t\tThis will overwrite a structured exception handler and trigger an access violation.\n\ - \t\t\t" - authors: - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_ftpshell51_pwd_reply: - enable: true - msf: true - msf_key: windows/ftp/ftpshell51_pwd_reply - name: FTPShell 5.1 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets\n\ - \t\t\t\ttriggered when the ftp clients tries to process an overly response to a PWD command.\n\ - \t\t\t\tThis will overwrite the saved EIP and structured exception handler.\n\ - \t\t\t" - authors: - - - OSVDB - - "68639" - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_easyftp_mkd_fixret: - enable: true - msf: true - msf_key: windows/ftp/easyftp_mkd_fixret - name: EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\ - \t\t\t\tand earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which\n\ - \t\t\t\tleads to a stack based buffer overflow.\n\n\ - \t\t\t\tNOTE: EasyFTP allows anonymous access by default. However, in order to access the\n\ - \t\t\t\t'MKD' command, you must have access to an account that can create directories.\n\n\ - \t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\ - \t\t\t\tThis exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n\ - \t\t\t\tThis code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n\ - \t\t\t\t'fixing' the return address post-exploitation. See references for more information.\n\ - \t\t\t" - authors: - - - OSVDB - - "62134" - - - URL - - http://www.exploit-db.com/exploits/12044/ - - - URL - - http://www.exploit-db.com/exploits/14399/ - path: extensions/metasploit/ - class: Msf_module -msf_ftppad_list_reply: - enable: true - msf: true - msf_key: windows/ftp/ftppad_list_reply - name: FTPPad 1.2.0 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is\n\ - \t\t\t\ttriggered when the client connects to a FTP server which sends an overly long directory\n\ - \t\t\t\tand filename in response to a LIST command.\n\n\ - \t\t\t\tThis will cause an access violation, and will eventually overwrite the saved extended\n\ - \t\t\t\tinstruction pointer. Payload can be found at EDX+5c and ESI+5c, so a little pivot/\n\ - \t\t\t\tsniper was needed to make this one work.\n\ - \t\t\t" - authors: - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_aasync_list_reply: - enable: true - msf: true - msf_key: windows/ftp/aasync_list_reply - name: AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when\n\ - \t\t\t\tprocessing the response on a LIST command. During the overflow, a structured exception\n\ - \t\t\t\thandler record gets overwritten.\n\ - \t\t\t" - authors: - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_wsftp_server_505_xmd5: - enable: true - msf: true - msf_key: windows/ftp/wsftp_server_505_xmd5 - name: Ipswitch WS_FTP Server 5.05 XMD5 Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the XMD5 verb in\n\ - \t\t\t\tIPSWITCH WS_FTP Server 5.05.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4847 - - - OSVDB - - "28939" - - - BID - - "20076" - path: extensions/metasploit/ - class: Msf_module -msf_goldenftp_pass_bof: - enable: true - msf: true - msf_key: windows/ftp/goldenftp_pass_bof - name: GoldenFTP PASS Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the Golden FTP service, using the PASS\n\ - \t\t\t\tcommand to cause a buffer overflow. Please note that in order trigger the vulnerable\n\ - \t\t\t\tcode, the victim machine must have the \"Show new connections\" setting enabled. By\n\ - \t\t\t\tdefault, this option is unchecked.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6576 - - - OSVDB - - "35951" - - - BID - - "45957 " - - - URL - - http://www.exploit-db.com/exploits/16036/ - path: extensions/metasploit/ - class: Msf_module -msf_warftpd_165_user: - enable: true - msf: true - msf_key: windows/ftp/warftpd_165_user - name: War-FTPD 1.65 Username Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow found in the USER command\n\ - \t\t\t\tof War-FTPD 1.65.\n\ - \t\t\t" - authors: - - - CVE - - 1999-0256 - - - OSVDB - - "875" - - - BID - - "10078" - - - URL - - http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html - path: extensions/metasploit/ - class: Msf_module -msf_sami_ftpd_user: - enable: true - msf: true - msf_key: windows/ftp/sami_ftpd_user - name: KarjaSoft Sami FTP Server v2.02 USER Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the KarjaSoft Sami FTP Server version 2.02\n\ - \t\t\t\tby sending an excessively long USER string. The stack is overwritten\n\ - \t\t\t\twhen the administrator attempts to view the FTP logs. Therefore, this exploit\n\ - \t\t\t\tis passive and requires end-user interaction. Keep this in mind when selecting\n\ - \t\t\t\tpayloads. When the server is restarted, it will re-execute the exploit until\n\ - \t\t\t\tthe logfile is manually deleted via the file system.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0441 - - - CVE - - 2006-2212 - - - OSVDB - - "25670" - - - BID - - "16370" - - - BID - - "22045" - - - BID - - "17835" - - - URL - - http://www.milw0rm.com/exploits/1448 - - - URL - - http://www.milw0rm.com/exploits/1452 - - - URL - - http://www.milw0rm.com/exploits/1462 - - - URL - - http://www.milw0rm.com/exploits/3127 - - - URL - - http://www.milw0rm.com/exploits/3140 - path: extensions/metasploit/ - class: Msf_module -msf_oracle9i_xdb_ftp_unlock: - enable: true - msf: true - msf_key: windows/ftp/oracle9i_xdb_ftp_unlock - name: Oracle 9i XDB FTP UNLOCK Overflow (win32) - category: Metasploit - description: "\n\ - \t\t\t\t\tBy passing an overly long token to the UNLOCK command, a\n\ - \t\t\t\tstack based buffer overflow occurs. David Litchfield, has\n\ - \t\t\t\tillustrated multiple vulnerabilities in the Oracle 9i XML\n\ - \t\t\t\tDatabase (XDB), during a seminar on \"Variations in exploit\n\ - \t\t\t\tmethods between Linux and Windows\" presented at the Blackhat\n\ - \t\t\t\tconference. Oracle9i includes a number of default accounts,\n\ - \t\t\t\tincluding dbsnmp:dbsmp, scott:tiger, system:manager, and\n\ - \t\t\t\tsys:change_on_install.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0727 - - - OSVDB - - "2449" - - - BID - - "8375" - - - URL - - http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf - path: extensions/metasploit/ - class: Msf_module -msf_leapftp_list_reply: - enable: true - msf: true - msf_key: windows/ftp/leapftp_list_reply - name: LeapFTP 3.0.1 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the LeapFTP 3.0.1 client.\n\ - \t\t\t\tThis issue is triggered when a file with a long name is downloaded/opened.\n\ - \t\t\t" - authors: - - - OSVDB - - "68640" - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_trellian_client_pasv: - enable: true - msf: true - msf_key: windows/ftp/trellian_client_pasv - name: Trellian FTP Client 3.01 PASV Remote Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered\n\ - \t\t\t\tthrough an excessively long PASV message.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1465 - - - OSVDB - - "63812" - - - URL - - http://www.exploit-db.com/exploits/12152 - path: extensions/metasploit/ - class: Msf_module -msf_vermillion_ftpd_port: - enable: true - msf: true - msf_key: windows/ftp/vermillion_ftpd_port - name: Vermillion FTP Daemon PORT Command Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an out-of-bounds array access in the Arcane Software\n\ - \t\t\t\tVermillion FTP server. By sending an specially crafted FTP PORT command,\n\ - \t\t\t\tan attacker can corrupt stack memory and execute arbitrary code.\n\n\ - \t\t\t\tThis particular issue is caused by processing data bound by attacker\n\ - \t\t\t\tcontrolled input while writing into a 4 byte stack buffer. Unfortunately,\n\ - \t\t\t\tthe writing that occurs is not a simple byte copy.\n\n\ - \t\t\t\tProcessing is done using a source ptr (p) and a destination pointer (q).\n\ - \t\t\t\tThe vulnerable function walks the input string and continues while the\n\ - \t\t\t\tsource byte is non-null. If a comma is encountered, the function increments\n\ - \t\t\t\tthe the destination pointer. If an ascii digit [0-9] is encountered, the\n\ - \t\t\t\tfollowing occurs:\n\n\ - \t\t\t\t\t*q = (*q * 10) + (*p - '0');\n\n\ - \t\t\t\tAll other input characters are ignored in this loop.\n\n\ - \t\t\t\tAs a consequence, an attacker must craft input such that modifications\n\ - \t\t\t\tto the current values on the stack result in usable values. In this exploit,\n\ - \t\t\t\tthe low two bytes of the return address are adjusted to point at the\n\ - \t\t\t\tlocation of a 'call edi' instruction within the binary. This was chosen\n\ - \t\t\t\tsince 'edi' points at the source buffer when the function returns.\n\n\ - \t\t\t\tNOTE: This server can be installed as a service using \"vftpd.exe install\".\n\ - \t\t\t\tIf so, the service does not restart automatically, giving an attacker only\n\ - \t\t\t\tone attempt.\n\ - \t\t\t" - authors: - - - OSVDB - - "62163" - - - URL - - http://www.exploit-db.com/exploits/11293 - - - URL - - http://www.global-evolution.info/news/files/vftpd/vftpd.txt - path: extensions/metasploit/ - class: Msf_module -msf_cesarftp_mkd: - enable: true - msf: true - msf_key: windows/ftp/cesarftp_mkd - name: Cesar FTP 0.99g MKD Command Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.\n\n\ - \t\t\t\tYou must have valid credentials to trigger this vulnerability. Also, you\n\ - \t\t\t\tonly get one chance, so choose your target carefully.\n\ - \t\t\t" - authors: - - - CVE - - 2006-2961 - - - OSVDB - - "26364" - - - BID - - "18586" - - - URL - - http://secunia.com/advisories/20574/ - path: extensions/metasploit/ - class: Msf_module -msf_easyftp_cwd_fixret: - enable: true - msf: true - msf_key: windows/ftp/easyftp_cwd_fixret - name: EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\ - \t\t\t\tand earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which\n\ - \t\t\t\tleads to a stack based buffer overflow. EasyFTP allows anonymous access by\n\ - \t\t\t\tdefault; valid credentials are typically unnecessary to exploit this vulnerability.\n\n\ - \t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\ - \t\t\t\tThis exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'.\n\ - \t\t\t\tThis code allows us to inject of payload of ~500 bytes into a 264 byte buffer by\n\ - \t\t\t\t'fixing' the return address post-exploitation. See references for more information.\n\ - \t\t\t" - authors: - - - OSVDB - - "62134" - - - URL - - http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/ - - - URL - - http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit - - - URL - - http://seclists.org/bugtraq/2010/Feb/202 - - - URL - - http://code.google.com/p/easyftpsvr/ - - - URL - - https://tegosecurity.com/etc/return_overwrite/RCE_easy_ftp_server_1.7.0.2.zip - - - URL - - http://www.securityfocus.com/bid/38262/exploit - path: extensions/metasploit/ - class: Msf_module -msf_wsftp_server_503_mkd: - enable: true - msf: true - msf_key: windows/ftp/wsftp_server_503_mkd - name: WS-FTP Server 5.03 MKD Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits the buffer overflow found in the MKD\n\ - \t\t\t\tcommand in IPSWITCH WS_FTP Server 5.03 discovered by Reed\n\ - \t\t\t\tArvin.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1135 - - - OSVDB - - "12509" - - - BID - - "11772" - path: extensions/metasploit/ - class: Msf_module -msf_ms09_053_ftpd_nlst: - enable: true - msf: true - msf_key: windows/ftp/ms09_053_ftpd_nlst - name: Microsoft IIS FTP Server NLST Response Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow flaw in the Microsoft IIS FTP\n\ - \t\t\t\tservice. The flaw is triggered when a special NLST argument is passed\n\ - \t\t\t\twhile the session has changed into a long directory path. For this exploit\n\ - \t\t\t\tto work, the FTP server must be configured to allow write access to the\n\ - \t\t\t\tfile system (either anonymously or in conjunction with a real account)\n\ - \t\t\t" - authors: - - - URL - - http://milw0rm.com/exploits/9541 - - - CVE - - 2009-3023 - - - OSVDB - - "57589" - - - BID - - "36189" - - - MSB - - MS09-053 - path: extensions/metasploit/ - class: Msf_module -msf_xlink_server: - enable: true - msf: true - msf_key: windows/ftp/xlink_server - name: Xlink FTP Server Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Xlink FTP Server\n\ - \t\t\t\tthat comes bundled with Omni-NFS Enterprise 5.2.\n\ - \t\t\t\tWhen a overly long FTP request is sent to the server,\n\ - \t\t\t\tarbitrary code may be executed.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5792 - - - OSVDB - - "58646" - - - URL - - http://www.metasploit.com/ - - - URL - - http://www.xlink.com - path: extensions/metasploit/ - class: Msf_module -msf_seagull_list_reply: - enable: true - msf: true - msf_key: windows/ftp/seagull_list_reply - name: Seagull FTP v3.3 build 409 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the Seagull FTP client that gets\n\ - \t\t\t\ttriggered when the ftp clients processes a response to a LIST command. If the\n\ - \t\t\t\tresponse contains an overly long file/folder name, a buffer overflow occurs,\n\ - \t\t\t\toverwriting a structured exception handler.\n\ - \t\t\t" - authors: - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_warftpd_165_pass: - enable: true - msf: true - msf_key: windows/ftp/warftpd_165_pass - name: War-FTPD 1.65 Password Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits the buffer overflow found in the PASS command\n\ - \t\t\t\tin War-FTPD 1.65. This particular module will only work\n\ - \t\t\t\treliably against Windows 2000 targets. The server must be\n\ - \t\t\t\tconfigured to allow anonymous logins for this exploit to\n\ - \t\t\t\tsucceed. A failed attempt will bring down the service\n\ - \t\t\t\tcompletely.\n\ - \t\t\t" - authors: - - - CVE - - 1999-0256 - - - OSVDB - - "875" - - - BID - - "10078" - - - URL - - http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html - path: extensions/metasploit/ - class: Msf_module -msf_sasser_ftpd_port: - enable: true - msf: true - msf_key: windows/ftp/sasser_ftpd_port - name: Sasser Worm avserve FTP PORT Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the FTP server component of the Sasser worm.\n\ - \t\t\t\tBy sending an overly long PORT command the stack can be overwritten.\n\ - \t\t\t" - authors: - - - OSVDB - - "6197" - path: extensions/metasploit/ - class: Msf_module -msf_leapftp_pasv_reply: - enable: true - msf: true - msf_key: windows/ftp/leapftp_pasv_reply - name: LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600\n\ - \t\t\t\tclient that is triggered through an excessively long PASV reply command. This\n\ - \t\t\t\tmodule was ported from the original exploit by drG4njubas with minor improvements.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0558 - - - OSVDB - - "4587" - - - BID - - "7860" - - - URL - - http://www.milw0rm.com/exploits/54 - path: extensions/metasploit/ - class: Msf_module -msf_gekkomgr_list_reply: - enable: true - msf: true - msf_key: windows/ftp/gekkomgr_list_reply - name: Gekko Manager FTP Client Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Gekko Manager ftp client, triggered when\n\ - \t\t\t\tprocessing the response received after sending a LIST request. If this response contains\n\ - \t\t\t\ta long filename, a buffer overflow occurs, overwriting a structured exception handler.\n\ - \t\t\t" - authors: - - - OSVDB - - "68641" - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_ftpgetter_pwd_reply: - enable: true - msf: true - msf_key: windows/ftp/ftpgetter_pwd_reply - name: FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.\n\ - \t\t\t\tWhen processing the response on a PWD command, a stack based buffer overflow occurs.\n\ - \t\t\t\tThis leads to arbitrary code execution when a structured exception handler gets\n\ - \t\t\t\toverwritten.\n\ - \t\t\t" - authors: - - - OSVDB - - "68638" - - - URL - - http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ - path: extensions/metasploit/ - class: Msf_module -msf_netterm_netftpd_user: - enable: true - msf: true - msf_key: windows/ftp/netterm_netftpd_user - name: NetTerm NetFTPD USER Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the NetTerm NetFTPD\n\ - \t\t\t\tapplication. This package is part of the NetTerm package.\n\ - \t\t\t\tThis module uses the USER command to trigger the overflow.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1323 - - - OSVDB - - "15865" - - - URL - - http://seclists.org/lists/fulldisclosure/2005/Apr/0578.html - - - BID - - "13396" - path: extensions/metasploit/ - class: Msf_module -msf_freeftpd_user: - enable: true - msf: true - msf_key: windows/ftp/freeftpd_user - name: freeFTPd 1.0 Username Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the freeFTPd\n\ - \t\t\t\tmulti-protocol file transfer service. This flaw can only be\n\ - \t\t\t\texploited when logging has been enabled (non-default).\n\ - \t\t\t" - authors: - - - CVE - - 2005-3683 - - - OSVDB - - "20909" - - - BID - - "15457" - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html - path: extensions/metasploit/ - class: Msf_module -msf_servu_mdtm: - enable: true - msf: true - msf_key: windows/ftp/servu_mdtm - name: Serv-U FTPD MDTM Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for the Serv-U\\'s MDTM command timezone\n\ - \t\t\t\toverflow. It has been heavily tested against versions\n\ - \t\t\t\t4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against\n\ - \t\t\t\tnt4/2k/xp/2k3. I have also had success against version 3,\n\ - \t\t\t\tbut only tested 1 version/os. The bug is in all versions\n\ - \t\t\t\tprior to 5.0.0.4, but this exploit will not work against\n\ - \t\t\t\tversions not listed above. You only get one shot, but it\n\ - \t\t\t\tshould be OS/SP independent.\n\n\ - \t\t\t\tThis exploit is a single hit, the service dies after the\n\ - \t\t\t\tshellcode finishes execution.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0330 - - - OSVDB - - "4073" - - - URL - - http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html - - - URL - - http://www.cnhonker.com/advisory/serv-u.mdtm.txt - - - URL - - http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=54 - - - BID - - "9751" - path: extensions/metasploit/ - class: Msf_module -msf_mercur_imap_select_overflow: - enable: true - msf: true - msf_key: windows/imap/mercur_imap_select_overflow - name: Mercur v5.0 IMAP SP3 SELECT Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tMercur v5.0 IMAP server is prone to a remotely exploitable\n\ - \t\t\t\tstack-based buffer overflow vulnerability. This issue is due\n\ - \t\t\t\tto a failure of the application to properly bounds check\n\ - \t\t\t\tuser-supplied data prior to copying it to a fixed size memory buffer.\n\ - \t\t\t\tCredit to Tim Taylor for discover the vulnerability.\n\ - \t\t\t" - authors: - - - CVE - - 2006-1255 - - - OSVDB - - "23950" - - - BID - - "17138" - path: extensions/metasploit/ - class: Msf_module -msf_eudora_list: - enable: true - msf: true - msf_key: windows/imap/eudora_list - name: Qualcomm WorldMail 3.0 IMAPD LIST Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the Qualcomm WorldMail IMAP Server\n\ - \t\t\t\tversion 3.0 (builds 6.1.19.0 through 6.1.22.0). Version 6.1.22.1 fixes this\n\ - \t\t\t\tparticular vulnerability.\n\n\ - \t\t\t\tNOTE: The service does NOT restart automatically by default. You may be limited to\n\ - \t\t\t\tonly one attempt, so choose wisely!\n\ - \t\t\t" - authors: - - - CVE - - 2005-4267 - - - OSVDB - - "22097" - - - BID - - "15980" - path: extensions/metasploit/ - class: Msf_module -msf_mailenable_w3c_select: - enable: true - msf: true - msf_key: windows/imap/mailenable_w3c_select - name: MailEnable IMAPD W3C Logging Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the W3C logging\n\ - \t\t\t\tfunctionality of the MailEnable IMAPD service. Logging is\n\ - \t\t\t\tnot enabled by default and this exploit requires a valid\n\ - \t\t\t\tusername and password to exploit the flaw. MailEnable\n\ - \t\t\t\tProfessional version 1.6 and prior and MailEnable Enterprise\n\ - \t\t\t\tversion 1.1 and prior are affected.\n\ - \t\t\t" - authors: - - - CVE - - 2005-3155 - - - OSVDB - - "19842" - - - BID - - "15006" - path: extensions/metasploit/ - class: Msf_module -msf_mdaemon_fetch: - enable: true - msf: true - msf_key: windows/imap/mdaemon_fetch - name: MDaemon 9.6.4 IMAPD FETCH Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Alt-N MDaemon IMAP Server\n\ - \t\t\t\tversion 9.6.4 by sending an overly long FETCH BODY command. Valid IMAP\n\ - \t\t\t\taccount credentials are required. Credit to Matteo Memelli\n\ - \t\t\t" - authors: - - - CVE - - 2008-1358 - - - OSVDB - - "43111" - - - BID - - "28245" - - - URL - - http://www.milw0rm.com/exploits/5248 - path: extensions/metasploit/ - class: Msf_module -msf_novell_netmail_subscribe: - enable: true - msf: true - msf_key: windows/imap/novell_netmail_subscribe - name: Novell NetMail <= 3.52d IMAP SUBSCRIBE Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP SUBSCRIBE\n\ - \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ - \t\t\t\tbuffer and control program execution.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6761 - - - OSVDB - - "31360" - - - BID - - "21728" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=454 - path: extensions/metasploit/ - class: Msf_module -msf_novell_netmail_auth: - enable: true - msf: true - msf_key: windows/imap/novell_netmail_auth - name: Novell NetMail <=3.52d IMAP AUTHENTICATE Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetMail 3.52 IMAP AUTHENTICATE\n\ - \t\t\t\tGSSAPI command. By sending an overly long string, an attacker can overwrite the\n\ - \t\t\t\tbuffer and control program execution. Using the PAYLOAD of windows/shell_bind_tcp\n\ - \t\t\t\tor windows/shell_reverse_tcp allows for the most reliable results.\n\ - \t\t\t" - authors: - - - OSVDB - - "55175" - - - URL - - http://www.w00t-shell.net/# - path: extensions/metasploit/ - class: Msf_module -msf_mailenable_status: - enable: true - msf: true - msf_key: windows/imap/mailenable_status - name: MailEnable IMAPD (1.54) STATUS Request Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tMailEnable's IMAP server contains a buffer overflow\n\ - \t\t\t\tvulnerability in the STATUS command. With proper\n\ - \t\t\t\tcredentials, this could allow for the execution of arbitrary\n\ - \t\t\t\tcode.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2278 - - - OSVDB - - "17844" - - - BID - - "14243" - - - NSS - - "19193" - path: extensions/metasploit/ - class: Msf_module -msf_mdaemon_cram_md5: - enable: true - msf: true - msf_key: windows/imap/mdaemon_cram_md5 - name: Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the CRAM-MD5\n\ - \t\t\t\tauthentication of the MDaemon IMAP service. This\n\ - \t\t\t\tvulnerability was discovered by Muts.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1520 - - - OSVDB - - "11838" - - - BID - - "11675" - path: extensions/metasploit/ - class: Msf_module -msf_novell_netmail_status: - enable: true - msf: true - msf_key: windows/imap/novell_netmail_status - name: Novell NetMail <= 3.52d IMAP STATUS Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP STATUS\n\ - \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ - \t\t\t\tbuffer and control program execution.\n\ - \t\t\t" - authors: - - - CVE - - 2005-3314 - - - OSVDB - - "20956" - - - BID - - "15491" - path: extensions/metasploit/ - class: Msf_module -msf_mercury_login: - enable: true - msf: true - msf_key: windows/imap/mercury_login - name: Mercury/32 <= 4.01b LOGIN Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Mercury/32 <= 4.01b IMAPD\n\ - \t\t\t\tLOGIN verb. By sending a specially crafted login command, a buffer\n\ - \t\t\t\tis corrupted, and code execution is possible. This vulnerability was\n\ - \t\t\t\tdiscovered by (mu-b at digit-labs.org).\n\ - \t\t\t" - authors: - - - CVE - - 2007-1373 - - - OSVDB - - "33883" - path: extensions/metasploit/ - class: Msf_module -msf_mailenable_login: - enable: true - msf: true - msf_key: windows/imap/mailenable_login - name: MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tMailEnable's IMAP server contains a buffer overflow\n\ - \t\t\t\tvulnerability in the Login command.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6423 - - - OSVDB - - "32125" - - - BID - - "21492" - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051229.html - path: extensions/metasploit/ - class: Msf_module -msf_ipswitch_search: - enable: true - msf: true - msf_key: windows/imap/ipswitch_search - name: Ipswitch IMail IMAP SEARCH Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Ipswitch IMail Server 2006.1 IMAP SEARCH\n\ - \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ - \t\t\t\tbuffer and control program execution.\n\ - \t\t\t\tIn order for this module to be successful, the IMAP user must have at least one\n\ - \t\t\t\tmessage.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3925 - - - OSVDB - - "36219" - - - BID - - "24962" - path: extensions/metasploit/ - class: Msf_module -msf_mercury_rename: - enable: true - msf: true - msf_key: windows/imap/mercury_rename - name: Mercury/32 v4.01a IMAP RENAME Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in the\n\ - \t\t\t\tMercury/32 v.4.01a IMAP service.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1211 - - - OSVDB - - "12508" - - - BID - - "11775" - - - NSS - - "15867" - path: extensions/metasploit/ - class: Msf_module -msf_novell_netmail_append: - enable: true - msf: true - msf_key: windows/imap/novell_netmail_append - name: Novell NetMail <= 3.52d IMAP APPEND Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's Netmail 3.52 IMAP APPEND\n\ - \t\t\t\tverb. By sending an overly long string, an attacker can overwrite the\n\ - \t\t\t\tbuffer and control program execution.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6425 - - - OSVDB - - "31362" - - - BID - - "21723" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-06-054.html - path: extensions/metasploit/ - class: Msf_module -msf_mercur_login: - enable: true - msf: true - msf_key: windows/imap/mercur_login - name: Mercur Messaging 2005 IMAP Login Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3.\n\ - \t\t\t\tSince the room for shellcode is small, using the reverse ordinal payloads\n\ - \t\t\t\tyields the best results.\n\ - \t\t\t" - authors: - - - CVE - - 2006-1255 - - - OSVDB - - "23950" - - - BID - - "17138" - - - URL - - http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1104.html - path: extensions/metasploit/ - class: Msf_module -msf_imail_delete: - enable: true - msf: true - msf_key: windows/imap/imail_delete - name: IMail IMAP4D Delete Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the 'DELETE'\n\ - \t\t\t\tcommand of the the IMail IMAP4D service. This vulnerability\n\ - \t\t\t\tcan only be exploited with a valid username and password.\n\ - \t\t\t\tThis flaw was patched in version 8.14.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1520 - - - OSVDB - - "11838" - - - BID - - "11675" - path: extensions/metasploit/ - class: Msf_module -msf_ccproxy_telnet_ping: - enable: true - msf: true - msf_key: windows/proxy/ccproxy_telnet_ping - name: CCProxy <= v6.2 Telnet Proxy Ping Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the YoungZSoft CCProxy <= v6.2 suite\n\ - \t\t\t\tTelnet service. The stack is overwritten when sending an overly\n\ - \t\t\t\tlong address to the 'ping' command.\n\ - \t\t\t" - authors: - - - CVE - - 2004-2416 - - - OSVDB - - "11593" - - - BID - - "11666 " - - - URL - - http://milw0rm.com/exploits/621 - path: extensions/metasploit/ - class: Msf_module -msf_qbik_wingate_wwwproxy: - enable: true - msf: true - msf_key: windows/proxy/qbik_wingate_wwwproxy - name: Qbik WinGate WWW Proxy Server URL Processing Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Qbik WinGate version\n\ - \t\t\t\t6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the\n\ - \t\t\t\tHTTP proxy service on port 80, a remote attacker could overflow\n\ - \t\t\t\ta buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-2926 - - - OSVDB - - "26214" - - - BID - - "18312" - path: extensions/metasploit/ - class: Msf_module -msf_proxypro_http_get: - enable: true - msf: true - msf_key: windows/proxy/proxypro_http_get - name: Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Proxy-Pro Professional\n\ - \t\t\t\tGateKeeper 4.7. By sending a long HTTP GET to the default port\n\ - \t\t\t\tof 3128, a remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0326 - - - OSVDB - - "4027" - - - BID - - "9716" - path: extensions/metasploit/ - class: Msf_module -msf_bluecoat_winproxy_host: - enable: true - msf: true - msf_key: windows/proxy/bluecoat_winproxy_host - name: Blue Coat WinProxy Host Header Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the Blue Coat Systems WinProxy\n\ - \t\t\t\tservice by sending a long port value for the Host header in a HTTP\n\ - \t\t\t\trequest.\n\ - \t\t\t" - authors: - - - CVE - - 2005-4085 - - - OSVDB - - "22238" - - - BID - - "16147" - - - URL - - http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html - path: extensions/metasploit/ - class: Msf_module -msf_maxdb_webdbm_get_overflow: - enable: true - msf: true - msf_key: windows/http/maxdb_webdbm_get_overflow - name: MaxDB WebDBM GET Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the MaxDB WebDBM\n\ - \t\t\t\tservice. This service is included with many recent versions\n\ - \t\t\t\tof the MaxDB and SAPDB products. This particular module is\n\ - \t\t\t\tcapable of exploiting Windows systems through the use of an\n\ - \t\t\t\tSEH frame overwrite. The offset to the SEH frame may change\n\ - \t\t\t\tdepending on where MaxDB has been installed, this module\n\ - \t\t\t\tassumes a web root path with the same length as:\n\n\ - \t\t\t\tC:\\Program Files\\sdb\\programs\\web\\Documents\n\ - \t\t\t" - authors: - - - CVE - - 2005-0684 - - - OSVDB - - "15816" - - - URL - - http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities - - - BID - - "13368" - path: extensions/metasploit/ - class: Msf_module -msf_servu_session_cookie: - enable: true - msf: true - msf_key: windows/http/servu_session_cookie - name: Rhinosoft Serv-U Session Cookie Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.\n\ - \t\t\t\tSending a specially crafted POST request with an overly long session cookie\n\ - \t\t\t\tstring, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4006 - - - OSVDB - - "59772" - - - URL - - http://rangos.de/ServU-ADV.txt - - - URL - - http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071370.html - path: extensions/metasploit/ - class: Msf_module -msf_trackercam_phparg_overflow: - enable: true - msf: true - msf_key: windows/http/trackercam_phparg_overflow - name: TrackerCam PHP Argument Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a simple stack buffer overflow in the\n\ - \t\t\t\tTrackerCam web server. All current versions of this software\n\ - \t\t\t\tare vulnerable to a large number of security issues. This\n\ - \t\t\t\tmodule abuses the directory traversal flaw to gain\n\ - \t\t\t\tinformation about the system and then uses the PHP overflow\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0478 - - - OSVDB - - "13953" - - - OSVDB - - "13955" - - - BID - - "12592" - - - URL - - http://aluigi.altervista.org/adv/tcambof-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_maxdb_webdbm_database: - enable: true - msf: true - msf_key: windows/http/maxdb_webdbm_database - name: MaxDB WebDBM Database Parameter Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the MaxDB WebDBM\n\ - \t\t\t\tservice. By sending a specially-crafted HTTP request that contains\n\ - \t\t\t\tan overly long database name. A remote attacker could overflow a buffer\n\ - \t\t\t\tand execute arbitrary code on the system with privileges of the wahttp process.\n\n\ - \t\t\t\tThis module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4305 - - - OSVDB - - "28300" - - - BID - - "19660" - path: extensions/metasploit/ - class: Msf_module -msf_zenworks_uploadservlet: - enable: true - msf: true - msf_key: windows/http/zenworks_uploadservlet - name: Novell ZENworks Configuration Management Remote Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.\n\ - \t\t\t\tBy exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory\n\ - \t\t\t\tand then make a secondary request that allows for arbitrary code execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "63412" - - - BID - - "39114" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-078/ - - - URL - - http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html - path: extensions/metasploit/ - class: Msf_module -msf_mdaemon_worldclient_form2raw: - enable: true - msf: true - msf_key: windows/http/mdaemon_worldclient_form2raw - name: MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\tThis module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for\n\ - \t\t\tversions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),\n\ - \t\t\ta CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,\n\ - \t\t\tby writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),\n\ - \t\t\tthe temporary form2raw.cgi data is copied by MDaemon.exe and a stack based\n\ - \t\t\toverflow occurs when an excessively long From field is specified.\n\ - \t\t\tThe RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.\n\ - \t\t\tKeep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.\n\n\ - \t\t\tFurthermore, this exploit uses a direct memory jump into a nopsled (which isn't very\n\ - \t\t\treliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will\n\ - \t\t\tcontinue to crash/execute the payload until the CGI output is manually deleted\n\ - \t\t\tfrom the queue in C:\\MDaemon\\RawFiles\\*.raw.\n\ - \t\t\t" - authors: - - - CVE - - 2003-1200 - - - OSVDB - - "3255" - - - BID - - "9317" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_snmp: - enable: true - msf: true - msf_key: windows/http/hp_nnm_snmp - name: HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\ - \t\t\t\t\tBy sending a specially crafted CGI request to Snmp.exe, an attacker may be able to execute\n\ - \t\t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3849 - - - OSVDB - - "60933" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_getnnmdata_icount: - enable: true - msf: true - msf_key: windows/http/hp_nnm_getnnmdata_icount - name: HP OpenView Network Node Manager getnnmdata.exe (ICount) CGI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\ - \t\t\t\tBy sending specially crafted ICount parameter to the getnnmdata.exe CGI,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1554 - - - OSVDB - - "64976" - path: extensions/metasploit/ - class: Msf_module -msf_easyftp_list: - enable: true - msf: true - msf_key: windows/http/easyftp_list - name: EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11\n\ - \t\t\t\tand earlier. EasyFTP fails to check input size when parsing the 'path' parameter\n\ - \t\t\t\tsupplied to an HTTP GET request, which leads to a stack based buffer overflow.\n\ - \t\t\t\tEasyFTP allows anonymous access by default; valid credentials are typically\n\ - \t\t\t\tunnecessary to exploit this vulnerability.\n\n\ - \t\t\t\tAfter version 1.7.0.12, this package was renamed \"UplusFtp\".\n\n\ - \t\t\t\tDue to limited space, as well as difficulties using an egghunter, the use of\n\ - \t\t\t\tstaged, ORD, and/or shell payloads is recommended.\n\ - \t\t\t" - authors: - - - OSVDB - - "66614" - - - URL - - http://www.exploit-db.com/exploits/11500/ - path: extensions/metasploit/ - class: Msf_module -msf_novell_messenger_acceptlang: - enable: true - msf: true - msf_key: windows/http/novell_messenger_acceptlang - name: Novell Messenger Server 2.0 Accept-Language Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell GroupWise\n\ - \t\t\t\tMessenger Server v2.0. This flaw is triggered by any HTTP\n\ - \t\t\t\trequest with an Accept-Language header greater than 16 bytes.\n\ - \t\t\t\tTo overwrite the return address on the stack, we must first\n\ - \t\t\t\tpass a memcpy() operation that uses pointers we supply. Due to the\n\ - \t\t\t\tlarge list of restricted characters and the limitations of the current\n\ - \t\t\t\tencoder modules, very few payloads are usable.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0992 - - - OSVDB - - "24617" - - - BID - - "17503" - path: extensions/metasploit/ - class: Msf_module -msf_savant_31_overflow: - enable: true - msf: true - msf_key: windows/http/savant_31_overflow - name: Savant 3.1 Web Server Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Savant 3.1 Web Server. The service\n\ - \t\t\t\tsupports a maximum of 10 threads (for a default install). Each exploit attempt\n\ - \t\t\t\tgenerally causes a thread to die whether sucessful or not. Therefore, in a default\n\ - \t\t\t\tconfiguration, you only have 10 chances.\n\n\ - \t\t\t\tDue to the limited space available for the payload in this exploit module, use of the\n\ - \t\t\t\t\"ord\" payloads is recommended.\n\ - \t\t\t" - authors: - - - CVE - - 2002-1120 - - - OSVDB - - "9829" - - - BID - - "5686" - - - URL - - http://www.milw0rm.com/exploits/787 - path: extensions/metasploit/ - class: Msf_module -msf_ipswitch_wug_maincfgret: - enable: true - msf: true - msf_key: windows/http/ipswitch_wug_maincfgret - name: Ipswitch WhatsUp Gold 8.03 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By\n\ - \t\t\t\tposting a long string for the value of 'instancename' in the _maincfgret.cgi\n\ - \t\t\t\tscript an attacker can overflow a buffer and execute arbitrary code on the system.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0798 - - - OSVDB - - "9177" - - - BID - - "11043" - path: extensions/metasploit/ - class: Msf_module -msf_xitami_if_mod_since: - enable: true - msf: true - msf_key: windows/http/xitami_if_mod_since - name: Xitami 2.5c2 Web Server If-Modified-Since Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the iMatix Corporation\n\ - \t\t\t\tXitami Web Server. If a malicious user sends an\tIf-Modified-Since\n\ - \t\t\t\theader containing an overly long string, it may be possible to\n\ - \t\t\t\texecute a payload remotely. Due to size constraints, this module uses\n\ - \t\t\t\tthe Egghunter technique.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5067 - - - OSVDB - - "40594" - - - OSVDB - - "40595" - - - BID - - "25772" - - - URL - - http://www.milw0rm.com/exploits/4450 - path: extensions/metasploit/ - class: Msf_module -msf_ia_webmail: - enable: true - msf: true - msf_key: windows/http/ia_webmail - name: IA WebMail 3.x Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a stack buffer overflow in the IA WebMail server.\n\ - \t\t\t\tThis exploit has not been tested against a live system at\n\ - \t\t\t\tthis time.\n\ - \t\t\t" - authors: - - - CVE - - 2003-1192 - - - OSVDB - - "2757" - - - BID - - "8965" - - - URL - - http://www.k-otik.net/exploits/11.19.iawebmail.pl.php - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_ovas: - enable: true - msf: true - msf_key: windows/http/hp_nnm_ovas - name: HP OpenView NNM 7.53, 7.51 OVAS.EXE Pre-Authentication Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager versions 7.53 and earlier.\n\ - \t\t\t\tSpecifically this vulnerability is caused by a failure to properly handle user supplied input within the\n\ - \t\t\t\tHTTP request including headers and the actual URL GET request.\n\n\ - \t\t\t\tExploitation is tricky due to character restrictions. It was necessary to utilize a egghunter shellcode\n\ - \t\t\t\twhich was alphanumeric encoded by muts in the original exploit.\n\n\ - \t\t\t\tIf you plan on using exploit this for a remote shell, you will likely want to migrate to a different process\n\ - \t\t\t\tas soon as possible. Any connections get reset after a short period of time. This is probably some timeout\n\ - \t\t\t\thandling code that causes this.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1697 - - - OSVDB - - "43992" - - - BID - - "28569" - path: extensions/metasploit/ - class: Msf_module -msf_sybase_easerver: - enable: true - msf: true - msf_key: windows/http/sybase_easerver - name: Sybase EAServer 5.2 Remote Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Sybase EAServer Web\n\ - \t\t\t\tConsole. The offset to the SEH frame appears to change depending\n\ - \t\t\t\ton what version of Java is in use by the remote server, making this\n\ - \t\t\t\texploit somewhat unreliable.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2297 - - - OSVDB - - "17996" - - - BID - - "14287" - path: extensions/metasploit/ - class: Msf_module -msf_privatewire_gateway: - enable: true - msf: true - msf_key: windows/http/privatewire_gateway - name: Private Wire Gateway Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a buffer overflow in the ADMCREG.EXE used\n\ - \t\t\t\tin the PrivateWire Online Registration Facility.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3252 - - - OSVDB - - "26861" - - - BID - - "18647" - path: extensions/metasploit/ - class: Msf_module -msf_belkin_bulldog: - enable: true - msf: true - msf_key: windows/http/belkin_bulldog - name: Belkin Bulldog Plus Web Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Belkin Bulldog Plus\n\ - \t\t\t\t4.0.2 build 1219. When sending a specially crafted http request,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "54395" - - - BID - - "34033" - path: extensions/metasploit/ - class: Msf_module -msf_shoutcast_format: - enable: true - msf: true - msf_key: windows/http/shoutcast_format - name: SHOUTcast DNAS/win32 1.9.4 File Request Format String Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a format string vulnerability in the\n\ - \t\t\t\tNullsoft SHOUTcast server for Windows. The vulnerability is\n\ - \t\t\t\ttriggered by requesting a file path that contains format\n\ - \t\t\t\tstring specifiers. This vulnerability was discovered by\n\ - \t\t\t\tTomasz Trojanowski and Damian Put.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1373 - - - OSVDB - - "12585" - - - BID - - "12096" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_webappmon_ovjavalocale: - enable: true - msf: true - msf_key: windows/http/hp_nnm_webappmon_ovjavalocale - name: HP NNM CGI webappmon.exe OvJavaLocale Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n\ - \t\t\t\tBy sending a request continaing a cookie longer than 5120 bytes, an attacker can overflow\n\ - \t\t\t\ta stack buffer and execute arbitrary code.\n\n\ - \t\t\t\tThe vulnerable code is within the OvWwwDebug function. The static-sized stack buffer is\n\ - \t\t\t\tdeclared within this function. When the vulnerability is triggered, the stack trace looks\n\ - \t\t\t\tlike the following:\n\n\ - \t\t\t\t\t#0 ...\n\ - \t\t\t\t\t#1 sprintf_new(local_stack_buf, fmt, cooke);\n\ - \t\t\t\t\t#2 OvWwwDebug(\" HTTP_COOKIE=%s\\n\", cookie);\n\ - \t\t\t\t\t#3 ?OvWwwInit@@YAXAAHQAPADPBD@Z(x, x, x);\n\ - \t\t\t\t\t#4 sub_405ee0(\"nnm\", \"webappmon\");\n\n\ - \t\t\t\tNo validation is done on the cookie argument. There are no stack cookies, so exploitation\n\ - \t\t\t\tis easily achieved by overwriting the saved return address or SEH frame.\n\n\ - \t\t\t\tThe original advisory detailed an attack vector using the \"OvJavaLocale\" cookie being\n\ - \t\t\t\tpassed in a request ot \"webappmon.exe\". Further research shows that several different\n\ - \t\t\t\tcookie values, as well as several different CGI applications, can be used.\n\ - \t\t\t'" - authors: - - - CVE - - 2010-2709 - - - OSVDB - - "66932" - - - BID - - "42154" - - - URL - - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02446520 - - - URL - - http://www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_webappmon_execvp: - enable: true - msf: true - msf_key: windows/http/hp_nnm_webappmon_execvp - name: HP OpenView Network Node Manager execvp_nc Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ - \t\t\t\tprior to NNM_01207 or NNM_01206 without the SSRT100025 hotfix. By specifying a long 'sel'\n\ - \t\t\t\tparameter when calling methods within the 'webappmon.exe' CGI program, an attacker can\n\ - \t\t\t\tcause a stack-based buffer overflow and execute arbitrary code.\n\n\ - \t\t\t\tThis vulnerability is not triggerable via a GET request due to limitations on the\n\ - \t\t\t\trequest size. The buffer being targetted is 16384 bytes in size. There are actually two\n\ - \t\t\t\tadjacent buffers that both get overflowed (one into the other), and strcat is used.\n\n\ - \t\t\t\tThe vulnerable code is within the \"execvp_nc\" function within \"ov.dll\" prior to\n\ - \t\t\t\tv 1.30.12.69. There are no stack cookies, so exploitation is easily achieved by\n\ - \t\t\t\toverwriting the saved return address or SEH frame.\n\n\ - \t\t\t\tThis vulnerability might also be triggerable via other CGI programs, however this was\n\ - \t\t\t\tnot fully investigated.\n\ - \t\t\t" - authors: - - - CVE - - 2010-2703 - - - OSVDB - - "66514" - - - BID - - "41829" - - - URL - - http://www.vupen.com/english/advisories/2010/1866 - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-137/ - - - URL - - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02286088 - path: extensions/metasploit/ - class: Msf_module -msf_steamcast_useragent: - enable: true - msf: true - msf_key: windows/http/steamcast_useragent - name: Streamcast <= 0.9.75 HTTP User-Agent Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending\n\ - \t\t\t\t\tan overly long User-Agent in an HTTP GET request, an attacker may be able to\n\ - \t\t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0550 - - - OSVDB - - "42670" - - - URL - - http://aluigi.altervista.org/adv/steamcazz-adv.txt - - - BID - - "33898" - path: extensions/metasploit/ - class: Msf_module -msf_fdm_auth_header: - enable: true - msf: true - msf_key: windows/http/fdm_auth_header - name: Free Download Manager Remote Control Server Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Free Download Manager\n\ - \t\t\t\tRemote Control 2.5 Build 758. When sending a specially crafted\n\ - \t\t\t\tAuthorization header, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0183 - - - OSVDB - - "51745" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_ovwebsnmpsrv_main: - enable: true - msf: true - msf_key: windows/http/hp_nnm_ovwebsnmpsrv_main - name: HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ - \t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\ - \t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n\ - \t\t\t\tThis vulnerability is triggerable via either a GET or POST request. The buffer being\n\ - \t\t\t\twritten to is 1024 bytes in size. It is important to note that this vulnerability must\n\ - \t\t\t\tbe exploited by overwriting SEH. Otherwise, CVE-2010-1961 is triggered!\n\n\ - \t\t\t\tThe vulnerable code is within the \"main\" function within \"ovwebsnmpsrv.exe\" with a\n\ - \t\t\t\ttimestamp prior to April 7th, 2010. There are no stack cookies, so exploitation is\n\ - \t\t\t\teasily achieved by overwriting SEH structures.\n\n\ - \t\t\t\tThere exists some unreliability when running this exploit. It is not completely clear why\n\ - \t\t\t\tat this time, but may be related to OVWDB or session management. Also, on some attempts\n\ - \t\t\t\tOV NNM may report invalid characters in the URL. It is not clear what is causing this\n\ - \t\t\t\teither.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1964 - - - OSVDB - - "65552" - - - BID - - "40873" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-108/ - - - URL - - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439 - path: extensions/metasploit/ - class: Msf_module -msf_ibm_tpmfosd_overflow: - enable: true - msf: true - msf_key: windows/http/ibm_tpmfosd_overflow - name: IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\n\ - \t\t\t\tfor OS Deployment version 5.1.0.X.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1868 - - - OSVDB - - "34678" - - - BID - - "23264" - - - URL - - http://dvlabs.tippingpoint.com/advisory/TPTI-07-05 - path: extensions/metasploit/ - class: Msf_module -msf_ibm_tsm_cad_header: - enable: true - msf: true - msf_key: windows/http/ibm_tsm_cad_header - name: IBM Tivoli Storage Manager Express CAD Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).\n\ - \t\t\t\tBy sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4880 - - - OSVDB - - "38161" - - - BID - - "25743" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_ovwebsnmpsrv_uro: - enable: true - msf: true - msf_key: windows/http/hp_nnm_ovwebsnmpsrv_uro - name: HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ - \t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\ - \t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\ - \t\t\t\tThe vulnerable code is within the option parsing function within \"ovwebsnmpsrv.exe\" with a\n\ - \t\t\t\ttimestamp prior to April 7th, 2010.\n\n\ - \t\t\t\tReaching the vulnerable code requires a 'POST' request with an 'arg' parameter that, when combined\n\ - \t\t\t\twith a some static text, exceeds 10240 bytes. The parameter must begin with a dash. It is\n\ - \t\t\t\timportant to note that this vulnerability must be exploited by overwriting SEH. This is since\n\ - \t\t\t\toverflowing the buffer with controllable data always triggers an access violation when\n\ - \t\t\t\tattempting to write static text beyond the end of the stack.\n\n\ - \t\t\t\tExploiting this issue is a bit tricky due to a restrictive character set. In order to accomplish\n\ - \t\t\t\tarbitrary code execution, a double-backward jump is used in combination with the Alpha2\n\ - \t\t\t\tencoder.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1960 - - - OSVDB - - "65427" - - - BID - - "40637" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-105/ - - - URL - - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439 - path: extensions/metasploit/ - class: Msf_module -msf_navicopa_get_overflow: - enable: true - msf: true - msf_key: windows/http/navicopa_get_overflow - name: NaviCOPA 2.0.1 URL Handling Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in NaviCOPA 2.0.1.\n\ - \t\t\t\tThe vulnerability is caused due to a boundary error within the\n\ - \t\t\t\thandling of URL parameters.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5112 - - - OSVDB - - "29257" - - - BID - - "20250" - path: extensions/metasploit/ - class: Msf_module -msf_manageengine_apps_mngr: - enable: true - msf: true - msf_key: windows/http/manageengine_apps_mngr - name: ManageEngine Applications Manager Authenticated Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\t\tThis module logs into the Manage Engine Appplications Manager to upload a \n\ - \t\t\t\t\tpayload to the file system and a batch script that executes the payload. " - authors: [] - - path: extensions/metasploit/ - class: Msf_module -msf_sapdb_webtools: - enable: true - msf: true - msf_key: windows/http/sapdb_webtools - name: SAP DB 7.4 WebTools Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in SAP DB 7.4 WebTools.\n\ - \t\t\t\tBy sending an overly long GET request, it may be possible for\n\ - \t\t\t\tan attacker to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3614 - - - OSVDB - - "37838" - - - BID - - "24773" - path: extensions/metasploit/ - class: Msf_module -msf_ibm_tivoli_endpoint_bof: - enable: true - msf: true - msf_key: windows/http/ibm_tivoli_endpoint_bof - name: IBM Tivoli Endpoint Manager POST Query Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack based buffer overflow in the way IBM Tivoli \n\ - \t\t\t\tEndpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query \n\ - \t\t\t\targuments.\n\n\ - \t\t\t\tThis issue can be triggered by sending a specially crafted HTTP POST request to \n\ - \t\t\tthe service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization\n\ - \t\t\tis required. This exploit makes use of a second vulnerability, a hardcoded account \n\ - \t\t\t(tivoli/boss) is used to bypass the authorization restriction.\n\ - \t\t\t" - authors: - - - CVE - - 2011-1220 - - - OSVDB - - "72713" - - - OSVDB - - "72751" - - - BID - - "48049" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-11-169/ - path: extensions/metasploit/ - class: Msf_module -msf_apache_chunked: - enable: true - msf: true - msf_key: windows/http/apache_chunked - name: Apache Win32 Chunked Encoding - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the chunked transfer integer wrap\n\ - \t\t\t\tvulnerability in Apache version 1.2.x to 1.3.24. This\n\ - \t\t\t\tparticular module has been tested with all versions of the\n\ - \t\t\t\tofficial Win32 build between 1.3.9 and 1.3.24. Additionally,\n\ - \t\t\t\tit should work against most co-branded and bundled versions\n\ - \t\t\t\tof Apache (Oracle 8i, 9i, IBM HTTPD, etc).\n\n\ - \t\t\t\tYou will need to use the Check() functionality to determine\n\ - \t\t\t\tthe exact target version prior to launching the exploit. The\n\ - \t\t\t\tversion of Apache bundled with Oracle 8.1.7 will not\n\ - \t\t\t\tautomatically restart, so if you use the wrong target value,\n\ - \t\t\t\tthe server will crash.\n\ - \t\t\t" - authors: - - - CVE - - 2002-0392 - - - OSVDB - - "838" - - - BID - - "5033" - - - URL - - http://lists.insecure.org/lists/bugtraq/2002/Jun/0184.html - path: extensions/metasploit/ - class: Msf_module -msf_hp_power_manager_login: - enable: true - msf: true - msf_key: windows/http/hp_power_manager_login - name: Hewlett-Packard Power Manager Administration Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Hewlett-Packard Power Manager 4.2.\n\ - \t\t\t\tSending a specially crafted POST request with an overly long Login string, an\n\ - \t\t\t\tattacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2685 - - - OSVDB - - "59684" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_openview5: - enable: true - msf: true - msf_key: windows/http/hp_nnm_openview5 - name: HP OpenView Network Node Manager OpenView5.exe CGI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\ - \t\t\t\tBy sending a specially crafted CGI request, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-6204 - - - OSVDB - - "39530" - - - BID - - "26741" - path: extensions/metasploit/ - class: Msf_module -msf_psoproxy91_overflow: - enable: true - msf: true - msf_key: windows/http/psoproxy91_overflow - name: PSO Proxy v0.91 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a buffer overflow in the PSO Proxy v0.91 web server.\n\ - \t\t\t\tIf a client sends an excessively long string the stack is overwritten.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0313 - - - OSVDB - - "4028" - - - URL - - http://www.milw0rm.com/exploits/156 - - - BID - - "9706" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_snmpviewer_actapp: - enable: true - msf: true - msf_key: windows/http/hp_nnm_snmpviewer_actapp - name: HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ - \t\t\t\tprior to NNM_01203. By making a specially crafted HTTP request to the \"snmpviewer.exe\"\n\ - \t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary\n\ - \t\t\t\tcode.\n\n\ - \t\t\t\tThe vulnerable code lies within the a function within \"snmpviewer.exe\" with a\n\ - \t\t\t\ttimestamp prior to April 7th, 2010. This vulnerability is triggerable via either a GET\n\ - \t\t\t\tor POST request. The request must contain 'act' and 'app' parameters which, when\n\ - \t\t\t\tcombined, total more than the 1024 byte stack buffer can hold.\n\n\ - \t\t\t\tIt is important to note that this vulnerability must be exploited by overwriting SEH.\n\ - \t\t\t\tWhile the saved return address can be smashed, a function call that occurs before\n\ - \t\t\t\tthe function returns calls \"exit\".\n\ - \t\t\t" - authors: - - - CVE - - 2010-1552 - - - OSVDB - - "64975" - - - BID - - "40068" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-083/ - - - URL - - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02153379 - path: extensions/metasploit/ - class: Msf_module -msf_mailenable_auth_header: - enable: true - msf: true - msf_key: windows/http/mailenable_auth_header - name: MailEnable Authorization Header Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a remote buffer overflow in the MailEnable web service.\n\ - \t\t\t\tThe vulnerability is triggered when a large value is placed into the Authorization\n\ - \t\t\t\theader of the web request. MailEnable Enterprise Edition versions priot to 1.0.5 and\n\ - \t\t\t\tMailEnable Professional versions prior to 1.55 are affected.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1348 - - - OSVDB - - "15913" - - - OSVDB - - "15737" - - - BID - - "13350" - - - NSS - - "18123" - path: extensions/metasploit/ - class: Msf_module -msf_efs_easychatserver_username: - enable: true - msf: true - msf_key: windows/http/efs_easychatserver_username - name: EFS Easy Chat Server Authentication Request Handling Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in EFS Software Easy Chat Server. By\n\ - \t\t\t\tsending a overly long authentication request, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\n\ - \t\t\t\tNOTE: The offset to SEH is influenced by the installation path of the program.\n\ - \t\t\t\tThe path, which defaults to \"C:\\Program Files\\Easy Chat Server\", is concatentated\n\ - \t\t\t\twith \"\\users\\\" and the string passed as the username HTTP paramter.\n\ - \t\t\t" - authors: - - - CVE - - 2004-2466 - - - OSVDB - - "7416" - - - BID - - "25328" - path: extensions/metasploit/ - class: Msf_module -msf_apache_modjk_overflow: - enable: true - msf: true - msf_key: windows/http/apache_modjk_overflow - name: Apache mod_jk 1.2.20 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is a stack buffer overflow exploit for mod_jk 1.2.20.\n\ - \t\t\t\tShould work on any Win32 OS.\n\ - \t\t\t" - authors: - - - CVE - - 2007-0774 - - - OSVDB - - "33855" - - - BID - - "22791" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-07-008.html - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_toolbar_02: - enable: true - msf: true - msf_key: windows/http/hp_nnm_toolbar_02 - name: HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0\n\ - \t\t\t\tand 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an\n\ - \t\t\t\tattacker may be able to execute arbitrary code. Please note that this module only works\n\ - \t\t\t\tagainst a specific build (ie. NNM 7.53_01195)\n\ - \t\t\t" - authors: - - - CVE - - 2009-0920 - - - OSVDB - - "53242" - - - BID - - "34294" - - - URL - - http://www.coresecurity.com/content/openview-buffer-overflows - path: extensions/metasploit/ - class: Msf_module -msf_oracle9i_xdb_pass: - enable: true - msf: true - msf_key: windows/http/oracle9i_xdb_pass - name: Oracle 9i XDB HTTP PASS Overflow (win32) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the authorization\n\ - \t\t\t\tcode of the Oracle 9i HTTP XDB service. David Litchfield,\n\ - \t\t\t\thas illustrated multiple vulnerabilities in the Oracle\n\ - \t\t\t\t9i XML Database (XDB), during a seminar on \"Variations\n\ - \t\t\t\tin exploit methods between Linux and Windows\" presented\n\ - \t\t\t\tat the Blackhat conference.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0727 - - - OSVDB - - "2449" - - - BID - - "8375" - - - URL - - http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_nnmrptconfig_schdparams: - enable: true - msf: true - msf_key: windows/http/hp_nnm_nnmrptconfig_schdparams - name: HP OpenView NNM nnmRptConfig.exe schdParams Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits NNM's nnmRptConfig.exe. Similar to other NNM CGI bugs,\n\ - \t\t\t\tthe overflow occurs during a ov.sprintf_new() call, which allows an attacker to\n\ - \t\t\t\toverwrite data on the stack, and gain arbitrary code execution.\n\ - \t\t\t" - authors: - - - CVE - - 2011-0267 - - - OSVDB - - "70473" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-11-009/ - path: extensions/metasploit/ - class: Msf_module -msf_webster_http: - enable: true - msf: true - msf_key: windows/http/webster_http - name: Webster HTTP Server GET Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a stack buffer overflow in the Webster HTTP server.\n\ - \t\t\t\t\tThe server and source code was released within an article from\n\ - \t\t\t\t\tthe Microsoft Systems Journal in February 1996 titled \"Write a\n\ - \t\t\t\t\tSimple HTTP-based Server Using MFC and Windows Sockets\".\n\ - \t\t\t" - authors: - - - CVE - - 2002-2268 - - - OSVDB - - "44106" - - - BID - - "6289" - - - URL - - http://www.microsoft.com/msj/archive/s25f.aspx - - - URL - - http://www.netdave.com/webster/webster.htm - path: extensions/metasploit/ - class: Msf_module -msf_httpdx_handlepeer: - enable: true - msf: true - msf_key: windows/http/httpdx_handlepeer - name: HTTPDX h_handlepeer() Function Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow vulnerability in HTTPDX HTTP server 1.4. The\n\ - \t\t\t\tvulnerability is caused due to a boundary error within the \"h_handlepeer()\" function in http.cpp.\n\ - \t\t\t\tBy sending an overly long HTTP request, an attacker can overrun a buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "58714" - - - CVE - - 2009-3711 - - - URL - - http://www.pank4j.com/exploits/httpdxb0f.php - - - URL - - http://www.rec-sec.com/2009/10/16/httpdx-buffer-overflow-exploit/ - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_getnnmdata_maxage: - enable: true - msf: true - msf_key: windows/http/hp_nnm_getnnmdata_maxage - name: HP OpenView Network Node Manager getnnmdata.exe (MaxAge) CGI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\ - \t\t\t\tBy sending specially crafted MaxAge parameter to the getnnmdata.exe CGI,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1553 - - - OSVDB - - "64976" - path: extensions/metasploit/ - class: Msf_module -msf_hp_openview_insight_backdoor: - enable: true - msf: true - msf_key: windows/http/hp_openview_insight_backdoor - name: HP OpenView Performance Insight Server Backdoor Account Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a hidden account in the com.trinagy.security.XMLUserManager Java\n\ - \t\t\t\tclass. When using this account, an attacker can abuse the \n\ - \t\t\t\tcom.trinagy.servlet.HelpManagerServlet class and write arbitary files to the system \n\ - \t\t\t\tallowing the execution of arbitary code.\n\n\ - \t\t\t\tNOTE: This module has only been tested against HP OpenView Performance Insight Server 5.41.0\n\ - \t\t\t" - authors: - - - CVE - - 2011-0276 - - - OSVDB - - "70754" - path: extensions/metasploit/ - class: Msf_module -msf_bea_weblogic_transfer_encoding: - enable: true - msf: true - msf_key: windows/http/bea_weblogic_transfer_encoding - name: BEA Weblogic Transfer-Encoding Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack based buffer overflow in the BEA\n\ - \t\t\t\tWeblogic Apache plugin. This vulnerability exists in the\n\ - \t\t\t\terror reporting for unknown Transfer-Encoding headers.\n\ - \t\t\t\tYou may have to run this twice due to timing issues with handlers.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4008 - - - OSVDB - - "49283" - - - URL - - http://support.bea.com/application_content/product_portlets/securityadvisories/2806.html - path: extensions/metasploit/ - class: Msf_module -msf_icecast_header: - enable: true - msf: true - msf_key: windows/http/icecast_header - name: Icecast (<= 2.0.1) Header Overwrite (win32) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the header parsing\n\ - \t\t\t\tof icecast, discovered by Luigi Auriemma. Sending 32 HTTP\n\ - \t\t\t\theaders will cause a write one past the end of a pointer\n\ - \t\t\t\tarray. On win32 this happens to overwrite the saved\n\ - \t\t\t\tinstruction pointer, and on linux (depending on compiler,\n\ - \t\t\t\tetc) this seems to generally overwrite nothing crucial (read\n\ - \t\t\t\tnot exploitable).\n\n\ - \t\t\t\t!! This exploit uses ExitThread(), this will leave icecast\n\ - \t\t\t\tthinking the thread is still in use, and the thread counter\n\ - \t\t\t\twon't be decremented. This means for each time your payload\n\ - \t\t\t\texits, the counter will be left incremented, and eventually\n\ - \t\t\t\tthe threadpool limit will be maxed. So you can multihit,\n\ - \t\t\t\tbut only till you fill the threadpool.\n\n\ - \t\t\t" - authors: - - - CVE - - 2004-1561 - - - OSVDB - - "10406" - - - BID - - "11271" - - - URL - - http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html - path: extensions/metasploit/ - class: Msf_module -msf_amlibweb_webquerydll_app: - enable: true - msf: true - msf_key: windows/http/amlibweb_webquerydll_app - name: Amlibweb NetOpacs webquery.dll Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Amlib's Amlibweb\n\ - \t\t\t\tLibrary Management System (NetOpacs). The webquery.dll\n\ - \t\t\t\tAPI is available through IIS requests. By specifying\n\ - \t\t\t\tan overly long string to the 'app' parameter, SeH can be\n\ - \t\t\t\treliably overwritten allowing for arbitrary remote code execution.\n\ - \t\t\t\tIn addition, it is possible to overwrite EIP by specifying\n\ - \t\t\t\tan arbitrary parameter name with an '=' terminator.\n\ - \t\t\t" - authors: - - - OSVDB - - "66814" - - - URL - - http://www.aushack.com/advisories/ - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_toolbar_01: - enable: true - msf: true - msf_key: windows/http/hp_nnm_toolbar_01 - name: HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\ - \t\t\t\tBy sending a specially crafted CGI request to Toolbar.exe, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0067 - - - OSVDB - - "53222" - - - BID - - "33147" - path: extensions/metasploit/ - class: Msf_module -msf_edirectory_imonitor: - enable: true - msf: true - msf_key: windows/http/edirectory_imonitor - name: eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in eDirectory 8.7.3\n\ - \t\t\t\tiMonitor service. This vulnerability was discovered by Peter\n\ - \t\t\t\tWinter-Smith of NGSSoftware.\n\n\ - \t\t\t\tNOTE: repeated exploitation attempts may cause eDirectory to crash. It does\n\ - \t\t\t\tnot restart automatically in a default installation.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2551 - - - OSVDB - - "18703" - - - BID - - "14548" - path: extensions/metasploit/ - class: Msf_module -msf_altn_webadmin: - enable: true - msf: true - msf_key: windows/http/altn_webadmin - name: Alt-N WebAdmin USER Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tAlt-N WebAdmin is prone to a buffer overflow condition. This\n\ - \t\t\t\tis due to insufficient bounds checking on the USER\n\ - \t\t\t\tparameter. Successful exploitation could result in code\n\ - \t\t\t\texecution with SYSTEM level privileges.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0471 - - - OSVDB - - "2207" - - - BID - - "8024" - - - NSS - - "11771" - path: extensions/metasploit/ - class: Msf_module -msf_bea_weblogic_jsessionid: - enable: true - msf: true - msf_key: windows/http/bea_weblogic_jsessionid - name: BEA WebLogic JSESSIONID Cookie Value Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in BEA\\'s WebLogic plugin. The vulnerable\n\ - \t\t\t\tcode is only accessible when clustering is configured. A request containing a\n\ - \t\t\t\tlong JSESSION cookie value can lead to arbirtary code execution.\n\ - \t\t\t" - authors: - - - CVE - - 2008-5457 - - - OSVDB - - "51311" - path: extensions/metasploit/ - class: Msf_module -msf_mcafee_epolicy_source: - enable: true - msf: true - msf_key: windows/http/mcafee_epolicy_source - name: McAfee ePolicy Orchestrator / ProtectionPilot Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for the McAfee HTTP Server (NAISERV.exe).\n\ - \t\t\t\tMcAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are\n\ - \t\t\t\tknown to be vulnerable. By sending a large 'Source' header, the stack can\n\ - \t\t\t\tbe overwritten. This module is based on the exploit by xbxice and muts.\n\ - \t\t\t\tDue to size constraints, this module uses the Egghunter technique.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5156 - - - OSVDB - - "29421 " - - - URL - - http://www.milw0rm.com/exploits/2467 - - - URL - - http://www.remote-exploit.org/advisories/mcafee-epo.pdf - - - BID - - "20288" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_ovwebsnmpsrv_ovutil: - enable: true - msf: true - msf_key: windows/http/hp_nnm_ovwebsnmpsrv_ovutil - name: HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53\n\ - \t\t\t\tprior to NNM_01203. By specifying a long 'arg' parameter when executing the 'jovgraph.exe'\n\ - \t\t\t\tCGI program, an attacker can cause a stack-based buffer overflow and execute arbitrary code.\n\n\ - \t\t\t\tThis vulnerability is triggerable via either a GET or POST request. It is interesting to\n\ - \t\t\t\tnote that this vulnerability cannot be exploited by overwriting SEH, since attempting\n\ - \t\t\t\tto would trigger CVE-2010-1964.\n\n\ - \t\t\t\tThe vulnerable code is within a sub-function called from \"main\" within \"ovwebsnmpsrv.exe\"\n\ - \t\t\t\twith a timestamp prior to April 7th, 2010. This function contains a 256 byte stack buffer\n\ - \t\t\t\twhich is passed to the \"getProxiedStorageAddress\" function within ovutil.dll. When\n\ - \t\t\t\tprocessing the address results in an error, the buffer is overflowed in a call to sprintf_new.\n\ - \t\t\t\tThere are no stack cookies present, so exploitation is easily achieved by overwriting the\n\ - \t\t\t\tsaved return address.\n\n\ - \t\t\t\tThere exists some unreliability when running this exploit. It is not completely clear why\n\ - \t\t\t\tat this time, but may be related to OVWDB or session management. Also, on some attempts\n\ - \t\t\t\tOV NNM may report invalid characters in the URL. It is not clear what is causing this\n\ - \t\t\t\teither.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1961 - - - OSVDB - - "65428" - - - BID - - "40638" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-106/ - - - URL - - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439 - path: extensions/metasploit/ - class: Msf_module -msf_intersystems_cache: - enable: true - msf: true - msf_key: windows/http/intersystems_cache - name: InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n\ - \t\t\t\tBy sending a specially crafted GET request, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "60549" - - - BID - - "37177" - path: extensions/metasploit/ - class: Msf_module -msf_integard_password_bof: - enable: true - msf: true - msf_key: windows/http/integard_password_bof - name: Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\t\tThis module exploits a stack buffer overflow in Race river's Integard Home/Pro\n\ - \t\t\t\t\tinternet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are\n\ - \t\t\t\t\tvulnerable.\n\n\ - \t\t\t\t\tThe administration web page on port 18881 is vulnerable to a remote buffer overflow\n\ - \t\t\t\t\tattack. By sending an long character string in the password field, both the structured\n\ - \t\t\t\t\texception handler and the saved extended instruction pointer are over written, allowing\n\ - \t\t\t\t\tan attacker to gain control of the application and the underlying operating system\n\ - \t\t\t\t\tremotely.\n\n\ - \t\t\t\t\tThe administration website service runs with SYSTEM privileges, and automatically\n\ - \t\t\t\t\trestarts when it crashes.\n\ - \t\t\t" - authors: - - - OSVDB - - "67909" - - - URL - - http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061 - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_getnnmdata_hostname: - enable: true - msf: true - msf_key: windows/http/hp_nnm_getnnmdata_hostname - name: HP OpenView Network Node Manager getnnmdata.exe (Hostname) CGI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in HP OpenView Network Node Manager 7.50/7.53.\n\ - \t\t\t\tBy sending specially crafted Hostname parameter to the getnnmdata.exe CGI,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1555 - - - OSVDB - - "64976" - path: extensions/metasploit/ - class: Msf_module -msf_nowsms: - enable: true - msf: true - msf_key: windows/http/nowsms - name: Now SMS/MMS Gateway Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Now SMS/MMS Gateway v2007.06.27.\n\ - \t\t\t\tBy sending a specially crafted GET request, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0871 - - - OSVDB - - "42953" - - - BID - - "27896" - path: extensions/metasploit/ - class: Msf_module -msf_sambar6_search_results: - enable: true - msf: true - msf_key: windows/http/sambar6_search_results - name: Sambar 6 Search Results Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\tThis module exploits a buffer overflow found in the\n\ - \t\t\t/search/results.stm application that comes with Sambar 6.\n\ - \t\t\tThis code is a direct port of Andrew Griffiths's SMUDGE\n\ - \t\t\texploit, the only changes made were to the nops and payload.\n\ - \t\t\tThis exploit causes the service to die, whether you provided\n\ - \t\t\tthe correct target or not.\n\ - \t\t\t" - authors: - - - CVE - - 2004-2086 - - - OSVDB - - "5786" - - - BID - - "9607" - path: extensions/metasploit/ - class: Msf_module -msf_kolibri_http: - enable: true - msf: true - msf_key: windows/http/kolibri_http - name: Kolibri <= v2.0 HTTP Server HEAD Buffer Overflow - category: Metasploit - description: This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server. - authors: - - - CVE - - 2002-2268 - - - OSVDB - - "70808" - - - BID - - "6289" - - - URL - - http://www.exploit-db.com/exploits/15834/ - path: extensions/metasploit/ - class: Msf_module -msf_ca_igateway_debug: - enable: true - msf: true - msf_key: windows/http/ca_igateway_debug - name: CA iTechnology iGateway Debug Mode Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the Computer Associates\n\ - \t\t\t\tiTechnology iGateway component. When True is enabled\n\ - \t\t\t\tin igateway.conf (non-default), it is possible to overwrite the stack\n\ - \t\t\t\tand execute code remotely. This module works best with Ordinal payloads.\n\ - \t\t\t" - authors: - - - CVE - - 2005-3190 - - - OSVDB - - "19920" - - - URL - - http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485 - - - URL - - http://www.milw0rm.com/exploits/1243 - - - BID - - "15025" - path: extensions/metasploit/ - class: Msf_module -msf_shttpd_post: - enable: true - msf: true - msf_key: windows/http/shttpd_post - name: SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in SHTTPD <= 1.34.\n\ - \t\t\t\tThe vulnerability is caused due to a boundary error within the\n\ - \t\t\t\thandling of POST requests. Based on an original exploit by skOd\n\ - \t\t\t\tbut using a different method found by hdm.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5216 - - - OSVDB - - "29565" - - - URL - - http://shttpd.sourceforge.net - - - BID - - "20393" - path: extensions/metasploit/ - class: Msf_module -msf_badblue_passthru: - enable: true - msf: true - msf_key: windows/http/badblue_passthru - name: BadBlue 2.72b PassThru Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the PassThru\n\ - \t\t\t\tfunctionality in ext.dll in BadBlue 2.72b and earlier.\n\ - \t\t\t" - authors: - - - CVE - - 2007-6377 - - - OSVDB - - "42416" - - - BID - - "26803" - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_nnmrptconfig_nameparams: - enable: true - msf: true - msf_key: windows/http/hp_nnm_nnmrptconfig_nameparams - name: HP OpenView NNM nnmRptConfig nameParams Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a vulnerability in HP NNM's nnmRptConfig.exe.\n\ - \t\t\t\tA remote user can send a long string data to the nameParams parameter via\n\ - \t\t\t\ta POST request, which causes an overflow on the stack when function\n\ - \t\t\t\tov.sprintf_new() is used, and gain arbitrary code execution.'\n\ - \t\t\t" - authors: - - - CVE - - 2011-0266 - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-11-008/ - path: extensions/metasploit/ - class: Msf_module -msf_edirectory_host: - enable: true - msf: true - msf_key: windows/http/edirectory_host - name: Novell eDirectory NDS Server Host Header Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell eDirectory 8.8.1.\n\ - \t\t\t\tThe web interface does not validate the length of the\n\ - \t\t\t\tHTTP Host header prior to using the value of that header in an\n\ - \t\t\t\tHTTP redirect.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5478 - - - OSVDB - - "29993" - - - BID - - "20655" - path: extensions/metasploit/ - class: Msf_module -msf_badblue_ext_overflow: - enable: true - msf: true - msf_key: windows/http/badblue_ext_overflow - name: BadBlue 2.5 EXT.dll Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis is a stack buffer overflow exploit for BadBlue version 2.5.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0595 - - - OSVDB - - "14238" - - - BID - - "7387" - path: extensions/metasploit/ - class: Msf_module -msf_novell_imanager_upload: - enable: true - msf: true - msf_key: windows/http/novell_imanager_upload - name: Novell iManager getMultiPartParameters Arbitrary File Upload - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a directory traversal vulnerability which\n\ - \t\t\t\tallows remote attackers to upload and execute arbitrary code.\n\n\ - \t\t\t\tPortalModuleInstallManager\n\ - \t\t\t" - authors: - - - OSVDB - - "68320" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-190/ - - - URL - - http://www.novell.com/support/viewContent.do?externalId=7006515&sliceId=2 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_robohelper_authbypass: - enable: true - msf: true - msf_key: windows/http/adobe_robohelper_authbypass - name: Adobe RoboHelp Server 8 Arbitrary File Upload and Execute - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an authentication bypass vulnerability which\n\ - \t\t\t\tallows remote attackers to upload and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3068 - - - OSVDB - - "57896" - - - URL - - http://www.intevydis.com/blog/?p=69 - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-09-066 - path: extensions/metasploit/ - class: Msf_module -msf_minishare_get_overflow: - enable: true - msf: true - msf_key: windows/http/minishare_get_overflow - name: Minishare 1.4.1 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is a simple buffer overflow for the minishare web\n\ - \t\t\t\tserver. This flaw affects all versions prior to 1.4.2. This\n\ - \t\t\t\tis a plain stack buffer overflow that requires a \"jmp esp\" to reach\n\ - \t\t\t\tthe payload, making this difficult to target many platforms\n\ - \t\t\t\tat once. This module has been successfully tested against\n\ - \t\t\t\t1.4.1. Version 1.3.4 and below do not seem to be vulnerable.\n\ - \t\t\t" - authors: - - - CVE - - 2004-2271 - - - OSVDB - - "11530" - - - BID - - "11620" - - - URL - - http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_ovalarm_lang: - enable: true - msf: true - msf_key: windows/http/hp_nnm_ovalarm_lang - name: HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.53.\n\ - \t\t\t\tBy sending a specially crafted CGI request to ovalarm.exe, an attacker can execute\n\ - \t\t\t\tarbitrary code.\n\n\ - \t\t\t\tThis specific vulnerability is due to a call to \"sprintf_new\" in the \"isWide\"\n\ - \t\t\t\tfunction within \"ovalarm.exe\". A stack buffer overflow occurs when processing an\n\ - \t\t\t\tHTTP request that contains the following.\n\n\ - \t\t\t\t1. An \"Accept-Language\" header longer than 100 bytes\n\ - \t\t\t\t2. An \"OVABverbose\" URI variable set to \"on\", \"true\" or \"1\"\n\n\ - \t\t\t\tThe vulnerability is related to \"_WebSession::GetWebLocale()\" ..\n\n\ - \t\t\t\tNOTE: This exploit has been tested successfully with a reverse_ord_tcp payload.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4179 - - - OSVDB - - "60930" - - - BID - - "37347" - - - URL - - http://dvlabs.tippingpoint.com/advisory/TPTI-09-12 - - - URL - - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01950877 - path: extensions/metasploit/ - class: Msf_module -msf_coldfusion_fckeditor: - enable: true - msf: true - msf_key: windows/http/coldfusion_fckeditor - name: ColdFusion 8.0.1 Arbitrary File Upload and Execute - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload\n\ - \t\t\t\tand Execute vulnerability.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2265 - - - OSVDB - - "55684" - path: extensions/metasploit/ - class: Msf_module -msf_altn_securitygateway: - enable: true - msf: true - msf_key: windows/http/altn_securitygateway - name: Alt-N SecurityGateway username Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tAlt-N SecurityGateway is prone to a buffer overflow condition. This\n\ - \t\t\t\tis due to insufficient bounds checking on the \"username\"\n\ - \t\t\t\tparameter. Successful exploitation could result in code\n\ - \t\t\t\texecution with SYSTEM level privileges.\n\n\ - \t\t\t\tNOTE: This service doesn't restart, you'll only get one shot. However,\n\ - \t\t\t\tit often survives a successful exploitation attempt.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4193 - - - OSVDB - - "45854" - - - BID - - "29457" - path: extensions/metasploit/ - class: Msf_module -msf_apache_mod_rewrite_ldap: - enable: true - msf: true - msf_key: windows/http/apache_mod_rewrite_ldap - name: Apache module mod_rewrite LDAP protocol Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits the mod_rewrite LDAP protocol scheme handling\n\ - \t\t\t\tflaw discovered by Mark Dowd, which produces an off-by-one overflow.\n\ - \t\t\t\tApache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.\n\ - \t\t\t\tThis module requires REWRITEPATH to be set accurately. In addition,\n\ - \t\t\t\tthe target must have 'RewriteEngine on' configured, with a specific\n\ - \t\t\t\t'RewriteRule' condition enabled to allow for exploitation.\n\n\ - \t\t\t\tThe flaw affects multiple platforms, however this module currently\n\ - \t\t\t\tonly supports Windows based installations.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3747 - - - OSVDB - - "27588" - - - BID - - "19204" - - - URL - - http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html - - - URL - - http://www.milw0rm.com/exploits/3680 - - - URL - - http://www.milw0rm.com/exploits/3996 - - - URL - - http://www.milw0rm.com/exploits/2237 - path: extensions/metasploit/ - class: Msf_module -msf_hp_nnm_ovwebhelp: - enable: true - msf: true - msf_key: windows/http/hp_nnm_ovwebhelp - name: HP OpenView Network Node Manager OvWebHelp.exe CGI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.50.\n\ - \t\t\t\tBy sending a specially crafted CGI request to OvWebHelp.exe, an attacker may be able to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4178 - - - OSVDB - - "60929" - - - BID - - "37340" - path: extensions/metasploit/ - class: Msf_module -msf_kerio_auth: - enable: true - msf: true - msf_key: windows/firewall/kerio_auth - name: Kerio Firewall 2.1.4 Authentication Packet Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Kerio Personal Firewall\n\ - \t\t\t\tadministration authentication process. This module has only been tested\n\ - \t\t\t\tagainst Kerio Personal Firewall 2 (2.1.4).\n\ - \t\t\t" - authors: - - - CVE - - 2003-0220 - - - OSVDB - - "6294" - - - BID - - "7180" - - - URL - - http://www1.corest.com/common/showdoc.php?idx=314&idxseccion=10 - path: extensions/metasploit/ - class: Msf_module -msf_blackice_pam_icq: - enable: true - msf: true - msf_key: windows/firewall/blackice_pam_icq - name: ISS PAM.dll ICQ Parser Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the ISS products that use\n\ - \t\t\t\tthe iss-pam1.dll ICQ parser (Blackice/RealSecure). Successful exploitation\n\ - \t\t\t\twill result in arbitrary code execution as LocalSystem. This exploit\n\ - \t\t\t\tonly requires 1 UDP packet, which can be both spoofed and sent to a broadcast\n\ - \t\t\t\taddress.\n\n\ - \t\t\t\tThe ISS exception handler will recover the process after each overflow, giving\n\ - \t\t\t\tus the ability to bruteforce the service and exploit it multiple times.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0362 - - - OSVDB - - "4355" - - - URL - - http://www.eeye.com/html/Research/Advisories/AD20040318.html - - - URL - - http://xforce.iss.net/xforce/alerts/id/166 - path: extensions/metasploit/ - class: Msf_module -msf_energizer_duo_payload: - enable: true - msf: true - msf_key: windows/backdoor/energizer_duo_payload - name: Energizer DUO Trojan Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module will execute an arbitrary payload against\n\ - \t\t\t\tany system infected with the Arugizer trojan horse. This\n\ - \t\t\t\tbackdoor was shipped with the software package accompanying\n\ - \t\t\t\tthe Energizer Duo USB battery charger.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0103 - - - OSVDB - - "62782" - - - US-CERT-VU - - "154421" - path: extensions/metasploit/ - class: Msf_module -msf_ms07_029_msdns_zonename: - enable: true - msf: true - msf_key: windows/smb/ms07_029_msdns_zonename - name: Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\ - \t\t\t\tof the Microsoft DNS service. The vulnerability is triggered\n\ - \t\t\t\twhen a long zone name parameter is supplied that contains\n\ - \t\t\t\tescaped octal strings. This module is capable of bypassing NX/DEP\n\ - \t\t\t\tprotection on Windows 2003 SP1/SP2. This module exploits the\n\ - \t\t\t\tRPC service using the \\DNSSERVER pipe available via SMB. This\n\ - \t\t\t\tpipe requires a valid user account to access, so the SMBUSER\n\ - \t\t\t\tand SMBPASS options must be specified.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1748 - - - OSVDB - - "34100" - - - MSB - - MS07-029 - - - URL - - http://www.microsoft.com/technet/security/advisory/935964.mspx - path: extensions/metasploit/ - class: Msf_module -msf_ms05_017_msmq: - enable: true - msf: true - msf_key: windows/dcerpc/ms05_017_msmq - name: Microsoft Message Queueing Service Path Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\ - \t\t\t\tto the Microsoft Message Queueing service. The offset to the\n\ - \t\t\t\treturn address changes based on the length of the system\n\ - \t\t\t\thostname, so this must be provided via the 'HNAME' option.\n\ - \t\t\t\tMuch thanks to snort.org and Jean-Baptiste Marchand's\n\ - \t\t\t\texcellent MSRPC website.\n\n\ - \t\t\t" - authors: - - - CVE - - 2005-0059 - - - OSVDB - - "15458" - - - MSB - - MS05-017 - - - BID - - "13112" - path: extensions/metasploit/ - class: Msf_module -msf_ms07_065_msmq: - enable: true - msf: true - msf_key: windows/dcerpc/ms07_065_msmq - name: Microsoft Message Queueing Service DNS Name Path Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the RPC interface\n\ - \t\t\tto the Microsoft Message Queueing service. This exploit requires\n\ - \t\t\tthe target system to have been configured with a DNS name and\n\ - \t\t\tfor that name to be supplied in the 'DNAME' option. This name does\n\ - \t\t\tnot need to be served by a valid DNS server, only configured on\n\ - \t\t\tthe target machine.\n\n\ - \t\t\t" - authors: - - - CVE - - 2007-3039 - - - OSVDB - - "39123" - - - MSB - - MS07-065 - path: extensions/metasploit/ - class: Msf_module -msf_ms03_026_dcom: - enable: true - msf: true - msf_key: windows/dcerpc/ms03_026_dcom - name: Microsoft RPC DCOM Interface Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the RPCSS service, this vulnerability\n\ - \t\t\t\twas originally found by the Last Stage of Delirium research group and has been\n\ - \t\t\t\twidely exploited ever since. This module can exploit the English versions of\n\ - \t\t\t\tWindows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)\n\ - \t\t\t" - authors: - - - CVE - - 2003-0352 - - - OSVDB - - "2100" - - - MSB - - MS03-026 - - - BID - - "8205" - path: extensions/metasploit/ - class: Msf_module -msf_name_service: - enable: true - msf: true - msf_key: windows/backupexec/name_service - name: Veritas Backup Exec Name Service Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the Veritas Backup\n\ - \t\t\t\tExec Agent Browser service. This vulnerability occurs when a\n\ - \t\t\t\trecv() call has a length value too long for the\tdestination\n\ - \t\t\t\tstack buffer. By sending an agent name value of 63 bytes or\n\ - \t\t\t\tmore, we can overwrite the return address of the recv\n\ - \t\t\t\tfunction. Since we only have ~60 bytes of contiguous space\n\ - \t\t\t\tfor shellcode, a tiny findsock payload is sent which uses a\n\ - \t\t\t\thardcoded IAT address for the recv() function. This payload\n\ - \t\t\t\twill then roll the stack back to the beginning of the page,\n\ - \t\t\t\trecv() the real shellcode into it, and jump to it. This\n\ - \t\t\t\tmodule has been tested against Veritas 9.1 SP0, 9.1 SP1, and\n\ - \t\t\t\t8.6.\n\ - \t\t\t" - authors: - - - CVE - - 2004-1172 - - - OSVDB - - "12418" - - - BID - - "11974" - - - URL - - http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities - path: extensions/metasploit/ - class: Msf_module -msf_remote_agent: - enable: true - msf: true - msf_key: windows/backupexec/remote_agent - name: Veritas Backup Exec Windows Remote Agent Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Veritas\n\ - \t\t\t\tBackupExec Windows Agent software. This vulnerability occurs\n\ - \t\t\t\twhen a client authentication request is received with type\n\ - \t\t\t\t'3' and a long password argument. Reliable execution is\n\ - \t\t\t\tobtained by abusing the stack buffer overflow to smash a SEH\n\ - \t\t\t\tpointer.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0773 - - - OSVDB - - "17624" - - - BID - - "14022" - - - URL - - http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities - - - URL - - http://seer.support.veritas.com/docs/276604.htm - path: extensions/metasploit/ - class: Msf_module -msf_w3who_query: - enable: true - msf: true - msf_key: windows/isapi/w3who_query - name: Microsoft IIS ISAPI w3who.dll Query String Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the w3who.dll ISAPI\n\ - \t\t\t\tapplication. This vulnerability was discovered Nicolas\n\ - \t\t\t\tGregoire and this code has been successfully tested against\n\ - \t\t\t\tWindows 2000 and Windows XP (SP2). When exploiting Windows\n\ - \t\t\t\tXP, the payload must call RevertToSelf before it will be\n\ - \t\t\t\table to spawn a command shell.\n\n\ - \t\t\t" - authors: - - - CVE - - 2004-1134 - - - OSVDB - - "12258" - - - URL - - http://www.exaprobe.com/labs/advisories/esa-2004-1206.html - - - BID - - "11820" - path: extensions/metasploit/ - class: Msf_module -msf_rsa_webagent_redirect: - enable: true - msf: true - msf_key: windows/isapi/rsa_webagent_redirect - name: Microsoft IIS ISAPI RSA WebAgent Redirect Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in the SecurID Web\n\ - \t\t\t\tAgent for IIS. This ISAPI filter runs in-process with\n\ - \t\t\t\tinetinfo.exe, any attempt to exploit this flaw will result\n\ - \t\t\t\tin the termination and potential restart of the IIS service.\n\n\ - \t\t\t" - authors: - - - CVE - - 2005-4734 - - - OSVDB - - "20151" - path: extensions/metasploit/ - class: Msf_module -msf_ms03_022_nsiislog_post: - enable: true - msf: true - msf_key: windows/isapi/ms03_022_nsiislog_post - name: Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a buffer overflow found in the nsiislog.dll\n\ - \t\t\t\tISAPI filter that comes with Windows Media Server. This\n\ - \t\t\t\tmodule will also work against the 'patched' MS03-019\n\ - \t\t\t\tversion. This vulnerability was addressed by MS03-022.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0349 - - - OSVDB - - "4535" - - - BID - - "8035" - - - MSB - - MS03-022 - - - URL - - http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0120.html - path: extensions/metasploit/ - class: Msf_module -msf_ms00_094_pbserver: - enable: true - msf: true - msf_key: windows/isapi/ms00_094_pbserver - name: Microsoft IIS Phone Book Service Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for the Phone Book Service /pbserver/pbserver.dll\n\ - \t\t\t\tdescribed in MS00-094. By sending an overly long URL argument\n\ - \t\t\t\tfor phone book updates, it is possible to overwrite the stack. This\n\ - \t\t\t\tmodule has only been tested against Windows 2000 SP1.\n\ - \t\t\t" - authors: - - - CVE - - 2000-1089 - - - OSVDB - - "463" - - - BID - - "2048" - - - MSB - - MS00-094 - path: extensions/metasploit/ - class: Msf_module -msf_ms03_051_fp30reg_chunked: - enable: true - msf: true - msf_key: windows/isapi/ms03_051_fp30reg_chunked - name: Microsoft IIS ISAPI FrontPage fp30reg.dll Chunked Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for the chunked encoding buffer overflow\n\ - \t\t\t\tdescribed in MS03-051 and originally reported by Brett\n\ - \t\t\t\tMoore. This particular modules works against versions of\n\ - \t\t\t\tWindows 2000 between SP0 and SP3. Service Pack 4 fixes the\n\ - \t\t\t\tissue.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0822 - - - OSVDB - - "2952" - - - BID - - "9007" - - - MSB - - MS03-051 - path: extensions/metasploit/ - class: Msf_module -msf_cam_log_security: - enable: true - msf: true - msf_key: windows/unicenter/cam_log_security - name: CA CAM log_security() Stack Buffer Overflow (Win32) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the CA CAM service\n\ - \t\t\t\tby passing a long parameter to the log_security() function.\n\ - \t\t\t\tThe CAM service is part of TNG Unicenter. This module has\n\ - \t\t\t\tbeen tested on Unicenter v3.1.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2668 - - - OSVDB - - "18916" - - - BID - - "14622" - path: extensions/metasploit/ - class: Msf_module -msf_igss9_igssdataserver_listall: - enable: true - msf: true - msf_key: windows/scada/igss9_igssdataserver_listall - name: 7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies\n\ - \t\t\t\tIGSS up to version 9.00.00 b11063. While processing a ListAll command, the application\n\ - \t\t\t\tfails to do proper bounds checking before copying data into a small buffer on the stack.\n\ - \t\t\t\tThis causes a buffer overflow and allows to overwrite a structured exception handling record\n\ - \t\t\t\ton the stack, allowing for unauthenticated remote code execution. Also, after the payload\n\ - \t\t\t\texits, IGSSdataServer.exe should automatically recover.\n\ - \t\t\t" - authors: - - - CVE - - 2011-1567 - - - OSVDB - - "72353" - - - URL - - http://aluigi.altervista.org/adv/igss_2-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_factorylink_vrn_09: - enable: true - msf: true - msf_key: windows/scada/factorylink_vrn_09 - name: Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,\n\ - \t\t\t\tand 8.0.1.703. By sending a specially crafted packet, an attacker may be able to\n\ - \t\t\t\texecute arbitrary code due to the improper use of a vsprintf() function while\n\ - \t\t\t\tprocessing the user-supplied text field. Originally found and posted by\n\ - \t\t\t\tLuigi Auriemma.\n\ - \t\t\t" - authors: - - - OSVDB - - "72815" - - - URL - - http://aluigi.altervista.org/adv/factorylink_4-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_realwin: - enable: true - msf: true - msf_key: windows/scada/realwin - name: DATAC RealWin SCADA Server Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ - \t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.0.10.37).\n\ - \t\t\t\tBy sending a specially crafted FC_INFOTAG/SET_CONTROL packet,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4322 - - - OSVDB - - "48606" - - - BID - - "31418" - path: extensions/metasploit/ - class: Msf_module -msf_realwin_scpc_initialize: - enable: true - msf: true - msf_key: windows/scada/realwin_scpc_initialize - name: DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ - \t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\ - \t\t\t\tBy sending a specially crafted packet, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "68812" - - - CVE - - 2010-4142 - - - URL - - http://aluigi.altervista.org/adv/realwin_1-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_iconics_genbroker: - enable: true - msf: true - msf_key: windows/scada/iconics_genbroker - name: Iconics GENESIS32 Integer overflow version 9.21.201.01 - category: Metasploit - description: "\n\ - \t\t\t\t\tThe GenBroker service on port 38080 is affected by three integer overflow\n\ - \t\t\t\tvulnerabilities while handling opcode 0x4b0, which is caused by abusing the\n\ - \t\t\t\tthe memory allocations needed for the number of elements passed by the client.\n\ - \t\t\t\tThis results unexpected behaviors such as direct registry calls, memory location\n\ - \t\t\t\tcalls, or arbitrary remote code execution. Please note that in order to ensure\n\ - \t\t\t\treliability, this exploit will try to open calc (hidden), inject itself into the\n\ - \t\t\t\tprocess, and then open up a shell session. Also, DEP bypass is supported.\n\ - \t\t\t" - authors: - - - URL - - http://aluigi.org/adv/genesis_4-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_moxa_mdmtool: - enable: true - msf: true - msf_key: windows/scada/moxa_mdmtool - name: MOXA Device Manager Tool 2.1 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in MOXA MDM Tool 2.1.\n\ - \t\t\t\tWhen sending a specially crafted MDMGw (MDM2_Gateway) response, an\n\ - \t\t\t\tattacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "69027" - - - URL - - http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid= - - - URL - - http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-293-02.pdf - path: extensions/metasploit/ - class: Msf_module -msf_iconics_webhmi_setactivexguid: - enable: true - msf: true - msf_key: windows/scada/iconics_webhmi_setactivexguid - name: ICONICS WebHMI ActiveX Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.\n\ - \t\t\t\tBy supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll\n\ - \t\t\t\tfails to do any proper bounds checking before this input is copied onto the stack,\n\ - \t\t\t\twhich causes a buffer overflow, and results arbitrary code execution under the context\n\ - \t\t\t\tof the user.\n\ - \t\t\t" - authors: - - - OSVDB - - "72135" - - - URL - - http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf - - - URL - - http://www.exploit-db.com/exploits/17240/ - path: extensions/metasploit/ - class: Msf_module -msf_igss9_igssdataserver_rename: - enable: true - msf: true - msf_key: windows/scada/igss9_igssdataserver_rename - name: 7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying\n\ - \t\t\t\ta long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,\n\ - \t\t\t\ta buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report,\n\ - \t\t\t\twhich results arbitrary code execution under the context of the user.\n\n\ - \t\t\t\tThe attack is carried out in three stages. The first stage sends the final payload to\n\ - \t\t\t\tIGSSdataServer.exe, which will remain in memory. The second stage sends the Add command\n\ - \t\t\t\tso the process can find a valid ID for the Rename command. The last stage then triggers\n\ - \t\t\t\tthe vulnerability with the Rename command, and uses an egghunter to search for the\n\ - \t\t\t\tshellcode that we sent in stage 1. The use of egghunter appears to be necessary due to\n\ - \t\t\t\tthe small buffer size, which cannot even contain our ROP chain and the final payload.\n\ - \t\t\t" - authors: - - - CVE - - 2011-1567 - - - OSVDB - - "72352" - - - URL - - http://aluigi.altervista.org/adv/igss_5-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_realwin_on_fc_binfile_a: - enable: true - msf: true - msf_key: windows/scada/realwin_on_fc_binfile_a - name: DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability found in DATAC Control International RealWin\n\ - \t\t\t\tSCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE\n\ - \t\t\t\tpacket via port 910, RealWin will try to create a file (which would be saved to\n\ - \t\t\t\tC:\\Program Files\\DATAC\\Real Win\\RW-version\\filename) by first copying the user-\n\ - \t\t\t\tsupplied filename with a inline memcpy routine without proper bounds checking, which\n\ - \t\t\t\tresults a stack-based buffer overflow, allowing arbitrary remote code execution.\n\n\ - \t\t\t\tTested version: 2.0 (Build 6.1.8.10)\n\ - \t\t\t" - authors: - - - CVE - - 2011-1563 - - - OSVDB - - "72826" - - - BID - - "46937" - - - URL - - http://aluigi.altervista.org/adv/realwin_5-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_igss9_misc: - enable: true - msf: true - msf_key: windows/scada/igss9_misc - name: 7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits multiple vulnerabilities found on IGSS 9's Data Server and\n\ - \t\t\t\tData Collector services. The initial approach is first by transferring our binary\n\ - \t\t\t\twith Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send\n\ - \t\t\t\tan EXE packet (opcode 0x0A) to port 12397 (dc.exe), which will cause dc.exe to run\n\ - \t\t\t\tthat payload with a CreateProcessA() function as a new thread.\n\ - \t\t\t" - authors: - - - OSVDB - - "72354" - - - OSVDB - - "72349" - - - URL - - http://aluigi.altervista.org/adv/igss_1-adv.txt - - - URL - - http://aluigi.altervista.org/adv/igss_8-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_factorylink_csservice: - enable: true - msf: true - msf_key: windows/scada/factorylink_csservice - name: Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability found on Siemens FactoryLink 8. The\n\ - \t\t\t\tvulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,\n\ - \t\t\t\tthe user-supplied path first gets converted to ANSI format (CodePage 0), and then\n\ - \t\t\t\tgets handled by a logging routine where proper bounds checking is not done,\n\ - \t\t\t\ttherefore causing a stack-based buffer overflow, and results arbitrary code execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "72812" - - - URL - - http://aluigi.altervista.org/adv/factorylink_1-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_winlog_runtime: - enable: true - msf: true - msf_key: windows/scada/winlog_runtime - name: Sielco Sistemi Winlog Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Sielco\n\ - \t\t\t\tSistem Winlog <= 2.07.00. When sending a specially formatted\n\ - \t\t\t\tpacket to the Runtime.exe service, an attacker may be able to\n\ - \t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2011-0517 - - - OSVDB - - "70418" - - - URL - - http://aluigi.org/adv/winlog_1-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_realwin_on_fcs_login: - enable: true - msf: true - msf_key: windows/scada/realwin_on_fcs_login - name: RealWin SCADA Server DATAC Login Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ - \t\t\t\tInternational RealWin SCADA Server 2.1 (Build 6.0.10.10) or\n\ - \t\t\t\tearlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN\n\ - \t\t\t\tpacket containing a long username, an attacker may be able to\n\ - \t\t\t\texecute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2011-1563 - - - OSVDB - - "72824" - - - URL - - http://aluigi.altervista.org/adv/realwin_2-adv.txt - - - URL - - http://www.dataconline.com/software/realwin.php - path: extensions/metasploit/ - class: Msf_module -msf_citect_scada_odbc: - enable: true - msf: true - msf_key: windows/scada/citect_scada_odbc - name: CitectSCADA/CitectFacilities ODBC Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.\n\ - \t\t\t\tThis has only been tested against Citect v5, v6 and v7.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2639 - - - BID - - "29634" - - - OSVDB - - "46105" - - - URL - - http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability - - - URL - - http://www.auscert.org.au/render.html?it=9433 - - - URL - - http://www.controsys.hu/anyagok/group_quality_assurance.pdf - - - URL - - http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf - path: extensions/metasploit/ - class: Msf_module -msf_realwin_scpc_txtevent: - enable: true - msf: true - msf_key: windows/scada/realwin_scpc_txtevent - name: DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ - \t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\ - \t\t\t\tBy sending a specially crafted packet,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2010-4142 - - - OSVDB - - "68812" - path: extensions/metasploit/ - class: Msf_module -msf_realwin_scpc_initialize_rf: - enable: true - msf: true - msf_key: windows/scada/realwin_scpc_initialize_rf - name: DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in DATAC Control\n\ - \t\t\t\tInternational RealWin SCADA Server 2.0 (Build 6.1.8.10).\n\ - \t\t\t\tBy sending a specially crafted packet, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "68812" - - - CVE - - 2010-4142 - - - URL - - http://aluigi.altervista.org/adv/realwin_1-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_timbuktu_fileupload: - enable: true - msf: true - msf_key: windows/motorola/timbuktu_fileupload - name: Timbuktu Pro Directory Traversal/File Upload - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a directory traversal vulnerablity in Motorola's\n\ - \t\t\t\tTimbuktu Pro for Windows 8.6.5.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1117 - - - OSVDB - - "43544" - path: extensions/metasploit/ - class: Msf_module -msf_ms04_031_netdde: - enable: true - msf: true - msf_key: windows/smb/ms04_031_netdde - name: Microsoft NetDDE Service Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the NetDDE service, which is the\n\ - \t\t\t\tprecursor to the DCOM interface. This exploit effects only operating systems\n\ - \t\t\t\treleased prior to Windows XP SP1 (2000 SP4, XP SP0). Despite Microsoft's claim\n\ - \t\t\t\tthat this vulnerability can be exploited without authentication, the NDDEAPI\n\ - \t\t\t\tpipe is only accessible after successful authentication.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0206 - - - OSVDB - - "10689" - - - BID - - "11372" - - - MSB - - MS04-031 - path: extensions/metasploit/ - class: Msf_module -msf_ms04_011_lsass: - enable: true - msf: true - msf_key: windows/smb/ms04_011_lsass - name: Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the LSASS service, this vulnerability\n\ - \t\t\t\twas originally found by eEye. When re-exploiting a Windows XP system, you will need\n\ - \t\t\t\tneed to run this module twice. DCERPC request fragmentation can be performed by setting\n\ - \t\t\t\t'FragSize' parameter.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0533 - - - OSVDB - - "5248" - - - BID - - "10108" - - - MSB - - MS04-011 - path: extensions/metasploit/ - class: Msf_module -msf_ms06_070_wkssvc: - enable: true - msf: true - msf_key: windows/smb/ms06_070_wkssvc - name: Microsoft Workstation Service NetpManageIPCConnect Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 NetpManageIPCConnect\n\ - \t\t\t\tfunction using the Workstation service in Windows 2000 SP4 and Windows XP SP2.\n\n\ - \t\t\t\tIn order to exploit this vulnerability, you must specify a the name of a\n\ - \t\t\t\tvalid Windows DOMAIN. It may be possible to satisfy this condition by using\n\ - \t\t\t\ta custom dns and ldap setup, however that method is not covered here.\n\n\ - \t\t\t\tAlthough Windows XP SP2 is vulnerable, Microsoft reports that Administrator\n\ - \t\t\t\tcredentials are required to reach the vulnerable code. Windows XP SP1 only\n\ - \t\t\t\trequires valid user credentials. Also, testing shows that a machine already\n\ - \t\t\t\tjoined to a domain is not exploitable.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4691 - - - OSVDB - - "30263" - - - BID - - "20985" - - - MSB - - MS06-070 - path: extensions/metasploit/ - class: Msf_module -msf_ms05_039_pnp: - enable: true - msf: true - msf_key: windows/smb/ms05_039_pnp - name: Microsoft Plug and Play Service Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Plug\n\ - \t\t\t\tand Play service. This vulnerability can be exploited on\n\ - \t\t\t\tWindows 2000 without a valid user account.\n\n\ - \t\t\t\tNOTE: Since the PnP service runs inside the service.exe process, a failed\n\ - \t\t\t\texploit attempt will cause the system to automatically reboot.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1983 - - - OSVDB - - "18605" - - - BID - - "14513" - - - MSB - - MS05-039 - - - URL - - http://www.hsc.fr/ressources/presentations/null_sessions/ - path: extensions/metasploit/ - class: Msf_module -msf_timbuktu_plughntcommand_bof: - enable: true - msf: true - msf_key: windows/smb/timbuktu_plughntcommand_bof - name: Timbuktu <= 8.6.6 PlughNTCommand Named Pipe Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6\n\ - \t\t\t\tin a pretty novel way.\n\n\ - \t\t\t\tThis exploit requires two connections. The first connection is used to leak stack data\n\ - \t\t\t\tusing the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying\n\ - \t\t\t\ta large value for this argument it is possible to cause Timbuktu to reply to the initial\n\ - \t\t\t\trequest with leaked stack data. Using this data allows for reliable exploitation of the\n\ - \t\t\t\tbuffer overflow vulnerability.\n\n\ - \t\t\t\tProps to Infamous41d for helping in finding this exploitation path.\n\n\ - \t\t\t\tThe second connection utilizes the data from the data leak to accurately exploit\n\ - \t\t\t\tthe stack based buffer overflow vulnerability.\n\n\ - \t\t\t\tTODO:\n\ - \t\t\t\thdm suggested using meterpreter's migration capability and restarting the process\n\ - \t\t\t\tfor multishot exploitation.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1394 - - - OSVDB - - "55436" - - - BID - - "35496" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809 - path: extensions/metasploit/ - class: Msf_module -msf_netidentity_xtierrpcpipe: - enable: true - msf: true - msf_key: windows/smb/netidentity_xtierrpcpipe - name: Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending\n\ - \t\t\t\ta specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be\n\ - \t\t\t\table to execute arbitrary code. The success of this module is much greater once the\n\ - \t\t\t\tservice has been restarted.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1350 - - - OSVDB - - "53351" - - - BID - - "34400" - - - URL - - http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1 - path: extensions/metasploit/ - class: Msf_module -msf_ms06_025_rasmans_reg: - enable: true - msf: true - msf_key: windows/smb/ms06_025_rasmans_reg - name: Microsoft RRAS Service RASMAN Registry Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a registry-based stack buffer overflow in the Windows Routing\n\ - \t\t\t\tand Remote Access Service. Since the service is hosted inside svchost.exe,\n\ - \t\t\t\ta failed exploit attempt can cause other system services to fail as well.\n\ - \t\t\t\tA valid username and password is required to exploit this flaw on Windows 2000.\n\ - \t\t\t\tWhen attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\n\ - \t\t\t\tExploiting this flaw involves two distinct steps - creating the registry key\n\ - \t\t\t\tand then triggering an overwrite based on a read of this key. Once the key is\n\ - \t\t\t\tcreated, it cannot be recreated. This means that for any given system, you\n\ - \t\t\t\tonly get one chance to exploit this flaw. Picking the wrong target will require\n\ - \t\t\t\ta manual removal of the following registry key before you can try again:\n\ - \t\t\t\tHKEY_USERS\\.DEFAULT\\Software\\Microsoft\\RAS Phonebook\n\ - \t\t\t" - authors: - - - CVE - - 2006-2370 - - - OSVDB - - "26437" - - - BID - - "18325" - - - MSB - - MS06-025 - path: extensions/metasploit/ - class: Msf_module -msf_ms09_050_smb2_negotiate_func_index: - enable: true - msf: true - msf_key: windows/smb/ms09_050_smb2_negotiate_func_index - name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an out of bounds function table dereference in the SMB\n\ - \t\t\t\trequest validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n\ - \t\t\t\trelease candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n\ - \t\t\t\twithout SP1 does not seem affected by this flaw.\n\ - \t\t\t" - authors: - - - MSB - - MS09-050 - - - CVE - - 2009-3103 - - - BID - - "36299" - - - OSVDB - - "57799" - - - URL - - http://seclists.org/fulldisclosure/2009/Sep/0039.html - - - URL - - http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx - path: extensions/metasploit/ - class: Msf_module -msf_ms04_007_killbill: - enable: true - msf: true - msf_key: windows/smb/ms04_007_killbill - name: Microsoft ASN.1 Library Bitstring Heap Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for a previously undisclosed\n\ - \t\t\t\tvulnerability in the bit string decoding code in the\n\ - \t\t\t\tMicrosoft ASN.1 library. This vulnerability is not related\n\ - \t\t\t\tto the bit string vulnerability described in eEye advisory\n\ - \t\t\t\tAD20040210-2. Both vulnerabilities were fixed in the\n\ - \t\t\t\tMS04-007 patch.\n\n\ - \t\t\t\tYou are only allowed one attempt with this vulnerability. If\n\ - \t\t\t\tthe payload fails to execute, the LSASS system service will\n\ - \t\t\t\tcrash and the target system will automatically reboot itself\n\ - \t\t\t\tin 60 seconds. If the payload succeeeds, the system will no\n\ - \t\t\t\tlonger be able to process authentication requests, denying\n\ - \t\t\t\tall attempts to login through SMB or at the console. A\n\ - \t\t\t\treboot is required to restore proper functioning of an\n\ - \t\t\t\texploited system.\n\n\ - \t\t\t\tThis exploit has been successfully tested with the win32/*/reverse_tcp\n\ - \t\t\t\tpayloads, however a few problems were encounted when using the\n\ - \t\t\t\tequivalent bind payloads. Your mileage may vary.\n\n\ - \t\t\t" - authors: - - - CVE - - 2003-0818 - - - OSVDB - - "3902" - - - BID - - "9633" - - - URL - - http://www.phreedom.org/solar/exploits/msasn1-bitstring/ - - - MSB - - MS04-007 - path: extensions/metasploit/ - class: Msf_module -msf_ms03_049_netapi: - enable: true - msf: true - msf_key: windows/smb/ms03_049_netapi - name: Microsoft Workstation Service NetAddAlternateComputerName Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName\n\ - \t\t\t\tfunction using the Workstation service in Windows XP.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0812 - - - OSVDB - - "11461" - - - BID - - "9011" - - - MSB - - MS03-049 - path: extensions/metasploit/ - class: Msf_module -msf_ms06_025_rras: - enable: true - msf: true - msf_key: windows/smb/ms06_025_rras - name: Microsoft RRAS Service Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Routing and Remote\n\ - \t\t\t\tAccess Service. Since the service is hosted inside svchost.exe, a failed\n\ - \t\t\t\texploit attempt can cause other system services to fail as well. A valid\n\ - \t\t\t\tusername and password is required to exploit this flaw on Windows 2000.\n\ - \t\t\t\tWhen attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.\t\t\t" - authors: - - - CVE - - 2006-2370 - - - OSVDB - - "26437" - - - BID - - "18325" - - - MSB - - MS06-025 - path: extensions/metasploit/ - class: Msf_module -msf_ms06_066_nwapi: - enable: true - msf: true - msf_key: windows/smb/ms06_066_nwapi - name: Microsoft Services MS06-066 nwapi32.dll - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the svchost service, when the netware\n\ - \t\t\t\tclient service is running. This specific vulnerability is in the nwapi32.dll module.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4688 - - - OSVDB - - "30260" - - - BID - - "21023" - - - MSB - - MS06-066 - path: extensions/metasploit/ - class: Msf_module -msf_ms06_066_nwwks: - enable: true - msf: true - msf_key: windows/smb/ms06_066_nwwks - name: Microsoft Services MS06-066 nwwks.dll - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the svchost service, when the netware\n\ - \t\t\t\tclient service is running. This specific vulnerability is in the nwapi32.dll module.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4688 - - - OSVDB - - "30260" - - - BID - - "21023" - - - MSB - - MS06-066 - path: extensions/metasploit/ - class: Msf_module -msf_ms10_061_spoolss: - enable: true - msf: true - msf_key: windows/smb/ms10_061_spoolss - name: Microsoft Print Spooler Service Impersonation Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the RPC service impersonation vulnerability detailed in\n\ - \t\t\t\tMicrosoft Bulletin MS10-061. By making a specific DCE RPC request to the\n\ - \t\t\t\tStartDocPrinter procedure, an attacker can impersonate the Printer Spooler service\n\ - \t\t\t\tto create a file. The working directory at the time is %SystemRoot%\\system32.\n\ - \t\t\t\tAn attacker can specify any file name, including directory traversal or full paths.\n\ - \t\t\t\tBy sending WritePrinter requests, an attacker can fully control the content of\n\ - \t\t\t\tthe created file.\n\n\ - \t\t\t\tIn order to gain code execution, this module writes to a directory used by Windows\n\ - \t\t\t\tManagement Instrumentation (WMI) to deploy applications. This directory (Wbem\\Mof)\n\ - \t\t\t\tis periodically scanned and any new .mof files are processed automatically. This is\n\ - \t\t\t\tthe same technique employed by the Stuxnet code found in the wild.\n\ - \t\t\t" - authors: - - - OSVDB - - "67988" - - - CVE - - 2010-2729 - - - MSB - - MS10-061 - path: extensions/metasploit/ - class: Msf_module -msf_psexec: - enable: true - msf: true - msf_key: windows/smb/psexec - name: Microsoft Windows Authenticated User Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module uses a valid administrator username and password (or\n\ - \t\t\t\tpassword hash) to execute an arbitrary payload. This module is similar\n\ - \t\t\t\tto the \"psexec\" utility provided by SysInternals. This module is now able\n\ - \t\t\t\tto clean up after itself. The service created by this tool uses a randomly \n\ - \t\t\t\tchosen name and description.\n\ - \t\t\t" - authors: - - - CVE - - 1999-0504 - - - OSVDB - - "3106" - - - URL - - http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx - path: extensions/metasploit/ - class: Msf_module -msf_smb_relay: - enable: true - msf: true - msf_key: windows/smb/smb_relay - name: Microsoft Windows SMB Relay Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module will relay SMB authentication requests to another\n\ - \t\t\t\thost, gaining access to an authenticated SMB session if successful.\n\ - \t\t\t\tIf the connecting user is an administrator and network logins are\n\ - \t\t\t\tallowed to the target machine, this module will execute an arbitrary\n\ - \t\t\t\tpayload. To exploit this, the target system\tmust try to\tauthenticate\n\ - \t\t\t\tto this module. The easiest way to force a SMB authentication attempt\n\ - \t\t\t\tis by embedding a UNC path (\\\\SERVER\\SHARE) into a web page or\n\ - \t\t\t\temail message. When the victim views the web page or email, their\n\ - \t\t\t\tsystem will automatically connect to the server specified in the UNC\n\ - \t\t\t\tshare (the IP address of the system running this module) and attempt\n\ - \t\t\t\tto authenticate. Unfortunately, this\n\ - \t\t\t\tmodule is not able to clean up after itself. The service and payload\n\ - \t\t\t\tfile listed in the output will need to be manually removed after access\n\ - \t\t\t\thas been gained. The service created by this tool uses a randomly chosen\n\ - \t\t\t\tname and description, so the services list can become cluttered after\n\ - \t\t\t\trepeated exploitation.\n\n\ - \t\t\t\tThe SMB authentication relay attack was first reported by Sir Dystic on\n\ - \t\t\t\tMarch 31st, 2001 at @lanta.con in Atlanta, Georgia.\n\n\ - \t\t\t\tOn November 11th 2008 Microsoft released bulletin MS08-068. This bulletin\n\ - \t\t\t\tincludes a patch which prevents the relaying of challenge keys back to\n\ - \t\t\t\tthe host which issued them, preventing this exploit from working in\n\ - \t\t\t\tthe default configuration. It is still possible to set the SMBHOST\n\ - \t\t\t\tparameter to a third-party host that the victim is authorized to access,\n\ - \t\t\t\tbut the \"reflection\" attack has been effectively broken.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4037 - - - OSVDB - - "49736" - - - MSB - - MS08-068 - - - URL - - http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx - - - URL - - http://en.wikipedia.org/wiki/SMBRelay - - - URL - - http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx - - - URL - - http://www.xfocus.net/articles/200305/smbrelay.html - path: extensions/metasploit/ - class: Msf_module -msf_ms08_067_netapi: - enable: true - msf: true - msf_key: windows/smb/ms08_067_netapi - name: Microsoft Server Service Relative Path Stack Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a parsing flaw in the path canonicalization code of\n\ - \t\t\t\tNetAPI32.dll through the Server Service. This module is capable of bypassing\n\ - \t\t\t\tNX on some operating systems and service packs. The correct target must be\n\ - \t\t\t\tused to prevent the Server Service (along with a dozen others in the same\n\ - \t\t\t\tprocess) from crashing. Windows XP targets seem to handle multiple successful\n\ - \t\t\t\texploitation events, but 2003 targets will often crash or hang on subsequent\n\ - \t\t\t\tattempts. This is just the first version of this module, full support for\n\ - \t\t\t\tNX bypass on 2003, along with other platforms, is still in development.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4250 - - - OSVDB - - "49243" - - - MSB - - MS08-067 - - - NEXPOSE - - dcerpc-ms-netapi-netpathcanonicalize-dos - path: extensions/metasploit/ - class: Msf_module -msf_ms06_040_netapi: - enable: true - msf: true - msf_key: windows/smb/ms06_040_netapi - name: Microsoft Server Service NetpwPathCanonicalize Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function\n\ - \t\t\t\tusing the NetpwPathCanonicalize RPC call in the Server Service. It is likely that\n\ - \t\t\t\tother RPC calls could be used to exploit this service. This exploit will result in\n\ - \t\t\t\ta denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt\n\ - \t\t\t\twill likely result in a complete reboot on Windows 2000 and the termination of all\n\ - \t\t\t\tSMB-related services on Windows XP. The default target for this exploit should succeed\n\ - \t\t\t\ton Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3439 - - - OSVDB - - "27845" - - - BID - - "19409" - - - MSB - - MS06-040 - path: extensions/metasploit/ - class: Msf_module -msf_netgear_wg111_beacon: - enable: true - msf: true - msf_key: windows/driver/netgear_wg111_beacon - name: NetGear WG111v2 Wireless Driver Long Beacon Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the NetGear WG111v2 wireless\n\ - \t\t\t\tdevice driver. This stack buffer overflow allows remote code execution in kernel mode.\n\ - \t\t\t\tThe stack buffer overflow is triggered when a 802.11 Beacon frame is received that\n\ - \t\t\t\tcontains more than 1100 bytes worth of information elements.\n\n\ - \t\t\t\tThis exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and\n\ - \t\t\t\ta NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,\n\ - \t\t\t\tall cards within range of the attack will be affected. The tested adapter used\n\ - \t\t\t\ta MAC address in the range of 00:18:4d:02:XX:XX.\n\n\ - \t\t\t\tVulnerable clients will need to have their card in a non-associated state\n\ - \t\t\t\tfor this exploit to work. The easiest way to reproduce this bug is by starting\n\ - \t\t\t\tthe exploit and then unplugging and reinserting the USB card. The exploit can\n\ - \t\t\t\ttake up to a minute to execute the payload, depending on system activity.\n\n\ - \t\t\t\tNetGear was NOT contacted about this flaw. A search of the SecurityFocus\n\ - \t\t\t\tdatabase indicates that NetGear has not provided an official patch or\n\ - \t\t\t\tsolution for any of the thirty flaws listed at the time of writing. This list\n\ - \t\t\t\tincludes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,\n\ - \t\t\t\t7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,\n\ - \t\t\t\t16835, 19468, and 19973.\n\n\ - \t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\ - \t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\ - \t\t\t\t(external/ruby-lorcon/README) for more information.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5972 - - - OSVDB - - "30473" - - - URL - - http://projects.info-pull.com/mokb/MOKB-16-11-2006.html - path: extensions/metasploit/ - class: Msf_module -msf_broadcom_wifi_ssid: - enable: true - msf: true - msf_key: windows/driver/broadcom_wifi_ssid - name: Broadcom Wireless Driver Probe Response SSID Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Broadcom Wireless driver\n\ - \t\t\t\tthat allows remote code execution in kernel mode by sending a 802.11 probe\n\ - \t\t\t\tresponse that contains a long SSID. The target MAC address must\n\ - \t\t\t\tbe provided to use this exploit. The two cards tested fell into the\n\ - \t\t\t\t00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.\n\n\ - \t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\ - \t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\ - \t\t\t\t(external/ruby-lorcon/README) for more information.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5882 - - - OSVDB - - "30294" - - - URL - - http://projects.info-pull.com/mokb/MOKB-11-11-2006.html - path: extensions/metasploit/ - class: Msf_module -msf_dlink_wifi_rates: - enable: true - msf: true - msf_key: windows/driver/dlink_wifi_rates - name: D-Link DWL-G132 Wireless Driver Beacon Rates Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the A5AGU.SYS driver provided\n\ - \t\t\t\twith the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow\n\ - \t\t\t\tallows remote code execution in kernel mode. The stack buffer overflow is triggered\n\ - \t\t\t\twhen a 802.11 Beacon frame is received that contains a long Rates information\n\ - \t\t\t\telement. This exploit was tested with version 1.0.1.41 of the\n\ - \t\t\t\tA5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer\n\ - \t\t\t\tversions of the A5AGU.SYS driver are provided with the D-Link WUA-2340\n\ - \t\t\t\tadapter and appear to resolve this flaw, but D-Link does not offer an updated\n\ - \t\t\t\tdriver for the DWL-G132. Since this vulnerability is exploited via beacon frames,\n\ - \t\t\t\tall cards within range of the attack will be affected. The tested adapter used\n\ - \t\t\t\ta MAC address in the range of 00:11:95:f2:XX:XX.\n\n\ - \t\t\t\tVulnerable clients will need to have their card in a non-associated state\n\ - \t\t\t\tfor this exploit to work. The easiest way to reproduce this bug is by starting\n\ - \t\t\t\tthe exploit and then accessing the Windows wireless network browser and\n\ - \t\t\t\tforcing it to refresh.\n\n\ - \t\t\t\tD-Link was NOT contacted about this flaw. A search of the SecurityFocus\n\ - \t\t\t\tdatabase indicates that D-Link has not provided an official patch or\n\ - \t\t\t\tsolution for any of the seven flaws listed at the time of writing:\n\ - \t\t\t\t(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).\n\n\ - \t\t\t\tAs of November 17th, 2006, D-Link has fixed the flaw it the latest version of the\n\ - \t\t\t\tDWL-G132 driver (v1.21).\n\n\ - \t\t\t\tThis module depends on the Lorcon2 library and only works on the Linux platform\n\ - \t\t\t\twith a supported wireless card. Please see the Ruby Lorcon2 documentation\n\ - \t\t\t\t(external/ruby-lorcon/README) for more information.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6055 - - - OSVDB - - "30296" - - - URL - - http://projects.info-pull.com/mokb/MOKB-13-11-2006.html - - - URL - - ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip - path: extensions/metasploit/ - class: Msf_module -msf_goodtech_telnet: - enable: true - msf: true - msf_key: windows/telnet/goodtech_telnet - name: GoodTech Telnet Server <= 5.0.6 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in GoodTech Systems Telnet Server\n\ - \t\t\t\tversions prior to 5.0.7. By sending an overly long string, an attacker can\n\ - \t\t\t\toverwrite the buffer and control program execution.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0768 - - - OSVDB - - "14806" - - - BID - - "12815" - path: extensions/metasploit/ - class: Msf_module -msf_gamsoft_telsrv_username: - enable: true - msf: true - msf_key: windows/telnet/gamsoft_telsrv_username - name: GAMSoft TelSrv 1.5 Username Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.\n\ - \t\t\t\tOther versions may also be affected. The service terminates after exploitation,\n\ - \t\t\t\tso you only get one chance!\n\ - \t\t\t" - authors: - - - CVE - - 2000-0665 - - - OSVDB - - "373" - - - BID - - "1478" - - - URL - - http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip - path: extensions/metasploit/ - class: Msf_module -msf_postgres_payload: - enable: true - msf: true - msf_key: windows/postgres/postgres_payload - name: PostgreSQL for Microsoft Windows Payload Execution - category: Metasploit - description: "\n\ - \t\t\t\tThis module creates and enables a custom UDF (user defined function) on the\n\ - \t\t\t\ttarget host via the UPDATE pg_largeobject method of binary injection. On\n\ - \t\t\t\tdefault Microsoft Windows installations of PostgreSQL (=< 8.4), the postgres\n\ - \t\t\t\tservice account may write to the Windows temp directory, and may source\n\ - \t\t\t\tUDF DLL's from there as well.\n\n\ - \t\t\t\tPostgreSQL versions 8.2.x, 8.3.x, and 8.4.x on Microsoft Windows (32-bit) are \n\ - \t\t\t\tvalid targets for this module.\n\n\ - \t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\ - \t\t\t\tattack is finished, as well as the UDF DLL and the OID.\n\ - \t\t\t" - authors: [] - - path: extensions/metasploit/ - class: Msf_module -msf_winvnc_http_get: - enable: true - msf: true - msf_key: windows/vnc/winvnc_http_get - name: WinVNC Web Server <= v3.3.3r7 GET Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a buffer overflow in the AT&T WinVNC version\n\ - \t\t\t\t<= v3.3.3r7 web server. When debugging mode with logging is\n\ - \t\t\t\tenabled (non-default), an overly long GET request can overwrite\n\ - \t\t\t\tthe stack. This exploit does not work well with VNC payloads!\n\ - \t\t\t" - authors: - - - BID - - "2306" - - - OSVDB - - "6280" - - - CVE - - 2001-0168 - path: extensions/metasploit/ - class: Msf_module -msf_realvnc_client: - enable: true - msf: true - msf_key: windows/vnc/realvnc_client - name: RealVNC 3.3.7 Client Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a buffer overflow in RealVNC 3.3.7 (vncviewer.exe).\n\ - \t\t\t" - authors: - - - CVE - - 2001-0167 - - - OSVDB - - "6281" - - - BID - - "2305" - path: extensions/metasploit/ - class: Msf_module -msf_ultravnc_client: - enable: true - msf: true - msf_key: windows/vnc/ultravnc_client - name: UltraVNC 1.0.1 Client Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a buffer overflow in UltraVNC Win32\n\ - \t\t\t\tViewer 1.0.1 Release.\n\ - \t\t\t" - authors: - - - CVE - - 2006-1652 - - - OSVDB - - "24456" - - - BID - - "17378" - path: extensions/metasploit/ - class: Msf_module -msf_ms10_045_outlook_ref_only: - enable: true - msf: true - msf_key: windows/email/ms10_045_outlook_ref_only - name: Outlook ATTACH_BY_REF_ONLY File Execution - category: Metasploit - description: "\n\ - \t\t\t\tIt has been discovered that certain e-mail message cause Outlook to create Windows\n\ - \t\t\t\tshortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n\ - \t\t\t\tstreams with certain MAPI attachment properties, it is possible to set a path name\n\ - \t\t\t\tto files to be executed. When a user double clicks on such an attachment or message,\n\ - \t\t\t\tOutlook will proceed to execute the file that is set by the path name value. These\n\ - \t\t\t\tfiles can be local files, but also file stored remotely for example on a file share.\n\ - \t\t\t\tExploitation is limited by the fact that its is not possible for attackers to supply\n\ - \t\t\t\tcommand line options.\n\ - \t\t\t" - authors: - - - MSB - - MS10-045 - - - CVE - - 2010-0266 - - - OSVDB - - "66296" - - - BID - - "41446" - - - URL - - http://www.akitasecurity.nl/advisory.php?id=AK20091001 - path: extensions/metasploit/ - class: Msf_module -msf_ms10_045_outlook_ref_resolve: - enable: true - msf: true - msf_key: windows/email/ms10_045_outlook_ref_resolve - name: Outlook ATTACH_BY_REF_RESOLVE File Execution - category: Metasploit - description: "\n\ - \t\t\t\tIt has been discovered that certain e-mail message cause Outlook to create Windows\n\ - \t\t\t\tshortcut-like attachments or messages within Outlook. Through specially crafted TNEF\n\ - \t\t\t\tstreams with certain MAPI attachment properties, it is possible to set a path name\n\ - \t\t\t\tto files to be executed. When a user double clicks on such an attachment or message,\n\ - \t\t\t\tOutlook will proceed to execute the file that is set by the path name value. These\n\ - \t\t\t\tfiles can be local files, but also file stored remotely for example on a file share.\n\ - \t\t\t\tExploitation is limited by the fact that its is not possible for attackers to supply\n\ - \t\t\t\tcommand line options.\n\ - \t\t\t" - authors: - - - MSB - - MS10-045 - - - CVE - - 2010-0266 - - - OSVDB - - "66296" - - - BID - - "41446" - - - URL - - http://www.akitasecurity.nl/advisory.php?id=AK20091001 - path: extensions/metasploit/ - class: Msf_module -msf_seattlelab_pass: - enable: true - msf: true - msf_key: windows/pop3/seattlelab_pass - name: Seattle Lab Mail 5.5 POP3 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThere exists an unauthenticated buffer overflow vulnerability\n\ - \t\t\t\tin the POP3 server of Seattle Lab Mail 5.5 when sending a password\n\ - \t\t\t\twith excessive length.\n\n\ - \t\t\t\tSuccessful exploitation should not crash either the\n\ - \t\t\t\tservice or the server; however, after initial use the\n\ - \t\t\t\tport cannot be reused for successive exploitation until\n\ - \t\t\t\tthe service has been restarted. Consider using a command\n\ - \t\t\t\texecution payload following the bind shell to restart\n\ - \t\t\t\tthe service if you need to reuse the same port.\n\n\ - \t\t\t\tThe overflow appears to occur in the debugging/error reporting\n\ - \t\t\t\tsection of the slmail.exe executable, and there are multiple\n\ - \t\t\t\toffsets that will lead to successful exploitation. This exploit\n\ - \t\t\t\tuses 2606, the offset that creates the smallest overall payload.\n\ - \t\t\t\tThe other offset is 4654.\n\n\ - \t\t\t\tThe return address is overwritten with a \"jmp esp\" call from the\n\ - \t\t\t\tapplication library SLMFC.DLL found in %SYSTEM%\\system32\\. This\n\ - \t\t\t\treturn address works against all version of Windows and service packs.\n\n\ - \t\t\t\tThe last modification date on the library is dated 06/02/99. Assuming\n\ - \t\t\t\tthat the code where the overflow occurs has not changed in some time,\n\ - \t\t\t\tprior version of SLMail may also be vulnerable with this exploit. The\n\ - \t\t\t\tauthor has not been able to acquire older versions of SLMail for\n\ - \t\t\t\ttesting purposes. Please let us know if you were able to get this\n\ - \t\t\t\texploit working against other SLMail versions.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0264 - - - OSVDB - - "11975" - - - BID - - "7519" - path: extensions/metasploit/ - class: Msf_module -msf_tns_arguments: - enable: true - msf: true - msf_key: windows/oracle/tns_arguments - name: Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Oracle 8i. When\n\ - \t\t\t\tsending a specially crafted packet containing a overly long\n\ - \t\t\t\tARGUMENTS string to the TNS service, an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0499 - - - OSVDB - - "9427" - - - BID - - "2941" - path: extensions/metasploit/ - class: Msf_module -msf_osb_ndmp_auth: - enable: true - msf: true - msf_key: windows/oracle/osb_ndmp_auth - name: Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThe module exploits a stack buffer overflow in Oracle Secure Backup.\n\ - \t\t\t\tWhen sending a specially crafted NDMP_CONNECT_CLIENT_AUTH packet,\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-5444 - - - OSVDB - - "51340" - - - URL - - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html - path: extensions/metasploit/ - class: Msf_module -msf_tns_service_name: - enable: true - msf: true - msf_key: windows/oracle/tns_service_name - name: Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Oracle. When\n\ - \t\t\t\tsending a specially crafted packet containing a long SERVICE_NAME\n\ - \t\t\t\tto the TNS service, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2002-0965 - - - OSVDB - - "5041" - - - BID - - "4845" - - - URL - - http://www.appsecinc.com/resources/alerts/oracle/02-0013.shtml - - - URL - - http://www.oracle.com/technology/deploy/security/pdf/net9_dos_alert.pdf - path: extensions/metasploit/ - class: Msf_module -msf_tns_auth_sesskey: - enable: true - msf: true - msf_key: windows/oracle/tns_auth_sesskey - name: Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Oracle. When\n\ - \t\t\t\tsending a specially crafted packet containing a long AUTH_SESSKEY value\n\ - \t\t\t\tto the TNS service, an attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1979 - - - OSVDB - - "59110" - - - BID - - "36747" - - - URL - - http://blogs.conus.info/node/28 - - - URL - - http://blogs.conus.info/node/35 - - - URL - - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html - path: extensions/metasploit/ - class: Msf_module -msf_lgserver: - enable: true - msf: true - msf_key: windows/brightstor/lgserver - name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\n\ - \t\t\t\toverflow the buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-0449 - - - OSVDB - - "31593" - - - BID - - "22342" - path: extensions/metasploit/ - class: Msf_module -msf_sql_agent: - enable: true - msf: true - msf_key: windows/brightstor/sql_agent - name: CA BrightStor Agent for Microsoft SQL Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\ - \t\t\t\tAgent for Microsoft SQL Server. This vulnerability was\n\ - \t\t\t\tdiscovered by cybertronic[at]gmx.net.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1272 - - - OSVDB - - "18501" - - - BID - - "14453" - - - URL - - http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities - - - URL - - http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239 - path: extensions/metasploit/ - class: Msf_module -msf_lgserver_rxssetdatagrowthscheduleandfilter: - enable: true - msf: true - msf_key: windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter - name: CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),\n\ - \t\t\t\tan attacker could overflow the buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3216 - - - OSVDB - - "35329" - - - BID - - "24348" - path: extensions/metasploit/ - class: Msf_module -msf_ca_arcserve_342: - enable: true - msf: true - msf_key: windows/brightstor/ca_arcserve_342 - name: Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrighStor ARCserve r11.5 (build 3884).\n\ - \t\t\t\tBy sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer\n\ - \t\t\t\tand execute arbitrary code. In order to successfully exploit this vulnerability, you will need\n\ - \t\t\t\tset the hostname argument (HNAME).\n\ - \t\t\t" - authors: - - - BID - - "31684" - - - OSVDB - - "49468" - - - CVE - - 2008-4397 - - - URL - - http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html - path: extensions/metasploit/ - class: Msf_module -msf_lgserver_multi: - enable: true - msf: true - msf_key: windows/brightstor/lgserver_multi - name: CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,\n\ - \t\t\t\tan attacker could overflow the buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3216 - - - OSVDB - - "35329" - - - BID - - "24348" - path: extensions/metasploit/ - class: Msf_module -msf_message_engine_72: - enable: true - msf: true - msf_key: windows/brightstor/message_engine_72 - name: CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\t11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n\ - \t\t\t\tthe buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "68329" - - - URL - - http://www.metasploit.com/users/mc - path: extensions/metasploit/ - class: Msf_module -msf_tape_engine_8A: - enable: true - msf: true - msf_key: windows/brightstor/tape_engine_8A - name: CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\tr11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n\ - \t\t\t\tthe buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "68330" - - - URL - - http://www.metasploit.com/users/mc - path: extensions/metasploit/ - class: Msf_module -msf_hsmserver: - enable: true - msf: true - msf_key: windows/brightstor/hsmserver - name: CA BrightStor HSM Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits one of the multiple stack buffer overflows in Computer Associates BrightStor HSM.\n\ - \t\t\t\tBy sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5082 - - - OSVDB - - "41363" - - - BID - - "25823" - path: extensions/metasploit/ - class: Msf_module -msf_universal_agent: - enable: true - msf: true - msf_key: windows/brightstor/universal_agent - name: CA BrightStor Universal Agent Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a convoluted heap overflow in the CA\n\ - \t\t\t\tBrightStor Universal Agent service. Triple userland\n\ - \t\t\t\texception results in heap growth and execution of\n\ - \t\t\t\tdereferenced function pointer at a specified address.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1018 - - - OSVDB - - "15471" - - - BID - - "13102" - - - URL - - http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities - path: extensions/metasploit/ - class: Msf_module -msf_lgserver_rxsuselicenseini: - enable: true - msf: true - msf_key: windows/brightstor/lgserver_rxsuselicenseini - name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an\n\ - \t\t\t\tattacker could overflow the buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3216 - - - OSVDB - - "35329" - - - BID - - "24348" - path: extensions/metasploit/ - class: Msf_module -msf_license_gcr: - enable: true - msf: true - msf_key: windows/brightstor/license_gcr - name: CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0.\n\ - \t\t\t\tBy sending a specially crafted request to the lic98rmtd.exe service, an attacker\n\ - \t\t\t\tcould overflow the buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0581 - - - OSVDB - - "14389" - - - BID - - "12705" - path: extensions/metasploit/ - class: Msf_module -msf_discovery_udp: - enable: true - msf: true - msf_key: windows/brightstor/discovery_udp - name: CA BrightStor Discovery Service Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\ - \t\t\t\tDiscovery Service. This vulnerability occurs when a large\n\ - \t\t\t\trequest is sent to UDP port 41524, triggering a stack buffer\n\ - \t\t\t\toverflow.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0260 - - - OSVDB - - "13613" - - - BID - - "12491" - - - URL - - http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities - path: extensions/metasploit/ - class: Msf_module -msf_message_engine_heap: - enable: true - msf: true - msf_key: windows/brightstor/message_engine_heap - name: CA BrightStor ARCserve Message Engine Heap Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\t11.5. By sending a specially crafted RPC request, an attacker could overflow the\n\ - \t\t\t\tbuffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-5143 - - - OSVDB - - "29533" - - - BID - - "20365" - path: extensions/metasploit/ - class: Msf_module -msf_tape_engine: - enable: true - msf: true - msf_key: windows/brightstor/tape_engine - name: CA BrightStor ARCserve Tape Engine Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\tr11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow\n\ - \t\t\t\tthe buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6076 - - - OSVDB - - "30637" - - - BID - - "21221" - - - URL - - http://www.milw0rm.com/exploits/3086 - - - URL - - http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=101317 - path: extensions/metasploit/ - class: Msf_module -msf_etrust_itm_alert: - enable: true - msf: true - msf_key: windows/brightstor/etrust_itm_alert - name: Computer Associates Alert Notification Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1\n\ - \t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.\n\ - \t\t\t\tIn order to successfully exploit this vulnerability, you will need valid logon credentials to the target.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4620 - - - OSVDB - - "44040" - - - BID - - "28605" - path: extensions/metasploit/ - class: Msf_module -msf_message_engine: - enable: true - msf: true - msf_key: windows/brightstor/message_engine - name: CA BrightStor ARCserve Message Engine Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\t11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow\n\ - \t\t\t\tthe buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-0169 - - - OSVDB - - "31318" - - - BID - - "22005" - path: extensions/metasploit/ - class: Msf_module -msf_mediasrv_sunrpc: - enable: true - msf: true - msf_key: windows/brightstor/mediasrv_sunrpc - name: CA BrightStor ArcServe Media Service Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploit targets a stack buffer overflow in the MediaSrv RPC service of CA\n\ - \t\t\t\tBrightStor Arcserve. By sending a specially crafted SUNRPC request, an attacker\n\ - \t\t\t\tcan overflow a stack buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2139 - - - OSVDB - - "35326" - - - BID - - "23635" - - - URL - - https://www.zerodayinitiative.com/advisories/ZDI-07-022.html - path: extensions/metasploit/ - class: Msf_module -msf_discovery_tcp: - enable: true - msf: true - msf_key: windows/brightstor/discovery_tcp - name: CA BrightStor Discovery Service TCP Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\n\ - \t\t\t\tDiscovery Service. This vulnerability occurs when a specific\n\ - \t\t\t\ttype of request is sent to the TCP listener on port 41523.\n\ - \t\t\t\tThis vulnerability was discovered by cybertronic[at]gmx.net\n\ - \t\t\t\tand affects all known versions of the BrightStor product.\n\ - \t\t\t\tThis module is based on the 'cabrightstor_disco' exploit by\n\ - \t\t\t\tHD Moore.\n\ - \t\t\t" - authors: - - - CVE - - 2005-2535 - - - OSVDB - - "13814" - - - BID - - "12536" - - - URL - - http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html - - - URL - - http://milw0rm.com/exploits/1131 - path: extensions/metasploit/ - class: Msf_module -msf_lgserver_rxrlogin: - enable: true - msf: true - msf_key: windows/brightstor/lgserver_rxrlogin - name: CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n\ - \t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\n\ - \t\t\t\toverflow the buffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5003 - - - OSVDB - - "41353" - - - BID - - "24348" - path: extensions/metasploit/ - class: Msf_module -msf_ms01_023_printer: - enable: true - msf: true - msf_key: windows/iis/ms01_023_printer - name: Microsoft IIS 5.0 Printer Host Header Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a buffer overflow in the request processor of\n\ - \t\t\t\tthe Internet Printing Protocol ISAPI module in IIS. This\n\ - \t\t\t\tmodule works against Windows 2000 service pack 0 and 1. If\n\ - \t\t\t\tthe service stops responding after a successful compromise,\n\ - \t\t\t\trun the exploit a couple more times to completely kill the\n\ - \t\t\t\thung process.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0241 - - - OSVDB - - "3323" - - - BID - - "2674" - - - MSB - - MS01-023 - - - URL - - http://seclists.org/lists/bugtraq/2001/May/0005.html - path: extensions/metasploit/ - class: Msf_module -msf_ms02_018_htr: - enable: true - msf: true - msf_key: windows/iis/ms02_018_htr - name: Microsoft IIS 4.0 .HTR Path Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a buffer overflow in the ISAPI ISM.DLL used to\n\ - \t\t\t\tprocess HTR scripting in IIS 4.0. This module works against\n\ - \t\t\t\tWindows NT 4 Service Packs 3, 4, and 5. The server will\n\ - \t\t\t\tcontinue to process requests until the payload being\n\ - \t\t\t\texecuted has exited. If you've set EXITFUNC to 'seh', the\n\ - \t\t\t\tserver will continue processing requests, but you will have\n\ - \t\t\t\ttrouble terminating a bind shell. If you set EXITFUNC to\n\ - \t\t\t\tthread, the server will crash upon exit of the bind shell.\n\ - \t\t\t\tThe payload is alpha-numerically encoded without a NOP sled\n\ - \t\t\t\tbecause otherwise the data gets mangled by the filters.\n\ - \t\t\t" - authors: - - - CVE - - 1999-0874 - - - OSVDB - - "3325" - - - BID - - "307" - - - URL - - http://www.eeye.com/html/research/advisories/AD19990608.html - - - MSB - - MS02-018 - path: extensions/metasploit/ - class: Msf_module -msf_ms01_033_idq: - enable: true - msf: true - msf_key: windows/iis/ms01_033_idq - name: Microsoft IIS 5.0 IDQ Path Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the IDQ ISAPI handler for\n\ - \t\t\t\tMicrosoft Index Server.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0500 - - - OSVDB - - "568" - - - MSB - - MS01-033 - - - BID - - "2880" - path: extensions/metasploit/ - class: Msf_module -msf_iis_webdav_upload_asp: - enable: true - msf: true - msf_key: windows/iis/iis_webdav_upload_asp - name: Microsoft IIS WebDAV Write Access Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module can be used to execute a payload on IIS servers that\n\ - \t\t\t\thave world-writeable directories. The payload is uploaded as an ASP\n\ - \t\t\t\tscript using a WebDAV PUT request.\n\ - \t\t\t" - authors: - - - OSVDB - - "397" - - - BID - - "12141" - path: extensions/metasploit/ - class: Msf_module -msf_ms03_007_ntdll_webdav: - enable: true - msf: true - msf_key: windows/iis/ms03_007_ntdll_webdav - name: Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis exploits a buffer overflow in NTDLL.dll on Windows 2000\n\ - \t\t\t\tthrough the SEARCH WebDAV method in IIS. This particular\n\ - \t\t\t\tmodule only works against Windows 2000. It should have a\n\ - \t\t\t\treasonable chance of success against any service pack.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0109 - - - OSVDB - - "4467" - - - BID - - "7116" - - - MSB - - MS03-007 - path: extensions/metasploit/ - class: Msf_module -msf_ms01_026_dbldecode: - enable: true - msf: true - msf_key: windows/iis/ms01_026_dbldecode - name: Microsoft IIS/PWS CGI Filename Double Decode Command Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module will execute an arbitrary payload on a Microsoft IIS installation\n\ - \t\t\t\tthat is vulnerable to the CGI double-decode vulnerability of 2001.\n\n\ - \t\t\t\tNOTE: This module will leave a metasploit payload in the IIS scripts directory.\n\ - \t\t\t" - authors: - - - CVE - - 2001-0333 - - - OSVDB - - "556" - - - BID - - "2708" - - - MSB - - MS01-026 - - - URL - - http://marc.info/?l=bugtraq&m=98992056521300&w=2 - path: extensions/metasploit/ - class: Msf_module -msf_vuplayer_m3u: - enable: true - msf: true - msf_key: windows/fileformat/vuplayer_m3u - name: VUPlayer M3U Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack over flow in VUPlayer <= 2.49. When\n\ - \t\t\t\t\tthe application is used to open a specially crafted m3u file, an buffer is overwritten allowing\n\ - \t\t\t\t\tfor the execution of arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6251 - - - OSVDB - - "31710" - path: extensions/metasploit/ - class: Msf_module -msf_audio_wkstn_pls: - enable: true - msf: true - msf_key: windows/fileformat/audio_wkstn_pls - name: Audio Workstation 6.4.2.4.3 pls Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\n\ - \t\t\t\tWhen opening a malicious pls file with the Audio Workstation,\n\ - \t\t\t\ta remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0476 - - - OSVDB - - "55424" - - - URL - - http://www.exploit-db.com/exploits/10353 - path: extensions/metasploit/ - class: Msf_module -msf_galan_fileformat_bof: - enable: true - msf: true - msf_key: windows/fileformat/galan_fileformat_bof - name: gAlan 0.2.1 Buffer Overflow Exploit - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in gAlan 0.2.1\n\ - \t\t\tBy creating a specially crafted galan file, an an attacker may be able\n\ - \t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "60897" - - - URL - - http://www.exploit-db.com/exploits/10339 - path: extensions/metasploit/ - class: Msf_module -msf_millenium_mp3_pls: - enable: true - msf: true - msf_key: windows/fileformat/millenium_mp3_pls - name: Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.\n\ - \t\t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ - \t\t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\ - \t\t\t\t\tPLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.\n\ - \t\t\t\t\tThis functionality has not been tested in this module.\n\ - \t\t\t" - authors: - - - OSVDB - - "56574" - - - URL - - http://www.exploit-db.com/exploits/9618 - - - URL - - http://www.exploit-db.com/exploits/10240 - path: extensions/metasploit/ - class: Msf_module -msf_ca_cab: - enable: true - msf: true - msf_key: windows/fileformat/ca_cab - name: CA Antivirus Engine CAB Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in CA eTrust Antivirus 8.1.637.\n\ - \t\t\t\t\tBy creating a specially crafted CAB file, an an attacker may be able\n\ - \t\t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2864 - - - OSVDB - - "35245" - - - BID - - "24330" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-07-035.html - path: extensions/metasploit/ - class: Msf_module -msf_hhw_hhp_contentfile_bof: - enable: true - msf: true - msf_key: windows/fileformat/hhw_hhp_contentfile_bof - name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74\n\ - \t\t\t\t\tBy creating a specially crafted hhp file, an an attacker may be able\n\ - \t\t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0564 - - - OSVDB - - "22941" - - - URL - - http://www.exploit-db.com/exploits/1470 - - - URL - - http://www.exploit-db.com/exploits/1495 - path: extensions/metasploit/ - class: Msf_module -msf_ms09_067_excel_featheader: - enable: true - msf: true - msf_key: windows/fileformat/ms09_067_excel_featheader - name: Microsoft Excel Malformed FEATHEADER Record Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\t\tThis module exploits a vulnerability in the handling of the FEATHEADER record\n\ - \t\t\t\t\tby Microsoft Excel. Revisions of Office XP and later prior to the release of the\n\ - \t\t\t\t\tMS09-067 bulletin are vulnerable.\n\n\ - \t\t\t\t\tWhen processing a FEATHEADER (Shared Feature) record, Microsoft used a data\n\ - \t\t\t\t\tstructure from the file to calculate a pointer offset without doing proper\n\ - \t\t\t\t\tvalidation. Attacker supplied data is then used to calculate the location of an\n\ - \t\t\t\t\tobject, and in turn a virtual function call. This results in arbitrary code\n\ - \t\t\t\t\texection.\n\n\ - \t\t\t\t\tNOTE: On some versions of Office, the user will need to dismiss a warning dialog\n\ - \t\t\t\t\tprior to the payload executing.\n\ - \t\t\t\t" - authors: - - - CVE - - 2009-3129 - - - OSVDB - - "59860" - - - MSB - - MS09-067 - - - BID - - "36945" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-09-083/ - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832 - path: extensions/metasploit/ - class: Msf_module -msf_a-pdf_wav_to_mp3: - enable: true - msf: true - msf_key: windows/fileformat/a-pdf_wav_to_mp3 - name: A-PDF WAV to MP3 v1.0.0 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When\n\ - \t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\ - \t\t\t\tallowing arbitrary code execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "67241" - - - URL - - http://www.exploit-db.com/exploits/14676/ - - - URL - - http://www.exploit-db.com/exploits/14681/ - path: extensions/metasploit/ - class: Msf_module -msf_emc_appextender_keyworks: - enable: true - msf: true - msf_key: windows/fileformat/emc_appextender_keyworks - name: EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the KeyWorks KeyHelp Activex Control\n\ - \t\t\t\t(KeyHelp.ocx 1.2.3120.0). This Activex Control comes bundled with EMC's\n\ - \t\t\t\tDocumentation ApplicationXtender 5.4.\n\ - \t\t\t" - authors: - - - OSVDB - - "58423" - - - BID - - "36546" - path: extensions/metasploit/ - class: Msf_module -msf_adobe_libtiff: - enable: true - msf: true - msf_key: windows/fileformat/adobe_libtiff - name: Adobe Acrobat Bundled LibTIFF Integer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat\n\ - \t\t\t\tProfessional versions 8.0 through 8.2 and 9.0 through 9.3.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0188 - - - BID - - "38195" - - - OSVDB - - "62526" - - - URL - - http://www.adobe.com/support/security/bulletins/apsb10-07.html - - - URL - - http://secunia.com/blog/76/ - - - URL - - http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html - path: extensions/metasploit/ - class: Msf_module -msf_proshow_cellimage_bof: - enable: true - msf: true - msf_key: windows/fileformat/proshow_cellimage_bof - name: ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.\n\ - \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3214 - - - OSVDB - - "57226" - - - URL - - http://www.exploit-db.com/exploits/9483 - - - URL - - http://www.exploit-db.com/exploits/9519 - path: extensions/metasploit/ - class: Msf_module -msf_etrust_pestscan: - enable: true - msf: true - msf_key: windows/fileformat/etrust_pestscan - name: CA eTrust PestPatrol ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in CA eTrust PestPatrol. When\n\ - \t\t\t\tsending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-4225 - - - OSVDB - - "60862" - - - URL - - http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm - path: extensions/metasploit/ - class: Msf_module -msf_safenet_softremote_groupname: - enable: true - msf: true - msf_key: windows/fileformat/safenet_softremote_groupname - name: SafeNet SoftRemote GROUPNAME Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in SafeNet SoftRemote\n\ - \t\t\t\tSecurity Policy Editor <= 10.8.5. When an attacker\n\ - \t\t\t\tcreates a specially formatted security policy with an\n\ - \t\t\t\toverly long GROUPNAME argument, it is possible to execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3861 - - - OSVDB - - "59660" - - - URL - - http://www.senseofsecurity.com.au/advisories/SOS-09-008 - path: extensions/metasploit/ - class: Msf_module -msf_mjm_quickplayer_s3m: - enable: true - msf: true - msf_key: windows/fileformat/mjm_quickplayer_s3m - name: MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a\n\ - \t\t\t\tand QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in\n\ - \t\t\t\tone of these 2 applications, a stack buffer overflow can be triggered, resulting in\n\ - \t\t\t\tarbitrary code execution.\n\n\ - \t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. \n\ - \t\t\t" - authors: - - - OSVDB - - "72102" - - - URL - - http://www.corelan.be/advisories.php?id=CORELAN-11-003 - path: extensions/metasploit/ - class: Msf_module -msf_mini_stream: - enable: true - msf: true - msf_key: windows/fileformat/mini_stream - name: Mini-Stream 3.0.1.1 Buffer Overflow Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Mini-Stream 3.0.1.1\n\ - \t\t\t\tBy creating a specially crafted pls file, an an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "61341" - - - URL - - http://www.exploit-db.com/exploits/10745 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_pdf_embedded_exe: - enable: true - msf: true - msf_key: windows/fileformat/adobe_pdf_embedded_exe - name: Adobe PDF Embedded EXE Social Engineering - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module embeds a Metasploit payload into an existing PDF file. The\n\ - \t\t\t\tresulting PDF can be sent to a target as part of a social engineering attack.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1240 - - - OSVDB - - "63667" - - - URL - - http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/ - - - URL - - http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ - - - URL - - http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ - path: extensions/metasploit/ - class: Msf_module -msf_blazedvd_plf: - enable: true - msf: true - msf_key: windows/fileformat/blazedvd_plf - name: BlazeDVD 5.1 PLF Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack over flow in BlazeDVD 5.1. When\n\ - \t\t\t\t\tthe application is used to open a specially crafted plf file,\n\ - \t\t\t\t\ta buffer is overwritten allowing for the execution of arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6199 - - - OSVDB - - "30770" - - - BID - - "35918" - path: extensions/metasploit/ - class: Msf_module -msf_fdm_torrent: - enable: true - msf: true - msf_key: windows/fileformat/fdm_torrent - name: Free Download Manager Torrent Parsing Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Free Download Manager\n\ - \t\t\t\t3.0 Build 844. Arbitrary code execution could occur when parsing a\n\ - \t\t\t\tspecially crafted torrent file.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0184 - - - OSVDB - - "54033" - - - BID - - "33555" - - - URL - - http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18 - - - URL - - http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18 - - - URL - - http://secunia.com/secunia_research/2009-5/ - - - URL - - http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl - path: extensions/metasploit/ - class: Msf_module -msf_xion_m3u_sehbof: - enable: true - msf: true - msf_key: windows/fileformat/xion_m3u_sehbof - name: Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Xion Audio Player prior to version\n\ - \t\t\t\t1.0.126. The vulnerability is triggered when opening a malformed M3U file that\n\ - \t\t\t\tcontains an overly long string. This results in overwriting a\n\ - \t\t\t\tstructured exception handler record.\n\ - \t\t\t" - authors: - - - OSVDB - - "66912" - - - URL - - http://www.exploit-db.com/exploits/14517 - - - URL - - http://www.exploit-db.com/exploits/14633 - - - URL - - http://www.exploit-db.com/exploits/15598 - path: extensions/metasploit/ - class: Msf_module -msf_orbital_viewer_orb: - enable: true - msf: true - msf_key: windows/fileformat/orbital_viewer_orb - name: Orbital Viewer ORB File Parsing Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in David Manthey's\n\ - \t\t\t\tOrbital Viewer. When processing .ORB files, data is read from file into\n\ - \t\t\t\ta fixed-size stack buffer using the fscanf function. Since no bounds\n\ - \t\t\t\tchecking is done, a buffer overflow can occur. Attackers can execute\n\ - \t\t\t\tarbitrary code by convincing their victim to open an ORB file.\n\ - \t\t\t" - authors: - - - BID - - "38436" - - - OSVDB - - "62580" - - - CVE - - 2010-0688 - - - URL - - http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/ - - - URL - - http://www.exploit-db.com/exploits/11581 - path: extensions/metasploit/ - class: Msf_module -msf_ms10_004_textbytesatom: - enable: true - msf: true - msf_key: windows/fileformat/ms10_004_textbytesatom - name: Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow vulnerability in the handling of\n\ - \t\t\t\tthe TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft,\n\ - \t\t\t\tthe PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as\n\ - \t\t\t\tOffice 2004 for Mac, are vulnerable.\n\n\ - \t\t\t\tNOTE: The vulnerable code path is not reachable on versions of Windows prior to\n\ - \t\t\t\tWindows Vista.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0033 - - - OSVDB - - "62241" - - - MSB - - MS10-004 - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-017/ - - - URL - - http://www.snoop-security.com/blog/index.php/2010/03/exploiting-ms10-004-ppt-viewer/ - path: extensions/metasploit/ - class: Msf_module -msf_videolan_tivo: - enable: true - msf: true - msf_key: windows/fileformat/videolan_tivo - name: VideoLAN VLC TiVo Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in VideoLAN VLC 0.9.4.\n\ - \t\t\t\tBy creating a malicious TY file, a remote attacker could overflow a\n\ - \t\t\t\tbuffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4654 - - - OSVDB - - "49181" - - - BID - - "31813" - path: extensions/metasploit/ - class: Msf_module -msf_visio_dxf_bof: - enable: true - msf: true - msf_key: windows/fileformat/visio_dxf_bof - name: Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack based overflow vulnerability in the handling\n\ - \t\t\t\tof the DXF files by Microsoft Visio 2002. Revisions prior to the release of\n\ - \t\t\t\tthe MS bulletin MS10-028 are vulnerable. The overflow occurs when the application\n\ - \t\t\t\tis used to import a specially crafted DXF file, while parsing the HEADER section\n\ - \t\t\t\tof the DXF file.\n\n\ - \t\t\t\tTo trigger the vulnerability an attacker must convince someone to insert a\n\ - \t\t\t\tspecially crafted DXF file to a new document, go to 'Insert' -> 'CAD Drawing'\n\ - \t\t\t\t" - authors: - - - CVE - - 2010-1681 - - - OSVDB - - "64446" - - - BID - - "39836" - - - URL - - http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow - - - URL - - http://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/ - path: extensions/metasploit/ - class: Msf_module -msf_audiotran_pls: - enable: true - msf: true - msf_key: windows/fileformat/audiotran_pls - name: Audiotran 1.4.1 (PLS File) Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in Audiotran 1.4.1.\n\ - \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ - \t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\ - \t\t\t\tPLS file within a browser, when the PLS extention is registered to Audiotran.\n\ - \t\t\t\tThis functionality has not been tested in this module.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0476 - - - OSVDB - - "55424" - - - URL - - http://www.exploit-db.com/exploits/11079 - path: extensions/metasploit/ - class: Msf_module -msf_moxa_mediadbplayback: - enable: true - msf: true - msf_key: windows/fileformat/moxa_mediadbplayback - name: MOXA MediaDBPlayback ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When\n\ - \t\t\t\tsending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)\n\ - \t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "68986" - - - URL - - http://www.moxa.com - path: extensions/metasploit/ - class: Msf_module -msf_ultraiso_cue: - enable: true - msf: true - msf_key: windows/fileformat/ultraiso_cue - name: UltraISO CUE File Parsing Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in EZB Systems, Inc's\n\ - \t\t\t\tUltraISO. When processing .CUE files, data is read from file into a\n\ - \t\t\t\tfixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n\ - \t\t\t\tcan occur. Attackers can execute arbitrary code by convincing their victim\n\ - \t\t\t\tto open an CUE file.\n\n\ - \t\t\t\tNOTE: A file with the same base name, but the extension of \"bin\" must also\n\ - \t\t\t\texist. Opening either file will trigger the vulnerability, but the files must\n\ - \t\t\t\tboth exist.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2888 - - - OSVDB - - "36570" - - - BID - - "24140" - - - URL - - http://www.exploit-db.com/exploits/3978 - path: extensions/metasploit/ - class: Msf_module -msf_activepdf_webgrabber: - enable: true - msf: true - msf_key: windows/fileformat/activepdf_webgrabber - name: activePDF WebGrabber ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When\n\ - \t\t\t\tsending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)\n\ - \t\t\t\tan attacker may be able to execute arbitrary code. This control is not marked safe\n\ - \t\t\t\tfor scripting, so choose your attack vector accordingly.\n\n\ - \t\t\t" - authors: - - - OSVDB - - "64579" - - - URL - - http://www.activepdf.com/products/serverproducts/webgrabber/ - path: extensions/metasploit/ - class: Msf_module -msf_nuance_pdf_launch_overflow: - enable: true - msf: true - msf_key: windows/fileformat/nuance_pdf_launch_overflow - name: Nuance PDF Reader v6.0 Launch Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Nuance PDF Reader v6.0. The vulnerability is\n\ - \t\t\t\t\ttriggered when opening a malformed PDF file that contains an overly long string in a /Launch field. This results in overwriting a structured exception handler record.\n\ - \t\t\t\t\tThis exploit does not use javascript.\n\ - \t\t\t" - authors: - - - OSVDB - - "68514" - - - URL - - http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-062-stack-buffer-overflow-in-nuance-pdf-reader-v6-0/ - path: extensions/metasploit/ - class: Msf_module -msf_lotusnotes_lzh: - enable: true - msf: true - msf_key: windows/lotus/lotusnotes_lzh - name: Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview(.lzh attachment) - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in Lotus Notes 8.5.2 when\n\ - \t\t\t\tparsing a malformed, specially crafted LZH file. This vulnerability was\n\ - \t\t\t\tdiscovered binaryhouse.net\n\n\ - \t\t\t" - authors: - - - CVE - - 2011-1213 - - - OSVDB - - "72706" - - - BID - - "48018" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904 - - - URL - - http://www.ibm.com/support/docview.wss?uid=swg21500034 - path: extensions/metasploit/ - class: Msf_module -msf_vuplayer_cue: - enable: true - msf: true - msf_key: windows/fileformat/vuplayer_cue - name: VUPlayer CUE Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack over flow in VUPlayer <= 2.49. When\n\ - \t\t\t\tthe application is used to open a specially crafted cue file, an buffer is overwritten allowing\n\ - \t\t\t\tfor the execution of arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "64581" - - - BID - - "33960" - path: extensions/metasploit/ - class: Msf_module -msf_mcafee_hercules_deletesnapshot: - enable: true - msf: true - msf_key: windows/fileformat/mcafee_hercules_deletesnapshot - name: McAfee Remediation Client ActiveX Control Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When\n\ - \t\t\t\tsending an overly long string to the DeleteSnapshot() method\n\ - \t\t\t\tof enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.\n\ - \t\t\t\tThis control is not marked safe for scripting, so choose your attack vector accordingly.\n\ - \t\t\t" - authors: - - - URL - - http://www.metasploit.com - path: extensions/metasploit/ - class: Msf_module -msf_vlc_smb_uri: - enable: true - msf: true - msf_key: windows/fileformat/vlc_smb_uri - name: VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Win32AddConnection\n\ - \t\t\t\tfunction of the VideoLAN VLC media player. Versions 0.9.9 throught 1.0.1 are\n\ - \t\t\t\treportedly affected.\n\n\ - \t\t\t\tThis vulnerability is only present in Win32 builds of VLC.\n\n\ - \t\t\t\tThis payload was found to work with the windows/exec and\n\ - \t\t\t\twindows/meterpreter/reverse_tcp payloads. However, the\n\ - \t\t\t\twindows/meterpreter/reverse_ord_tcp was found not to work.\n\ - \t\t\t" - authors: - - - BID - - "35500" - - - OSVDB - - "55509" - - - CVE - - 2009-2484 - - - URL - - http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f - - - URL - - http://milw0rm.com/exploits/9209 - - - URL - - http://www.exploit-db.com/exploits/9029 - path: extensions/metasploit/ - class: Msf_module -msf_foxit_reader_filewrite: - enable: true - msf: true - msf_key: windows/fileformat/foxit_reader_filewrite - name: Foxit PDF Reader 4.2 Javascript File Write - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an unsafe Javascript API implemented in Foxit PDF Reader\n\ - \t\t\t\t\tversion 4.2. The createDataObject() Javascript API function allows for writing\n\ - \t\t\t\t\tarbitrary files to the file system. This issue was fixed in version 4.3.1.0218.\n\ - \t\t\t\t\t\n\ - \t\t\t\t\tNote: This exploit uses the All Users directory currently, which required \n\ - \t\t\t\t\tadministrator privileges to write to. This means an administrative user has to\n\ - \t\t\t\t\topen the file to be successful. Kind of lame but thats how it goes sometimes in\n\ - \t\t\t\t\tthe world of file write bugs.\n\ - \t\t\t" - authors: - - - OSVDB - - "71104" - - - URL - - http://scarybeastsecurity.blogspot.com/2011/03/dangerous-file-write-bug-in-foxit-pdf.html - path: extensions/metasploit/ - class: Msf_module -msf_hhw_hhp_indexfile_bof: - enable: true - msf: true - msf_key: windows/fileformat/hhw_hhp_indexfile_bof - name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74\n\ - \t\t\t\t\tBy creating a specially crafted hhp file, an an attacker may be able\n\ - \t\t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0133 - - - BID - - "33189" - - - OSVDB - - "22941" - - - URL - - http://www.exploit-db.com/exploits/10323 - - - URL - - http://www.exploit-db.com/exploits/10335 - path: extensions/metasploit/ - class: Msf_module -msf_msworks_wkspictureinterface: - enable: true - msf: true - msf_key: windows/fileformat/msworks_wkspictureinterface - name: Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThe Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\n\ - \t\t\t\tto execute arbitrary code on a system. By passing a negative integer to the\n\ - \t\t\t\tWksPictureInterface method, an attacker could execute arbitrary code on the system\n\ - \t\t\t\twith privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.\n\ - \t\t\t\tThis control is not marked safe for scripting, please choose your attack vector carefully.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1898 - - - OSVDB - - "44458" - path: extensions/metasploit/ - class: Msf_module -msf_vlc_modplug_s3m: - enable: true - msf: true - msf_key: windows/fileformat/vlc_modplug_s3m - name: VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an input validation error in libmod_plugin as\n\ - \t\t\t\tincluded with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9\n\ - \t\t\t\tare affected. By creating a malicious S3M file, a remote attacker\n\ - \t\t\t\tcould execute arbitrary code.\n\n\ - \t\t\t\tAlthough other products that bundle libmodplug may be vulnerable, this\n\ - \t\t\t\tmodule was only tested against VLC.\n\n\ - \t\t\t\tNOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n\ - \t\t\t\tpermanently enable NX support on machines that support it. As such,\n\ - \t\t\t\tthis module is capable of bypassing DEP, but not ASLR.\n\ - \t\t\t" - authors: - - - CVE - - 2011-1574 - - - OSVDB - - "72143" - - - URL - - http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms;a=commitdiff;h=aecef259828a89bb00c2e6f78e89de7363b2237b - - - URL - - http://hackipedia.org/File%20formats/Music/html/s3mformat.php - - - URL - - https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt - - - URL - - http://seclists.org/fulldisclosure/2011/Apr/113 - path: extensions/metasploit/ - class: Msf_module -msf_aol_desktop_linktag: - enable: true - msf: true - msf_key: windows/fileformat/aol_desktop_linktag - name: AOL Desktop 9.6 RTX Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability found in AOL Desktop 9.6's Tool\\rich.rct\n\ - \t\t\t\tcomponent. By supplying a long string of data in the hyperlink tag, rich.rct copies\n\ - \t\t\t\tthis data into a buffer using a strcpy function, which causes an overflow, and\n\ - \t\t\t\tresults arbitrary code execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "70741" - - - URL - - http://www.exploit-db.com/exploits/16085/ - path: extensions/metasploit/ - class: Msf_module -msf_ms10_087_rtf_pfragments_bof: - enable: true - msf: true - msf_key: windows/fileformat/ms10_087_rtf_pfragments_bof - name: Microsoft Word RTF pFragments Stack Buffer Overflow (File Format) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in the handling of the\n\ - \t\t\t\t'pFragments' shape property within the Microsoft Word RTF parser. All versions\n\ - \t\t\t\tof Microsoft Office 2010, 2007, 2003, and XP prior to the release of the\n\ - \t\t\t\tMS10-087 bulletin are vulnerable.\n\n\ - \t\t\t\tThis module does not attempt to exploit the vulnerability via Microsoft Outlook.\n\n\ - \t\t\t\tThe Microsoft Word RTF parser was only used by default in versions of Microsoft\n\ - \t\t\t\tWord itself prior to Office 2007. With the release of Office 2007, Microsoft\n\ - \t\t\t\tbegan using the Word RTF parser, by default, to handle rich-text messages within\n\ - \t\t\t\tOutlook as well. It was possible to configure Outlook 2003 and earlier to use\n\ - \t\t\t\tthe Microsoft Word engine too, but it was not a default setting.\n\n\ - \t\t\t\tIt appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that\n\ - \t\t\t\tMicrosoft will confirm or deny this since Office 2000 has reached its support\n\ - \t\t\t\tcycle end-of-life.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3333 - - - OSVDB - - "69085" - - - MSB - - MS10-087 - - - BID - - "44652" - - - URL - - http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880 - path: extensions/metasploit/ - class: Msf_module -msf_hhw_hhp_compiledfile_bof: - enable: true - msf: true - msf_key: windows/fileformat/hhw_hhp_compiledfile_bof - name: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HTML Help Workshop 4.74\n\ - \t\t\t\tBy creating a specially crafted hhp file, an an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2006-0564 - - - OSVDB - - "22941" - - - URL - - http://www.exploit-db.com/exploits/1488 - - - URL - - http://www.exploit-db.com/exploits/1490 - path: extensions/metasploit/ - class: Msf_module -msf_feeddemon_opml: - enable: true - msf: true - msf_key: windows/fileformat/feeddemon_opml - name: FeedDemon <= 3.1.0.12 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application\n\ - \t\t\t\tis used to import a specially crafted opml file, a buffer overflow occurs allowing\n\ - \t\t\t\tarbitrary code execution.\n\n\ - \t\t\t\tAll versions are suspected to be vulnerable. This vulnerability was originally reported\n\ - \t\t\t\tagainst version 2.7 in February of 2009.\n\ - \t\t\t" - authors: - - - CVE - - 2009-0546 - - - OSVDB - - "51753" - - - BID - - "33630" - - - URL - - http://www.exploit-db.com/exploits/7995 - - - URL - - http://www.exploit-db.com/exploits/8010 - - - URL - - http://www.exploit-db.com/exploits/11379 - path: extensions/metasploit/ - class: Msf_module -msf_ms11_006_createsizeddibsection: - enable: true - msf: true - msf_key: windows/fileformat/ms11_006_createsizeddibsection - name: Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in the handling of thumbnails\n\ - \t\t\t\twithin .MIC files and various Office documents. When processing a thumbnail bitmap\n\ - \t\t\t\tcontaining a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This\n\ - \t\t\t\tleads to arbitrary code execution.\n\n\ - \t\t\t\tIn order to trigger the vulnerable code, the folder containing the document must be\n\ - \t\t\t\tviewed using the \"Thumbnails\" view.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3970 - - - OSVDB - - "70263" - - - MSB - - MS11-006 - - - BID - - "45662" - - - URL - - http://www.microsoft.com/technet/security/advisory/2490606.mspx - - - URL - - http://www.powerofcommunity.net/schedule.html - path: extensions/metasploit/ - class: Msf_module -msf_visiwave_vwr_type: - enable: true - msf: true - msf_key: windows/fileformat/visiwave_vwr_type - name: VisiWave VWR File Parsing Vulnerability - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a vulnerability found in VisiWave's Site Survey Report application.\n\ - \t\t\t\tWhen processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'\n\ - \t\t\t\tproperty (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',\n\ - \t\t\t\t'Image'), but if a match isn't found, the function that's supposed to handle this routine\n\ - \t\t\t\tends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10]\n\ - \t\t\t\tinstruction. This allows attackers to overwrite it with any arbitrary value, and results code\n\ - \t\t\t\texecution. A patch is available at visiwave.com; the fix is done by XORing the return value as\n\ - \t\t\t\tnull if no match is found, and then it is validated before use.\n\n\ - \t\t\t\tNOTE: During installation, the application will register two file handle's, VWS and VWR and allows a\n\ - \t\t\t\tvictim user to 'double click' the malicious VWR file and execute code. This module was also built\n\ - \t\t\t\tto bypass ASLR and DEP.\n\ - \t\t\t" - authors: - - - CVE - - 2011-2386 - - - OSVDB - - "72464" - - - URL - - http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html - - - URL - - http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20 - path: extensions/metasploit/ - class: Msf_module -msf_mediajukebox: - enable: true - msf: true - msf_key: windows/fileformat/mediajukebox - name: Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Media Jukebox 8.0.400\n\ - \t\t\t\tBy creating a specially crafted m3u or pls file, an an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "55924" - - - CVE - - 2009-2650 - path: extensions/metasploit/ - class: Msf_module -msf_microp_mppl: - enable: true - msf: true - msf_key: windows/fileformat/microp_mppl - name: MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow - category: Metasploit - description: " \n\ - \t\t\t\t\tThis module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based\n\ - \t\t\t\tbuffer overflow occurs when the content of a .mppl file gets copied onto the stack,\n\ - \t\t\t\twhich overwrites the lpFileName parameter of a CreateFileA() function, and results\n\ - \t\t\t\tarbitrary code execution under the context of the user.\n\ - \t\t\t" - authors: - - - OSVDB - - "73627" - - - URL - - http://www.exploit-db.com/exploits/14720 - path: extensions/metasploit/ - class: Msf_module -msf_sascam_get: - enable: true - msf: true - msf_key: windows/fileformat/sascam_get - name: SasCam Webcam Server v.2.6.5 Get() method Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThe SasCam Webcam Server ActiveX control is vulnerable to a buffer overflow.\n\ - \t\t\t\tBy passing an overly long argument via the Get method, a remote attacker could\n\ - \t\t\t\toverflow a buffer and execute arbitrary code on the system with the privileges\n\ - \t\t\t\tof the user. This control is not marked safe for scripting, please choose your\n\ - \t\t\t\tattack vector carefully.\n\ - \t\t\t\t" - authors: - - - CVE - - 2008-6898 - - - OSVDB - - "55945" - - - BID - - "33053" - path: extensions/metasploit/ - class: Msf_module -msf_fatplayer_wav: - enable: true - msf: true - msf_key: windows/fileformat/fatplayer_wav - name: Fat Player Media Player 0.6b0 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Fat Player 0.6b. When\n\ - \t\t\t\tthe application is used to import a specially crafted wav file, a buffer overflow occurs\n\ - \t\t\t\tallowing arbitrary code execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "57343" - - - URL - - https://www.exploit-db.com/exploits/15279/ - path: extensions/metasploit/ - class: Msf_module -msf_mjm_coreplayer2011_s3m: - enable: true - msf: true - msf_key: windows/fileformat/mjm_coreplayer2011_s3m - name: MJM Core Player 2011 .s3m Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in MJM Core Player 2011\n\ - \t\t\t\tWhen opening a malicious s3m file in this applications, a stack buffer overflow can be\n\ - \t\t\t\ttriggered, resulting in arbitrary code execution.\n\ - \t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. \n\ - \t\t\t" - authors: - - - OSVDB - - "72101" - - - URL - - http://www.corelan.be/advisories.php?id=CORELAN-11-004 - path: extensions/metasploit/ - class: Msf_module -msf_wm_downloader_m3u: - enable: true - msf: true - msf_key: windows/fileformat/wm_downloader_m3u - name: WM Downloader 3.1.2.2 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in WM Downloader v3.1.2.2. When\n\ - \t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\ - \t\t\t\tallowing arbitrary code execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "66911" - - - URL - - http://www.exploit-db.com/exploits/14497/ - path: extensions/metasploit/ - class: Msf_module -msf_adobe_flashplayer_button: - enable: true - msf: true - msf_key: windows/fileformat/adobe_flashplayer_button - name: Adobe Flash Player "Button" Remote Code Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability in the handling of certain SWF movies\n\ - \t\t\t\twithin versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat\n\ - \t\t\t\tare also vulnerable, as are any other applications that may embed Flash player.\n\n\ - \t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\n\ - \t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\n\ - \t\t\t\tthat the memory used by the invalid pointer issue is controlled.\n\n\ - \t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\n\ - \t\t\t\tadobe_libtiff module. This method is unlikely to work across various\n\ - \t\t\t\tWindows versions due a the hardcoded syscall number.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3654 - - - OSVDB - - "68932" - - - BID - - "44504" - - - URL - - http://www.adobe.com/support/security/advisories/apsa10-05.html - - - URL - - http://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/ - - - URL - - http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/ - path: extensions/metasploit/ - class: Msf_module -msf_deepburner_path: - enable: true - msf: true - msf_key: windows/fileformat/deepburner_path - name: AstonSoft DeepBurner (DBR File) Path Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in versions 1.9.0.228,\n\ - \t\t\t\t1.8.0, and possibly other versions of AstonSoft's DeepBurner (Pro, Lite, etc).\n\ - \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ - \t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\ - \t\t\t\tDBR file within a browser, since the DBR extention is registered to DeepBurner.\n\ - \t\t\t" - authors: - - - BID - - "21657" - - - OSVDB - - "32356" - - - CVE - - 2006-6665 - - - URL - - http://milw0rm.com/exploits/2950 - - - URL - - http://milw0rm.com/exploits/8335 - - - URL - - http://www.exploit-db.com/exploits/11315 - path: extensions/metasploit/ - class: Msf_module -msf_acdsee_xpm: - enable: true - msf: true - msf_key: windows/fileformat/acdsee_xpm - name: ACDSee XPM File Section Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in ACDSee 9.0.\n\ - \t\t\t\tWhen viewing a malicious XPM file with the ACDSee product,\n\ - \t\t\t\ta remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2193 - - - OSVDB - - "35236" - - - BID - - "23620" - path: extensions/metasploit/ - class: Msf_module -msf_bacnet_csv: - enable: true - msf: true - msf_key: windows/fileformat/bacnet_csv - name: BACnet OPC Client Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in SCADA\n\ - \t\t\t\tEngine BACnet OPC Client v1.0.24. When the BACnet OPC Client\n\ - \t\t\t\tparses a specially crafted csv file, arbitrary code may be\n\ - \t\t\t\texecuted.\n\ - \t\t\t" - authors: - - - OSVDB - - "68096" - - - BID - - "43289" - - - URL - - http://www.us-cert.gov/control_systems/pdf/ICSA-10-264-01.pdf - path: extensions/metasploit/ - class: Msf_module -msf_cain_abel_4918_rdp: - enable: true - msf: true - msf_key: windows/fileformat/cain_abel_4918_rdp - name: Cain & Abel <= v4.9.24 RDP Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24\n\ - \t\t\t\tand below. An attacker must send the file to victim, and the victim must open\n\ - \t\t\t\tthe specially crafted RDP file under Tools -> Remote Desktop Password Decoder.\n\ - \t\t\t" - authors: - - - CVE - - 2008-5405 - - - OSVDB - - "50342" - - - URL - - http://www.milw0rm.com/exploits/7329 - - - BID - - "32543" - path: extensions/metasploit/ - class: Msf_module -msf_subtitle_processor_m3u_bof: - enable: true - msf: true - msf_key: windows/fileformat/subtitle_processor_m3u_bof - name: Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability found in Subtitle Processor 7. By\n\ - \t\t\t\tsupplying a long string of data as a .m3u file, Subtitle Processor first converts\n\ - \t\t\t\tthis input in Unicode, which expands the string size, and then attempts to copy it\n\ - \t\t\t\tinline on the stack. This results a buffer overflow with SEH overwritten, allowing\n\ - \t\t\t\tarbitrary code execution.\n\ - \t\t\t" - authors: - - - URL - - http://sourceforge.net/projects/subtitleproc/ - - - URL - - http://www.exploit-db.com/exploits/17217/ - path: extensions/metasploit/ - class: Msf_module -msf_mymp3player_m3u: - enable: true - msf: true - msf_key: windows/fileformat/mymp3player_m3u - name: Steinberg MyMP3Player 3.0 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Steinberg MyMP3Player == 3.0. When\n\ - \t\t\t\tthe application is used to open a specially crafted m3u file, a buffer overflow occurs\n\ - \t\t\t\tallowing arbitrary code execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "64580" - - - URL - - http://www.exploit-db.com/exploits/11791 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_collectemailinfo: - enable: true - msf: true - msf_key: windows/fileformat/adobe_collectemailinfo - name: Adobe Collab.collectEmailInfo() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.\n\ - \t\t\t\t\tBy creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call,\n\ - \t\t\t\t\tan attacker may be able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-5659 - - - OSVDB - - "41495" - path: extensions/metasploit/ - class: Msf_module -msf_ideal_migration_ipj: - enable: true - msf: true - msf_key: windows/fileformat/ideal_migration_ipj - name: PointDev IDEAL Migration Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in versions v9.7\n\ - \t\t\t\tthrough v10.5 of IDEAL Administration and versions 4.5 and 4.51 of\n\ - \t\t\t\tIDEAL Migration. All versions are suspected to be vulnerable.\n\ - \t\t\t\tBy creating a specially crafted ipj file, an an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\n\ - \t\t\t\tNOTE: IDEAL Administration 10.5 is compiled with /SafeSEH\n\ - \t\t\t" - authors: - - - CVE - - 2009-4265 - - - OSVDB - - "60681" - - - URL - - http://www.exploit-db.com/exploits/10319 - - - URL - - http://www.exploit-db.com/exploits/12403 - - - URL - - http://www.exploit-db.com/exploits/12404 - - - URL - - http://www.exploit-db.com/exploits/12540 - path: extensions/metasploit/ - class: Msf_module -msf_djvu_imageurl: - enable: true - msf: true - msf_key: windows/fileformat/djvu_imageurl - name: DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an\n\ - \t\t\t\toverly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0)\n\ - \t\t\t\tan attacker may be able to execute arbitrary code. This control is not marked safe\n\ - \t\t\t\tfor scripting, so choose your attack vector accordingly.\n\ - \t\t\t" - authors: - - - CVE - - 2008-4922 - - - OSVDB - - "49592" - - - BID - - "31987" - path: extensions/metasploit/ - class: Msf_module -msf_ht_mp3player_ht3_bof: - enable: true - msf: true - msf_key: windows/fileformat/ht_mp3player_ht3_bof - name: HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in HT-MP3Player 1.0.\n\ - \t\t\t\t\tArbitrary code execution could occur when parsing a specially crafted\n\ - \t\t\t\t\t.HT3 file.\n\n\ - \t\t\t\t\tNOTE: The player installation does not register the file type to be\n\ - \t\t\t\t\thandled. Therefore, a user must take extra steps to load this file.\n\ - \t\t\t" - authors: - - - CVE - - 2009-2485 - - - OSVDB - - "55449" - - - URL - - http://www.milw0rm.com/exploits/9034 - - - URL - - http://www.milw0rm.com/exploits/9038 - path: extensions/metasploit/ - class: Msf_module -msf_vlc_webm: - enable: true - msf: true - msf_key: windows/fileformat/vlc_webm - name: VideoLAN VLC MKV Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an input validation error in VideoLAN VLC\n\ - \t\t\t\t< 1.1.7. By creating a malicious MKV or WebM file, a remote attacker\n\ - \t\t\t\tcould execute arbitrary code.\n\n\ - \t\t\t\tNOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to\n\ - \t\t\t\tpermanently enable NX support on machines that support it.\n\ - \t\t\t" - authors: - - - OSVDB - - "70698" - - - CVE - - 2011-0531 - - - BID - - "46060" - - - URL - - http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456 - - - URL - - http://www.videolan.org/security/sa1102.html - path: extensions/metasploit/ - class: Msf_module -msf_altap_salamander_pdb: - enable: true - msf: true - msf_key: windows/fileformat/altap_salamander_pdb - name: Altap Salamander 2.5 PE Viewer Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Altap Salamander <= v2.5.\n\ - \t\t\t\t\tBy creating a malicious file and convincing a user to view the file with\n\ - \t\t\t\t\tthe Portable Executable Viewer plugin within a vulnerable version of\n\ - \t\t\t\t\tSalamander, the PDB file string is copied onto the stack and the\n\ - \t\t\t\t\tSEH can be overwritten.\n\ - \t\t\t" - authors: - - - CVE - - 2007-3314 - - - BID - - "24557" - - - OSVDB - - "37579" - - - URL - - http://vuln.sg/salamander25-en.html - path: extensions/metasploit/ - class: Msf_module -msf_adobe_illustrator_v14_eps: - enable: true - msf: true - msf_key: windows/fileformat/adobe_illustrator_v14_eps - name: Adobe Illustrator CS4 v14.0.0 - category: Metasploit - description: "\n\ - \t\t\t\t\tAdobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\n\ - \t\t\t\toverlong DSC Comment Buffer Overflow Exploit\n\ - \t\t\t" - authors: - - - CVE - - 2009-4195 - - - BID - - "37192" - - - OSVDB - - "60632" - - - URL - - http://retrogod.altervista.org/9sg_adobe_illuso.html - - - URL - - http://www.exploit-db.com/exploits/10281 - path: extensions/metasploit/ - class: Msf_module -msf_ezip_wizard_bof: - enable: true - msf: true - msf_key: windows/fileformat/ezip_wizard_bof - name: eZip Wizard 3.0 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow vulnerability in\n\ - \t\t\t\tversion 3.0 of ediSys Corp.'s eZip Wizard.\n\n\ - \t\t\t\tIn order for the command to be executed, an attacker must convince someone to\n\ - \t\t\t\topen a specially crafted zip file with eZip Wizard, and access the specially\n\ - \t\t\t\tfile via double-clicking it. By doing so, an attacker can execute arbitrary\n\ - \t\t\t\tcode as the victim user.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1028 - - - OSVDB - - "52815" - - - BID - - "34044" - - - URL - - http://www.edisys.com/ - - - URL - - http://www.exploit-db.com/exploits/8180 - - - URL - - http://www.exploit-db.com/exploits/12059/ - path: extensions/metasploit/ - class: Msf_module -msf_aol_phobos_bof: - enable: true - msf: true - msf_key: windows/fileformat/aol_phobos_bof - name: AOL 9.5 Phobos.Playlist Import() Stack-based Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\tThis module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5.\n\ - \t\t\t\tBy setting an overly long value to 'Import()', an attacker can overrun a buffer\n\ - \t\t\t\tand execute arbitrary code.\n\n\ - \t\t\t\tNOTE: This ActiveX control is NOT marked safe for scripting or initialization.\n\ - \t\t\t" - authors: - - - OSVDB - - "61964" - - - URL - - http://www.exploit-db.com/exploits/11204 - - - URL - - http://www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/ - path: extensions/metasploit/ - class: Msf_module -msf_videospirit_visprj: - enable: true - msf: true - msf_key: windows/fileformat/videospirit_visprj - name: VeryTools Video Spirit Pro <= 1.70 - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Video Spirit <= 1.70.\n\ - \t\t\t\tWhen opening a malicious project file (.visprj), a stack buffer overflow occurs,\n\ - \t\t\t\tresulting in arbitrary code execution.\n\ - \t\t\t\tThis exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.\n\ - \t\t\t" - authors: - - - CVE - - 2011-0499 - - - CVE - - 2011-0500 - - - OSVDB - - "70619" - - - URL - - http://www.corelan.be/advisories.php?id=CORELAN-11-001 - path: extensions/metasploit/ - class: Msf_module -msf_destinymediaplayer16: - enable: true - msf: true - msf_key: windows/fileformat/destinymediaplayer16 - name: Destiny Media Player 1.61 PLS M3U Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Destiny Media Player 1.61.\n\ - \t\t\t\t\tAn attacker must send the file to victim and the victim must open the file. File-->Open Playlist\n\ - \t\t\t" - authors: - - - CVE - - 2009-3429 - - - OSVDB - - "53249" - - - URL - - http://www.milw0rm.com/exploits/7651 - - - BID - - "33091" - path: extensions/metasploit/ - class: Msf_module -msf_xenorate_xpl_bof: - enable: true - msf: true - msf_key: windows/fileformat/xenorate_xpl_bof - name: Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Xenorate 2.50\n\ - \t\t\t\tBy creating a specially crafted xpl file, an an attacker may be able\n\ - \t\t\t\tto execute arbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "57162" - - - URL - - http://www.exploit-db.com/exploits/10371 - path: extensions/metasploit/ - class: Msf_module -msf_ursoft_w32dasm: - enable: true - msf: true - msf_key: windows/fileformat/ursoft_w32dasm - name: URSoft W32Dasm Disassembler Function Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in W32Dasm <= v8.93.\n\ - \t\t\t\tBy creating a malicious file and convincing a user to disassemble\n\ - \t\t\t\tthe file with a vulnerable version of W32Dasm, the Imports/Exports\n\ - \t\t\t\tfunction is copied to the stack and arbitrary code may be executed\n\ - \t\t\t\tlocally as the user.\n\ - \t\t\t" - authors: - - - CVE - - 2005-0308 - - - OSVDB - - "13169" - - - BID - - "12352" - - - URL - - http://aluigi.altervista.org/adv/w32dasmbof-adv.txt - path: extensions/metasploit/ - class: Msf_module -msf_ultraiso_ccd: - enable: true - msf: true - msf_key: windows/fileformat/ultraiso_ccd - name: UltraISO CCD File Parsing Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in EZB Systems, Inc's\n\ - \t\t\t\tUltraISO. When processing .CCD files, data is read from file into a\n\ - \t\t\t\tfixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n\ - \t\t\t\tcan occur. Attackers can execute arbitrary code by convincing their victim\n\ - \t\t\t\tto open an CCD file.\n\n\ - \t\t\t\tNOTE: A file with the same base name, but the extension of \"img\" must also\n\ - \t\t\t\texist. Opening either file will trigger the vulnerability, but the files must\n\ - \t\t\t\tboth exist.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1260 - - - OSVDB - - "53275" - - - BID - - "34363" - - - BID - - "38613" - - - URL - - http://www.exploit-db.com/exploits/8343 - path: extensions/metasploit/ - class: Msf_module -msf_zinfaudioplayer221_pls: - enable: true - msf: true - msf_key: windows/fileformat/zinfaudioplayer221_pls - name: Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.\n\ - \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ - \t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\n\ - \t\t\t\tPLS file within a browser, when the PLS extention is registered to Zinf.\n\ - \t\t\t\tThis functionality has not been tested in this module.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0964 - - - OSVDB - - "10416" - - - URL - - http://www.milw0rm.com/exploits/7888 - - - BID - - "11248" - path: extensions/metasploit/ - class: Msf_module -msf_digital_music_pad_pls: - enable: true - msf: true - msf_key: windows/fileformat/digital_music_pad_pls - name: Digital Music Pad Version 8.2.3.3.4 Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4\n\ - \t\t\t\tWhen opening a malicious pls file with the Digital Music Pad,\n\ - \t\t\t\ta remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code.\n\ - \t\t\t" - authors: - - - OSVDB - - "68178" - - - URL - - http://secunia.com/advisories/41519/ - - - URL - - http://www.exploit-db.com/exploits/15134 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_u3d_meshdecl: - enable: true - msf: true - msf_key: windows/fileformat/adobe_u3d_meshdecl - name: Adobe U3D CLODProgressiveMeshDeclaration Array Overrun - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits an array overflow in Adobe Reader and Adobe Acrobat.\n\ - \t\t\t\t\tAffected versions include < 7.1.4, < 8.2, and < 9.3. By creating a\n\ - \t\t\t\t\tspecially crafted pdf that a contains malformed U3D data, an attacker may\n\ - \t\t\t\t\tbe able to execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2009-3953 - - - OSVDB - - "61690" - - - URL - - http://www.adobe.com/support/security/bulletins/apsb10-02.html - path: extensions/metasploit/ - class: Msf_module -msf_magix_musikmaker_16_mmm: - enable: true - msf: true - msf_key: windows/fileformat/magix_musikmaker_16_mmm - name: Magix Musik Maker 16 .mmm Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Magix Musik Maker 16.\n\ - \t\t\t\tWhen opening a specially crafted arrangement file (.mmm) in the application, an\n\ - \t\t\t\tunsafe strcpy() will allow you to overwrite a SEH handler. This exploit\n\ - \t\t\t\tbypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and\n\ - \t\t\t\tmight require up to several seconds to receive a shell.\n\ - \t\t\t" - authors: - - - OSVDB - - "72455" - - - URL - - http://www.corelan.be/advisories.php?id=CORELAN-11-002 - path: extensions/metasploit/ - class: Msf_module -msf_adobe_pdf_embedded_exe_nojs: - enable: true - msf: true - msf_key: windows/fileformat/adobe_pdf_embedded_exe_nojs - name: Adobe PDF Escape EXE Social Engineering (No JavaScript) - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module embeds a Metasploit payload into an existing PDF file in\n\ - \t\t\t\ta non-standard method. The resulting PDF can be sent to a target as\n\ - \t\t\t\tpart of a social engineering attack.\n\ - \t\t\t" - authors: - - - CVE - - 2010-1240 - - - OSVDB - - "63667" - - - URL - - http://blog.didierstevens.com/2010/04/06/update-escape-from-pdf/ - - - URL - - http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ - - - URL - - http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ - path: extensions/metasploit/ - class: Msf_module -msf_ms_visual_basic_vbp: - enable: true - msf: true - msf_key: windows/fileformat/ms_visual_basic_vbp - name: Microsoft Visual Basic VBP Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack oveflow in Microsoft Visual\n\ - \t\t\t\tBasic 6.0. When a specially crafted vbp file containing a long\n\ - \t\t\t\treference line, an attacker may be able to execute arbitrary\n\ - \t\t\t\tcode.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4776 - - - OSVDB - - "36936" - - - BID - - "25629" - path: extensions/metasploit/ - class: Msf_module -msf_somplplayer_m3u: - enable: true - msf: true - msf_key: windows/fileformat/somplplayer_m3u - name: S.O.M.P.L 1.0 Player Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Simple Open Music Player v1.0. When\n\ - \t\t\t\tthe application is used to import a specially crafted m3u file, a buffer overflow occurs\n\ - \t\t\t\tallowing arbitrary code execution.\n\ - \t\t\t" - authors: - - - OSVDB - - "64368" - - - URL - - http://www.exploit-db.com/exploits/11219 - path: extensions/metasploit/ - class: Msf_module -msf_foxit_title_bof: - enable: true - msf: true - msf_key: windows/fileformat/foxit_title_bof - name: Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Foxit PDF Reader prior to version\n\ - \t\t\t\t4.2.0.0928. The vulnerability is triggered when opening a malformed PDF file that\n\ - \t\t\t\tcontains an overly long string in the Title field. This results in overwriting a\n\ - \t\t\t\tstructured exception handler record.\n\n\ - \t\t\t\tNOTE: This exploit does not use javascript.\n\ - \t\t\t" - authors: - - - OSVDB - - "68648" - - - URL - - http://www.exploit-db.com/exploits/15532 - - - URL - - http://www.corelan.be:8800/index.php/2010/11/13/offensive-security-exploit-weekend/ - path: extensions/metasploit/ - class: Msf_module -msf_varicad_dwb: - enable: true - msf: true - msf_key: windows/fileformat/varicad_dwb - name: VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.\n\ - \t\t\t\tAn attacker must send the file to victim and the victim must open the file.\n\ - \t\t\t" - authors: - - - OSVDB - - "63067" - - - BID - - "38815" - - - URL - - http://www.exploit-db.com/exploits/11789 - path: extensions/metasploit/ - class: Msf_module -msf_ms09_004_sp_replwritetovarbin_sqli: - enable: true - msf: true - msf_key: windows/mssql/ms09_004_sp_replwritetovarbin_sqli - name: Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection - category: Metasploit - description: "\n\ - \t\t\t\t\tA heap-based buffer overflow can occur when calling the undocumented\n\ - \t\t\t\t\"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n\ - \t\t\t\tall versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n\ - \t\t\t\tand Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n\ - \t\t\t\tMicrosoft patched this vulnerability in SP3 for 2005 without any public\n\ - \t\t\t\tmention.\n\n\ - \t\t\t\tThis exploit smashes several pointers, as shown below.\n\n\ - \t\t\t\t1. pointer to a 32-bit value that is set to 0\n\ - \t\t\t\t2. pointer to a 32-bit value that is set to a length influcenced by the buffer\n\ - \t\t\t\t\tlength.\n\ - \t\t\t\t3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n\ - \t\t\t\t\tthis value is referenced with a displacement of 0x38. For MSSQL 2005, the\n\ - \t\t\t\t\tdisplacement is 0x10. The address of our buffer is conveniently stored in\n\ - \t\t\t\t\tecx when this instruction is executed.\n\ - \t\t\t\t4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n\ - \t\t\t\t\ta displacement of 4. This pointer is not used by this exploit.\n\n\ - \t\t\t\tThis particular exploit replaces the previous dual-method exploit. It uses\n\ - \t\t\t\ta technique where the value contained in ecx becomes the stack. From there,\n\ - \t\t\t\treturn oriented programming is used to normalize the execution state and\n\ - \t\t\t\tfinally execute the payload via a \"jmp esp\". All addresses used were found\n\ - \t\t\t\twithin the sqlservr.exe memory space, yielding very reliable code execution\n\ - \t\t\t\tusing only a single query.\n\n\ - \t\t\t\tNOTE: The MSSQL server service does not automatically restart by default. That\n\ - \t\t\t\tsaid, some exceptions are caught and will not result in terminating the process.\n\ - \t\t\t\tIf the exploit crashes the service prior to hijacking the stack, it won't die.\n\ - \t\t\t\tOtherwise, it's a goner.\n\ - \t\t\t" - authors: - - - OSVDB - - "50589" - - - CVE - - 2008-5416 - - - BID - - "32710" - - - MSB - - MS09-004 - - - URL - - http://www.milw0rm.com/exploits/7501 - - - URL - - http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/ - path: extensions/metasploit/ - class: Msf_module -msf_lyris_listmanager_weak_pass: - enable: true - msf: true - msf_key: windows/mssql/lyris_listmanager_weak_pass - name: Lyris ListManager MSDE Weak sa Password - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a weak password vulnerability in the\n\ - \t\t\t\tLyris ListManager MSDE install. During installation, the 'sa'\n\ - \t\t\t\taccount password is set to 'lminstall'. Once the install\n\ - \t\t\t\tcompletes, it is set to 'lyris' followed by the process\n\ - \t\t\t\tID of the installer. This module brute forces all possible\n\ - \t\t\t\tprocess IDs that would be used by the installer.\n\ - \t\t\t" - authors: - - - CVE - - 2005-4145 - - - OSVDB - - "21559" - path: extensions/metasploit/ - class: Msf_module -msf_ms02_056_hello: - enable: true - msf: true - msf_key: windows/mssql/ms02_056_hello - name: Microsoft SQL Server Hello Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tBy sending malformed data to TCP port 1433, an\n\ - \t\t\t\tunauthenticated remote attacker could overflow a buffer and\n\ - \t\t\t\tpossibly execute code on the server with SYSTEM level\n\ - \t\t\t\tprivileges. This module should work against any vulnerable\n\ - \t\t\t\tSQL Server 2000 or MSDE install (< SP3).\n\n\ - \t\t\t" - authors: - - - CVE - - 2002-1123 - - - OSVDB - - "10132" - - - BID - - "5411" - - - MSB - - MS02-056 - path: extensions/metasploit/ - class: Msf_module -msf_mssql_payload_sqli: - enable: true - msf: true - msf_key: windows/mssql/mssql_payload_sqli - name: Microsoft SQL Server Payload Execution via SQL injection - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module will execute an arbitrary payload on a Microsoft SQL\n\ - \t\t\t\tServer, using a SQL injection vulnerability.\n\n\ - \t\t\t\tOnce a vulnerability is identified this module\n\ - \t\t\t\twill use xp_cmdshell to upload and execute Metasploit payloads.\n\ - \t\t\t\tIt is necessary to specify the exact point where the SQL injection\n\ - \t\t\t\tvulnerability happens. For example, given the following injection:\n\n\ - \t\t\t\thttp://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical\n\n\ - \t\t\t\tyou would need to set the following path:\n\ - \t\t\t\tset GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar\n\n\ - \t\t\t\tIn regard to the payload, unless there is a closed port in the web server,\n\ - \t\t\t\tyou dont want to use any \"bind\" payload, specially on port 80, as you will\n\ - \t\t\t\tstop reaching the vulnerable web server host. You want a \"reverse\" payload, probably to\n\ - \t\t\t\tyour port 80 or to any other outbound port allowed on the firewall.\n\ - \t\t\t\tFor privileged ports execute Metasploit msfconsole as root.\n\n\ - \t\t\t\tCurrently, three delivery methods are supported.\n\n\ - \t\t\t\tFirst, the original method uses Windows 'debug.com'. File size restrictions are\n\ - \t\t\t\tavoidied by incorporating the debug bypass method presented by SecureStat at\n\ - \t\t\t\tDefcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.\n\n\ - \t\t\t\tA second method takes advantage of the Command Stager subsystem. This allows using\n\ - \t\t\t\tvarious techniques, such as using a TFTP server, to send the executable. By default\n\ - \t\t\t\tthe Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n\ - \t\t\t\tFinally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n\ - \t\t\t\tpayload on the target.\n\n\ - \t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\ - \t\t\t\tattack is finished.\n\n\ - \t\t\t" - authors: - - - CVE - - 2000-0402 - - - OSVDB - - "557" - - - BID - - "1281" - - - CVE - - 2000-1209 - - - OSVDB - - "15757" - - - BID - - "4797" - - - URL - - http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/ - path: extensions/metasploit/ - class: Msf_module -msf_mssql_payload: - enable: true - msf: true - msf_key: windows/mssql/mssql_payload - name: Microsoft SQL Server Payload Execution - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module executes an arbitrary payload on a Microsoft SQL Server by using\n\ - \t\t\t\tthe \"xp_cmdshell\" stored procedure. Currently, three delivery methods are supported.\n\n\ - \t\t\t\tFirst, the original method uses Windows 'debug.com'. File size restrictions are\n\ - \t\t\t\tavoidied by incorporating the debug bypass method presented by SecureStat at\n\ - \t\t\t\tDefcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.\n\n\ - \t\t\t\tA second method takes advantage of the Command Stager subsystem. This allows using\n\ - \t\t\t\tvarious techniques, such as using a TFTP server, to send the executable. By default\n\ - \t\t\t\tthe Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n\ - \t\t\t\tFinally, ReL1K's latest method utilizes PowerShell to transmit and recreate the\n\ - \t\t\t\tpayload on the target.\n\n\ - \t\t\t\tNOTE: This module will leave a payload executable on the target system when the\n\ - \t\t\t\tattack is finished.\n\ - \t\t\t" - authors: - - - CVE - - 2000-0402 - - - OSVDB - - "557" - - - BID - - "1281" - - - CVE - - 2000-1209 - - - OSVDB - - "15757" - - - BID - - "4797" - path: extensions/metasploit/ - class: Msf_module -msf_ms02_039_slammer: - enable: true - msf: true - msf_key: windows/mssql/ms02_039_slammer - name: Microsoft SQL Server Resolution Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis is an exploit for the SQL Server 2000 resolution\n\ - \t\t\t\tservice buffer overflow. This overflow is triggered by\n\ - \t\t\t\tsending a udp packet to port 1434 which starts with 0x04 and\n\ - \t\t\t\tis followed by long string terminating with a colon and a\n\ - \t\t\t\tnumber. This module should work against any vulnerable SQL\n\ - \t\t\t\tServer 2000 or MSDE install (pre-SP3).\n\n\ - \t\t\t" - authors: - - - CVE - - 2002-0649 - - - OSVDB - - "4578" - - - BID - - "5310" - - - MSB - - MS02-039 - path: extensions/metasploit/ - class: Msf_module -msf_ms09_004_sp_replwritetovarbin: - enable: true - msf: true - msf_key: windows/mssql/ms09_004_sp_replwritetovarbin - name: Microsoft SQL Server sp_replwritetovarbin Memory Corruption - category: Metasploit - description: "\n\ - \t\t\t\t\tA heap-based buffer overflow can occur when calling the undocumented\n\ - \t\t\t\t\"sp_replwritetovarbin\" extended stored procedure. This vulnerability affects\n\ - \t\t\t\tall versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,\n\ - \t\t\t\tand Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004.\n\ - \t\t\t\tMicrosoft patched this vulnerability in SP3 for 2005 without any public\n\ - \t\t\t\tmention.\n\n\ - \t\t\t\tAn authenticated database session is required to access the vulnerable code.\n\ - \t\t\t\tThat said, it is possible to access the vulnerable code via an SQL injection\n\ - \t\t\t\tvulnerability.\n\n\ - \t\t\t\tThis exploit smashes several pointers, as shown below.\n\n\ - \t\t\t\t1. pointer to a 32-bit value that is set to 0\n\ - \t\t\t\t2. pointer to a 32-bit value that is set to a length influcenced by the buffer\n\ - \t\t\t\t\tlength.\n\ - \t\t\t\t3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000,\n\ - \t\t\t\t\tthis value is referenced with a displacement of 0x38. For MSSQL 2005, the\n\ - \t\t\t\t\tdisplacement is 0x10. The address of our buffer is conveniently stored in\n\ - \t\t\t\t\tecx when this instruction is executed.\n\ - \t\t\t\t4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with\n\ - \t\t\t\t\ta displacement of 4. This pointer is not used by this exploit.\n\n\ - \t\t\t\tThis particular exploit replaces the previous dual-method exploit. It uses\n\ - \t\t\t\ta technique where the value contained in ecx becomes the stack. From there,\n\ - \t\t\t\treturn oriented programming is used to normalize the execution state and\n\ - \t\t\t\tfinally execute the payload via a \"jmp esp\". All addresses used were found\n\ - \t\t\t\twithin the sqlservr.exe memory space, yielding very reliable code execution\n\ - \t\t\t\tusing only a single query.\n\n\ - \t\t\t\tNOTE: The MSSQL server service does not automatically restart by default. That\n\ - \t\t\t\tsaid, some exceptions are caught and will not result in terminating the process.\n\ - \t\t\t\tIf the exploit crashes the service prior to hijacking the stack, it won't die.\n\ - \t\t\t\tOtherwise, it's a goner.\n\ - \t\t\t" - authors: - - - OSVDB - - "50589" - - - CVE - - 2008-5416 - - - BID - - "32710" - - - MSB - - MS09-004 - - - URL - - http://www.milw0rm.com/exploits/7501 - path: extensions/metasploit/ - class: Msf_module -msf_ms04_011_pct: - enable: true - msf: true - msf_key: windows/ssl/ms04_011_pct - name: Microsoft Private Communications Transport Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in the Microsoft\n\ - \t\t\t\tWindows SSL PCT protocol stack. This code is based on Johnny\n\ - \t\t\t\tCyberpunk's THC release and has been tested against Windows\n\ - \t\t\t\t2000 and Windows XP. To use this module, specify the remote\n\ - \t\t\t\tport of any SSL service, or the port and protocol of an\n\ - \t\t\t\tapplication that uses SSL. The only application protocol\n\ - \t\t\t\tsupported at this time is SMTP. You only have one chance to\n\ - \t\t\t\tselect the correct target, if you are attacking IIS, you may\n\ - \t\t\t\twant to try one of the other exploits first (WebDAV). If\n\ - \t\t\t\tWebDAV does not work, this more than likely means that this\n\ - \t\t\t\tis either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS\n\ - \t\t\t\t5.1). Using the wrong target may not result in an immediate\n\ - \t\t\t\tcrash of the remote system.\n\ - \t\t\t" - authors: - - - CVE - - 2003-0719 - - - OSVDB - - "5250" - - - BID - - "10116" - - - MSB - - MS04-011 - path: extensions/metasploit/ - class: Msf_module -msf_domino_http_accept_language: - enable: true - msf: true - msf_key: windows/lotus/domino_http_accept_language - name: IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in IBM Lotus Domino Web Server\n\ - \t\t\t\tprior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP\n\ - \t\t\t\trequest with an Accept-Language header greater than 114 bytes.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2240 - - - OSVDB - - "45415" - - - BID - - "29310" - - - URL - - http://www-01.ibm.com/support/docview.wss?uid=swg21303057 - path: extensions/metasploit/ - class: Msf_module -msf_domino_sametime_stmux: - enable: true - msf: true - msf_key: windows/lotus/domino_sametime_stmux - name: IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Lotus Domino\\'s Sametime\n\ - \t\t\t\tServer. By sending an overly long POST request to the Multiplexer\n\ - \t\t\t\tSTMux.exe service we are able to overwrite SEH. Based on the exploit\n\ - \t\t\t\tby Manuel Santamarina Suarez.\n\ - \t\t\t" - authors: - - - CVE - - 2008-2499 - - - OSVDB - - "45610" - - - BID - - "29328" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-08-028/ - path: extensions/metasploit/ - class: Msf_module -msf_domino_icalendar_organizer: - enable: true - msf: true - msf_key: windows/lotus/domino_icalendar_organizer - name: IBM Lotus Domino iCalendar MAILTO Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a vulnerability found in IBM Lotus Domino iCalendar. By\n\ - \t\t\t\tsending a long string of data as the \"ORGANIZER;mailto\" header, process \"nRouter.exe\"\n\ - \t\t\t\tcrashes due to a Cstrcpy() routine in nnotes.dll, which allows remote attackers to\n\ - \t\t\t\tgain arbitrary code execution.\n\n\ - \t\t\t\tNote: In order to trigger the vulnerable code path, a valid Domino mailbox account\n\ - \t\t\t\tis needed.\n\ - \t\t\t" - authors: - - - CVE - - 2010-3407 - - - OSVDB - - "68040" - - - URL - - http://www.zerodayinitiative.com/advisories/ZDI-10-177/ - - - URL - - http://labs.mwrinfosecurity.com/advisories/lotus_domino_ical_stack_buffer_overflow/ - - - URL - - http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21446515 - path: extensions/metasploit/ - class: Msf_module -msf_sipxezphone_cseq: - enable: true - msf: true - msf_key: windows/sip/sipxezphone_cseq - name: SIPfoundry sipXezPhone 0.35a CSeq Field Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in SIPfoundry's\n\ - \t\t\t\tsipXezPhone version 0.35a. By sending an long CSeq header,\n\ - \t\t\t\ta remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code on the system with the privileges of\n\ - \t\t\t\tthe affected application.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3524 - - - OSVDB - - "27122" - - - BID - - "18906" - path: extensions/metasploit/ - class: Msf_module -msf_aim_triton_cseq: - enable: true - msf: true - msf_key: windows/sip/aim_triton_cseq - name: AIM Triton 1.0.4 CSeq Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in AOL\\'s AIM\n\ - \t\t\t\tTriton 1.0.4. By sending an overly long CSeq value,\n\ - \t\t\t\ta remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code on the system with the privileges of\n\ - \t\t\t\tthe affected application.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3524 - - - OSVDB - - "27122" - - - BID - - "18906" - path: extensions/metasploit/ - class: Msf_module -msf_sipxphone_cseq: - enable: true - msf: true - msf_key: windows/sip/sipxphone_cseq - name: SIPfoundry sipXphone 2.6.0.27 CSeq Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in SIPfoundry's\n\ - \t\t\t\tsipXphone 2.6.0.27. By sending an overly long CSeq value,\n\ - \t\t\t\ta remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code on the system with the privileges of\n\ - \t\t\t\tthe affected application.\n\ - \t\t\t" - authors: - - - CVE - - 2006-3524 - - - OSVDB - - "27122" - - - BID - - "18906" - path: extensions/metasploit/ - class: Msf_module -msf_ms10_025_wmss_connect_funnel: - enable: true - msf: true - msf_key: windows/mmsp/ms10_025_wmss_connect_funnel - name: Windows Media Services ConnectFunnel Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Windows Media\n\ - \t\t\t\tUnicast Service version 4.1.0.3930 (NUMS.exe). By sending a specially\n\ - \t\t\t\tcrafted FunnelConnect request, an attacker can execute arbitrary code\n\ - \t\t\t\tunder the \"NetShowServices\" user account. Windows Media Services 4.1 ships\n\ - \t\t\t\twith Windows 2000 Server, but is not installed by default.\n\n\ - \t\t\t\tNOTE: This service does NOT restart automatically. Successful, as well as\n\ - \t\t\t\tunsuccessful exploitation attempts will kill the service which prevents\n\ - \t\t\t\tadditional attempts.\n\ - \t\t\t" - authors: - - - CVE - - 2010-0478 - - - OSVDB - - "63726" - - - MSB - - MS10-025 - - - URL - - https://www.lexsi.com/abonnes/labs/adviso-cve-2010-0478.txt - path: extensions/metasploit/ - class: Msf_module -msf_attftp_long_filename: - enable: true - msf: true - msf_key: windows/tftp/attftp_long_filename - name: Allied Telesyn TFTP Server 1.9 Long Filename Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a\n\ - \t\t\t\trequest (get/write) for an overly long file name.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6184 - - - OSVDB - - "11350" - - - BID - - "21320" - - - URL - - http://milw0rm.com/exploits/2887 - - - URL - - ftp://guest:guest@ftp.alliedtelesyn.co.uk/pub/utilities/at-tftpd19.zip - path: extensions/metasploit/ - class: Msf_module -msf_quick_tftp_pro_mode: - enable: true - msf: true - msf_key: windows/tftp/quick_tftp_pro_mode - name: Quick FTP Pro 2.1 Transfer-Mode Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the Quick TFTP Pro server\n\ - \t\t\t\tproduct. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting\n\ - \t\t\t\tin a DoS. This is a port of a sploit by Mati \"muts\" Aharoni.\n\ - \t\t\t" - authors: - - - CVE - - 2008-1610 - - - OSVDB - - "43784" - - - BID - - "28459" - - - URL - - http://secunia.com/advisories/29494 - path: extensions/metasploit/ - class: Msf_module -msf_threectftpsvc_long_mode: - enable: true - msf: true - msf_key: windows/tftp/threectftpsvc_long_mode - name: 3CTftpSvc TFTP Long Mode Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By\n\ - \t\t\t\tsending a specially crafted packet with an overly long mode\n\ - \t\t\t\tfield, a remote attacker could overflow a buffer and execute\n\ - \t\t\t\tarbitrary code on the system.\n\ - \t\t\t" - authors: - - - CVE - - 2006-6183 - - - OSVDB - - "30758" - - - BID - - "21301" - - - URL - - http://secunia.com/advisories/23113/ - path: extensions/metasploit/ - class: Msf_module -msf_dlink_long_filename: - enable: true - msf: true - msf_key: windows/tftp/dlink_long_filename - name: D-Link TFTP 1.0 Long Filename Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in D-Link TFTP 1.0.\n\ - \t\t\t\tBy sending a request for an overly long file name, an attacker\n\ - \t\t\t\tcould overflow a buffer and execute arbitrary code. For best results,\n\ - \t\t\t\tuse bind payloads with nonx (No NX).\n\ - \t\t\t" - authors: - - - CVE - - 2007-1435 - - - OSVDB - - "33977" - - - BID - - "22923" - path: extensions/metasploit/ - class: Msf_module -msf_tftpdwin_long_filename: - enable: true - msf: true - msf_key: windows/tftp/tftpdwin_long_filename - name: TFTPDWIN v0.4.2 Long Filename Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending\n\ - \t\t\t\tan overly long file name to the tftpd.exe server, the stack can be overwritten.\n\ - \t\t\t" - authors: - - - CVE - - 2006-4948 - - - OSVDB - - "29032" - - - BID - - "20131" - - - URL - - http://www.milw0rm.com/exploits/3132 - path: extensions/metasploit/ - class: Msf_module -msf_futuresoft_transfermode: - enable: true - msf: true - msf_key: windows/tftp/futuresoft_transfermode - name: FutureSoft TFTP Server 2000 Transfer-Mode Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the FutureSoft TFTP Server\n\ - \t\t\t\t2000 product. By sending an overly long transfer-mode string, we were able\n\ - \t\t\t\tto overwrite both the SEH and the saved EIP. A subsequent write-exception\n\ - \t\t\t\tthat will occur allows the transferring of execution to our shellcode\n\ - \t\t\t\tvia the overwritten SEH. This module has been tested against Windows\n\ - \t\t\t\t2000 Professional and for some reason does not seem to work against\n\ - \t\t\t\tWindows 2000 Server (could not trigger the overflow at all).\n\ - \t\t\t" - authors: - - - CVE - - 2005-1812 - - - OSVDB - - "16954" - - - BID - - "13821" - - - URL - - http://www.security.org.sg/vuln/tftp2000-1001.html - path: extensions/metasploit/ - class: Msf_module -msf_tftpd32_long_filename: - enable: true - msf: true - msf_key: windows/tftp/tftpd32_long_filename - name: TFTPD32 <= 2.21 Long Filename Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in TFTPD32 version 2.21\n\ - \t\t\t\tand prior. By sending a request for an overly long file name\n\ - \t\t\t\tto the tftpd32 server, a remote attacker could overflow a buffer and\n\ - \t\t\t\texecute arbitrary code on the system.\n\ - \t\t\t" - authors: - - - CVE - - 2002-2226 - - - OSVDB - - "45903" - - - BID - - "6199" - path: extensions/metasploit/ - class: Msf_module -msf_imail_thc: - enable: true - msf: true - msf_key: windows/ldap/imail_thc - name: IMail LDAP Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis exploits a buffer overflow in the LDAP service that is\n\ - \t\t\t\tpart of the IMail product. This module was tested against\n\ - \t\t\t\tversion 7.10 and 8.5, both running on Windows 2000.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0297 - - - OSVDB - - "3984" - - - BID - - "9682" - - - URL - - http://secunia.com/advisories/10880/ - path: extensions/metasploit/ - class: Msf_module -msf_pgp_keyserver7: - enable: true - msf: true - msf_key: windows/ldap/pgp_keyserver7 - name: Network Associates PGP KeyServer 7 LDAP Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the LDAP service that is\n\ - \t\t\t\t\tpart of the NAI PGP Enterprise product suite. This module was tested\n\ - \t\t\t\t\tagainst PGP KeyServer v7.0. Due to space restrictions, egghunter is\n\ - \t\t\t\t\tused to find our payload - therefore you may wish to adjust WfsDelay.\n\ - \t\t\t" - authors: - - - CVE - - 2001-1320 - - - OSVDB - - "4742" - - - BID - - "3046" - - - URL - - http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/ - path: extensions/metasploit/ - class: Msf_module -msf_hummingbird_exceed: - enable: true - msf: true - msf_key: windows/lpd/hummingbird_exceed - name: Hummingbird Connectivity 10 SP5 LPD Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Hummingbird Connectivity\n\ - \t\t\t\t10 LPD Daemon. This module has only been tested against Hummingbird\n\ - \t\t\t\tExceed v10 with SP5.\n\ - \t\t\t" - authors: - - - CVE - - 2005-1815 - - - OSVDB - - "16957" - - - BID - - "13788" - path: extensions/metasploit/ - class: Msf_module -msf_saplpd: - enable: true - msf: true - msf_key: windows/lpd/saplpd - name: SAP SAPLPD 6.28 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) .\n\ - \t\t\t\tBy sending an overly long argument, an attacker may be able to execute arbitrary\n\ - \t\t\t\tcode.\n\ - \t\t\t" - authors: - - - CVE - - 2008-0621 - - - OSVDB - - "41127" - - - BID - - "27613" - path: extensions/metasploit/ - class: Msf_module -msf_wincomlpd_admin: - enable: true - msf: true - msf_key: windows/lpd/wincomlpd_admin - name: WinComLPD <= 3.0.2 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in WinComLPD <= 3.0.2.\n\ - \t\t\t\tBy sending an overly long authentication packet to the remote\n\ - \t\t\t\tadminstration service, an attacker may be able to execute arbitrary\n\ - \t\t\t\tcode.\n\ - \t\t\t" - authors: - - - CVE - - 2008-5159 - - - OSVDB - - "42861" - - - BID - - "27614" - path: extensions/metasploit/ - class: Msf_module -msf_niprint: - enable: true - msf: true - msf_key: windows/lpd/niprint - name: NIPrint LPD Request Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in the\n\ - \t\t\t\tNetwork Instrument NIPrint LPD service. Inspired by\n\ - \t\t\t\tImmunity's VisualSploit :-)\n\ - \t\t\t" - authors: - - - CVE - - 2003-1141 - - - OSVDB - - "2774" - - - BID - - "8968" - - - URL - - http://www.immunitysec.com/documentation/vs_niprint.html - path: extensions/metasploit/ - class: Msf_module -msf_trendmicro_serverprotect: - enable: true - msf: true - msf_key: windows/antivirus/trendmicro_serverprotect - name: Trend Micro ServerProtect 5.58 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.\n\ - \t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the\n\ - \t\t\t\tbuffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-1070 - - - OSVDB - - "33042" - - - BID - - "22639" - path: extensions/metasploit/ - class: Msf_module -msf_symantec_rtvscan: - enable: true - msf: true - msf_key: windows/antivirus/symantec_rtvscan - name: Symantec Remote Management Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Symantec Client Security 3.0.x.\n\ - \t\t\t\tThis module has only been tested against Symantec Client Security 3.0.2\n\ - \t\t\t\tbuild 10.0.2.2000.\n\ - \t\t\t" - authors: - - - CVE - - 2006-2630 - - - OSVDB - - "25846" - - - BID - - "18107" - - - URL - - http://research.eeye.com/html/advisories/published/AD20060612.html - path: extensions/metasploit/ - class: Msf_module -msf_symantec_iao: - enable: true - msf: true - msf_key: windows/antivirus/symantec_iao - name: Symantec Alert Management System Intel Alert Originator Service Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack buffer overflow in Intel Alert Originator Service msgsys.exe.\n\ - \t\t\t\tWhen an attacker sends a specially crafted alert, arbitrary code may be executed.\n\ - \t\t\t" - authors: - - - CVE - - 2009-1430 - - - OSVDB - - "54159" - - - BID - - "34674" - path: extensions/metasploit/ - class: Msf_module -msf_trendmicro_serverprotect_createbinding: - enable: true - msf: true - msf_key: windows/antivirus/trendmicro_serverprotect_createbinding - name: Trend Micro ServerProtect 5.58 CreateBinding() Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.\n\ - \t\t\t\tBy sending a specially crafted RPC request, an attacker could overflow the\n\ - \t\t\t\tbuffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2508 - - - OSVDB - - "35790" - - - BID - - "23868" - path: extensions/metasploit/ - class: Msf_module -msf_trendmicro_serverprotect_earthagent: - enable: true - msf: true - msf_key: windows/antivirus/trendmicro_serverprotect_earthagent - name: Trend Micro ServerProtect 5.58 EarthAgent.EXE Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060\n\ - \t\t\t\tEarthAgent.EXE. By sending a specially crafted RPC request, an attacker could overflow the\n\ - \t\t\t\tbuffer and execute arbitrary code.\n\ - \t\t\t" - authors: - - - CVE - - 2007-2508 - - - OSVDB - - "35789" - - - BID - - "23866" - path: extensions/metasploit/ - class: Msf_module -msf_racer_503beta5: - enable: true - msf: true - msf_key: windows/games/racer_503beta5 - name: Racer v0.5.3 beta 5 Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module explots the Racer Car and Racing Simulator game\n\ - \t\t\t\tversions v0.5.3 beta 5 and earlier. Both the client and server listen\n\ - \t\t\t\ton UDP port 26000. By sending an overly long buffer we are able to\n\ - \t\t\t\texecute arbitrary code remotely.\n\ - \t\t\t" - authors: - - - CVE - - 2007-4370 - - - OSVDB - - "39601" - - - URL - - http://www.milw0rm.com/exploits/4283 - - - BID - - "25297" - path: extensions/metasploit/ - class: Msf_module -msf_mohaa_getinfo: - enable: true - msf: true - msf_key: windows/games/mohaa_getinfo - name: Medal Of Honor Allied Assault getinfo Stack Buffer Overflow - category: Metasploit - description: "\n\ - \t\t\t\t\tThis module exploits a stack based buffer overflow in the getinfo\n\ - \t\t\t\tcommand of Medal Of Honor Allied Assault.\n\ - \t\t\t" - authors: - - - CVE - - 2004-0735 - - - OSVDB - - "8061" - - - URL - - http://www.milw0rm.com/exploits/357 - - - BID - - "10743" - path: extensions/metasploit/ - class: Msf_module